[OSSA 2015-021] secgroup rules doesn't work for instance immediately (CVE-2015-7713)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Invalid | High | MOS Nova |
6.0.x | Invalid | High | Denis Puchkin |
6.1.x | Invalid | High | Denis Puchkin |
7.0.x | Fix Released | High | Denis Puchkin |
Bug Description
Upstream bug: https:/
I have an OpenStack kilo setup on RHEL7.1 with a controller and a compute node (network-compute + network-
# /etc/nova/nova.conf on controller node
[DEFAULT]
network_api_class = nova.network.
security_group_api = nova
# /etc/nova/nova.conf on compute node
[DEFAULT]
network_api_class = nova.network.
security_group_api = nova
firewall_driver = nova.virt.
network_manager = nova.network.
network_size = 254
allow_same_
multi_host = True
send_arp_for_ha = True
share_dhcp_address = True
force_dhcp_release = True
flat_network_bridge = br100
flat_interface = eth0
public_interface = eth0
steps for test 1:
1) create and start VM instance-1 with secgroup default;
2) VM instance-1 ping br100: OK;
3) br100 ping VM instance-1: operation not permitted (because of no secgroup-rules for ICMP)
4) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
5) br100 ping VM instance-1: I got the same wrong message, not expected.
steps for test 2:
1) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0;
2) create and start VM instance-2 with secgroup default;
3) br100 ping instance-2: OK
It seems that the command "nova secgroup-add-rule ..." doesn't work immediately for existing or running VM instances?
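A check an operator could run against a compute node to spot the condition from test 1, as an added example (not part of the original report or of nova): it parses `iptables-save` output and lists per-instance chains that lack an ACCEPT rule for the security group rule that was added. The sample ruleset is constructed, and the chain naming `nova-compute-inst-<id>` and the premise that every instance is in the `default` group are assumptions.

```python
import re

# Constructed `iptables-save` excerpt from a compute node (not from the report).
# Assumption: per-instance chains are named "nova-compute-inst-<id>".
SAMPLE_IPTABLES_SAVE = """\
*filter
:nova-compute-inst-1 - [0:0]
:nova-compute-inst-2 - [0:0]
-A nova-compute-inst-1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-1 -j nova-compute-sg-fallback
-A nova-compute-inst-2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-2 -p icmp -j ACCEPT
-A nova-compute-inst-2 -j nova-compute-sg-fallback
COMMIT
"""

# What "nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0" should produce.
EXPECTED_RULES = [{"proto": "icmp", "cidr": "0.0.0.0/0"}]

CHAIN_DECL = re.compile(r"^:(nova-compute-inst-\d+) ")
CHAIN_RULE = re.compile(r"^-A (nova-compute-inst-\d+) (.+)$")

def instance_rules(save_text):
    """Map each per-instance chain to the list of its rule token lists."""
    chains = {}
    for line in save_text.splitlines():
        decl, rule = CHAIN_DECL.match(line), CHAIN_RULE.match(line)
        if decl:
            chains.setdefault(decl.group(1), [])
        elif rule:
            chains.setdefault(rule.group(1), []).append(rule.group(2).split())
    return chains

def opt(tokens, flag):
    """Value following an iptables flag, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def rule_applied(expected, rules):
    """True if some ACCEPT rule matches protocol and source CIDR.
    iptables-save omits -s for 0.0.0.0/0, so a missing -s means "any"."""
    return any(opt(t, "-j") == "ACCEPT" and opt(t, "-p") == expected["proto"]
               and (opt(t, "-s") or "0.0.0.0/0") == expected["cidr"] for t in rules)

def stale_instances(save_text, expected_rules):
    """Chains of running instances that lack at least one expected rule."""
    return sorted(chain for chain, rules in instance_rules(save_text).items()
                  if not all(rule_applied(e, rules) for e in expected_rules))

if __name__ == "__main__":
    print(stale_instances(SAMPLE_IPTABLES_SAVE, EXPECTED_RULES))
```

In the constructed sample, instance 1 corresponds to the VM started before the rule was added and instance 2 to the VM started after it.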
CVE References
Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Matt Riedemann <email address hidden>
Review: https://review.fuel-infra.org/16269