GabrielBrascher opened a new issue #5047:
URL: https://github.com/apache/cloudstack/issues/5047
##### ISSUE TYPE
* Bug Report
##### COMPONENT NAME
~~~
Security Group
~~~
##### CLOUDSTACK VERSION
~~~
4.15.0.0
~~~
##### CONFIGURATION
Zone deployed with Advanced Network and Security Group enabled.
##### OS / ENVIRONMENT
N/A
##### SUMMARY
We have been seeing the default security group rules being applied to VMs
that are using a network **with no SG**. It is expected that when a network has
Security Grouping turned off, it wouldn't execute this script at all.
For instance, if the network offering is the DefaultSharedNetworkOffering,
which does not list Security Grouping as a supported service, and VMs are
rebooted, CloudStack sends the command for KVM nodes to apply SG rules, which can
cause an outage for all the VMs on the respective network on that hypervisor.
###### LOG EXAMPLE
Checking the logs in the **MGMT**, there are logs of SG Ruleset being
scheduled and later sent to the KVM node; however, there are also validations
detecting that SG is not supported for the network.
```
DEBUG [c.c.n.s.SecurityGroupManagerImpl] Security Group Mgr v2: scheduling
ruleset updates for 1
...
DEBUG [c.c.n.NetworkModelImpl] Service SecurityGroup is not supported in the
network id=XYZ.
...
DEBUG [c.c.n.s.SecurityGroupManagerImpl] SecurityGroupManager v2: sending
ruleset update for vm i-123-4567-VM:ingress ....
```
At the **KVM**, matching the commands sent from **MGMT**, there are some logs:
```
DEBUG [kvm.resource.LibvirtComputingResource] Checking default network rules
for vm i-123-4567-VM
```
##### STEPS TO REPRODUCE
~~~
1. Deploy VM on a network with DefaultSharedNetworkOffering, at a zone that
has Security Group enabled.
2. Restart VM
~~~
##### EXPECTED RESULTS
~~~
VM is running and **NO** security group rules have been applied
~~~
##### ACTUAL RESULTS
~~~
VM is running but security group rules have been wrongly applied
~~~
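The sequence in the LOG EXAMPLE section can be searched for in a management-server log to list VMs that may have received rules they should not have. This is an added example, not code from the issue or from the CloudStack project: the regexes use only the message fragments quoted above, the sample lines are constructed, and the proximity window and the one-warning-to-one-update pairing are assumptions, so each hit is a candidate to confirm against the network offering.

```python
import re
from collections import deque

# Message fragments taken from the log excerpts quoted in the issue.
NOT_SUPPORTED = re.compile(
    r"Service SecurityGroup is not supported in the network id=(\w+)")
SENDING = re.compile(r"sending ruleset update for vm ([\w-]+)")

WINDOW = 20  # assumption: max lines between the warning and the update


def suspicious_updates(lines, window=WINDOW):
    """Return [(vm, network_id, line_no)] for ruleset updates that were sent
    shortly after the server logged that the network has no SG service."""
    recent = deque()  # (line_no, network_id) of unmatched warnings
    hits = []
    for no, line in enumerate(lines, 1):
        # Forget warnings that are too far back to belong to this update.
        while recent and no - recent[0][0] > window:
            recent.popleft()
        m = NOT_SUPPORTED.search(line)
        if m:
            recent.append((no, m.group(1)))
            continue
        m = SENDING.search(line)
        if m and recent:
            # Assumption: one warning pairs with at most one update.
            _, net = recent.pop()
            hits.append((m.group(1), net, no))
    return hits


# Constructed sample (not real logs); VM names and network id are placeholders.
SAMPLE = [
    "DEBUG [c.c.n.s.SecurityGroupManagerImpl] Security Group Mgr v2: "
    "scheduling ruleset updates for 2",
    "DEBUG [c.c.n.NetworkModelImpl] Service SecurityGroup is not supported "
    "in the network id=201.",
    "DEBUG [c.c.n.s.SecurityGroupManagerImpl] SecurityGroupManager v2: "
    "sending ruleset update for vm i-2-10-VM:ingress ...",
    "DEBUG [c.c.n.s.SecurityGroupManagerImpl] SecurityGroupManager v2: "
    "sending ruleset update for vm i-2-11-VM:ingress ...",
]

if __name__ == "__main__":
    for vm, net, no in suspicious_updates(SAMPLE):
        print(f"line {no}: ruleset sent to {vm}; network {net} has no SG service")
```
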