[
https://issues.apache.org/jira/browse/CLOUDSTACK-324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13475255#comment-13475255
]
Chandan Purushothama commented on CLOUDSTACK-324:
-------------------------------------------------
Hello Max,
In Basic Zone, there are only two valid network offerings used:
1. "DefaultSharedNetworkOfferingWithSGService" and
2. "DefaultSharedNetscalerEIPandELBNetworkOffering".
The reason why only these two network offerings are valid is that the two
network offerings use security groups for guest isolation, while other guest
network offerings are VLAN-based offerings which require VLANs for guest isolation.
Valid Network Offerings 1 and 2 details are as given below:
mysql> select * from network_offerings where id=6 \G;
*************************** 1. row ***************************
id: 6
name: DefaultSharedNetworkOfferingWithSGService
uuid: dbc5a79f-0540-4b83-a571-4fd421d0e224
unique_name: DefaultSharedNetworkOfferingWithSGService
display_text: Offering for Shared Security group enabled networks
nw_rate: NULL
mc_rate: NULL
traffic_type: Guest
tags: NULL
system_only: 0
specify_vlan: 1
service_offering_id: NULL
conserve_mode: 1
created: 2012-10-10 03:35:49
removed: NULL
default: 1
availability: Optional
dedicated_lb_service: 1
shared_source_nat_service: 0
sort_key: 0
redundant_router_service: 0
state: Enabled
guest_type: Shared
elastic_ip_service: 0
elastic_lb_service: 0
specify_ip_ranges: 1
1 row in set (0.00 sec)
ERROR:
No query specified
mysql> select * from network_offerings where id=10 \G;
*************************** 1. row ***************************
id: 10
name: DefaultSharedNetscalerEIPandELBNetworkOffering
uuid: 8f8a4b0e-595a-48aa-b178-262bd2682122
unique_name: DefaultSharedNetscalerEIPandELBNetworkOffering
display_text: Offering for Shared networks with Elastic IP and Elastic LB capabilities
nw_rate: NULL
mc_rate: NULL
traffic_type: Guest
tags: NULL
system_only: 0
specify_vlan: 1
service_offering_id: NULL
conserve_mode: 1
created: 2012-10-10 03:35:49
removed: NULL
default: 1
availability: Optional
dedicated_lb_service: 0
shared_source_nat_service: 0
sort_key: 0
redundant_router_service: 0
state: Enabled
guest_type: Shared
elastic_ip_service: 1
elastic_lb_service: 1
specify_ip_ranges: 1
1 row in set (0.00 sec)
Service Providers Information of the Valid Network Offerings are as given below:
mysql> select * from ntwk_offering_service_map where network_offering_id=6;
+----+---------------------+---------------+-----------------------+---------------------+
| id | network_offering_id | service       | provider              | created             |
+----+---------------------+---------------+-----------------------+---------------------+
|  4 |                   6 | Dhcp          | VirtualRouter         | 2012-10-10 03:35:49 |
|  1 |                   6 | Dns           | VirtualRouter         | 2012-10-10 03:35:49 |
|  3 |                   6 | SecurityGroup | SecurityGroupProvider | 2012-10-10 03:35:49 |
|  2 |                   6 | UserData      | VirtualRouter         | 2012-10-10 03:35:49 |
+----+---------------------+---------------+-----------------------+---------------------+
4 rows in set (0.00 sec)
mysql> select * from ntwk_offering_service_map where network_offering_id=10;
+----+---------------------+---------------+-----------------------+---------------------+
| id | network_offering_id | service       | provider              | created             |
+----+---------------------+---------------+-----------------------+---------------------+
| 26 |                  10 | Dhcp          | VirtualRouter         | 2012-10-10 03:35:49 |
| 21 |                  10 | Dns           | VirtualRouter         | 2012-10-10 03:35:49 |
| 22 |                  10 | Lb            | Netscaler             | 2012-10-10 03:35:49 |
| 25 |                  10 | SecurityGroup | SecurityGroupProvider | 2012-10-10 03:35:49 |
| 23 |                  10 | StaticNat     | Netscaler             | 2012-10-10 03:35:49 |
| 24 |                  10 | UserData      | VirtualRouter         | 2012-10-10 03:35:49 |
+----+---------------------+---------------+-----------------------+---------------------+
6 rows in set (0.00 sec)
The Network Offering that you used, "DefaultSharedNetworkOffering", is a VLAN-based
offering which doesn't use Security Groups. This Network Offering is used in
Advanced Zone, where a shared network is used to provide common service to all
the VMs in the Zone using a shared VLAN.
mysql> select * from network_offerings where id=7 \G;
*************************** 1. row ***************************
id: 7
name: DefaultSharedNetworkOffering
uuid: 8a761655-1112-4ea9-8220-49fc9b4c6ef4
unique_name: DefaultSharedNetworkOffering
display_text: Offering for Shared networks
nw_rate: NULL
mc_rate: NULL
traffic_type: Guest
tags: NULL
system_only: 0
specify_vlan: 1
service_offering_id: NULL
conserve_mode: 1
created: 2012-10-10 03:35:49
removed: NULL
default: 1
availability: Optional
dedicated_lb_service: 1
shared_source_nat_service: 0
sort_key: 0
redundant_router_service: 0
state: Enabled
guest_type: Shared
elastic_ip_service: 0
elastic_lb_service: 0
specify_ip_ranges: 1
1 row in set (0.00 sec)
mysql> select * from ntwk_offering_service_map where network_offering_id=7;
+----+---------------------+----------+---------------+---------------------+
| id | network_offering_id | service | provider | created |
+----+---------------------+----------+---------------+---------------------+
| 7 | 7 | Dhcp | VirtualRouter | 2012-10-10 03:35:49 |
| 5 | 7 | Dns | VirtualRouter | 2012-10-10 03:35:49 |
| 6 | 7 | UserData | VirtualRouter | 2012-10-10 03:35:49 |
+----+---------------------+----------+---------------+---------------------+
3 rows in set (0.00 sec)
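A check an administrator can run to tell which Shared offerings are security-group isolated and therefore usable for a Basic Zone guest network, added here as an example (not part of the comment above or of CloudStack itself). It rebuilds the three offerings quoted above in an in-memory SQLite database; the SELECT uses only the columns shown in the comment's output and is assumed, not verified, to run unchanged against the real network_offerings and ntwk_offering_service_map tables.

```python
import sqlite3

# Constructed sample rows, copied from the three offerings quoted in the comment
# (ids 6, 7 and 10). This is illustrative data, not a live CloudStack database.
OFFERINGS = [
    (6, "DefaultSharedNetworkOfferingWithSGService", "Shared"),
    (7, "DefaultSharedNetworkOffering", "Shared"),
    (10, "DefaultSharedNetscalerEIPandELBNetworkOffering", "Shared"),
]
SERVICE_MAP = [
    (6, "Dhcp", "VirtualRouter"), (6, "Dns", "VirtualRouter"),
    (6, "SecurityGroup", "SecurityGroupProvider"), (6, "UserData", "VirtualRouter"),
    (7, "Dhcp", "VirtualRouter"), (7, "Dns", "VirtualRouter"),
    (7, "UserData", "VirtualRouter"),
    (10, "Dhcp", "VirtualRouter"), (10, "Dns", "VirtualRouter"),
    (10, "Lb", "Netscaler"), (10, "SecurityGroup", "SecurityGroupProvider"),
    (10, "StaticNat", "Netscaler"), (10, "UserData", "VirtualRouter"),
]

# Uses only columns that appear in the comment's output; assumed (not verified here)
# to run unchanged against the real network_offerings / ntwk_offering_service_map.
SG_CHECK_SQL = """
SELECT o.id, o.name,
       SUM(CASE WHEN m.service = 'SecurityGroup' THEN 1 ELSE 0 END) AS sg_rows
FROM network_offerings AS o
LEFT JOIN ntwk_offering_service_map AS m ON m.network_offering_id = o.id
WHERE o.guest_type = 'Shared' AND o.removed IS NULL
GROUP BY o.id, o.name
ORDER BY o.id
"""

def build_db():
    """In-memory stand-in for the cloud database, loaded with the rows above."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE network_offerings "
               "(id INTEGER, name TEXT, guest_type TEXT, removed TEXT)")
    db.execute("CREATE TABLE ntwk_offering_service_map "
               "(network_offering_id INTEGER, service TEXT, provider TEXT)")
    db.executemany("INSERT INTO network_offerings VALUES (?, ?, ?, NULL)", OFFERINGS)
    db.executemany("INSERT INTO ntwk_offering_service_map VALUES (?, ?, ?)", SERVICE_MAP)
    return db

def sg_enabled_offerings(db):
    """Map offering id -> (name, True if a SecurityGroup service row exists)."""
    return {oid: (name, sg_rows > 0) for oid, name, sg_rows in db.execute(SG_CHECK_SQL)}

def basic_zone_valid_ids(db):
    """Ids usable for a Basic Zone guest network: Shared and security-group isolated."""
    return sorted(oid for oid, (_, has_sg) in sg_enabled_offerings(db).items() if has_sg)
```

With the quoted data this reports ids 6 and 10 as valid and flags id 7 (the offering the reporter used) as having no SecurityGroup service, which is why its VMs are not governed by the account's default security group rules.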
> Cannot edit default security group rules, default security group blocks all
> inbound traffic.
> --------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-324
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-324
> Project: CloudStack
> Issue Type: Bug
> Affects Versions: pre-4.0.0
> Reporter: Max Clark
> Assignee: Wido den Hollander
> Labels: iptables, network, security
> Fix For: 4.1.0
>
>
> When configuring basic networking, by default the network is created with the
> "DefaultSharedNetworkOffering". This offering does not have a security group.
> No inbound traffic is allowed to the created VMs. Reading the AdminGuide
> documentation:
> "Each CloudStack account comes with a default security group that denies all
> inbound traffic and allows all outbound traffic. The default security group
> can be modified so that all new VMs inherit some other desired set of rules."
> If a network is created without a security group, it shouldn't have a
> security group and all inbound/outbound traffic should be allowed - or at the
> very least the default security group should be able to be configured.
> http://www.cloudstack.com/forum/8-storage-and-networking/7054-vm-instance-cant-be-accessd-using-basic-networking.html?limit=6&start=6#7084
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira