[jira] [Commented] (CLOUDSTACK-6432) Prevent VR from response to DNS request from outside of network

ASF GitHub Bot (JIRA) Tue, 30 Aug 2016 06:21:41 -0700

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15448991#comment-15448991
 ]


ASF GitHub Bot commented on CLOUDSTACK-6432:
--------------------------------------------

Github user borisstoyanov commented on the issue:

    https://github.com/apache/cloudstack/pull/1663
  
    LGTM, I was able to build and test the PR. Found a little issue with the 
tests and fixed it. 
    Here are the tests results: 
    
    
    ```
    $ nosetests --with-xunit --xunit-file=integration-test-results.xml 
--with-marvin --marvin-config=advanced_ccs.cfg -s -a 
tags=advanced,required_hardware=true --zone=zone1 --hypervisor=kvm 
cloudstack/test/integration/smoke/test_router_dns.py -vv
    nose.config: INFO: Ignoring files matching ['^\\.', '^_', '^setup\\.py$']
    
    ==== Marvin Init Started ====
    
    === Marvin Parse Config Successful ===
    
    === Marvin Setting TestData Successful===
    
    ==== Log Folder Path: /tmp//MarvinLogs//Aug_30_2016_15_44_51_LNKTQ1. All 
logs will be available here ====
    
    === Marvin Init Logging Successful===
    
    ==== Marvin Init Successful ====
    Creating Admin Account for domain b1376fae-6e2a-11e6-bca7-000c290e77f6 on 
zone 7060c2b9-7ea2-475f-9b74-56ce80444feb
    Creating Service Offering on zone 7060c2b9-7ea2-475f-9b74-56ce80444feb
    Creating Network Offering on zone 7060c2b9-7ea2-475f-9b74-56ce80444feb
    Creating Network for Account test-a-TestRouterDns-CF5DZ4 using offering 
8c206825-65e7-4aaa-9850-b8e804f523ef
    Creating guest VM for Account test-a-TestRouterDns-CF5DZ4 using offering 
6fd51c75-fe0f-4673-8b1a-a312fe5605c4
    Starting test_router_dns_externalips...
    Querying VR DNS IP: 192.168.1.103
    VR DNS query failed from non-guest network IP as expected
    === TestName: test_router_dns_externalipquery | Status : SUCCESS ===
    
    Starting test_router_dns_guestipquery...
    Creating Firewall rule for VM ID: cf929b5d-4ce1-4c86-b389-5baba0a5d8e7
    Creating NAT rule for VM ID: cf929b5d-4ce1-4c86-b389-5baba0a5d8e7
    SSH into guest VM with IP: 192.168.1.103
    ====Trying SSH Connection: Host:192.168.1.103 User:root                     
              Port:22 RetryCnt:8===
    SshClient: Exception under createConnection: ['Traceback (most recent call 
last):\n', '  File 
"/usr/local/lib/python2.7/site-packages/marvin/sshClient.py", line 122, in 
createConnection\n    allow_agent=False)\n', '  File 
"/usr/local/lib/python2.7/site-packages/paramiko/client.py", line 305, in 
connect\n    retry_on_signal(lambda: sock.connect(addr))\n', '  File 
"/usr/local/lib/python2.7/site-packages/paramiko/util.py", line 269, in 
retry_on_signal\n    return function()\n', '  File 
"/usr/local/lib/python2.7/site-packages/paramiko/client.py", line 305, in 
<lambda>\n    retry_on_signal(lambda: sock.connect(addr))\n', '  File 
"/usr/local/Cellar/python/2.7.11/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py",
 line 228, in meth\n    return getattr(self._sock,name)(*args)\n', 'error: 
[Errno 51] Network is unreachable\n']
    Traceback (most recent call last):
      File "/usr/local/lib/python2.7/site-packages/marvin/sshClient.py", line 
122, in createConnection
        allow_agent=False)
      File "/usr/local/lib/python2.7/site-packages/paramiko/client.py", line 
305, in connect
        retry_on_signal(lambda: sock.connect(addr))
      File "/usr/local/lib/python2.7/site-packages/paramiko/util.py", line 269, 
in retry_on_signal
        return function()
      File "/usr/local/lib/python2.7/site-packages/paramiko/client.py", line 
305, in <lambda>
        retry_on_signal(lambda: sock.connect(addr))
      File 
"/usr/local/Cellar/python/2.7.11/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py",
 line 228, in meth
        return getattr(self._sock,name)(*args)
    error: [Errno 51] Network is unreachable
    ====Trying SSH Connection: Host:192.168.1.103 User:root                     
              Port:22 RetryCnt:7===
    SshClient: Exception under createConnection: ['Traceback (most recent call 
last):\n', '  File 
"/usr/local/lib/python2.7/site-packages/marvin/sshClient.py", line 122, in 
createConnection\n    allow_agent=False)\n', '  File 
"/usr/local/lib/python2.7/site-packages/paramiko/client.py", line 305, in 
connect\n    retry_on_signal(lambda: sock.connect(addr))\n', '  File 
"/usr/local/lib/python2.7/site-packages/paramiko/util.py", line 269, in 
retry_on_signal\n    return function()\n', '  File 
"/usr/local/lib/python2.7/site-packages/paramiko/client.py", line 305, in 
<lambda>\n    retry_on_signal(lambda: sock.connect(addr))\n', '  File 
"/usr/local/Cellar/python/2.7.11/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py",
 line 228, in meth\n    return getattr(self._sock,name)(*args)\n', 'error: 
[Errno 51] Network is unreachable\n']
    Traceback (most recent call last):
      File "/usr/local/lib/python2.7/site-packages/marvin/sshClient.py", line 
122, in createConnection
        allow_agent=False)
      File "/usr/local/lib/python2.7/site-packages/paramiko/client.py", line 
305, in connect
        retry_on_signal(lambda: sock.connect(addr))
      File "/usr/local/lib/python2.7/site-packages/paramiko/util.py", line 269, 
in retry_on_signal
        return function()
      File "/usr/local/lib/python2.7/site-packages/paramiko/client.py", line 
305, in <lambda>
        retry_on_signal(lambda: sock.connect(addr))
      File 
"/usr/local/Cellar/python/2.7.11/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py",
 line 228, in meth
        return getattr(self._sock,name)(*args)
    error: [Errno 51] Network is unreachable
    ====Trying SSH Connection: Host:192.168.1.103 User:root                     
              Port:22 RetryCnt:6===
    ===SSH to Host 192.168.1.103 port : 22 SUCCESSFUL===
    {Cmd: nslookup google.com via Host: 192.168.1.103} {returns: 
[u'Server:\t\t10.1.1.1', u'Address:\t10.1.1.1#53', u'', u'Non-authoritative 
answer:', u'Name:\tgoogle.com', u'Address: 212.39.82.187', 
u'Name:\tgoogle.com', u'Address: 212.39.82.174', u'Name:\tgoogle.com', 
u'Address: 212.39.82.152', u'Name:\tgoogle.com', u'Address: 212.39.82.180', 
u'Name:\tgoogle.com', u'Address: 212.39.82.167', u'Name:\tgoogle.com', 
u'Address: 212.39.82.181', u'Name:\tgoogle.com', u'Address: 212.39.82.159', 
u'Name:\tgoogle.com', u'Address: 212.39.82.153', u'Name:\tgoogle.com', 
u'Address: 212.39.82.146', u'Name:\tgoogle.com', u'Address: 212.39.82.173', 
u'Name:\tgoogle.com', u'Address: 212.39.82.166', u'Name:\tgoogle.com', 
u'Address: 212.39.82.160', u'']}
    === TestName: test_router_dns_guestipquery | Status : SUCCESS ===
    
    ===final results are now copied to: 
/tmp//MarvinLogs/test_router_dns_IG8LQP===
    ```


> Prevent VR from response to DNS request from outside of network
> ---------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6432
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6432
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>    Affects Versions: 4.4.0, 4.5.0
>            Reporter: Sheng Yang
>            Assignee: Sheng Yang
>             Fix For: 4.4.0, 4.5.0
>
>
> In basic and shared network, VR use private network nic for dhcp/dns 
> services. But if private network is on the internet as well, it would make VR 
> facing outside network.
> We would restrain the VR DNS service inside CloudStack managed network.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-6432) Prevent VR from response to DNS request from outside of network

Reply via email to