cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alena Prokharchyk <Alena.Prokharc...@citrix.com>
Subject Re: SG broken in Adv zone with multiple shared networks (4.2)
Date Sat, 14 Dec 2013 01:07:50 GMT
We do make this check when deployVm is called with multiple networks
specified, in SG enabled Advance zone. And donĀ¹t let VM to have a mix of
SG enabled and disabled Nics.

However I suspect that this check is missing when Nic is plugged to
existing VM via PlugNic API command.

-Alena.

On 12/13/13, 3:40 PM, "Chiradeep Vittal" <Chiradeep.Vittal@citrix.com>
wrote:

>My reading of https://cwiki.apache.org/confluence/x/kxTVAQ is :
> - a VM can only be on 1 security-group-enabled network.
>
>
>On 12/13/13 10:30 AM, "Nux!" <nux@li.nux.ro> wrote:
>
>>Hi,
>>
>>It seems that using multiple shared networks in an Adv zone with
>>Security groups breaks the security groups.
>>
>>Here's what happens:
>>
>>- install 4.2.1 SNAPSHOT.el6 (from Build Date: Thu 05 Dec 2013 13:19:49
>>GMT)
>>- crate Adv zone with SG
>>- add a shared network on vlan 109
>>- add instances on it
>>- create security groups
>>- everything rocks, they can ping each other etc
>>
>>- create another shared network on vlan 999
>>- stop the running instances
>>- add the second network to the instances and start them
>>- the instances get a new set of IPs for eth1 via DHCP BUT!
>>- they can no longer access each other via the eth0 IPs; the SG seem to
>>apply correctly, but only to the newly added network
>>- the instances can also no longer access the router in their primary
>>shared network (hence no more passwords reset and other features)
>>
>>For those good at firewalls, here's the iptables output from BEFORE
>>adding the second network:
>>http://paste.fedoraproject.org/61594/95896413
>>
>>And AFTER adding the second network and starting back the instances:
>>http://paste.fedoraproject.org/61595/86959048
>>
>>If someone can confirm it's not me doing something stupid I can open a
>>proper report in jira.
>>
>>-- 
>>Sent from the Delta quadrant using Borg technology!
>>
>>Nux!
>>www.nux.ro
>


Mime
View raw message