openstack team mailing list archive

Re: Security group isolation on same physical host

 

Hi,

If they're in the same subnet, they won't go through a firewall to reach
each other.  I'd imagine this is expected.

Cheers,

On Thu, 2012-06-07 at 10:00 -0400, Mitchell Broome wrote:
> So I'm running into a problem where two different virtual machines on
> the same physical host can get to each other bypassing security
> groups.  As a test, I have removed all rules from the default security
> group and created two other groups for testing (test1 and test2) that
> only have inbound ssh access from a client network.  The hosts are on
> 192.168.95.0/24 and the guests' fixed addresses are on
> 192.168.97.0/24.  I'm not doing anything with floating IPs, just
> strictly fixed IPs.  While testing, I'm using a single controller
> running everything except nova-compute and a single compute host only
> running nova-compute.
> 
> I'm using CentOS 6.2 with OpenStack from EPEL:
> python-nova-2012.1-7.el6.noarch
> openstack-nova-2012.1-7.el6.noarch
> 
> 
> nova.conf (from the compute node):
> http://paste.openstack.org/show/18381/
> 
> iptables -n -L:
> http://paste.openstack.org/show/18382/
> 
> Is there some flag I'm missing in nova.conf to stop this?
> 

-- 
Stephen Gran
Senior Systems Integrator - The Guardian
