[Bug 1670766] [NEW] Mitaka Trove security groups do not have an ICMP option - patch available
bugproxy
bugproxy at us.ibm.com
Tue Mar 7 16:49:45 UTC 2017
Public bug reported:
=== Problem Description ===================================
#===========================================================
After enabling security groups in Trove, ICMP traffic is being blocked.
A patch to enable ICMP traffic in the Trove security group configuration
was merged into Master about 7 months ago.
Linux zs93kg 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:55:38 UTC 2017 s390x s390x s390x GNU/Linux
Machine Type = s390x
Userspace tool common name: trove
#=== Steps to Reproduce ====================================
#===========================================================
1. Edit /etc/trove/trove-taskmanager.conf and enable security groups:
[DEFAULT]
...
trove_security_groups_support = True
trove_security_group_rule_cidr = 0.0.0.0/0
2. In the same config file, add some ports to the target datastores, for
example:
[db2]
icmp = True
tcp_ports = 22, 50000
volume_support = True
[postgresql]
icmp = True
tcp_ports = 22, 5432
volume_support = True
3. Deploy a new instance of the indicated datastore, and try to ping it. This will fail. Looking at the assigned security group for the instance:
[vmorris at zs93kg USER:vmorris PROJ:tenant1 ~]$ openstack server show vem-tenant1-trove-postgres | grep security_groups
| security_groups | [{u'name': u'SecGroup_801648ae-8a1f-4388-be38-01f3e9f1c743'}] |
[vmorris at zs93kg USER:vmorris PROJ:tenant1 ~]$ openstack security group show SecGroup_801648ae-8a1f-4388-be38-01f3e9f1c743
+-------------+------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------+------------------------------------------------------------------------------------------------------------+
| description | Security Group for 801648ae-8a1f-4388-be38-01f3e9f1c743 |
| id | 61a58f17-10b4-4d94-a677-9831f7eda2d7 |
| name | SecGroup_801648ae-8a1f-4388-be38-01f3e9f1c743 |
| project_id | 68eba9de5c3b49b6b6e4199faf1053f7 |
| rules | id='2874bf94-c2e9-4046-b2a6-a08f791152b9', ip_protocol='tcp', ip_range='0.0.0.0/0', port_range='22:22' |
| | id='e7c3fcad-2c7f-4cef-8f6c-7418f2c6bde6', ip_protocol='tcp', ip_range='0.0.0.0/0', port_range='5432:5432' |
+-------------+------------------------------------------------------------------------------------------------------------+
#=== Additional Info ====================================
#===========================================================
Please see the following change in Trove master:
https://review.openstack.org/#/c/214056/
Change 214056 - Merged
Introduce "icmp" option for security group rule
This change introduces new datastore option "icmp" to
configure whether to permit ICMP. It helps users to
check DB instance health in different way from access
DB ports.
** Affects: openstack-trove (Ubuntu)
Importance: Undecided
Assignee: Skipper Bug Screeners (skipper-screen-team)
Status: New
** Tags: architecture-s39031.64 bugnameltc-152315 severity-high targetmilestone-inin16042
** Tags added: architecture-s39031.64 bugnameltc-152315 severity-high
targetmilestone-inin16042
** Changed in: ubuntu
Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)
** Package changed: ubuntu => openstack-trove (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to openstack-trove in Ubuntu.
https://bugs.launchpad.net/bugs/1670766
Title:
Mitaka Trove security groups do not have an ICMP option - patch
available
Status in openstack-trove package in Ubuntu:
New
Bug description:
=== Problem Description ===================================
#===========================================================
After enabling security groups in Trove, ICMP traffic is being
blocked.
A patch to enable ICMP traffic in the Trove security group
configuration was merged into Master about 7 months ago.
Linux zs93kg 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:55:38 UTC 2017 s390x s390x s390x GNU/Linux
Machine Type = s390x
Userspace tool common name: trove
#=== Steps to Reproduce ====================================
#===========================================================
1. Edit /etc/trove/trove-taskmanager.conf and enable security groups:
[DEFAULT]
...
trove_security_groups_support = True
trove_security_group_rule_cidr = 0.0.0.0/0
2. In the same config file, add some ports to the target datastores,
for example:
[db2]
icmp = True
tcp_ports = 22, 50000
volume_support = True
[postgresql]
icmp = True
tcp_ports = 22, 5432
volume_support = True
3. Deploy a new instance of the indicated datastore, and try to ping it. This will fail. Looking at the assigned security group for the instance:
[vmorris at zs93kg USER:vmorris PROJ:tenant1 ~]$ openstack server show vem-tenant1-trove-postgres | grep security_groups
| security_groups | [{u'name': u'SecGroup_801648ae-8a1f-4388-be38-01f3e9f1c743'}] |
[vmorris at zs93kg USER:vmorris PROJ:tenant1 ~]$ openstack security group show SecGroup_801648ae-8a1f-4388-be38-01f3e9f1c743
+-------------+------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------+------------------------------------------------------------------------------------------------------------+
| description | Security Group for 801648ae-8a1f-4388-be38-01f3e9f1c743 |
| id | 61a58f17-10b4-4d94-a677-9831f7eda2d7 |
| name | SecGroup_801648ae-8a1f-4388-be38-01f3e9f1c743 |
| project_id | 68eba9de5c3b49b6b6e4199faf1053f7 |
| rules | id='2874bf94-c2e9-4046-b2a6-a08f791152b9', ip_protocol='tcp', ip_range='0.0.0.0/0', port_range='22:22' |
| | id='e7c3fcad-2c7f-4cef-8f6c-7418f2c6bde6', ip_protocol='tcp', ip_range='0.0.0.0/0', port_range='5432:5432' |
+-------------+------------------------------------------------------------------------------------------------------------+
#=== Additional Info ====================================
#===========================================================
Please see the following change in Trove master:
https://review.openstack.org/#/c/214056/
Change 214056 - Merged
Introduce "icmp" option for security group rule
This change introduces new datastore option "icmp" to
configure whether to permit ICMP. It helps users to
check DB instance health in different way from access
DB ports.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openstack-trove/+bug/1670766/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list