yahoo-eng-team team mailing list archive

[Bug 1208880] Re: Adding a fixed IP doesn't fully update firewall rules on compute host

 

** Also affects: nova
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1208880

Title:
  Adding a fixed IP doesn't fully update firewall rules on compute host

Status in OpenStack Compute (Nova):
  New
Status in “nova” package in Ubuntu:
  New

Bug description:
  With OpenStack Folsom, 'nova add-fixed-ip' doesn't appear to correctly
  change the firewall rules on the compute host with the result that the
  additional fixed IPs are unusable.

  To reproduce, I did:

   nova add-fixed-ip <server uuid> <network uuid>
   nova show <server uuid> # <-- repeat until additional fixed IP shows
                           # in 'nova network' section.
   ssh <user>@<server>
   # [Configure additional IP on VM]
   ping <new IP> # <-- from VM, works
   ping <new IP> # <-- from e.g. cloud controller, doesn't work

  I confirmed the VM is arping for the new IP.  Then looking at iptables
  on the compute host, I noticed there's no inbound rule for the
  new fixed IP on the nova-compute-local chain:

  | root@dybbuk:/etc# iptables-save | grep 10.33.16.63
  | -A nova-compute-inst-3034 -s 10.33.16.63/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
  | -A nova-compute-inst-3034 -s 10.33.16.63/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
  | -A nova-compute-inst-3035 -s 10.33.16.63/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
  | -A nova-compute-inst-3035 -s 10.33.16.63/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
  | -A nova-compute-local -d 10.33.16.63/32 -j nova-compute-inst-3035
  | root@dybbuk:/etc# iptables-save | grep 10.33.16.222
  | -A nova-compute-inst-3034 -s 10.33.16.222/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
  | -A nova-compute-inst-3034 -s 10.33.16.222/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
  | -A nova-compute-inst-3035 -s 10.33.16.222/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
  | -A nova-compute-inst-3035 -s 10.33.16.222/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
  | root@dybbuk:/etc#

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1208880/+subscriptions
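
A check for the symptom described in the report above, as an added example that is not part of the original bug report or of nova: it parses `iptables-save` output and lists fixed IPs that are allowed as a source in the per-instance chains but have no destination jump in `nova-compute-local`. The function names are hypothetical, and the sample input is constructed from the rules quoted in the report.

```python
import ipaddress

# Constructed sample: a subset of the iptables-save rules quoted in the report.
SAMPLE = """\
-A nova-compute-inst-3034 -s 10.33.16.63/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
-A nova-compute-inst-3035 -s 10.33.16.63/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
-A nova-compute-local -d 10.33.16.63/32 -j nova-compute-inst-3035
-A nova-compute-inst-3034 -s 10.33.16.222/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
-A nova-compute-inst-3035 -s 10.33.16.222/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
"""

def _opt(tokens, flag):
    """Value that follows `flag`, or None if absent or negated ("! -d ...")."""
    if flag not in tokens:
        return None
    i = tokens.index(flag)
    if i + 1 >= len(tokens) or (i > 0 and tokens[i - 1] == "!"):
        return None
    return tokens[i + 1]

def _host(value):
    """Normalise '10.0.0.1/32' or '10.0.0.1' to '10.0.0.1'; None for wider prefixes."""
    if value is None:
        return None
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else None

def audit_fixed_ips(save_text, fixed_ips, local_chain="nova-compute-local"):
    """Per fixed IP: its jump target in local_chain and the chains allowing it as a source."""
    jumps, sources = {}, {}
    for line in save_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A":
            continue  # table headers, chain policies, COMMIT
        if tok[1] == local_chain:
            dest = _host(_opt(tok, "-d"))
            if dest:
                jumps[dest] = _opt(tok, "-j")
        src = _host(_opt(tok, "-s"))
        if src:
            sources.setdefault(src, set()).add(tok[1])
    return {ip: {"local_jump": jumps.get(ip), "source_in": sorted(sources.get(ip, ()))}
            for ip in map(_host, fixed_ips)}

def missing_local_jump(save_text, fixed_ips):
    """Fixed IPs with no -d jump in nova-compute-local (the symptom in the report)."""
    return [ip for ip, r in audit_fixed_ips(save_text, fixed_ips).items() if r["local_jump"] is None]
```

On a compute host, the text passed as `save_text` would be the output of `iptables-save`, and `fixed_ips` the addresses listed by `nova show` for the instances on that host.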