[
https://issues.apache.org/jira/browse/CLOUDSTACK-6214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13930727#comment-13930727
]
angeline shen commented on CLOUDSTACK-6214:
-------------------------------------------
> Per Alena:
> To validate my fix, you need to check that on first VM start in the freshly
> created VPC tier (network), the networkACL commands are being sent to the
> backend. For that, in the management server log look out for
> SetNetworkACLCommand being sent:
var/log/cloudstack/management/management-server.log:
2014-03-10 17:39:12,530 DEBUG [c.c.a.ApiServlet] (catalina-exec-9:ctx-d949905f)
===START=== 10.215.3.21 -- GET
command=createNetworkACL&response=json&sessionkey=uE1SWphvLSWzU60saH8uENKNstw%3D&number=1&cidrlist=0.0.0.0%2F0&action=Allow&protocol=all&traffictype=Ingress&aclid=ac32ebbd-c36e-4e2a-96cc-fa88be13e75b&_=1394498147132
2014-03-10 17:39:12,577 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(catalina-exec-9:ctx-d949905f ctx-501ff31f) submit async job-36, details:
AsyncJobVO {id:36, userId: 2, accountId: 2, instanceType: None, instanceId: 7,
cmd: org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd,
cmdInfo:
{"sessionkey":"uE1SWphvLSWzU60saH8uENKNstw\u003d","protocol":"all","cmdEventType":"NETWORK.ACL.ITEM.CREATE","ctxUserId":"2","traffictype":"Ingress","httpmethod":"GET","number":"1","response":"json","id":"7","aclid":"ac32ebbd-c36e-4e2a-96cc-fa88be13e75b","action":"Allow","cidrlist":"0.0.0.0/0","_":"1394498147132","ctxAccountId":"2","ctxStartEventId":"94"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result:
null, initMsid: 7692017993539, completeMsid: null, lastUpdated: null,
lastPolled: null, created: null}
2014-03-10 17:39:12,579 DEBUG [c.c.a.ApiServlet] (catalina-exec-9:ctx-d949905f
ctx-501ff31f) ===END=== 10.215.3.21 -- GET
command=createNetworkACL&response=json&sessionkey=uE1SWphvLSWzU60saH8uENKNstw%3D&number=1&cidrlist=0.0.0.0%2F0&action=Allow&protocol=all&traffictype=Ingress&aclid=ac32ebbd-c36e-4e2a-96cc-fa88be13e75b&_=1394498147132
2014-03-10 17:39:12,582 INFO [o.a.c.f.j.i.AsyncJobMonitor]
(Job-Executor-37:Job-36) Add job-36 into job monitoring
2014-03-10 17:39:12,582 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(Job-Executor-37:Job-36) Executing AsyncJobVO {id:36, userId: 2, accountId: 2,
instanceType: None, instanceId: 7, cmd:
org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd, cmdInfo:
{"sessionkey":"uE1SWphvLSWzU60saH8uENKNstw\u003d","protocol":"all","cmdEventType":"NETWORK.ACL.ITEM.CREATE","ctxUserId":"2","traffictype":"Ingress","httpmethod":"GET","number":"1","response":"json","id":"7","aclid":"ac32ebbd-c36e-4e2a-96cc-fa88be13e75b","action":"Allow","cidrlist":"0.0.0.0/0","_":"1394498147132","ctxAccountId":"2","ctxStartEventId":"94"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result:
null, initMsid: 7692017993539, completeMsid: null, lastUpdated: null,
lastPolled: null, created: null}
2014-03-10 17:39:12,598 DEBUG [c.c.n.v.NetworkACLManagerImpl]
(Job-Executor-37:Job-36 ctx-d42f1928) Applying NetworkACL for network: 205 with
Network ACL service provider
2014-03-10 17:39:12,607 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl]
(Job-Executor-37:Job-36 ctx-d42f1928) Applying network acls in network
Ntwk[205|Guest|15]
2014-03-10 17:39:12,625 DEBUG [c.c.n.NetworkModelImpl] (Job-Executor-37:Job-36
ctx-d42f1928) Service SecurityGroup is not supported in the network id=205
2014-03-10 17:39:12,637 DEBUG [c.c.a.t.Request] (Job-Executor-37:Job-36
ctx-d42f1928) Seq 1-1281884501: Sending { Cmd , MgmtId: 7692017993539, via:
1(Rack2Host18.lab.vmops.com), Ver: v1, Flags: 100001,
[{"com.cloud.agent.api.routing.SetNetworkACLCommand":{"rules":[{"id":0,"vlanTag":"2497","protocol":"all","revoked":false,"alreadyAdded":false,"cidrList":["0.0.0.0/0"],"trafficType":"Ingress","action":"ACCEPT","number":1}],"nic":{"deviceId":2,"networkRateMbps":200,"defaultNic":false,"uuid":"3fce33ca-1191-478f-975b-5ab9c3bc0b37","ip":"10.1.1.1","netmask":"255.255.255.0","gateway":"10.1.1.1","mac":"02:00:33:51:00:02","broadcastType":"Vlan","type":"Guest","broadcastUri":"vlan://2497","isolationUri":"vlan://2497","isSecurityGroupEnabled":false},"accessDetails":{"router.guest.ip":"10.1.1.1","guest.vlan.tag":"2497","zone.network.type":"Advanced","router.ip":"169.254.2.234","router.name":"r-4-VM"},"wait":0}}]
}
2014-03-10 17:39:12,638 DEBUG [c.c.a.t.Request] (Job-Executor-37:Job-36
ctx-d42f1928) Seq 1-1281884501: Executing: { Cmd , MgmtId: 7692017993539, via:
1(Rack2Host18.lab.vmops.com), Ver: v1, Flags: 100001,
[{"com.cloud.agent.api.routing.SetNetworkACLCommand":{"rules":[{"id":0,"vlanTag":"2497","protocol":"all","revoked":false,"alreadyAdded":false,"cidrList":["0.0.0.0/0"],"trafficType":"Ingress","action":"ACCEPT","number":1}],"nic":{"deviceId":2,"networkRateMbps":200,"defaultNic":false,"uuid":"3fce33ca-1191-478f-975b-5ab9c3bc0b37","ip":"10.1.1.1","netmask":"255.255.255.0","gateway":"10.1.1.1","mac":"02:00:33:51:00:02","broadcastType":"Vlan","type":"Guest","broadcastUri":"vlan://2497","isolationUri":"vlan://2497","isSecurityGroupEnabled":false},"accessDetails":{"router.guest.ip":"10.1.1.1","guest.vlan.tag":"2497","zone.network.type":"Advanced","router.ip":"169.254.2.234","router.name":"r-4-VM"},"wait":0}}]
}
2014-03-10 17:39:12,646 DEBUG [c.c.a.m.DirectAgentAttache]
(DirectAgent-208:ctx-9ff5e224) Seq 1-1281884501: Executing request
2014-03-10 17:39:13,214 DEBUG [c.c.a.m.DirectAgentAttache]
(DirectAgent-208:ctx-9ff5e224) Seq 1-1281884501: Response Received:
2014-03-10 17:39:13,215 DEBUG [c.c.a.t.Request] (DirectAgent-208:ctx-9ff5e224)
Seq 1-1281884501: Processing: { Ans: , MgmtId: 7692017993539, via: 1, Ver: v1,
Flags: 0,
[{"com.cloud.agent.api.routing.SetNetworkACLAnswer":{"results":[null],"result":true,"wait":0}}]
}
2014-03-10 17:39:13,215 DEBUG [c.c.a.t.Request] (Job-Executor-37:Job-36
ctx-d42f1928) Seq 1-1281884501: Received: { Ans: , MgmtId: 7692017993539, via:
1, Ver: v1, Flags: 0, { SetNetworkACLAnswer } }
2014-03-10 17:39:13,228 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(Job-Executor-37:Job-36 ctx-d42f1928) Complete async job-36, jobStatus:
SUCCEEDED, resultCode: 0, result:
org.apache.cloudstack.api.response.NetworkACLItemResponse/networkacl/{"id":"dd5945e3-3f66-48a3-9d71-31a4a2723dcb","protocol":"all","traffictype":"Ingress","state":"Active","cidrlist":"0.0.0.0/0","tags":[],"aclid":"ac32ebbd-c36e-4e2a-96cc-fa88be13e75b","number":1,"action":"Allow"}
2014-03-10 17:39:13,236 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(Job-Executor-37:Job-36) Done executing
org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd for job-36
2014-03-10 17:39:13,242 INFO [o.a.c.f.j.i.AsyncJobMonitor]
(Job-Executor-37:Job-36) Remove job-36 from job monitoring
2014-03-10 17:39:36,831 DEBUG [c.c.a.ApiServlet] (catalina-exec-7:ctx-8b04bed3)
===START=== 10.215.3.21 -- GET
command=createNetworkACL&response=json&sessionkey=uE1SWphvLSWzU60saH8uENKNstw%3D&number=2&cidrlist=0.0.0.0%2F0&action=Allow&protocol=all&traffictype=Egress&aclid=ac32ebbd-c36e-4e2a-96cc-fa88be13e75b&_=1394498171433
2014-03-10 17:39:36,880 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(catalina-exec-7:ctx-8b04bed3 ctx-b296339b) submit async job-37, details:
AsyncJobVO {id:37, userId: 2, accountId: 2, instanceType: None, instanceId: 8,
cmd: org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd,
cmdInfo:
{"sessionkey":"uE1SWphvLSWzU60saH8uENKNstw\u003d","protocol":"all","cmdEventType":"NETWORK.ACL.ITEM.CREATE","ctxUserId":"2","traffictype":"Egress","httpmethod":"GET","number":"2","response":"json","id":"8","aclid":"ac32ebbd-c36e-4e2a-96cc-fa88be13e75b","action":"Allow","cidrlist":"0.0.0.0/0","_":"1394498171433","ctxAccountId":"2","ctxStartEventId":"96"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result:
null, initMsid: 7692017993539, completeMsid: null, lastUpdated: null,
lastPolled: null, created: null}
2014-03-10 17:39:36,882 DEBUG [c.c.a.ApiServlet] (catalina-exec-7:ctx-8b04bed3
ctx-b296339b) ===END=== 10.215.3.21 -- GET
command=createNetworkACL&response=json&sessionkey=uE1SWphvLSWzU60saH8uENKNstw%3D&number=2&cidrlist=0.0.0.0%2F0&action=Allow&protocol=all&traffictype=Egress&aclid=ac32ebbd-c36e-4e2a-96cc-fa88be13e75b&_=1394498171433
2014-03-10 17:39:36,885 INFO [o.a.c.f.j.i.AsyncJobMonitor]
(Job-Executor-38:Job-37) Add job-37 into job monitoring
2014-03-10 17:39:36,885 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(Job-Executor-38:Job-37) Executing AsyncJobVO {id:37, userId: 2, accountId: 2,
instanceType: None, instanceId: 8, cmd:
org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd, cmdInfo:
{"sessionkey":"uE1SWphvLSWzU60saH8uENKNstw\u003d","protocol":"all","cmdEventType":"NETWORK.ACL.ITEM.CREATE","ctxUserId":"2","traffictype":"Egress","httpmethod":"GET","number":"2","response":"json","id":"8","aclid":"ac32ebbd-c36e-4e2a-96cc-fa88be13e75b","action":"Allow","cidrlist":"0.0.0.0/0","_":"1394498171433","ctxAccountId":"2","ctxStartEventId":"96"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result:
null, initMsid: 7692017993539, completeMsid: null, lastUpdated: null,
lastPolled: null, created: null}
2014-03-10 17:39:36,901 DEBUG [c.c.n.v.NetworkACLManagerImpl]
(Job-Executor-38:Job-37 ctx-f3340de4) Applying NetworkACL for network: 205 with
Network ACL service provider
2014-03-10 17:39:36,910 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl]
(Job-Executor-38:Job-37 ctx-f3340de4) Applying network acls in network
Ntwk[205|Guest|15]
2014-03-10 17:39:36,929 DEBUG [c.c.n.NetworkModelImpl] (Job-Executor-38:Job-37
ctx-f3340de4) Service SecurityGroup is not supported in the network id=205
2014-03-10 17:39:36,942 DEBUG [c.c.a.t.Request] (Job-Executor-38:Job-37
ctx-f3340de4) Seq 1-1281884503: Sending { Cmd , MgmtId: 7692017993539, via:
1(Rack2Host18.lab.vmops.com), Ver: v1, Flags: 100001,
[{"com.cloud.agent.api.routing.SetNetworkACLCommand":{"rules":[{"id":0,"vlanTag":"2497","protocol":"all","revoked":false,"alreadyAdded":true,"cidrList":["0.0.0.0/0"],"trafficType":"Ingress","action":"ACCEPT","number":1},{"id":0,"vlanTag":"2497","protocol":"all","revoked":false,"alreadyAdded":false,"cidrList":["0.0.0.0/0"],"trafficType":"Egress","action":"ACCEPT","number":2}],"nic":{"deviceId":2,"networkRateMbps":200,"defaultNic":false,"uuid":"3fce33ca-1191-478f-975b-5ab9c3bc0b37","ip":"10.1.1.1","netmask":"255.255.255.0","gateway":"10.1.1.1","mac":"02:00:33:51:00:02","broadcastType":"Vlan","type":"Guest","broadcastUri":"vlan://2497","isolationUri":"vlan://2497","isSecurityGroupEnabled":false},"accessDetails":{"router.guest.ip":"10.1.1.1","guest.vlan.tag":"2497","zone.network.type":"Advanced","router.ip":"169.254.2.234","router.name":"r-4-VM"},"wait":0}}]
}
2014-03-10 17:39:36,943 DEBUG [c.c.a.t.Request] (Job-Executor-38:Job-37
ctx-f3340de4) Seq 1-1281884503: Executing: { Cmd , MgmtId: 7692017993539, via:
1(Rack2Host18.lab.vmops.com), Ver: v1, Flags: 100001,
[{"com.cloud.agent.api.routing.SetNetworkACLCommand":{"rules":[{"id":0,"vlanTag":"2497","protocol":"all","revoked":false,"alreadyAdded":true,"cidrList":["0.0.0.0/0"],"trafficType":"Ingress","action":"ACCEPT","number":1},{"id":0,"vlanTag":"2497","protocol":"all","revoked":false,"alreadyAdded":false,"cidrList":["0.0.0.0/0"],"trafficType":"Egress","action":"ACCEPT","number":2}],"nic":{"deviceId":2,"networkRateMbps":200,"defaultNic":false,"uuid":"3fce33ca-1191-478f-975b-5ab9c3bc0b37","ip":"10.1.1.1","netmask":"255.255.255.0","gateway":"10.1.1.1","mac":"02:00:33:51:00:02","broadcastType":"Vlan","type":"Guest","broadcastUri":"vlan://2497","isolationUri":"vlan://2497","isSecurityGroupEnabled":false},"accessDetails":{"router.guest.ip":"10.1.1.1","guest.vlan.tag":"2497","zone.network.type":"Advanced","router.ip":"169.254.2.234","router.name":"r-4-VM"},"wait":0}}]
}
2014-03-10 17:39:36,951 DEBUG [c.c.a.m.DirectAgentAttache]
(DirectAgent-209:ctx-0a25a0a2) Seq 1-1281884503: Executing request
2014-03-10 17:39:37,562 DEBUG [c.c.a.m.DirectAgentAttache]
(DirectAgent-209:ctx-0a25a0a2) Seq 1-1281884503: Response Received:
2014-03-10 17:39:37,562 DEBUG [c.c.a.t.Request] (DirectAgent-209:ctx-0a25a0a2)
Seq 1-1281884503: Processing: { Ans: , MgmtId: 7692017993539, via: 1, Ver: v1,
Flags: 0,
[{"com.cloud.agent.api.routing.SetNetworkACLAnswer":{"results":[null,null],"result":true,"wait":0}}] }
2014-03-10 17:39:37,562 DEBUG [c.c.a.t.Request] (Job-Executor-38:Job-37
ctx-f3340de4) Seq 1-1281884503: Received: { Ans: , MgmtId: 7692017993539, via:
1, Ver: v1, Flags: 0, { SetNetworkACLAnswer } }
2014-03-10 17:39:37,576 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(Job-Executor-38:Job-37 ctx-f3340de4) Complete async job-37, jobStatus:
SUCCEEDED, resultCode: 0, result:
org.apache.cloudstack.api.response.NetworkACLItemResponse/networkacl/{"id":"f98fcdd1-b79c-4442-a251-58bba4f193a4","protocol":"all","traffictype":"Egress","state":"Active","cidrlist":"0.0.0.0/0","tags":[],"aclid":"ac32ebbd-c36e-4e2a-96cc-fa88be13e75b","number":2,"action":"Allow"}
2014-03-10 17:39:37,586 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(Job-Executor-38:Job-37) Done executing
org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd for job-37
> VPC: when guest network is in Setup state, on its initial nicPlug to the VR,
> corresponding network rules are not getting applied
> --------------------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-6214
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6214
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Network Controller
> Affects Versions: 4.3.0
> Reporter: Alena Prokharchyk
> Assignee: Alena Prokharchyk
> Priority: Critical
> Fix For: 4.3.0
>
>
> Steps to reproduce:
> ==========================
> 1) Create VPC
> 2) Add networkACLList and a rule to it
> 3) In VPC, create a network from NetworkOffering with specifyVlan=true.
> Network is created in Setup state.
> 4) Start user vm in the network.
> Bug: network ACLs are not applied although the guest nic is plugged to the VR.
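The log check described in the comment above can be scripted. This is an added example, not part of the original message or of CloudStack: it finds each SetNetworkACLCommand sent to the router, lists the rules it carried, and pairs it by Seq with a SetNetworkACLAnswer whose result is true. The sample log is constructed, and the function name `acl_commands` is an assumption of this example.

```python
import json
import re

# Constructed sample in the management-server.log format quoted above
# (shortened values, wrapped as in the e-mail). Seq 1-101 gets no answer.
SAMPLE_LOG = """\
2014-03-10 17:39:12,637 DEBUG [c.c.a.t.Request] (Job-Executor-37:Job-36
ctx-d42f1928) Seq 1-100: Sending { Cmd , MgmtId: 1, via: 1(host), Ver: v1,
[{"com.cloud.agent.api.routing.SetNetworkACLCommand":{"rules":[{"trafficType":"Ingress","action":"ACCEPT","number":1}],"accessDetails":{"router.name":"r-4-VM"}}}] }
2014-03-10 17:39:13,215 DEBUG [c.c.a.t.Request] (DirectAgent-208:ctx-9ff5e224)
Seq 1-100: Processing: { Ans: , MgmtId: 1, via: 1, Ver: v1, Flags: 0,
[{"com.cloud.agent.api.rou
ting.SetNetworkACLAnswer":{"results":[null],"result":true,"wait":0}}] }
2014-03-10 17:40:00,000 DEBUG [c.c.a.t.Request] (Job-Executor-40:Job-39
ctx-aaaa1111) Seq 1-101: Sending { Cmd , MgmtId: 1, via: 1(host), Ver: v1,
[{"com.cloud.agent.api.routing.SetNetworkACLCommand":{"rules":[{"trafficType":"Egress","action":"ACCEPT","number":2}],"accessDetails":{"router.name":"r-4-VM"}}}] }
"""

# A record starts at a timestamp; wrapped continuation lines belong to it.
RECORD_START = re.compile(r"(?m)^(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} )")
SEQ = re.compile(r"Seq\s+(\S+):\s+(Sending|Processing:)")
CMD = "com.cloud.agent.api.routing.SetNetworkACLCommand"
ANS = "com.cloud.agent.api.routing.SetNetworkACLAnswer"

def acl_commands(text):
    """Map Seq -> rules sent to the router and whether result=true came back."""
    sent = {}
    for rec in RECORD_START.split(text):
        m = SEQ.search(rec)
        if not m or "[{" not in rec:
            continue
        seq, kind = m.groups()
        # Drop line breaks so a payload wrapped mid-token still decodes.
        body = rec[rec.index("[{"):].replace("\n", "")
        items, _ = json.JSONDecoder().raw_decode(body)
        for item in items:
            if kind == "Sending" and CMD in item:
                rules = [(r["number"], r["trafficType"], r["action"])
                         for r in item[CMD]["rules"]]
                sent[seq] = {"router": item[CMD]["accessDetails"]["router.name"],
                             "rules": rules, "acked": False}
            elif kind == "Processing:" and ANS in item and seq in sent:
                sent[seq]["acked"] = item[ANS]["result"] is True
    return sent
```

An empty result after the first VM start in a new tier is the symptom reported in the issue; an entry with `acked` still False means the command was sent but no successful answer was logged.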