Comment 4 for bug 1316822

Andrew Laski (alaski) wrote:

The most glaring issue from my perspective is that iptables rules are lost upon a nova-compute restart. That has the broadest impact and fixing that would address this. Beyond that it would be nice to have a check that security group rules are in place anytime an instance is started, whether it's reboot or start. Additionally I question whether reboot should be a valid action for a stopped instance, but that's outside the scope of this.

The likeliness is difficult to comment on because it is dependent on how often a deployer restarts their nova-compute services. That's not something that should be occurring frequently, so I would classify this as rather unlikely. But it is triggerable over a long enough timeframe. As a user, if I stopped my instance and waited long enough, it would almost certainly trigger this at some point. But it should be noted that this is a security hole that a user can open on their own instance, or a deployer could inadvertently open on a user, but can't be triggered in a targeted manner upon another user's instance.