
[Openstack] Ocata -> Pike security groups changed default behaviour?

0 votes

Hi colleagues,

after upgrading from Ocata to Pike I noticed a change in security group
behaviour.

In Ocata, I was using a combination of the default security group + a custom
group (which matches ingress for both ethertypes, IPv4 and IPv6) on a port, and
this was allowing ingress traffic to the VM.

In Pike this doesn't work anymore, i.e. having two security groups in the
project

$ openstack security group list
[ ... ]
| 53ede63e-b08f-4c95-b5fe-29cd21ed442a | default | Default security group | d8051a3ff3ad4c4bb380f828992b8178 |
| cd0bd222-78e1-42b2-b8a5-51d655c49a8f | jex-esg |                        | d8051a3ff3ad4c4bb380f828992b8178 |

and using both on the port disables any traffic from outside (e.g. ping):

$ openstack port show jex-n1-wan
[ ... ]
| fixed_ips          | ip_address='x.x.x.246', subnet_id='5cfcb94e-5865-4cbd-83e3-56e397a436ec' |
| security_group_ids | 53ede63e-b08f-4c95-b5fe-29cd21ed442a, cd0bd222-78e1-42b2-b8a5-51d655c49a8f |

while keeping only the custom group allows traffic from outside:

$ openstack port show jex-n1-wan
[ ... ]
| fixed_ips          | ip_address='x.x.x.246', subnet_id='5cfcb94e-5865-4cbd-83e3-56e397a436ec' |
| security_group_ids | cd0bd222-78e1-42b2-b8a5-51d655c49a8f |

I didn't find any notices on this in the Pike release notes. Can anybody
point me to the place where I can find information on this and,
possibly, other implicit changes?

For additional information, the rules of jex-esg are these:

$ openstack security group show jex-esg
+-----------------+------------------------------------------------------------------------------------------+
| Field           | Value                                                                                    |
+-----------------+------------------------------------------------------------------------------------------+
| created_at      | 2017-09-21T13:25:53Z                                                                     |
| description     |                                                                                          |
| id              | cd0bd222-78e1-42b2-b8a5-51d655c49a8f                                                     |
| name            | jex-esg                                                                                  |
| project_id      | d8051a3ff3ad4c4bb380f828992b8178                                                         |
| revision_number | 4                                                                                        |
| rules           | created_at='2017-09-21T13:25:53Z', direction='ingress', ethertype='IPv4', id='1b979cd7-  |
|                 | created_at='2017-09-21T13:25:53Z', direction='ingress', ethertype='IPv6', id='906ac4e2-  |
|                 | created_at='2017-09-21T13:25:53Z', direction='egress', ethertype='IPv6', id='c8cc2114-   |
|                 | created_at='2017-09-21T13:25:53Z', direction='egress', ethertype='IPv4', id='ebb060f5-   |
| updated_at      | 2017-09-21T13:25:53Z                                                                     |
+-----------------+------------------------------------------------------------------------------------------+

Thank you.

--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
asked Sep 22, 2017 in openstack by Volodymyr_Litovka (1,100 points)
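An added example, not code from the post or from OpenStack itself, that models the union-of-allow-rules semantics Neutron applies when several security groups sit on one port, so the expected outcome of the setup above can be checked offline. The two group IDs and the jex-esg rules are taken from the post; the default group's rule set (Neutron's standard one) and the external address 198.51.100.10 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:                                 # one Neutron security group rule (allow-only)
    direction: str                          # 'ingress' or 'egress'
    ethertype: str                          # 'IPv4' or 'IPv6'
    protocol: Optional[str] = None          # None = any protocol
    port_min: Optional[int] = None          # None = any port
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None  # CIDR the peer must be inside
    remote_group_id: Optional[str] = None   # group the peer's port must belong to

@dataclass
class SecurityGroup:
    id: str
    rules: List[Rule]

def rule_matches(rule, direction, ethertype, protocol, port, peer_ip, peer_groups):
    """True if this single allow rule covers the described packet."""
    if rule.direction != direction or rule.ethertype != ethertype:
        return False
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if rule.port_min is not None and (port is None or not rule.port_min <= port <= rule.port_max):
        return False
    if rule.remote_ip_prefix is not None and (
            ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule.remote_ip_prefix)):
        return False
    return rule.remote_group_id is None or rule.remote_group_id in peer_groups

def allowed(groups, **packet):
    """Neutron semantics: rules only allow, so a packet passes if any rule in any attached group matches."""
    return any(rule_matches(r, **packet) for g in groups for r in g.rules)

# Group IDs are from the post. The default group's rules are Neutron's standard ones (assumed
# unchanged here): egress anywhere, ingress only from ports that are themselves in the default group.
DEFAULT_ID = "53ede63e-b08f-4c95-b5fe-29cd21ed442a"
DEFAULT = SecurityGroup(DEFAULT_ID, [
    Rule("egress", "IPv4"), Rule("egress", "IPv6"),
    Rule("ingress", "IPv4", remote_group_id=DEFAULT_ID),
    Rule("ingress", "IPv6", remote_group_id=DEFAULT_ID)])
JEX_ESG = SecurityGroup("cd0bd222-78e1-42b2-b8a5-51d655c49a8f", [  # rules as shown in the post
    Rule("ingress", "IPv4"), Rule("ingress", "IPv6"),
    Rule("egress", "IPv6"), Rule("egress", "IPv4")])
def ping_from_outside_allowed(groups):
    # 198.51.100.10 is a constructed address for an external host that is in no security group
    return allowed(groups, direction="ingress", ethertype="IPv4", protocol="icmp",
                   port=None, peer_ip="198.51.100.10", peer_groups=set())
```

Under these semantics attaching the default group cannot take away what jex-esg allows, so a ping that is dropped only when both groups are attached is worth comparing against the rules the firewall driver actually renders on the compute host, not just the API view.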