Posted to dev@cloudstack.apache.org by wilderrodrigues <gi...@git.apache.org> on 2016/01/06 12:26:44 UTC
[GitHub] cloudstack pull request: CLOUDSTACK-9213 - As a user I want to be ...
GitHub user wilderrodrigues opened a pull request:
https://github.com/apache/cloudstack/pull/1311
CLOUDSTACK-9213 - As a user I want to be able to use multiple ip's/cidrs in an ACL
This PR fixes a problem with iptables when creating ACL items using a comma separated value list of CIDRs. Please refer to the details in the Jira issue.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/ekholabs/cloudstack fix/4.7-acl-cidrs-CLOUDSTACK-9213
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cloudstack/pull/1311.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1311
----
commit 61f3706255b5a658e77014fe7f20acab2707219a
Author: Wilder Rodrigues <wr...@schubergphilis.com>
Date: 2016-01-06T08:08:21Z
CLOUDSTACK-9213 - Formatting the code
commit 94c0dc5dfec1d8b20afcbc1e652eb7c9350b4946
Author: Wilder Rodrigues <wr...@schubergphilis.com>
Date: 2016-01-06T08:08:56Z
CLOUDSTACK-9213 - Split the ACL rules using comma instead of dash.
- The router code no longer deals with parsing the ACL list again. It's not necessary if it's sent in the proper way.
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] cloudstack pull request: CLOUDSTACK-9213 - As a user I want to be ...
Posted by wilderrodrigues <gi...@git.apache.org>.
Github user wilderrodrigues commented on the pull request:
https://github.com/apache/cloudstack/pull/1311#issuecomment-169303235
Ping @remibergsma @miguelaferreira @michaelandersen
* Environment
- Management Server on CentOS 7.1
- 1 KVM Host on CentOS 7.1
- Agent + Common built from 4.7 source
* Manual tests
![image](https://cloud.githubusercontent.com/assets/5129209/12141592/0b236cb2-b471-11e5-9ab8-3a6edf8bac19.png)
* Network ACL JSON file
```
root@r-3-VM:~#
root@r-3-VM:~# less /etc/cloudstack/networkacl.json
{
    "eth2": {
        "device": "eth2",
        "egress_rules": [],
        "ingress_rules": [
            {
                "allowed": true,
                "cidr": "10.0.0.0/8,0.0.0.0/0",
                "first_port": 22,
                "last_port": 22,
                "type": "tcp"
            }
        ],
        "mac_address": "02:00:7e:56:00:02",
        "nic_ip": "10.0.1.1",
        "nic_netmask": "26",
        "private_gateway_acl": false,
        "type": "networkacl"
    },
    "id": "networkacl"
}
/etc/cloudstack/networkacl.json (END)
```
* SSH into VM
```
sbpltk1zffh04:sbp_dev wrodrigues$ ssh root@192.168.23.5
The authenticity of host '192.168.23.5 (192.168.23.5)' can't be established.
RSA key fingerprint is 11:d8:17:ce:62:cf:f9:23:78:fe:ec:34:c3:90:6a:fc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.5' (RSA) to the list of known hosts.
root@192.168.23.5's password:
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=48 time=9.879 ms
64 bytes from 8.8.8.8: seq=1 ttl=48 time=9.777 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 9.777/9.828/9.879 ms
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 02:00:76:53:00:01 brd ff:ff:ff:ff:ff:ff
inet 10.0.1.28/26 brd 10.0.1.63 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::76ff:fe53:1/64 scope link
valid_lft forever preferred_lft forever
#
```
* ACL inbound (iptables)
```
Chain ACL_INBOUND_eth2 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere 225.0.0.50
0 0 ACCEPT all -- any any anywhere vrrp.mcast.net
2 128 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any 10.0.0.0/8 anywhere tcp dpt:ssh
0 0 DROP all -- any any anywhere anywhere
```
I will run the integration tests now.
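Added example, not part of the original post and not CloudStack's router code: a Python sketch that splits the comma separated `cidr` value from the JSON above, validates each entry, builds one iptables rule spec per CIDR, and flags entries covered by a broader CIDR in the same list (here `10.0.0.0/8` is covered by `0.0.0.0/0`). The function names and the rule-spec layout are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample: the ingress rule from the networkacl.json listing above.
SAMPLE = json.loads("""
{"device": "eth2",
 "ingress_rules": [
   {"allowed": true, "cidr": "10.0.0.0/8,0.0.0.0/0",
    "first_port": 22, "last_port": 22, "type": "tcp"}]}
""")


def split_cidrs(value):
    """Split a comma separated CIDR list and validate every entry."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty CIDR in list: %r" % value)
        # strict=True rejects entries with host bits set (e.g. 10.0.1.1/8)
        nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def shadowed(nets):
    """Return entries fully covered by another, broader entry in the list."""
    return [n for n in nets
            if any(n != o and n.version == o.version and n.subnet_of(o) for o in nets)]


def expand_rule(device, rule):
    """Build one iptables rule spec per CIDR (hypothetical argument layout)."""
    target = "ACCEPT" if rule["allowed"] else "DROP"
    specs = []
    for net in split_cidrs(rule["cidr"]):
        spec = ["-A", "ACL_INBOUND_%s" % device, "-s", str(net), "-p", rule["type"]]
        if rule["type"] in ("tcp", "udp"):
            spec += ["--dport", "%d:%d" % (rule["first_port"], rule["last_port"])]
        specs.append(spec + ["-j", target])
    return specs


if __name__ == "__main__":
    rule = SAMPLE["ingress_rules"][0]
    for spec in expand_rule(SAMPLE["device"], rule):
        print("iptables " + " ".join(spec))
    for net in shadowed(split_cidrs(rule["cidr"])):
        print("note: %s is covered by a broader CIDR in the same rule" % net)
```

A list joined with a dash instead of a comma fails validation in `split_cidrs` rather than reaching the rule builder.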
[GitHub] cloudstack pull request: CLOUDSTACK-9213 - As a user I want to be ...
Posted by remibergsma <gi...@git.apache.org>.
Github user remibergsma commented on the pull request:
https://github.com/apache/cloudstack/pull/1311#issuecomment-169631870
LGTM, verified it working properly:
![screen shot 2016-01-06 at 14 51 17](https://cloud.githubusercontent.com/assets/1630096/12169101/c3583e0a-b536-11e5-97fc-77e0f0abbec0.png)
![screen shot 2016-01-06 at 14 50 34](https://cloud.githubusercontent.com/assets/1630096/12169082/a51c4120-b536-11e5-95f1-5b944a8f81e5.png)
![screen shot 2016-01-06 at 14 52 17](https://cloud.githubusercontent.com/assets/1630096/12169092/b4ec0f18-b536-11e5-8bb7-bca7f334969e.png)
[GitHub] cloudstack pull request: CLOUDSTACK-9213 - As a user I want to be ...
Posted by wilderrodrigues <gi...@git.apache.org>.
Github user wilderrodrigues commented on the pull request:
https://github.com/apache/cloudstack/pull/1311#issuecomment-169592688
Ping @remibergsma @DaanHoogland @borisroman
I'm now running the `test_routers_network_ops` because I noticed it was not on the list after the batch finished. Once done, I will also run the other - non-hardware - tests.
* Environment
- Management Server on CentOS 7.1
- 1 KVM host on CentOS 7.1
- Agent + Common built from 4.7 source
* Tests executed
```
nosetests --with-marvin --marvin-config=/data/shared/marvin/mct-zone1-kvm1-ISOLATED.cfg -s -a tags=advanced,required_hardware=true smoke/test_vpc_redundant.py smoke/test_routers_iptables_default_policy.py smoke/test_vpc_router_nics.py smoke/test_password_server.py smoke/test_router_dhcphosts.py smoke/test_loadbalance.py smoke/test_internal_lb.py smoke/test_ssvm.py smoke/test_vpc_vpn.py smoke/test_network.py smoke/test_privategw_acl.py
```
* Results
```
Create a redundant VPC with two networks with two VMs in each network ... === TestName: test_01_create_redundant_VPC_2tiers_4VMs_4IPs_4PF_ACL | Status : SUCCESS ===
ok
Create a redundant VPC with two networks with two VMs in each network and check default routes ... === TestName: test_02_redundant_VPC_default_routes | Status : SUCCESS ===
ok
Create a redundant VPC with two networks with two VMs in each network ... === TestName: test_03_create_redundant_VPC_1tier_2VMs_2IPs_2PF_ACL_reboot_routers | Status : SUCCESS ===
ok
Test iptables default INPUT/FORWARD policy on RouterVM ... === TestName: test_02_routervm_iptables_policies | Status : SUCCESS ===
ok
Test iptables default INPUT/FORWARD policies on VPC router ... === TestName: test_01_single_VPC_iptables_policies | Status : SUCCESS ===
ok
Create a VPC with two networks with one VM in each network and test nics after destroy ... === TestName: test_01_VPC_nics_after_destroy | Status : SUCCESS ===
ok
Create a VPC with two networks with one VM in each network and test default routes ... === TestName: test_02_VPC_default_routes | Status : SUCCESS ===
ok
Check the password file in the Router VM ... === TestName: test_isolate_network_password_server | Status : SUCCESS ===
ok
Check that the /etc/dhcphosts.txt doesn't contain duplicate IPs ... === TestName: test_router_dhcphosts | Status : SUCCESS ===
ok
Test to create Load balancing rule with source NAT ... === TestName: test_01_create_lb_rule_src_nat | Status : SUCCESS ===
ok
Test to create Load balancing rule with non source NAT ... === TestName: test_02_create_lb_rule_non_nat | Status : SUCCESS ===
ok
Test for assign & removing load balancing rule ... === TestName: test_assign_and_removal_lb | Status : SUCCESS ===
ok
Test create, assign, remove of an Internal LB with roundrobin http traffic to 3 vm's in a Single VPC ... === TestName: test_01_internallb_roundrobin_1VPC_3VM_HTTP_port80 | Status : SUCCESS ===
ok
Test create, assign, remove of an Internal LB with roundrobin http traffic to 3 vm's in a Redundant VPC ... === TestName: test_02_internallb_roundrobin_1RVPC_3VM_HTTP_port80 | Status : SUCCESS ===
ok
Test to verify access to loadbalancer haproxy admin stats page ... === TestName: test_03_vpc_internallb_haproxy_stats_on_all_interfaces | Status : SUCCESS ===
ok
Test to verify access to loadbalancer haproxy admin stats page ... === TestName: test_04_rvpc_internallb_haproxy_stats_on_all_interfaces | Status : SUCCESS ===
ok
Test SSVM Internals ... === TestName: test_03_ssvm_internals | Status : SUCCESS ===
ok
Test CPVM Internals ... === TestName: test_04_cpvm_internals | Status : SUCCESS ===
ok
Test stop SSVM ... === TestName: test_05_stop_ssvm | Status : SUCCESS ===
ok
Test stop CPVM ... === TestName: test_06_stop_cpvm | Status : SUCCESS ===
ok
Test reboot SSVM ... === TestName: test_07_reboot_ssvm | Status : SUCCESS ===
ok
Test reboot CPVM ... === TestName: test_08_reboot_cpvm | Status : SUCCESS ===
ok
Test destroy SSVM ... === TestName: test_09_destroy_ssvm | Status : SUCCESS ===
ok
Test destroy CPVM ... === TestName: test_10_destroy_cpvm | Status : SUCCESS ===
ok
Test Remote Access VPN in VPC ... === TestName: test_vpc_remote_access_vpn | Status : SUCCESS ===
ok
Test VPN in VPC ... === TestName: test_vpc_site2site_vpn | Status : SUCCESS ===
ok
Test for port forwarding on source NAT ... === TestName: test_01_port_fwd_on_src_nat | Status : SUCCESS ===
ok
Test for port forwarding on non source NAT ... === TestName: test_02_port_fwd_on_non_src_nat | Status : SUCCESS ===
ok
Test for reboot router ... === TestName: test_reboot_router | Status : SUCCESS ===
ok
Test for Router rules for network rules on acquired public IP ... === TestName: test_network_rules_acquired_public_ip_1_static_nat_rule | Status : SUCCESS ===
ok
Test for Router rules for network rules on acquired public IP ... === TestName: test_network_rules_acquired_public_ip_2_nat_rule | Status : SUCCESS ===
ok
Test for Router rules for network rules on acquired public IP ... === TestName: test_network_rules_acquired_public_ip_3_Load_Balancer_Rule | Status : SUCCESS ===
ok
----------------------------------------------------------------------
Ran 32 tests in 15444.324s
ok
```
[GitHub] cloudstack pull request: CLOUDSTACK-9213 - As a user I want to be ...
Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:
https://github.com/apache/cloudstack/pull/1311
[GitHub] cloudstack pull request: CLOUDSTACK-9213 - As a user I want to be ...
Posted by wilderrodrigues <gi...@git.apache.org>.
Github user wilderrodrigues commented on the pull request:
https://github.com/apache/cloudstack/pull/1311#issuecomment-169600413
The test I missed:
```
[root@cs1 integration]# less /tmp//MarvinLogs/test_routers_network_ops_6WMMRL/results.txt
Test redundant router internals ... === TestName: test_01_isolate_network_FW_PF_default_routes_egress_true | Status : SUCCESS ===
ok
Test redundant router internals ... === TestName: test_02_isolate_network_FW_PF_default_routes_egress_false | Status : SUCCESS ===
ok
Test redundant router internals ... === TestName: test_01_RVR_Network_FW_PF_SSH_default_routes_egress_true | Status : SUCCESS ===
ok
Test redundant router internals ... === TestName: test_02_RVR_Network_FW_PF_SSH_default_routes_egress_false | Status : SUCCESS ===
ok
Test redundant router internals ... === TestName: test_03_RVR_Network_check_router_state | Status : SUCCESS ===
ok
----------------------------------------------------------------------
Ran 5 tests in 2383.776s
OK
```
[GitHub] cloudstack pull request: CLOUDSTACK-9213 - As a user I want to be ...
Posted by DaanHoogland <gi...@git.apache.org>.
Github user DaanHoogland commented on the pull request:
https://github.com/apache/cloudstack/pull/1311#issuecomment-169613178
effectively a one character change, LGTM based on the code changed and the test reports.