| 2013-11-19 07:23:12 |
Yair Fried |
bug |
|
|
added bug |
| 2013-11-19 08:22:15 |
Yair Fried |
bug task added |
|
neutron |
|
| 2013-11-19 08:22:28 |
Yair Fried |
bug task added |
|
tempest |
|
| 2013-11-19 09:32:30 |
Yair Fried |
description |
VM is reachable even though there's no ingress rule in its security group
how to reproduce:
1. empty security group (with 2 only default egress rules)
2. VM booted to this secgorup
Expected results:
VM should be unreachable.
Actual results:
VM is reachable via ping and ssh
Additional info:
to easily reproduce this bug simply run tempest test "scenario/test_network_basic_ops" after disabling rule creation in manager._create_security_group() (line 521)
**happens only in devstack and tempest neutron gate. not on my regular RHOS setup |
VM is reachable even though there's no ingress rule in its security group
how to reproduce:
1. empty security group (with 2 only default egress rules)
2. VM booted to this secgorup
OS_USERNAME=demo
OS_TENANT_NAME=demo
neutron net-create mynet
neutron subnet-create mynet 10.100.0.0/24 --name mysubnet
neutron router-create myrouter
neutron router-gateway-set myrouter public
neutron router-interface-add myrouter mynet
neutron subnet-list
neutron router-interface-add myrouter mysubnet
neutron security-group-create mysecgroup
nova boot myserver --flavor 2 --image c50f6f12-763b-4f55-891b-38efd3eede9e --security_groups mysecgroup --nic net-id=f630963e-2588-4810-b6b0-8eead5db3f02
neutron floatingip-create public
neutron port-list
neutron floatingip-associate 13c42328-6586-4347-a564-0146253619b6 04a9d5de-d959-43c0-9fd7-76c495ea9623
ping 172.24.4.229
Expected results:
VM should be unreachable.
Actual results:
VM is reachable via ping and ssh
Additional info:
to easily reproduce this bug simply run tempest test "scenario/test_network_basic_ops" after disabling rule creation in manager._create_security_group() (line 521)
**happens only in devstack and tempest neutron gate. not on my regular RHOS setup |
|
| 2013-11-19 11:13:12 |
Akihiro Motoki |
neutron: status |
New |
Confirmed |
|
| 2013-11-19 11:13:35 |
Akihiro Motoki |
neutron: importance |
Undecided |
High |
|
| 2013-11-19 11:13:42 |
Akihiro Motoki |
neutron: milestone |
|
icehouse-1 |
|
| 2013-11-19 11:36:35 |
Yair Fried |
description |
VM is reachable even though there's no ingress rule in its security group
how to reproduce:
1. empty security group (with 2 only default egress rules)
2. VM booted to this secgorup
OS_USERNAME=demo
OS_TENANT_NAME=demo
neutron net-create mynet
neutron subnet-create mynet 10.100.0.0/24 --name mysubnet
neutron router-create myrouter
neutron router-gateway-set myrouter public
neutron router-interface-add myrouter mynet
neutron subnet-list
neutron router-interface-add myrouter mysubnet
neutron security-group-create mysecgroup
nova boot myserver --flavor 2 --image c50f6f12-763b-4f55-891b-38efd3eede9e --security_groups mysecgroup --nic net-id=f630963e-2588-4810-b6b0-8eead5db3f02
neutron floatingip-create public
neutron port-list
neutron floatingip-associate 13c42328-6586-4347-a564-0146253619b6 04a9d5de-d959-43c0-9fd7-76c495ea9623
ping 172.24.4.229
Expected results:
VM should be unreachable.
Actual results:
VM is reachable via ping and ssh
Additional info:
to easily reproduce this bug simply run tempest test "scenario/test_network_basic_ops" after disabling rule creation in manager._create_security_group() (line 521)
**happens only in devstack and tempest neutron gate. not on my regular RHOS setup |
VM is reachable even though there's no ingress rule in its security group
how to reproduce:
1. empty security group (with 2 only default egress rules)
2. VM booted to this secgorup
OS_USERNAME=demo
OS_TENANT_NAME=demo
neutron net-create mynet
neutron subnet-create mynet 10.100.0.0/24 --name mysubnet
neutron router-create myrouter
neutron router-gateway-set myrouter public
neutron router-interface-add myrouter mynet
neutron subnet-list
neutron router-interface-add myrouter mysubnet
neutron security-group-create mysecgroup
nova boot myserver --flavor 2 --image c50f6f12-763b-4f55-891b-38efd3eede9e --security_groups mysecgroup --nic net-id=f630963e-2588-4810-b6b0-8eead5db3f02
neutron floatingip-create public
neutron port-list
neutron floatingip-associate 13c42328-6586-4347-a564-0146253619b6 04a9d5de-d959-43c0-9fd7-76c495ea9623
ping 172.24.4.229
Expected results:
VM should be unreachable.
Actual results:
VM is reachable via ping and ssh
Additional info:
to easily reproduce this bug simply run tempest test "scenario/test_network_basic_ops" after disabling rule creation in manager._create_security_group() (line 521)
https://review.openstack.org/#/c/57112/
**happens only in devstack and tempest neutron gate. not on my regular RHOS setup |
|
| 2013-11-19 11:55:24 |
Akihiro Motoki |
description |
VM is reachable even though there's no ingress rule in its security group
how to reproduce:
1. empty security group (with 2 only default egress rules)
2. VM booted to this secgorup
OS_USERNAME=demo
OS_TENANT_NAME=demo
neutron net-create mynet
neutron subnet-create mynet 10.100.0.0/24 --name mysubnet
neutron router-create myrouter
neutron router-gateway-set myrouter public
neutron router-interface-add myrouter mynet
neutron subnet-list
neutron router-interface-add myrouter mysubnet
neutron security-group-create mysecgroup
nova boot myserver --flavor 2 --image c50f6f12-763b-4f55-891b-38efd3eede9e --security_groups mysecgroup --nic net-id=f630963e-2588-4810-b6b0-8eead5db3f02
neutron floatingip-create public
neutron port-list
neutron floatingip-associate 13c42328-6586-4347-a564-0146253619b6 04a9d5de-d959-43c0-9fd7-76c495ea9623
ping 172.24.4.229
Expected results:
VM should be unreachable.
Actual results:
VM is reachable via ping and ssh
Additional info:
to easily reproduce this bug simply run tempest test "scenario/test_network_basic_ops" after disabling rule creation in manager._create_security_group() (line 521)
https://review.openstack.org/#/c/57112/
**happens only in devstack and tempest neutron gate. not on my regular RHOS setup |
VM is reachable even though there's no ingress rule in its security group
how to reproduce:
1. empty security group (with 2 only default egress rules)
2. VM booted to this secgorup
OS_USERNAME=demo
OS_TENANT_NAME=demo
neutron net-create mynet
neutron subnet-create mynet 10.100.0.0/24 --name mysubnet
neutron router-create myrouter
neutron router-gateway-set myrouter public
neutron router-interface-add myrouter mysubnet
neutron security-group-create mysecgroup
nova boot myserver --flavor 2 --image c50f6f12-763b-4f55-891b-38efd3eede9e --security_groups mysecgroup --nic net-id=f630963e-2588-4810-b6b0-8eead5db3f02
neutron floatingip-create public
neutron port-list
neutron floatingip-associate 13c42328-6586-4347-a564-0146253619b6 04a9d5de-d959-43c0-9fd7-76c495ea9623
ping 172.24.4.229
Expected results:
VM should be unreachable.
Actual results:
VM is reachable via ping and ssh
Additional info:
to easily reproduce this bug simply run tempest test "scenario/test_network_basic_ops" after disabling rule creation in manager._create_security_group() (line 521)
https://review.openstack.org/#/c/57112/
**happens only in devstack and tempest neutron gate. not on my regular RHOS setup |
|
| 2013-11-19 16:17:51 |
Édouard Thuleau |
bug |
|
|
added subscriber Édouard Thuleau |
| 2013-11-20 13:13:24 |
Yair Fried |
summary |
security groups don't block unwanted traffic |
security groups not enforced anymore |
|
| 2013-11-24 18:00:20 |
Akihiro Motoki |
marked as duplicate |
|
1112912 |
|
| 2013-11-26 21:23:10 |
Sean M. Collins |
bug |
|
|
added subscriber Sean M. Collins |
| 2013-11-28 08:42:04 |
Mathieu Rohon |
bug |
|
|
added subscriber Mathieu Rohon |
| 2014-01-26 06:41:45 |
Xiang Hui |
bug |
|
|
added subscriber Xiang Hui |
| 2014-03-20 16:11:59 |
Sam Whyte |
bug |
|
|
added subscriber Sam Whyte |
