[
https://issues.apache.org/jira/browse/CLOUDSTACK-8688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14723375#comment-14723375
]
ASF GitHub Bot commented on CLOUDSTACK-8688:
--------------------------------------------
Github user wilderrodrigues commented on the pull request:
https://github.com/apache/cloudstack/pull/765#issuecomment-136363043
VM Life Cycle tests (Advanced Zone)
```
[root@cs1 integration]# nosetests --with-marvin
--marvin-config=/data/shared/marvin/mct-zone2-kvm2-ISOLATED.cfg -s -a
tags=advanced,required_hardware=false smoke/test_vm_life_cycle.py
==== Marvin Init Started ====
=== Marvin Parse Config Successful ===
=== Marvin Setting TestData Successful===
==== Log Folder Path: /tmp//MarvinLogs//Aug_31_2015_12_14_38_JN3PBD. All
logs will be available here ====
=== Marvin Init Logging Successful===
==== Marvin Init Successful ====
=== TestName: test_advZoneVirtualRouter | Status : SUCCESS ===
=== TestName: test_deploy_vm | Status : SUCCESS ===
=== TestName: test_deploy_vm_multiple | Status : SUCCESS ===
=== TestName: test_01_stop_vm | Status : SUCCESS ===
=== TestName: test_02_start_vm | Status : SUCCESS ===
=== TestName: test_03_reboot_vm | Status : SUCCESS ===
=== TestName: test_06_destroy_vm | Status : SUCCESS ===
=== TestName: test_07_restore_vm | Status : SUCCESS ===
=== TestName: test_09_expunge_vm | Status : SUCCESS ===
===final results are now copied to:
/tmp//MarvinLogs/test_vm_life_cycle_L0WK32===
[root@cs1 integration]#
```
VM Life Cycle tests (Basic Zone)
```
[root@cs1 integration]# nosetests --with-marvin
--marvin-config=/data/shared/marvin/mct-zone1-kvm1-basic.cfg -s -a
tags=basic,required_hardware=false smoke/test_vm_life_cycle.py
==== Marvin Init Started ====
=== Marvin Parse Config Successful ===
=== Marvin Setting TestData Successful===
==== Log Folder Path: /tmp//MarvinLogs//Aug_31_2015_12_41_40_5VQUD2. All
logs will be available here ====
=== Marvin Init Logging Successful===
==== Marvin Init Successful ====
=== TestName: test_deploy_vm | Status : SUCCESS ===
=== TestName: test_deploy_vm_multiple | Status : SUCCESS ===
=== TestName: test_01_stop_vm | Status : SUCCESS ===
=== TestName: test_02_start_vm | Status : SUCCESS ===
=== TestName: test_03_reboot_vm | Status : SUCCESS ===
=== TestName: test_06_destroy_vm | Status : SUCCESS ===
=== TestName: test_07_restore_vm | Status : SUCCESS ===
=== TestName: test_09_expunge_vm | Status : SUCCESS ===
===final results are now copied to:
/tmp//MarvinLogs/test_vm_life_cycle_8F4UL3===
[root@cs1 integration]#
```
> Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> -----------------------------------------------------------------------
>
> Key: CLOUDSTACK-8688
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8688
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Virtual Router
> Affects Versions: 4.6.0
> Environment: Latest build from ACS master.
> Zone type: Advanced
> Reporter: Sanjeev N
> Assignee: Wilder Rodrigues
> Priority: Blocker
> Fix For: 4.6.0
>
>
> Defualt policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> Steps to reproduce the issue:
> =======================
> 1.Bring up CS in advanced zone with any supported hypervisor (e.g. Xenserver)
> 2.Create an isolated network with Network Offering
> "DefaultIsolatedNetworkOfferingWithSourceNatService"
> 3.Deploy one guest vm within that network
> Result:
> =======
> IP tables rules on the VR created are as follows:
> root@r-7-VM:~# iptables --list
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere vrrp.mcast.net
> ACCEPT all -- anywhere 225.0.0.50
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere vrrp.mcast.net
> ACCEPT all -- anywhere 225.0.0.50
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT udp -- anywhere anywhere udp dpt:bootps
> ACCEPT udp -- anywhere anywhere udp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp dpt:http
> state NEW
> ACCEPT tcp -- anywhere anywhere tcp
> dpt:http-alt state NEW
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere state NEW
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> Chain NETWORK_STATS (3 references)
> target prot opt source destination
> all -- anywhere anywhere
> all -- anywhere anywhere
> tcp -- anywhere anywhere
> tcp -- anywhere anywhere
> But the Default policy for INPUT and FORWARD chain should be DROP instead of
> ACCEPT. Otherwise all the traffic would be allowed to VR.
> Same is the case with VPC and Shared network as well.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
