nova-network applies too liberal a SNAT rule
Bug #1091939 reported by Paul Collins
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Invalid | Undecided | Unassigned |
nova (Ubuntu) | Fix Released | High | Unassigned |
Precise | Fix Released | High | Unassigned |
Bug Description
Version: 2012.1.
We recently set up a new Nova cluster on precise + essex with Juju and MaaS, and ran into a problem where instances could not communicate with the swift-proxy node on the MaaS network. This turned out to be due to nova-network installing a SNAT rule for the cluster's public IP that applied to all network traffic, not just that traffic destined to exit towards the Internet.
This problem has been fixed upstream in https:/
Please consider applying this change to Ubuntu 12.04 LTS in an SRU.
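An added example, not part of the bug report or of nova's code: a small audit over `iptables-save -t nat` output that flags source-NAT rules with no output-interface or destination match, which is the condition the description above identifies. The sample ruleset, its addresses, interface and chain names are constructed, and treating an `-o` or `-d` match as sufficient scoping is an assumption.

```python
import shlex

# Constructed `iptables-save -t nat` excerpt; the addresses, interface and
# chain names are illustrative and do not come from the bug report.
SAMPLE = """\
*nat
-A nova-network-snat -s 10.0.0.0/16 -j SNAT --to-source 203.0.113.10
-A nova-network-snat -s 10.0.0.0/16 -o eth1 -j SNAT --to-source 203.0.113.10
-A nova-network-snat -s 10.0.0.0/16 ! -d 10.0.0.0/8 -j SNAT --to-source 203.0.113.10
-A nova-network-POSTROUTING -s 10.0.0.0/16 -d 10.0.0.0/16 -j ACCEPT
COMMIT
"""

NAT_TARGETS = {"SNAT", "MASQUERADE"}
# Assumption: a rule counts as scoped if it matches on output interface or
# destination; a source-only match rewrites traffic to every destination.
SCOPING_FLAGS = {"-o", "--out-interface", "-d", "--destination"}


def jump_target(tokens):
    """Return the argument of -j/--jump, or None if the rule has no target."""
    for flag, value in zip(tokens, tokens[1:]):
        if flag in ("-j", "--jump"):
            return value
    return None


def broad_snat_rules(ruleset):
    """Return (line_no, chain, rule) for source-NAT rules with no scoping match."""
    findings = []
    for line_no, line in enumerate(ruleset.splitlines(), 1):
        tokens = shlex.split(line)
        if len(tokens) < 3 or tokens[0] not in ("-A", "--append"):
            continue  # table header, chain policy, COMMIT, blank line
        chain, spec = tokens[1], tokens[2:]
        if jump_target(spec) in NAT_TARGETS and not SCOPING_FLAGS & set(spec):
            findings.append((line_no, chain, line))
    return findings


if __name__ == "__main__":
    for line_no, chain, rule in broad_snat_rules(SAMPLE):
        print(f"line {line_no}: unscoped source NAT in {chain}: {rule}")
```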
Changed in nova (Ubuntu Precise): importance: Undecided → High
Changed in nova (Ubuntu Precise): status: New → In Progress
Changed in nova (Ubuntu): status: New → In Progress
Changed in nova: status: New → Invalid
nova (2012.1.3+stable-20130423-e52e6912-0ubuntu1) precise-proposed; urgency=low
* Resynchronize with stable/essex (e52e6912) (LP: #1089488):
- [48e81f1] VNC proxy can be made to connect to wrong VM LP: 1125378
- [3bf5a58] snat rule too broad for some network configurations LP: 1048765
- [efaacda] DOS by allocating all fixed ips LP: 1125468
- [b683ced] Add nosehtmloutput as a test dependency.
- [45274c8] Nova unit tests not running, but still passing for stable/essex
LP: 1132835
- [e02b459] vnc unit-test fixes
- [87361d3] Jenkins jobs fail because of incompatibility between
sqlalchemy-migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
- [e98928c] VNC proxy can be made to connect to wrong VM LP: 1125378
- [c0a10db] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
- [243d516] No authentication on block device used for os-volume_boot
LP: 1069904
- [80fefe5] use_single_default_gateway does not function correctly
(LP: #1075859)
- [bd10241] Essex 2012.1.3 : Error deleting instance with 2 Nova Volumes
attached (LP: #1079745)
- [86a5937] do_refresh_security_group_rules in nova.virt.firewall is very
slow (LP: #1062314)
- [ae9c5f4] deallocate_fixed_ip attempts to update an already deleted
fixed_ip (LP: #1017633)
- [20f98c5] failed to allocate fixed ip because old deleted one exists
(LP: #996482)
- [75f6922] snapshot stays in saving state if the vm base image is deleted
(LP: #921774)
- [1076699] lock files may be removed in error due to permissions issues
(LP: #1051924)
- [40c5e94] ensure_default_security_group() does not call sgh (LP: #1050982)
- [4eebe76] At termination, LXC rootfs is not always unmounted before
rmtree() is called (LP: #1046313)
- [47dabb3] Heavily loaded nova-compute instances don't send reports
frequently enough (LP: #1045152)
- [b375b4f] When attach volume lost attach when node restart (LP: #1004791)
- [4ac2dcc] nova usage-list returns wrong usage (LP: #1043999)
- [014fcbc] Bridge port's hairpin mode not set after resuming a machine
(LP: #1040537)
- [2f35f8e] Nova flavor ephemeral space size reported incorrectly
(LP: #1026210)
* Dropped, superseded by new snapshot:
- debian/patches/CVE-2013-0335.patch: [48e81f1]
- debian/patches/CVE-2013-1838.patch: [efaacda]
- debian/patches/CVE-2013-1664.patch: [c0a10db]
- debian/patches/CVE-2013-0208.patch: [243d516]
-- Yolanda <email address hidden> Mon, 22 Apr 2013 12:37:08 +0200