yahoo-eng-team team mailing list archive
Message #39748
[Bug 1491307] Re: [OSSA 2015-021] secgroup rules doesn't work for instance immediately (CVE-2015-7713)
** Changed in: ossa
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1491307
Title:
[OSSA 2015-021] secgroup rules doesn't work for instance immediately
(CVE-2015-7713)
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Bug description:
I have an OpenStack Kilo setup on RHEL 7.1 with a controller and a
compute node (network-compute + network-network); the config is as
follows:
# /etc/nova/nova.conf on controller node
[DEFAULT]
network_api_class = nova.network.api.API
security_group_api = nova
# /etc/nova/nova.conf on compute node
[DEFAULT]
network_api_class = nova.network.api.API
security_group_api = nova
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
network_manager = nova.network.manager.FlatDHCPManager
network_size = 254
allow_same_net_traffic = False
multi_host = True
send_arp_for_ha = True
share_dhcp_address = True
force_dhcp_release = True
flat_network_bridge = br100
flat_interface = eth0
public_interface = eth0
Steps for test 1:
1) create and start VM instance-1 with secgroup default;
2) VM instance-1 ping br100: OK;
3) br100 ping VM instance-1: operation not permitted (because there are no secgroup rules for ICMP);
4) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0;
5) br100 ping VM instance-1: I got the same error message, which was not expected.
Steps for test 2:
1) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0;
2) create and start VM instance-2 with secgroup default;
3) br100 ping instance-2: OK.
It seems that the command "nova secgroup-add-rule ..." doesn't take effect
immediately for existing or running VM instances?
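As an added check, not part of the bug report or of nova itself, the following Python snippet parses `iptables-save` output from a compute node and reports whether the per-instance chain actually accepts ICMP; capturing that output before and after `nova secgroup-add-rule` shows whether the new rule reached the running instance (the symptom of test 1 is that it does not). The chain name `nova-compute-inst-<id>` and the sample output are assumptions constructed for the example.

```python
import re

# Constructed sample of `iptables-save` output from a compute node running
# the libvirt IptablesFirewallDriver. The chain name nova-compute-inst-<id>
# is an assumption, not taken from the bug report.
SAMPLE_BEFORE = """\
*filter
:nova-compute-inst-1 - [0:0]
-A nova-compute-inst-1 -m state --state INVALID -j DROP
-A nova-compute-inst-1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-1 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-1 -j nova-compute-sg-fallback
COMMIT
"""

# What the chain should look like once the ICMP rule has been pushed out.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "-A nova-compute-inst-1 -j nova-compute-sg-fallback",
    "-A nova-compute-inst-1 -p icmp -j ACCEPT\n"
    "-A nova-compute-inst-1 -j nova-compute-sg-fallback")


def instance_rules(iptables_save, instance_id):
    """Return the rules appended to the per-instance chain, in order."""
    prefix = "-A nova-compute-inst-%d " % instance_id
    return [line[len(prefix):].strip()
            for line in iptables_save.splitlines()
            if line.startswith(prefix)]


def icmp_allowed(iptables_save, instance_id):
    """True if the instance chain accepts ICMP before jumping to the
    sg-fallback chain, which drops anything not matched above it."""
    for rule in instance_rules(iptables_save, instance_id):
        if rule.startswith("-j nova-compute-sg-fallback"):
            return False
        if re.match(r"-p icmp\b.*-j ACCEPT$", rule):
            return True
    return False


def rule_not_applied(before, after, instance_id):
    """True when the chain is unchanged after the secgroup update,
    i.e. the new rule never reached the running instance."""
    return instance_rules(before, instance_id) == instance_rules(after, instance_id)
```

On a live host, feed the snippet two captures of `iptables-save` taken before and after the `nova secgroup-add-rule` call in step 4.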