security groups not enforced anymore
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| devstack | New | Undecided | Unassigned | |
| neutron | Confirmed | High | Unassigned | |
| tempest | New | Undecided | Unassigned | |
Bug Description
VM is reachable even though there's no ingress rule in its security group
how to reproduce:
1. empty security group (with only the 2 default egress rules)
2. VM booted into this security group
OS_USERNAME=demo
OS_TENANT_
neutron net-create mynet
neutron subnet-create mynet 10.100.0.0/24 --name mysubnet
neutron router-create myrouter
neutron router-gateway-set myrouter public
neutron router-
neutron security-
nova boot myserver --flavor 2 --image c50f6f12-
neutron floatingip-create public
neutron port-list
neutron floatingip-
ping 172.24.4.229
Expected results:
VM should be unreachable.
Actual results:
VM is reachable via ping and ssh
Additional info:
to easily reproduce this bug simply run tempest test "scenario/
https:/
**happens only in devstack and tempest neutron gate. not on my regular RHOS setup
description: updated
summary:
- security groups don't block unwanted traffic
+ security groups not enforced anymore
I think you use ML2 with OVS agent.
To make Neutron Security group with OVS agent work we need the hybrid OVS bridge VIF driver, but recently the hybrid driver has been removed from Nova. As a result, no linux bridge is created for the VIF and iptables rules are not enforced on traffic transferred on the OVS bridge.
To address this issue, we need to address bug 1112912 ASAP.
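As an added example (not part of this bug report and not Neutron's own code), the following audit checks on a compute host the two conditions the comment above describes for each VM tap interface: that the tap is attached to a Linux bridge (the hybrid `qbr*` bridge) rather than plugged directly into OVS, and that iptables `physdev` rules hook that tap into the `neutron-openvswi-*` security-group chains. Both inputs (`ip -o link show` and `iptables-save` output) are constructed samples; the interface names, port ids and chain names follow the ML2/OVS hybrid naming convention but are assumptions, not values from the reporter's setup. A tap reported as `no_linux_bridge` is exactly the situation in this bug: the rules may exist, but traffic never crosses a Linux bridge, so they cannot match.

```python
import re

# Constructed sample of `ip -o link show` output (not captured from the reporter's host).
# tapabcd1234-ef sits on a hybrid Linux bridge, tapdead5678-90 is plugged straight into OVS,
# tap0000aaaa-11 sits on a Linux bridge but has no iptables hooks at all.
IP_LINK_SAMPLE = """\
5: qbrabcd1234-ef: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
6: tapabcd1234-ef: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master qbrabcd1234-ef state UNKNOWN mode DEFAULT qlen 500
7: tapdead5678-90: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovs-system state UNKNOWN mode DEFAULT qlen 500
8: qbr0000aaaa-11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
9: tap0000aaaa-11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master qbr0000aaaa-11 state UNKNOWN mode DEFAULT qlen 500
"""

# Constructed `iptables-save` excerpt: only the first port has security-group hooks.
# Chain names follow the neutron-openvswi-i<portid>/-o<portid> convention (assumed, not from the page).
IPTABLES_SAMPLE = """\
*filter
:FORWARD ACCEPT [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-sg-chain - [0:0]
:neutron-openvswi-iabcd1234-e - [0:0]
:neutron-openvswi-oabcd1234-e - [0:0]
-A FORWARD -j neutron-openvswi-FORWARD
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapabcd1234-ef --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapabcd1234-ef --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapabcd1234-ef --physdev-is-bridged -j neutron-openvswi-iabcd1234-e
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapabcd1234-ef --physdev-is-bridged -j neutron-openvswi-oabcd1234-e
-A neutron-openvswi-iabcd1234-e -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-iabcd1234-e -j DROP
COMMIT
"""

LINK_RE = re.compile(r"^\d+: ([^:@]+)(?:@\S+)?: <")
MASTER_RE = re.compile(r" master (\S+)")
PHYSDEV_RE = re.compile(r"--physdev-(?:in|out) (\S+)")


def parse_masters(ip_link_text):
    """Map each interface in `ip -o link` output to its master device (None if it has none)."""
    masters = {}
    for line in ip_link_text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        mm = MASTER_RE.search(line)
        masters[m.group(1)] = mm.group(1) if mm else None
    return masters


def hooked_taps(iptables_text):
    """Interfaces named in physdev rules that jump into a neutron-openvswi chain."""
    taps = set()
    for line in iptables_text.splitlines():
        if not line.startswith("-A ") or "-j neutron-openvswi-" not in line:
            continue
        taps.update(PHYSDEV_RE.findall(line))
    return taps


def audit(ip_link_text, iptables_text):
    """Classify every tap* interface as enforced, no_linux_bridge or no_iptables_hook.

    physdev matches only see frames that traverse a Linux bridge, so a tap whose
    master is not a qbr* bridge is unfiltered even if rules reference it.
    """
    masters = parse_masters(ip_link_text)
    hooked = hooked_taps(iptables_text)
    result = {}
    for iface, master in masters.items():
        if not iface.startswith("tap"):
            continue
        if master is None or not master.startswith("qbr"):
            result[iface] = "no_linux_bridge"
        elif iface not in hooked:
            result[iface] = "no_iptables_hook"
        else:
            result[iface] = "enforced"
    return result


if __name__ == "__main__":
    for tap, status in sorted(audit(IP_LINK_SAMPLE, IPTABLES_SAMPLE).items()):
        print(f"{tap}: {status}")
```

On a real host the two samples would be replaced by the output of `ip -o link show` and `iptables-save`; any tap that is not reported as `enforced` is a VM whose security group is not being applied, which is the reachable-with-empty-group symptom in the description above.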