ISSUE TYPE
COMPONENT NAME
CLOUDSTACK VERSION
CONFIGURATION
n/a
OS / ENVIRONMENT
n/a
SUMMARY
When a VPC has no associated VMs, no firewall (iptables) rules are defined on its virtual router. That is a problem because it leaves the vrouter exposed to receiving a packet on port 35999; if that happens, HAProxy starts logging in a loop until it fills the vrouter's disk.
STEPS TO REPRODUCE
Create a new VPC with the default VPC network offering
Send a packet to port 35999 of the VPC vrouter's public IP. Example: telnet <public-ip> 35999
Connect to the vrouter shell and check /var/log/haproxy.log
EXPECTED RESULTS
Either the iptables rules are applied even when there are no VMs associated with the VPC, or no virtual router runs when there are no VMs associated with the VPC (as is the case for isolated networks).
ACTUAL RESULTS
A virtual router runs in a VPC even when no VMs are associated with it and its network offering is not persistent, and that router has no firewall rules defined.
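To verify the condition this report describes on a router (an INPUT chain that accepts by default and carries no rule for TCP port 35999), the following added example, which is not part of the issue or of the CloudStack project, parses an `iptables-save` dump and classifies the port as exposed or guarded. Both dumps embedded below are constructed samples; the guarded one assumes a hypothetical rule set in which 35999 is dropped on the public interface `eth1`, chosen here only to illustrate the check.

```shell
#!/bin/sh
# Added example, not CloudStack code: classify whether the filter INPUT chain
# of an iptables-save dump would accept a fresh TCP packet to a given port.
# On a real virtual router feed it the output of `iptables-save`; the dumps
# below are constructed samples.

# Constructed: a router with no rules at all, as the report describes.
EMPTY_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed (hypothetical rule set): loopback allowed, established flows
# allowed, port 35999 dropped on the assumed public interface eth1, and a
# DROP default policy for anything else.
GUARDED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 35999 -j DROP
COMMIT'

# port_exposed DUMP PORT
# Prints "exposed" and returns 1 when the filter INPUT policy is ACCEPT and no
# INPUT rule mentions --dport PORT; prints "guarded" and returns 0 otherwise.
port_exposed() {
    dump=$1
    port=$2
    # Default policy of the INPUT chain inside the *filter table.
    policy=$(printf '%s\n' "$dump" | awk '/^\*filter/{f=1} f && /^:INPUT /{print $2; exit}')
    # Number of INPUT rules in the filter table whose --dport equals PORT.
    rules=$(printf '%s\n' "$dump" | awk -v p="$port" '
        /^\*filter/ {f=1}
        /^COMMIT/   {f=0}
        f && /^-A INPUT / {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && $(i+1) == p) n++
        }
        END {print n+0}')
    if [ "$policy" = "ACCEPT" ] && [ "$rules" -eq 0 ]; then
        echo exposed
        return 1
    fi
    echo guarded
    return 0
}

# Stand-alone run over the two constructed dumps.
port_exposed "$EMPTY_DUMP" 35999
port_exposed "$GUARDED_DUMP" 35999
```

The check is deliberately conservative: any INPUT rule that names the port, whether it accepts or drops, counts as "guarded", because the report's failure mode is the complete absence of rules rather than a wrong rule. Run it from the router shell with `port_exposed "$(iptables-save)" 35999` to confirm the state before and after attaching a VM to the VPC.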