Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/03/26 08:33:01 UTC

[GitHub] [cloudstack] Spaceman1984 opened a new pull request #4847: Restricting http access on VR to internal network

Spaceman1984 opened a new pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847


   ### Description
   
   There is a potential security issue with having http access to the VR from anywhere.
   This PR restricts http access to the VR to the internal network only.
   
   
   ### Types of changes
   
   - [ ] Breaking change (fix or feature that would cause existing functionality to change)
   - [ ] New feature (non-breaking change which adds functionality)
   - [ ] Bug fix (non-breaking change which fixes an issue)
   - [x] Enhancement (improves an existing feature and functionality)
   - [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
   
   ### Feature/Enhancement Scale or Bug Severity
   
   #### Feature/Enhancement Scale
   
   - [ ] Major
   - [x] Minor
   
   
   ### Screenshots (if appropriate):
   
   
   ### How Has This Been Tested?
   This was tested by creating a shared network and checking whether ports 80 and 443 are open on the VR depending on the network you are connecting from.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-808721400


   **Trillian test result (tid-269)**
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 102449 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr4847-t269-kvm-centos7.zip
   Intermittent failure detected: /marvin/tests/smoke/test_accounts.py
   Intermittent failure detected: /marvin/tests/smoke/test_affinity_groups_projects.py
   Intermittent failure detected: /marvin/tests/smoke/test_async_job.py
   Intermittent failure detected: /marvin/tests/smoke/test_deploy_virtio_scsi_vm.py
   Intermittent failure detected: /marvin/tests/smoke/test_deploy_vm_iso.py
   Intermittent failure detected: /marvin/tests/smoke/test_deploy_vms_with_varied_deploymentplanners.py
   Intermittent failure detected: /marvin/tests/smoke/test_deploy_vm_with_userdata.py
   Intermittent failure detected: /marvin/tests/smoke/test_diagnostics.py
   Intermittent failure detected: /marvin/tests/smoke/test_domain_service_offerings.py
   Intermittent failure detected: /marvin/tests/smoke/test_internal_lb.py
   Intermittent failure detected: /marvin/tests/smoke/test_iso.py
   Intermittent failure detected: /marvin/tests/smoke/test_kubernetes_clusters.py
   Intermittent failure detected: /marvin/tests/smoke/test_kubernetes_supported_versions.py
   Intermittent failure detected: /marvin/tests/smoke/test_list_ids_parameter.py
   Intermittent failure detected: /marvin/tests/smoke/test_loadbalance.py
   Intermittent failure detected: /marvin/tests/smoke/test_metrics_api.py
   Intermittent failure detected: /marvin/tests/smoke/test_multipleips_per_nic.py
   Intermittent failure detected: /marvin/tests/smoke/test_nested_virtualization.py
   Intermittent failure detected: /marvin/tests/smoke/test_network_acl.py
   Intermittent failure detected: /marvin/tests/smoke/test_network.py
   Intermittent failure detected: /marvin/tests/smoke/test_nic_adapter_type.py
   Intermittent failure detected: /marvin/tests/smoke/test_password_server.py
   Intermittent failure detected: /marvin/tests/smoke/test_portforwardingrules.py
   Intermittent failure detected: /marvin/tests/smoke/test_privategw_acl.py
   Intermittent failure detected: /marvin/tests/smoke/test_projects.py
   Intermittent failure detected: /marvin/tests/smoke/test_vm_life_cycle.py
   Intermittent failure detected: /marvin/tests/smoke/test_vm_snapshots.py
   Intermittent failure detected: /marvin/tests/smoke/test_volumes.py
   Intermittent failure detected: /marvin/tests/smoke/test_vpc_router_nics.py
   Smoke tests completed. 57 look OK, 26 have error(s)
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   ContextSuite context=TestAccounts>:setup | `Error` | 0.00 | test_accounts.py
   ContextSuite context=TestAddVmToSubDomain>:setup | `Error` | 0.00 | test_accounts.py
   test_DeleteDomain | `Error` | 0.77 | test_accounts.py
   test_forceDeleteDomain | `Failure` | 0.77 | test_accounts.py
   test_forceDeleteDomain | `Error` | 2.91 | test_accounts.py
   ContextSuite context=TestRemoveUserFromAccount>:setup | `Error` | 5.02 | test_accounts.py
   ContextSuite context=TestDeployVmWithAffinityGroup>:setup | `Error` | 0.00 | test_affinity_groups_projects.py
   ContextSuite context=TestAsyncJob>:setup | `Error` | 0.00 | test_async_job.py
   ContextSuite context=TestLoadBalance>:setup | `Error` | 0.00 | test_loadbalance.py
   test_list_clusters_metrics | `Error` | 1511.50 | test_metrics_api.py
   test_list_vms_metrics | `Error` | 0.12 | test_metrics_api.py
   ContextSuite context=TestDeployVirtioSCSIVM>:setup | `Error` | 0.00 | test_deploy_virtio_scsi_vm.py
   ContextSuite context=TestDeployVMFromISO>:setup | `Error` | 0.00 | test_deploy_vm_iso.py
   ContextSuite context=TestNetworkACL>:setup | `Error` | 0.00 | test_network_acl.py
   ContextSuite context=TestDeployVmWithVariedPlanners>:setup | `Error` | 0.00 | test_deploy_vms_with_varied_deploymentplanners.py
   ContextSuite context=TestDeployVmWithUserData>:setup | `Error` | 0.00 | test_deploy_vm_with_userdata.py
   test_delete_account | `Error` | 1511.22 | test_network.py
   test_delete_network_while_vm_on_it | `Error` | 0.05 | test_network.py
   test_deploy_vm_l2network | `Error` | 0.05 | test_network.py
   test_l2network_restart | `Error` | 1.11 | test_network.py
   ContextSuite context=TestPortForwarding>:setup | `Error` | 3.31 | test_network.py
   ContextSuite context=TestPublicIP>:setup | `Error` | 1.00 | test_network.py
   test_reboot_router | `Error` | 0.04 | test_network.py
   test_releaseIP | `Error` | 0.42 | test_network.py
   ContextSuite context=TestRouterRules>:setup | `Error` | 0.46 | test_network.py
   ContextSuite context=TestRemoteDiagnostics>:setup | `Error` | 0.00 | test_diagnostics.py
   ContextSuite context=TestAdapterTypeForNic>:setup | `Error` | 0.00 | test_nic_adapter_type.py
   ContextSuite context=TestDomainsServiceOfferings>:setup | `Error` | 1514.41 | test_domain_service_offerings.py
   ContextSuite context=TestInternalLb>:setup | `Error` | 0.00 | test_internal_lb.py
   test_01_create_iso_with_checksum_sha1 | `Error` | 65.35 | test_iso.py
   test_02_create_iso_with_checksum_sha256 | `Error` | 65.34 | test_iso.py
   test_03_create_iso_with_checksum_md5 | `Error` | 65.37 | test_iso.py
   test_04_create_iso_with_no_checksum | `Error` | 65.35 | test_iso.py
   test_01_create_iso | `Failure` | 1511.20 | test_iso.py
   ContextSuite context=TestISO>:setup | `Error` | 3023.55 | test_iso.py
   ContextSuite context=TestIsolatedNetworksPasswdServer>:setup | `Error` | 0.00 | test_password_server.py
   test_01_deploy_kubernetes_cluster | `Failure` | 0.01 | test_kubernetes_clusters.py
   test_02_invalid_upgrade_kubernetes_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_03_deploy_and_upgrade_kubernetes_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_04_deploy_and_scale_kubernetes_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_05_delete_kubernetes_cluster | `Failure` | 0.01 | test_kubernetes_clusters.py
   test_06_deploy_invalid_kubernetes_ha_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_07_deploy_kubernetes_ha_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_08_deploy_and_upgrade_kubernetes_ha_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_09_delete_kubernetes_ha_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_01_add_delete_kubernetes_supported_version | `Error` | 60.59 | test_kubernetes_supported_versions.py
   ContextSuite context=TestListIdsParams>:setup | `Error` | 0.00 | test_list_ids_parameter.py
   test_nic_secondaryip_add_remove | `Error` | 1511.30 | test_multipleips_per_nic.py
   ContextSuite context=TestNestedVirtualization>:setup | `Error` | 0.00 | test_nested_virtualization.py
   ContextSuite context=TestPortForwardingRules>:setup | `Error` | 0.00 | test_portforwardingrules.py
   ContextSuite context=TestPrivateGwACL>:setup | `Error` | 0.00 | test_privategw_acl.py
   ContextSuite context=TestProjectSuspendActivate>:setup | `Error` | 1518.06 | test_projects.py
   test_01_migrate_VM_and_root_volume | `Error` | 61.09 | test_vm_life_cycle.py
   test_02_migrate_VM_with_two_data_disks | `Error` | 48.02 | test_vm_life_cycle.py
   





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805522302


   Packaging result: :heavy_check_mark: centos7 :heavy_multiplication_x: centos8 :heavy_check_mark: debian. SL-JID 218





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-803570678


   @rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests [S]





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-811711178


   Packaging result: :heavy_check_mark: centos7 :heavy_check_mark: debian. SL-JID 304





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805092154


   @Spaceman1984 a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-806547306


   Packaging result: :heavy_check_mark: centos7 :heavy_check_mark: debian. SL-JID 261





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805077692


   @Spaceman1984 a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.





[GitHub] [cloudstack] rhtyd commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
rhtyd commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-811694148


   @blueorangutan package
   
   





[GitHub] [cloudstack] weizhouapache commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805575646


   > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   > -A INPUT -d 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
   > -A INPUT -d 192.168.10.11/32 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
   
   @Spaceman1984 are you testing with shared network, isolated network or vpc ?
   this looks like a critical issue with shared network.
   for vpc and isolated network, it is not.





[GitHub] [cloudstack] rhtyd merged pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
rhtyd merged pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847


   





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-820203562


   @borisstoyanov a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.





[GitHub] [cloudstack] Spaceman1984 commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-807976544


   @blueorangutan package





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-807989389


   @Spaceman1984 a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-807977125


   @Spaceman1984 a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-811694536


   @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-809318581


   Packaging result: :heavy_check_mark: centos7 :heavy_check_mark: debian. SL-JID 277





[GitHub] [cloudstack] Spaceman1984 commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-802908704


   @blueorangutan test





[GitHub] [cloudstack] Spaceman1984 commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-807988901


   @blueorangutan test





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-806536600


   @Spaceman1984 a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.





[GitHub] [cloudstack] Spaceman1984 edited a comment on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 edited a comment on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805580352


   > > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   > > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   > > -A INPUT -d 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
   > > -A INPUT -d 192.168.10.11/32 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
   > 
   > @Spaceman1984 are you testing with shared network, isolated network or vpc ?
   > this looks like a critical issue with shared network.
   > for vpc and isolated network, it is not.
   
   @weizhouapache I'm testing with a shared network.





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-809328634


   @Spaceman1984 a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests





[GitHub] [cloudstack] weizhouapache commented on a change in pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on a change in pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#discussion_r597791035



##########
File path: systemvm/debian/opt/cloud/bin/cs/CsApp.py
##########
@@ -61,12 +61,12 @@ def setup(self):
 
         self.fw.append([
             "", "front",
-            "-A INPUT -i %s -d %s/32 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT" % (self.dev, self.ip)
+            "-A INPUT -i %s -s %s/32 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT" % (self.dev, self.ip)
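Review bot: binding `-s %s/32` to `self.ip` makes the rule match only packets whose source is the VR's own address, so guest VMs on the network can no longer reach port 80 through it; the old `-d %s/32` form was the over-broad one (any source, VR address as destination), but the fix should restrict the source to the guest CIDR rather than to the VR address, which is what the inline question below asks. Suggest the rule take the network's CIDR as `-s` (for example `-A INPUT -i %s -s <guest cidr> -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT`), and, as the thread later notes, the per-network rule belongs in CsAddress.py rather than CsApp.py.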

Review comment:
       @Spaceman1984 should the source be the guest network?
   
   refer to https://github.com/apache/cloudstack/pull/3907/files







[GitHub] [cloudstack] weizhouapache edited a comment on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
weizhouapache edited a comment on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805591607


   > > > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   > > > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   > > > -A INPUT -d 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
   > > > -A INPUT -d 192.168.10.11/32 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
   > > 
   > > 
   > > @Spaceman1984 are you testing with shared network, isolated network or vpc ?
   > > this looks like a critical issue with shared network.
   > > for vpc and isolated network, it is not.
   > 
   > @weizhouapache I'm testing with a shared network.
   
   @Spaceman1984 ok. I see
   
   
   1. the line you changed for port 80 can be removed as well.
   
   ```
   -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   ```
   is not needed.
   
   because there is a rule below
   ```
   -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   ```
   
   2. the line you changed for port 443 is not ok.
   ```
   -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   ```
   
   it should be 
   ```
   -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   ```
   you can add rules in CsAddress.py, not CsApp.py
   
   3. line 40 in systemvm/debian/etc/iptables/iptables-dhcpsrvr can be removed, as it is not used. it is not an issue to keep it.
   





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-807987085


   Packaging result: :heavy_check_mark: centos7 :heavy_check_mark: debian. SL-JID 266







[GitHub] [cloudstack] Spaceman1984 commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805566088


   > > > I think the change in this line also needed.
   > > > https://github.com/apache/cloudstack/blob/master/systemvm/debian/etc/iptables/iptables-dhcpsrvr#L40
   > > 
   > > 
   > > In my testing, this was not needed.
   > 
   > @Spaceman1984 line 40 in systemvm/debian/etc/iptables/iptables-dhcpsrvr should be removed, as it opens http access to all internet.
   > `-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT`
   
   Doesn't seem like those rules are applied. This is the output from iptables-save:
   
   ```
   # Generated by iptables-save v1.6.2 on Wed Mar 24 07:15:19 2021
   *mangle
   :PREROUTING ACCEPT [3051:197074]
   :INPUT ACCEPT [3051:197074]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [886:99341]
   :POSTROUTING ACCEPT [886:99341]
   -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
   -A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
   COMMIT
   # Completed on Wed Mar 24 07:15:19 2021
   # Generated by iptables-save v1.6.2 on Wed Mar 24 07:15:19 2021
   *filter
   :INPUT DROP [2517:137372]
   :FORWARD DROP [0:0]
   :OUTPUT ACCEPT [886:99341]
   :FW_EGRESS_RULES - [0:0]
   :FW_OUTBOUND - [0:0]
   :NETWORK_STATS - [0:0]
   -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   -A INPUT -d 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
   -A INPUT -d 192.168.10.11/32 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
   -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
   -A INPUT -j NETWORK_STATS
   -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
   -A INPUT -d 224.0.0.18/32 -j ACCEPT
   -A INPUT -d 225.0.0.50/32 -j ACCEPT
   -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A INPUT -p icmp -j ACCEPT
   -A INPUT -i lo -j ACCEPT
   -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
   -A INPUT -s 192.168.10.0/24 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
   -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
   -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
   -A FORWARD -j NETWORK_STATS
   -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
   -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A OUTPUT -j NETWORK_STATS
   -A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A NETWORK_STATS -i eth0 -o eth2
   -A NETWORK_STATS -i eth2 -o eth0
   -A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
   -A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
   COMMIT
   # Completed on Wed Mar 24 07:15:19 2021
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [cloudstack] rhtyd commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
rhtyd commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-817095771


   Merged based on Wei and Nicolas's review and testing, and smoketests.





[GitHub] [cloudstack] Spaceman1984 commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805077093


   @blueorangutan package





[GitHub] [cloudstack] Spaceman1984 commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805073077


   > I think the change in this line also needed.
   > https://github.com/apache/cloudstack/blob/master/systemvm/debian/etc/iptables/iptables-dhcpsrvr#L40
   
   In my testing, this was not needed.





[GitHub] [cloudstack] rhtyd commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
rhtyd commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-809146782


   @nvazquez can you review and test this? Thanks.





[GitHub] [cloudstack] weizhouapache commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805126392


   > > I think the change in this line also needed.
   > > https://github.com/apache/cloudstack/blob/master/systemvm/debian/etc/iptables/iptables-dhcpsrvr#L40
   > 
   > In my testing, this was not needed.
   
   @Spaceman1984 line 40 in systemvm/debian/etc/iptables/iptables-dhcpsrvr should be removed, as it opens http access to all internet.
   `-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT`





[GitHub] [cloudstack] Spaceman1984 closed pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 closed pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847


   





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-812728346


   <b>Trillian test result (tid-333)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 32343 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr4847-t333-kvm-centos7.zip
   Intermittent failure detected: /marvin/tests/smoke/test_vm_life_cycle.py
   Smoke tests completed. 82 look OK, 1 have error(s)
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_01_migrate_VM_and_root_volume | `Error` | 61.04 | test_vm_life_cycle.py
   test_02_migrate_VM_with_two_data_disks | `Error` | 49.04 | test_vm_life_cycle.py
   





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-804140424


   <b>[S] Trillian test result (tid-187)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 93831 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr4847-t187-kvm-centos7.zip
   Intermittent failure detected: /marvin/tests/smoke/test_affinity_groups_projects.py
   Intermittent failure detected: /marvin/tests/smoke/test_affinity_groups.py
   Intermittent failure detected: /marvin/tests/smoke/test_deploy_virtio_scsi_vm.py
   Intermittent failure detected: /marvin/tests/smoke/test_deploy_vm_extra_config_data.py
   Intermittent failure detected: /marvin/tests/smoke/test_internal_lb.py
   Intermittent failure detected: /marvin/tests/smoke/test_kubernetes_clusters.py
   Intermittent failure detected: /marvin/tests/smoke/test_kubernetes_supported_versions.py
   Intermittent failure detected: /marvin/tests/smoke/test_loadbalance.py
   Intermittent failure detected: /marvin/tests/smoke/test_network.py
   Intermittent failure detected: /marvin/tests/smoke/test_password_server.py
   Intermittent failure detected: /marvin/tests/smoke/test_privategw_acl.py
   Intermittent failure detected: /marvin/tests/smoke/test_router_dhcphosts.py
   Intermittent failure detected: /marvin/tests/smoke/test_router_dns.py
   Intermittent failure detected: /marvin/tests/smoke/test_router_dnsservice.py
   Intermittent failure detected: /marvin/tests/smoke/test_routers_iptables_default_policy.py
   Intermittent failure detected: /marvin/tests/smoke/test_routers_network_ops.py
   Intermittent failure detected: /marvin/tests/smoke/test_routers.py
   Intermittent failure detected: /marvin/tests/smoke/test_service_offerings.py
   Intermittent failure detected: /marvin/tests/smoke/test_snapshots.py
   Intermittent failure detected: /marvin/tests/smoke/test_ssvm.py
   Intermittent failure detected: /marvin/tests/smoke/test_vm_life_cycle.py
   Intermittent failure detected: /marvin/tests/smoke/test_vm_snapshots.py
   Intermittent failure detected: /marvin/tests/smoke/test_volumes.py
   Intermittent failure detected: /marvin/tests/smoke/test_vpc_redundant.py
   Intermittent failure detected: /marvin/tests/smoke/test_vpc_router_nics.py
   Intermittent failure detected: /marvin/tests/smoke/test_vpc_vpn.py
   Intermittent failure detected: /marvin/tests/smoke/test_hostha_kvm.py
   Smoke tests completed. 56 look OK, 27 have error(s)
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_01_internallb_roundrobin_1VPC_3VM_HTTP_port80 | `Failure` | 264.12 | test_internal_lb.py
   test_02_internallb_roundrobin_1RVPC_3VM_HTTP_port80 | `Failure` | 309.66 | test_internal_lb.py
   test_03_vpc_internallb_haproxy_stats_on_all_interfaces | `Error` | 128.22 | test_internal_lb.py
   test_04_rvpc_internallb_haproxy_stats_on_all_interfaces | `Error` | 160.26 | test_internal_lb.py
   test_DeployVmAntiAffinityGroup_in_project | `Error` | 56.17 | test_affinity_groups_projects.py
   test_01_create_lb_rule_src_nat | `Failure` | 308.59 | test_loadbalance.py
   test_02_create_lb_rule_non_nat | `Failure` | 34.58 | test_loadbalance.py
   test_assign_and_removal_lb | `Failure` | 35.65 | test_loadbalance.py
   test_DeployVmAntiAffinityGroup | `Error` | 37.78 | test_affinity_groups.py
   test_01_verify_libvirt | `Error` | 602.80 | test_deploy_virtio_scsi_vm.py
   test_02_verify_libvirt_after_restart | `Error` | 610.03 | test_deploy_virtio_scsi_vm.py
   test_03_verify_libvirt_attach_disk | `Error` | 605.78 | test_deploy_virtio_scsi_vm.py
   test_04_verify_guest_lspci | `Error` | 602.04 | test_deploy_virtio_scsi_vm.py
   test_05_change_vm_ostype_restart | `Error` | 610.21 | test_deploy_virtio_scsi_vm.py
   test_06_verify_guest_lspci_again | `Error` | 602.09 | test_deploy_virtio_scsi_vm.py
   test_02_deploy_vm_with_extraconfig_kvm | `Error` | 633.47 | test_deploy_vm_extra_config_data.py
   test_03_update_vm_with_extraconfig_kvm | `Error` | 743.48 | test_deploy_vm_extra_config_data.py
   test_01_port_fwd_on_src_nat | `Failure` | 605.11 | test_network.py
   test_02_port_fwd_on_non_src_nat | `Failure` | 607.01 | test_network.py
   test_reboot_router | `Failure` | 343.91 | test_network.py
   test_network_rules_acquired_public_ip_1_static_nat_rule | `Error` | 607.49 | test_network.py
   test_network_rules_acquired_public_ip_2_nat_rule | `Error` | 609.06 | test_network.py
   test_network_rules_acquired_public_ip_3_Load_Balancer_Rule | `Error` | 613.23 | test_network.py
   test_isolate_network_password_server | `Failure` | 157.13 | test_password_server.py
   test_01_deploy_kubernetes_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_02_invalid_upgrade_kubernetes_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_03_deploy_and_upgrade_kubernetes_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_04_deploy_and_scale_kubernetes_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_05_delete_kubernetes_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_06_deploy_invalid_kubernetes_ha_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_07_deploy_kubernetes_ha_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_08_deploy_and_upgrade_kubernetes_ha_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_09_delete_kubernetes_ha_cluster | `Failure` | 0.00 | test_kubernetes_clusters.py
   test_02_vpc_privategw_static_routes | `Failure` | 744.55 | test_privategw_acl.py
   test_03_vpc_privategw_restart_vpc_cleanup | `Failure` | 743.28 | test_privategw_acl.py
   test_04_rvpc_privategw_static_routes | `Failure` | 829.20 | test_privategw_acl.py
   test_01_add_delete_kubernetes_supported_version | `Error` | 0.01 | test_kubernetes_supported_versions.py
   test_router_dhcphosts | `Failure` | 156.95 | test_router_dhcphosts.py
   ContextSuite context=TestRouterDHCPHosts>:teardown | `Error` | 167.24 | test_router_dhcphosts.py
   test_router_dhcp_opts | `Error` | 609.08 | test_router_dhcphosts.py
   test_router_dns_guestipquery | `Failure` | 454.87 | test_router_dns.py
   test_router_dns_guestipquery | `Failure` | 454.60 | test_router_dnsservice.py
   test_02_routervm_iptables_policies | `Error` | 653.30 | test_routers_iptables_default_policy.py
   test_01_single_VPC_iptables_policies | `Error` | 716.02 | test_routers_iptables_default_policy.py
   test_01_isolate_network_FW_PF_default_routes_egress_true | `Failure` | 204.53 | test_routers_network_ops.py
   test_02_isolate_network_FW_PF_default_routes_egress_false | `Failure` | 204.86 | test_routers_network_ops.py
   test_01_RVR_Network_FW_PF_SSH_default_routes_egress_true | `Failure` | 238.73 | test_routers_network_ops.py
   test_02_RVR_Network_FW_PF_SSH_default_routes_egress_false | `Failure` | 234.86 | test_routers_network_ops.py
   test_03_RVR_Network_check_router_state | `Error` | 684.10 | test_routers_network_ops.py
   test_01_router_internal_basic | `Error` | 602.70 | test_routers.py
   test_02_router_internal_adv | `Error` | 602.74 | test_routers.py
   test_04_restart_network_wo_cleanup | `Error` | 604.78 | test_routers.py
   test_01_service_offering_cpu_limit_use | `Error` | 100.51 | test_service_offerings.py
   test_04_change_offering_small | `Failure` | 714.49 | test_service_offerings.py
   test_01_snapshot_root_disk | `Error` | 604.88 | test_snapshots.py
   test_03_ssvm_internals | `Error` | 602.76 | test_ssvm.py
   test_04_cpvm_internals | `Error` | 602.83 | test_ssvm.py
   test_05_stop_ssvm | `Error` | 646.37 | test_ssvm.py
   test_06_stop_cpvm | `Error` | 657.45 | test_ssvm.py
   test_07_reboot_ssvm | `Error` | 624.00 | test_ssvm.py
   test_08_reboot_cpvm | `Error` | 620.92 | test_ssvm.py
   test_09_destroy_ssvm | `Error` | 654.18 | test_ssvm.py
   test_10_destroy_cpvm | `Error` | 651.29 | test_ssvm.py
   test_10_attachAndDetach_iso | `Failure` | 607.74 | test_vm_life_cycle.py
   test_01_create_vm_snapshots | `Failure` | 604.68 | test_vm_snapshots.py
   test_02_revert_vm_snapshots | `Failure` | 601.79 | test_vm_snapshots.py
   test_03_delete_vm_snapshots | `Failure` | 0.01 | test_vm_snapshots.py
   test_01_create_volume | `Failure` | 608.74 | test_volumes.py
   test_02_attach_volume | `Failure` | 605.62 | test_volumes.py
   test_01_create_redundant_VPC_2tiers_4VMs_4IPs_4PF_ACL | `Error` | 821.99 | test_vpc_redundant.py
   test_02_redundant_VPC_default_routes | `Error` | 828.23 | test_vpc_redundant.py
   test_03_create_redundant_VPC_1tier_2VMs_2IPs_2PF_ACL_reboot_routers | `Error` | 749.54 | test_vpc_redundant.py
   test_04_rvpc_network_garbage_collector_nics | `Error` | 718.01 | test_vpc_redundant.py
   test_05_rvpc_multi_tiers | `Error` | 797.25 | test_vpc_redundant.py
   test_05_rvpc_multi_tiers | `Error` | 823.27 | test_vpc_redundant.py
   test_01_VPC_nics_after_destroy | `Failure` | 715.24 | test_vpc_router_nics.py
   test_02_VPC_default_routes | `Failure` | 718.35 | test_vpc_router_nics.py
   test_01_redundant_vpc_site2site_vpn | `Failure` | 329.59 | test_vpc_vpn.py
   test_01_vpc_site2site_vpn_multiple_options | `Error` | 236.50 | test_vpc_vpn.py
   test_01_vpc_site2site_vpn | `Error` | 284.56 | test_vpc_vpn.py
   test_hostha_enable_ha_when_host_disconected | `Error` | 603.96 | test_hostha_kvm.py
   test_hostha_kvm_host_degraded | `Failure` | 671.10 | test_hostha_kvm.py
   test_hostha_kvm_host_fencing | `Failure` | 643.58 | test_hostha_kvm.py
   test_hostha_kvm_host_recovering | `Failure` | 643.67 | test_hostha_kvm.py
   





[GitHub] [cloudstack] Spaceman1984 commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805592700


   > > > > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   > > > > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   > > > > -A INPUT -d 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
   > > > > -A INPUT -d 192.168.10.11/32 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
   > > > 
   > > > 
   > > > @Spaceman1984 are you testing with shared network, isolated network or vpc ?
   > > > this looks like a critical issue with shared network.
   > > > for vpc and isolated network, it is not.
   > > 
   > > 
   > > @weizhouapache I'm testing with a shared network.
   > 
   > @Spaceman1984 ok. I see
   > 
   > 1. the line you change for port 80, can be removed as well.
   > 
   > ```
   > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   > ```
   > is not needed.
   > 
   > because there is a rule below
   > ```
   > -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   > ```
   > 
   > 2.  the line you change for port 443, is not ok.
   > ```
   > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   > ```
   > 
   > it should be 
   > ```
   > -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   > ```
   > you can add rules in CsAddress.py, not CsApp.py
   > 
   > 3. line 40 in systemvm/debian/etc/iptables/iptables-dhcpsrvr can be removed, as it is not used. it is not an issue to keep it.
   
   Alright @weizhouapache I'll make the changes.


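The rule review that weizhouapache does by eye above (which `-s` matches actually scope the router's web listeners to the guest network, and which ones do not) can be done mechanically against an `iptables-save` dump. The script below is an added example for this thread, not code from Apache CloudStack or from any participant: it walks the filter table's INPUT chain, picks the TCP ACCEPT rules for the ports the VR serves HTTP on, and classifies each by its source match, distinguishing no `-s` at all (the iptables-dhcpsrvr line 40 pattern), a /32 of the router's own address (the `-s %s/32` form from CsApp.py, which only the router itself can ever match), the exact guest CIDR, and a match wider than the guest network. The sample dump is constructed for the example (modelled on the output posted in this thread, with two extra rules added to exercise the checks), and the guest CIDR 192.168.10.0/24, the router address 192.168.10.11, the port set and every function name are the example's own assumptions.

```python
"""Audit an iptables-save dump for INPUT rules that expose a CloudStack virtual
router's HTTP listeners beyond the guest network. Added example for this thread,
not Apache CloudStack code: SAMPLE_DUMP is constructed (modelled on the output
posted above, plus two extra rules) and every name here is the example's own."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

WEB_PORTS = {"80", "443", "8080"}                # ports the VR serves HTTP on (assumed)
EXPOSING = {"unrestricted", "wider-than-guest"}  # scopes reachable from outside the guest net


@dataclass
class Finding:
    rule: str    # the iptables-save line as written
    port: str    # TCP destination port the rule accepts
    scope: str   # who can satisfy the rule's -s match
    detail: str  # one-line explanation for the reviewer


def parse_rule(line: str) -> Dict[str, Union[str, bool]]:
    """Flatten one `-A CHAIN ...` line into {option: value}: an option followed by a
    non-option token takes it as value, a bare option maps to True, a preceding `!`
    becomes a '!' prefix on the value. `-m tcp -m state` keeps the last -m (unused)."""
    toks, opts, negate, i = shlex.split(line), {}, False, 0
    while i < len(toks):
        tok, nxt = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if tok == "!":
            negate, i = True, i + 1
            continue
        if nxt is not None and nxt != "!" and not nxt.startswith("-"):
            opts[tok], i = (("!" + nxt) if negate else nxt), i + 2
        else:
            opts[tok], i = True, i + 1
        negate = False
    return opts


def classify_source(src: Optional[str], guest_net, router_ip) -> Tuple[str, str]:
    """Say who can satisfy a rule's -s match, relative to the guest network."""
    if src is None or src.startswith("!"):       # no -s, or `! -s x`: everything else gets in
        return "unrestricted", "any host that reaches the interface can open the port"
    net = ipaddress.ip_network(src, strict=False)  # iptables accepts host/24 forms too
    if net.num_addresses == 1:
        if net.network_address == router_ip:
            return "self-source", "-s is the router's own address: only the router matches"
        return "single-host", "only %s matches" % net.network_address
    if net == guest_net:
        return "guest-network", "matches exactly the guest network"
    if guest_net.subnet_of(net):
        return "wider-than-guest", "%s contains the guest network and more" % net
    return ("subset-of-guest" if net.subnet_of(guest_net) else "other-network"), "%s vs guest %s" % (net, guest_net)


def audit_input_rules(dump: str, guest_cidr: str, router_ip: str) -> List[Finding]:
    """Classify every filter-table INPUT rule that ACCEPTs TCP to a web port."""
    guest_net, router = ipaddress.ip_network(guest_cidr), ipaddress.ip_address(router_ip)
    findings, in_filter = [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):                  # table header: *mangle, *filter, ...
            in_filter = line == "*filter"
            continue
        if not in_filter or not line.startswith("-A INPUT "):
            continue
        opts = parse_rule(line)
        if opts.get("-j") != "ACCEPT" or opts.get("-p") != "tcp" or opts.get("--dport") not in WEB_PORTS:
            continue
        src = opts.get("-s")
        scope, detail = classify_source(src if isinstance(src, str) else None, guest_net, router)
        findings.append(Finding(line, str(opts["--dport"]), scope, detail))
    return findings


# Constructed sample: the web-port INPUT rules from the dump posted in this thread
# (shared network 192.168.10.0/24, router 192.168.10.11) plus two rules added for the
# example: the unrestricted port-80 rule from iptables-dhcpsrvr line 40 that the
# reviewers discuss, and a /16 source match that is wider than the guest network.
SAMPLE_DUMP = """\
*mangle
-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for f in audit_input_rules(SAMPLE_DUMP, "192.168.10.0/24", "192.168.10.11"):
        print("%-7s port %-4s %-16s %s" % ("EXPOSED" if f.scope in EXPOSING else "ok", f.port, f.scope, f.detail))
```

On the sample, the two `-s 192.168.10.11/32` rules come back as `self-source` (they neither protect nor expose anything), the bare `--dport 80` rule and the `/16` rule are the only ones flagged, and the `/24` rules are the expected shape. To use it on a real router, pass the output of `iptables-save` taken on the VR to `audit_input_rules` together with the network's CIDR and the router's guest-side address. Note that `classify_source` normalises a host-plus-prefix form such as `192.168.10.11/24` the way iptables does, so a rule built from the router address with a literal `/24` is only correct when the guest network really is a /24; on a /22 the same rule is classified `subset-of-guest`, i.e. it leaves guests out.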



[GitHub] [cloudstack] rhtyd commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
rhtyd commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-809283648


   @blueorangutan package





[GitHub] [cloudstack] weizhouapache commented on a change in pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on a change in pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#discussion_r601362146



##########
File path: systemvm/debian/opt/cloud/bin/cs/CsAddress.py
##########
@@ -367,6 +367,8 @@ def fw_router(self):
         if self.config.is_vpc():
             return
 
+        self.fw.append(["", "front","-A INPUT -i %s -s %s/24 -p tcp -m tcp -m state --state NEW --dport 443 -j ACCEPT" % (self.dev, self.address['public_ip'])])
+
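Review bot: `-s %s/24` hard-codes the prefix length on `self.address['public_ip']`, so the rule only describes the guest network when that network happens to be a /24; with any other mask it either leaves guests out (narrower than the real network) or admits hosts outside it (wider). Build the source match from the address's configured netmask or CIDR instead of a literal `/24`, the way the port 80 and 8080 rules further down in `fw_router` do (the reviewer points at lines 419 to 422). Also, because the append sits after the `is_vpc()` early return, VPC routers get no port 443 rule from this change; if that is intended, say so in a comment next to the rule.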

Review comment:
       @Spaceman1984 please refer to the rules for port 80 and port 8080 (line 419 to line 422).







[GitHub] [cloudstack] weizhouapache closed pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
weizhouapache closed pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847


   





[GitHub] [cloudstack] Spaceman1984 commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-809328242


   @blueorangutan test





[GitHub] [cloudstack] Spaceman1984 edited a comment on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 edited a comment on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805566088


   > > > I think the change in this line also needed.
   > > > https://github.com/apache/cloudstack/blob/master/systemvm/debian/etc/iptables/iptables-dhcpsrvr#L40
   > > 
   > > 
   > > In my testing, this was not needed.
   > 
   > @Spaceman1984 line 40 in systemvm/debian/etc/iptables/iptables-dhcpsrvr should be removed, as it opens http access to all internet.
   > `-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT`
   
   Doesn't seem like those rules are applied. This is the output from iptables-save:
   
   ```
   # Generated by iptables-save v1.6.2 on Wed Mar 24 07:15:19 2021
   *mangle
   :PREROUTING ACCEPT [3051:197074]
   :INPUT ACCEPT [3051:197074]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [886:99341]
   :POSTROUTING ACCEPT [886:99341]
   -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
   -A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
   COMMIT
   # Completed on Wed Mar 24 07:15:19 2021
   # Generated by iptables-save v1.6.2 on Wed Mar 24 07:15:19 2021
   *filter
   :INPUT DROP [2517:137372]
   :FORWARD DROP [0:0]
   :OUTPUT ACCEPT [886:99341]
   :FW_EGRESS_RULES - [0:0]
   :FW_OUTBOUND - [0:0]
   :NETWORK_STATS - [0:0]
   -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   -A INPUT -d 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
   -A INPUT -d 192.168.10.11/32 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
   -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
   -A INPUT -j NETWORK_STATS
   -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
   -A INPUT -d 224.0.0.18/32 -j ACCEPT
   -A INPUT -d 225.0.0.50/32 -j ACCEPT
   -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A INPUT -p icmp -j ACCEPT
   -A INPUT -i lo -j ACCEPT
   -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
   -A INPUT -s 192.168.10.0/24 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
   -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
   -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
   -A FORWARD -j NETWORK_STATS
   -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
   -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A OUTPUT -j NETWORK_STATS
   -A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A NETWORK_STATS -i eth0 -o eth2
   -A NETWORK_STATS -i eth2 -o eth0
   -A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
   -A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
   COMMIT
   # Completed on Wed Mar 24 07:15:19 2021
   ```





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-820214654


   Packaging result: :heavy_check_mark: centos7 :heavy_check_mark: debian. SL-JID 418





[GitHub] [cloudstack] Spaceman1984 edited a comment on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 edited a comment on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805580352


   > > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   > > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   > > -A INPUT -d 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
   > > -A INPUT -d 192.168.10.11/32 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
   > 
   > @Spaceman1984 are you testing with shared network, isolated network or vpc ?
   > this looks like a critical issue with shared network.
   > for vpc and isolated network, it is not.
   
   I'm testing with a shared network.





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-809831131


   <b>Trillian test result (tid-284)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 45243 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr4847-t284-kvm-centos7.zip
   Intermittent failure detected: /marvin/tests/smoke/test_internal_lb.py
   Intermittent failure detected: /marvin/tests/smoke/test_password_server.py
   Intermittent failure detected: /marvin/tests/smoke/test_privategw_acl.py
   Intermittent failure detected: /marvin/tests/smoke/test_router_dhcphosts.py
   Intermittent failure detected: /marvin/tests/smoke/test_vm_life_cycle.py
   Intermittent failure detected: /marvin/tests/smoke/test_vpc_redundant.py
   Smoke tests completed. 79 look OK, 4 have error(s)
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_isolate_network_password_server | `Failure` | 18.51 | test_password_server.py
   test_03_vpc_privategw_restart_vpc_cleanup | `Failure` | 382.34 | test_privategw_acl.py
   test_01_migrate_VM_and_root_volume | `Error` | 62.03 | test_vm_life_cycle.py
   test_02_migrate_VM_with_two_data_disks | `Error` | 46.98 | test_vm_life_cycle.py
   test_01_create_redundant_VPC_2tiers_4VMs_4IPs_4PF_ACL | `Failure` | 474.17 | test_vpc_redundant.py
   test_03_create_redundant_VPC_1tier_2VMs_2IPs_2PF_ACL_reboot_routers | `Failure` | 354.05 | test_vpc_redundant.py
   test_05_rvpc_multi_tiers | `Failure` | 445.51 | test_vpc_redundant.py
   





[GitHub] [cloudstack] Spaceman1984 commented on a change in pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on a change in pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#discussion_r599765300



##########
File path: systemvm/debian/opt/cloud/bin/cs/CsApp.py
##########
@@ -61,12 +61,12 @@ def setup(self):
 
         self.fw.append([
             "", "front",
-            "-A INPUT -i %s -d %s/32 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT" % (self.dev, self.ip)
+            "-A INPUT -i %s -s %s/32 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT" % (self.dev, self.ip)
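Review bot: swapping `-d %s/32` for `-s %s/32` turns "accept new TCP/80 connections addressed to this router IP" into "accept new TCP/80 connections whose source is this router IP", which is not a restriction to the guest network: the only host that can match `-s <router ip>/32` is the router itself, so the rule is effectively dead and port 80 reachability is decided by whatever other INPUT rules exist (in the iptables-save output posted in this PR that is the subnet-wide `-s 192.168.10.0/24 ... --dport 80` rule). Either drop this rule as redundant, or keep `-d %s/32` and add an `-s <guest cidr>` match so the rule itself expresses the intended scope.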

Review comment:
       I'm not sure I understand what you are asking. The way it is now, port 80 and 443 are only open from within the guest network.







[GitHub] [cloudstack] rhtyd closed pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
rhtyd closed pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847


   





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-802909584


   @Spaceman1984 a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests [S]





[GitHub] [cloudstack] Spaceman1984 commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805091835


   @blueorangutan test





[GitHub] [cloudstack] rhtyd commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
rhtyd commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-803570529


   @blueorangutan test
   
   





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-809283985


   @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.





[GitHub] [cloudstack] Spaceman1984 commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-821131566


   Yes, that is expected.





[GitHub] [cloudstack] borisstoyanov commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
borisstoyanov commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-820203309


   @blueorangutan package





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805090519


   Packaging result: :heavy_check_mark: centos7 :heavy_multiplication_x: centos8 :heavy_check_mark: debian. SL-JID 216





[GitHub] [cloudstack] weizhouapache commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-808039895


   travis test failed. closed/reopened to restart it.





[GitHub] [cloudstack] Spaceman1984 commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-806535903


   @blueorangutan package





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-802928783


   [S] Trillian Build Failed (tid-183)





[GitHub] [cloudstack] blueorangutan commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-802907269


   Packaging result: :heavy_check_mark: centos7 :heavy_multiplication_x: centos8 :heavy_check_mark: debian. SL-JID 190





[GitHub] [cloudstack] weizhouapache commented on a change in pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on a change in pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#discussion_r599824466



##########
File path: systemvm/debian/opt/cloud/bin/cs/CsApp.py
##########
@@ -61,12 +61,12 @@ def setup(self):
 
         self.fw.append([
             "", "front",
-            "-A INPUT -i %s -d %s/32 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT" % (self.dev, self.ip)
+            "-A INPUT -i %s -s %s/32 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT" % (self.dev, self.ip)
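Review bot: swapping `-d %s/32` for `-s %s/32` while still formatting in `self.ip` (the VR's own address on `self.dev`) turns the port-80 INPUT rule into "accept only if the source is the VR itself", so guest VMs can no longer reach the metadata/userdata service on the router; the thread below flags this as critical for shared networks. To confine HTTP to the internal network the `-s` match has to carry the guest subnet (for a VR at 192.168.10.1 on 192.168.10.0/24 that is `-s 192.168.10.0/24`, not `-s 192.168.10.1/32`), and the original `-d %s/32` with the VR IP is worth keeping alongside it so the destination stays pinned to the router address. The same applies to the matching port-443 rule that the pasted VR output shows was changed the same way.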

Review comment:
       @Spaceman1984 
   here is an example,
   if VR ip is 192.168.10.1, and guest network is 192.168.10.0/24, the rule should be  `-i eth0 -s 192.168.10.0/24`, not `-i eth0 -s 192.168.10.1/32`
   otherwise, the vms in guest network could not access metadata/userdata in VR.







[GitHub] [cloudstack] Spaceman1984 commented on pull request #4847: Restricting http access on VR to internal network

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805580352


   > > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   > > -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   > > -A INPUT -d 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
   > > -A INPUT -d 192.168.10.11/32 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
   > 
   > @Spaceman1984 are you testing with shared network, isolated network or vpc ?
   > this looks like a critical issue with shared network.
   > for vpc and isolated network, it is not.
   
   I'm testing with the shared network.


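Both weizhouapache's review comment (the `-s` match must cover the guest subnet, not the VR's own /32) and the iptables output Spaceman1984 pasted from a shared-network VR come down to the same point. The block below is an added example and not CloudStack's own code: it derives the guest subnet from the VR IP and interface netmask with Python's `ipaddress` module, builds the rule both ways, and uses a small matcher to show which sources each rule admits. The function names, the combination of `-s <guest subnet>` with `-d <VR ip>/32`, the matcher itself and the 192.168.10.0/24 sample addresses are assumptions for illustration.

```python
"""Added example (not CloudStack code): the VR's inbound HTTP rule built so
that guest VMs, and only guest VMs, can reach the metadata service.

Assumed inputs: the guest-facing interface name, the VR's IP on that
interface and the interface netmask.  Sample addresses are constructed.
"""
import ipaddress


def vr_http_rule(dev, vr_ip, netmask, dport=80):
    """Rule that admits HTTP from the guest subnet to the VR address only.

    -s restricts the *source* to the guest network the VR serves, while
    -d keeps the *destination* pinned to the VR's own address on `dev`.
    """
    iface = ipaddress.ip_interface(f"{vr_ip}/{netmask}")
    guest_net = iface.network  # e.g. 192.168.10.0/24 for 192.168.10.1/24
    return (
        f"-A INPUT -i {dev} -s {guest_net.with_prefixlen} -d {iface.ip}/32 "
        f"-p tcp -m tcp -m state --state NEW --dport {dport} -j ACCEPT"
    )


def vr_http_rule_self_only(dev, vr_ip, dport=80):
    """The rule shape from the PR's first revision: -s with the VR's own /32.

    Only packets whose source is the VR itself match this, so guest VMs
    fetching metadata/userdata are dropped by the chain's default policy.
    """
    return (
        f"-A INPUT -i {dev} -s {vr_ip}/32 "
        f"-p tcp -m tcp -m state --state NEW --dport {dport} -j ACCEPT"
    )


def rule_accepts(rule, src_ip, dst_ip, dev="eth0", dport=80):
    """Minimal matcher for the -i / -s / -d / --dport parts of a rule string.

    Enough to show who a rule admits; it is not an iptables emulator and
    ignores -m state and -p (every sample packet here is a new TCP flow).
    """
    tokens = rule.split()

    def opt(flag, default=None):
        return tokens[tokens.index(flag) + 1] if flag in tokens else default

    if opt("-i", dev) != dev or opt("--dport") != str(dport):
        return False
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if "-s" in tokens and src not in ipaddress.ip_network(opt("-s"), strict=False):
        return False
    if "-d" in tokens and dst not in ipaddress.ip_network(opt("-d"), strict=False):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: VR at 192.168.10.1 on a /24 guest network.
    subnet_rule = vr_http_rule("eth0", "192.168.10.1", "255.255.255.0")
    self_rule = vr_http_rule_self_only("eth0", "192.168.10.1")
    print(subnet_rule)
    print(self_rule)
    # A guest VM at 192.168.10.11 fetching metadata from the VR:
    print(rule_accepts(subnet_rule, "192.168.10.11", "192.168.10.1"))  # True
    print(rule_accepts(self_rule, "192.168.10.11", "192.168.10.1"))    # False
    # A source outside the guest network is still rejected by the subnet rule:
    print(rule_accepts(subnet_rule, "10.0.0.5", "192.168.10.1"))       # False
```

The matcher is deliberately tiny; what matters is the `-s` argument it compares against. A quick way to confirm the same thing on a real VR is `iptables -S INPUT | grep 'dport 80'` from a guest VM's point of view: the rule must list the guest CIDR after `-s`, and a `curl` of the metadata URL from a VM in that subnet must succeed while one from outside it times out.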