[openstack-dev] Able to ping/ssh from source group VM to the target group VM using public IP when both the VMs are hosted on same compute node

Vishvananda Ishaya vishvananda at gmail.com
Fri Aug 24 15:48:59 UTC 2012


Currently source groups only allow from the fixed ips. It might be possible to set up routing so that floating ips would work as well by setting dmz_cidr in your config file to your floating ip range. I'm not convinced that this will work in all networking setups but it might work in some. Also, if you have a floating ip on both vms, you could specifically add an allow rule from the other machine's floating ip.

Vish

On Aug 23, 2012, at 10:52 PM, Sirisha Devineni <Sirisha_Devineni at persistent.co.in> wrote:

> Hi Lloyd,
> 
> Yea "group" in the sense of security group here. Step3 is we need to add a source group rule to target security group by mentioning "source_group" as our first created source group as follows:
> 
> 1. Create two security groups
> 	nova secgroup-create srcsecgrp "Source Security Group"
> 	nova secgroup-create tgtsecgrp "Target Security Group"
> 2. Spawn VMs in both the groups separately.
> 	nova boot --flavor=100 --image=120 --key_name=key1 --security_group=srcsecgrp srcvm
> 	nova boot --flavor=100 --image=120 --key_name=key1 --security_group=tgtsecgrp tgtvm
> 3. Add source group as a source to the target group.
> 	nova secgroup-add-group-rule --ip_proto=icmp --from_port=-1 --to_port=-1 tgtsecgrp srcsecgrp
> 	nova secgroup-add-group-rule --ip_proto=tcp --from_port=22 --to_port=22 tgtsecgrp srcsecgrp
> 4. Add rules to allow ssh/ping into source group.
> 	nova secgroup-add-rule srcsecgrp tcp 22 22 0.0.0.0/0
> 	nova secgroup-add-rule srcsecgrp icmp -1 -1 0.0.0.0/0
> 
> 5. Now ssh into the source group and ping/ssh to target group vm using private IP - should be successful
> 6. Now try to ping/ssh to target group vm using its public ip - This is successful when both VMs are on the same host, and it fails when the VMs are on different compute nodes.
> 
> Here both the VMs are under different security groups (which have different rules associated with them). I checked these scenarios with distro.
> 
> Please let me know if you need any additional information.
> 
> Thanks & Regards,
> Sirisha Devineni.     
> 
> 
> -----Original Message-----
> From: Lloyd Dewolf [mailto:lloydostack at gmail.com] 
> Sent: Thursday, August 23, 2012 4:50 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Able to ping/ssh from source group VM to the target group VM using public IP when both the VMs are hosted on same compute node
> 
> On Thu, Aug 23, 2012 at 3:52 AM, Sirisha Devineni
> <Sirisha_Devineni at persistent.co.in> wrote:
>> 
>> 3. Add source group as a source to the target group.
> 
> What does "group" mean in your steps? Security group would be my
> guess, but I'm still having trouble understanding step 3. Would you
> provide a concrete example?
> 
> Does the way you've presented it suggest that in your environment that
> if the VMs are in the same security group you don't see this symptom?
> ie. you've confirmed the expected behavior in the simpler scenario.
> 
> When you say you've checked this scenario in stable Diablo version and
> as well as Folsom is that using devstack, or a distro?
> 
> Thank you,
> --
> @lloyddewolf
> http://www.pistoncloud.com/
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
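
The behaviour described in the reply at the top of this thread, as an added example that is not part of the original messages and is not nova's own code: a source-group rule is expanded to the fixed IPs of the group's members, so a packet whose source address is a floating IP does not match until an explicit allow rule for that floating IP is added. The IP addresses are constructed sample values, and the model assumes the packet reaches the target filter with the sender's floating IP as its source address.

```python
import ipaddress

# Constructed sample data (not from the thread): fixed and floating IPs per VM.
FIXED_IPS = {"srcvm": "10.0.0.3", "tgtvm": "10.0.0.4"}
FLOATING_IPS = {"srcvm": "172.24.4.10", "tgtvm": "172.24.4.11"}
GROUP_MEMBERS = {"srcsecgrp": ["srcvm"], "tgtsecgrp": ["tgtvm"]}

# Rules on tgtsecgrp, mirroring step 3 of the quoted procedure.
TGT_RULES = [
    {"proto": "icmp", "from_port": -1, "to_port": -1, "source_group": "srcsecgrp"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "source_group": "srcsecgrp"},
]


def expand_rules(rules):
    """Turn group rules into concrete (proto, from_port, to_port, network) entries.

    A source-group rule expands to the members' fixed IPs only, which is the
    behaviour stated in the reply; a CIDR rule is used as given.
    """
    expanded = []
    for rule in rules:
        if "source_group" in rule:
            members = GROUP_MEMBERS[rule["source_group"]]
            cidrs = [FIXED_IPS[vm] + "/32" for vm in members]
        else:
            cidrs = [rule["cidr"]]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            expanded.append((rule["proto"], rule["from_port"], rule["to_port"], net))
    return expanded


def allowed(rules, proto, port, src_ip):
    """Return True if a packet with this protocol, port and source IP matches a rule."""
    src = ipaddress.ip_address(src_ip)
    for rule_proto, lo, hi, net in expand_rules(rules):
        port_ok = lo == -1 or lo <= port <= hi  # -1 means "any" (used for icmp)
        if rule_proto == proto and port_ok and src in net:
            return True
    return False


def with_floating_allow(rules, vm, proto="tcp", port=22):
    """Workaround from the reply: add an explicit allow rule for the other VM's floating IP."""
    extra = {"proto": proto, "from_port": port, "to_port": port,
             "cidr": FLOATING_IPS[vm] + "/32"}
    return rules + [extra]
```
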



