Hi colleagues,
after the upgrade from Ocata to Pike I noticed a change in security
group behaviour.
In Ocata, I was using a combination of the default security group + a
custom group (which matches ingress ethertype both IPv4 and IPv6) on a
port, and this was allowing ingress traffic to the VM.
In Pike this doesn't work anymore, i.e. having two security groups in
the project
$ openstack security group list
[ ... ]
| 53ede63e-b08f-4c95-b5fe-29cd21ed442a | default | Default security group | d8051a3ff3ad4c4bb380f828992b8178 |
| cd0bd222-78e1-42b2-b8a5-51d655c49a8f | jex-esg |                        | d8051a3ff3ad4c4bb380f828992b8178 |
and using both on the port disables any traffic from outside (e.g. ping):
$ openstack port show jex-n1-wan
[ ... ]
| fixed_ips | ip_address='x.x.x.246', subnet_id='5cfcb94e-5865-4cbd-83e3-56e397a436ec' |
| security_group_ids | 53ede63e-b08f-4c95-b5fe-29cd21ed442a, cd0bd222-78e1-42b2-b8a5-51d655c49a8f |
while keeping only the custom group allows traffic from outside:
$ openstack port show jex-n1-wan
| fixed_ips | ip_address='x.x.x.246', subnet_id='5cfcb94e-5865-4cbd-83e3-56e397a436ec' |
| security_group_ids | cd0bd222-78e1-42b2-b8a5-51d655c49a8f |
*I didn't find any notices on this in the Pike release notes. Can anybody
point me to the place where I can find information on this and,
possibly, other implicit changes?*
For additional information, rules of jex-esg are these:
$ openstack security group show jex-esg
+-----------------+-----------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+-----------------------------------------------------------------------------------------+
| created_at | 2017-09-21T13:25:53Z |
| description | |
| id | cd0bd222-78e1-42b2-b8a5-51d655c49a8f |
| name | jex-esg |
| project_id | d8051a3ff3ad4c4bb380f828992b8178 |
| revision_number | 4 |
| rules | created_at='2017-09-21T13:25:53Z', direction='ingress', ethertype='IPv4', id='1b979cd7- |
| | created_at='2017-09-21T13:25:53Z', direction='ingress', ethertype='IPv6', id='906ac4e2- |
| | created_at='2017-09-21T13:25:53Z', direction='egress', ethertype='IPv6', id='c8cc2114- |
| | created_at='2017-09-21T13:25:53Z', direction='egress', ethertype='IPv4', id='ebb060f5- |
| updated_at | 2017-09-21T13:25:53Z |
+-----------------+-----------------------------------------------------------------------------------------+
Thank you.
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison