[Bug 1208880] [NEW] Adding a fixed IP doesn't fully update firewall rules on compute host
James Troup
james.troup at canonical.com
Tue Aug 6 15:18:14 UTC 2013
Public bug reported:
With OpenStack Folsom, 'nova add-fixed-ip' doesn't appear to correctly
change the firewall rules on the compute host, with the result that the
additional fixed IPs are unusable.
To reproduce, I did:
nova add-fixed-ip <server uuid> <network uuid>
nova show <server uuid> # <-- repeat until additional fixed IP shows
# in 'nova network' section.
ssh <user>@<server>
# [Configure additional IP on VM]
ping <new IP> # <-- from VM, works
ping <new IP> # <-- from e.g. cloud controller, doesn't work
I confirmed the VM is arping for the new IP. Then looking at iptables
on the compute host, I noticed there's no inbound rule for the
new fixed IP on the nova-compute-local chain:
| root@dybbuk:/etc# iptables-save | grep 10.33.16.63
| -A nova-compute-inst-3034 -s 10.33.16.63/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3034 -s 10.33.16.63/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3035 -s 10.33.16.63/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3035 -s 10.33.16.63/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-local -d 10.33.16.63/32 -j nova-compute-inst-3035
| root@dybbuk:/etc# iptables-save | grep 10.33.16.222
| -A nova-compute-inst-3034 -s 10.33.16.222/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3034 -s 10.33.16.222/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3035 -s 10.33.16.222/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
| -A nova-compute-inst-3035 -s 10.33.16.222/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
| root@dybbuk:/etc#
** Affects: nova (Ubuntu)
Importance: Undecided
Status: New
** Tags: prodstack
** Tags added: prodstack
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1208880
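Added example, not part of the original bug report: one way to automate the check the report does by eye, by parsing iptables-save output and reporting fixed IPs that have no inbound jump rule on the nova-compute-local chain. The function names are hypothetical, the rule layout is assumed to match the lines quoted in the report, and the sample input is constructed from those lines.

```python
import ipaddress
import re

# Constructed sample: the iptables-save lines quoted in the report.
SAMPLE = """\
-A nova-compute-inst-3034 -s 10.33.16.63/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
-A nova-compute-inst-3035 -s 10.33.16.63/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
-A nova-compute-local -d 10.33.16.63/32 -j nova-compute-inst-3035
-A nova-compute-inst-3034 -s 10.33.16.222/32 -p tcp -m multiport --dports 1:65535 -j ACCEPT
-A nova-compute-inst-3035 -s 10.33.16.222/32 -p udp -m multiport --dports 1:65535 -j ACCEPT
"""

# Inbound dispatch rule: destination address -> per-instance chain.
LOCAL_RULE = re.compile(
    r"^-A nova-compute-local\b.*?\s-d\s+(\S+).*?\s-j\s+(nova-compute-inst-\S+)"
)


def inbound_dispatch(rules_text):
    """Map each destination network on nova-compute-local to its instance chain."""
    table = {}
    for line in rules_text.splitlines():
        # Tolerate the "| " quoting prefix used when output is pasted into mail.
        match = LOCAL_RULE.match(line.lstrip("| ").rstrip())
        if match:
            net = ipaddress.ip_network(match.group(1), strict=False)
            table[net] = match.group(2)
    return table


def check_fixed_ips(rules_text, fixed_ips):
    """Return {ip: chain or None}; None means no inbound jump rule covers the IP."""
    table = inbound_dispatch(rules_text)
    result = {}
    for ip in fixed_ips:
        addr = ipaddress.ip_address(ip)
        result[ip] = next((c for net, c in table.items() if addr in net), None)
    return result


def missing_inbound(rules_text, fixed_ips):
    """List the fixed IPs that inbound traffic cannot reach through the chain."""
    checked = check_fixed_ips(rules_text, fixed_ips)
    return sorted(ip for ip, chain in checked.items() if chain is None)


if __name__ == "__main__":
    for ip in missing_inbound(SAMPLE, ["10.33.16.63", "10.33.16.222"]):
        print(f"no nova-compute-local -d rule for {ip}")
```

On a compute host the same functions can be fed the real output of iptables-save together with the fixed IPs listed by 'nova show'.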