Hi guys. Recently, I've stumbled upon strange behaviour of euca-authorize command. I'm using Diablo release If I create two security groups and add a rule using euca-authorize command to authorize ICMP traffic from one group to another, why am I not able to add another rule for, say, tcp traffic? Here are the commands I've tried:
[apetrovich@ostcore-wslab2 ]$ euca-describe-groups GROUP project1 default default [apetrovich@ostcore-wslab2 ]$ euca-add-group -d "mygroup description" mygroup GROUP mygroup mygroup description [apetrovich@ostcore-wslab2 ]$ euca-describe-groups GROUP project1 default default GROUP project1 mygroup mygroup description [apetrovich@ostcore-wslab2 ]$ euca-add-group -d "another description" mygroup2 GROUP mygroup2 another description [apetrovich@ostcore-wslab2 ]$ euca-describe-groups GROUP project1 default default GROUP project1 mygroup mygroup description GROUP project1 mygroup2 another description [apetrovich@ostcore-wslab2 ]$ euca-authorize --protocol icmp -t -1:-1 --source-group mygroup mygroup2 mygroup2 mygroup None icmp -1 -1 0.0.0.0/0 GROUP mygroup2 PERMISSION mygroup2 ALLOWS icmp -1 -1 GRPNAME mygroup FROM CIDR 0.0.0.0/0 [apetrovich@ostcore-wslab2 ]$ euca-authorize --protocol tcp --port-range 22 --source-group mygroup mygroup2 mygroup2 mygroup None tcp 22 22 0.0.0.0/0 ApiError: {'to_port': 22, 'group_id': 2L, 'protocol': 'tcp', 'from_port': 22, 'parent_group_id': 3L} - This rule already exists in group This seems very strange, so I digged in to the sources and found that this is happens because of the method _security_group_rule_exists of the nova.api.ec2.CloudController: def _security_group_rule_exists(self, security_group, values): """Indicates whether the specified rule values are already defined in the given security group. """ for rule in security_group.rules: if 'group_id' in values: if rule['group_id'] == values['group_id']: return rule['id'] else: is_duplicate = True for key in ('cidr', 'from_port', 'to_port', 'protocol'): if rule[key] != values[key]: is_duplicate = False break if is_duplicate: return rule['id'] return False And it looks like it explicitly checks for the source group of the new rule, and if there is already exists a rule with the same source group it returns id of that group, so, it is not possible to add a different rule with the same source group. Is it expected behaviour and I'm missing something, or is it just a bug? _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp