incubator-cloudstack-dev mailing list archives

From "Chandan Purushothama (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-324) Cannot edit default security group rules, default security group blocks all inbound traffic.
Date Fri, 12 Oct 2012 19:09:04 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13475255#comment-13475255
] 

Chandan Purushothama commented on CLOUDSTACK-324:
-------------------------------------------------

Hello Max,

In Basic Zone, there are only two valid network offerings used: 1. "DefaultSharedNetworkOfferingWithSGService"
and 2. "DefaultSharedNetscalerEIPandELBNetworkOffering". The reason why only these two network
offerings are valid is that the two network offerings use security groups for guest isolation,
while the other guest network offerings are VLAN-based offerings which require VLANs for guest
isolation.

Valid Network Offerings 1 and 2 details are as given below:

mysql> select * from network_offerings where id=6 \G;
*************************** 1. row ***************************
                       id: 6
                     name: DefaultSharedNetworkOfferingWithSGService
                     uuid: dbc5a79f-0540-4b83-a571-4fd421d0e224
              unique_name: DefaultSharedNetworkOfferingWithSGService
             display_text: Offering for Shared Security group enabled networks
                  nw_rate: NULL
                  mc_rate: NULL
             traffic_type: Guest
                     tags: NULL
              system_only: 0
             specify_vlan: 1
      service_offering_id: NULL
            conserve_mode: 1
                  created: 2012-10-10 03:35:49
                  removed: NULL
                  default: 1
             availability: Optional
     dedicated_lb_service: 1
shared_source_nat_service: 0
                 sort_key: 0
 redundant_router_service: 0
                    state: Enabled
               guest_type: Shared
       elastic_ip_service: 0
       elastic_lb_service: 0
        specify_ip_ranges: 1
1 row in set (0.00 sec)

ERROR:
No query specified


mysql> select * from network_offerings where id=10 \G;
*************************** 1. row ***************************
                       id: 10
                     name: DefaultSharedNetscalerEIPandELBNetworkOffering
                     uuid: 8f8a4b0e-595a-48aa-b178-262bd2682122
              unique_name: DefaultSharedNetscalerEIPandELBNetworkOffering
             display_text: Offering for Shared networks with Elastic IP and Elastic LB capabilities
                  nw_rate: NULL
                  mc_rate: NULL
             traffic_type: Guest
                     tags: NULL
              system_only: 0
             specify_vlan: 1
      service_offering_id: NULL
            conserve_mode: 1
                  created: 2012-10-10 03:35:49
                  removed: NULL
                  default: 1
             availability: Optional
     dedicated_lb_service: 0
shared_source_nat_service: 0
                 sort_key: 0
 redundant_router_service: 0
                    state: Enabled
               guest_type: Shared
       elastic_ip_service: 1
       elastic_lb_service: 1
        specify_ip_ranges: 1
1 row in set (0.00 sec)

Service Providers Information of the Valid Network Offerings are as given below:

mysql> select * from ntwk_offering_service_map where network_offering_id=6;
+----+---------------------+---------------+-----------------------+---------------------+
| id | network_offering_id | service       | provider              | created             |
+----+---------------------+---------------+-----------------------+---------------------+
|  4 |                   6 | Dhcp          | VirtualRouter         | 2012-10-10 03:35:49 |
|  1 |                   6 | Dns           | VirtualRouter         | 2012-10-10 03:35:49 |
|  3 |                   6 | SecurityGroup | SecurityGroupProvider | 2012-10-10 03:35:49 |
|  2 |                   6 | UserData      | VirtualRouter         | 2012-10-10 03:35:49 |
+----+---------------------+---------------+-----------------------+---------------------+
4 rows in set (0.00 sec)

mysql> select * from ntwk_offering_service_map where network_offering_id=10;
+----+---------------------+---------------+-----------------------+---------------------+
| id | network_offering_id | service       | provider              | created             |
+----+---------------------+---------------+-----------------------+---------------------+
| 26 |                  10 | Dhcp          | VirtualRouter         | 2012-10-10 03:35:49 |
| 21 |                  10 | Dns           | VirtualRouter         | 2012-10-10 03:35:49 |
| 22 |                  10 | Lb            | Netscaler             | 2012-10-10 03:35:49 |
| 25 |                  10 | SecurityGroup | SecurityGroupProvider | 2012-10-10 03:35:49 |
| 23 |                  10 | StaticNat     | Netscaler             | 2012-10-10 03:35:49 |
| 24 |                  10 | UserData      | VirtualRouter         | 2012-10-10 03:35:49 |
+----+---------------------+---------------+-----------------------+---------------------+
6 rows in set (0.00 sec)

The Network Offering that you used, "DefaultSharedNetworkOffering", is a VLAN-based offering
which doesn't use security groups. This network offering is used in Advanced Zone, where a shared
network is used to provide a common service to all the VMs in the zone using a shared VLAN.

mysql> select * from network_offerings where id=7 \G;
*************************** 1. row ***************************
                       id: 7
                     name: DefaultSharedNetworkOffering
                     uuid: 8a761655-1112-4ea9-8220-49fc9b4c6ef4
              unique_name: DefaultSharedNetworkOffering
             display_text: Offering for Shared networks
                  nw_rate: NULL
                  mc_rate: NULL
             traffic_type: Guest
                     tags: NULL
              system_only: 0
             specify_vlan: 1
      service_offering_id: NULL
            conserve_mode: 1
                  created: 2012-10-10 03:35:49
                  removed: NULL
                  default: 1
             availability: Optional
     dedicated_lb_service: 1
shared_source_nat_service: 0
                 sort_key: 0
 redundant_router_service: 0
                    state: Enabled
               guest_type: Shared
       elastic_ip_service: 0
       elastic_lb_service: 0
        specify_ip_ranges: 1
1 row in set (0.00 sec)

mysql> select * from ntwk_offering_service_map where network_offering_id=7;
+----+---------------------+----------+---------------+---------------------+
| id | network_offering_id | service  | provider      | created             |
+----+---------------------+----------+---------------+---------------------+
|  7 |                   7 | Dhcp     | VirtualRouter | 2012-10-10 03:35:49 |
|  5 |                   7 | Dns      | VirtualRouter | 2012-10-10 03:35:49 |
|  6 |                   7 | UserData | VirtualRouter | 2012-10-10 03:35:49 |
+----+---------------------+----------+---------------+---------------------+
3 rows in set (0.00 sec)


                
> Cannot edit default security group rules, default security group blocks all inbound traffic.
> --------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-324
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-324
>             Project: CloudStack
>          Issue Type: Bug
>    Affects Versions: pre-4.0.0
>            Reporter: Max Clark
>            Assignee: Wido den Hollander
>              Labels: iptables, network, security
>             Fix For: 4.1.0
>
>
> When configuring basic networking, by default the network is created with the "DefaultSharedNetworkOffering".
This offering does not have a security group. No inbound traffic is allowed to the created
VMs. Reading the AdminGuide documentation:
> "Each CloudStack account comes with a default security group that denies all inbound
traffic and allows all outbound traffic. The default security group can be modified so that
all new VMs inherit some other desired set of rules."
> If a network is created without a security group, it shouldn't have a security group
and all inbound/outbound traffic should be allowed - or at the very least the default security
group should be able to be configured.
> http://www.cloudstack.com/forum/8-storage-and-networking/7054-vm-instance-cant-be-accessd-using-basic-networking.html?limit=6&start=6#7084

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
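The three per-id queries in the comment above can be collapsed into one check that classifies every shared guest network offering by whether it carries the SecurityGroup service, which is the property that decides whether it is usable in a security-group Basic Zone. This is an added example, not code from the JIRA thread or from the CloudStack project; it assumes only the tables and columns visible in the pasted output (network_offerings with id, name, state, traffic_type, guest_type and removed; ntwk_offering_service_map with id, network_offering_id, service and provider) and is written for MySQL, which is what the comment's prompt shows.

```sql
-- Added example (not from the JIRA thread): for every non-removed shared
-- guest network offering, report whether a SecurityGroup service row
-- exists for it and list all of its service:provider pairs.
-- Assumes the CloudStack schema shown in the comment above.
SELECT
    o.id,
    o.name,
    o.state,
    -- provider of the SecurityGroup service, or NULL when the offering
    -- has no such row and therefore relies on VLANs for guest isolation
    sg.provider AS sg_provider,
    CASE
        WHEN sg.id IS NULL THEN 'VLAN isolated: not valid for a security-group Basic Zone'
        ELSE 'security-group isolated: valid for Basic Zone'
    END AS basic_zone_fit,
    GROUP_CONCAT(CONCAT(m.service, ':', m.provider)
                 ORDER BY m.service SEPARATOR ', ') AS services
FROM network_offerings o
-- one row per offering for the SecurityGroup service only
LEFT JOIN ntwk_offering_service_map sg
       ON sg.network_offering_id = o.id
      AND sg.service = 'SecurityGroup'
-- all service rows, aggregated into the services column
LEFT JOIN ntwk_offering_service_map m
       ON m.network_offering_id = o.id
WHERE o.traffic_type = 'Guest'
  AND o.guest_type   = 'Shared'
  AND o.removed IS NULL
GROUP BY o.id, o.name, o.state, sg.id, sg.provider
-- security-group offerings first, then the VLAN-only ones
ORDER BY (sg.id IS NULL), o.id;
```

Against the rows pasted in the comment, ids 6 and 10 land in the security-group group (sg_provider = SecurityGroupProvider) and id 7, DefaultSharedNetworkOffering, lands in the VLAN-only group with only Dhcp, Dns and UserData services, which is exactly why a network built on id 7 has no security group to edit. One small point on the pasted sessions: `\G;` ends the statement with `\G` and then sends an empty statement, which is what produces the harmless "ERROR: No query specified" lines; `\G` alone avoids it.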
