Public bug reported:

With OpenStack Folsom, 'nova add-fixed-ip' doesn't appear to correctly
change the firewall rules on the compute host with the result that the
additional fixed IPs are unusable.

To reproduce, I did:

 nova add-fixed-ip <server uuid> <network uuid>
 nova show <server uuid> # <-- repeat until additional fixed IP shows
                         # in 'nova network' section.
 ssh <user>@<server>
 # [Configure additional IP on VM]
 ping <new IP> # <-- from VM, works
 ping <new IP> # <-- from e.g. cloud controller, doesn't work

I confirmed the VM is arping for the new IP.  Then looking at iptables
on the compute host, I noticed there's no inbound rule for the
new fixed IP on the nova-compute-local chain:

| root@dybbuk:/etc# iptables-save | grep 10.33.16.63
| -A nova-compute-inst-3034 -s 10.33.16.63/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3034 -s 10.33.16.63/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3035 -s 10.33.16.63/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3035 -s 10.33.16.63/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-local -d 10.33.16.63/32 -j nova-compute-inst-3035
| root@dybbuk:/etc# iptables-save | grep 10.33.16.222
| -A nova-compute-inst-3034 -s 10.33.16.222/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3034 -s 10.33.16.222/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3035 -s 10.33.16.222/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3035 -s 10.33.16.222/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
| root@dybbuk:/etc#

** Affects: nova (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: prodstack

** Tags added: prodstack

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1208880

Title:
  Adding a fixed IP doesn't fully update firewall rules on compute host

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1208880/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
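
The check made by hand in the report (grepping iptables-save for each fixed IP and looking for its nova-compute-local jump) can be scripted. The following is an added example, not part of the bug report and not nova code. It assumes the chain naming visible in the output above, that the operator supplies the instance's fixed IPs (for instance from 'nova show'), and the function names and sample rules are constructed for illustration.

```python
import re
import sys

# Constructed sample modelled on the iptables-save lines quoted in the report.
SAMPLE = """\
-A nova-compute-inst-3035 -s 10.33.16.63/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
-A nova-compute-local -d 10.33.16.63/32 -j nova-compute-inst-3035
-A nova-compute-inst-3035 -s 10.33.16.222/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
"""

# Inbound dispatch rule: nova-compute-local jumps to the per-instance chain
# for traffic destined to one of the instance's fixed IPs.
JUMP = re.compile(
    r"^-A nova-compute-local -d (\S+?)(?:/32)? -j (nova-compute-inst-\d+)$"
)


def local_jumps(rules_text):
    """Map destination IP -> per-instance chain from nova-compute-local."""
    jumps = {}
    for line in rules_text.splitlines():
        m = JUMP.match(line.strip())
        if m:
            jumps[m.group(1)] = m.group(2)
    return jumps


def missing_inbound(rules_text, fixed_ips, expected_chain=None):
    """Return fixed IPs with no inbound jump, or a jump to the wrong chain."""
    jumps = local_jumps(rules_text)
    bad = []
    for ip in fixed_ips:
        chain = jumps.get(ip)
        if chain is None or (expected_chain and chain != expected_chain):
            bad.append(ip)
    return bad


if __name__ == "__main__":
    # Usage: iptables-save | python check_fixed_ips.py 10.33.16.63 10.33.16.222
    # With no arguments, runs against the constructed sample.
    ips = sys.argv[1:] or ["10.33.16.63", "10.33.16.222"]
    rules = sys.stdin.read() if sys.argv[1:] else SAMPLE
    for ip in missing_inbound(rules, ips):
        print("no nova-compute-local rule for fixed IP %s" % ip)
```

On the constructed sample it reports 10.33.16.222, the address that was added with 'nova add-fixed-ip' and has no `-d` rule.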
