[Openstack-security] [Bug 1491307] Re: secgroup rules doesn't work for instance immediately
Tristan Cacqueray
tdecacqu at redhat.com
Mon Sep 14 20:36:45 UTC 2015
Since it's quite a security defect, and already fixed in the supported
stable releases, I suggest we issue an OSSA with this impact description:
Title: Nova network security group changes are not applied to running instances
Products: Nova
Affects: versions through 2014.2.3, and 2015.1 versions through 2015.1.1
Description:
Security group changes silently fail to be applied to already running instances, potentially resulting in instances not being protected by their security groups. All Nova network setups are affected.
Now about attribution: it seems this was independently reported by suntao and Sreekumar S. Are those your names, and are there affiliations to mention, or are you independent contributors?
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1491307
Title:
secgroup rules doesn't work for instance immediately
Status in OpenStack Compute (nova):
New
Status in OpenStack Security Advisory:
Incomplete
Bug description:
I have an OpenStack Kilo setup on RHEL 7.1 with a controller and a
compute node (network-compute + network-network); the config is as
follows:
# /etc/nova/nova.conf on controller node
[DEFAULT]
network_api_class = nova.network.api.API
security_group_api = nova
# /etc/nova/nova.conf on compute node
[DEFAULT]
network_api_class = nova.network.api.API
security_group_api = nova
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
network_manager = nova.network.manager.FlatDHCPManager
network_size = 254
allow_same_net_traffic = False
multi_host = True
send_arp_for_ha = True
share_dhcp_address = True
force_dhcp_release = True
flat_network_bridge = br100
flat_interface = eth0
public_interface = eth0
steps for test 1:
1) create and start VM instance-1 with secgroup default;
2) VM instance-1 ping br100: OK;
3) br100 ping VM instance-1: operation not permitted (because there are no secgroup rules for ICMP)
4) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
5) br100 ping VM instance-1: I got the same error message; not expected.
steps for test 2:
1) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0;
2) create and start VM instance-2 with secgroup default;
3) br100 ping instance-2: OK
It seems that the command "nova secgroup-add-rule ..." doesn't work
immediately for existing or running VM instances?
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1491307/+subscriptions
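Because the defect above means the security-group API can report a rule that was never pushed to the hypervisor, the only reliable check is on the compute node itself: compare `iptables-save` against the rules the group is supposed to contain, per instance chain. The script below is an added example written for this thread; it is not code from the bug report or from Nova. It assumes nova-network's IptablesFirewallDriver chain naming (`nova-compute-inst-<instance id>`), the way iptables-save normalises rules (no `-s` for 0.0.0.0/0, `-m tcp --dport N` for a single port, `-m multiport --dports A:B` for a range), and uses a constructed iptables-save sample in which instance 1 models the reporter's test 1 (booted before the ICMP rule was added, chain never refreshed) and instance 2 models test 2.

```python
"""Audit a compute host's iptables state against the security-group rules that
should apply to every running instance.  Added check, not part of the bug report
or of Nova.  Input is iptables-save output; the sample below is constructed."""
import re
import shlex
from typing import Dict, List

# Assumption: per-instance chains are named the way nova's IptablesFirewallDriver
# names them, nova-compute-inst-<instance id>.
CHAIN_RE = re.compile(r"^nova-compute-inst-(\d+)$")

# Constructed sample, not captured from a real host.  Instance 1 models the bug
# (booted before the ICMP/SSH rules were added, chain never refreshed);
# instance 2 was booted afterwards and carries both rules.
SAMPLE_IPTABLES_SAVE = """\
*filter
:nova-compute-inst-1 - [0:0]
:nova-compute-inst-2 - [0:0]
:nova-compute-sg-fallback - [0:0]
-A nova-compute-inst-1 -m state --state INVALID -j DROP
-A nova-compute-inst-1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-1 -s 10.0.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-1 -j nova-compute-sg-fallback
-A nova-compute-inst-2 -m state --state INVALID -j DROP
-A nova-compute-inst-2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-2 -s 10.0.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-2 -p icmp -j ACCEPT
-A nova-compute-inst-2 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-2 -j nova-compute-sg-fallback
-A nova-compute-sg-fallback -j DROP
COMMIT
"""

# Security-group rules in the shape "nova secgroup-add-rule" takes:
# protocol, from_port, to_port, cidr.  -1/-1 for icmp means any type/code.
EXPECTED_DEFAULT_SG = [
    {"proto": "icmp", "from_port": -1, "to_port": -1, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "192.168.1.0/24"},
]


def parse_rules(text: str) -> Dict[str, List[dict]]:
    """Group the -A lines of iptables-save output by chain, keeping only the
    fields needed to recognise a security-group rule."""
    chains: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        chain = tok[1]
        # iptables-save omits "-s 0.0.0.0/0", so the default source is "any".
        rule = {"proto": None, "src": "0.0.0.0/0", "ports": None, "target": None}
        i = 2
        while i < len(tok):
            t = tok[i]
            if t == "-p":
                rule["proto"] = tok[i + 1]
                i += 2
            elif t == "-s":
                rule["src"] = tok[i + 1]
                i += 2
            elif t in ("--dport", "--dports"):
                # single port is "--dport 22"; a range is "--dports 22:23"
                lo, _, hi = tok[i + 1].partition(":")
                rule["ports"] = (int(lo), int(hi or lo))
                i += 2
            elif t == "-j":
                rule["target"] = tok[i + 1]
                i += 2
            else:
                i += 1  # -m, --state, --sport ...: not needed for the check
        chains.setdefault(chain, []).append(rule)
    return chains


def sg_rule_present(rules: List[dict], proto: str, from_port: int,
                    to_port: int, cidr: str) -> bool:
    """True if some ACCEPT rule in the chain matches the security-group rule."""
    for r in rules:
        if r["target"] != "ACCEPT" or r["proto"] != proto or r["src"] != cidr:
            continue
        if proto in ("tcp", "udp") and r["ports"] != (from_port, to_port):
            continue
        return True
    return False


def audit(iptables_save: str, expected: List[dict]) -> Dict[int, List[dict]]:
    """Map each instance id found on the host to the expected rules missing
    from its chain; an empty list means the host state matches the group."""
    missing: Dict[int, List[dict]] = {}
    for chain, rules in parse_rules(iptables_save).items():
        m = CHAIN_RE.match(chain)
        if m:
            missing[int(m.group(1))] = [e for e in expected
                                        if not sg_rule_present(rules, **e)]
    return missing


if __name__ == "__main__":
    # On a real compute node:  iptables-save | python3 sg_audit.py -
    import sys
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_IPTABLES_SAVE
    for inst, gaps in sorted(audit(data, EXPECTED_DEFAULT_SG).items()):
        state = "OK" if not gaps else "MISSING " + ", ".join(
            "%s %s-%s %s" % (g["proto"], g["from_port"], g["to_port"], g["cidr"])
            for g in gaps)
        print("instance %d: %s" % (inst, state))
```

Run it against the sample and instance 1 is reported with both rules missing while instance 2 is clean, which is exactly the asymmetry between test 1 and test 2 in the report. On a live host, a non-empty result for an instance that the API says is in the group is the signature of this bug; hard-rebooting the instance (or restarting nova-compute so it refreshes the chains) is the operational workaround until the fixed release is deployed.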