[Crowbar] [SPAM] RE: Changing barclamp options
kbringard at atti.com
Wed Jan 25 10:57:34 CST 2012
If you didn't specify "Use Tenant Vlans", then I believe crowbar will use FlatDHCP mode (Greg or someone else feel free to correct me if I'm wrong).
This causes a flat IP space to be used for all tenants. In this situation, L2 stuff is protected by ebtables and nwfilter, but if the security groups for the tenant allow ICMP from 0/0, without the VLAN to stop the traffic at the switch/hypervisor, another internal address in the same L2 domain is allowed. So, 10.0.0.10 can ping 10.0.0.11 if the security groups applied to the VM with 10.0.0.10 allow ICMP from 0.0.0.0/0 (since 10.0.0.11 is in that netmask). Assuming you've done that, I'd say as a test try allowing just a specific IP, or subset of IPs, in the security group the 10.0.0.10 VM is in and see if it resolves the issue.
This is why security groups by source is so important… unfortunately it's been bugged in nova for a while, so at least with the EC2 API it doesn't work right :-/
Does that make sense?
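The 0/0-on-a-flat-network point above, as an added example (not code from the thread or from nova): a small model of nova/EC2-style ingress rules showing that a 0.0.0.0/0 ICMP rule admits every other fixed IP in the shared 10.0.0.0/24 range, while the suggested single-source test admits only that source. The addresses, including the 10.0.0.20 "allowed" host, are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SGRule:
    """One ingress rule, shaped like a nova/EC2 security group rule (constructed here)."""
    proto: str       # "icmp", "tcp" or "udp"
    from_port: int   # start of port range; for icmp the type; -1 means any
    to_port: int     # end of port range; for icmp the code; -1 means any
    cidr: str        # source range the rule accepts, e.g. "0.0.0.0/0"


def rule_permits(rule: SGRule, proto: str, src_ip: str, port: int = -1) -> bool:
    """True if this single rule would accept a packet of `proto` from `src_ip`."""
    if rule.proto != proto:
        return False
    # The source check is what matters on a flat network: a /0 matches every
    # address in the shared tenant range, not just "the internet".
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.cidr, strict=False):
        return False
    if rule.from_port == -1 or rule.to_port == -1:
        return True
    return rule.from_port <= port <= rule.to_port


def group_permits(rules, proto, src_ip, port=-1):
    """Security group semantics: any matching ingress rule admits the packet."""
    return any(rule_permits(r, proto, src_ip, port) for r in rules)


def reachable_sources(rules, proto, candidates, port=-1):
    """Which of `candidates` (other VMs' fixed IPs) the group lets in."""
    return [ip for ip in candidates if group_permits(rules, proto, ip, port)]


# Constructed FlatDHCP scenario: tenant A's VM is 10.0.0.10; 10.0.0.11 and
# 10.0.0.12 belong to other tenants; 10.0.0.20 is the one host A wants to allow.
OTHER_VMS = ["10.0.0.11", "10.0.0.12", "10.0.0.20"]
OPEN_ICMP = [SGRule("icmp", -1, -1, "0.0.0.0/0")]       # the situation in the thread
SCOPED_ICMP = [SGRule("icmp", -1, -1, "10.0.0.20/32")]  # the suggested test: one source

if __name__ == "__main__":
    print("0.0.0.0/0 admits ICMP from:", reachable_sources(OPEN_ICMP, "icmp", OTHER_VMS))
    print("10.0.0.20/32 admits ICMP from:", reachable_sources(SCOPED_ICMP, "icmp", OTHER_VMS))
```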
From: "Gregory_Althaus at Dell.com" <Gregory_Althaus at Dell.com>
Date: Wed, 25 Jan 2012 08:44:00 -0800
To: "csanburn at redwoodit.com" <csanburn at redwoodit.com>, "crowbar at lists.us.dell.com" <crowbar at lists.us.dell.com>
Subject: [Crowbar] [SPAM] RE: Changing barclamp options
I suspect that nova doesn’t understand what you did. It didn’t limit the iptable entries for the existing entry.
While crowbar lets you do things, I’m not sure nova can completely understand it.
From: crowbar-bounces On Behalf Of Chris Sanburn
Sent: Wednesday, January 25, 2012 10:33 AM
Subject: [Crowbar] Changing barclamp options
During my testing I found that an instance for one tenant could ping an instance for another tenant, which is something we don’t want to happen. There’s an option in the Nova barclamp:
“Use Tenant Vlans”
I had left it at the default of False.
I’ve tried to change it by deactivating the Nova barclamp, deleting it, recreating and changing the option before applying it. Left everything else in place, instances, other barclamps, etc. But I can still ping the instance in the other tenant.
Can anyone enlighten me on what I’ve missed? Can I not change the Nova barclamp options like I did? Do I need to delete all of my tenants, instances, etc, and start over? Do I need to start over the entire deployment of openstack?