** Changed in: nova
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1218494

Title:
  Nova security policies are being ignored

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  I have a multi-node OpenStack Grizzly setup: 1 front-end network node
  (3 NICs) and 2 compute nodes (3 NICs). Everything seems to work
  perfectly: VMs have external access, I can ping the VMs from the
  virtual router, VMs can communicate between themselves...

  However, I am unable to ping the VMs from any compute node. I have
  added the virtual router to the routing table, I changed the default
  security permissions...

  practicas@lemarq:~$ route
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  default         192.168.0.1     0.0.0.0         UG    0      0        0 br-ex
  10.5.5.0        192.168.0.100   255.255.255.0   UG    0      0        0 br-ex  # VIRTUAL ROUTER
  192.168.0.0     *               255.255.255.0   U     0      0        0 br-ex
  192.168.100.0   *               255.255.255.0   U     1      0        0 eth1

  practicas@lemarq:~$ nova secgroup-list-rules default
  +-------------+-----------+---------+-----------+--------------+
  | IP Protocol | From Port | To Port | IP Range  | Source Group |
  +-------------+-----------+---------+-----------+--------------+
  | icmp        | -1        | -1      | 0.0.0.0/0 |              |
  | tcp         | 1         | 65535   | 0.0.0.0/0 |              |
  +-------------+-----------+---------+-----------+--------------+

  
  In order to prove that it is a problem with nova security permissions, I
  have done the following experiment. I tried to ping from the compute node
  192.168.0.204 to a VM, 10.5.5.4. The VM's interface in br-int (on the
  compute node) is qvoc55f44c6-af. I executed tcpdump on qvoc55f44c6-af and I
  see the ICMP packet. However, inside the VM, I ran tcpdump on eth0 and no
  sign of this ICMP packet appeared. If I ping from the virtual router, this
  does not happen.

  Thank you in advance.
