[SOLVED] Security groups don't seem to work (5.8.1)

Tony · June 24, 2019, 12:50pm

Hello,
running tests with Opennebula and can’t get the security group to do anything. The rules seem to not apply at all.

onevm show -x 41

<VM>
  <ID>41</ID>
  <UID>0</UID>
  <GID>0</GID>
  <UNAME>oneadmin</UNAME>
  <GNAME>oneadmin</GNAME>
  <NAME>Ubuntu 16.04 (x1)-41</NAME>
  <PERMISSIONS>
    <OWNER_U>1</OWNER_U>
    <OWNER_M>1</OWNER_M>
    <OWNER_A>0</OWNER_A>
    <GROUP_U>0</GROUP_U>
    <GROUP_M>0</GROUP_M>
    <GROUP_A>0</GROUP_A>
    <OTHER_U>0</OTHER_U>
    <OTHER_M>0</OTHER_M>
    <OTHER_A>0</OTHER_A>
  </PERMISSIONS>
  <LAST_POLL>1561380127</LAST_POLL>
  <STATE>3</STATE>
  <LCM_STATE>3</LCM_STATE>
  <PREV_STATE>3</PREV_STATE>
  <PREV_LCM_STATE>3</PREV_LCM_STATE>
  <RESCHED>0</RESCHED>
  <STIME>1561378410</STIME>
  <ETIME>0</ETIME>
  <DEPLOY_ID>one-41</DEPLOY_ID>
  <MONITORING>
    <CPU><![CDATA[0.99]]></CPU>
    <DISKRDBYTES><![CDATA[155272556]]></DISKRDBYTES>
    <DISKRDIOPS><![CDATA[7364]]></DISKRDIOPS>
    <DISKWRBYTES><![CDATA[397255680]]></DISKWRBYTES>
    <DISKWRIOPS><![CDATA[3465]]></DISKWRIOPS>
    <DISK_SIZE>
      <ID><![CDATA[0]]></ID>
      <SIZE><![CDATA[640]]></SIZE>
    </DISK_SIZE>
    <DISK_SIZE>
      <ID><![CDATA[1]]></ID>
      <SIZE><![CDATA[1]]></SIZE>
    </DISK_SIZE>
    <MEMORY><![CDATA[621148]]></MEMORY>
    <NETRX><![CDATA[24300690]]></NETRX>
    <NETTX><![CDATA[331356]]></NETTX>
    <STATE><![CDATA[a]]></STATE>
  </MONITORING>
  <TEMPLATE>
    <AUTOMATIC_DS_REQUIREMENTS><![CDATA[("CLUSTERS/ID" @> 0)]]></AUTOMATIC_DS_REQUIREMENTS>
    <AUTOMATIC_NIC_REQUIREMENTS><![CDATA[("CLUSTERS/ID" @> 0)]]></AUTOMATIC_NIC_REQUIREMENTS>
    <AUTOMATIC_REQUIREMENTS><![CDATA[(CLUSTER_ID = 0) & !(PUBLIC_CLOUD = YES)]]></AUTOMATIC_REQUIREMENTS>
    <CONTEXT>
      <DISK_ID><![CDATA[1]]></DISK_ID>
      <ETH0_CONTEXT_FORCE_IPV4><![CDATA[]]></ETH0_CONTEXT_FORCE_IPV4>
      <ETH0_DNS><![CDATA[8.8.8.8]]></ETH0_DNS>
      <ETH0_EXTERNAL><![CDATA[]]></ETH0_EXTERNAL>
      <ETH0_GATEWAY><![CDATA[37.59.54.254]]></ETH0_GATEWAY>
      <ETH0_GATEWAY6><![CDATA[]]></ETH0_GATEWAY6>
      <ETH0_IP><![CDATA[178.33.223.132]]></ETH0_IP>
      <ETH0_IP6><![CDATA[]]></ETH0_IP6>
      <ETH0_IP6_PREFIX_LENGTH><![CDATA[]]></ETH0_IP6_PREFIX_LENGTH>
      <ETH0_IP6_ULA><![CDATA[]]></ETH0_IP6_ULA>
      <ETH0_MAC><![CDATA[02:00:00:49:b3:2b]]></ETH0_MAC>
      <ETH0_MASK><![CDATA[255.255.255.0]]></ETH0_MASK>
      <ETH0_MTU><![CDATA[]]></ETH0_MTU>
      <ETH0_NETWORK><![CDATA[37.59.54.0]]></ETH0_NETWORK>
      <ETH0_SEARCH_DOMAIN><![CDATA[]]></ETH0_SEARCH_DOMAIN>
      <ETH0_VLAN_ID><![CDATA[]]></ETH0_VLAN_ID>
      <ETH0_VROUTER_IP><![CDATA[]]></ETH0_VROUTER_IP>
      <ETH0_VROUTER_IP6><![CDATA[]]></ETH0_VROUTER_IP6>
      <ETH0_VROUTER_MANAGEMENT><![CDATA[]]></ETH0_VROUTER_MANAGEMENT>
      <NETWORK><![CDATA[YES]]></NETWORK>
      <SSH_PUBLIC_KEY><![CDATA[ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0/dIUzav1FlNY6SmD658Svtr0QyuB3Wo/X9MyUnUROifr5q+34uFZIJNVAQzojRMpEhLWQ8IQyGiuDWVuZSuR33lZuX5SZ/E2usO0XO9hR5g4Q2mw8NpLl1epOTUh4rX++DqkM6tYPM2h8Fz/SIOy8asL6TBrDOSntuQjfiS6Lf9ydTjOYSQnj7PQU+mSir+pyRpL7T4evsWNafFwmZ4tuyQ4DBJDpngH3iQ1Jjfdxg9ZX6X7kvAJCw5IU5kKPuvQE3dCyrbBDQftYt/xEKuGEbgf5DzNru/JDCwK+9cAFw3gUiUGg/o2w5JI7Jj/Nymebqiy0FoEWxCBTjuccpSM4rb5c0vzpjWytWtKDLJTHnav6RuBSyfwKVRGQpRF+0TMR7kxILa5izXr9BuUPs6B+m7mCwJfm5EOddfgrx42kVWa/oTYKK2FeSNrUv2Enk1NmJgSPLpax2i3s5+9ITH/PeGhndD7IBFvIfG83SOMm1MgM2znfVn5Q5woJ+nY3DLtS6VFfTxmpGffmztLe1YqwfTRL/5G6jsMstTDfKRRavZM7t1OUxMzLzzB9wtGzjOUCV/69mFQ3uSTJ8QvXJw0VqdzcOThDrdxsKzZ3+9Iis+1cYOcn39AgJxPXkSKDjUKH+8Kpg2kHamTfi7XDNgAxAX2rCNZchsirsUpesbwoQ==]]></SSH_PUBLIC_KEY>
      <TARGET><![CDATA[hda]]></TARGET>
    </CONTEXT>
    <CPU><![CDATA[1]]></CPU>
    <DISK>
      <ALLOW_ORPHANS><![CDATA[NO]]></ALLOW_ORPHANS>
      <CLONE><![CDATA[YES]]></CLONE>
      <CLONE_TARGET><![CDATA[SYSTEM]]></CLONE_TARGET>
      <CLUSTER_ID><![CDATA[0]]></CLUSTER_ID>
      <DATASTORE><![CDATA[default]]></DATASTORE>
      <DATASTORE_ID><![CDATA[1]]></DATASTORE_ID>
      <DEV_PREFIX><![CDATA[vd]]></DEV_PREFIX>
      <DISK_ID><![CDATA[0]]></DISK_ID>
      <DISK_SNAPSHOT_TOTAL_SIZE><![CDATA[0]]></DISK_SNAPSHOT_TOTAL_SIZE>
      <DISK_TYPE><![CDATA[FILE]]></DISK_TYPE>
      <DRIVER><![CDATA[qcow2]]></DRIVER>
      <IMAGE><![CDATA[Ubuntu 16.04 LTS]]></IMAGE>
      <IMAGE_ID><![CDATA[1]]></IMAGE_ID>
      <IMAGE_STATE><![CDATA[2]]></IMAGE_STATE>
      <IMAGE_UNAME><![CDATA[oneadmin]]></IMAGE_UNAME>
      <LN_TARGET><![CDATA[SYSTEM]]></LN_TARGET>
      <ORIGINAL_SIZE><![CDATA[2252]]></ORIGINAL_SIZE>
      <READONLY><![CDATA[NO]]></READONLY>
      <SAVE><![CDATA[NO]]></SAVE>
      <SIZE><![CDATA[10240]]></SIZE>
      <SOURCE><![CDATA[/var/lib/one//datastores/1/0ac59e99b044445d25b0c18907da7bb6]]></SOURCE>
      <TARGET><![CDATA[vda]]></TARGET>
      <TM_MAD><![CDATA[ssh]]></TM_MAD>
      <TYPE><![CDATA[FILE]]></TYPE>
    </DISK>
    <FEATURES>
      <ACPI><![CDATA[yes]]></ACPI>
      <LOCALTIME><![CDATA[yes]]></LOCALTIME>
    </FEATURES>
    <GRAPHICS>
      <LISTEN><![CDATA[0.0.0.0]]></LISTEN>
      <PORT><![CDATA[5941]]></PORT>
      <TYPE><![CDATA[VNC]]></TYPE>
    </GRAPHICS>
    <MEMORY><![CDATA[1024]]></MEMORY>
    <NIC>
      <AR_ID><![CDATA[4]]></AR_ID>
      <BRIDGE><![CDATA[br0]]></BRIDGE>
      <BRIDGE_TYPE><![CDATA[linux]]></BRIDGE_TYPE>
      <CLUSTER_ID><![CDATA[0]]></CLUSTER_ID>
      <IP><![CDATA[178.33.223.132]]></IP>
      <MAC><![CDATA[02:00:00:49:b3:2b]]></MAC>
      <NAME><![CDATA[NIC0]]></NAME>
      <NETWORK><![CDATA[FR-01-OVH]]></NETWORK>
      <NETWORK_ID><![CDATA[0]]></NETWORK_ID>
      <NETWORK_UNAME><![CDATA[oneadmin]]></NETWORK_UNAME>
      <NIC_ID><![CDATA[0]]></NIC_ID>
      <SECURITY_GROUPS><![CDATA[0,100]]></SECURITY_GROUPS>
      <TARGET><![CDATA[one-41-0]]></TARGET>
      <VN_MAD><![CDATA[bridge]]></VN_MAD>
    </NIC>
    <OS>
      <ARCH><![CDATA[x86_64]]></ARCH>
      <BOOT><![CDATA[]]></BOOT>
      <MACHINE><![CDATA[ubuntu]]></MACHINE>
    </OS>
    <SECURITY_GROUP_RULE>
      <PROTOCOL><![CDATA[ALL]]></PROTOCOL>
      <RULE_TYPE><![CDATA[OUTBOUND]]></RULE_TYPE>
      <SECURITY_GROUP_ID><![CDATA[0]]></SECURITY_GROUP_ID>
      <SECURITY_GROUP_NAME><![CDATA[default]]></SECURITY_GROUP_NAME>
    </SECURITY_GROUP_RULE>
    <SECURITY_GROUP_RULE>
      <PROTOCOL><![CDATA[ALL]]></PROTOCOL>
      <RULE_TYPE><![CDATA[INBOUND]]></RULE_TYPE>
      <SECURITY_GROUP_ID><![CDATA[0]]></SECURITY_GROUP_ID>
      <SECURITY_GROUP_NAME><![CDATA[default]]></SECURITY_GROUP_NAME>
    </SECURITY_GROUP_RULE>
    <SECURITY_GROUP_RULE>
      <PROTOCOL><![CDATA[TCP]]></PROTOCOL>
      <RANGE><![CDATA[1:24,26:52,54:464,466:586,588:65535]]></RANGE>
      <RULE_TYPE><![CDATA[inbound]]></RULE_TYPE>
      <SECURITY_GROUP_ID><![CDATA[100]]></SECURITY_GROUP_ID>
      <SECURITY_GROUP_NAME><![CDATA[New-customers]]></SECURITY_GROUP_NAME>
    </SECURITY_GROUP_RULE>
    <SECURITY_GROUP_RULE>
      <PROTOCOL><![CDATA[TCP]]></PROTOCOL>
      <RANGE><![CDATA[1:24,26:52,54:464,466:586,588:65535]]></RANGE>
      <RULE_TYPE><![CDATA[outbound]]></RULE_TYPE>
      <SECURITY_GROUP_ID><![CDATA[100]]></SECURITY_GROUP_ID>
      <SECURITY_GROUP_NAME><![CDATA[New-customers]]></SECURITY_GROUP_NAME>
    </SECURITY_GROUP_RULE>
    <SECURITY_GROUP_RULE>
      <PROTOCOL><![CDATA[UDP]]></PROTOCOL>
      <RANGE><![CDATA[1:24,26:52,54:464,466:586,588:65535]]></RANGE>
      <RULE_TYPE><![CDATA[inbound]]></RULE_TYPE>
      <SECURITY_GROUP_ID><![CDATA[100]]></SECURITY_GROUP_ID>
      <SECURITY_GROUP_NAME><![CDATA[New-customers]]></SECURITY_GROUP_NAME>
    </SECURITY_GROUP_RULE>
    <SECURITY_GROUP_RULE>
      <PROTOCOL><![CDATA[UDP]]></PROTOCOL>
      <RANGE><![CDATA[1:24,26:52,54:464,466:586,588:65535]]></RANGE>
      <RULE_TYPE><![CDATA[outbound]]></RULE_TYPE>
      <SECURITY_GROUP_ID><![CDATA[100]]></SECURITY_GROUP_ID>
      <SECURITY_GROUP_NAME><![CDATA[New-customers]]></SECURITY_GROUP_NAME>
    </SECURITY_GROUP_RULE>
    <TEMPLATE_ID><![CDATA[13]]></TEMPLATE_ID>
    <TM_MAD_SYSTEM><![CDATA[ssh]]></TM_MAD_SYSTEM>
    <VCPU><![CDATA[1]]></VCPU>
    <VMID><![CDATA[41]]></VMID>
  </TEMPLATE>
  <USER_TEMPLATE>
    <DESCRIPTION><![CDATA[1 vCPU / 1GB RAM / 1TB traffic @ 1Gbps]]></DESCRIPTION>
    <HYPERVISOR><![CDATA[kvm]]></HYPERVISOR>
    <INPUTS_ORDER><![CDATA[]]></INPUTS_ORDER>
    <LOGO><![CDATA[images/logos/ubuntu.png]]></LOGO>
    <MEMORY_UNIT_COST><![CDATA[MB]]></MEMORY_UNIT_COST>
    <SUNSTONE>
      <NETWORK_SELECT><![CDATA[NO]]></NETWORK_SELECT>
    </SUNSTONE>
    <USER_INPUTS>
      <CPU><![CDATA[O|fixed|| |1]]></CPU>
      <MEMORY><![CDATA[O|fixed|| |1024]]></MEMORY>
      <VCPU><![CDATA[O|fixed|| |1]]></VCPU>
    </USER_INPUTS>
  </USER_TEMPLATE>
  <HISTORY_RECORDS>
    <HISTORY>
      <OID>41</OID>
      <SEQ>0</SEQ>
      <HOSTNAME>FR-01-OVH</HOSTNAME>
      <HID>2</HID>
      <CID>0</CID>
      <STIME>1561378420</STIME>
      <ETIME>0</ETIME>
      <VM_MAD><![CDATA[kvm]]></VM_MAD>
      <TM_MAD><![CDATA[ssh]]></TM_MAD>
      <DS_ID>0</DS_ID>
      <PSTIME>1561378420</PSTIME>
      <PETIME>1561378429</PETIME>
      <RSTIME>1561378429</RSTIME>
      <RETIME>0</RETIME>
      <ESTIME>0</ESTIME>
      <EETIME>0</EETIME>
      <ACTION>0</ACTION>
      <UID>-1</UID>
      <GID>-1</GID>
      <REQUEST_ID>-1</REQUEST_ID>
    </HISTORY>
  </HISTORY_RECORDS>
</VM>

iptables-save:

# Generated by iptables-save v1.6.0 on Mon Jun 24 14:46:01 2019
*mangle
:PREROUTING ACCEPT [21166784328:57467757409355]
:INPUT ACCEPT [21150794580:57466899216236]
:FORWARD ACCEPT [11753033:449532207]
:OUTPUT ACCEPT [19496456380:58718471682410]
:POSTROUTING ACCEPT [19508209404:58718921213957]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Mon Jun 24 14:46:01 2019
# Generated by iptables-save v1.6.0 on Mon Jun 24 14:46:01 2019
*nat
:PREROUTING ACCEPT [180578312:11479535860]
:INPUT ACCEPT [163729897:10564907655]
:OUTPUT ACCEPT [57608884:6652892286]
:POSTROUTING ACCEPT [69277290:7098019533]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Jun 24 14:46:01 2019
# Generated by iptables-save v1.6.0 on Mon Jun 24 14:46:01 2019
*filter
:INPUT ACCEPT [597486:4608892633]
:FORWARD ACCEPT [488:17223]
:OUTPUT ACCEPT [320918:22606542]
COMMIT

# Completed on Mon Jun 24 14:46:01 2019

EDIT:
Here are the settings of the group:

Help would be appreciated. Frontend is Ubuntu 18.04.2, Hypervisor is Ubuntu 16.04.3.

Thank you!

Tony · June 24, 2019, 9:33pm

Replying to myself. I have selected bridge instead of bridge+security groups. Please disregard this ticket.

Topic		Replies	Views
How to check working process of security group? Development	1	511	April 25, 2017
Rules from securitygroup not applied Community Support	3	670	September 25, 2016
Security Group wont apply to VM Community Support	1	709	July 19, 2016
Can'f figure out Security Groups Community Support	2	384	October 18, 2018
Security Group not working 802.1Q Vlan Community Support	10	2835	January 20, 2016

[SOLVED] Security groups don't seem to work (5.8.1)

Related topics