Creating a VM using another tenant's port, the VM can't communicate with others

Bug #1297701 reported by shihanzhang
Affects: OpenStack Compute (nova); Status: Opinion; Importance: Undecided; Assigned to: shihanzhang
Affects: neutron; Status: Won't Fix; Importance: Medium; Assigned to: shihanzhang

Bug Description

An admin user creates a port for another project, then uses this port to create a VM. The VM can't communicate with others, because the security rules do not work. The VM in nova can not show an IP.

root@ubuntu01:/var/log/neutron# neutron port-show 66c2d6bd-7d39-4948-b561-935cb9d264eb
+-----------------------+-----------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+-----------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | {"ip_address": "169.254.16.253", "mac_address": "fa:16:3e:48:73:a7"} |
| binding:capabilities | {"port_filter": false} |
| binding:host_id | |
| binding:vif_type | unbound |
| device_id | |
| device_owner | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "5519e015-fc83-44c2-99ad-d669b3c2c9d7", "ip_address": "10.10.10.4"} |
| id | 66c2d6bd-7d39-4948-b561-935cb9d264eb |
| mac_address | fa:16:3e:48:73:a7 |
| name | |
| network_id | 255f3e92-5a6e-44a5-bbf9-1a62bf5d5935 |
| security_groups | 94ad554f-392d-4dd5-8184-357f37b75111 |
| status | DOWN |
| tenant_id | 3badf700bbc749ec9d9869fddc63899f |
+-----------------------+-----------------------------------------------------------------------------------+

root@ubuntu01:/var/log/neutron# keystone tenant-list
+----------------------------------+---------+---------+
| id | name | enabled |
+----------------------------------+---------+---------+
| 34fddbc22c184214b823be267837ef81 | admin | True |
| 48eb4330b6e74a9f9e74d3e191a0fa2e | service | True |
+----------------------------------+---------+---------+

root@ubuntu01:/var/log/neutron# nova list
+--------------------------------------+-------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+-------+--------+------------+-------------+----------+
| 5ce98599-75cb-49db-aa76-668491ee3bd0 | test3 | ACTIVE | None | Running | |
+--------------------------------------+-------+--------+------------+-------------+----------+
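
A defender-side pre-flight check for the situation in this report, added here as an example (not code from the report or from OpenStack): it parses the neutron port-show and keystone tenant-list table output above (constructed copies embedded in the block) and flags a port whose tenant_id is not the tenant the VM is booted in, so an operator catches the cross-tenant port before hitting the security-group and IP-listing mismatch the reporter describes. The reduced set of port fields and the "boot tenant" parameter are assumptions of the example.

```python
"""Pre-flight check before booting a VM on a pre-created Neutron port.
Added example: parses the CLI tables from the report (constructed copies below)
and flags a port whose tenant_id differs from the tenant the VM is booted in."""
PORT_SHOW = """
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| device_id       |                                      |
| id              | 66c2d6bd-7d39-4948-b561-935cb9d264eb |
| security_groups | 94ad554f-392d-4dd5-8184-357f37b75111 |
| tenant_id       | 3badf700bbc749ec9d9869fddc63899f     |
+-----------------+--------------------------------------+
"""
TENANT_LIST = """
+----------------------------------+---------+---------+
| id                               | name    | enabled |
+----------------------------------+---------+---------+
| 34fddbc22c184214b823be267837ef81 | admin   | True    |
| 48eb4330b6e74a9f9e74d3e191a0fa2e | service | True    |
+----------------------------------+---------+---------+
"""

def parse_cli_table(text):
    """Turn a +---+ framed CLI table into a list of dicts keyed by the header row."""
    rows = [r for r in text.strip().splitlines() if r.startswith("|")]
    cells = [[c.strip() for c in r.strip("|").split("|")] for r in rows]
    return [dict(zip(cells[0], row)) for row in cells[1:]]

def port_fields(text):
    """port-show is a two-column Field/Value table; flatten it into one dict."""
    return {r["Field"]: r["Value"] for r in parse_cli_table(text)}

def check_port_for_boot(port, tenants, boot_tenant):
    """Return findings (an empty list means the port is safe to boot a VM on)."""
    findings = []
    ids = {t["name"]: t["id"] for t in tenants}
    if boot_tenant not in ids:
        findings.append("boot tenant %r is not in the tenant list" % boot_tenant)
    elif port["tenant_id"] != ids[boot_tenant]:
        # Cross-tenant case from the report: the port's security groups belong
        # to another tenant and nova will not list the port's IP for the VM.
        findings.append("port %s belongs to tenant %s, not to %s"
                        % (port["id"], port["tenant_id"], boot_tenant))
    if port["tenant_id"] not in ids.values():
        findings.append("port tenant %s is unknown" % port["tenant_id"])
    return findings

if __name__ == "__main__":
    for f in check_port_for_boot(port_fields(PORT_SHOW), parse_cli_table(TENANT_LIST), "admin"):
        print("WARNING:", f)
```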

Changed in neutron:
assignee: nobody → shihanzhang (shihanzhang)
Changed in nova:
assignee: nobody → shihanzhang (shihanzhang)
Tracy Jones (tjones-i)
tags: added: network
Salvatore Orlando (salvatore-orlando) wrote :

I think in this case it should be up to the admin to ensure the appropriate security group rules are added.
Do you think it should be different?

Changed in neutron:
status: New → Confirmed
status: Confirmed → Opinion
importance: Undecided → Medium
Brent Eagles (beagles)
tags: added: neutron
Sean Dague (sdague)
Changed in nova:
status: New → Opinion
Armando Migliaccio (armando-migliaccio) wrote :

This sounds like a great way to create a security vulnerability.

Changed in neutron:
status: Opinion → Won't Fix