Removed security group rules are still persistent on instances

Bug #1340194 reported by chinasubbareddy
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron | Expired | Undecided | Unassigned |

Bug Description

Even after removing the security group rules, we are able to do operations like ssh/ping on VMs.

Earlier, we added rules to allow ssh and ping, and then removed those rules.

Below is the log:

 nova list
+--------------------------------------+-------------+--------+------------+-------------+-----------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+-------------+--------+------------+-------------+-----------------------------+
| a1426d0a-07df-40c8-b883-3f5fb34bbec2 | testvm1-az1 | ACTIVE | None | Running | Net1=2.2.2.2, 10.233.53.105 |
| 329b0493-e1f9-4baa-bfc9-5ecf9c2d4687 | testvm1-az2 | ACTIVE | None | Running | Net1=2.2.2.4 |
+--------------------------------------+-------------+--------+------------+-------------+-----------------------------+
root@controller:~# nova show a1426d0a-07df-40c8-b883-3f5fb34bbec2
+--------------------------------------+----------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------+
| status | ACTIVE |
| updated | 2014-07-03T06:34:31Z |
| OS-EXT-STS:task_state | None |
| OS-EXT-SRV-ATTR:host | compute1 |
| key_name | None |
| image | CirrOS 0.3.1 (ea93e47e-558e-4baf-bea1-777b4814ca5d) |
| hostId | 64a50db012ab0b483697b85be03d02d66535ff2656170b6c8fb9a8f8 |
| Net1 network | 2.2.2.2, 10.233.53.105 |
| OS-EXT-STS:vm_state | active |
| OS-EXT-SRV-ATTR:instance_name | instance-00000018 |
| OS-SRV-USG:launched_at | 2014-07-03T06:34:31.000000 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | compute1 |
| flavor | myF1 (6) |
| id | a1426d0a-07df-40c8-b883-3f5fb34bbec2 |
| security_groups | [{u'name': u'default'}] | --------------------------> using default secgroup.
| OS-SRV-USG:terminated_at | None |
| user_id | 0dc64e9cfb07442b8d6ce7d518200d06 |
| name | testvm1-az1 |
| created | 2014-07-03T06:33:54Z |
| tenant_id | 8a5dee0f17204539a73987d6a8f255cd |
| OS-DCF:diskConfig | MANUAL |
| metadata | {} |
| os-extended-volumes:volumes_attached | [] |
| accessIPv4 | |
| accessIPv6 | |
| progress | 0 |
| OS-EXT-STS:power_state | 1 |
| OS-EXT-AZ:availability_zone | azhyd1 |
| config_drive | |
+--------------------------------------+----------------------------------------------------------+
root@controller:~# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
| | | | | default |
| | | | | default |
+-------------+-----------+---------+----------+--------------+
root@controller:~# ip netns exec qdhcp-acf1b559-0602-461f-8b86-9e7c5a7cec80 ping 2.2.2.2
PING 2.2.2.2 (2.2.2.2) 56(84) bytes of data.
64 bytes from 2.2.2.2: icmp_req=1 ttl=64 time=3.28 ms
64 bytes from 2.2.2.2: icmp_req=2 ttl=64 time=1.83 ms

We are using the Havana version of OpenStack on Ubuntu 12.04/64-bit.

Tags: sg-fw
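
The mismatch in this report can be checked mechanically. The sketch below is an example added here (not part of the report and not Neutron or Nova code): it parses a `nova secgroup-list-rules` table and flags a probe that succeeded although no listed rule permits it. The function names, the result labels, the probe source address 2.2.2.3 and the premise that the qdhcp namespace's port belongs to no security group are assumptions of the example.

```python
import ipaddress

# Constructed input: the rule table as printed in the report.
REPORTED = """\
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+
"""

def parse_rules(table):
    """Turn the CLI's ASCII table into a list of dicts keyed by column name."""
    rows = [[cell.strip() for cell in line.strip()[1:-1].split("|")]
            for line in table.splitlines() if line.lstrip().startswith("|")]
    return [dict(zip(rows[0], row)) for row in rows[1:]]

def rule_allows(rule, proto, port, src_ip, src_groups):
    """True if one ingress rule admits the packet described by the arguments."""
    if rule["IP Protocol"] and rule["IP Protocol"] != proto:
        return False
    # Port bounds only constrain tcp/udp; for icmp the columns hold type/code.
    if proto in ("tcp", "udp") and rule["From Port"]:
        if not int(rule["From Port"]) <= port <= int(rule["To Port"]):
            return False
    if rule["IP Range"]:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["IP Range"])
    if rule["Source Group"]:
        return rule["Source Group"] in src_groups
    return True  # no source restriction at all

def audit_probe(table, proto, port, src_ip, src_groups, reachable):
    """Compare what the rules say with what a probe actually observed."""
    allowed = any(rule_allows(r, proto, port, src_ip, src_groups)
                  for r in parse_rules(table))
    if reachable and not allowed:
        return "STALE-ALLOW"   # traffic passes with no rule permitting it
    if allowed and not reachable:
        return "BLOCKED-BUT-ALLOWED"
    return "CONSISTENT"

if __name__ == "__main__":
    # Assumptions: the probe source (the qdhcp namespace) has the constructed
    # address 2.2.2.3 and its port belongs to no security group.
    print(audit_probe(REPORTED, "icmp", None, "2.2.2.3", set(), reachable=True))
    print(audit_probe(REPORTED, "tcp", 22, "2.2.2.3", set(), reachable=True))
```

The check models only the rules listed in the table; anything the platform permits implicitly is outside its view, so a flagged result is a prompt to inspect the filtering on the compute host, not proof of a fault.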
Eugene Nikanorov (enikanorov) wrote :

Have you tested it for Icehouse?
You may try to look through bugs and see if this issue was fixed for newer versions.
I think it's 'won't fix' for Havana.

tags: added: gs-fw
Changed in neutron:
status: New → Incomplete
tags: added: sg-fw
removed: gs-fw
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired