ACS Advance with Security Group, IPTable not write to Host

[hstan77]

ISSUE TYPE

• Bug Report

Advance Security Security Group

Configure Security Group Advance in AdvanceZone

CLOUDSTACK VERSION - 4.14

Cloudstack 4.14

CONFIGURATION

Advance Networking, with Security Group, on KVM

OS / ENVIRONMENT

CentOS Linux release 7.8.2003 (Core)

SUMMARY

STEPS TO REPRODUCE

Create Zone with Advance with Security Group, KVM HyperVisor

Create VM , and apply the Default Security Group.

Add on following in HyperVisor Host:
modprobe br_netfilter

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

The Security Group Rules is not apply to HyperVisor

EXPECTED RESULTS

Default Ingress Rules (inboud) shall be Drop, except define in Allow Rules .

ACTUAL RESULTS

iptables is rules not generated in hypervisors , Log show:

2020-09-28 04:49:27,142 ERROR [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:689bce0a) Unable to apply default network rule for nic cloudbr0 for VM i-2-81-VM
2020-09-28 04:49:27,312 ERROR [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-4:null) (logid:52809b79) Unable to apply default network rule for nic cloudbr0 for VM i-2-81-VM
2020-09-28 04:49:27,312 WARN [resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper] (agentRequest-Handler-4:null) (logid:52809b79) Failed to program default network rules for vm i-2-81-VM

[weizhouapache]

@hstan77 any log in /var/log/cloudstack/agent/security_group.log ?

[hstan77]

In folder /var/log/cloudstack/agent, only have
agent.log resizevolume.log setup.log

there is no file security_group.log

[hstan77]

Just update my finding here.

The same issue is no issue on Ubuntu 18, and only happen to CentOS 7

[DaanHoogland]

The same issue is no issue on Ubuntu 18, and only happen to CentOS 7

so when the hypervisor is on centos the iptables commands don't work, right?

[weizhouapache]

The same issue is no issue on Ubuntu 18, and only happen to CentOS 7

so when the hypervisor is on centos the iptables commands don't work, right?

Just update my finding here.

The same issue is no issue on Ubuntu 18, and only happen to CentOS 7

@hstan77 do you still have the centos7 environment ?
if yes, can you change log level and reproduce the issue ?

sed -i "s/INFO/DEBUG" /etc/cloudstack/agent/log4j-cloud.xml
systemctl restart cloudstack-agent

you should get more debug info in /var/log/cloudstack/agent/agent.log

[weizhouapache]

@DaanHoogland @rhtyd @wido @GabrielBrascher do you have centos7 env to reproduce this issue ?

[DaanHoogland]

I can give it a shot, but it will be on a nested env, not sure if that is relevant.

[DaanHoogland]

tip from a couple of colleagues: it looks like Hean Seng (is that you @hstan77 ?) had already given the solution to this: https://lists.apache.org/thread.html/r329758cbcc2a3ddc70bbb133b5629a854ba67f8f942d38a89d37519e%40%3Cusers.cloudstack.apache.org%3E

cc @weizhouapache
I think we can close this. (@hstan77 please reopen if i'm wrong)

[weizhouapache]

@DaanHoogland good, so this is fixed by #4124

[hstan77]

Hi Yes , this issue can close, I found the issue and shared also, Need to install python36-libvirt to Centos, and issue solved .

…

On Fri, Nov 27, 2020 at 5:46 PM Wei Zhou ***@***.***> wrote: @DaanHoogland <https://github.com/DaanHoogland> good, so this is fixed by #4124 <#4124> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#4351 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ARFNGAVLRVSSFHRHCCKW7KLSR5YN7ANCNFSM4R4IAAPQ> .

-- Regards, Hean Seng