Updating the security group rules is not reflected in the applicable running instances

Bug #1492264 reported by Murugan234
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Hi,

OpenStack Version: Kilo

Problem :
========

An instance has been created with the security group Sample_Group and it's running as per the rules in the security group. Modifying/updating the rules in the group isn't reflected in the running instances.

Query :
======

Is it possible to update/modify the security rules for a running instance without adding any new group to that instance?

Step/Terminal Output :
====================

[root@centos7-openstack keystone]# nova secgroup-list-rules Sample_Group
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp | 22 | 22 | 203.0.113.0/24 | |
| icmp | -1 | -1 | 203.0.113.0/24 | |
+-------------+-----------+---------+----------------+--------------+

[root@centos7-openstack keystone]# nova boot --flavor m1.tiny --image cirros-0.3.4-x86_64 --nic net-id=d0902d54-e00d-4c54-a4a0-9a63c8102039 --security-group Sample_Group --key-name demo-key demo-instance3
+--------------------------------------+------------------------------------------------------------+
| Property | Value |
+--------------------------------------+------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | - |
| OS-EXT-SRV-ATTR:hypervisor_hostname | - |
| OS-EXT-SRV-ATTR:instance_name | instance-0000000a |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | - |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| adminPass | fmHZXR638udt |
| config_drive | |
| created | 2015-09-04T12:53:12Z |
| flavor | m1.tiny (1) |
| hostId | |
| id | 92623f86-600c-4a3e-bdcb-b308bd1747de |
| image | cirros-0.3.4-x86_64 (44fc5cb7-62ea-4ced-95fe-cabaedcf583d) |
| key_name | demo-key |
| metadata | {} |
| name | demo-instance3 |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| security_groups | Sample_Group |
| status | BUILD |
| tenant_id | e91aeb7cdcf1410e9a70be9a4003c5d9 |
| updated | 2015-09-04T12:53:12Z |
| user_id | 6ea371c469ee41b7adcff4b7c5a9c211 |
+--------------------------------------+------------------------------------------------------------+

[root@centos7-openstack keystone]# nova list
+--------------------------------------+----------------+--------+------------+-------------+-----------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+----------------+--------+------------+-------------+-----------------------+
| 080c3068-4afa-453a-ad84-8f15051fb9d3 | demo-instance1 | ACTIVE | - | Running | demo-net=203.0.113.26 |
| 92623f86-600c-4a3e-bdcb-b308bd1747de | demo-instance3 | ACTIVE | - | Running | demo-net=203.0.113.27 |
+--------------------------------------+----------------+--------+------------+-------------+-----------------------+
[root@centos7-openstack keystone]# ping 203.0.113.27
PING 203.0.113.27 (203.0.113.27) 56(84) bytes of data.
64 bytes from 203.0.113.27: icmp_seq=1 ttl=64 time=4.56 ms
64 bytes from 203.0.113.27: icmp_seq=2 ttl=64 time=0.757 ms
64 bytes from 203.0.113.27: icmp_seq=3 ttl=64 time=0.728 ms

[root@centos7-openstack keystone]# nova secgroup-delete-rule Sample_Group icmp -1 -1 203.0.113.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------------+--------------+
| icmp | -1 | -1 | 203.0.113.0/24 | |
+-------------+-----------+---------+----------------+--------------+
[root@centos7-openstack keystone]# nova secgroup-list-rules Sample_Group
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp | 22 | 22 | 203.0.113.0/24 | |
+-------------+-----------+---------+----------------+--------------+
[root@centos7-openstack keystone]# ping 203.0.113.27
PING 203.0.113.27 (203.0.113.27) 56(84) bytes of data.
64 bytes from 203.0.113.27: icmp_seq=1 ttl=64 time=2.35 ms
64 bytes from 203.0.113.27: icmp_seq=2 ttl=64 time=0.995 ms
64 bytes from 203.0.113.27: icmp_seq=3 ttl=64 time=0.683 ms
64 bytes from 203.0.113.27: icmp_seq=4 ttl=64 time=0.588 ms
64 bytes from 203.0.113.27: icmp_seq=5 ttl=64 time=0.614 ms

Regards
Jeya Murugan B
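
A check for the mismatch reported above, added here as an example and not part of the original report or of nova: it parses `nova secgroup-list-rules` table text and compares the configured ICMP policy with what a ping probe observed. The tables and ping lines are copied from the report; `PROBE_SRC` (the address of the host that ran ping) and the function names are assumptions.

```python
import ipaddress

# Assumed address of the host that ran ping; the report does not state it.
PROBE_SRC = "203.0.113.1"
# Rule tables and ping output as shown in the report (borders omitted).
RULES_BEFORE = """\
| IP Protocol | From Port | To Port | IP Range | Source Group |
| tcp | 22 | 22 | 203.0.113.0/24 | |
| icmp | -1 | -1 | 203.0.113.0/24 | |
"""
RULES_AFTER = """\
| IP Protocol | From Port | To Port | IP Range | Source Group |
| tcp | 22 | 22 | 203.0.113.0/24 | |
"""
PING_AFTER = """\
PING 203.0.113.27 (203.0.113.27) 56(84) bytes of data.
64 bytes from 203.0.113.27: icmp_seq=1 ttl=64 time=2.35 ms
64 bytes from 203.0.113.27: icmp_seq=2 ttl=64 time=0.995 ms
"""

def parse_rules(table):
    """Turn `nova secgroup-list-rules` table text into a list of dicts."""
    lines = [l.strip() for l in table.splitlines() if l.strip().startswith("|")]
    cells = [[c.strip() for c in l[1:-1].split("|")] for l in lines]
    if not cells:
        return []
    return [dict(zip(cells[0], row)) for row in cells[1:]]

def permits(rules, protocol, src_ip):
    """True if a CIDR rule allows `protocol` from src_ip.
    Port ranges and Source Group rules are not evaluated here."""
    src = ipaddress.ip_address(src_ip)
    return any(r["IP Protocol"] == protocol and r["IP Range"]
               and src in ipaddress.ip_network(r["IP Range"]) for r in rules)

def icmp_enforcement(rules_table, ping_output, src_ip=PROBE_SRC):
    """Compare the configured ICMP policy with the observed ping replies."""
    allowed = permits(parse_rules(rules_table), "icmp", src_ip)
    replies = sum("bytes from" in l for l in ping_output.splitlines())
    if replies and not allowed:
        return "STALE_ALLOW"   # traffic passes although no rule permits it
    return "CONSISTENT"

if __name__ == "__main__":
    print(icmp_enforcement(RULES_AFTER, PING_AFTER))
```

`STALE_ALLOW` is the fail-open case from the report: the rule list no longer permits ICMP from the probe's network, yet replies still arrive.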

tags: added: network security-groups