yahoo-eng-team team mailing list archive
Message #08062
[Bug 1208880] Re: Adding a fixed IP doesn't fully update firewall rules on compute host
** Also affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1208880
Title:
Adding a fixed IP doesn't fully update firewall rules on compute host
Status in OpenStack Compute (Nova):
New
Status in “nova” package in Ubuntu:
New
Bug description:
With OpenStack Folsom, 'nova add-fixed-ip' doesn't appear to correctly
change the firewall rules on the compute host with the result that the
additional fixed IPs are unusable.
To reproduce, I did:
    nova add-fixed-ip <server uuid> <network uuid>
    nova show <server uuid>   # <-- repeat until additional fixed IP shows
                              #     in 'nova network' section.
    ssh <user>@<server>
    # [Configure additional IP on VM]
    ping <new IP>   # <-- from VM, works
    ping <new IP>   # <-- from e.g. cloud controller, doesn't work
I confirmed the VM is arping for the new IP. Then looking at iptables
on the compute host, I noticed there's no inbound rule for the
new fixed IP on the nova-compute-local chain:
| root@dybbuk:/etc# iptables-save | grep 10.33.16.63
| -A nova-compute-inst-3034 -s 10.33.16.63/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3034 -s 10.33.16.63/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3035 -s 10.33.16.63/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3035 -s 10.33.16.63/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-local -d 10.33.16.63/32 -j nova-compute-inst-3035
| root@dybbuk:/etc# iptables-save | grep 10.33.16.222
| -A nova-compute-inst-3034 -s 10.33.16.222/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3034 -s 10.33.16.222/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3035 -s 10.33.16.222/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3035 -s 10.33.16.222/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
| root@dybbuk:/etc#
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1208880/+subscriptions
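The iptables check from the bug description, as an added example that is not part of the original report or of nova's code: it parses iptables-save output and reports which fixed IPs have no jump rule on the nova-compute-local chain. The sample rules are constructed from the excerpts quoted in the report, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: rule lines taken from the excerpts in the report,
# wrapped in the table/chain/COMMIT framing that iptables-save emits.
SAMPLE = """\
*filter
:nova-compute-local - [0:0]
-A nova-compute-inst-3035 -s 10.33.16.63/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
-A nova-compute-inst-3035 -s 10.33.16.222/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
-A nova-compute-local -d 10.33.16.63/32 -j nova-compute-inst-3035
COMMIT
"""

# Inbound dispatch rule: destination address -> per-instance chain.
JUMP = re.compile(r"^-A nova-compute-local -d (\S+) -j (nova-compute-inst-\d+)$")


def local_jumps(rules_text):
    """Return [(destination network, instance chain)] from nova-compute-local."""
    jumps = []
    for line in rules_text.splitlines():
        m = JUMP.match(line.strip())
        if m:
            net = ipaddress.ip_network(m.group(1), strict=False)
            jumps.append((net, m.group(2)))
    return jumps


def audit_fixed_ips(rules_text, fixed_ips):
    """Map each fixed IP to the chain it is dispatched to, or None if no
    nova-compute-local rule covers it (the symptom described in the report)."""
    jumps = local_jumps(rules_text)
    result = {}
    for ip in fixed_ips:
        addr = ipaddress.ip_address(ip)
        result[ip] = next((chain for net, chain in jumps if addr in net), None)
    return result


def missing_inbound(rules_text, fixed_ips):
    """Fixed IPs with no inbound jump rule on nova-compute-local."""
    audit = audit_fixed_ips(rules_text, fixed_ips)
    return [ip for ip, chain in audit.items() if chain is None]


if __name__ == "__main__":
    for ip in missing_inbound(SAMPLE, ["10.33.16.63", "10.33.16.222"]):
        print("no nova-compute-local rule for", ip)
```

On a compute host the first argument would be the captured output of iptables-save and the second the fixed IPs that 'nova show' lists for the instance.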