security groups not enforced anymore

Bug #1252620 reported by Yair Fried
This bug affects 5 people
Affects    Status      Importance   Assigned to   Milestone
devstack   New         Undecided    Unassigned
neutron    Confirmed   High         Unassigned
tempest    New         Undecided    Unassigned

Bug Description

VM is reachable even though there's no ingress rule in its security group

How to reproduce:
1. empty security group (with only the 2 default egress rules)
2. VM booted into this secgroup

  OS_USERNAME=demo
  OS_TENANT_NAME=demo

  neutron net-create mynet
  neutron subnet-create mynet 10.100.0.0/24 --name mysubnet
  neutron router-create myrouter
  neutron router-gateway-set myrouter public
  neutron router-interface-add myrouter mysubnet

  neutron security-group-create mysecgroup
  nova boot myserver --flavor 2 --image c50f6f12-763b-4f55-891b-38efd3eede9e --security_groups mysecgroup --nic net-id=f630963e-2588-4810-b6b0-8eead5db3f02

  neutron floatingip-create public
  neutron port-list
  neutron floatingip-associate 13c42328-6586-4347-a564-0146253619b6 04a9d5de-d959-43c0-9fd7-76c495ea9623

  ping 172.24.4.229

Expected results:
VM should be unreachable.

Actual results:
VM is reachable via ping and ssh

Additional info:
to easily reproduce this bug simply run tempest test "scenario/test_network_basic_ops" after disabling rule creation in manager._create_security_group() (line 521)
https://review.openstack.org/#/c/57112/

**happens only in devstack and tempest neutron gate. not on my regular RHOS setup
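
The report boils down to an expected-versus-observed mismatch: the group carries only the two default egress rules, so no ingress should succeed, yet ping and ssh do. The following is an added example (not code from the bug report, Neutron or Tempest) that encodes the allow-list semantics of Neutron security-group rules and flags every probe that got through without a matching rule. The `SGRule` and `Probe` types, the probe set and the remote addresses are constructed for the example; the rule fields mirror what `neutron security-group-rule-list` shows.

```python
"""Expected-vs-observed reachability check for Neutron security groups.

Added example, not part of the bug report or of Neutron: it models Neutron
security groups as pure allow-lists and reports any probe that succeeded
although no rule permits it, which is the symptom described in the report.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class SGRule:
    """One security-group rule; unset fields act as wildcards."""
    direction: str                          # "ingress" or "egress"
    ethertype: str = "IPv4"                 # "IPv4" or "IPv6"
    protocol: Optional[str] = None          # None = any protocol
    port_range_min: Optional[int] = None    # None = any port
    port_range_max: Optional[int] = None    # None = same as port_range_min
    remote_ip_prefix: Optional[str] = None  # None = any remote address


@dataclass(frozen=True)
class Probe:
    """Observed result of one connectivity test against the VM (constructed)."""
    direction: str
    protocol: str
    port: Optional[int]        # None for protocols without ports (icmp)
    remote_ip: str
    reachable: bool


# The two rules every new security group gets: allow all IPv4 and IPv6 egress.
DEFAULT_EGRESS = [SGRule("egress", "IPv4"), SGRule("egress", "IPv6")]


def rule_matches(rule: SGRule, direction: str, protocol: str,
                 port: Optional[int], remote_ip: str) -> bool:
    """True if `rule` permits this traffic."""
    if rule.direction != direction:
        return False
    addr = ip_address(remote_ip)
    if rule.ethertype != ("IPv4" if addr.version == 4 else "IPv6"):
        return False
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if rule.port_range_min is not None:
        hi = rule.port_range_max if rule.port_range_max is not None else rule.port_range_min
        # A port-restricted rule cannot match a probe that carries no port.
        if port is None or not rule.port_range_min <= port <= hi:
            return False
    if rule.remote_ip_prefix is not None and addr not in ip_network(rule.remote_ip_prefix, strict=False):
        return False
    return True


def expected_allowed(rules: Iterable[SGRule], direction: str, protocol: str,
                     port: Optional[int], remote_ip: str) -> bool:
    """Security groups have no deny rules: traffic passes only if some rule matches."""
    return any(rule_matches(r, direction, protocol, port, remote_ip) for r in rules)


def enforcement_gaps(rules: Iterable[SGRule], probes: Iterable[Probe]) -> List[Probe]:
    """Return every probe that got through although the rules say it should not."""
    rules = list(rules)
    return [p for p in probes
            if p.reachable and not expected_allowed(rules, p.direction, p.protocol, p.port, p.remote_ip)]


# Constructed observations matching the report: the floating IP answers ping
# and accepts ssh although the group holds only the default egress rules.
BUG_PROBES = [
    Probe("ingress", "icmp", None, "172.24.4.1", reachable=True),
    Probe("ingress", "tcp", 22, "172.24.4.1", reachable=True),
    Probe("egress", "tcp", 443, "203.0.113.10", reachable=True),  # legitimately allowed
]

if __name__ == "__main__":
    for gap in enforcement_gaps(DEFAULT_EGRESS, BUG_PROBES):
        print("NOT ENFORCED:", gap)
```

Run it and the two ingress probes are reported; add an ingress rule for tcp/22 from 172.24.4.0/24 and only the ping probe remains a gap. The same function works as a regression check in a gate job: feed it the group's rules and the probe results, and any non-empty list means the datapath is not honouring the policy.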

Yair Fried (yfried)
description: updated
Revision history for this message
Akihiro Motoki (amotoki) wrote :

I think you use ML2 with OVS agent.

To make Neutron security groups with the OVS agent work we need the hybrid OVS bridge VIF driver, but recently the hybrid driver has been removed from Nova. As a result, no linux bridge is created for the VIF and the iptables rules are not enforced on traffic transferred on the OVS bridge.

To address this issue, we need to address bug 1112912 ASAP.
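
The diagnosis above is a datapath problem: iptables security-group rules are applied on the per-port linux bridge, so a tap device plugged straight into br-int carries traffic that iptables never sees. The following added example (not code from the bug report, Nova or Neutron) audits a compute node for that condition from two command outputs, `ovs-vsctl list-ports br-int` and `ip -o link`. The sample outputs and the second port UUID are constructed; the first port UUID is the one from the reproduction steps. The device naming convention it relies on (`tap`/`qbr`/`qvb`/`qvo` followed by the first 11 characters of the port UUID) is what the reference OVS agent and hybrid VIF driver use, and is an assumption of the example rather than something the page states.

```python
"""Datapath audit for Neutron/OVS hybrid plugging.

Added example, not part of the bug report, Nova or Neutron. For each Neutron
port it checks that the VM's tap device hangs off its qbr linux bridge and
that the qvo veth end (not the tap itself) is what sits on br-int. A tap
directly on br-int means the iptables security-group rules are bypassed.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample of `ovs-vsctl list-ports br-int`: one port plugged through
# the hybrid bridge (qvo...) and one plugged directly (tap...).
OVS_BR_INT_PORTS = """\
int-br-ex
patch-tun
qvo04a9d5de-d9
tap7b3e1c2a-55
"""

# Constructed, trimmed sample of `ip -o link` on the same node.
IP_LINK_OUTPUT = """\
5: qbr04a9d5de-d9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
6: qvb04a9d5de-d9@qvo04a9d5de-d9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master qbr04a9d5de-d9 state UP
7: tap04a9d5de-d9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master qbr04a9d5de-d9 state UNKNOWN
8: tap7b3e1c2a-55: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovs-system state UNKNOWN
"""

# Port UUIDs as `neutron port-list` would show them: the port from the report,
# and a constructed placeholder for the directly plugged one.
PORT_IDS = [
    "04a9d5de-d959-43c0-9fd7-76c495ea9623",
    "7b3e1c2a-55aa-4e0b-9c1d-0123456789ab",
]


def device_prefix(port_id: str) -> str:
    # Assumption: interface names are capped at 14 chars, so the agent keeps
    # 11 chars of the UUID after the 3-char prefix.
    return port_id[:11]


def parse_ovs_ports(text: str) -> Set[str]:
    """Port names from `ovs-vsctl list-ports` output."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_link_masters(text: str) -> Dict[str, str]:
    """Map each interface name to its `master` device from `ip -o link` lines."""
    masters: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\d+:\s+([^\s@:]+)(?:@\S+)?:.*?\bmaster\s+(\S+)", line)
        if m:
            masters[m.group(1)] = m.group(2)
    return masters


def check_port(port_id: str, ovs_ports: Set[str], masters: Dict[str, str]) -> Optional[str]:
    """Return None if the port traverses the hybrid bridge, else why it does not."""
    p = device_prefix(port_id)
    tap, qbr, qvo = f"tap{p}", f"qbr{p}", f"qvo{p}"
    if tap in ovs_ports:
        return f"{tap} is plugged directly into br-int; iptables rules are bypassed"
    if qvo not in ovs_ports:
        return f"{qvo} missing from br-int; port is not plugged via the hybrid bridge"
    if masters.get(tap) != qbr:
        return f"{tap} is not attached to {qbr} (master={masters.get(tap)})"
    return None


def audit(port_ids: Iterable[str], ovs_text: str, link_text: str) -> List[Tuple[str, str]]:
    """Return (port_id, reason) for every port whose traffic bypasses iptables."""
    ovs_ports = parse_ovs_ports(ovs_text)
    masters = parse_link_masters(link_text)
    findings = []
    for pid in port_ids:
        reason = check_port(pid, ovs_ports, masters)
        if reason:
            findings.append((pid, reason))
    return findings


if __name__ == "__main__":
    for pid, reason in audit(PORT_IDS, OVS_BR_INT_PORTS, IP_LINK_OUTPUT):
        print(f"{pid}: {reason}")
```

On a real node the two constants would be replaced by the live command outputs and `PORT_IDS` by the ports bound to that host; a non-empty result is the condition described in the comment, regardless of whether the iptables chains themselves exist.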

Changed in neutron:
status: New → Confirmed
importance: Undecided → High
milestone: none → icehouse-1
Akihiro Motoki (amotoki) wrote :

This bug itself can be solved if bug 1112912 is addressed, but this bug is about security group behavior.
I keep this bug open (and do not mark duplicated).

Akihiro Motoki (amotoki) wrote :

It only affects Icehouse. Removing deprecated VIF drivers was done after Icehouse is open.

Yair Fried (yfried)
description: updated
Akihiro Motoki (amotoki)
description: updated
Salvatore Orlando (salvatore-orlando) wrote :

The bug should therefore be: security groups not enforced anymore.

There is a related bug in nova I commented on (I seem to be unable to find it now).
Basically a recent devstack commit changed the security group driver to the Noop driver in nova when using neutron, which makes sense.

This uncovered an issue in vif.py for libvirt, where the generic driver uses the hybrid mode only when the value for the firewall_driver option in nova.conf is != NoOpFirewallDriver.

I am not sure what the best fix for it would be, but since the generic vif driver relies on port binding data, I think port binding should instruct it to use the hybrid driver.

Yair Fried (yfried)
summary: - security groups don't block unwanted traffic
+ security groups not enforced anymore
Salvatore Orlando (salvatore-orlando) wrote :

It seems the approach suggested in the previous comment is going to be implemented for bug 1122912, which already has an assignee.

This means we might mark this as duplicate, in my opinion.

Salvatore Orlando (salvatore-orlando) wrote :

errata: bug 1112912

Akihiro Motoki (amotoki) wrote :

It was suggested that I mark this as a duplicate.
