[OSSA 2015-021] secgroup rules doesn't work for instance immediately (CVE-2015-7713)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | High | Sreekumar S |
OpenStack Security Advisory | Fix Released | Undecided | Tristan Cacqueray |
Bug Description
I have an OpenStack kilo setup on RHEL7.1 with a controller and a compute node (network-compute + network-
# /etc/nova/nova.conf on controller node
[DEFAULT]
network_api_class = nova.network.
security_group_api = nova
# /etc/nova/nova.conf on compute node
[DEFAULT]
network_api_class = nova.network.
security_group_api = nova
firewall_driver = nova.virt.
network_manager = nova.network.
network_size = 254
allow_same_
multi_host = True
send_arp_for_ha = True
share_dhcp_address = True
force_dhcp_release = True
flat_network_bridge = br100
flat_interface = eth0
public_interface = eth0
steps for test 1:
1) create and start VM instance-1 with secgroup default;
2) VM instance-1 ping br100: OK;
3) br100 ping VM instance-1: operation not permitted (because of no secgroup-rules for ICMP)
4) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
5) br100 ping VM instance-1: I got the same wrong message, not expected.
steps for test 2:
1) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0;
2) create and start VM instance-2 with secgroup default;
3) br100 ping instance-2: OK
It seems that the command "nova secgroup-add-rule ..." doesn't work immediately for existing or running VM instances?
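The two tests above boil down to one check on the compute node: after the rule is added, does every running instance's per-instance iptables chain carry the new ICMP ACCEPT, or only instances booted afterwards? The following is an added example (not code from the bug report or from nova) that parses an `iptables-save` dump and lists the instances whose chain still lacks the rule; the sample dump is constructed, and the chain naming scheme `nova-compute-inst-<instance id>` is an assumption about nova's iptables firewall driver.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables-save` (filter table) from the compute node
# after `nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0`. Chain naming
# "nova-compute-inst-<id>" is an assumption. Instance 1 was already running
# when the rule was added and never received it; instance 2 was booted later.
SAMPLE_DUMP = """\
*filter
:nova-compute-inst-1 - [0:0]
:nova-compute-inst-2 - [0:0]
-A nova-compute-inst-1 -m state --state INVALID -j DROP
-A nova-compute-inst-1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A nova-compute-inst-1 -j nova-compute-sg-fallback
-A nova-compute-inst-2 -m state --state INVALID -j DROP
-A nova-compute-inst-2 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A nova-compute-inst-2 -p icmp -s 0.0.0.0/0 -j ACCEPT
-A nova-compute-inst-2 -j nova-compute-sg-fallback
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*)$")


def rules_by_chain(dump: str) -> Dict[str, List[str]]:
    """Group the '-A <chain> <match/target>' lines of a dump by chain name."""
    chains: Dict[str, List[str]] = {}
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains


def chain_accepts_icmp(rules: List[str], cidr: str = "0.0.0.0/0") -> bool:
    """True if a rule ACCEPTs ICMP from `cidr`; a rule without -s matches any source."""
    for rule in rules:
        if "-p icmp" not in rule or "-j ACCEPT" not in rule:
            continue
        src = re.search(r"-s (\S+)", rule)
        if src is None or src.group(1) == cidr:
            return True
    return False


def instances_missing_icmp(dump: str, instance_ids: List[int]) -> List[int]:
    """Ids whose chain lacks the expected ICMP ACCEPT, i.e. stale firewall state."""
    chains = rules_by_chain(dump)
    return [i for i in instance_ids
            if not chain_accepts_icmp(chains.get(f"nova-compute-inst-{i}", []))]
```

Run against a real dump (`iptables-save | python3 -c ...`) on the compute host; a non-empty result for instances that existed before the rule was added reproduces the behaviour reported here.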
Changed in nova: assignee: nobody → Sreekumar S (sreesiv)
Changed in ossa: status: Incomplete → Triaged
Changed in nova: milestone: none → liberty-rc1; status: Fix Committed → Fix Released
summary: secgroup rules doesn't work for instance immediately → secgroup rules doesn't work for instance immediately (CVE-2015-7713)
summary: secgroup rules doesn't work for instance immediately (CVE-2015-7713) → [OSSA 2015-021] secgroup rules doesn't work for instance immediately (CVE-2015-7713)
Changed in ossa: status: In Progress → Fix Released
Changed in nova: milestone: liberty-rc1 → 12.0.0
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
So are new nova-network security-group rules supposed to be applied to existing instances?