)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":23804,"name":"Daniel Alvarez","email":"dalvarez@redhat.com","username":"dalvarez"},"change_message_id":"d55f7f0d2eb29c135892c92a7875093675ec8320","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Add test for intra security group isolation"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Default security group may not allow packets packets that"},{"line_number":10,"context_line":"originate from peers of the same security group (aka intra-sg)"},{"line_number":11,"context_line":"This new test ensures that even in such cases, servers are able"},{"line_number":12,"context_line":"to obtain an address via dhcp."},{"line_number":13,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"bf51134e_1a9b67c9","line":10,"range":{"start_line":9,"start_character":0,"end_line":10,"end_character":48},"updated":"2020-06-17 07:20:58.000000000","message":"The Neutron default SG allows this, right?\n\nIIUC, the purpose of this test would be precisely to test that intra SG traffic is properly blocked when this default group is not used yet traffic like metadata and DHCP works. Is this right?","commit_id":"6b48c5a775fe05801a2a62ab89bd012c257128da"},{"author":{"_account_id":11952,"name":"Flavio Fernandes","email":"flavio@flaviof.com","username":"ffernand"},"change_message_id":"9e980891015165a40173d5607f43e8786ec3910a","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Add test for intra security group isolation"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Default security group may not allow packets packets that"},{"line_number":10,"context_line":"originate from peers of the same security group (aka intra-sg)"},{"line_number":11,"context_line":"This new test ensures that even in such cases, servers are able"},{"line_number":12,"context_line":"to obtain an address via dhcp."},{"line_number":13,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"bf51134e_bb8fddca","line":10,"range":{"start_line":9,"start_character":0,"end_line":10,"end_character":48},"in_reply_to":"bf51134e_1a9b67c9","updated":"2020-06-17 10:35:17.000000000","message":"\u003e the neutron default SG allows this, right?\n\nYes. But I will dbl check to make sure I\u0027m not talking crazy.","commit_id":"6b48c5a775fe05801a2a62ab89bd012c257128da"},{"author":{"_account_id":11952,"name":"Flavio Fernandes","email":"flavio@flaviof.com","username":"ffernand"},"change_message_id":"22d68225749720319a8360677bd6202f5ce4d4ac","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Add test for intra security group isolation"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Default security group may not allow packets packets that"},{"line_number":10,"context_line":"originate from peers of the same security group (aka intra-sg)"},{"line_number":11,"context_line":"This new test ensures that even in such cases, servers are able"},{"line_number":12,"context_line":"to obtain an address via dhcp."},{"line_number":13,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"bf51134e_fbedd525","line":10,"range":{"start_line":9,"start_character":0,"end_line":10,"end_character":48},"in_reply_to":"bf51134e_1a9b67c9","updated":"2020-06-17 10:05:50.000000000","message":"Yup, that is it. Let me reword this description to\nmake that a little more clear.","commit_id":"6b48c5a775fe05801a2a62ab89bd012c257128da"},{"author":{"_account_id":11952,"name":"Flavio Fernandes","email":"flavio@flaviof.com","username":"ffernand"},"change_message_id":"a6d6aabc7c39dfaf29b0cee8100c1ab69e9c2b65","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Add test for intra security group isolation"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Default security group may not allow packets packets that"},{"line_number":10,"context_line":"originate from peers of the same security group (aka intra-sg)"},{"line_number":11,"context_line":"This new test ensures that even in such cases, servers are able"},{"line_number":12,"context_line":"to obtain an address via dhcp."},{"line_number":13,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"bf51134e_3700f967","line":10,"range":{"start_line":9,"start_character":0,"end_line":10,"end_character":48},"in_reply_to":"bf51134e_bb8fddca","updated":"2020-06-17 15:01:06.000000000","message":"@Daniel: yes, to answer your question... the tempest test uses a default security group with 2 ingress rules and that is what it assigns to the vms in the test if we do not specify one. They allow all local traffic, as shown in example below. That allows VMs to talk to their local dhcp server as well as metadata.\n\nsg b986a6fe-a395-4a39-b655-0ce5b08cf5df -- 5cf8556f-2fce-408a-81b0-671170a05b76\ndirection: ingress\nremote_group_id: b986a6fe-a395-4a39-b655-0ce5b08cf5df\nremote_ip_prefix: ::/0\nsecurity_group_id: b986a6fe-a395-4a39-b655-0ce5b08cf5df\n\nsg b986a6fe-a395-4a39-b655-0ce5b08cf5df -- 73e42bd6-0e9c-4c51-9ce2-11cfe8483b52\ndirection: ingress\nremote_group_id: b986a6fe-a395-4a39-b655-0ce5b08cf5df\nremote_ip_prefix: 0.0.0.0/0\nsecurity_group_id: b986a6fe-a395-4a39-b655-0ce5b08cf5df","commit_id":"6b48c5a775fe05801a2a62ab89bd012c257128da"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"e175052ba5da77b2d97287706815be3628aae1a4","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Add test for intra security group isolation"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Default security group may not allow packets packets that"},{"line_number":10,"context_line":"originate from peers of the same security group (aka intra-sg)"},{"line_number":11,"context_line":"This new test ensures that even in such cases, servers are able"},{"line_number":12,"context_line":"to obtain an address via dhcp."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"bf51134e_a1d5d2b9","line":9,"range":{"start_line":9,"start_character":45,"end_line":9,"end_character":52},"updated":"2020-06-18 11:59:40.000000000","message":"nit: extra packets","commit_id":"957577c605d7f24d0b7ae78f063f24c9b7893083"},{"author":{"_account_id":11952,"name":"Flavio Fernandes","email":"flavio@flaviof.com","username":"ffernand"},"change_message_id":"6fbdab55819340fee1d2c10f2752938a1f5840b9","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Add test for intra security group isolation"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Default security group may not allow packets packets that"},{"line_number":10,"context_line":"originate from peers of the same security group (aka intra-sg)"},{"line_number":11,"context_line":"This new test ensures that even in such cases, servers are able"},{"line_number":12,"context_line":"to obtain an address via dhcp."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"bf51134e_dff41389","line":9,"range":{"start_line":9,"start_character":45,"end_line":9,"end_character":52},"in_reply_to":"bf51134e_a1d5d2b9","updated":"2020-06-18 19:17:51.000000000","message":"oops. Thanks for spotting that!","commit_id":"957577c605d7f24d0b7ae78f063f24c9b7893083"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"755abb1421de94292859dd8520a42f43dacd2c64","unresolved":false,"context_lines":[{"line_number":11,"context_line":"This new test ensures that even in such cases, servers are able"},{"line_number":12,"context_line":"to obtain an address via dhcp."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Depends-On: https://review.opendev.org/#/c/733033"},{"line_number":15,"context_line":"Related-Bug: #1881316"},{"line_number":16,"context_line":"Change-Id: Iceb2abf908fa3c7bb59dec2c0400c8b2ba6fc1a8"},{"line_number":17,"context_line":"Signed-off-by: Flavio Fernandes \u003cflaviof@redhat.com\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"bf51134e_61ed7a8a","line":14,"range":{"start_line":14,"start_character":0,"end_line":14,"end_character":49},"updated":"2020-06-18 12:00:52.000000000","message":"Everything is passing without the dependency merged, is this dependency really true?","commit_id":"957577c605d7f24d0b7ae78f063f24c9b7893083"},{"author":{"_account_id":11952,"name":"Flavio Fernandes","email":"flavio@flaviof.com","username":"ffernand"},"change_message_id":"6fbdab55819340fee1d2c10f2752938a1f5840b9","unresolved":false,"context_lines":[{"line_number":11,"context_line":"This new test ensures that even in such cases, servers are able"},{"line_number":12,"context_line":"to obtain an address via dhcp."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Depends-On: https://review.opendev.org/#/c/733033"},{"line_number":15,"context_line":"Related-Bug: #1881316"},{"line_number":16,"context_line":"Change-Id: Iceb2abf908fa3c7bb59dec2c0400c8b2ba6fc1a8"},{"line_number":17,"context_line":"Signed-off-by: Flavio Fernandes \u003cflaviof@redhat.com\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"bf51134e_ff1757a2","line":14,"range":{"start_line":14,"start_character":0,"end_line":14,"end_character":49},"in_reply_to":"bf51134e_61ed7a8a","updated":"2020-06-18 19:17:51.000000000","message":"Whoa, thanks for asking that! It turns out, OVN default egress rules use allow-related, which will make this work w/out the explicit subnet sg rules due to conntrack. Unfortunately, we cannot count on them being there, so I will need to tweak that to make it more realistic.","commit_id":"957577c605d7f24d0b7ae78f063f24c9b7893083"}]}