Swarm security groups block container traffic

Bug #1501038 reported by Daneyon Hansen
Affects: Magnum
Status: Fix Released
Importance: Critical
Assigned to: Daneyon Hansen

Bug Description

The swarm baytype implements the following security groups:

https://github.com/openstack/magnum/blob/master/magnum/templates/docker-swarm/swarm.yaml#L160-L171
https://github.com/openstack/magnum/blob/master/magnum/templates/docker-swarm/swarmnode.yaml#L108-L119

Since the security group only allows icmp, ssh and swarm-mgr traffic, traffic between containers is being blocked. For example:

1. I deploy the test image:
$ docker -H tcp://10.0.0.3:2376 --tlsverify --tlscacert=/etc/docker/ca.crt --tlskey=/etc/docker/server.key --tlscert=/etc/docker/server.crt run -d --name test1 -p 80 larsks/thttpd

I verify the container is running:
# docker -H tcp://10.0.0.3:2376 --tlsverify --tlscacert=/etc/docker/ca.crt --tlskey=/etc/docker/server.key --tlscert=/etc/docker/server.crt ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
11ee90039924 larsks/thttpd:latest "/thttpd -D -l /dev/ 5 seconds ago Up Less than a second 10.0.0.4:49153->80/tcp sw-xmk2cyxjtix-0-psjiwilz52ko-swarm-node-r72nkvzppqoq.novalocal/test1

I should be able to curl the container using 10.0.0.4:49153, but I can't because neutron is blocking the traffic.
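The description above boils down to a rule-evaluation question: Neutron security groups are default-deny for ingress, so a node group that only admits ICMP, SSH and the Swarm manager port rejects the TCP connection to the host port (49153 here) that Docker publishes for the container. The following evaluator is an added example written for this page; it is not part of the bug report, the Magnum templates, or the merged fix. It models ingress rules, checks the restricted rule set from the report against the published port, and contrasts it with two alternatives: the fully open group the merged patch settled on, and a narrower group that only adds a published-port range from the bay subnet. Assumptions, labelled as such: the Swarm manager port is taken to be 2376 (the port in the reporter's docker -H command), and the 49153-65535 range and 10.0.0.0/24 subnet in the narrow rule are constructed illustrations, not values from the Magnum templates.

```python
"""Added example: evaluate Neutron-style ingress security group rules.

Not code from the Magnum project or the bug report. The rule sets below are
reconstructed from the report's description (icmp, ssh, swarm-mgr) plus
labelled assumptions for the ports and subnet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One ingress rule. protocol None means any protocol; port bounds
    None mean any port (only meaningful for tcp/udp)."""
    protocol: Optional[str]
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_cidr: str = "0.0.0.0/0"


def rule_matches(rule: Rule, protocol: str, port: Optional[int], source_ip: str) -> bool:
    """True if this single rule admits the given packet."""
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if ip_address(source_ip) not in ip_network(rule.remote_cidr):
        return False
    # Port bounds only constrain tcp/udp; icmp and 'any' rules ignore them.
    if rule.protocol in ("tcp", "udp") and rule.port_min is not None:
        if port is None or not (rule.port_min <= port <= rule.port_max):
            return False
    return True


def is_allowed(rules: List[Rule], protocol: str, port: Optional[int],
               source_ip: str = "10.0.0.3") -> bool:
    """Neutron security groups are default-deny for ingress: traffic passes
    only if at least one rule matches. Default source is the other bay node
    from the report (constructed for the example)."""
    return any(rule_matches(r, protocol, port, source_ip) for r in rules)


def blocked_ports(rules: List[Rule], ports: List[int], protocol: str = "tcp",
                  source_ip: str = "10.0.0.3") -> List[int]:
    """Return the subset of ports the rule set would reject."""
    return [p for p in ports if not is_allowed(rules, protocol, p, source_ip)]


# Rule set as described in the report: icmp, ssh and swarm-manager traffic only.
# 2376 as the manager port is an assumption taken from the docker -H command.
RESTRICTED_RULES = [
    Rule("icmp"),
    Rule("tcp", 22, 22),
    Rule("tcp", 2376, 2376),
]

# What the merged fix did: open the group to all traffic.
OPEN_RULES = [Rule(None)]

# A narrower alternative (constructed, not from the fix): keep the restricted
# rules and additionally admit a published-port range from the bay subnet.
NARROW_RULES = RESTRICTED_RULES + [Rule("tcp", 49153, 65535, "10.0.0.0/24")]


if __name__ == "__main__":
    published_port = 49153  # host port from the 'docker ps' output in the report
    for name, rules in (("restricted", RESTRICTED_RULES),
                        ("open", OPEN_RULES),
                        ("narrow", NARROW_RULES)):
        verdict = "allowed" if is_allowed(rules, "tcp", published_port) else "blocked"
        print(f"{name:10s} tcp/{published_port} from 10.0.0.3: {verdict}")
    print("restricted blocks:", blocked_ports(RESTRICTED_RULES, [22, 2376, published_port]))
```

The restricted set admits 22 and 2376 but rejects 49153, which is exactly the symptom in the report; the open set admits everything, and the narrow set admits the published port from inside the subnet while still rejecting it from an outside address.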

Changed in magnum:
assignee: nobody → Daneyon Hansen (danehans)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/229134

Changed in magnum:
status: New → In Progress
Adrian Otto (aotto)
Changed in magnum:
status: In Progress → Triaged
importance: Undecided → Critical
milestone: none → liberty-3
OpenStack Infra (hudson-openstack) wrote: Fix merged to magnum (master)

Reviewed: https://review.openstack.org/229134
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=7c00f56a6a57c9bdaad80e36a3b8eb29671b4138
Submitter: Jenkins
Branch: master

commit 7c00f56a6a57c9bdaad80e36a3b8eb29671b4138
Author: Daneyon Hansen <email address hidden>
Date: Tue Sep 29 20:10:45 2015 +0000

    Fixes Neutron security groups for Swarm Bay type

    Previously, the security group rules were blocking all traffic
    except ssh, icmp and swarm-manager traffic. This causes container
    traffic to be blocked. This patch opens up the security rules
    until a better solution can be developed to secure Magnum nodes
    while allowing containers to communicate freely.

    Closes-bug: #1501038

    Change-Id: Idc20201b7e1928101629fc6231fd8a9c9070ba33

Changed in magnum:
status: Triaged → Fix Committed
Adrian Otto (aotto)
Changed in magnum:
status: Fix Committed → Fix Released