yahoo-eng-team team mailing list archive
Message #17126
[Bug 1340194] [NEW] Removed security group rules are still persistent on instances
Public bug reported:
Even after removing the security group rules, we are able to do operations
like ssh/ping on the VMs.
Earlier, we added rules to allow ssh and ping, and then removed
those rules.
Below is the log:
nova list
+--------------------------------------+-------------+--------+------------+-------------+-----------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+-------------+--------+------------+-------------+-----------------------------+
| a1426d0a-07df-40c8-b883-3f5fb34bbec2 | testvm1-az1 | ACTIVE | None | Running | Net1=2.2.2.2, 10.233.53.105 |
| 329b0493-e1f9-4baa-bfc9-5ecf9c2d4687 | testvm1-az2 | ACTIVE | None | Running | Net1=2.2.2.4 |
+--------------------------------------+-------------+--------+------------+-------------+-----------------------------+
root@controller:~# nova show a1426d0a-07df-40c8-b883-3f5fb34bbec2
+--------------------------------------+----------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------+
| status | ACTIVE |
| updated | 2014-07-03T06:34:31Z |
| OS-EXT-STS:task_state | None |
| OS-EXT-SRV-ATTR:host | compute1 |
| key_name | None |
| image | CirrOS 0.3.1 (ea93e47e-558e-4baf-bea1-777b4814ca5d) |
| hostId | 64a50db012ab0b483697b85be03d02d66535ff2656170b6c8fb9a8f8 |
| Net1 network | 2.2.2.2, 10.233.53.105 |
| OS-EXT-STS:vm_state | active |
| OS-EXT-SRV-ATTR:instance_name | instance-00000018 |
| OS-SRV-USG:launched_at | 2014-07-03T06:34:31.000000 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | compute1 |
| flavor | myF1 (6) |
| id | a1426d0a-07df-40c8-b883-3f5fb34bbec2 |
| security_groups | [{u'name': u'default'}] | --------------------------> using default secgroup.
| OS-SRV-USG:terminated_at | None |
| user_id | 0dc64e9cfb07442b8d6ce7d518200d06 |
| name | testvm1-az1 |
| created | 2014-07-03T06:33:54Z |
| tenant_id | 8a5dee0f17204539a73987d6a8f255cd |
| OS-DCF:diskConfig | MANUAL |
| metadata | {} |
| os-extended-volumes:volumes_attached | [] |
| accessIPv4 | |
| accessIPv6 | |
| progress | 0 |
| OS-EXT-STS:power_state | 1 |
| OS-EXT-AZ:availability_zone | azhyd1 |
| config_drive | |
+--------------------------------------+----------------------------------------------------------+
root@controller:~# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
| | | | | default |
| | | | | default |
+-------------+-----------+---------+----------+--------------+
root@controller:~# ip netns exec qdhcp-acf1b559-0602-461f-8b86-9e7c5a7cec80 ping 2.2.2.2
PING 2.2.2.2 (2.2.2.2) 56(84) bytes of data.
64 bytes from 2.2.2.2: icmp_req=1 ttl=64 time=3.28 ms
64 bytes from 2.2.2.2: icmp_req=2 ttl=64 time=1.83 ms
We are using the Havana version of OpenStack on Ubuntu 12.04/64bit.
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1340194
Title:
Removed security group rules are still persistent on instances
Status in OpenStack Neutron (virtual network service):
New