[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-4622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13849637#comment-13849637
 ] 

Alena Prokharchyk commented on CLOUDSTACK-4622:
-----------------------------------------------

Saksham,

I reproduced the scenario, and the scenario you've tested is not quite valid. 
When you add a nic from another network to the VPC vm, and do ip reservation in 
that network, it shouldn't obey the VPC CIDR limitation. VPC cidr limitation 
affects only networks that are part of this VPC. I've tested CIDR 
modification for VPC network, it doesn't let updates outside of the VPC cidr. 
Here is the error being thrown: "Invalid value of Guest VM CIDR. For IP 
Reservation, Guest VM CIDR  should be a subset of network CIDR :  10.1.1.0/24"

But there is a completely different critical bug in addNetwork functionality - 
it doesn't respect VPC limitation: VM can belong to only one VPC + 0-(n) number 
of Shared networks.

To fix:

* Don't allow attaching Isolated networks to a VM belonging to a VPC.
* Don't allow attaching VPC network(s) to a VM belonging to an Isolated network.

Both UI and Java code should be fixed. UI should only display networks that can 
be potentially attached to the VM. Java code in addNetwork method should obey 
all the limitations, and throw an exception if violated. 

Saksham, please go ahead and create a new patch. You can either attach it to 
this bug, or file a new one for that matter.

> [IP Reservation][If a VM from guest network is added to network tier of VPC 
> then IP reservation allows the CIDR to be a superset of Network CIDR  for 
> that VPC tier
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-4622
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-4622
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Network Controller
>    Affects Versions: 4.2.0
>            Reporter: Abhinav Roy
>            Assignee: Saksham Srivastava
>            Priority: Critical
>             Fix For: 4.3.0
>
>         Attachments: CS-4622.zip
>
>
> Steps :
> ===================
> 1. Deploy a CS 4.2 advanced networking setup
> 2. Create a Guest network , gn1 and deploy a VM, vm1 on that network.
> 3. Create a VPC Tier, tier1 with CIDR as 10.1.2.1/24 and deploy a vm , v1t1 
> on that tier.
> 4. Go to Instances -> vm1 -> nics -> Add Network to VM    and add tier1 
> network to vm1.
> 5. Now, go to tier1 and do IP reservation with CIDR as 10.1.2.1/23
> Expected behaviour :
> =================
> The IP reservation should fail as the CIDR 10.1.2.1/23 is not a subset of the 
> network CIDR which is 10.1.2.1/24
> Observed behaviour :
> ================
> The IP reservation goes through , here is a snippet from management server 
> logs
> 2013-09-06 12:13:27,760 DEBUG [cloud.async.AsyncJobManagerImpl] 
> (catalina-exec-13:null) submit async job-39 = [ 
> 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ], details: AsyncJobVO {id:39, userId: 
> 2, accountId: 2, sessionKey: null, instanceType: None, instanceId: null, cmd: 
> org.apache.cloudstack.api.command.user.network.UpdateNetworkCmd, 
> cmdOriginator: null, cmdInfo: 
> {"id":"674355e5-8c3b-44a2-b47d-d198548ccea7","response":"json","sessionkey":"moOLxaFrqNc50wz6SDh6v413RnA\u003d","cmdEventType":"NETWORK.UPDATE","ctxUserId":"2","name":"TIER-1","guestvmcidr":"10.1.2.0/23","displaytext":"TIER-1","httpmethod":"GET","_":"1378450020843","ctxAccountId":"2","ctxStartEventId":"134"},
>  cmdVersion: 0, callbackType: 0, callbackAddress: null, status: 0, 
> processStatus: 0, resultCode: 0, result: null, initMsid: 280320865129348, 
> completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2013-09-06 12:13:27,761 DEBUG [cloud.api.ApiServlet] (catalina-exec-13:null) 
> ===END===  10.144.7.25 -- GET  
> command=updateNetwork&response=json&sessionkey=moOLxaFrqNc50wz6SDh6v413RnA%3D&id=674355e5-8c3b-44a2-b47d-d198548ccea7&name=TIER-1&displaytext=TIER-1&guestvmcidr=10.1.2.0%2F23&_=1378450020843
> 2013-09-06 12:13:27,763 DEBUG [cloud.async.AsyncJobManagerImpl] 
> (Job-Executor-53:job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]) Executing 
> org.apache.cloudstack.api.command.user.network.UpdateNetworkCmd for job-39 = 
> [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]
> 2013-09-06 12:13:27,771 DEBUG [cloud.async.AsyncJobManagerImpl] 
> (Job-Executor-53:job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]) Sync 
> job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ] execution on object 
> network.205
> 2013-09-06 12:13:27,778 DEBUG [cloud.async.AsyncJobManagerImpl] 
> (Job-Executor-53:job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]) job 
> org.apache.cloudstack.api.command.user.network.UpdateNetworkCmd for job-39 = 
> [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ] was queued, processing the queue.
> 2013-09-06 12:13:27,782 DEBUG [cloud.async.AsyncJobManagerImpl] 
> (Job-Executor-53:job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]) Executing 
> sync queue item: SyncQueueItemVO {id:15, queueId: 1, contentType: AsyncJob, 
> contentId: 39, lastProcessMsid: 280320865129348, lastprocessNumber: 7, 
> lastProcessTime: Fri Sep 06 12:13:27 IST 2013, created: Fri Sep 06 12:13:27 
> IST 2013}
> 2013-09-06 12:13:27,783 DEBUG [cloud.async.AsyncJobManagerImpl] 
> (Job-Executor-53:job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]) Schedule 
> queued job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]
> 2013-09-06 12:13:27,786 DEBUG [cloud.async.SyncQueueManagerImpl] 
> (Job-Executor-53:job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]) There is 
> a pending process in sync queue(id: 1)
> 2013-09-06 12:13:27,788 DEBUG [cloud.async.AsyncJobManagerImpl] 
> (Job-Executor-54:job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]) Executing 
> org.apache.cloudstack.api.command.user.network.UpdateNetworkCmd for job-39 = 
> [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]
> 2013-09-06 12:13:27,809 INFO  [cloud.network.NetworkServiceImpl] 
> (Job-Executor-54:job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]) The start 
> IP of the specified guest vm cidr is: 10.1.2.1 and end IP is: 10.1.3.254
> 2013-09-06 12:13:27,809 INFO  [cloud.network.NetworkServiceImpl] 
> (Job-Executor-54:job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]) The 
> specified guest vm cidr has 510 IPs
> 2013-09-06 12:13:27,811 INFO  [cloud.network.NetworkServiceImpl] 
> (Job-Executor-54:job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]) IP 
> Reservation has been applied. The new CIDR for Guests Vms is 10.1.2.0/23
> 2013-09-06 12:13:27,843 DEBUG [cloud.async.AsyncJobManagerImpl] 
> (Job-Executor-54:job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]) Complete 
> async job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ], jobStatus: 1, 
> resultCode: 0, result: 
> org.apache.cloudstack.api.response.NetworkResponse@3f57d929
> 2013-09-06 12:13:27,851 DEBUG [cloud.async.SyncQueueManagerImpl] 
> (Job-Executor-54:job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]) Sync 
> queue (1) is currently empty
> 2013-09-06 12:13:27,851 DEBUG [cloud.async.AsyncJobManagerImpl] 
> (Job-Executor-54:job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]) Done 
> executing org.apache.cloudstack.api.command.user.network.UpdateNetworkCmd for 
> job-39 = [ 4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e ]
> Here is a snippet from api logs :
> 2013-09-06 12:13:27,761 INFO  [cloud.api.ApiServer] (catalina-exec-13:null) 
> (userId=2 accountId=2 sessionId=DA08FA8E57384D44EDBD0EB02D547164) 10.144.7.25 
> -- GET 
> command=updateNetwork&response=json&sessionkey=moOLxaFrqNc50wz6SDh6v413RnA%3D&id=674355e5-8c3b-44a2-b47d-d198548ccea7&name=TIER-1&displaytext=TIER-1&guestvmcidr=10.1.2.0%2F23&_=1378450020843
>  200 { "updatenetworkresponse" : 
> {"jobid":"4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e"} }
> 2013-09-06 12:13:30,804 INFO  [cloud.api.ApiServer] (catalina-exec-20:null) 
> (userId=2 accountId=2 sessionId=DA08FA8E57384D44EDBD0EB02D547164) 10.144.7.25 
> -- GET 
> command=queryAsyncJobResult&jobId=4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e&response=json&sessionkey=moOLxaFrqNc50wz6SDh6v413RnA%3D&_=1378450023951
>  200 { "queryasyncjobresultresponse" : 
> {"accountid":"0add9fc0-15ef-11e3-9b03-fef34996d384","userid":"0addcf54-15ef-11e3-9b03-fef34996d384","cmd":"org.apache.cloudstack.api.command.user.network.UpdateNetworkCmd","jobstatus":1,"jobprocstatus":0,"jobresultcode":0,"jobresulttype":"object","jobresult":{"network":{"id":"674355e5-8c3b-44a2-b47d-d198548ccea7","name":"TIER-1","displaytext":"TIER-1","broadcastdomaintype":"Vlan","traffictype":"Guest","gateway":"10.1.2.1","netmask":"255.255.255.0","cidr":"10.1.2.0/23","networkcidr":"10.1.2.0/24","zoneid":"b53dc749-1576-495a-91b8-49db37aecf15","zonename":"Zone-1","networkofferingid":"6c52357c-3013-4d9e-a035-910bd5eb59ab","networkofferingname":"DefaultIsolatedNetworkOfferingForVpcNetworks","networkofferingdisplaytext":"Offering
>  for Isolated Vpc networks with Source Nat service 
> enabled","networkofferingconservemode":false,"networkofferingavailability":"Optional","issystem":false,"state":"Implemented","related":"674355e5-8c3b-44a2-b47d-d198548ccea7","broadcasturi":"vlan://726","dns1":"10.103.128.15","type":"Isolated","vlan":"726","acltype":"Account","account":"admin","domainid":"e3b3104c-15ee-11e3-9b03-fef34996d384","domain":"ROOT","service":[{"name":"Vpn","capability":[{"name":"VpnTypes","value":"s2svpn","canchooseservicecapability":false},{"name":"SupportedVpnTypes","value":"pptp,l2tp,ipsec","canchooseservicecapability":false}]},{"name":"PortForwarding"},{"name":"Dns","capability":[{"name":"AllowDnsSuffixModification","value":"true","canchooseservicecapability":false}]},{"name":"Dhcp","capability":[{"name":"DhcpAccrossMultipleSubnets","value":"true","canchooseservicecapability":false}]},{"name":"NetworkACL","capability":[{"name":"SupportedProtocols","value":"tcp,udp,icmp","canchooseservicecapability":false}]},{"name":"StaticNat"},{"name":"UserData"},{"name":"SourceNat","capability":[{"name":"RedundantRouter","value":"false","canchooseservicecapability":false},{"name":"SupportedSourceNatTypes","value":"peraccount","canchooseservicecapability":false}]},{"name":"Lb","capability":[{"name":"SupportedLBIsolation","value":"dedicated","canchooseservicecapability":false},{"name":"SupportedStickinessMethods","value":"[{\"methodname\":\"LbCookie\",\"paramlist\":[{\"paramname\":\"cookie-name\",\"required\":false,\"isflag\":false,\"description\":\"
>  
> \"},{\"paramname\":\"mode\",\"required\":false,\"isflag\":false,\"description\":\"
>  
> \"},{\"paramname\":\"nocache\",\"required\":false,\"isflag\":true,\"description\":\"
>  
> \"},{\"paramname\":\"indirect\",\"required\":false,\"isflag\":true,\"description\":\"
>  
> \"},{\"paramname\":\"postonly\",\"required\":false,\"isflag\":true,\"description\":\"
>  
> \"},{\"paramname\":\"domain\",\"required\":false,\"isflag\":false,\"description\":\"
>  \"}],\"description\":\"This is loadbalancer cookie based stickiness 
> method.\"},{\"methodname\":\"AppCookie\",\"paramlist\":[{\"paramname\":\"cookie-name\",\"required\":false,\"isflag\":false,\"description\":\"
>  
> \"},{\"paramname\":\"length\",\"required\":false,\"isflag\":false,\"description\":\"
>  
> \"},{\"paramname\":\"holdtime\",\"required\":false,\"isflag\":false,\"description\":\"
>  
> \"},{\"paramname\":\"request-learn\",\"required\":false,\"isflag\":true,\"description\":\"
>  
> \"},{\"paramname\":\"prefix\",\"required\":false,\"isflag\":true,\"description\":\"
>  
> \"},{\"paramname\":\"mode\",\"required\":false,\"isflag\":false,\"description\":\"
>  \"}],\"description\":\"This is App session based sticky method. Define 
> session stickiness on an existing application cookie. It can be used only for 
> a specific http 
> traffic\"},{\"methodname\":\"SourceBased\",\"paramlist\":[{\"paramname\":\"tablesize\",\"required\":false,\"isflag\":false,\"description\":\"
>  
> \"},{\"paramname\":\"expire\",\"required\":false,\"isflag\":false,\"description\":\"
>  \"}],\"description\":\"This is source based Stickiness method, it can be 
> used for any type of 
> protocol.\"}]","canchooseservicecapability":false},{"name":"SupportedProtocols","value":"tcp,
>  
> udp","canchooseservicecapability":false},{"name":"LbSchemes","value":"Public","canchooseservicecapability":false},{"name":"SupportedLbAlgorithms","value":"roundrobin,leastconn,source","canchooseservicecapability":false}]}],"networkdomain":"cs2cloud.internal","physicalnetworkid":"a0368cfe-3d15-4d18-afee-906bd5a998c6","restartrequired":false,"specifyipranges":false,"vpcid":"8a647441-3d3f-49ff-95b9-e4f20a57bdbc","canusefordeploy":true,"ispersistent":false,"tags":[],"displaynetwork":true}},"created":"2013-09-06T12:13:27+0530","jobid":"4562cb4d-54d5-4b7e-90bd-e3d2c679ab5e"}
>  }
> NOTE :
> =============================
> This problem is seen only in this particular scenario. I executed some other 
> tests around this and the issue was not seen,
> i)  Add the VM to another guest network and do IP reservation on that network 
> with CIDR as a subset of network CIDR .
> ii) Add a VM from VPC tier to a guest network and do IP reservation on that 
> network with CIDR as a subset of network CIDR.
> iii) Add a VM from VPC tier to another VPC tier and do IP reservation on that 
> tier with CIDR as a subset of network CIDR.
> Attaching management server logs and api logs



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
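
The attach rule and the guest VM CIDR subset check described in the comment above, as an added Java example that is not part of the original message and is not CloudStack's own code. `NicAttachGuard`, `Net`, `checkAttach` and `isSubset` are hypothetical names, and the sample networks (including gn1's CIDR and the VPC id) are constructed.

```java
import java.util.List;
import java.util.Objects;

// Added illustration (Java 16+); these types are hypothetical, not CloudStack classes.
public class NicAttachGuard {
    enum GuestType { ISOLATED, SHARED }

    // vpcId is null unless the network is a VPC tier.
    record Net(String name, GuestType type, String vpcId, String cidr) {}

    // Enforces "one VPC + 0..n Shared networks" before a nic is added.
    // Assumption: several non-VPC Isolated networks on one VM remain allowed.
    static void checkAttach(List<Net> attached, Net candidate) {
        if (candidate.type() == GuestType.SHARED) return;
        for (Net n : attached) {
            if (n.type() == GuestType.SHARED) continue;
            if (!Objects.equals(n.vpcId(), candidate.vpcId()))
                throw new IllegalArgumentException("Cannot attach " + candidate.name()
                        + " to a VM that already has a nic in " + n.name());
        }
    }

    // Returns {first, last} address of an IPv4 CIDR as unsigned 32-bit values.
    static long[] range(String cidr) {
        String[] parts = cidr.split("/");
        long ip = 0;
        for (String octet : parts[0].split("\\.")) ip = (ip << 8) | Integer.parseInt(octet);
        long mask = (0xFFFFFFFFL << (32 - Integer.parseInt(parts[1]))) & 0xFFFFFFFFL;
        return new long[] { ip & mask, (ip & mask) | (~mask & 0xFFFFFFFFL) };
    }

    // True when every address of guestVmCidr lies inside networkCidr.
    static boolean isSubset(String guestVmCidr, String networkCidr) {
        long[] g = range(guestVmCidr), n = range(networkCidr);
        return g[0] >= n[0] && g[1] <= n[1];
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the report: vm1 sits on gn1, tier1 is a VPC tier.
        Net gn1 = new Net("gn1", GuestType.ISOLATED, null, "10.1.1.0/24");
        Net tier1 = new Net("tier1", GuestType.ISOLATED, "vpc-1", "10.1.2.1/24");
        try {
            checkAttach(List.of(gn1), tier1);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(isSubset("10.1.2.1/23", tier1.cidr()));   // reservation from step 5
        System.out.println(isSubset("10.1.2.128/25", tier1.cidr())); // constructed valid case
    }
}
```

Running the check on the server side, in addition to filtering the list shown in the UI, keeps the limit in force for callers that use the API directly.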