[Openstack] 'allow_same_net_traffic=True' seems to have no effect

Daniel Petersen daniel.petersen at hpc2n.umu.se
Thu Aug 21 11:54:39 UTC 2014


Greetings,

**brief**

Two instances X and Y are members of security group A. Despite the
following explicit setting in nova.conf:

allow_same_net_traffic=True

...the instances are only allowed to communicate according to the rules
defined in security group A.


**detail**

I first noticed this attempting to run iperf between two instances on the
same security network; they were unable to connect via the default TCP port
5001.

They were able to ping...looking at rules for the security group they
are associated with, ping was allowed, so I then suspected the security
group rules were being applied to all communication, despite them being on
the same security group.

To test, I added rules to group A that allowed all communication, and
associated the rules with itself (i.e. security group A) and voila, they
could talk!

I then thought I had remembered incorrectly that by default all traffic is
allowed between instances on the same security group, so I double-checked
the documentation, but according to the documentation I had remembered
correctly:

allow_same_net_traffic = True (BoolOpt) Whether to allow network traffic
from same network

...I searched through my nova.conf files, but there was no
'allow_same_net_traffic' entry, so the default ought to be True, right?
Just to be sure, I explicitly added:

allow_same_net_traffic = True

to nova.conf and restarted nova services, but the security group rules are
still being applied to communication between instances that are associated
with the same security group.

I thought the 'default' security group might be a special case, so I tested
on another security group, but still get the same behaviour.

Is this a bug, or have I missed something here?

//Daniel
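
Added example, not part of the original post: a simplified Python model of default-deny security-group ingress evaluation, reproducing the observation above that X and Y could ping but not reach TCP port 5001 until a rule naming group A as its own source was added. The class and function names, the IP addresses and the ICMP rule's 0.0.0.0/0 source are assumptions made for illustration; the model covers only rule matching, not the nova.conf option.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    protocol: str                        # "tcp", "udp", "icmp" or "any"
    ports: Optional[range] = None        # None = all ports / not applicable
    remote_cidr: Optional[str] = None    # source given as a CIDR ...
    remote_group: Optional[str] = None   # ... or as a security group name

@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: frozenset

def ingress_allowed(src, dst, protocol, port, group_rules):
    """Default-deny: True only if a rule of one of dst's groups matches."""
    for group in dst.groups:
        for rule in group_rules.get(group, []):
            if rule.protocol not in ("any", protocol):
                continue
            if rule.ports is not None and port not in rule.ports:
                continue
            if rule.remote_group is not None:
                # Group-sourced rule: the sender must be a member of that group.
                if rule.remote_group in src.groups:
                    return True
            elif rule.remote_cidr is not None:
                net = ipaddress.ip_network(rule.remote_cidr)
                if ipaddress.ip_address(src.ip) in net:
                    return True
    return False

# Constructed sample data (hypothetical addresses and rules).
X = Instance("X", "10.0.0.3", frozenset({"A"}))
Y = Instance("Y", "10.0.0.4", frozenset({"A"}))
rules_before = {"A": [Rule("icmp", remote_cidr="0.0.0.0/0")]}
# The test from the post: allow everything, with group A as its own source.
rules_after = {"A": rules_before["A"] + [Rule("any", remote_group="A")]}

def scenario():
    return {
        "ping_before": ingress_allowed(X, Y, "icmp", None, rules_before),
        "iperf_before": ingress_allowed(X, Y, "tcp", 5001, rules_before),
        "iperf_after": ingress_allowed(X, Y, "tcp", 5001, rules_after),
    }
```

In this model, sharing a group grants nothing by itself; only a rule whose source is that group opens traffic between its members, and instances outside the group stay blocked.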