[GitHub] wido opened a new issue #3057: Security Grouping is broken with VXLAN on KVM

Mon, 26 Nov 2018 10:24:02 -0800 

wido opened a new issue #3057: Security Grouping is broken with VXLAN on KVM
URL: https://github.com/apache/cloudstack/issues/3057
 
 
   ##### ISSUE TYPE
    * Bug Report
   
   ##### COMPONENT NAME
   ~~~
   KVM
   Security Group
   ~~~
   
   ##### CLOUDSTACK VERSION
   ~~~
   master / 4.12
   ~~~
   
   ##### CONFIGURATION
   Advanced Networking with Shared VXLAN networking
   
   
   ##### OS / ENVIRONMENT
   - Ubuntu 18.04
   - KVM
   
   
   ##### SUMMARY
   When deploying a VM with Security Grouping enabled the rules are not 
properly set on the hypervisor.
   
   
   ##### STEPS TO REPRODUCE
   ~~~
   root@n01:~# 
/usr/share/cloudstack-common/scripts/vm/network/security_group.py 
default_network_rules --vmname i-2-1506-VM --vmid 1506 --vmip 10.0.2.15 --vmip6 
2a00:f10:114:1001:1c00:f5ff:fe00:9c3 --vmmac 1e:00:f5:00:09:c3 --vif vnet64 
--brname brvx-1001 --nicsecips 0;
   iptables: No chain/target/match by that name.
   iptables: No chain/target/match by that name.
   iptables: No chain/target/match by that name.
   ip6tables: No chain/target/match by that name.
   ip6tables: No chain/target/match by that name.
   ip6tables: No chain/target/match by that name.
   iptables: No chain/target/match by that name.
   iptables: No chain/target/match by that name.
   ip6tables: No chain/target/match by that name.
   root@n01:~#
   ~~~
   
   This causes the proper chains not to be created.
   
   Checking security_group.log I see:
   
   ~~~
   root@n01:~# cat /var/log/cloudstack/agent/security_group.log
   2018-11-26 19:19:54,816 - Executing command: default_network_rules
   2018-11-26 19:19:54,816 - sysctl -w net.bridge.bridge-nf-call-arptables=1
   2018-11-26 19:19:54,824 - sysctl -w net.bridge.bridge-nf-call-iptables=1
   2018-11-26 19:19:54,831 - sysctl -w net.bridge.bridge-nf-call-ip6tables=1
   2018-11-26 19:19:54,838 - iptables-save |grep physdev-is-bridged |grep 
FORWARD |grep BF |grep '\-o' | grep -w brvx-1001|awk '{print $9}' | head -1
   2018-11-26 19:19:54,850 - iptables -L BF-brvx-1001
   2018-11-26 19:19:54,858 - iptables -L BF-brvx-1001-OUT
   2018-11-26 19:19:54,865 - iptables -L BF-brvx-1001-IN
   2018-11-26 19:19:54,874 - ip6tables -L BF-brvx-1001
   2018-11-26 19:19:54,882 - ip6tables -L BF-brvx-1001-OUT
   2018-11-26 19:19:54,890 - ip6tables -L BF-brvx-1001-IN
   2018-11-26 19:19:54,898 - iptables -n -L BF-brvx-1001 | awk 
'/BF-brvx-1001(.*)references/ {gsub(/\(/, "") ;print $3}'
   2018-11-26 19:19:54,910 - iptables -F BF-brvx-1001
   2018-11-26 19:19:54,920 - ip6tables -F BF-brvx-1001
   root@n01:~#
   ~~~
   
   The chains are not created and thus rules can't be applied later.
   
   This seems like a bug in security_group.py which needs investigating.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

Reply via email to