Security rules not being applied

asked 2014-02-12 10:55:25 -0600

Mathias Ewald

Hi, I am running OpenStack Havana on Ubuntu 12.04 with KVM and OVS (GRE) and had to find out my security groups are not being applied at all, or at least they are not effective. But there are more funny things. I started playing with groups and rules and at some point just deleted them all.

    root@controller:~# neutron security-group-list
    +--------------------------------------+---------+-------------+
    | id                                   | name    | description |
    +--------------------------------------+---------+-------------+
    | 3f7e186a-29a9-4c26-b4c5-f74d67a73123 | default | default     |
    +--------------------------------------+---------+-------------+
    root@controller:~# neutron security-group-delete 3f7e186a-29a9-4c26-b4c5-f74d67a73123
    Deleted security_group: 3f7e186a-29a9-4c26-b4c5-f74d67a73123
    root@controller:~# neutron security-group-list
    +--------------------------------------+---------+-------------+
    | id                                   | name    | description |
    +--------------------------------------+---------+-------------+
    | 4ed5b01c-48e8-4b54-b699-84d38605a5dc | default | default     |
    +--------------------------------------+---------+-------------+
    root@controller:~# neutron security-group-rule-list
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+
    | id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+
    | 418ec26b-dc73-4a3e-8207-20d0e3c7f3b9 | default        | egress    |          |                  |              |
    | 99f4d389-ee47-4154-8a9a-3c7bdef4e6ed | default        | ingress   |          |                  | default      |
    | ad4eebd5-de23-423f-a676-df002cae2ea5 | default        | ingress   |          |                  | default      |
    | eb151640-3c76-49c8-b48c-31198aceeea4 | default        | egress    |          |                  |              |
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+
    root@controller:~#

Obviously, after deleting the default security group it simply gets recreated with a different id. The remote_group of "default" makes me suspicious, though, but I cannot actually remember if this was set by default.

Now I boot an instance and get a second security group named "default", too:

    root@controller:~# neutron security-group-list
    +--------------------------------------+---------+-------------+
    | id                                   | name    | description |
    +--------------------------------------+---------+-------------+
    | 4ed5b01c-48e8-4b54-b699-84d38605a5dc | default | default     |
    +--------------------------------------+---------+-------------+
    root@controller:~# nova boot --flavor 1 --image acec50b2-fd18-4a00-a126-f2e3ea1a2eaa --key-name mykey --nic net-id=253b85cc-7975-42e0-aa26-62777ae5aa78 cirros01
    +--------------------------------------+--------------------------------------+
    | Property                             | Value                                |
    +--------------------------------------+--------------------------------------+
    | OS-EXT-STS:task_state                | scheduling                           |
    | image                                | Cirros 0.3.0 x86_64                  |
    | OS-EXT-STS:vm_state                  | building                             |
    | OS-EXT-SRV-ATTR:instance_name        | instance-00000050                    |
    | OS-SRV-USG:launched_at               | None                                 |
    | flavor                               | m1.tiny                              |
    | id                                   | d5fdf1e2-bc3f-48aa-be81-c8490d4c2965 |
    | security_groups                      | [{u'name': u'default'}]              |
    | user_id                              | a8b5af7cb2ab401f90d5b4903c091216     |
    | OS-DCF:diskConfig                    | MANUAL                               |
    | accessIPv4                           |                                      |
    | accessIPv6                           |                                      |
    | progress                             | 0                                    |
    | OS-EXT-STS:power_state               | 0                                    |
    | OS-EXT-AZ:availability_zone          | nova                                 |
    | config_drive                         |                                      |
    | status                               | BUILD                                |
    | updated                              | 2014-02-12T17:36:30Z                 |
    | hostId                               |                                      |
    | OS-EXT-SRV-ATTR:host                 | None                                 |
    | OS-SRV-USG:terminated_at             | None                                 |
    | key_name                             | mykey                                |
    | OS-EXT-SRV-ATTR:hypervisor_hostname  | None                                 |
    | name                                 | cirros01                             |
    | adminPass                            | gd952YZQNmaC                         |
    | tenant_id                            | 2575481bef7f4fde956202e3070fe688     |
    | created                              | 2014-02-12T17:36:29Z                 |
    | os-extended-volumes:volumes_attached | []                                   |
    | metadata                             | {}                                   |
    +--------------------------------------+--------------------------------------+
    root@controller:~# neutron security-group-list
    +--------------------------------------+---------+-------------+
    | id                                   | name    | description |
    +--------------------------------------+---------+-------------+
    | 4ed5b01c-48e8-4b54-b699-84d38605a5dc | default | default     |
    | a6808e20-97ea-41b9-97b3-2315984a6d98 | default | default     |
    +--------------------------------------+---------+-------------+
    root@controller:~#

The instance is running and reachable:

    root@controller:~# nova list
    +--------------------------------------+----------+--------+------------+-------------+-----------------------+
    | ID                                   | Name     | Status | Task State | Power State | Networks              |
    +--------------------------------------+----------+--------+------------+-------------+-----------------------+
    | d5fdf1e2-bc3f-48aa-be81-c8490d4c2965 | cirros01 | ACTIVE | None       | Running     | network01=172.16.0.10 |
    +--------------------------------------+----------+--------+------------+-------------+-----------------------+
    root@controller:~#
    vxltsupport@desktop:~$ ping -c 2 172.16.0.10
    PING 172.16.0.10 (172.16.0.10) 56(84) bytes of data.
    64 bytes from 172.16.0.10: icmp_req=1 ttl=63 time=3.84 ms
    64 bytes from 172.16.0.10: icmp_req=2 ttl=63 time=1.35 ms

    --- 172.16.0.10 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 1.357/2.599/3.842/1.243 ms
    vxltsupport@desktop:~$

Now, I create a second security group that allows RDP traffic only and boot an instance with that group attached:

    root@controller:~# nova secgroup-create RDP RDP
    +--------------------------------------+------+-------------+
    | Id                                   | Name | Description |
    +--------------------------------------+------+-------------+
    | 15c87c40-1d27-4418-89d4-87812d3ef212 | RDP  | RDP         |
    +--------------------------------------+------+-------------+
    root@controller:~#
    root@controller:~# nova secgroup-add-rule RDP tcp 3389 3389 0.0.0.0/0
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | tcp         | 3389      | 3389    | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+
    root@controller:~#
    root@controller:~# neutron security-group-list
    +--------------------------------------+---------+-------------+
    | id                                   | name    | description |
    +--------------------------------------+---------+-------------+
    | 15c87c40-1d27-4418-89d4-87812d3ef212 | RDP     | RDP         |
    | 4ed5b01c-48e8-4b54-b699-84d38605a5dc | default | default     |
    | a6808e20-97ea-41b9-97b3-2315984a6d98 | default | default     |
    +--------------------------------------+---------+-------------+
    root@controller:~# neutron security-group-rule-list
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+
    | id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+
    | 1a6b85a9-30f2-4c3c-af4f-4d49a5328f9e | RDP            | egress    |          |                  |              |
    | 3ee72b08-abc1-460c-a0b7-979a95ca6f1e | default        | ingress   |          |                  | default      |
    | 418ec26b-dc73-4a3e-8207-20d0e3c7f3b9 | default        | egress    |          |                  |              |
    | 6cc3e706-8530-49b4-b323-5ff6011066c1 | RDP            | egress    |          |                  |              |
    | 6e3bf088-9968-4f5d-a44a-f50f779af52d | default        | egress    |          |                  |              |
    | 99f4d389-ee47-4154-8a9a-3c7bdef4e6ed ...
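The post lists groups and rules by hand and spots two things by eye: two groups that both carry the name "default", and ingress rules whose only restriction is a remote_group. The script below is an added example, not part of the question or of the neutron client: it parses the ASCII tables the `neutron security-group-list` and `neutron security-group-rule-list` commands print and reports duplicate group names and ingress rules that carry no protocol, no remote_ip_prefix and no remote_group at all (allow anything from anywhere). The two sample tables are constructed for the example; they reuse the ids shown in the post plus one constructed row (`0000aaaa-...`, group `wideopen`) to exercise the open-rule check.

```python
"""Audit the tables printed by `neutron security-group-list` and
`neutron security-group-rule-list` (added example, not the post's own code).

Reports:
  * group names used by more than one security group (e.g. two "default"
    groups), which makes name-based references such as `--security-groups
    default` ambiguous;
  * ingress rules with empty protocol, remote_ip_prefix and remote_group,
    i.e. rules that admit any traffic from any source.
"""
from collections import Counter

# Constructed sample input for this example; ids taken from the post,
# except the `wideopen` row, which is made up to trigger the open-rule check.
GROUP_TABLE = """\
+--------------------------------------+---------+-------------+
| id                                   | name    | description |
+--------------------------------------+---------+-------------+
| 4ed5b01c-48e8-4b54-b699-84d38605a5dc | default | default     |
| a6808e20-97ea-41b9-97b3-2315984a6d98 | default | default     |
| 15c87c40-1d27-4418-89d4-87812d3ef212 | RDP     | RDP         |
+--------------------------------------+---------+-------------+
"""

RULE_TABLE = """\
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| 1a6b85a9-30f2-4c3c-af4f-4d49a5328f9e | RDP            | egress    |          |                  |              |
| 3ee72b08-abc1-460c-a0b7-979a95ca6f1e | default        | ingress   |          |                  | default      |
| 418ec26b-dc73-4a3e-8207-20d0e3c7f3b9 | default        | egress    |          |                  |              |
| 0000aaaa-0000-0000-0000-000000000000 | wideopen       | ingress   |          |                  |              |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
"""


def parse_table(text):
    """Turn a neutron CLI ASCII table into a list of dicts keyed by header.

    Rows are the lines starting with '|'; the first such line is the header.
    Cell text never contains '|', so a plain split is sufficient.
    """
    rows = [line for line in text.splitlines() if line.startswith("|")]
    if not rows:
        return []
    header = [cell.strip() for cell in rows[0].strip("|").split("|")]
    records = []
    for line in rows[1:]:
        cells = [cell.strip() for cell in line.strip("|").split("|")]
        records.append(dict(zip(header, cells)))
    return records


def duplicate_names(groups):
    """Group names that appear on more than one security group."""
    counts = Counter(group["name"] for group in groups)
    return sorted(name for name, count in counts.items() if count > 1)


def open_ingress_rules(rules):
    """Ingress rules with no protocol, no prefix and no remote group."""
    return [
        rule for rule in rules
        if rule["direction"] == "ingress"
        and not rule["protocol"]
        and not rule["remote_ip_prefix"]
        and not rule["remote_group"]
    ]


def audit(group_text, rule_text):
    """Run both checks and return a list of human-readable findings."""
    groups = parse_table(group_text)
    rules = parse_table(rule_text)
    findings = []
    for name in duplicate_names(groups):
        ids = [group["id"] for group in groups if group["name"] == name]
        findings.append(f"duplicate group name {name!r}: {', '.join(ids)}")
    for rule in open_ingress_rules(rules):
        findings.append(
            f"open ingress rule {rule['id']} on group {rule['security_group']!r}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(GROUP_TABLE, RULE_TABLE):
        print(finding)
```

On a real controller the two tables can be fed in from the command output (`neutron security-group-list > groups.txt`, and so on) and passed to `audit()`. The checks only say what the API believes the rule set is; whether those rules reach the hypervisor is a separate question, which is why the next thing to compare on an OVS/Havana compute node is the iptables rule set the agent's hybrid firewall driver is expected to install for the instance's tap interface.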