I tried to edit the security rules, and the following was captured in the log. I guess the initial iptables rules were not created, and that causes this:

2020-09-28 02:23:30,276 ERROR [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-4:null) (logid:6ae48108) Unable to apply default network rule for nic cloudbr0 for VM i-2-81-VM
2020-09-28 02:23:30,276 WARN [resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper] (agentRequest-Handler-4:null) (logid:6ae48108) Failed to program default network rules for vm i-2-81-VM
2020-09-28 02:23:30,323 ERROR [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:bbe20113) Unable to apply default network rule for nic cloudbr0 for VM i-2-78-VM
2020-09-28 02:23:30,323 WARN [resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper] (agentRequest-Handler-3:null) (logid:bbe20113) Failed to program default network rules for vm i-2-78-VM
2020-09-28 02:23:30,370 ERROR [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-2:null) (logid:ffe01b13) Unable to apply default network rule for nic cloudbr0 for VM i-2-76-VM
2020-09-28 02:23:30,371 WARN [resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper] (agentRequest-Handler-2:null) (logid:ffe01b13) Failed to program default network rules for vm i-2-76-VM

On Mon, Sep 28, 2020 at 2:10 PM Hean Seng <heans...@gmail.com> wrote:

> I checked the hypervisor; it seems iptables has nothing inside. This is
> CentOS 7. Initially I turned off firewalld, but even after I turn it on now and
> try to update the security group rules, the iptables rules seem empty:
>
> [root@kvm03 ~]# iptables -L -v -n
>
> Chain INPUT (policy ACCEPT 82903 packets, 1170M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 80505 packets, 25M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> On Mon, Sep 28, 2020 at 12:05 PM Pearl d'Silva <pearl.dsi...@shapeblue.com> wrote:
>
>> Hi Hean,
>>
>> In an Advanced Zone with Security Groups enabled, by default, egress
>> traffic from the VM is allowed, while ingress traffic is denied. Hence, as
>> you rightly mentioned, security group rules are added accordingly. These
>> rules get added on the hypervisor host, and you can verify them by going
>> into the host and searching for iptables rules corresponding to the VM
>> (internal name - i-x-y-VM).
>> This blog may be helpful in providing further details:
>>
>> https://shankerbalan.net/blog/cloudstack-advanced-zone-with-security-groups/
>>
>> Thanks,
>> Pearl
>> ________________________________
>> From: Hean Seng <heans...@gmail.com>
>> Sent: Sunday, September 27, 2020 2:48 PM
>> To: users@cloudstack.apache.org <users@cloudstack.apache.org>
>> Subject: Cloudstack Advance with Security Group
>>
>> Hi
>>
>> I created an advanced zone with security group; all working fine.
>>
>> But when a VM is created, it seems the default security group that is assigned
>> to the VM is an all-accept policy. I understand it is Default Deny, and once
>> a port is added in Security Group Ingress and Egress, only that is allowed.
>>
>> Also, are these rules created at the VirtualRouter of the SharedNetwork, or at
>> the Hypervisor?
>>
>> --
>> Regards,
>> Hean Seng
>>
>> pearl.dsi...@shapeblue.com
>> www.shapeblue.com
>> 3 London Bridge Street, 3rd floor, News Building, London SE1 9SG UK
>> @shapeblue
>
> --
> Regards,
> Hean Seng

--
Regards,
Hean Seng
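Pearl's advice above is to confirm on the KVM host that per-VM iptables rules exist, and Hean's `iptables -L` output shows a host where they do not. The script below is an added example (not from this thread and not CloudStack's own code) that makes that check scriptable: it reads `iptables-save` output from stdin and counts the chains belonging to a VM's internal name `i-x-y-VM`. The chain-name suffixes in the constructed sample ruleset (`-VM`, `-VM-eg`, `-def`) and the matching on the `i-x-y-` prefix are assumptions about how the KVM agent names its chains, not something the thread states; the two sample rulesets are constructed to mirror a programmed host and the empty host Hean reported.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a KVM host's iptables
# ruleset contains per-VM security-group chains for a given CloudStack VM.
# Assumption: the KVM agent names its chains after the VM's internal name
# i-x-y-VM; the exact suffixes below are assumed. Reads `iptables-save` output
# from stdin so it can be run as:  iptables-save | sg_check_vm i-2-81-VM

# Constructed sample: a host where the agent did program rules for i-2-81-VM.
SG_SAMPLE_PROGRAMMED='*filter
:INPUT ACCEPT [82903:1170000000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80505:25000000]
:BF-cloudbr0 - [0:0]
:i-2-81-VM - [0:0]
:i-2-81-VM-eg - [0:0]
:i-2-81-def - [0:0]
-A FORWARD -o cloudbr0 -j BF-cloudbr0
-A i-2-81-VM -m state --state RELATED,ESTABLISHED -j ACCEPT
-A i-2-81-VM -j DROP
COMMIT'

# Constructed sample: the empty ruleset from the thread (policy ACCEPT, no chains).
SG_SAMPLE_EMPTY='*filter
:INPUT ACCEPT [82903:1170000000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80505:25000000]
COMMIT'

# Number of chain definitions (":NAME" lines in iptables-save) that belong
# to the VM. i-2-81-VM -> prefix i-2-81, matching i-2-81-VM, i-2-81-VM-eg, i-2-81-def.
sg_chain_count() {
    prefix=${1%-VM}
    # grep -c prints "0" but exits 1 when nothing matches; keep the count, not the status
    grep -c -e "^:${prefix}-" || true
}

# Distinct VM prefixes that have any chain on this host (which VMs are protected).
sg_list_vms() {
    sed -n 's/^:\(i-[0-9]*-[0-9]*\)-.*/\1/p' | sort -u
}

# Verdict for one VM: prints "programmed (N chains)" or "missing",
# returning 1 when missing so it can drive a health check.
sg_check_vm() {
    n=$(sg_chain_count "$1")
    if [ "$n" -gt 0 ]; then
        echo "programmed ($n chains)"
        return 0
    fi
    echo "missing"
    return 1
}

# Demo on the constructed samples; on a real host replace the printf with iptables-save.
printf '%s\n' "$SG_SAMPLE_PROGRAMMED" | sg_check_vm i-2-81-VM
printf '%s\n' "$SG_SAMPLE_EMPTY" | sg_check_vm i-2-81-VM \
    || echo "  -> no rules for this VM; look for 'Unable to apply default network rule' in the agent log"
```

A "missing" result for a running VM on a security-group host matches the failure in the log above: the agent reported it could not program the default rules, so the host is forwarding that VM's traffic under the all-ACCEPT FORWARD policy rather than the per-VM chains.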