openstack team mailing list archive
Message #12932
Security group isolation on same physical host
So I'm running into a problem where two different virtual machines on
the same physical host can get to each other bypassing security
groups. As a test, I have removed all rules from the default security
group and created two other groups for testing (test1 and test2) that
only have inbound ssh access from a client network. The hosts are on
192.168.95.0/24 and the guests' fixed addresses are on
192.168.97.0/24. I'm not doing anything with floating IPs, just
strictly fixed IPs. While testing, I'm using a single controller
running everything except nova-compute and a single compute host only
running nova-compute.
I'm using CentOS 6.2 with OpenStack from EPEL:
python-nova-2012.1-7.el6.noarch
openstack-nova-2012.1-7.el6.noarch
nova.conf (from the compute node):
http://paste.openstack.org/show/18381/
iptables -n -L:
http://paste.openstack.org/show/18382/
Is there some flag I'm missing in nova.conf to stop this?