[Openstack] Security group rules not propagating to instances

Matt Kassawara mkassawara at gmail.com
Sat Dec 14 00:45:58 UTC 2013


Hmm... anyone else experienced this problem?


On Fri, Dec 6, 2013 at 1:05 PM, Matt Kassawara <mkassawara at gmail.com> wrote:

> I installed Havana with Neutron on Scientific Linux 6.4 using the official
> installation guide.  I added the following rules to the default security
> group to enable inbound ping and secure shell access to my instances with
> floating IPs:
>
> nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
> nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
>
> Output from "nova secgroup-list-rules default" shows the rules:
>
> +-------------+-----------+---------+-----------+--------------+
> | IP Protocol | From Port | To Port | IP Range  | Source Group |
> +-------------+-----------+---------+-----------+--------------+
> |             |           |         |           | default      |
> |             |           |         |           | default      |
> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
> | icmp        | -1        | -1      | 0.0.0.0/0 |              |
> +-------------+-----------+---------+-----------+--------------+
>
> However, after launching an instance and assigning a floating IP, I cannot
> ping the instance or access it via secure shell.  According to iptables on
> the compute node, no rules exist from the security group applied to the
> instance.
>
> # iptables -S neutron-openvswi-i58a501c3-4
> -N neutron-openvswi-i58a501c3-4
> -A neutron-openvswi-i58a501c3-4 -m state --state INVALID -j DROP
> -A neutron-openvswi-i58a501c3-4 -m state --state RELATED,ESTABLISHED -j RETURN
> -A neutron-openvswi-i58a501c3-4 -s 192.168.240.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
> -A neutron-openvswi-i58a501c3-4 -j neutron-openvswi-sg-fallback
>
> Meanwhile, I'm also running a similar deployment of Havana on Ubuntu
> 12.04, also built using the official installation guide.  According to
> iptables on the compute node, rules from the security group applied to the
> instance successfully propagate to it.  I can ping the instance and access
> it via secure shell.
>
> # iptables -S neutron-openvswi-ibd9ba559-2
> -N neutron-openvswi-ibd9ba559-2
> -A neutron-openvswi-ibd9ba559-2 -m state --state INVALID -j DROP
> -A neutron-openvswi-ibd9ba559-2 -m state --state RELATED,ESTABLISHED -j RETURN
> -A neutron-openvswi-ibd9ba559-2 -p icmp -j RETURN
> -A neutron-openvswi-ibd9ba559-2 -p tcp -m tcp --dport 22 -j RETURN
> -A neutron-openvswi-ibd9ba559-2 -s 192.168.240.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
> -A neutron-openvswi-ibd9ba559-2 -j neutron-openvswi-sg-fallback
>
> I haven't found any obvious errors in the logs on the Scientific Linux
> deployment.  Has anyone else experienced this problem?
>
> Thanks,
> Matt
>
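As an added example (not part of Matt's message or of Neutron itself), a small Python check that renders the two security-group rules from the thread into the iptables matches a port's ingress chain should contain and reports which ones are absent, so a compute node where the group did not propagate (only the fallback chain remains) is flagged automatically. The rendering format is an assumption derived from the Ubuntu output quoted above; the sample chains are the two outputs from the mail with the wrapped lines re-joined.

```python
import re

# "iptables -S <chain>" output for the two compute nodes quoted in the thread,
# with the mail's wrapped lines re-joined (constructed sample input).
SL_CHAIN = """\
-N neutron-openvswi-i58a501c3-4
-A neutron-openvswi-i58a501c3-4 -m state --state INVALID -j DROP
-A neutron-openvswi-i58a501c3-4 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i58a501c3-4 -s 192.168.240.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i58a501c3-4 -j neutron-openvswi-sg-fallback
"""
UBUNTU_CHAIN = """\
-N neutron-openvswi-ibd9ba559-2
-A neutron-openvswi-ibd9ba559-2 -m state --state INVALID -j DROP
-A neutron-openvswi-ibd9ba559-2 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ibd9ba559-2 -p icmp -j RETURN
-A neutron-openvswi-ibd9ba559-2 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-ibd9ba559-2 -s 192.168.240.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ibd9ba559-2 -j neutron-openvswi-sg-fallback
"""
# The two rules added to the "default" group: (proto, from_port, to_port, cidr).
SG_DEFAULT = [("icmp", -1, -1, "0.0.0.0/0"), ("tcp", 22, 22, "0.0.0.0/0")]

def sg_rule_to_iptables(proto, from_port, to_port, cidr):
    """Render a security-group rule as the match string the per-port ingress
    chain should contain. Assumed format, derived from the Ubuntu output."""
    parts = [] if cidr == "0.0.0.0/0" else ["-s", cidr]
    parts += ["-p", proto]
    if proto in ("tcp", "udp"):
        ports = str(from_port) if from_port == to_port else f"{from_port}:{to_port}"
        parts += ["-m", proto, "--dport", ports]
    return " ".join(parts + ["-j", "RETURN"])

def parse_chain(output):
    """Return (chain name, list of rule bodies) from 'iptables -S' text."""
    chain, rules = None, []
    for line in output.splitlines():
        if line.startswith("-N "):
            chain = line.split()[1]
        m = re.match(r"-A (\S+) (.*)$", line)
        if m:
            chain = chain or m.group(1)
            rules.append(m.group(2))
    return chain, rules

def missing_sg_rules(output, sg_rules):
    """Expected matches absent from the chain; an empty list means the group propagated."""
    _, present = parse_chain(output)
    return [r for r in (sg_rule_to_iptables(*s) for s in sg_rules) if r not in present]
```

Running `missing_sg_rules(SL_CHAIN, SG_DEFAULT)` on the Scientific Linux chain returns both expected matches as missing, while the Ubuntu chain returns an empty list.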