cloudstack-issues mailing list archives

From "Alena Prokharchyk (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-5535) Do not allow addNetwork to create NIC across VPC tiers and Isolated Networks
Date Thu, 09 Jan 2014 21:13:52 GMT

[ https://issues.apache.org/jira/browse/CLOUDSTACK-5535?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13867063#comment-13867063 ]

Alena Prokharchyk commented on CLOUDSTACK-5535:
-----------------------------------------------

Marcus,

We do allow adding a NIC from a Shared network to the VPC. Here are the scenarios we support:

1) VM is part of a VPC network
2) VM is part of a VPC network + (1-n) Shared networks

All other scenarios are not supported, and the deployVm call always made this check. Only addNic
was an error-prone call. So your core feature was written based on the buggy CS behavior.

Now, why don't we allow it? The entire purpose of a VPC is to control traffic from one tier to
another (by NetworkACL rules on the VPC VR). If a VM is part of 2 VPC tiers, this control gets
broken. Think about it like this:

1) VPC has tier1 and tier2
2) VM1 belongs to tier1, VM2 belongs to tier2.
3) Network ACL restricts ingress traffic from tier1 to tier2, so VM1 can't access VM2.
4) Introduce VM1 to tier2 by plugging in a NIC of that tier. Now VM1 can access VM2 as they are
part of the same network now, and the NetworkACL is not respected. The entire VPC concept gets
broken right here.

Let me know if what I said needs more clarification.

> Do not allow addNetwork to create NIC across VPC tiers and Isolated Networks
> -----------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5535
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5535
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: API, Management Server
>    Affects Versions: 4.3.0
>            Reporter: Saksham Srivastava
>            Assignee: Saksham Srivastava
>            Priority: Critical
>             Fix For: 4.3.0
>
>
> addNetworkToVM allows adding any network to a VM.
> Ideally a VM running in an isolated Guest Network should not be able to add a VPC tier.
> A VM running in a VPC tier should not be allowed to add another tier.
> A VM running in a VPC tier should not be allowed to add another isolated guest network.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
