yahoo-eng-team team mailing list archive
Message #02458
[Bug 1182358] Re: Security group created through the nova api does not permit expected traffic
I've figured out the problem - I was using copied code that it turns out
had been creating a source group rule rather than a regular rule (only
permitting traffic between ports associated with a given group). Not
sure why this was never a problem before, but the easy solution is to
create a regular (all sources) rule instead.
** Changed in: quantum
Status: New => Invalid
https://bugs.launchpad.net/bugs/1182358
Title:
Security group created through the nova api does not permit expected
traffic
Status in OpenStack Quantum (virtual network service):
Invalid
Bug description:
I was looking into a problem with the quantum smoke test in tempest -
a vm would be reported as pingable via an assigned floating ip even
when it hadn't been configured with a private ip address. I added an
ssh check to be sure that a vm was actually reachable
(https://bugs.launchpad.net/quantum/+bug/1182343), and have since
traced the underlying problem to what I suspect is an issue with
nova<->quantum security group integration.
The Networking smoke test in Tempest currently creates the security
group permitting ping and ssh via the nova api
(https://github.com/openstack/tempest/blob/master/tempest/scenario/manager.py#L253).
A security group created with this method does not pass traffic as
expected. If a vm is configured to use the default security group
(managed and updated manually through quantum), traffic is passed as
expected.
To reproduce:
 - run devstack with quantum configured:
     disable_service n-net
     enable_service q-svc
     enable_service q-agt
     enable_service q-dhcp
     enable_service q-l3
     enable_service q-meta
     enable_service quantum
     enable_service tempest
     API_RATE_LIMIT=False
     TEMPEST_REPO=https://review.openstack.org/openstack/tempest
     TEMPEST_BRANCH=refs/changes/82/29882/1
 - run the smoke test (Should fail):
     cd /opt/stack/tempest
     nosetests tempest/scenario/test_network_basic_ops.py
To make the test pass:
 - change test_network_basic_ops.py:205 to 'security_groups = []' to
   ensure the default security group will be used
 - enable inbound icmp and ssh in the default rule:
     quantum security-group-rule-create --protocol icmp --direction ingress default
     quantum security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 --direction ingress default
 - nosetests tempest/scenario/test_network_basic_ops.py (should pass)
The following is the security group created via the nova api that does not pass ssh or icmp traffic:
| description | secgroup-smoke-1845398475 description |
| id | faf6cbad-fab7-4518-b199-08f2256a6705 |
| name | secgroup-smoke-1845398475 |
| security_group_rules | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "508a6e585abb4348988079a034ae4224", "port_range_max": null, "security_group_id": "faf6cbad-fab7-4518-b199-08f2256a6705", "port_range_min": null, "ethertype": "IPv6", "id": "02411d5a-d779-4076-b326-ebaeb1bedd5f"} |
| | {"remote_group_id": "faf6cbad-fab7-4518-b199-08f2256a6705", "direction": "ingress", "remote_ip_prefix": null, "protocol": "tcp", "tenant_id": "508a6e585abb4348988079a034ae4224", "port_range_max": 22, "security_group_id": "faf6cbad-fab7-4518-b199-08f2256a6705", "port_range_min": 22, "ethertype": "IPv4", "id": "1d2207c4-8ee4-48bd-9041-95e939c9b83a"} |
| | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "508a6e585abb4348988079a034ae4224", "port_range_max": null, "security_group_id": "faf6cbad-fab7-4518-b199-08f2256a6705", "port_range_min": null, "ethertype": "IPv4", "id": "6f9b4bcc-0c2e-41d1-be8f-827ae9e7ef57"} |
| | {"remote_group_id": "faf6cbad-fab7-4518-b199-08f2256a6705", "direction": "ingress", "remote_ip_prefix": null, "protocol": "icmp", "tenant_id": "508a6e585abb4348988079a034ae4224", "port_range_max": null, "security_group_id": "faf6cbad-fab7-4518-b199-08f2256a6705", "port_range_min": null, "ethertype": "IPv4", "id": "c1d5316a-0ca3-4ba6-b813-8ce616a204f7"} |
| tenant_id | 508a6e585abb4348988079a034ae4224
The following is the default security group that does pass ssh and icmp traffic:
| description | default |
| id | 1b0d2c36-2790-4292-ba0c-7282f7cbf991 |
| name | default |
| security_group_rules | {"remote_group_id": "1b0d2c36-2790-4292-ba0c-7282f7cbf991", "direction": "ingress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "508a6e585abb4348988079a034ae4224", "port_range_max": null, "security_group_id": "1b0d2c36-2790-4292-ba0c-7282f7cbf991", "port_range_min": null, "ethertype": "IPv6", "id": "0bcb399f-b0d6-467a-981d-c189b1ca9224"} |
| | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "508a6e585abb4348988079a034ae4224", "port_range_max": null, "security_group_id": "1b0d2c36-2790-4292-ba0c-7282f7cbf991", "port_range_min": null, "ethertype": "IPv6", "id": "354fee77-480a-4c9f-bd9b-de1e91c29c6a"} |
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": null, "protocol": "icmp", "tenant_id": "508a6e585abb4348988079a034ae4224", "port_range_max": null, "security_group_id": "1b0d2c36-2790-4292-ba0c-7282f7cbf991", "port_range_min": null, "ethertype": "IPv4", "id": "47832c49-fdd0-48a7-a069-7ae65fb9e016"} |
| | {"remote_group_id": "1b0d2c36-2790-4292-ba0c-7282f7cbf991", "direction": "ingress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "508a6e585abb4348988079a034ae4224", "port_range_max": null, "security_group_id": "1b0d2c36-2790-4292-ba0c-7282f7cbf991", "port_range_min": null, "ethertype": "IPv4", "id": "789ae680-79a7-4ca9-8748-0ae5746eef31"} |
| | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "508a6e585abb4348988079a034ae4224", "port_range_max": null, "security_group_id": "1b0d2c36-2790-4292-ba0c-7282f7cbf991", "port_range_min": null, "ethertype": "IPv4", "id": "ac8784dc-4a78-40e7-8522-810dc77ee43a"} |
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": null, "protocol": "tcp", "tenant_id": "508a6e585abb4348988079a034ae4224", "port_range_max": 22, "security_group_id": "1b0d2c36-2790-4292-ba0c-7282f7cbf991", "port_range_min": 22, "ethertype": "IPv4", "id": "fddd9e30-9f2c-4275-ba7a-ceac2a5c86db"} |
| tenant_id | 508a6e585abb4348988079a034ae4224
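An added example, not part of the original bug report: a simplified Python model of ingress matching, run over the ingress rules from the two listings above, showing why rules with remote_group_id set admit only senders in that group while rules with both remote_group_id and remote_ip_prefix null admit any source. The helper names and the external client address are assumptions made for illustration.

```python
import ipaddress

# Ingress rules abridged from the two groups in the bug description; only the
# fields that affect matching are kept (egress rules omitted).
SMOKE = "faf6cbad-fab7-4518-b199-08f2256a6705"
DEFAULT = "1b0d2c36-2790-4292-ba0c-7282f7cbf991"

def rule(group, proto, port, remote_group=None, ethertype="IPv4"):
    return {"security_group_id": group, "direction": "ingress",
            "ethertype": ethertype, "protocol": proto,
            "port_range_min": port, "port_range_max": port,
            "remote_group_id": remote_group, "remote_ip_prefix": None}

SMOKE_RULES = [rule(SMOKE, "tcp", 22, SMOKE), rule(SMOKE, "icmp", None, SMOKE)]
DEFAULT_RULES = [rule(DEFAULT, None, None, DEFAULT, "IPv6"),
                 rule(DEFAULT, "icmp", None),
                 rule(DEFAULT, None, None, DEFAULT),
                 rule(DEFAULT, "tcp", 22)]

def source_matches(r, src_ip, src_groups):
    """A source-group rule only matches senders whose port is in that group."""
    if r["remote_group_id"] is not None:
        return r["remote_group_id"] in src_groups
    if r["remote_ip_prefix"] is not None:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(r["remote_ip_prefix"])
    return True  # neither field set: any source

def ingress_allowed(rules, proto, port, src_ip, src_groups=()):
    """Simplified model: the first matching ingress rule allows the packet."""
    ethertype = "IPv6" if ipaddress.ip_address(src_ip).version == 6 else "IPv4"
    for r in rules:
        if r["direction"] != "ingress" or r["ethertype"] != ethertype:
            continue
        if r["protocol"] not in (None, proto):
            continue
        lo, hi = r["port_range_min"], r["port_range_max"]
        # Port ranges are only checked for tcp/udp in this model.
        if proto in ("tcp", "udp") and lo is not None and not lo <= port <= hi:
            continue
        if source_matches(r, src_ip, src_groups):
            return True
    return False  # default deny

def group_scoped(rules):
    """Ingress rules that exclude every sender outside the named group."""
    return [r for r in rules if r["remote_group_id"] is not None]

EXTERNAL = "203.0.113.10"  # constructed address standing in for the test client
```

Running group_scoped() over a group's rules before attaching it to a port is a quick check for the condition described in this report.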