Security groups with source groups no longer work

Bug #1216720 reported by Sam Morrison
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Critical | Vish Ishaya |
Grizzly | Fix Released | Critical | Vish Ishaya |

Bug Description

The fix for bug #1184041 has a side effect of breaking security group linking via source groups.

Example:

Secgroup "Server" has rule

+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
| tcp         | 8140      | 8140    |          | client       |
+-------------+-----------+---------+----------+--------------+

Instance A is running and is associated with the "Server" secgroup

Now if I create a new instance with the "client" security group it should add a rule to instance A to allow the new instance to talk to it.

This no longer gets added as it uses the cached version.

Tags: regression
ugvddm (271025598-9)
Changed in nova:
assignee: nobody → ugvddm (271025598-9)
Thierry Carrez (ttx) wrote :

Might also affect Folsom/Grizzly as the fix was backported

Changed in nova:
importance: Undecided → Critical
milestone: none → havana-3
status: New → Confirmed
tags: added: regression
ugvddm (271025598-9)
Changed in nova:
assignee: ugvddm (271025598-9) → nobody
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/45107

Changed in nova:
assignee: nobody → Vish Ishaya (vishvananda)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/45107
Committed: http://github.com/openstack/nova/commit/8679b2c8e7f9fddc31a74ad00f6705bca00a762b
Submitter: Jenkins
Branch: master

commit 8679b2c8e7f9fddc31a74ad00f6705bca00a762b
Author: Vishvananda Ishaya <email address hidden>
Date: Wed Sep 4 12:41:26 2013 -0700

    Refresh network info cache for secgroups

    Before updating security group rules, we need to make sure that
    the info cache is up-to-date. Without this source groups are not
    updated properly. This was a regression introduced in commit
    85aac04704350566d6b06aa7a3b99649946c672c which fixed a potential
    DOS using source groups.

    Fixes bug 1216720

    Change-Id: I6b5115df53f2e159ea506ef966cd49cedd35f83d
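
The failure described in this report, as an added example that is not nova's code and not part of the original bug thread: a simplified model in which source-group rules are expanded into per-IP rules using addresses read from a cache. The `Cloud` class, its methods, the instance names and the addresses are hypothetical and constructed for illustration; `stale_members` is an added audit check that lists source-group members no expanded rule covers.

```python
# Simplified model, not nova code: every name below is hypothetical.
# Constructed rule from the report: "Server" allows tcp/8140 from group "client".
RULES = {"Server": [("tcp", 8140, 8140, "client")]}


class Cloud:
    def __init__(self):
        self.instances = {}   # authoritative state: name -> (group, ip)
        self.info_cache = {}  # cached network info: name -> ip

    def boot(self, name, group, ip):
        self.instances[name] = (group, ip)  # the cache is not touched here

    def refresh_info_cache(self):
        self.info_cache = {n: ip for n, (_, ip) in self.instances.items()}

    def members(self, group):
        return sorted(n for n, (g, _) in self.instances.items() if g == group)

    def expand_rules(self, group):
        """Expand source-group rules into per-IP rules, reading IPs from the cache only."""
        expanded = []
        for proto, lo, hi, source in RULES.get(group, []):
            for name in self.members(source):
                ip = self.info_cache.get(name)
                if ip is not None:  # a member missing from the cache yields no rule
                    expanded.append((proto, lo, hi, ip + "/32"))
        return expanded

    def stale_members(self, group):
        """Audit check: source-group members that no expanded rule covers."""
        covered = {cidr for *_, cidr in self.expand_rules(group)}
        return [n for _, _, _, source in RULES.get(group, [])
                for n in self.members(source)
                if self.instances[n][1] + "/32" not in covered]


def scenario(refresh_before_update):
    cloud = Cloud()
    cloud.boot("A", "Server", "10.0.0.2")   # constructed addresses
    cloud.refresh_info_cache()
    cloud.boot("B", "client", "10.0.0.3")   # new member of the source group
    if refresh_before_update:
        cloud.refresh_info_cache()          # the step the commit message describes
    return cloud.expand_rules("Server"), cloud.stale_members("Server")


if __name__ == "__main__":
    print(scenario(False), scenario(True))
```

With the stale cache, instance A gets no rule for the new client and the audit reports it as uncovered; with the refresh, the tcp/8140 rule for the client's address appears.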

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/45274

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/grizzly)

Reviewed: https://review.openstack.org/45274
Committed: http://github.com/openstack/nova/commit/18f0264429e33f1f5165980de56bb37e49b2e336
Submitter: Jenkins
Branch: stable/grizzly

commit 18f0264429e33f1f5165980de56bb37e49b2e336
Author: Vishvananda Ishaya <email address hidden>
Date: Wed Sep 4 12:41:26 2013 -0700

    Refresh network info cache for secgroups

    Before updating security group rules, we need to make sure that
    the info cache is up-to-date. Without this source groups are not
    updated properly. This was a regression introduced in commit
    85aac04704350566d6b06aa7a3b99649946c672c which fixed a potential
    DOS using source groups.

    Fixes bug 1216720

    Conflicts:
     nova/network/manager.py
     nova/tests/network/test_manager.py

    Change-Id: I6b5115df53f2e159ea506ef966cd49cedd35f83d
    (cherry picked from commit 8679b2c8e7f9fddc31a74ad00f6705bca00a762b)

Thierry Carrez (ttx)
Changed in nova:
milestone: havana-3 → 2013.2
Sean Dague (sdague)
no longer affects: nova/folsom