[Bug 1670766] [NEW] Mitaka Trove security groups do not have an ICMP option - patch available
Launchpad Bug Tracker
1670766 at bugs.launchpad.net
Tue Mar 7 16:49:57 UTC 2017
You have been subscribed to a public bug:
=== Problem Description ===================================
#===========================================================
After enabling security groups in Trove, ICMP traffic is being blocked.
A patch to enable ICMP traffic in the Trove security group configuration
was merged into Master about 7 months ago.
Linux zs93kg 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:55:38 UTC 2017 s390x s390x s390x GNU/Linux
Machine Type = s390x
Userspace tool common name: trove
#=== Steps to Reproduce ====================================
#===========================================================
1. Edit /etc/trove/trove-taskmanager.conf and enable security groups:
[DEFAULT]
...
trove_security_groups_support = True
trove_security_group_rule_cidr = 0.0.0.0/0
2. In the same config file, add some ports to the target datastores, for
example:
[db2]
icmp = True
tcp_ports = 22, 50000
volume_support = True
[postgresql]
icmp = True
tcp_ports = 22, 5432
volume_support = True
3. Deploy a new instance of the indicated datastore, and try to ping it. This will fail. Looking at the assigned security group for the instance:
[vmorris at zs93kg USER:vmorris PROJ:tenant1 ~]$ openstack server show vem-tenant1-trove-postgres | grep security_groups
| security_groups | [{u'name': u'SecGroup_801648ae-8a1f-4388-be38-01f3e9f1c743'}] |
[vmorris at zs93kg USER:vmorris PROJ:tenant1 ~]$ openstack security group show SecGroup_801648ae-8a1f-4388-be38-01f3e9f1c743
+-------------+------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------+------------------------------------------------------------------------------------------------------------+
| description | Security Group for 801648ae-8a1f-4388-be38-01f3e9f1c743 |
| id | 61a58f17-10b4-4d94-a677-9831f7eda2d7 |
| name | SecGroup_801648ae-8a1f-4388-be38-01f3e9f1c743 |
| project_id | 68eba9de5c3b49b6b6e4199faf1053f7 |
| rules | id='2874bf94-c2e9-4046-b2a6-a08f791152b9', ip_protocol='tcp', ip_range='0.0.0.0/0', port_range='22:22' |
| | id='e7c3fcad-2c7f-4cef-8f6c-7418f2c6bde6', ip_protocol='tcp', ip_range='0.0.0.0/0', port_range='5432:5432' |
+-------------+------------------------------------------------------------------------------------------------------------+
#=== Additional Info ====================================
#===========================================================
Please see the following change in Trove master:
https://review.openstack.org/#/c/214056/
Change 214056 - Merged
Introduce "icmp" option for security group rule
This change introduces new datastore option "icmp" to
configure whether to permit ICMP. It helps users to
check DB instance health in different way from access
DB ports.
** Affects: openstack-trove (Ubuntu)
Importance: Undecided
Assignee: Skipper Bug Screeners (skipper-screen-team)
Status: New
** Tags: architecture-s39031.64 bugnameltc-152315 severity-high targetmilestone-inin16042
--
Mitaka Trove security groups do not have an ICMP option - patch available
https://bugs.launchpad.net/bugs/1670766
You received this bug notification because you are a member of Ubuntu OpenStack, which is subscribed to openstack-trove in Ubuntu.
More information about the Ubuntu-openstack-bugs
mailing list