[GitHub] cloudstack pull request: CLOUDSTACK-8688 - default policies for IN...
Github user borisroman commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/765#discussion_r39765711

--- Diff: systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py --- @@ -414,7 +426,7 @@ def fw_router(self): self.fw.append(['', '', '-A NETWORK_STATS -i eth2 -o eth0']) self.fw.append(['', '', '-A NETWORK_STATS -o eth2 ! -i eth0 -p tcp']) self.fw.append(['', '', '-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp']) - + --- End diff --

@wilderrodrigues Seems like you hadn't removed the trailing white spaces. Maybe a good time to remove them when PRing CLOUDSTACK-8878 or CLOUDSTACK-8795? :)
Github user bhaisaab commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-138522855

LGTM
Github user asfgit closed the pull request at: https://github.com/apache/cloudstack/pull/765
Github user wilderrodrigues commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-138529499

Thanks, @bhaisaab!
Github user miguelaferreira commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-138250804

@karuturi Wilder will add a Marvin test for this PR, I will run that and post the results
Github user karuturi commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-138238373

@miguelaferreira @wilderrodrigues waiting for the PR merge :)
Github user wilderrodrigues commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-138321248

@miguelaferreira @remibergsma @karuturi @DaanHoogland

The test is done! Results:

```
Test iptables default INPUT/FORWARD policy on RouterVM ... === TestName: test_02_routervm_iptables_policies | Status : SUCCESS ===
ok
Test iptables default INPUT/FORWARD policies on VPC router ... === TestName: test_01_single_VPC_iptables_policies | Status : SUCCESS ===
ok

--
Ran 2 tests in 663.540s

OK
/tmp//MarvinLogs/test_routers_iptables_default_policy_RC3AMZ/results.txt (END)
```

The tests were done only for single VPC and Isolated Network because the Python code executed is also used by Redundant VPC and Shared Network. We can come back to this test later and add more cases; I already added some services for the above-mentioned networks in the test.

You can run this test by doing so:

```
nosetests --with-marvin --marvin-config=/data/shared/marvin/mct-zone2-kvm2-ISOLATED.cfg -s -a tags=advanced,required_hardware=true component/test_routers_iptables_default_policy.py
```

Make sure you do the following before running the test against a KVM hypervisor:

* Copy the systemvm.iso:
  * cloudstack/client/target/cloud-client-ui-4.6.0-SNAPSHOT/WEB-INF/classes/vms/systemvm.iso
* To:
  * /usr/share/cloudstack-common/vms/systemvm.iso

Cheers,
Wilder
Github user wilderrodrigues commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-137379240

Thanks for the LGTM and for the new issue, @karuturi. :)

I will push the test today and merge the PR after @miguelaferreira tests it.

Cheers,
Wilder
Github user karuturi commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-136962555

Tested this on Xen 6.5 advanced zone with isolated and VPC. Verified that the default policies are set to drop.

I am not sure if it's related to this. But, I found the below issue: in case of a VM launched in a VPC, outgoing public traffic worked (I was able to ping google.com). But, in case of a default isolated network (DefaultIsolatedNetworkOfferingWithSourceNatService) VM, outgoing public traffic was blocked even after adding an egress rule. It only worked after running the following on the isolated VR:

```
iptables -I FW_OUTBOUND -j FIREWALL_EGRESS_RULES
```
Github user wilderrodrigues commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-136951585

I will push a test today to cover the iptables default policies. Do you need help finding the options on the UI whilst the test gets cooked?

Cheers,
Wilder
Github user wilderrodrigues commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-137040420

Thanks for testing it, @karuturi, much appreciated!

I'm writing Marvin tests for this PR and the other issue (CLOUDSTACK-8759). Once done, I will have a look at the problem you reported. In order to keep things separate and move quicker with the PRs, could you please open a separate issue with the details above?

Thanks in advance.

Cheers,
Wilder
Github user karuturi commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-137048186

Ok. Here is the new issue: https://issues.apache.org/jira/browse/CLOUDSTACK-8795

:+1: for this PR
Github user wilderrodrigues commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-136601269

@karuturi @bhaisaab @DaanHoogland @koushik-das Anyone with some time to have a look at this PR?

Thanks in advance.

Cheers,
Wilder
Github user miguelaferreira commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-136620086

@wilderrodrigues I'm now testing your PR, but I have a question: how is SSHing into the VMs testing that the default policy is set to DROP?
Github user DaanHoogland commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/765#discussion_r38396363

--- Diff: systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py --- @@ -414,7 +426,7 @@ def fw_router(self): self.fw.append(['', '', '-A NETWORK_STATS -i eth2 -o eth0']) self.fw.append(['', '', '-A NETWORK_STATS -o eth2 ! -i eth0 -p tcp']) self.fw.append(['', '', '-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp']) - + --- End diff --

trailing white space?
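Review bot: the `-`/`+` pair that follows the last `self.fw.append(['', '', '-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp'])` context line is a whitespace-only change to a blank line and has nothing to do with the INPUT/FORWARD default-policy fix this PR makes; drop it from the hunk (either leave the blank line untouched or strip the trailing whitespace in the commit that introduces the policy change) so the diff of a firewall-policy change shows only the rules and policies that actually moved and reviewers can verify it line by line.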
Github user wilderrodrigues commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-136621356

SSH doesn't test it... I just did it to make sure all works as before.

To check the policies, run `iptables -L --verbose` (you will see DROP for the INPUT and FORWARD chains on all routers). You can also try connecting to a port that doesn't have a PF set up.
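The check described above can be automated by parsing the `iptables -L --verbose` listing and asserting that INPUT and FORWARD carry a DROP policy. This is an added example, not code from the PR, its Marvin test or the CloudStack code base; the iptables listing embedded below is constructed to look like a router after this change, and `parse_chain_policies` / `check_default_policies` are names chosen here.

```python
"""Verify the default iptables policies on a router from an ``iptables -L --verbose`` listing.

Added example (not CloudStack code). The sample listing is constructed; when run on a
real router the live ruleset is read instead.
"""
import re
import subprocess

# Built-in chains print "Chain NAME (policy ACCEPT|DROP ...)"; user-defined chains such
# as NETWORK_STATS print "(N references)" instead and therefore do not match.
CHAIN_HEADER = re.compile(r"^Chain (\S+) \(policy (\w+)")

# Constructed sample in the shape of ``iptables -L --verbose`` output. The INPUT rule
# with state NEW,ESTABLISHED mirrors the link-local access rule the PR description
# mentions; packet and byte counters are illustrative only.
SAMPLE_OUTPUT = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  310 24800 ACCEPT     all  --  eth0   any     anywhere             anywhere             state NEW,ESTABLISHED
 1022 81760 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
  455 36400 NETWORK_STATS  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 980 packets, 78400 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain NETWORK_STATS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  eth2   eth0    anywhere             anywhere
"""


def parse_chain_policies(listing):
    """Return {chain_name: policy} for every built-in chain in the listing."""
    policies = {}
    for line in listing.splitlines():
        match = CHAIN_HEADER.match(line)
        if match:
            policies[match.group(1)] = match.group(2)
    return policies


def check_default_policies(listing, expected=("INPUT", "FORWARD")):
    """Return the chains from ``expected`` whose policy is not DROP.

    A chain that is absent from the listing is reported as well: a router whose
    INPUT chain cannot be found is misconfigured, not compliant.
    """
    policies = parse_chain_policies(listing)
    return [chain for chain in expected if policies.get(chain) != "DROP"]


def read_live_listing():
    """Read the live ruleset; fall back to the constructed sample when iptables is unavailable."""
    try:
        return subprocess.check_output(["iptables", "-L", "--verbose"]).decode()
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_OUTPUT


if __name__ == "__main__":
    listing = read_live_listing()
    violations = check_default_policies(listing)
    print("default policies:", parse_chain_policies(listing))
    print("OK" if not violations else "NOT DROP: " + ", ".join(violations))
```

Run as root on a router it reports the live policies; anywhere else it falls back to the constructed sample.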
Github user wilderrodrigues commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/765#discussion_r38404211

--- Diff: systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py --- @@ -414,7 +426,7 @@ def fw_router(self): self.fw.append(['', '', '-A NETWORK_STATS -i eth2 -o eth0']) self.fw.append(['', '', '-A NETWORK_STATS -o eth2 ! -i eth0 -p tcp']) self.fw.append(['', '', '-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp']) - + --- End diff --

3 days of work to find the cause of the bugs and the thing goes with trailing spaces... crap. Will remove it once I add a Marvin test.
Github user miguelaferreira commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-136621918

ok, that's what I thought.
Github user wilderrodrigues commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-136664670

Hi @miguelaferreira

Okay for the Marvin test, but then it will make the thing wait for another day, at least. Which is fine, but I hope people LGTM it afterwards. I'm worried about the lack of reviews/tests by reviewers on PRs.

Concerning the unit test, I won't add it because I want to refactor the code as a project and have it done in a way that we can add tests and refactor, as it was done with other components. I know it could be done in a way where I could refactor just 1 method, add a test and push it. However, I do not want to mix styles in the Python code. By styles I mean: the way it was developed and the way I would have developed it. So, mixing styles by refactoring 1 method to add 1 test will not really improve it.

Once we release 4.6, and if that's okay with the team, I, we, will work on the Python refactor.

Cheers,
Wilder
Github user miguelaferreira commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-136625019

@wilderrodrigues wouldn't it be better to have a Marvin test that checks the policy? Now that I think of it, also a Python unit test?
Github user DaanHoogland commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-136636331

Changes look reasonable. Have not tested, so I am going to trust @wilderrodrigues on this, but @miguelaferreira's point on automation sounds very promising to me.
Github user miguelaferreira commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-136667361

@wilderrodrigues ok for the Python unit tests, but I would really like a Marvin test, or at least some way to automate setting up the environment you described. I'm trying to test this, and clicking around in the UI is just too inefficient.
Github user wilderrodrigues commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-136354474

Some screenshots:

VMs:
![image](https://cloud.githubusercontent.com/assets/5129209/9578445/681a3194-4fea-11e5-80c8-b085d4bf9809.png)

Infra:
![image](https://cloud.githubusercontent.com/assets/5129209/9578454/789935d8-4fea-11e5-91dd-990de69f63e0.png)

Routers:
![image](https://cloud.githubusercontent.com/assets/5129209/9578463/8546144a-4fea-11e5-99ed-5c29044c403b.png)
GitHub user wilderrodrigues opened a pull request: https://github.com/apache/cloudstack/pull/765

CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be set to DROP instead of ACCEPT

- In order to be able to access the routers via the link local interface, we have to add rules with NEW and ESTABLISHED state

Tests:

* Deployed 2 zones, basic and advanced, using KVM as hypervisor
* On the basic zone, created 1 security group, added ingress rules to open port 22 and deployed 1 VM
* SSH into the router and checked that the INPUT/FORWARD policies were set to DROP
* SSH to the VM
* On the advanced zone, created 1 single VPC (with 2 tiers, 2 pub IPs, 2 VMs and 1 ACL), 1 redundant VPC (with 2 tiers, 2 pub IPs, 2 VMs and 1 ACL), 1 isolated network (with 1 VM and 1 pub IP), 1 redundant network (with 1 VM and 1 pub IP)
* SSH into all routers to check that the INPUT/FORWARD policies were set to DROP
* SSH into all VMs to test the communication

```
sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.26
The authenticity of host '192.168.23.26 (192.168.23.26)' can't be established.
RSA key fingerprint is cb:42:81:d0:05:97:f4:be:9e:3b:dd:3f:c6:d2:48:e7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.26' (RSA) to the list of known hosts.
root@192.168.23.26's password:
# ls /
bin  boot  dev  etc  home  lib  lib64  linuxrc  lost+found  media  mnt  opt  proc  root  run  sbin  sys  tmp  usr  var
# exit
Connection to 192.168.23.26 closed.
sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.22.63
The authenticity of host '192.168.22.63 (192.168.22.63)' can't be established.
RSA key fingerprint is a2:20:d6:e2:fb:c5:89:94:57:f5:89:b1:a1:6d:63:99.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.22.63' (RSA) to the list of known hosts.
root@192.168.22.63's password:
# ls /
bin  boot  dev  etc  home  lib  lib64  linuxrc  lost+found  media  mnt  opt  proc  root  run  sbin  sys  tmp  usr  var
# exit
Connection to 192.168.22.63 closed.
sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.27
The authenticity of host '192.168.23.27 (192.168.23.27)' can't be established.
RSA key fingerprint is 20:f1:6d:9b:74:c5:7b:53:10:5c:a0:0c:bc:9f:2a:29.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.27' (RSA) to the list of known hosts.
root@192.168.23.27's password:
# ls /
bin  boot  dev  etc  home  lib  lib64  linuxrc  lost+found  media  mnt  opt  proc  root  run  sbin  sys  tmp  usr  var
# exit
Connection to 192.168.23.27 closed.
sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.28
The authenticity of host '192.168.23.28 (192.168.23.28)' can't be established.
RSA key fingerprint is f7:ae:49:46:ba:02:c1:25:5a:50:87:0e:6f:a4:43:a3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.28' (RSA) to the list of known hosts.
root@192.168.23.28's password:
# ls /
bin  boot  dev  etc  home  lib  lib64  linuxrc  lost+found  media  mnt  opt  proc  root  run  sbin  sys  tmp  usr  var
# exit
Connection to 192.168.23.28 closed.
sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.29
The authenticity of host '192.168.23.29 (192.168.23.29)' can't be established.
RSA key fingerprint is 09:0c:f2:41:a3:74:3d:ee:04:2b:78:ff:a9:91:0d:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.29' (RSA) to the list of known hosts.
root@192.168.23.29's password:
# ls /
bin  boot  dev  etc  home  lib  lib64  linuxrc  lost+found  media  mnt  opt  proc  root  run  sbin  sys  tmp  usr  var
# exit
Connection to 192.168.23.29 closed.
sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.30
The authenticity of host '192.168.23.30 (192.168.23.30)' can't be established.
RSA key fingerprint is 2c:a6:10:f5:6d:4b:d1:70:e2:47:07:19:0b:86:c1:b0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.30' (RSA) to the list of known hosts.
root@192.168.23.30's password:
```
Github user wilderrodrigues commented on the pull request: https://github.com/apache/cloudstack/pull/765#issuecomment-136363043

VM Life Cycle tests (Advanced Zone)

```
[root@cs1 integration]# nosetests --with-marvin --marvin-config=/data/shared/marvin/mct-zone2-kvm2-ISOLATED.cfg -s -a tags=advanced,required_hardware=false smoke/test_vm_life_cycle.py

Marvin Init Started

=== Marvin Parse Config Successful ===

=== Marvin Setting TestData Successful===

Log Folder Path: /tmp//MarvinLogs//Aug_31_2015_12_14_38_JN3PBD. All logs will be available here

=== Marvin Init Logging Successful===

Marvin Init Successful

=== TestName: test_advZoneVirtualRouter | Status : SUCCESS ===
=== TestName: test_deploy_vm | Status : SUCCESS ===
=== TestName: test_deploy_vm_multiple | Status : SUCCESS ===
=== TestName: test_01_stop_vm | Status : SUCCESS ===
=== TestName: test_02_start_vm | Status : SUCCESS ===
=== TestName: test_03_reboot_vm | Status : SUCCESS ===
=== TestName: test_06_destroy_vm | Status : SUCCESS ===
=== TestName: test_07_restore_vm | Status : SUCCESS ===
=== TestName: test_09_expunge_vm | Status : SUCCESS ===
===final results are now copied to: /tmp//MarvinLogs/test_vm_life_cycle_L0WK32===
[root@cs1 integration]#
```

VM Life Cycle tests (Basic Zone)

```
[root@cs1 integration]# nosetests --with-marvin --marvin-config=/data/shared/marvin/mct-zone1-kvm1-basic.cfg -s -a tags=basic,required_hardware=false smoke/test_vm_life_cycle.py

Marvin Init Started

=== Marvin Parse Config Successful ===

=== Marvin Setting TestData Successful===

Log Folder Path: /tmp//MarvinLogs//Aug_31_2015_12_41_40_5VQUD2. All logs will be available here

=== Marvin Init Logging Successful===

Marvin Init Successful

=== TestName: test_deploy_vm | Status : SUCCESS ===
=== TestName: test_deploy_vm_multiple | Status : SUCCESS ===
=== TestName: test_01_stop_vm | Status : SUCCESS ===
=== TestName: test_02_start_vm | Status : SUCCESS ===
=== TestName: test_03_reboot_vm | Status : SUCCESS ===
=== TestName: test_06_destroy_vm | Status : SUCCESS ===
=== TestName: test_07_restore_vm | Status : SUCCESS ===
=== TestName: test_09_expunge_vm | Status : SUCCESS ===
===final results are now copied to: /tmp//MarvinLogs/test_vm_life_cycle_8F4UL3===
[root@cs1 integration]#
```