[Openstack] 'allow_same_net_traffic=True' seems to have no effect

Daniel Petersen daniel.petersen at hpc2n.umu.se
Thu Aug 21 11:54:39 UTC 2014



Two instances X and Y are members of security group A. Despite the
following explicit setting in nova.conf:


...the instances are only allowed to communicate according to the rules
defined in security group A.


I first noticed this attempting to run iperf between two instances in the
same security group; they were unable to connect via the default TCP port

They were able to ping. Looking at the rules for the security group they
are associated with, ping was allowed, so I then suspected the security
group rules were being applied to all communication, despite the instances
being in the same security group.

To test, I added rules to group A that allowed all communication, and
associated the rules with itself (i.e. security group A) and voila, they
could talk!

I then thought I had remembered incorrectly that by default all traffic is
allowed between instances in the same security group, so I double-checked
the documentation, but according to the documentation I had remembered
correctly:

allow_same_net_traffic = True (BoolOpt) Whether to allow network traffic
from same network

...I searched through my nova.conf files, but there was no
'allow_same_net_traffic' entry, so the default ought to be True, right?
Just to be sure, I explicitly added:

allow_same_net_traffic = True

to nova.conf and restarted nova services, but the security group rules are
still being applied to communication between instances that are associated
with the same security group.

I thought the 'default' security group might be a special case, so I tested
on another security group, but still get the same behaviour.

Is this a bug, or have I missed something here?
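
The scenario above, as an added example that is not part of the original post and not Nova's own code: a small Python model of how security-group ingress evaluation behaves for the poster's setup. It keeps two mechanisms separate so the difference between "same network" and "same security group" is visible: security-group rules that match by source CIDR or by source (remote) security group, as in the security-group API, and an optional "accept traffic from the same network" bypass modelled after the documented meaning of allow_same_net_traffic quoted above. Whether a particular deployment's firewall driver honours that option is not something the post settles, so the model leaves it as a caller-chosen flag. Instance names, addresses, subnets and the iperf port are constructed sample data.

```python
"""Model of security-group evaluation for the "same group, no traffic" case.

Added example, not code from the post or from Nova. Two independent checks:
  * security-group rules on the destination's groups, matched by source
    CIDR or by source (remote) security group;
  * an optional same-network bypass, modelled on the documented meaning of
    allow_same_net_traffic ("allow network traffic from same network").
Whether a real firewall driver applies the second check is an assumption
left to the caller; the model only shows what each mechanism would permit.
All instances, addresses, subnets and ports below are constructed data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, FrozenSet


@dataclass(frozen=True)
class Rule:
    """Ingress rule: optional protocol/port range, and cidr OR remote_group."""
    protocol: Optional[str] = None      # None = any protocol
    port_min: Optional[int] = None      # None = any port
    port_max: Optional[int] = None
    cidr: Optional[str] = None          # match by source address
    remote_group: Optional[str] = None  # match by source's security group


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    subnet: str
    groups: FrozenSet[str]


@dataclass
class Cloud:
    allow_same_net_traffic: bool = False
    instances: Dict[str, Instance] = field(default_factory=dict)
    group_rules: Dict[str, List[Rule]] = field(default_factory=dict)

    def add(self, inst: Instance) -> None:
        self.instances[inst.name] = inst

    def add_rule(self, group: str, rule: Rule) -> None:
        self.group_rules.setdefault(group, []).append(rule)

    @staticmethod
    def rule_matches(rule: Rule, src: Instance, proto: str, port: Optional[int]) -> bool:
        if rule.protocol is not None and rule.protocol != proto:
            return False
        if rule.port_min is not None and proto in ("tcp", "udp"):
            hi = rule.port_max if rule.port_max is not None else rule.port_min
            if port is None or not (rule.port_min <= port <= hi):
                return False
        if rule.cidr is not None:
            return ip_address(src.ip) in ip_network(rule.cidr)
        if rule.remote_group is not None:
            # "remote group" rules match any member of that group, which is
            # what makes intra-group traffic pass when the group lists itself.
            return rule.remote_group in src.groups
        return False

    def allowed(self, src_name: str, dst_name: str, proto: str,
                port: Optional[int] = None) -> bool:
        src, dst = self.instances[src_name], self.instances[dst_name]
        # Same-*network* bypass: keyed on the subnet, not on group membership.
        if self.allow_same_net_traffic and src.subnet == dst.subnet:
            return True
        # Otherwise only the destination's group rules can admit the traffic.
        return any(self.rule_matches(r, src, proto, port)
                   for g in dst.groups for r in self.group_rules.get(g, []))


IPERF_PORT = 5001  # constructed sample port for the TCP test (iperf2 default)


def scenario(allow_same_net_traffic: bool = False):
    """Replay the post: ping-only group A, then add a rule with remote group A."""
    cloud = Cloud(allow_same_net_traffic=allow_same_net_traffic)
    cloud.add(Instance("X", "10.0.0.11", "10.0.0.0/24", frozenset({"A"})))
    cloud.add(Instance("Y", "10.0.0.12", "10.0.0.0/24", frozenset({"A"})))
    cloud.add(Instance("Z", "10.0.1.5", "10.0.1.0/24", frozenset({"B"})))
    cloud.add_rule("A", Rule(protocol="icmp", cidr="0.0.0.0/0"))
    before = {
        "ping X->Y": cloud.allowed("X", "Y", "icmp"),
        "iperf X->Y": cloud.allowed("X", "Y", "tcp", IPERF_PORT),
        "iperf Z->Y": cloud.allowed("Z", "Y", "tcp", IPERF_PORT),
    }
    # The change the poster made: group A allows everything from group A.
    cloud.add_rule("A", Rule(remote_group="A"))
    after = {
        "iperf X->Y": cloud.allowed("X", "Y", "tcp", IPERF_PORT),
        "iperf Z->Y": cloud.allowed("Z", "Y", "tcp", IPERF_PORT),
    }
    return before, after


if __name__ == "__main__":
    for flag in (False, True):
        print("allow_same_net_traffic =", flag, scenario(flag))
```

With the bypass off, the model reproduces what the post observed: ping passes, iperf does not, and only the self-referencing "remote group A" rule opens the port between X and Y while Z stays blocked. With the bypass on, X and Y talk because they share a subnet, not because they share a group; a third instance on the same subnet but outside group A would be admitted too, which is the practical difference between the option's name and "same security group". The 2014-era nova CLI form of the self-referencing rule is `nova secgroup-add-group-rule A A tcp 1 65535`, one rule per protocol.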

