Security group not getting applied

Versions of the related components and OS (frontend, hypervisors, VMs):

OS: Debian 12 (frontend and hypervisors)
OpenNebula version 7.0.0

Steps to reproduce:

1. Create a security group and only allow SSH inbound.

2. Apply the security group to the network and remove the default security group 0.

3. Start a VM in that network.

4. Test an outbound connection to any port.

Current results:

All ports are allowed inbound and outbound.

Expected results:

Only allow inbound ssh and block all other inbound and outbound connections.

Additional details:

[root@bln-onebula-001 ~]# su - oneadmin
oneadmin@bln-onebula-001:~$ onehost sync --force
* Adding bln-hyperlab-006.imeka.io to upgrade
* Adding bln-hyperlab-005.imeka.io to upgrade
* Adding bln-hyperlab-003.imeka.io to upgrade
* Adding bln-hyperlab-002.imeka.io to upgrade
* Adding bln-hyperlab-004.imeka.io to upgrade
* Adding bln-hyperlab-001.imeka.io to upgrade
[========================================] 6/6 bln-hyperlab-001.imeka.io        
All hosts updated successfully.

oneadmin@bln-onebula-001:~$ onesecgroup commit 100

$ onevm show 61
VIRTUAL MACHINE 61 INFORMATION                                                  
ID                  : 61
NAME                : bln-openvox-001
USER                : oneadmin
GROUP               : oneadmin
STATE               : ACTIVE
LCM_STATE           : RUNNING
LOCK                : None
RESCHED             : No
HOST                : bln-hyperlab-006.imeka.io
CLUSTER ID          : 100
CLUSTER             : OLD DL360 G7
START TIME          : 10/14 17:43:37
END TIME            : -
DEPLOY ID           : 0a0d5a43-4040-4564-b1d6-36733241070d
...
NIC_ID NETWORK                   SECURITY_GROUPS                                
     0 L3                        100

SECURITY GROUP   TYPE     PROTOCOL NETWORK                       RANGE          
  ID NAME                          VNET START             SIZE                  
 100 imk-common  inbound  TCP                                    22
...

[root@bln-onebula-001 ~]# dpkg -l | grep nebula
ii  opennebula                      7.0.0-1                             amd64        OpenNebula Server and Scheduler (Community Edition)
ii  opennebula-common               7.0.0-1                             all          Common OpenNebula package shared by various components (Community Edition)
ii  opennebula-common-onecfg        7.0.0-1                             all          Helpers for OpenNebula onecfg (Community Edition)
ii  opennebula-fireedge             7.0.0-1                             amd64        OpenNebula web interface FireEdge (Community Edition)
ii  opennebula-flow                 7.0.0-1                             all          OpenNebula Flow server (Community Edition)
ii  opennebula-gate                 7.0.0-1                             all          OpenNebula Gate server (Community Edition)
ii  opennebula-guacd                7.0.0-1                             amd64        Provides Guacamole server for Fireedge to be used in Sunstone (Community Edition)
ii  opennebula-libs                 7.0.0-1                             all          OpenNebula libraries (Community Edition)
ii  opennebula-migration            7.0.0-1                             all          Migration tools for OpenNebula (Community Edition)
ii  opennebula-rubygems             7.0.0-1                             amd64        Ruby dependencies for OpenNebula (Community Edition)
ii  opennebula-tools                7.0.0-1                             all          OpenNebula command line tools (Community Edition)

On the deployed host:

[root@bln-hyperlab-006 ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

[root@bln-hyperlab-006 ~]# dpkg -l | grep nebula
ii  opennebula-common                    7.0.0-1                         all          Common OpenNebula package shared by various components (Community Edition)
ii  opennebula-common-onecfg             7.0.0-1                         all          Helpers for OpenNebula onecfg (Community Edition)
ii  opennebula-node-kvm                  7.0.0-1                         all          Services for OpenNebula KVM node (Community Edition)
ii  opennebula-rubygems                  7.0.0-1                         amd64        Ruby dependencies for OpenNebula (Community Edition)

Let me know if you need more information.
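The empty ruleset captured on the hypervisor above is the key evidence. Here is an added check script (not from the original post or from OpenNebula) that parses `iptables -L -n -v` text and reports whether any filtering rules are installed at all; the first sample is the empty ruleset from the report, and the per-NIC chain name `one-61-0-i` in the second sample is an assumption about what a driver that enforces security groups would create.

```shell
#!/bin/sh
# Added example, not the poster's or OpenNebula's code. Parses the output of
# `iptables -L -n -v` and answers: are there any filtering rules on this host?
# Exit status of sg_enforced: 0 = rules present, 1 = firewall empty (as in the post).

# Constructed sample 1: the empty ruleset shown in the report.
EMPTY_RULESET='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# Constructed sample 2: a host where a per-NIC chain exists (chain name assumed;
# substitute whatever names your network driver actually creates).
FILTERED_RULESET='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   800 one-61-0-i  all  --  *      one-61-0  0.0.0.0/0            0.0.0.0/0

Chain one-61-0-i (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    9   620 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# Number of rule lines (lines starting with pkts/bytes counters) in one chain.
chain_rule_count() {   # $1 = ruleset text, $2 = chain name
  printf '%s\n' "$1" | awk -v chain="$2" '
    /^Chain / { inchain = ($2 == chain); next }
    inchain && /^[[:space:]]*[0-9]+[KMG]?[[:space:]]+[0-9]+[KMG]?[[:space:]]/ { n++ }
    END { print n + 0 }'
}

# Number of user-defined chains (anything besides the three built-in chains).
user_chain_count() {   # $1 = ruleset text
  printf '%s\n' "$1" | awk '/^Chain / && $2 != "INPUT" && $2 != "FORWARD" && $2 != "OUTPUT" { n++ }
    END { print n + 0 }'
}

# Verdict: bridged VM traffic is filtered in FORWARD or in per-VM chains, so
# rules in either place mean something is enforcing; none means nothing is.
sg_enforced() {   # $1 = ruleset text
  [ "$(chain_rule_count "$1" FORWARD)" -gt 0 ] || [ "$(user_chain_count "$1")" -gt 0 ]
}

if [ "${1:-}" = "--live" ]; then   # check the running host instead of the samples
  sg_enforced "$(iptables -L -n -v)" && echo "filtering rules present" \
    || echo "no filtering rules: security group is not applied on this host"
fi
```

Run it with `--live` as root on each KVM node after `onesecgroup commit`; a host that prints the second message is the one to compare against the vnet's VN_MAD setting, since only drivers that implement security groups install these chains.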

Hello @j-s.frerot, apologies for the delay in the reply, but your question is a bit tricky:

Can I ask you the following first?

  1. Is there any Networking driver involved?
  2. Has each hypervisor updated following the security group ID?
  3. It seems that there are no rules on the hypervisor (I'm checking with the team to see if we can reproduce this), so I don't know if you have already placed some rules or restrictions.

From what I understand, the issue here is that all ports behave as if there is no security at all (SSH connections), but if I missed something, let me know.

I don't know if you have checked our documentation about Security Groups. In any case, I've already requested some help from the engineering team to check whether this is a bug or something is missing.

Regards,
Francisco.-