cloudstack-dev mailing list archives

From Alena Prokharchyk <>
Subject Re: SG broken in Adv zone with multiple shared networks (4.2)
Date Sat, 14 Dec 2013 01:07:50 GMT
We do make this check when deployVm is called with multiple networks
specified, in SG enabled Advance zone. And don't let a VM have a mix of
SG enabled and disabled Nics.

However I suspect that this check is missing when Nic is plugged to
existing VM via PlugNic API command.


On 12/13/13, 3:40 PM, "Chiradeep Vittal" <>

>My reading of is :
> - a VM can only be on 1 security-group-enabled network.
>On 12/13/13 10:30 AM, "Nux!" <> wrote:
>>It seems that using multiple shared networks in an Adv zone with
>>Security groups breaks the security groups.
>>Here's what happens:
>>- install 4.2.1 SNAPSHOT.el6 (from Build Date: Thu 05 Dec 2013 13:19:49
>>- create Adv zone with SG
>>- add a shared network on vlan 109
>>- add instances on it
>>- create security groups
>>- everything rocks, they can ping each other etc
>>- create another shared network on vlan 999
>>- stop the running instances
>>- add the second network to the instances and start them
>>- the instances get a new set of IPs for eth1 via DHCP BUT!
>>- they can no longer access each other via the eth0 IPs; the SG seem to
>>apply correctly, but only to the newly added network
>>- the instances can also no longer access the router in their primary
>>shared network (hence no more passwords reset and other features)
>>For those good at firewalls, here's the iptables output from BEFORE
>>adding the second network:
>>And AFTER adding the second network and starting back the instances:
>>If someone can confirm it's not me doing something stupid I can open a
>>proper report in jira.
>>Sent from the Delta quadrant using Borg technology!
