** Changed in: ossa
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1491307

Title:
  [OSSA 2015-021] secgroup rules doesn't work for instance immediately
  (CVE-2015-7713)

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  I have an OpenStack kilo setup on RHEL7.1 with a controller and a
  compute node (network-compute + network-network). The config is as
  follows:

  # /etc/nova/nova.conf on controller node
  [DEFAULT]
  network_api_class = nova.network.api.API
  security_group_api = nova

  # /etc/nova/nova.conf on compute node
  [DEFAULT]
  network_api_class = nova.network.api.API
  security_group_api = nova
  firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
  network_manager = nova.network.manager.FlatDHCPManager
  network_size = 254
  allow_same_net_traffic = False
  multi_host = True
  send_arp_for_ha = True
  share_dhcp_address = True
  force_dhcp_release = True
  flat_network_bridge = br100
  flat_interface = eth0
  public_interface = eth0

  Steps for test 1:
  1) create and start VM instance-1 with secgroup default;
  2) VM instance-1 ping br100: OK;
  3) br100 ping VM instance-1: operation not permitted (because of no
     secgroup-rules for ICMP)
  4) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
  5) br100 ping VM instance-1: I got the same wrong message, not
     expected.

  Steps for test 2:
  1) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0;
  2) create and start VM instance-2 with secgroup default;
  3) br100 ping instance-2: OK

  It seems that the command "nova secgroup-add-rule ..." doesn't work
  immediately for the existing or running VM instances?
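
The check below is an added example, not part of the bug report or of nova. It audits a compute host for the condition the two tests describe: a running instance whose iptables chain does not match the security group's current rules. It goes beyond the reported case by also flagging rules still present on the host that the group no longer contains. The `nova-compute-inst-<id>` chain naming and the `iptables-save` excerpt are assumptions constructed for illustration.

```python
import re

# Constructed `iptables-save` excerpt for one compute host (not from the report).
# Assumption: per-instance chains are named nova-compute-inst-<id>.
# inst-1 was running before the ICMP rule was added; inst-2 was booted after it.
SAMPLE_IPTABLES_SAVE = """\
*filter
:nova-compute-inst-1 - [0:0]
:nova-compute-inst-2 - [0:0]
-A nova-compute-inst-1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-1 -j nova-compute-sg-fallback
-A nova-compute-inst-2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-2 -p icmp -j ACCEPT
-A nova-compute-inst-2 -j nova-compute-sg-fallback
COMMIT
"""

CHAIN_DECL = re.compile(r"^:(nova-compute-inst-\d+) ")
CHAIN_RULE = re.compile(r"^-A (nova-compute-inst-\d+) (.*)$")


def accepted_rules(iptables_save):
    """Map each instance chain to the set of (protocol, source CIDR) it ACCEPTs."""
    chains = {}
    for line in iptables_save.splitlines():
        decl = CHAIN_DECL.match(line)
        if decl:  # record the chain even if it has no ACCEPT rules at all
            chains.setdefault(decl.group(1), set())
            continue
        rule = CHAIN_RULE.match(line)
        if not rule:
            continue
        chain, tokens = rule.group(1), rule.group(2).split()
        if "-p" not in tokens or tokens[-2:] != ["-j", "ACCEPT"]:
            continue  # state matches, jumps to other chains, DROP rules
        proto = tokens[tokens.index("-p") + 1]
        # iptables-save omits "-s" when the source is 0.0.0.0/0
        src = tokens[tokens.index("-s") + 1] if "-s" in tokens else "0.0.0.0/0"
        chains.setdefault(chain, set()).add((proto, src))
    return chains


def audit(iptables_save, expected):
    """Return only the chains whose rules differ from the expected group rules."""
    report = {}
    for chain, actual in accepted_rules(iptables_save).items():
        missing, stale = sorted(expected - actual), sorted(actual - expected)
        if missing or stale:
            report[chain] = {"missing": missing, "stale": stale}
    return report
```

On a real host the first argument would be the output of `iptables-save`, and `expected` the rules currently listed for the security group.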