Public bug reported:

#=== Problem Description ===================================
#===========================================================

After enabling security groups in Trove, ICMP traffic is being blocked.

A patch to enable ICMP traffic in the Trove security group configuration
was merged into Master about 7 months ago.

Linux zs93kg 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:55:38 UTC 2017 s390x s390x s390x GNU/Linux
 
Machine Type = s390x

Userspace tool common name: trove

#=== Steps to Reproduce ====================================
#===========================================================
1. Edit /etc/trove/trove-taskmanager.conf and enable security groups:
[DEFAULT]
...
trove_security_groups_support = True
trove_security_group_rule_cidr = 0.0.0.0/0

2. In the same config file, add some ports to the target datastores, for
example:

[db2]
icmp = True
tcp_ports = 22, 50000
volume_support = True

[postgresql]
icmp = True
tcp_ports = 22, 5432
volume_support = True
 
3. Deploy a new instance of the indicated datastore, and try to ping it. This 
will fail. Looking at the assigned security group for the instance:

[vmorris@zs93kg USER:vmorris PROJ:tenant1 ~]$ openstack server show vem-tenant1-trove-postgres | grep security_groups
| security_groups                      | [{u'name': u'SecGroup_801648ae-8a1f-4388-be38-01f3e9f1c743'}] |
[vmorris@zs93kg USER:vmorris PROJ:tenant1 ~]$ openstack security group show SecGroup_801648ae-8a1f-4388-be38-01f3e9f1c743
+-------------+------------------------------------------------------------------------------------------------------------+
| Field       | Value                                                                                                      |
+-------------+------------------------------------------------------------------------------------------------------------+
| description | Security Group for 801648ae-8a1f-4388-be38-01f3e9f1c743                                                    |
| id          | 61a58f17-10b4-4d94-a677-9831f7eda2d7                                                                       |
| name        | SecGroup_801648ae-8a1f-4388-be38-01f3e9f1c743                                                              |
| project_id  | 68eba9de5c3b49b6b6e4199faf1053f7                                                                           |
| rules       | id='2874bf94-c2e9-4046-b2a6-a08f791152b9', ip_protocol='tcp', ip_range='0.0.0.0/0', port_range='22:22'     |
|             | id='e7c3fcad-2c7f-4cef-8f6c-7418f2c6bde6', ip_protocol='tcp', ip_range='0.0.0.0/0', port_range='5432:5432' |
+-------------+------------------------------------------------------------------------------------------------------------+

#=== Additional Info ====================================
#===========================================================

Please see the following change in Trove master:

https://review.openstack.org/#/c/214056/

 Change 214056 - Merged
Introduce "icmp" option for security group rule

This change introduces new datastore option "icmp" to
configure whether to permit ICMP. It helps users to
check DB instance health in different way from access
DB ports.

** Affects: openstack-trove (Ubuntu)
     Importance: Undecided
     Assignee: Skipper Bug Screeners (skipper-screen-team)
         Status: New


** Tags: architecture-s39031.64 bugnameltc-152315 severity-high 
targetmilestone-inin16042

** Tags added: architecture-s39031.64 bugnameltc-152315 severity-high
targetmilestone-inin16042

** Changed in: ubuntu
     Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)

** Package changed: ubuntu => openstack-trove (Ubuntu)

https://bugs.launchpad.net/bugs/1670766

Title:
  Mitaka Trove security groups do not have an ICMP option - patch
  available
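
An added example (not part of the original report or of Trove's code): a Python check that compares the rules a datastore section asks for with the rules listed on the instance's security group, using the report's postgresql settings and the two rule lines from its output. The function names are made up for this example; it assumes single ports in tcp_ports and that an ICMP rule would be listed with ip_protocol='icmp'.

```python
import configparser
import re

# Constructed sample: the settings from steps 1 and 2 of the report.
SAMPLE_CONF = """
[DEFAULT]
trove_security_group_rule_cidr = 0.0.0.0/0
[postgresql]
icmp = True
tcp_ports = 22, 5432
"""
# The two rule lines from the report's `openstack security group show` output.
SAMPLE_RULES = """
id='2874bf94-c2e9-4046-b2a6-a08f791152b9', ip_protocol='tcp', ip_range='0.0.0.0/0', port_range='22:22'
id='e7c3fcad-2c7f-4cef-8f6c-7418f2c6bde6', ip_protocol='tcp', ip_range='0.0.0.0/0', port_range='5432:5432'
"""

def expected_rules(conf_text, datastore):
    """Rules the config asks for, as (protocol, port_range, cidr); single ports only."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    cidr = cp.get("DEFAULT", "trove_security_group_rule_cidr", fallback="0.0.0.0/0")
    want = set()
    for port in cp.get(datastore, "tcp_ports", fallback="").split(","):
        port = port.strip()
        if port:
            want.add(("tcp", f"{port}:{port}", cidr))
    if cp.getboolean(datastore, "icmp", fallback=False):
        want.add(("icmp", None, cidr))  # ICMP has no port range to compare
    return want

def actual_rules(rules_text):
    """Parse key='value' rule lines into (protocol, port_range, cidr)."""
    got = set()
    for line in rules_text.strip().splitlines():
        f = dict(re.findall(r"(\w+)='([^']*)'", line))
        proto = f.get("ip_protocol")
        got.add((proto, None if proto == "icmp" else f.get("port_range"), f.get("ip_range")))
    return got

def audit(conf_text, datastore, rules_text):
    """Return (missing, unexpected) rule sets for the instance's security group."""
    want, got = expected_rules(conf_text, datastore), actual_rules(rules_text)
    return want - got, got - want

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "postgresql", SAMPLE_RULES))
```

On the report's data the check returns the ICMP rule as missing and nothing as unexpected, which matches the failed ping in step 3.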
