[Openstack] Security group isolation on same physical host

Mitchell Broome mitchell.broome at gmail.com
Thu Jun 7 14:00:11 UTC 2012


So I'm running into a problem where two different virtual machines on
the same physical host can get to each other bypassing security
groups.  As a test, I have removed all rules from the default security
group and created two other groups for testing (test1 and test2) that
only have inbound SSH access from a client network.  The hosts are on
192.168.95.0/24 and the guests' fixed addresses are on
192.168.97.0/24.  I'm not doing anything with floating IPs, just
strictly fixed IPs.  While testing, I'm using a single controller
running everything except nova-compute and a single compute host only
running nova-compute.

I'm using CentOS 6.2 with OpenStack from EPEL:
python-nova-2012.1-7.el6.noarch
openstack-nova-2012.1-7.el6.noarch


nova.conf (from the compute node):
http://paste.openstack.org/show/18381/

iptables -n -L:
http://paste.openstack.org/show/18382/

Is there some flag I'm missing in nova.conf to stop this?
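An added check, not part of the mail above: when nova-compute uses libvirt with a Linux bridge and nova-network's iptables-based firewall driver (an assumption here, since the linked nova.conf is not reproduced on this page), guest-to-guest traffic on the same bridge is switched at layer 2 and only reaches the iptables FORWARD chain (where the security group rules live) if the kernel's bridge-netfilter hooks are enabled. The script below evaluates `sysctl net.bridge` output and reports any `bridge-nf-call-*` knob that is off; the two sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original mail): verify that bridged traffic on a
# compute node is handed to iptables. Without this, two guests on the same
# Linux bridge can talk directly, bypassing nova's iptables security-group rules.

# Evaluate "key = value" lines as printed by `sysctl net.bridge`.
# Returns 0 when all three bridge-nf-call knobs are 1, otherwise prints the
# ones that are off (or missing) and returns 1.
check_bridge_nf() {
    input="$1"
    missing=0
    for key in net.bridge.bridge-nf-call-iptables \
               net.bridge.bridge-nf-call-ip6tables \
               net.bridge.bridge-nf-call-arptables; do
        # fields: key, "=", value
        value=$(printf '%s\n' "$input" | awk -v k="$key" '$1 == k { print $3 }')
        if [ "$value" != "1" ]; then
            echo "$key is '${value:-unset}' (expected 1)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample: only the IPv4 hook is on, so ARP and IPv6 between
# guests on the bridge would still bypass iptables/ip6tables/arptables.
SAMPLE_BAD='net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1'

# Constructed sample of a correctly configured node.
SAMPLE_GOOD='net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1'

# Live use on a compute node (the bridge module must be loaded for the keys
# to exist; on CentOS 6 they can be made persistent in /etc/sysctl.conf):
#   check_bridge_nf "$(sysctl net.bridge 2>/dev/null)" \
#       || echo "guest-to-guest traffic on this host bypasses iptables"
```

If the check fails, enabling the three knobs with `sysctl -w` and re-running the SSH test between the two guests is the quickest way to confirm whether this is the path the traffic is taking; if the knobs are already on, the bypass is elsewhere (for example in the driver or chain layout shown in the linked `iptables -n -L` paste).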