We do make this check when deployVm is called with multiple networks specified, in SG enabled Advance zone. And don't let VM to have a mix of SG enabled and disabled Nics.
However I suspect that this check is missing when Nic is plugged to existing VM via PlugNic API command.

-Alena.

On 12/13/13, 3:40 PM, "Chiradeep Vittal" <chiradeep.vit...@citrix.com> wrote:

>My reading of https://cwiki.apache.org/confluence/x/kxTVAQ is :
> - a VM can only be on 1 security-group-enabled network.
>
>
>On 12/13/13 10:30 AM, "Nux!" <n...@li.nux.ro> wrote:
>
>>Hi,
>>
>>It seems that using multiple shared networks in an Adv zone with
>>Security groups breaks the security groups.
>>
>>Here's what happens:
>>
>>- install 4.2.1 SNAPSHOT.el6 (from Build Date: Thu 05 Dec 2013 13:19:49
>>GMT)
>>- create Adv zone with SG
>>- add a shared network on vlan 109
>>- add instances on it
>>- create security groups
>>- everything rocks, they can ping each other etc
>>
>>- create another shared network on vlan 999
>>- stop the running instances
>>- add the second network to the instances and start them
>>- the instances get a new set of IPs for eth1 via DHCP BUT!
>>- they can no longer access each other via the eth0 IPs; the SG seem to
>>apply correctly, but only to the newly added network
>>- the instances can also no longer access the router in their primary
>>shared network (hence no more passwords reset and other features)
>>
>>For those good at firewalls, here's the iptables output from BEFORE
>>adding the second network:
>>http://paste.fedoraproject.org/61594/95896413
>>
>>And AFTER adding the second network and starting back the instances:
>>http://paste.fedoraproject.org/61595/86959048
>>
>>If someone can confirm it's not me doing something stupid I can open a
>>proper report in jira.
>>
>>--
>>Sent from the Delta quadrant using Borg technology!
>>
>>Nux!
>>www.nux.ro
>