nova security group iptables rules conflict for overlapping subnets
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Won't Fix | Undecided | Unassigned |
Bug Description
In my devstack all-in-one installation, I created two tenants, each with a subnet (10.0.0.0/24), and then started two instances in each tenant. After the instances started up, I checked the iptables rules.
instances of tenant1:
# nova list
+------
| ID | Name | Status | Networks |
+------
| a0c528b9-
| 7f144411-
+------
instances of tenant2:
+------
| ID | Name | Status | Networks |
+------
| 880a0ce4-
| 60b40131-
+------
iptables rules:
# iptables-save
...
-A nova-compute-local -d 10.0.0.3/32 -j nova-compute-inst-1
-A nova-compute-local -d 10.0.0.4/32 -j nova-compute-inst-2
-A nova-compute-local -d 10.0.0.3/32 -j nova-compute-inst-3
-A nova-compute-local -d 10.0.0.4/32 -j nova-compute-inst-4
...
From the iptables rules, we can see that instances with the same IP address go through the same iptables rules, which is not what we expected. More importantly, one tenant's security group settings may impact another tenant's.
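A small check for the condition described above, written for this report as an added example (not code from nova or from the reporter): it parses the per-instance dispatch rules in `nova-compute-local` from an `iptables-save` dump and flags any destination IP that is routed to more than one `nova-compute-inst-N` chain. The sample dump is constructed from the lines quoted in the report plus one non-overlapping instance.

```python
import re
from collections import defaultdict

# Constructed sample of iptables-save output, modelled on the rules quoted
# in this report: two tenants each with 10.0.0.0/24, so two instances share
# 10.0.0.3 and two share 10.0.0.4; 10.0.0.5 is a single, unshared instance.
SAMPLE_IPTABLES_SAVE = """\
*filter
:nova-compute-local - [0:0]
-A nova-compute-local -d 10.0.0.3/32 -j nova-compute-inst-1
-A nova-compute-local -d 10.0.0.4/32 -j nova-compute-inst-2
-A nova-compute-local -d 10.0.0.3/32 -j nova-compute-inst-3
-A nova-compute-local -d 10.0.0.4/32 -j nova-compute-inst-4
-A nova-compute-local -d 10.0.0.5/32 -j nova-compute-inst-5
COMMIT
"""

# The per-instance dispatch rule nova appends to nova-compute-local:
# it matches on destination IP only, with no tenant or interface qualifier.
RULE_RE = re.compile(
    r"^-A nova-compute-local -d (?P<ip>\d+\.\d+\.\d+\.\d+)/32 "
    r"-j (?P<chain>nova-compute-inst-\d+)$"
)


def parse_dispatch_rules(dump):
    """Return {dest_ip: [instance chains]} for every nova-compute-local
    dispatch rule in an iptables-save dump, preserving rule order."""
    chains_by_ip = defaultdict(list)
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chains_by_ip[m.group("ip")].append(m.group("chain"))
    return dict(chains_by_ip)


def find_overlaps(dump):
    """Return only the IPs that dispatch to more than one instance chain.
    iptables evaluates these rules in order, so the first chain listed sees
    traffic destined for every instance that shares the IP, i.e. one
    tenant's security group rules are applied to another tenant's VM."""
    return {ip: chains for ip, chains in parse_dispatch_rules(dump).items()
            if len(chains) > 1}


if __name__ == "__main__":
    for ip, chains in sorted(find_overlaps(SAMPLE_IPTABLES_SAVE).items()):
        print(f"{ip}: dispatched to {', '.join(chains)} (first match wins)")
```

On a real host, feed it the output of `iptables-save` instead of the constructed sample; an empty result means no two instances on that compute node share a destination IP.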
summary: - iptable rules override for overlapping network
         + nova security group iptable rules override for overlapping subnets
summary: - nova security group iptable rules override for overlapping subnets
         + nova security group iptables rules override for overlapping subnets
summary: - nova security group iptables rules override for overlapping subnets
         + nova security group iptables rules conflict for overlapping subnets
Changed in quantum: status: New → Confirmed
Changed in nova: status: New → Confirmed
Changed in nova: status: Confirmed → Won't Fix
Yes, all parts of nova assume that IPs can never overlap. This is similar to the issues with the nova-metadata server and overlapping IPs.
During Folsom we had wanted to get security groups ported over to Quantum, which would have meant that we add support for overlapping IPs as well as multiple interfaces per VM. However, we ran out of time, and so we have the partial solution of utilizing Nova security groups, with those limits. Not great, I agree.
To me, the real concern here is that there is no good way to make sure nova metadata & security groups are only used if Quantum has no overlapping IPs. One thing we had discussed was potentially having a flag in Quantum that indicates whether overlapping IPs should be allowed or not. We could default this to false, and then mention the limitations around metadata + security groups where we document how to enable overlapping IPs in Quantum. The concern I have with this approach is that defaulting to not allowing overlapping IPs seems like the wrong long-term default for quantum, once quantum itself implements security groups (and we modify the metadata mechanism to handle overlapping IPs). Outside of that, I think this is just a question of documentation, unless someone else sees anything super bright.