
Network with SG Disabled still has security group script adding rules on KVM #5047

@GabrielBrascher

Description

ISSUE TYPE
  • Bug Report
COMPONENT NAME
Security Group
CLOUDSTACK VERSION
4.15.0.0
CONFIGURATION

Zone deployed with Advanced Network and Security Group enabled.

OS / ENVIRONMENT

N/A

SUMMARY

We have been seeing the default security group rules being applied to VMs that are using a network with no SG. It is expected that when a network has Security Grouping turned off, it wouldn't execute this script at all.

For instance, if the network offering is the DefaultSharedNetworkOffering which does not list Security Grouping as a supported service, and VMs are rebooted CloudStack sends the command for KVM nodes to apply SG rules which can cause an outage for all the VMs on the respective network on that hypervisor.

LOG EXAMPLE

Checking the logs in the MGMT there are logs of SG Ruleset being scheduled and later sent to the KVM node; however, there are also validations detecting that SG is not supported for the network.

```
DEBUG [c.c.n.s.SecurityGroupManagerImpl] Security Group Mgr v2: scheduling ruleset updates for 1
...
DEBUG [c.c.n.NetworkModelImpl] Service SecurityGroup is not supported in the network id=XYZ.
...
DEBUG [c.c.n.s.SecurityGroupManagerImpl] SecurityGroupManager v2: sending ruleset update for vm i-123-4567-VM:ingress ....
```

At the KVM host, matching the commands sent from the MGMT, there are these logs:

```
DEBUG [kvm.resource.LibvirtComputingResource] Checking default network rules for vm i-123-4567-VM
DEBUG [kvm.resource.LibvirtComputingResource] Executing: /usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules --vmname i-123-4567-VM --vmid 4567 --vmip ....
```
STEPS TO REPRODUCE

1. Deploy a VM on a network with DefaultSharedNetworkOffering, in a zone that has Security Group enabled.
2. Restart the VM.

EXPECTED RESULTS

VM is running and **NO** security group rules have been applied.

ACTUAL RESULTS

VM is running but security group rules have been wrongly applied.
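As an added example (not part of this issue and not CloudStack code), the following Python script flags the pattern the report describes in a management-server log: a "sending ruleset update for vm ..." message that follows a "Service SecurityGroup is not supported in the network ..." message within a short time window. The message texts are taken from the log lines quoted above; the timestamp layout, the network id 204, the second VM name and the 5-second window are assumptions made for the sample.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Assumed log4j-style timestamp prefix on each management-server line.
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<rest>.*)$")

# Message texts as quoted in the bug report; the capture groups are mine.
UNSUPPORTED_RE = re.compile(
    r"Service SecurityGroup is not supported in the network id=(?P<net>\S+?)\.?$"
)
SENDING_RE = re.compile(r"sending ruleset update for vm (?P<vm>i-\d+-\d+-VM)")

# Constructed sample: timestamps, network id 204 and the i-2-10-VM line are made up.
SAMPLE_LOG = """\
2021-05-10 10:00:01,000 DEBUG [c.c.n.s.SecurityGroupManagerImpl] Security Group Mgr v2: scheduling ruleset updates for 1
2021-05-10 10:00:01,050 DEBUG [c.c.n.NetworkModelImpl] Service SecurityGroup is not supported in the network id=204.
2021-05-10 10:00:01,100 DEBUG [c.c.n.s.SecurityGroupManagerImpl] SecurityGroupManager v2: sending ruleset update for vm i-123-4567-VM:ingress ....
2021-05-10 10:05:00,000 DEBUG [c.c.n.s.SecurityGroupManagerImpl] SecurityGroupManager v2: sending ruleset update for vm i-2-10-VM:ingress ....
"""


class Finding(NamedTuple):
    vm: str          # VM that received a ruleset update
    network_id: str  # network the manager had just reported as not supporting SG
    sent_at: str     # timestamp of the "sending ruleset update" line


def find_misapplied_rulesets(
    lines: List[str], window: timedelta = timedelta(seconds=5)
) -> List[Finding]:
    """Return VMs whose ruleset update was sent shortly after a
    'Service SecurityGroup is not supported' message.

    Correlation is by proximity in time because the two messages do not
    share an identifier: the first names the network, the second the VM.
    """
    recent_unsupported: Optional[Tuple[datetime, str]] = None
    findings: List[Finding] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines, stack traces, "..." separators
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        rest = m.group("rest")
        u = UNSUPPORTED_RE.search(rest)
        if u:
            recent_unsupported = (ts, u.group("net"))
            continue
        s = SENDING_RE.search(rest)
        if s and recent_unsupported and ts - recent_unsupported[0] <= window:
            findings.append(Finding(s.group("vm"), recent_unsupported[1], m.group("ts")))
    return findings


def scan_sample() -> List[Finding]:
    """Run the check over the constructed sample log."""
    return find_misapplied_rulesets(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.sent_at}: ruleset update sent to {f.vm} right after network "
              f"{f.network_id} was reported as not supporting SecurityGroup")
```

The i-2-10-VM line is deliberately outside the window, so it is not reported; on a real log you would pipe `grep -E "SecurityGroup|ruleset update"` output into `find_misapplied_rulesets` and then confirm each hit against the network offering of the VM before treating it as an instance of this bug.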
