yahoo-eng-team team mailing list archive

[Bug 1611895] [NEW] Security groups don't work by default in newish kernels

Public bug reported:

I recently had some bad experiences running nova-compute on a linux
4.4-series kernel.  Specifically, the security-group code properly
configured iptables but the actual rules were completely bypassed --
EVERY port on EVERY instance was open to the outside world.

This is presumably due to the kernel change described below.  I'm unclear on
where responsibility sits for activating the proper modprobe; maybe this
is something for packagers to care about and not strictly a nova bug.

$ git describe --contains 34666d467cbf1e2e3c7bb15a63eccfb582cdd71f
v3.18-rc1~115^2~111^2~2
  netfilter: bridge: move br_netfilter out of the core
  Note that this is breaking compatibility for users that expect that
  bridge netfilter is going to be available after explicitly 'modprobe
  bridge' or via automatic load through brctl.
 
  However, the damage can be easily undone by modprobing br_netfilter.
  The bridge core also spots a message to provide a clue to people that
  didn't notice that this has been deprecated.

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1611895


To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1611895/+subscriptions
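The failure mode in this report is silent: iptables holds the right rules, but bridged guest traffic never reaches them unless the br_netfilter module is loaded and the net.bridge.bridge-nf-call-* sysctls are on. The following POSIX sh script is an added example (not code from the bug report, nova, or any packager) that a compute-host operator could run to detect that state before assuming security groups are enforced. Its functions take the paths to read so the logic can be exercised against constructed files; the default paths /proc/modules and /proc/sys/net/bridge are the live kernel interfaces.

```shell
#!/bin/sh
# Added example: detect whether bridged instance traffic will actually
# traverse iptables on this host (br_netfilter loaded + bridge-nf sysctls on).
# Not part of the original bug report or of nova.

MODULES_FILE="${MODULES_FILE:-/proc/modules}"
SYSCTL_DIR="${SYSCTL_DIR:-/proc/sys/net/bridge}"

# br_netfilter_loaded FILE
#   Returns 0 when FILE (in /proc/modules format: "name size refcount ...")
#   lists br_netfilter. On kernels >= 3.18 this module is separate from
#   'bridge', so loading 'bridge' alone is not enough.
br_netfilter_loaded() {
    grep -q '^br_netfilter ' "$1"
}

# bridge_nf_enabled DIR
#   Returns 0 when every bridge-nf-call-* sysctl under DIR reads "1".
#   The directory only exists once br_netfilter is loaded, so a missing
#   file is treated as "filtering off".
bridge_nf_enabled() {
    for k in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
        [ -r "$1/$k" ] || return 1
        [ "$(cat "$1/$k")" = "1" ] || return 1
    done
    return 0
}

# check_bridge_filtering MODULES_FILE SYSCTL_DIR
#   Prints a verdict. Exit codes: 0 filtering effective,
#   1 module not loaded, 2 module loaded but a sysctl is off.
check_bridge_filtering() {
    if ! br_netfilter_loaded "$1"; then
        echo "FAIL: br_netfilter not loaded; bridged traffic bypasses iptables (remedy: modprobe br_netfilter)"
        return 1
    fi
    if ! bridge_nf_enabled "$2"; then
        echo "FAIL: net.bridge.bridge-nf-call-* not all enabled; bridged traffic bypasses iptables"
        return 2
    fi
    echo "OK: br_netfilter loaded and bridge-nf-call sysctls enabled"
    return 0
}

# Run the live check only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--live" ]; then
    check_bridge_filtering "$MODULES_FILE" "$SYSCTL_DIR"
fi
```

Run it as `sh check_br_netfilter.sh --live` on a compute host; a non-zero exit is the condition described in the report. Because /proc/sys/net/bridge does not exist until br_netfilter is loaded, the module check runs first, and a persistent fix belongs in /etc/modules-load.d (or the distribution's equivalent) rather than a one-off modprobe.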