[ https://issues.apache.org/jira/browse/CLOUDSTACK-5144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13858686#comment-13858686 ]

Wei Zhou commented on CLOUDSTACK-5144:
--------------------------------------

I notice the following error. The IP address and MAC address are null in 
SecurityGroupRulesCmd. This may be the root cause.

2013-12-24 00:13:50,340 DEBUG [cloud.agent.Agent] (agentRequest-Handler-3:null) Request:Seq 1-539754840:  { Cmd , MgmtId: 73187150500751, via: 1, Ver: v1, Flags: 100111, [{"com.cloud.agent.api.SecurityGroupRulesCmd":{"vmName":"i-48-27-TestVM","signature":"d41d8cd98f00b204e9800998ecf8427e","seqNum":1,"vmId":27,"msId":73187150500751,"ingressRuleSet":[],"egressRuleSet":[],"wait":0}}] }
2013-12-24 00:13:50,340 DEBUG [cloud.agent.Agent] (agentRequest-Handler-3:null) Processing command: com.cloud.agent.api.SecurityGroupRulesCmd
2013-12-24 00:13:50,355 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) Executing: /usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules --vmname i-48-27-TestVM --vmid 27 --vmip null --sig d41d8cd98f00b204e9800998ecf8427e --seq 1 --vmmac null --vif vnet7 --brname cloudbr0 --nicsecips 0: 
2013-12-24 00:13:50,356 WARN  [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) Exception: /usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules --vmname i-48-27-TestVM --vmid 27 --vmip null --sig d41d8cd98f00b204e9800998ecf8427e --seq 1 --vmmac null --vif vnet7 --brname cloudbr0 --nicsecips 0: 
java.lang.NullPointerException
        at java.lang.ProcessBuilder.start(ProcessBuilder.java:457)
        at com.cloud.utils.script.Script.execute(Script.java:177)
        at com.cloud.utils.script.Script.execute(Script.java:155)
        at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.add_network_rules(LibvirtComputingResource.java:5161)
        at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.execute(LibvirtComputingResource.java:2702)
        at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.executeRequest(LibvirtComputingResource.java:1276)
        at com.cloud.agent.Agent.processRequest(Agent.java:498)
        at com.cloud.agent.Agent$AgentRequestHandler.doTask(Agent.java:806)
        at com.cloud.utils.nio.Task.run(Task.java:83)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:679)
2013-12-24 00:13:50,356 WARN  [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) Failed to program network rules for vm i-48-27-TestVM
2013-12-24 00:13:50,357 DEBUG [cloud.agent.Agent] (agentRequest-Handler-3:null) Seq 1-539754840:  { Ans: , MgmtId: 73187150500751, via: 1, Ver: v1, Flags: 110, [{"com.cloud.agent.api.SecurityGroupRuleAnswer":{"logSequenceNumber":1,"vmId":27,"reason":"PROGRAMMING_FAILED","result":false,"details":"programming network rules failed","wait":0}}] }

> [Automation]: Basic Zone Security Groups - SSH to VM is allowed even when 
> there is no ingress rule defined for the security group
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5144
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5144
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Network Controller
>    Affects Versions: 4.3.0
>            Reporter: Gaurav Aradhye
>            Assignee: Wei Zhou
>            Priority: Critical
>              Labels: automation
>             Fix For: 4.3.0
>
>         Attachments: MS-Log.txt, agent.log, ipset-L output.txt, 
> iptables-rules.txt
>
>
> In Basic Zone Setup:
> 1. Create an account
> 2. Deploy a VM in that account
> 3. Verify that no ingress rule is defined for the security group 
> belonging to the account
> 4. Try SSH to VM using the NIC IP address from an external client
> SSH to the VM is successful, whereas it should fail when the ingress rule is 
> not defined.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
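
A log check built on the comment above, added here as an example (not CloudStack code and not part of the original message): it scans a KVM agent log for security_group.py add_network_rules calls that were passed "null" for --vmip or --vmmac and for failed SecurityGroupRuleAnswer replies, and lists the VMs whose security-group rules may not have been programmed. The function names and the healthy i-48-28-OtherVM record are constructed, and the record layout is assumed to match the excerpt.

```python
import json
import re

# Constructed sample: records condensed from the agent.log excerpt above (the
# first left hard-wrapped, as in the e-mail) plus an invented healthy VM.
SAMPLE_LOG = """\
2013-12-24 00:13:50,355 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) Executing: /usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules
 --vmname i-48-27-TestVM --vmid 27 --vmip null --sig d41d8cd98f00b204e9800998ecf8427e --seq 1 --vmmac null --vif vnet7 --brname cloudbr0 --nicsecips 0:
2013-12-24 00:13:50,356 WARN  [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) Failed to program network rules for vm i-48-27-TestVM
2013-12-24 00:13:50,357 DEBUG [cloud.agent.Agent] (agentRequest-Handler-3:null) Seq 1-539754840:  { Ans: , MgmtId: 73187150500751, via: 1, Ver: v1, Flags: 110, [{"com.cloud.agent.api.SecurityGroupRuleAnswer":{"logSequenceNumber":1,"vmId":27,"reason":"PROGRAMMING_FAILED","result":false,"details":"programming network rules failed","wait":0}}] }
2013-12-24 00:14:02,101 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-4:null) Executing: /usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules --vmname i-48-28-OtherVM --vmid 28 --vmip 10.1.1.28 --sig 0123 --seq 1 --vmmac 06:aa:bb:00:00:1c --vif vnet8 --brname cloudbr0 --nicsecips 0:
"""

RECORD_START = re.compile(r"\n(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} )")
EXEC = re.compile(r"Executing: \S*security_group\.py add_network_rules (.*)")
ARG = re.compile(r"--(\w+) (\S+)")
FAILED = re.compile(r"Failed to program network rules for vm (\S+)")
ANSWER = "com.cloud.agent.api.SecurityGroupRuleAnswer"


def records(text):
    """Rejoin hard-wrapped records; a new record starts at a timestamp."""
    return [r.replace("\n", "") for r in RECORD_START.split(text)]


def unprogrammed_vms(text):
    """Map VM name -> sorted reasons its security-group rules may not be applied."""
    hits, names = {}, {}
    for rec in records(text):
        if m := EXEC.search(rec):
            args = dict(ARG.findall(m.group(1)))
            names[args.get("vmid")] = vm = args.get("vmname", "?")
            nulls = [k for k in ("vmip", "vmmac") if args.get(k) == "null"]
            if nulls:
                hits.setdefault(vm, set()).add("null " + "/".join(nulls))
        if m := FAILED.search(rec):
            hits.setdefault(m.group(1), set()).add("programming failed")
        if ANSWER in rec and (m := re.search(r"\[\{.*\}\]", rec)):
            for cmd in json.loads(m.group(0)):
                ans = cmd.get(ANSWER, {})
                if ans.get("result") is False:
                    vm = names.get(str(ans.get("vmId")), f"vmId={ans.get('vmId')}")
                    hits.setdefault(vm, set()).add(ans.get("reason", "unknown"))
    return {vm: sorted(reasons) for vm, reasons in hits.items()}


if __name__ == "__main__":
    print(unprogrammed_vms(SAMPLE_LOG))
```

Any VM this reports should be checked against the host's iptables and ipset state, since the issue above shows such a VM staying reachable over SSH with no ingress rule defined.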
