Posted to dev@cloudstack.apache.org by Nux! <nu...@li.nux.ro> on 2013/12/13 19:30:23 UTC

SG broken in Adv zone with multiple shared networks (4.2)

Hi,

It seems that using multiple shared networks in an Adv zone with 
Security groups breaks the security groups.

Here's what happens:

- install 4.2.1 SNAPSHOT.el6 (from Build Date: Thu 05 Dec 2013 13:19:49 
GMT)
- create Adv zone with SG
- add a shared network on vlan 109
- add instances on it
- create security groups
- everything rocks, they can ping each other etc

- create another shared network on vlan 999
- stop the running instances
- add the second network to the instances and start them
- the instances get a new set of IPs for eth1 via DHCP BUT!
- they can no longer access each other via the eth0 IPs; the SG seem to 
apply correctly, but only to the newly added network
- the instances can also no longer access the router in their primary 
shared network (hence no more passwords reset and other features)

For those good at firewalls, here's the iptables output from BEFORE 
adding the second network:
http://paste.fedoraproject.org/61594/95896413

And AFTER adding the second network and starting back the instances:
http://paste.fedoraproject.org/61595/86959048

If someone can confirm it's not me doing something stupid I can open a 
proper report in jira.

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Re: SG broken in Adv zone with multiple shared networks (4.2)

Posted by Nux! <nu...@li.nux.ro>.
On 14.12.2013 01:07, Alena Prokharchyk wrote:
> We do make this check when deployVm is called with multiple networks
> specified, in SG enabled Advance zone. And don't let VM to have a mix of
> SG enabled and disabled Nics.

Roger, so this is actually an unsupported feature that's not properly 
unsupported. :)
Any reason this is the case though? It could be very handy to have the 
VM capable of plugging into multiple shared networks with VMs.

Lucian

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Re: SG broken in Adv zone with multiple shared networks (4.2)

Posted by Alena Prokharchyk <Al...@citrix.com>.
It would indeed be a big change involving fixes in Java/backend
scripts/UI/DB upgrade code. Unfortunately, I can't give you even a rough
ETA as I'm not an expert in SG code area, you might need to reach out to
folks who've done most of the coding for this part - Anthony and
Chiradeep.

-Alena.

On 12/16/13, 11:16 AM, "Nux!" <nu...@li.nux.ro> wrote:

>On 16.12.2013 18:29, Alena Prokharchyk wrote:
>> The current CS design is the limitation. As SG is created per VM, not
>> per Nic, the SG rule would apply to all vm's nics. Therefore we allow
>> having only one Shared SG enabled network per zone, and if the vm is
>> deployed in this network, it can't belong to any other network in the zone.
>> 
>> To overcome the limitation, the SG functionality should be changed to
>> be done per Nic basis.
>> 
>> -Alena.
>
>Hello Alena and thanks for getting back to me.
>This sounds like a serious change. Can you give a very rough ETA for
>when this might land in CS?
>It's a feature that I've been waiting a long time for, can wait a bit
>more.
>
>Regards,
>Lucian
>
>-- 
>Sent from the Delta quadrant using Borg technology!
>
>Nux!
>www.nux.ro


Re: SG broken in Adv zone with multiple shared networks (4.2)

Posted by Nux! <nu...@li.nux.ro>.
On 16.12.2013 18:29, Alena Prokharchyk wrote:
> The current CS design is the limitation. As SG is created per VM, not 
> per Nic, the SG rule would apply to all vm's nics. Therefore we allow 
> having only one Shared SG enabled network per zone, and if the vm is 
> deployed in this network, it can't belong to any other network in the zone.
> 
> To overcome the limitation, the SG functionality should be changed to 
> be done per Nic basis.
> 
> -Alena.

Hello Alena and thanks for getting back to me.
This sounds like a serious change. Can you give a very rough ETA for 
when this might land in CS?
It's a feature that I've been waiting a long time for, can wait a bit 
more.

Regards,
Lucian

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Re: SG broken in Adv zone with multiple shared networks (4.2)

Posted by Alena Prokharchyk <Al...@citrix.com>.
The current CS design is the limitation. As SG is created per VM, not per
Nic, the SG rule would apply to all vm's nics. Therefore we allow having
only one Shared SG enabled network per zone, and if the vm is deployed in
this network, it can't belong to any other network in the zone.

To overcome the limitation, the SG functionality should be changed to be
done per Nic basis.

-Alena.

On 12/14/13, 7:29 AM, "Nux!" <nu...@li.nux.ro> wrote:

>On 14.12.2013 01:07, Alena Prokharchyk wrote:
>> We do make this check when deployVm is called with multiple networks
>> specified, in SG enabled Advance zone. And don't let VM to have a mix
>> of SG enabled and disabled Nics.
>> 
>> However I suspect that this check is missing when Nic is plugged to
>> existing VM via PlugNic API command.
>
>Why can't we use multiple SG network? What is the limitation and what
>can we do to overcome it?
>
>Lucian
>
>-- 
>Sent from the Delta quadrant using Borg technology!
>
>Nux!
>www.nux.ro


Re: SG broken in Adv zone with multiple shared networks (4.2)

Posted by Nux! <nu...@li.nux.ro>.
On 14.12.2013 01:07, Alena Prokharchyk wrote:
> We do make this check when deployVm is called with multiple networks
> specified, in SG enabled Advance zone. And don't let VM to have a mix 
> of SG enabled and disabled Nics.
> 
> However I suspect that this check is missing when Nic is plugged to
> existing VM via PlugNic API command.

Why can't we use multiple SG network? What is the limitation and what 
can we do to overcome it?

Lucian

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Re: SG broken in Adv zone with multiple shared networks (4.2)

Posted by Alena Prokharchyk <Al...@citrix.com>.
We do make this check when deployVm is called with multiple networks
specified, in SG enabled Advance zone. And don't let VM to have a mix of
SG enabled and disabled Nics.

However I suspect that this check is missing when Nic is plugged to
existing VM via PlugNic API command.

-Alena.

On 12/13/13, 3:40 PM, "Chiradeep Vittal" <Ch...@citrix.com>
wrote:

>My reading of https://cwiki.apache.org/confluence/x/kxTVAQ is :
> - a VM can only be on 1 security-group-enabled network.
>
>
>On 12/13/13 10:30 AM, "Nux!" <nu...@li.nux.ro> wrote:
>
>>Hi,
>>
>>It seems that using multiple shared networks in an Adv zone with
>>Security groups breaks the security groups.
>>
>>Here's what happens:
>>
>>- install 4.2.1 SNAPSHOT.el6 (from Build Date: Thu 05 Dec 2013 13:19:49
>>GMT)
>>- create Adv zone with SG
>>- add a shared network on vlan 109
>>- add instances on it
>>- create security groups
>>- everything rocks, they can ping each other etc
>>
>>- create another shared network on vlan 999
>>- stop the running instances
>>- add the second network to the instances and start them
>>- the instances get a new set of IPs for eth1 via DHCP BUT!
>>- they can no longer access each other via the eth0 IPs; the SG seem to
>>apply correctly, but only to the newly added network
>>- the instances can also no longer access the router in their primary
>>shared network (hence no more passwords reset and other features)
>>
>>For those good at firewalls, here's the iptables output from BEFORE
>>adding the second network:
>>http://paste.fedoraproject.org/61594/95896413
>>
>>And AFTER adding the second network and starting back the instances:
>>http://paste.fedoraproject.org/61595/86959048
>>
>>If someone can confirm it's not me doing something stupid I can open a
>>proper report in jira.
>>
>>-- 
>>Sent from the Delta quadrant using Borg technology!
>>
>>Nux!
>>www.nux.ro
>

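The invariant discussed in this message and in Chiradeep's reading of the wiki (a VM in an SG-enabled Advanced zone must not mix SG-enabled and SG-disabled NICs, and can sit on at most one security-group-enabled network) can be written down as a small validation that runs on both the deploy path and the plug-NIC path, which is where the thread suspects the check is missing. The code below is an added illustration, not CloudStack's own code or API; the `Network`, `Vm`, `deploy_vm` and `plug_nic` names and the sample networks on VLANs 109 and 999 are assumptions modelled on the report.

```python
"""Added example (hypothetical model, not CloudStack code): enforce the
"no mixed SG-enabled/SG-disabled NICs, at most one SG-enabled network"
invariant on both VM deployment and later NIC plugging."""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Network:
    """A shared network in an Advanced zone (hypothetical model)."""
    name: str
    vlan: int
    sg_enabled: bool


@dataclass
class Vm:
    """A VM and the networks its NICs are attached to (hypothetical model)."""
    name: str
    nics: List[Network] = field(default_factory=list)


class SecurityGroupViolation(Exception):
    """Raised when a NIC set would break per-VM security group semantics."""


def check_sg_consistency(networks: List[Network]) -> bool:
    """Return True if the NIC set is acceptable, else raise.

    Because SG rules are applied per VM rather than per NIC, a VM must
    either have all NICs on SG-enabled networks or none, and at most one
    of its networks may be SG-enabled.
    """
    sg_count = sum(1 for n in networks if n.sg_enabled)
    if sg_count and sg_count != len(networks):
        raise SecurityGroupViolation(
            "VM would mix SG-enabled and SG-disabled NICs: "
            + ", ".join(f"{n.name}(sg={n.sg_enabled})" for n in networks)
        )
    if sg_count > 1:
        raise SecurityGroupViolation(
            "VM may belong to only one security-group-enabled network"
        )
    return True


def deploy_vm(name: str, networks: List[Network]) -> Vm:
    """deployVm path: validate the full NIC set before creating the VM."""
    check_sg_consistency(networks)
    return Vm(name=name, nics=list(networks))


def plug_nic(vm: Vm, network: Network) -> Vm:
    """PlugNic path: validate the NIC set the VM would have *after* the
    plug, so a later hot-plug cannot bypass the deploy-time check."""
    check_sg_consistency(vm.nics + [network])
    vm.nics.append(network)
    return vm


def plug_nic_allowed(vm: Vm, network: Network) -> bool:
    """Non-raising variant for callers that only want a yes/no answer."""
    try:
        check_sg_consistency(vm.nics + [network])
    except SecurityGroupViolation:
        return False
    return True


# Constructed sample data modelled on the report: an SG-enabled shared
# network on VLAN 109 and a second shared network on VLAN 999.
NET_109 = Network("shared-109", 109, sg_enabled=True)
NET_999_PLAIN = Network("shared-999", 999, sg_enabled=False)
NET_999_SG = Network("shared-999-sg", 999, sg_enabled=True)


if __name__ == "__main__":
    vm = deploy_vm("vm-1", [NET_109])
    print("deploy on 109 ok:", [n.name for n in vm.nics])
    for candidate in (NET_999_PLAIN, NET_999_SG):
        print(f"plug {candidate.name} allowed:", plug_nic_allowed(vm, candidate))
```

Running the block as a script shows the deploy succeeding and both second-network plugs being refused: the SG-disabled one because it would mix NIC types, the SG-enabled one because the VM would then be on two security-group-enabled networks.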

Re: SG broken in Adv zone with multiple shared networks (4.2)

Posted by Chiradeep Vittal <Ch...@citrix.com>.
My reading of https://cwiki.apache.org/confluence/x/kxTVAQ is :
 - a VM can only be on 1 security-group-enabled network.


On 12/13/13 10:30 AM, "Nux!" <nu...@li.nux.ro> wrote:

>Hi,
>
>It seems that using multiple shared networks in an Adv zone with
>Security groups breaks the security groups.
>
>Here's what happens:
>
>- install 4.2.1 SNAPSHOT.el6 (from Build Date: Thu 05 Dec 2013 13:19:49
>GMT)
>- create Adv zone with SG
>- add a shared network on vlan 109
>- add instances on it
>- create security groups
>- everything rocks, they can ping each other etc
>
>- create another shared network on vlan 999
>- stop the running instances
>- add the second network to the instances and start them
>- the instances get a new set of IPs for eth1 via DHCP BUT!
>- they can no longer access each other via the eth0 IPs; the SG seem to
>apply correctly, but only to the newly added network
>- the instances can also no longer access the router in their primary
>shared network (hence no more passwords reset and other features)
>
>For those good at firewalls, here's the iptables output from BEFORE
>adding the second network:
>http://paste.fedoraproject.org/61594/95896413
>
>And AFTER adding the second network and starting back the instances:
>http://paste.fedoraproject.org/61595/86959048
>
>If someone can confirm it's not me doing something stupid I can open a
>proper report in jira.
>
>-- 
>Sent from the Delta quadrant using Borg technology!
>
>Nux!
>www.nux.ro