CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be se… #765

Merged
merged 2 commits into from Sep 8, 2015

Conversation

wilderrodrigues (Contributor)

…t to DROP instead of ACCEPT

  • In order to be able to access the routers via the link local interface, we have to add rules with NEW and ESTABLISHED state

Tests:

  • Deployed 2 zones, basic and advanced, using KVM as hypervisor

  • On the basic zone, created 1 security group, added ingress rules to open port 22 and deployed 1 VM

    • SSH into the router and checked that the INPUT/FORWARD policies were set to DROP
    • SSH to the VM
  • On the advanced zone, created 1 single VPC (with 2 tiers, 2 pub IPs, 2 VMs and 1 ACL), 1 redundant VPC (with 2 tiers, 2 pub IPs, 2 VMs and 1 ACL), 1 isolated network (with 1 VM and 1 pub IP), 1 redundant network (with 1 VM and 1 pub IP)

    • SSH into all routers to check that the INPUT/FORWARD policies were set to DROP
    • SSH into all VMs to test the communication
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.26
    The authenticity of host '192.168.23.26 (192.168.23.26)' can't be established.
    RSA key fingerprint is cb:42:81:d0:05:97:f4:be:9e:3b:dd:3f:c6:d2:48:e7.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.26' (RSA) to the list of known hosts.
    root@192.168.23.26's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc     lost+found  media       mnt         opt         proc        root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.23.26 closed.
    
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.22.63
    The authenticity of host '192.168.22.63 (192.168.22.63)' can't be established.
    RSA key fingerprint is a2:20:d6:e2:fb:c5:89:94:57:f5:89:b1:a1:6d:63:99.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.22.63' (RSA) to the list of known hosts.
    root@192.168.22.63's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc     lost+found  media       mnt         opt         proc        root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.22.63 closed.
    
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.27 
    The authenticity of host '192.168.23.27 (192.168.23.27)' can't be established.
    RSA key fingerprint is 20:f1:6d:9b:74:c5:7b:53:10:5c:a0:0c:bc:9f:2a:29.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.27' (RSA) to the list of known hosts.
    root@192.168.23.27's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc     lost+found  media       mnt         opt         proc        root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.23.27 closed.
    
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.28
    The authenticity of host '192.168.23.28 (192.168.23.28)' can't be established.
    RSA key fingerprint is f7:ae:49:46:ba:02:c1:25:5a:50:87:0e:6f:a4:43:a3.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.28' (RSA) to the list of known hosts.
    root@192.168.23.28's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc     lost+found  media       mnt         opt         proc        root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.23.28 closed.
    
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.29
    The authenticity of host '192.168.23.29 (192.168.23.29)' can't be established.
    RSA key fingerprint is 09:0c:f2:41:a3:74:3d:ee:04:2b:78:ff:a9:91:0d:79.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.29' (RSA) to the list of known hosts.
    root@192.168.23.29's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc     lost+found  media       mnt         opt         proc        root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.23.29 closed.
    
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.30
    The authenticity of host '192.168.23.30 (192.168.23.30)' can't be established.
    RSA key fingerprint is 2c:a6:10:f5:6d:4b:d1:70:e2:47:07:19:0b:86:c1:b0.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.30' (RSA) to the list of known hosts.
    root@192.168.23.30's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc     lost+found  media       mnt         opt         proc        root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.23.30 closed.
    
    sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh root@192.168.23.32
    The authenticity of host '192.168.23.32 (192.168.23.32)' can't be established.
    RSA key fingerprint is 6b:85:1e:c7:2e:aa:01:a2:d4:19:e3:ec:a7:69:a1:71.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.23.32' (RSA) to the list of known hosts.
    root@192.168.23.32's password: 
    # ls /
    bin         boot        dev         etc         home        lib         lib64       linuxrc     lost+found  media       mnt         opt         proc        root        run         sbin        sys         tmp         usr         var
    # exit
    Connection to 192.168.23.32 closed.
    sbpltk1zffh04:asf_cloudstack wrodrigues$ 
    

I'm now running some automated tests, will post the results here once they are complete.

@remibergsma @DaanHoogland @bhaisaab @miguelaferreira @wido @karuturi , could you guys please have a look?

Do not forget to replace the systemvm.iso in your hypervisor. Do the following for KVM:

  • Copy this:
    • ./client/target/cloud-client-ui-4.6.0-SNAPSHOT/WEB-INF/classes/vms/systemvm.iso
  • To:
    • /usr/share/cloudstack-common/vms/systemvm.iso

Cheers,
Wilder
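The interaction the description above is pointing at, as an added example that is not CloudStack's code: a small model of one iptables chain (first matching rule wins, otherwise the chain's policy applies) showing that flipping INPUT to DROP without a NEW,ESTABLISHED rule on the link-local interface locks the operator out of the router, while adding that rule restores link-local access and still drops unsolicited traffic arriving on the public side. The interface names eth1 (link-local) and eth2 (public) and the port numbers are assumptions made for the illustration.

```python
"""Toy model of one iptables chain: first matching rule wins, else the chain policy.

Added example for this PR discussion; it is not CloudStack code and models only
what is needed to show why INPUT/FORWARD can go to DROP only together with a
NEW,ESTABLISHED rule on the link-local interface. Interface names (eth1 for
link-local, eth2 for public) and port numbers are assumptions for the illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LINK_LOCAL = "eth1"   # assumed name of the router's link-local interface
PUBLIC = "eth2"       # assumed name of the public interface


@dataclass(frozen=True)
class Packet:
    in_iface: str
    state: str                  # conntrack state: NEW, ESTABLISHED or INVALID
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                 # ACCEPT or DROP
    in_iface: Optional[str] = None
    states: frozenset = frozenset()   # empty set means "any state"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and self.in_iface != p.in_iface:
            return False
        if self.states and p.state not in self.states:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


@dataclass
class Chain:
    policy: str                 # default verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.target
        return self.policy


def input_chain(policy: str, allow_link_local: bool) -> Chain:
    """INPUT chain with the given policy, with or without the stateful link-local rule."""
    rules = []
    if allow_link_local:
        # Equivalent of: -A INPUT -i eth1 -m state --state NEW,ESTABLISHED -j ACCEPT
        rules.append(Rule("ACCEPT", in_iface=LINK_LOCAL,
                          states=frozenset({"NEW", "ESTABLISHED"})))
    return Chain(policy, rules)


def management_ssh_reachable(chain: Chain) -> bool:
    """Can the management host open a new SSH session over the link-local interface?"""
    return chain.verdict(Packet(LINK_LOCAL, "NEW", 22)) == "ACCEPT"


def unsolicited_public_dropped(chain: Chain) -> bool:
    """Is a new connection from the public side, with no rule for it, dropped?"""
    return chain.verdict(Packet(PUBLIC, "NEW", 8080)) == "DROP"


def scenarios() -> dict:
    """Before the PR, the naive DROP flip, and the PR's DROP plus link-local rule."""
    return {
        "policy ACCEPT, no link-local rule": input_chain("ACCEPT", False),
        "policy DROP, no link-local rule": input_chain("DROP", False),
        "policy DROP, link-local NEW,ESTABLISHED": input_chain("DROP", True),
    }


if __name__ == "__main__":
    for name, chain in scenarios().items():
        print(f"{name:42s} mgmt SSH ok={management_ssh_reachable(chain)!s:5s} "
              f"public unsolicited dropped={unsolicited_public_dropped(chain)}")
```

The middle scenario is the one a naive "just set the policy" change produces: every packet on the link-local interface, including the management host's SSH, falls through to DROP, which is why the rule with NEW and ESTABLISHED has to land in the same change as the policy flip.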

…t to DROP instead of ACCEPT

  - In order to be able to access the routers via the link local interface, we have to add rules with NEW and ESTABLISHED state
@wilderrodrigues (Contributor Author)

Some screenshots:

VMs: [screenshot]

Infra: [screenshot]

Routers: [screenshot]

@asfbot commented Aug 31, 2015
cloudstack-pull-rats #454 SUCCESS
This pull request looks good

@wilderrodrigues (Contributor Author)

VM Life Cycle tests (Advanced Zone)

[root@cs1 integration]# nosetests --with-marvin --marvin-config=/data/shared/marvin/mct-zone2-kvm2-ISOLATED.cfg -s -a tags=advanced,required_hardware=false smoke/test_vm_life_cycle.py 

==== Marvin Init Started ====

=== Marvin Parse Config Successful ===

=== Marvin Setting TestData Successful===

==== Log Folder Path: /tmp//MarvinLogs//Aug_31_2015_12_14_38_JN3PBD. All logs will be available here ====

=== Marvin Init Logging Successful===

==== Marvin Init Successful ====
=== TestName: test_advZoneVirtualRouter | Status : SUCCESS ===

=== TestName: test_deploy_vm | Status : SUCCESS ===

=== TestName: test_deploy_vm_multiple | Status : SUCCESS ===

=== TestName: test_01_stop_vm | Status : SUCCESS ===

=== TestName: test_02_start_vm | Status : SUCCESS ===

=== TestName: test_03_reboot_vm | Status : SUCCESS ===

=== TestName: test_06_destroy_vm | Status : SUCCESS ===

=== TestName: test_07_restore_vm | Status : SUCCESS ===

=== TestName: test_09_expunge_vm | Status : SUCCESS ===

===final results are now copied to: /tmp//MarvinLogs/test_vm_life_cycle_L0WK32===
[root@cs1 integration]# 

VM Life Cycle tests (Basic Zone)

[root@cs1 integration]# nosetests --with-marvin --marvin-config=/data/shared/marvin/mct-zone1-kvm1-basic.cfg -s -a tags=basic,required_hardware=false smoke/test_vm_life_cycle.py 

==== Marvin Init Started ====

=== Marvin Parse Config Successful ===

=== Marvin Setting TestData Successful===

==== Log Folder Path: /tmp//MarvinLogs//Aug_31_2015_12_41_40_5VQUD2. All logs will be available here ====

=== Marvin Init Logging Successful===

==== Marvin Init Successful ====
=== TestName: test_deploy_vm | Status : SUCCESS ===

=== TestName: test_deploy_vm_multiple | Status : SUCCESS ===

=== TestName: test_01_stop_vm | Status : SUCCESS ===

=== TestName: test_02_start_vm | Status : SUCCESS ===

=== TestName: test_03_reboot_vm | Status : SUCCESS ===

=== TestName: test_06_destroy_vm | Status : SUCCESS ===

=== TestName: test_07_restore_vm | Status : SUCCESS ===

=== TestName: test_09_expunge_vm | Status : SUCCESS ===

===final results are now copied to: /tmp//MarvinLogs/test_vm_life_cycle_8F4UL3===
[root@cs1 integration]#

@asfbot commented Aug 31, 2015
cloudstack-pull-analysis #387 SUCCESS
This pull request looks good

@wilderrodrigues (Contributor Author)

@karuturi @bhaisaab @DaanHoogland @koushik-das

Anyone with some time to have a look at this PR?

Thanks in advance.

Cheers,
Wilder

@miguelaferreira (Contributor)

@wilderrodrigues I'm now testing your PR, but I have a question: how is SSHing into the VMs testing the default policy is set to DROP?

@wilderrodrigues (Contributor Author)

SSH doesn't test it... I just did it to make sure all works as before.

To check the policies, run iptables -L --verbose (you will see DROP for the INPUT and FORWARD chains on all routers).

You can also try connecting to a port that doesn't have a PF setup.
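The two checks suggested in the reply above, as an added example that is not from the PR or from CloudStack: parse the chain policies out of the text that iptables -L --verbose (or iptables -S) prints, and probe a TCP port that has no port-forwarding rule, where a DROP policy shows up as a connect timeout rather than an immediate refusal. The iptables samples in the block are constructed to look like real output, and the interface name eth1 in them is an assumption.

```python
"""Check a virtual router's default chain policies, and probe for DROP from outside.

Added example for the review discussion above; it is not from the PR or from
CloudStack. The iptables text below is constructed to look like real
`iptables -L --verbose` and `iptables -S` output (the interface name eth1 in it
is an assumption); the parsers work on whatever text you capture from a router.
"""
import re
import socket

# Constructed sample of `iptables -L --verbose` on a router after the change.
SAMPLE_L_VERBOSE = """\
Chain INPUT (policy DROP 34 packets, 2040 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     all  --  eth1   any     anywhere             anywhere             state NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 512 packets, 40960 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed sample of `iptables -S` for the same ruleset.
SAMPLE_S = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FW_OUTBOUND
-A INPUT -i eth1 -m state --state NEW,ESTABLISHED -j ACCEPT
"""

# Built-in chains carry "(policy X ...)"; user-defined chains show "(N references)"
# and have no policy, so they are deliberately not matched.
_CHAIN_HEADER = re.compile(r"^Chain (\S+) \(policy (\S+)")
_POLICY_LINE = re.compile(r"^-P (\S+) (\S+)")


def policies_from_list_output(text: str) -> dict:
    """chain -> policy, parsed from `iptables -L --verbose` text."""
    return {m.group(1): m.group(2)
            for m in (_CHAIN_HEADER.match(line) for line in text.splitlines()) if m}


def policies_from_save_output(text: str) -> dict:
    """chain -> policy, parsed from `iptables -S` / iptables-save text."""
    return {m.group(1): m.group(2)
            for m in (_POLICY_LINE.match(line) for line in text.splitlines()) if m}


def chains_not_dropping(policies: dict, chains=("INPUT", "FORWARD")) -> list:
    """Chains that should default to DROP but do not (a missing chain counts as a failure)."""
    return [c for c in chains if policies.get(c) != "DROP"]


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a connect attempt: 'open', 'refused', 'filtered' (silent drop) or 'unreachable'.

    With INPUT policy DROP and no port-forward for the port, the SYN gets no answer
    and the attempt times out ('filtered'); a REJECT rule, or an ACCEPT policy with
    nothing listening, answers at once ('refused').
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def probe_self_test() -> tuple:
    """Loopback demo: probe a listening port, then the same port once the listener is gone."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_listening = probe_tcp("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()
    return while_listening, probe_tcp("127.0.0.1", port, timeout=1.0)


if __name__ == "__main__":
    for label, parsed in (("iptables -L --verbose", policies_from_list_output(SAMPLE_L_VERBOSE)),
                          ("iptables -S", policies_from_save_output(SAMPLE_S))):
        print(label, parsed, "still ACCEPT by default:", chains_not_dropping(parsed) or "none")
    print("loopback probe (listening, after close):", probe_self_test())
```

Feed the parsers the output captured over SSH from each router; an empty list from chains_not_dropping is the pass condition, and a missing chain is treated as a failure rather than silently passing. The loopback self-test only shows the open and refused outcomes; the filtered outcome is what you should see when probing a router's public IP on a port with no port-forwarding rule.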

@miguelaferreira (Contributor)

ok, that's what I thought.

@miguelaferreira (Contributor)

@wilderrodrigues wouldn't it be better to have a Marvin test that checks the policy?
Now that I think of it, also a Python unit-test?

@@ -414,7 +426,7 @@ def fw_router(self):
self.fw.append(['', '', '-A NETWORK_STATS -i eth2 -o eth0'])
self.fw.append(['', '', '-A NETWORK_STATS -o eth2 ! -i eth0 -p tcp'])
self.fw.append(['', '', '-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp'])
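Review bot: as rendered here the hunk shows only three unchanged NETWORK_STATS context lines and no added or removed lines, so whatever changed in fw_router() at this spot is not visible in this extract; the header's offset (old line 414, new line 426, seven lines on each side) only tells us that twelve lines were added earlier in the same file and that this hunk is a like-for-like edit. The inline comments under it flag trailing whitespace on one of these lines, which this rendering strips; run the file through git diff --check and drop the trailing spaces in this PR rather than in a follow-up, so the next diff touching these NETWORK_STATS lines is not a whitespace-only change.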

Contributor

trailing white space?

Contributor Author

3 days of work to find the cause of the bugs and the thing goes with trailing spaces... crap.

Will remove it once I add a marvin test.

Contributor

@wilderrodrigues Seems like you hadn't removed the trailing white spaces. Maybe a good time to remove them when PRing CLOUDSTACK-8878 or CLOUDSTACK-8795? :)

@DaanHoogland (Contributor)

changes look reasonable. I have not tested, so I am going to trust @wilderrodrigues on this, but @miguelaferreira's point on automation sounds very promising to me.

@wilderrodrigues (Contributor Author)

Hi @miguelaferreira

Okay for the Marvin test, but then it will make the thing wait for another day, at least. Which is fine, but I hope people LGTM it afterwards. I'm worried about the lack of reviews/tests by reviewers on PRs.

Concerning the unit test, I won't add it because I want to refactor the code as a project and have it done in a way that we can add tests and refactor, as it was done with other components. I know it could be done in a way where I could refactor just 1 method, add a test and push it. However, I do not want to mix styles in the Python code.

By styles I mean: the way it was developed and the way I would have developed it. So, mixing styles by refactoring 1 method to add 1 test will not really improve it. Once we release 4.6, and if that's okay with the team, I, we, will work on the Python refactor.

Cheers,
Wilder

@miguelaferreira (Contributor)

@wilderrodrigues ok for the Python unit tests, but I would really like a Marvin test, or at least some way to automate setting up the environment you described. I'm trying to test this, and clicking around in the UI is just too inefficient.

@wilderrodrigues (Contributor Author)

I will push a test today to cover the iptables default policies.

Do you need help finding the options on the UI whilst the test gets cooked?

Cheers,
Wilder

@karuturi (Member)

karuturi commented Sep 2, 2015

tested this on Xen 6.5 advanced zone with isolated and VPC. Verified that the default policies are set to DROP.

I am not sure if it's related to this, but I found the below issue:
in the case of a VM launched in a VPC, outgoing public traffic worked (I was able to ping google.com).
But in the case of a VM in the default isolated network (DefaultIsolatedNetworkOfferingWithSourceNatService), outgoing public traffic was blocked even after adding an egress rule.
It only worked after running the following on the isolated VR:

iptables -I FW_OUTBOUND -j FIREWALL_EGRESS_RULES

@wilderrodrigues (Contributor Author)

Thanks for testing it, @karuturi, much appreciated!

I'm writing marvin tests for this PR and the other issue (CLOUDSTACK-8759). Once done, I will have a look at the problem you reported.

In order to keep things separate and move quicker with the PRs, could you please open a separate issue with the details above?

Thanks in advance.

Cheers,
Wilder

@karuturi (Member)

karuturi commented Sep 2, 2015

Ok. Here is the new issue https://issues.apache.org/jira/browse/CLOUDSTACK-8795

👍 for this PR

@wilderrodrigues (Contributor Author)

Thanks for the LGTM and for the new issue, @karuturi. :)

I will push the test today and merge the PR after @miguelaferreira tests it.

Cheers,
Wilder

@asfbot commented Sep 4, 2015
cloudstack-pull-rats #489 SUCCESS
This pull request looks good

@asfbot commented Sep 4, 2015
cloudstack-pull-analysis #422 SUCCESS
This pull request looks good

@asfbot commented Sep 4, 2015
cloudstack-pull-rats #491 SUCCESS
This pull request looks good

@asfbot commented Sep 4, 2015
cloudstack-pull-analysis #424 FAILURE
Looks like there's a problem with this pull request

@asfbot commented Sep 4, 2015
cloudstack-pull-rats #494 SUCCESS
This pull request looks good

@asfbot commented Sep 4, 2015
cloudstack-pull-rats #495 SUCCESS
This pull request looks good

@asfbot commented Sep 4, 2015
cloudstack-pull-analysis #427 FAILURE
Looks like there's a problem with this pull request

@asfbot commented Sep 4, 2015
cloudstack-pull-rats #496 SUCCESS
This pull request looks good

@asfbot commented Sep 4, 2015
cloudstack-pull-rats #497 SUCCESS
This pull request looks good

@asfbot commented Sep 4, 2015
cloudstack-pull-rats #498 SUCCESS
This pull request looks good

@asfbot commented Sep 4, 2015
cloudstack-pull-rats #499 SUCCESS
This pull request looks good

@asfbot commented Sep 4, 2015
cloudstack-pull-analysis #434 UNSTABLE
Looks like there's a problem with this pull request

@asfbot commented Sep 4, 2015
cloudstack-pull-analysis #435 SUCCESS
This pull request looks good

@asfbot commented Sep 4, 2015
cloudstack-pull-analysis #437 UNSTABLE
Looks like there's a problem with this pull request

@asfbot commented Sep 4, 2015
cloudstack-pull-analysis #438 UNSTABLE
Looks like there's a problem with this pull request

@asfbot commented Sep 5, 2015
cloudstack-pull-rats #508 SUCCESS
This pull request looks good

@asfbot commented Sep 5, 2015
cloudstack-pull-analysis #441 SUCCESS
This pull request looks good

@karuturi (Member)

karuturi commented Sep 7, 2015

@miguelaferreira @wilderrodrigues waiting for the PR merge :)

@miguelaferreira (Contributor)

@karuturi Wilder will add marvin test for this PR, I will run that and post the results

@asfbot commented Sep 7, 2015
cloudstack-pull-rats #525 SUCCESS
This pull request looks good

@asfbot commented Sep 7, 2015
cloudstack-pull-analysis #459 UNSTABLE
Looks like there's a problem with this pull request

@asfbot commented Sep 7, 2015
cloudstack-pull-rats #528 SUCCESS
This pull request looks good

@asfbot commented Sep 7, 2015
cloudstack-pull-analysis #462 SUCCESS
This pull request looks good

@asfbot commented Sep 7, 2015
cloudstack-pull-rats #533 SUCCESS
This pull request looks good

@asfbot commented Sep 7, 2015
cloudstack-pull-rats #534 SUCCESS
This pull request looks good

@asfbot commented Sep 7, 2015
cloudstack-pull-rats #535 SUCCESS
This pull request looks good

@asfbot commented Sep 7, 2015
cloudstack-pull-rats #536 SUCCESS
This pull request looks good

…lied

   - Changing refactored the utils.get_process_status() function
   - Adding 2 tests: test_01_single_VPC_iptables_policies and test_02_routervm_iptables_policies
@wilderrodrigues (Contributor Author)

@miguelaferreira @remibergsma @karuturi @DaanHoogland

The test is done!

Results:

Test iptables default INPUT/FORWARD policy on RouterVM ... === TestName: test_02_routervm_iptables_policies | Status : SUCCESS ===
ok
Test iptables default INPUT/FORWARD policies on VPC router ... === TestName: test_01_single_VPC_iptables_policies | Status : SUCCESS ===
ok


Ran 2 tests in 663.540s

OK
/tmp//MarvinLogs/test_routers_iptables_default_policy_RC3AMZ/results.txt (END)

The tests were done only for single VPC and Isolated Network because the Python code executed is also used by Redundant VPC and Shared Network. We can come back to this test later and add more cases; I already added some service for the above-mentioned networks in the test.

You can run this test by doing so:

nosetests --with-marvin --marvin-config=/data/shared/marvin/mct-zone2-kvm2-ISOLATED.cfg -s -a tags=advanced,required_hardware=true component/test_routers_iptables_default_policy.py

Make sure you do the following before running the test against a KVM hypervisor:

  • Copy the systemvm.iso:
    • cloudstack/client/target/cloud-client-ui-4.6.0-SNAPSHOT/WEB-INF/classes/vms/systemvm.iso
  • To:
    • /usr/share/cloudstack-common/vms/systemvm.iso

Cheers,
Wilder

@asfbot commented Sep 7, 2015
cloudstack-pull-analysis #467 SUCCESS
This pull request looks good

@asfbot commented Sep 7, 2015
cloudstack-pull-analysis #468 ABORTED

@asfbot commented Sep 7, 2015
cloudstack-pull-rats #538 SUCCESS
This pull request looks good

@asfbot commented Sep 7, 2015
cloudstack-pull-analysis #469 ABORTED

@asfbot commented Sep 7, 2015
cloudstack-pull-analysis #470 FAILURE
Looks like there's a problem with this pull request

@asfbot commented Sep 7, 2015
cloudstack-pull-analysis #472 UNSTABLE
Looks like there's a problem with this pull request

@wilderrodrigues (Contributor Author)

@wido @borisroman @bhaisaab

Could one of you have a look at this PR, please? :)

Cheers,
Wilder

@rohityadavcloud (Member)

LGTM

@asfgit asfgit merged commit 1742b10 into apache:master Sep 8, 2015
asfgit pushed a commit that referenced this pull request Sep 8, 2015
CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be set to DROP instead of ACCEPT

  - In order to be able to access the routers via the link local interface, we have to add rules with NEW and ESTABLISHED state

* pr/765:
  CLOUDSTACK-8688 - Adding Marvin tests in order to cover the fixes applied
  CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be set to DROP instead of ACCEPT

Signed-off-by: wilderrodrigues <wrodrigues@schubergphilis.com>
@wilderrodrigues (Contributor Author)

Thanks, @bhaisaab !

JoaoJandre pushed a commit to scclouds/cloudstack that referenced this pull request Nov 24, 2022
Reverter MR 295

Closes apache#765

See merge request scclouds/scclouds!333
8 participants