[Openstack-security] [Bug 1221564] Re: Didn't associate a security-group to instances
Steven Hardy
shardy at redhat.com
Mon Dec 2 14:15:55 UTC 2013
** Tags added: grizzly-backport-potential
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1221564
Title:
Didn't associate a security-group to instances
Status in Orchestration API (Heat):
Fix Released
Bug description:
Define a WikiDatabaseSecurityGroup as below:
"WikiDatabaseSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Enable HTTP access via port 80 plus SSH access",
    "SecurityGroupIngress" : [
      {"IpProtocol" : "icmp", "FromPort" : "-1", "ToPort" : "-1", "CidrIp" : "0.0.0.0/0"},
      {"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "0.0.0.0/0"},
      {"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0"}
    ]
  }
},
and refer to it in the instance properties as "SecurityGroups" : [ {"Ref" : "WikiDatabaseSecurityGroup"} ],
in the template WordPress_2_Instances_With_EBS_EIP.template.
But when the instance is spawned, it seems the security_group of this
instance is not "WikiDatabaseSecurityGroup", but the "default" one.
[root at oc2603148815 xianghui]# nova show wordpress_1-WikiDatabase-kpjsht332enl
+--------------------------------------+------------------------------------------------------------+
| Property | Value |
+--------------------------------------+------------------------------------------------------------+
| status | ACTIVE |
| updated | 2013-08-20T09:32:06Z |
| OS-EXT-STS:task_state | None |
| OS-EXT-SRV-ATTR:host | oc2603148815.ibm.com |
| key_name | userkey |
| image | F17-x86_64-cfntools (53181c83-4e24-4888-be88-1f9e7ed4877c) |
| hostId | 5c331878f9858b022f7d92f7f74714f1d58eef066dd6768a77e26264 |
| OS-EXT-STS:vm_state | active |
| OS-EXT-SRV-ATTR:instance_name | instance-0000008d |
| OS-SRV-USG:launched_at | 2013-08-20T09:32:06.000000 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | oc2603148815.ibm.com |
| flavor | m1.small (2) |
| id | c7e59830-8ca7-43a3-8c17-d670c0263876 |
| security_groups | [{u'name': u'default'}] |
| OS-SRV-USG:terminated_at | None |
| vlan-70 network | 70.0.0.20, 192.168.12.19 |
| user_id | 22c367eb5eb34846acc0a2c0c4836f93 |
| name | wordpress_1-WikiDatabase-kpjsht332enl |
| created | 2013-08-20T09:31:52Z |
| tenant_id | b21a96e16c3c438caab4a27a1f58a5b8 |
| OS-DCF:diskConfig | MANUAL |
| metadata | {} |
| os-extended-volumes:volumes_attached | [{u'id': u'e190341f-4007-43ce-8099-2e4be1e606da'}] |
| accessIPv4 | |
| accessIPv6 | |
| progress | 0 |
| OS-EXT-STS:power_state | 1 |
| OS-EXT-AZ:availability_zone | nova |
| config_drive | |
+--------------------------------------+------------------------------------------------------------+
After some investigation, the root cause has been found:
the instance port will be created by calling quantumclient.create_port in /heat/engine/resources/instance.py,
but the security_group resource created by heat is not passed as a parameter.
To manage notifications about this bug go to:
https://bugs.launchpad.net/heat/+bug/1221564/+subscriptions
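A check for the symptom reported above, added here as an example and not part of the original message or of Heat: it compares the security groups an instance declares in the template with the security_groups row of `nova show`. The template fragment, the table rows, the resource name WikiDatabase and the physical group name are constructed or assumed for illustration.

```python
import ast

# Constructed inputs: a template fragment shaped like the one in the report, two
# rows of its `nova show` output, and a placeholder physical name for the group.
TEMPLATE = {"Resources": {
    "WikiDatabaseSecurityGroup": {"Type": "AWS::EC2::SecurityGroup"},
    "WikiDatabase": {  # resource name assumed from the server name in the report
        "Type": "AWS::EC2::Instance",
        "Properties": {"SecurityGroups": [{"Ref": "WikiDatabaseSecurityGroup"}]},
    },
}}
NOVA_SHOW = """\
+-----------------+--------------------------+
| Property        | Value                    |
+-----------------+--------------------------+
| status          | ACTIVE                   |
| security_groups | [{u'name': u'default'}]  |
+-----------------+--------------------------+
"""
PHYSICAL_NAMES = {"WikiDatabaseSecurityGroup": "EXAMPLE-physical-group-name"}


def parse_nova_show(text):
    """Turn `nova show` table rows into a {property: value} dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip table borders and any shell prompt line
        key, _, value = line.strip("|").partition("|")
        props[key.strip()] = value.strip()
    return props


def declared_groups(template, instance):
    """Security groups an instance resource lists, with Ref entries resolved."""
    props = template["Resources"][instance]["Properties"]
    return {sg["Ref"] if isinstance(sg, dict) else sg
            for sg in props.get("SecurityGroups", [])}


def missing_groups(template, instance, nova_show_text, physical_names):
    """Declared groups that the running server does not carry."""
    cell = parse_nova_show(nova_show_text)["security_groups"]
    actual = {group["name"] for group in ast.literal_eval(cell)}
    wanted = {physical_names.get(name, name)
              for name in declared_groups(template, instance)}
    return sorted(wanted - actual)
```

A non-empty result means the server was booted without a group the template asked for, which is the condition described in this bug.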