"source-group" option in euca-authorize does not function
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | High | Soren Hansen | |
Bug Description
On specifying the -o <source_group_name> or --source-
Steps to Test:
1) Launch one VM instance
2) Associate a floating IP address, say '10.2.3.96', to the VM instance
3) Add a security group, say 'icmpgroup'
```
$ euca-add-group icmpgroup -d "test group"
```
4) Add a rule to allow ICMP access from 10.2.3.0/24 for the icmpgroup security group
```
$ euca-authorize -P icmp -t -1:-1 -s 10.2.3.0/24 icmpgroup
```
5) Add a rule that names the icmpgroup security group with the -o parameter to allow access to the default group
```
$ euca-authorize -P icmp -t -1:-1 -o icmpgroup default
```
6) Check whether everything was added properly or not using euca-describe-
```
root@
GROUP admin default default
PERMISSION admin default ALLOWS icmp -1 -1 GRPNAME icmpgroup
GROUP admin icmpgroup test group
PERMISSION admin icmpgroup ALLOWS icmp -1 -1 FROM CIDR 10.2.3.0/24
```
It looks good till now.
7) Try to ping the VM instance using the floating IP address 10.2.3.96.
Ping is NOT successful.
To verify whether the icmp rule was added properly or not, I checked the iptables on the compute node and found out that the icmp rules weren't added.
Compute node iptables
-------
```
root@ubuntu-
Chain INPUT (policy ACCEPT)
target prot opt source destination
nova-compute-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- 0.0.0.0/0 0.0.0.0/0
nova-compute-
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- 0.0.0.0/0 0.0.0.0/0
nova-compute-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain nova-compute-
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain nova-compute-INPUT (1 references)
target prot opt source destination
Chain nova-compute-OUTPUT (1 references)
target prot opt source destination
Chain nova-compute-
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 10.0.0.1 0.0.0.0/0 udp spt:67 dpt:68
ACCEPT all -- 10.0.0.0/27 0.0.0.0/0
nova-compute-
Chain nova-compute-local (1 references)
target prot opt source destination
nova-compute-
Chain nova-compute-
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain nova-filter-top (2 references)
target prot opt source destination
nova-compute-local all -- 0.0.0.0/0 0.0.0.0/0
```
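The check the reporter performs by hand in steps 6 and 7 (the permission is listed by euca-describe-groups, yet no matching iptables rule exists on the compute node) can be automated. The following is an added example, not code from nova or from this bug report: it expands EC2-style rules into the per-instance iptables rules a firewall driver is expected to write, with a source-group rule (`-o GROUP`) expanded into one rule per fixed IP of the referenced group's members, and reports which expected rules an iptables-save style dump lacks. The group names, rule types and the 10.2.3.0/24 CIDR come from the report; the instance fixed IPs (10.0.0.3, 10.0.0.4), the `nova-compute-inst-*` chain names, the group-to-chain mapping and the dump text are constructed for illustration.

```python
"""Added example (not nova's own code): expand EC2-style security group rules
into the per-instance iptables rules nova's libvirt firewall driver should
materialize, and report which ones an iptables-save dump lacks.
Group names and the 10.2.3.0/24 CIDR come from the report; instance IPs, the
nova-compute-inst-* chain names and the dump text are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    protocol: str                     # 'icmp', 'tcp' or 'udp'
    from_port: int                    # icmp type / first port; -1 = any
    to_port: int                      # icmp code / last port
    cidr: Optional[str] = None        # "euca-authorize -s CIDR"
    group_name: Optional[str] = None  # "euca-authorize -o GROUP" (source group)


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)
    members: Set[str] = field(default_factory=set)  # fixed IPs of member instances


def render_rule(rule: Rule, source: str) -> str:
    """One ACCEPT rule in the argument form iptables-save prints."""
    args = f"-s {source} -p {rule.protocol}"
    if rule.protocol == "icmp":
        if rule.from_port != -1:          # -1:-1 means any type/code: no match needed
            args += f" --icmp-type {rule.from_port}/{rule.to_port}"
    else:
        args += f" --dport {rule.from_port}:{rule.to_port}"
    return args + " -j ACCEPT"


def expected_rules(group: SecurityGroup, groups: Dict[str, SecurityGroup]) -> List[str]:
    """Rules each instance in `group` should carry in its per-instance chain.

    A CIDR rule is one iptables rule. A source-group rule has no CIDR of its
    own and must be expanded into one rule per fixed IP of the referenced
    group's members; skip that expansion and euca-describe-groups still shows
    the permission while no packet is ever accepted because of it.
    """
    out: List[str] = []
    for rule in group.rules:
        if rule.cidr is not None:
            out.append(render_rule(rule, rule.cidr))
        elif rule.group_name is not None:
            src = groups.get(rule.group_name)
            for ip in sorted(src.members if src else ()):
                out.append(render_rule(rule, f"{ip}/32"))
    return out


def rules_in_chain(dump: str, chain: str) -> List[str]:
    """Rule arguments appended to `chain` in iptables-save output."""
    prefix = f"-A {chain} "
    return [ln[len(prefix):].strip() for ln in dump.splitlines() if ln.startswith(prefix)]


def missing_rules(group: SecurityGroup, groups: Dict[str, SecurityGroup],
                  dump: str, chain: str) -> List[str]:
    """Expected rules for `group` that are absent from the instance chain."""
    present = set(rules_in_chain(dump, chain))
    return [r for r in expected_rules(group, groups) if r not in present]


# Constructed scenario mirroring steps 3-5: a second VM placed in icmpgroup
# so the source-group rule on 'default' has something to expand to.
GROUPS: Dict[str, SecurityGroup] = {
    "icmpgroup": SecurityGroup("icmpgroup",
                               [Rule("icmp", -1, -1, cidr="10.2.3.0/24")],   # step 4
                               {"10.0.0.4"}),
    "default": SecurityGroup("default",
                             [Rule("icmp", -1, -1, group_name="icmpgroup")],  # step 5
                             {"10.0.0.3"}),
}
INSTANCE_CHAINS = {"nova-compute-inst-1": "default", "nova-compute-inst-2": "icmpgroup"}

# Constructed iptables-save excerpt: the CIDR rule was written for the
# icmpgroup instance, but the source-group rule for the default instance
# was never expanded, which is the failure the report describes.
DUMP = """\
*filter
-A nova-compute-inst-1 -m state --state INVALID -j DROP
-A nova-compute-inst-1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-1 -j nova-compute-sg-fallback
-A nova-compute-inst-2 -m state --state INVALID -j DROP
-A nova-compute-inst-2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-2 -s 10.2.3.0/24 -p icmp -j ACCEPT
-A nova-compute-inst-2 -j nova-compute-sg-fallback
COMMIT
"""


def audit(dump: str = DUMP) -> Dict[str, List[str]]:
    """Map each instance chain to the rules it should have but lacks."""
    return {chain: missing_rules(GROUPS[g], GROUPS, dump, chain)
            for chain, g in INSTANCE_CHAINS.items()}


if __name__ == "__main__":
    for chain, missing in audit().items():
        print(chain, "OK" if not missing else "MISSING: " + "; ".join(missing))
```

Run against the constructed dump, the audit reports the icmpgroup instance's chain as complete and the default instance's chain as missing the rule `-s 10.0.0.4/32 -p icmp -j ACCEPT`, which is the per-member expansion of the `-o icmpgroup` permission. On a real host, `iptables-save` output would be fed in place of `DUMP`; note that iptables-save normalizes argument order and address masks, so the string comparison used here is a simplification that holds for the rule shapes shown.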
Related branches
- Jesse Andrews (community): Approve
- Vish Ishaya (community): Approve

Diff: 305 lines (+91/-27), 6 files modified:
- nova/compute/api.py (+6/-8)
- nova/db/sqlalchemy/models.py (+5/-0)
- nova/network/manager.py (+20/-1)
- nova/tests/test_libvirt.py (+33/-8)
- nova/tests/test_network.py (+4/-0)
- nova/virt/libvirt/firewall.py (+23/-10)
Changed in nova:
- importance: Undecided → High
- status: New → Confirmed

Changed in nova:
- milestone: none → diablo-3
- assignee: nobody → Soren Hansen (soren)

Changed in nova:
- milestone: diablo-3 → diablo-4
- status: Confirmed → In Progress

Changed in nova:
- status: In Progress → Fix Committed

Changed in nova:
- milestone: diablo-4 → 2011.3
- status: Fix Committed → Fix Released
I've experienced this issue as well. It's not just with floating IPs. If you have --allow_project_net_traffic=false, VMs in the same project cannot talk to each other unless explicitly allowed by IP, even on their DHCP-assigned addresses. It appears to be the same issue (source group chain is not applied).