cloudstack-users mailing list archives

From Mārtiņš Jakubovičs <mart...@vertigs.lv>
Subject Re: Basic networking issue
Date Wed, 08 Jul 2015 07:41:21 GMT
Hello,

The main issue is that any user in a basic networking zone can use any IP from
the zone's subnet, without any isolation, and CS wouldn't know that.

On 2015.07.08. 10:09, Sanjeev N wrote:
> If you want CS not to allocate these IPs to any other VM, you can mark the
> Allocated field in the user_ip_address table for all the IPs you want to
> assign to guest VMs manually.
>
> On Mon, Jul 6, 2015 at 12:17 PM, Mārtiņš Jakubovičs <martins@vertigs.lv>
> wrote:
>
>> Hello,
>>
>> In Basic Networking, IP address acquisition is not a manual process, but CS
>> itself gives IPs to instances. The problem is that if you configure an IP
>> address pool in a zone, a user can add all of these IP addresses to one
>> instance without informing CS.
>>
>> Example:
>> IP address pool (10.11.11.1 - 10.11.11.10)
>> 1.) Create an instance. (CS will give the instance IP 10.11.11.2)
>> 2.) In the instance, manually add IPs (create aliases) from the same subnet
>> (10.11.11.3, 10.11.11.4, *without* adding secondary IPs in CS).
>> 3.) In CloudStack you can see that the instance uses only one IP
>> (10.11.11.2), but in reality it uses the whole IP pool.
>> 4.) Deploy another instance, to which CS will give an IP which you manually
>> added before to instance nr. 1 (for example, 10.11.11.3).
>>
>> Instance nr. 1:
>> In CS it uses only one public IP (10.11.11.2), but in reality it has 10 IPs
>> configured.
>>
>> Instance nr. 2:
>> In CS it has one IP (10.11.11.3), but the network didn't work, because
>> instance nr. 1 has the IP which should be added to instance nr. 2, and CS
>> didn't know about that.
>>
>>
>> On 2015.07.06. 07:45, Sanjeev N wrote:
>>
>>> What do you mean by "IP address is acquired"? In Basic Networking we don't
>>> have an IP address acquisition concept. Also, the alias IPs you are
>>> manually configuring on deployed VMs should not overlap with the Guest IP
>>> address range provided in that zone.
>>>
>>> On Fri, Jul 3, 2015 at 7:51 PM, Mārtiņš Jakubovičs <martins@vertigs.lv>
>>> wrote:
>>>
>>>> Hello,
>>>> I am testing infrastructure with a base network setup right now. I faced
>>>> an issue: if I deploy an instance, I am able to manually add more public
>>>> IPs. For example, I deploy a VM, through DHCP I acquire an IP, and I can
>>>> manually add alias IP addresses without problems, and CloudStack still
>>>> thinks that I use only one IP. If an IP address is acquired and another
>>>> user boots a VM, there can be a situation where the new VM can't get a
>>>> public IP. Am I doing something wrong, or is this a kind of security
>>>> "hole" in Basic Networking?
>>>>
>>>> Thanks.
>>>>
>>>>
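
One way an operator could detect the situation described in this thread, as an added example that is not part of the original messages or of CloudStack itself: compare the IP-to-MAC assignments CloudStack has on record with the neighbour (ARP) table observed on the guest subnet. The MAC addresses, the `ip neigh show` sample and the function names are constructed for illustration, and an IPv4 guest subnet is assumed.

```python
import ipaddress

# Constructed sample: what CloudStack believes it assigned (guest IP -> NIC MAC).
CS_ALLOCATIONS = {
    "10.11.11.2": "06:aa:bb:00:00:01",  # instance nr. 1
    "10.11.11.3": "06:aa:bb:00:00:02",  # instance nr. 2
}

# Constructed sample of `ip neigh show` output from a host on the guest subnet.
NEIGH_OUTPUT = """\
10.11.11.2 dev eth0 lladdr 06:aa:bb:00:00:01 REACHABLE
10.11.11.3 dev eth0 lladdr 06:aa:bb:00:00:01 STALE
10.11.11.4 dev eth0 lladdr 06:aa:bb:00:00:01 REACHABLE
10.11.11.7 dev eth0 FAILED
10.11.11.200 dev eth0 lladdr 06:cc:dd:00:00:09 REACHABLE
"""

def pool_range(first, last):
    """Expand an inclusive first-last guest IP range into a set of addresses."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return {ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)}

def parse_neigh(text):
    """Return {IPv4Address: mac} for entries that resolved to a link-layer address."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries carry no MAC
        mac = fields[fields.index("lladdr") + 1].lower()
        seen[ipaddress.IPv4Address(fields[0])] = mac
    return seen

def find_untracked_ips(allocations, neigh_text, pool):
    """List (ip, mac, reason) for pool IPs in use that CS's records do not explain."""
    expected = {ipaddress.IPv4Address(ip): mac.lower() for ip, mac in allocations.items()}
    findings = []
    for ip, mac in sorted(parse_neigh(neigh_text).items()):
        if ip not in pool:
            continue  # outside the zone's guest range, not CloudStack's concern
        if ip not in expected:
            findings.append((str(ip), mac, "in use but not allocated by CS"))
        elif expected[ip] != mac:
            findings.append((str(ip), mac, "answered by a MAC other than the allocated one"))
    return findings

if __name__ == "__main__":
    pool = pool_range("10.11.11.1", "10.11.11.10")
    for finding in find_untracked_ips(CS_ALLOCATIONS, NEIGH_OUTPUT, pool):
        print(*finding, sep="  ")
```

A neighbour table only lists addresses the collecting host has recently exchanged traffic with, so coverage depends on where the table is gathered.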

