cloudstack-issues mailing list archives

From "Wei Zhou (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-5144) [Automation]: Basic Zone Security Groups - SSH to VM is allowed even when there is no ingress rule defined for the security group
Date Mon, 30 Dec 2013 10:02:52 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-5144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13858686#comment-13858686 ]

Wei Zhou commented on CLOUDSTACK-5144:
--------------------------------------

I notice the following error. The IP address and MAC address are null in SecurityGroupRulesCmd.
This may be the root cause.

2013-12-24 00:13:50,340 DEBUG [cloud.agent.Agent] (agentRequest-Handler-3:null) Request:Seq 1-539754840:  { Cmd , MgmtId: 73187150500751, via: 1, Ver: v1, Flags: 100111, [{"com.cloud.agent.api.SecurityGroupRulesCmd":{"vmName":"i-48-27-TestVM","signature":"d41d8cd98f00b204e9800998ecf8427e","seqNum":1,"vmId":27,"msId":73187150500751,"ingressRuleSet":[],"egressRuleSet":[],"wait":0}}] }
2013-12-24 00:13:50,340 DEBUG [cloud.agent.Agent] (agentRequest-Handler-3:null) Processing command: com.cloud.agent.api.SecurityGroupRulesCmd
2013-12-24 00:13:50,355 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) Executing: /usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules --vmname i-48-27-TestVM --vmid 27 --vmip null --sig d41d8cd98f00b204e9800998ecf8427e --seq 1 --vmmac null --vif vnet7 --brname cloudbr0 --nicsecips 0:
2013-12-24 00:13:50,356 WARN  [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) Exception: /usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules --vmname i-48-27-TestVM --vmid 27 --vmip null --sig d41d8cd98f00b204e9800998ecf8427e --seq 1 --vmmac null --vif vnet7 --brname cloudbr0 --nicsecips 0:
java.lang.NullPointerException
	at java.lang.ProcessBuilder.start(ProcessBuilder.java:457)
	at com.cloud.utils.script.Script.execute(Script.java:177)
	at com.cloud.utils.script.Script.execute(Script.java:155)
	at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.add_network_rules(LibvirtComputingResource.java:5161)
	at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.execute(LibvirtComputingResource.java:2702)
	at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.executeRequest(LibvirtComputingResource.java:1276)
	at com.cloud.agent.Agent.processRequest(Agent.java:498)
	at com.cloud.agent.Agent$AgentRequestHandler.doTask(Agent.java:806)
	at com.cloud.utils.nio.Task.run(Task.java:83)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
	at java.lang.Thread.run(Thread.java:679)
2013-12-24 00:13:50,356 WARN  [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) Failed to program network rules for vm i-48-27-TestVM
2013-12-24 00:13:50,357 DEBUG [cloud.agent.Agent] (agentRequest-Handler-3:null) Seq 1-539754840:  { Ans: , MgmtId: 73187150500751, via: 1, Ver: v1, Flags: 110, [{"com.cloud.agent.api.SecurityGroupRuleAnswer":{"logSequenceNumber":1,"vmId":27,"reason":"PROGRAMMING_FAILED","result":false,"details":"programming network rules failed","wait":0}}] }

> [Automation]: Basic Zone Security Groups - SSH to VM is allowed even when there is no ingress rule defined for the security group
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5144
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5144
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.3.0
>            Reporter: Gaurav Aradhye
>            Assignee: Wei Zhou
>            Priority: Critical
>              Labels: automation
>             Fix For: 4.3.0
>
>         Attachments: MS-Log.txt, agent.log, ipset-L output.txt, iptables-rules.txt
>
>
> In Basic Zone Setup:
> 1. Create an account
> 2. Deploy a VM in that account
> 3. Verify that any ingress rule is not defined for the security group belonging to the account
> 4. Try SSH to VM using the nic ipaddress from external client
> SSH is successful to the VM whereas it should fail when the ingress rule is not defined.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
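
Added example (not part of the original message and not CloudStack code): a Python check that scans a KVM agent log for the two symptoms visible in the excerpt above, namely `security_group.py add_network_rules` being invoked with `--vmip null` or `--vmmac null`, and a `SecurityGroupRuleAnswer` whose `result` is false. The sample log is constructed from that excerpt plus one made-up healthy line; the function names `parse_flags` and `audit` are assumptions.

```python
import json
import re

# Constructed sample: the first and last lines are modelled on the agent.log
# excerpt above (wrapped lines rejoined); the second, healthy line uses made-up values.
SAMPLE_LOG = "\n".join([
    "2013-12-24 00:13:50,355 DEBUG [kvm.resource.LibvirtComputingResource] Executing: "
    "/usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules "
    "--vmname i-48-27-TestVM --vmid 27 --vmip null --sig d41d8cd98f00b204e9800998ecf8427e "
    "--seq 1 --vmmac null --vif vnet7 --brname cloudbr0 --nicsecips 0: ",
    "2013-12-24 00:14:02,101 DEBUG [kvm.resource.LibvirtComputingResource] Executing: "
    "/usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules "
    "--vmname i-48-28-TestVM --vmid 28 --vmip 10.1.1.5 --sig constructed --seq 1 "
    "--vmmac 06:aa:bb:00:00:01 --vif vnet8 --brname cloudbr0 --nicsecips 0: ",
    '2013-12-24 00:13:50,357 DEBUG [cloud.agent.Agent] Seq 1-539754840:  { Ans: , Flags: 110, '
    '[{"com.cloud.agent.api.SecurityGroupRuleAnswer":{"logSequenceNumber":1,"vmId":27,'
    '"reason":"PROGRAMMING_FAILED","result":false,'
    '"details":"programming network rules failed","wait":0}}] }',
])

EXEC_RE = re.compile(r"Executing: \S*security_group\.py add_network_rules (.*)")
ANSWER_RE = re.compile(r'"com\.cloud\.agent\.api\.SecurityGroupRuleAnswer":(\{[^{}]*\})')


def parse_flags(argstr):
    """Turn '--vmname x --vmip null ...' into {'vmname': 'x', 'vmip': 'null', ...}."""
    return dict(re.findall(r"--(\w+) (?!--)(\S+)", argstr))


def audit(log_text):
    """Return {vmId: details} for VMs whose security group rules were not programmed."""
    findings = {}
    for line in log_text.splitlines():
        m = EXEC_RE.search(line)
        if m:
            flags = parse_flags(m.group(1))
            # A missing flag is treated the same as the literal string "null".
            nulls = [k for k in ("vmip", "vmmac") if flags.get(k, "null") == "null"]
            if nulls:
                entry = findings.setdefault(int(flags.get("vmid", -1)), {})
                entry.update(vm=flags.get("vmname"), null_args=nulls)
            continue
        m = ANSWER_RE.search(line)
        if m:
            ans = json.loads(m.group(1))
            if not ans.get("result", False):
                findings.setdefault(ans.get("vmId"), {})["reason"] = ans.get("reason")
    return findings
```
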
