Posted to users@cloudstack.apache.org by Shanker Balan <sh...@shapeblue.com> on 2013/12/04 08:54:55 UTC

SecurityGroups, Advanced Zone And DefaultSharedNetworkOfferingWithSGService

Hello,

My Advanced Zone itself has security groups disabled. I have enabled
the SecurityGroupsProvider and created a SharedNetwork with
DefaultSharedNetworkOfferingWithSGService offering.

With this, I am now able to create a new VM in the shared network by
specifying the network ids as the SharedNetwork’s id. The shared VMs end up
in the “default” SG and the rules seem to be working correctly. I added ICMP
and SSH Ingress rules and I was able to reach the VM. I am also able to create
new security groups with rules.

I am, however, unable to deploy VMs to security groups other than to
the “default” SG.

> deploy virtualmachine displayname=dmz10
  diskofferingid=9c8c46f0-9b7a-4d7a-8a9b-0ae085e90316
  name=dmz10 serviceofferingid=6554c4c6-d1c6-40c7-9b6b-3ec904422c79
  templateid=69686130-5b3e-11e3-a4b9-000c2931adcf
  securitygroupnames=AdminVM
  networkids=3240155c-e7a2-4ede-aa73-63e21b0c558e
  zoneid=66870482-b34e-4218-92cd-954cf639f493 hypervisor=KVM
: Can't create vm with security groups; security group feature is not enabled per zone

If I leave securitygroupnames (or securitygroupids) out of the deployVirtualMachine
command, the VM does get created in the shared network and ends up in the default SG.

Should I not be able to choose a SG while deploying VMs to a
DefaultSharedNetworkOfferingWithSGService network?

--
@shankerbalan

M: +91 98860 60539 | O: +91 (80) 67935867
shanker.balan@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue
ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade Centre, Bangalore - 560 055

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: SecurityGroups, Advanced Zone And DefaultSharedNetworkOfferingWithSGService

Posted by Shanker Balan <sh...@shapeblue.com>.
On 04-Dec-2013, at 6:54 pm, Nux! <nu...@li.nux.ro> wrote:

> On 04.12.2013 07:54, Shanker Balan wrote:
>> Hello,
>> My Advanced Zone itself has security groups disabled. I have enabled
>> the SecurityGroupsProvider and created a SharedNetwork with
>> DefaultSharedNetworkOfferingWithSGService offering.
>> With this, I am now able to create a new VM in the shared network by
>> specifying the network ids as the SharedNetwork’s id. The shared VMs end up
>> in the “default” SG and the rules seem to be working correctly. I added ICMP
>> and SSH Ingress rules and I was able to reach the VM. I am also able to create
>> new security groups with rules.
>> I am, however, unable to deploy VMs to security groups other than to
>> the “default” SG.
>
> Shankar,
>
> I'm testing an Adv zone with SG and I can define and use new groups.
> This is on 4.2.0, which version are you testing?

Am using 4.2.0. Let me rebuild and try.

Thanks.


--
@shankerbalan


Re: SecurityGroups, Advanced Zone And DefaultSharedNetworkOfferingWithSGService

Posted by Shanker Balan <sh...@shapeblue.com>.
On 05-Dec-2013, at 2:12 pm, Radek Smigielski <ra...@ymail.com> wrote:

>> I just redid the setup with Advanced Zone + Security Groups enabled.
> I am trying to understand if you could define, apply, use security groups after you just update value in data_center.is_security_group_enabled ?
>
>
> Or you just basically rebuild zone with SG enabled?

Hi Radek,

I created a shared network with DefaultSharedNetworkOfferingWithSGService
in an existing Advanced Zone which had security groups disabled. VMs would get
created in the default security group if I choose the DefaultSharedNetworkOfferingWithSGService
offering. However, I wasn’t able to assign any other security groups to the VMs created in the
DefaultSharedNetworkOfferingWithSGService network.

Once I set data_center.is_security_group_enabled=1, I was able to assign security
groups to VMs in the DefaultSharedNetworkOfferingWithSGService network via API.

I hope it makes sense.

--
@shankerbalan


Re: SecurityGroups, Advanced Zone And DefaultSharedNetworkOfferingWithSGService

Posted by Radek Smigielski <ra...@ymail.com>.
> I just redid the setup with Advanced Zone + Security Groups enabled.
I am trying to understand if you could define, apply, use security groups after you just update value in data_center.is_security_group_enabled ? 


Or you just basically rebuild zone with SG enabled? 


- Radoslaw Smigielski 

Re: SecurityGroups, Advanced Zone And DefaultSharedNetworkOfferingWithSGService

Posted by Shanker Balan <sh...@shapeblue.com>.
On 05-Dec-2013, at 3:06 am, Radek Smigielski <ra...@ymail.com> wrote:

>>> FWIW, it works over here with the DB hack. :)
> Interesting, have you destroyed and re-created VR after you made a db hack?

Not yet.

I just redid the setup with Advanced Zone + Security Groups enabled.
I don’t really like the “reduced” functionality so gonna keep it simple with
a Basic Zone and an Advanced Zone.


--
@shankerbalan


Re: SecurityGroups, Advanced Zone And DefaultSharedNetworkOfferingWithSGService

Posted by Radek Smigielski <ra...@ymail.com>.
>> FWIW, it works over here with the DB hack. :)
Interesting, have you destroyed and re-created VR after you made a db hack?
 


- Radoslaw  Smigielski

Re: SecurityGroups, Advanced Zone And DefaultSharedNetworkOfferingWithSGService

Posted by Shanker Balan <sh...@shapeblue.com>.
On 04-Dec-2013, at 8:24 pm, Geoff Higginbottom <ge...@shapeblue.com> wrote:

> Radek is correct, you cannot use the DefaultSharedNetworkOfferingWithSGService in a 'standard' advanced Zone, only one which had Security Groups enabled when it was created

FWIW, it works over here with the DB hack. :)

--
@shankerbalan


RE: SecurityGroups, Advanced Zone And DefaultSharedNetworkOfferingWithSGService

Posted by Geoff Higginbottom <ge...@shapeblue.com>.
Radek is correct, you cannot use the DefaultSharedNetworkOfferingWithSGService in a 'standard' advanced Zone, only one which had Security Groups enabled when it was created

Regards

Geoff Higginbottom

D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581

geoff.higginbottom@shapeblue.com

-----Original Message-----
From: Radek Smigielski [mailto:radek.smigielski@ymail.com]
Sent: 04 December 2013 13:51
To: users@cloudstack.apache.org
Subject: Re: SecurityGroups, Advanced Zone And DefaultSharedNetworkOfferingWithSGService

On Wednesday, 4 December 2013, 13:26:07, Nux! <nu...@li.nux.ro> wrote:

On 04.12.2013 07:54, Shanker Balan wrote:
> Hello,
>
> My Advanced Zone itself has security groups disabled. I have enabled
> the SecurityGroupsProvider and created a SharedNetwork with
> DefaultSharedNetworkOfferingWithSGService offering.

If I am not mistaken, you cannot enable security groups for an existing zone. SG needs to be enabled while you are creating the zone.
Also in adv zone, SG works only on KVM.


- Radek Śmigielski

Re: SecurityGroups, Advanced Zone And DefaultSharedNetworkOfferingWithSGService

Posted by Radek Smigielski <ra...@ymail.com>.
On Wednesday, 4 December 2013, 13:26:07, Nux! <nu...@li.nux.ro> wrote:
 
On 04.12.2013 07:54, Shanker Balan wrote:
> Hello,
> 
> My Advanced Zone itself has security groups disabled. I have enabled
> the SecurityGroupsProvider and created a SharedNetwork with
> DefaultSharedNetworkOfferingWithSGService offering.

If I am not mistaken, you cannot enable security groups for an existing zone. SG needs to be enabled while you are creating the zone.
Also in adv zone, SG works only on KVM.


- Radek Śmigielski

Re: SecurityGroups, Advanced Zone And DefaultSharedNetworkOfferingWithSGService

Posted by Nux! <nu...@li.nux.ro>.
On 04.12.2013 07:54, Shanker Balan wrote:
> Hello,
> 
> My Advanced Zone itself has security groups disabled. I have enabled
> the SecurityGroupsProvider and created a SharedNetwork with
> DefaultSharedNetworkOfferingWithSGService offering.
> 
> With this, I am now able to create a new VM in the shared network by
> specifying the network ids as the SharedNetwork’s id. The shared VMs 
> end up
> in the “default” SG and the rules seem to be working correctly. I
> added ICMP
> and SSH Ingress rules and I was able to reach the VM. I am also able 
> to create
> new security groups with rules.
> 
> I am, however, unable to deploy VMs to security groups other than to
> the “default” SG.

Shankar,

I'm testing an Adv zone with SG and I can define and use new groups. 
This is on 4.2.0, which version are you testing?

HTH
Lucian

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Re: SecurityGroups, Advanced Zone And DefaultSharedNetworkOfferingWithSGService

Posted by Shanker Balan <sh...@shapeblue.com>.
On 04-Dec-2013, at 1:24 pm, Shanker Balan <sh...@shapeblue.com> wrote:

> Hello,
>
> My Advanced Zone itself has security groups disabled. I have enabled
> the SecurityGroupsProvider and created a SharedNetwork with
> DefaultSharedNetworkOfferingWithSGService offering.
>
> With this, I am now able to create a new VM in the shared network by
> specifying the network ids as the SharedNetwork’s id. The shared VMs end up
> in the “default” SG and the rules seem to be working correctly. I added ICMP
> and SSH Ingress rules and I was able to reach the VM. I am also able to create
> new security groups with rules.
>
> I am, however, unable to deploy VMs to security groups other than to
> the “default” SG.
>
>> deploy virtualmachine displayname=dmz10
>  diskofferingid=9c8c46f0-9b7a-4d7a-8a9b-0ae085e90316
>  name=dmz10 serviceofferingid=6554c4c6-d1c6-40c7-9b6b-3ec904422c79
>  templateid=69686130-5b3e-11e3-a4b9-000c2931adcf
>  securitygroupnames=AdminVM
>  networkids=3240155c-e7a2-4ede-aa73-63e21b0c558e
>  zoneid=66870482-b34e-4218-92cd-954cf639f493 hypervisor=KVM
> : Can't create vm with security groups; security group feature is not enabled per zone
>
> If I leave securitygroupnames (or securitygroupids) out of the deployVirtualMachine
> command, the VM does get created in the shared network and ends up in the default SG.
>
> Should I not be able to choose a SG while deploying VMs to a
> DefaultSharedNetworkOfferingWithSGService network?


DB workaround. Am sure it has repercussions elsewhere but makes
deployVirtualmachine happy with securitygroupnames.

mysql> UPDATE data_center SET is_security_group_enabled=1 WHERE id=1;

Regards.


--
@shankerbalan

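
The DB workaround from the post above, written out as an added example that is not part of the original thread: it lists the zone flags first, saves the old value, and only then flips the flag on an Advanced zone that currently has it off. The `name`, `networktype` and `removed` columns and the `data_center_sg_backup` table name are assumptions; zone id 1 is the one used in the post.

```sql
-- Added example (MySQL). Only data_center.id and
-- data_center.is_security_group_enabled appear in the thread; the other
-- column names and the backup table are assumptions.

-- 1. Inspect the current state of every live zone before touching anything.
SELECT id, name, networktype, is_security_group_enabled
FROM data_center
WHERE removed IS NULL;

-- 2. Save the old value so the change can be reverted.
--    (CREATE TABLE commits implicitly, so it runs before the transaction.)
CREATE TABLE data_center_sg_backup AS
SELECT id, is_security_group_enabled, NOW() AS saved_at
FROM data_center
WHERE id = 1;

-- 3. Guarded version of the one-line UPDATE from the post: it matches only
--    an Advanced zone that still has the flag off.
START TRANSACTION;

UPDATE data_center
SET is_security_group_enabled = 1
WHERE id = 1
  AND networktype = 'Advanced'
  AND is_security_group_enabled = 0
  AND removed IS NULL;

-- Expect exactly 1. Any other value means the WHERE clause did not match
-- the zone you intended: issue ROLLBACK instead of COMMIT.
SELECT ROW_COUNT() AS rows_changed;

COMMIT;

-- 4. Revert to the saved value if the change has side effects elsewhere.
UPDATE data_center dc
JOIN data_center_sg_backup b ON b.id = dc.id
SET dc.is_security_group_enabled = b.is_security_group_enabled;
```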