[SOLVED] Secgroup commit not as expected on OpenNebula 5.2


(Pecadis) #1

Hi there,

i just made some test regarding the commit Mechanism when applying or removing new Rules on secgroup when i just saw a behavior which, with my understanding, shouldn’t happen.
The Applying of a new rule (for example allow icmp Packages) are working almost instantly.
BUT when i try to remove a rule from the secgroup, it doesn’t work for already running VM. I had to remove the NIC, attach it again and reboot the VM.

In both cases i can see the new rule is popping up and disappear in the VM/Network section of the NIC on the VM but the rule is not going to be removed.

Setup:
1 Testnetwork called :Testnet
1 security rule applied to Testnet (this is also the only secgroup for Testnet)
1 VM within Testnet
1 Physical machine which is also wired up into Testnet

How i tested it:

  1. Drop all rules in the Secgroup so nothing is allowed.
  2. Start the VM within this environment
  3. Ping the IP of the VM from Physical Machine -> no ping possible as expected
  4. Apply inbound icmp Rule into Secgroup.
  5. Ping VM again -> Ping works as expected
  6. Remove icmp Rule from point 4. (also checked that the rule disappear on the VM NIC)
  7. Ping once again -> Ping still works -> not as i expect.

My Question here:
Is it a feature or a Bug?

Thanks
Pecadis


(Ruben S. Montero) #2

From your message I assume that you commit the changes after each update, is this right?. Also is there any relevant message in the VirtualMachine log, or in oned.log?


(Pecadis) #3

Hi Ruben,

no, i didn’t do any commit after the update usually but even if i commit it manually, it didn’t change the behavior.
To the logs:

There is nothing strange in sched.log.
The VM log is just saying that all changes were made (add and remove are both displaying).

The removal of the rules are neither working on sunstone nor on the commandline for the secgroup… at least for me.

Can you reproduce it?


(Denis Ldv) #4

If we speak about Linux-KVM - You can check if secgoups work correctly.
look at ouput of
iptables -S
before step 6 and after step 6. (command should be executed on “Physical Machine”)

If rule for icmp traffic disappears after step 6 then secroups works correctly and reason of that behavior is linux connection tracker. Wait 60 sec and try to ping again (you should stop pinging before removing rule).


(Pecadis) #5

Thank you for this hint.

Looks like that i was just to impatient. But at the end, i would expect to have the security rules to be applied instantly when i remove them. So some kind of cut the wires the hard way.

I would say that this Topic is solved.
Thank you a lot for those ideas.