Some virtual machines are unreachable after upgrading to ACP 4.7.1

Problem

Due to a defect in ACP,  for customers using IP Reservation feature non cloudplatform virtual/physical machines in cloudplatform networks are unreachable after upgrading to version 4.7.1

Root Cause

Accelerite CloudPlatform uses Guest CIDR for dhcp-range for the Guest VMs. The entire CIDR is used by CloudPlatform for assigning IPs to Guest VMs. IP Address Reservation will allow part of address space to be used for non CloudPlatform hosts/physical servers also, by restricting the address space of CloudPlatform Guest VMs.  networks table of database, contains two fields cidr and network_cidr. When IP Reservation feature is not used, the cidr field serves as both the guest VM CIDR used for DHCP and network CIDR and the network_cidr contains the value of null.  When ip reservation feature is used, network_cidr contains the network cidr. 4.7.0 to 4.7.1 does not handle the IP reservation case. It always picks cidr column to update firewall rules  Instead network_cidr should be used when not null and cidr column otherwise.  However when we have a network_cidr and you have some firewall rules with source cidr configured with cidr already. Then this fix would overwrite the source_cidr of those rules with network_cidr (in case of a wider network_cidr). The source_cidr of those firewall rules need to be updated back manually after the upgrade.

 

Resolution/Workaround

In order to fix this issue. The following query needs to be run after the upgrade to 4.7.1 HFx.
  
UPDATE `cloud`.`firewall_rules_cidrs` AS s, 
(SELECT `networks`.`cidr`, if (CONVERT(SUBSTRING(networks.cidr, LENGTH(networks.cidr)-1, 2), UNSIGNED INTEGER) <= CONVERT(SUBSTRING(IFNULL(networks.network_cidr,networks.cidr), LENGTH(IFNULL(networks.network_cidr,networks.cidr))-1, 2), UNSIGNED INTEGER), networks.cidr,networks.network_cidr) network_cidr, `firewall_rules_cidrs`.`id`, `firewall_rules`.`traffic_type` FROM `cloud`.`networks`, `cloud`.`firewall_rules`,`cloud`.`firewall_rules_cidrs` WHERE `cloud`.`networks`.`id`=`cloud`.`firewall_rules`.`network_id` AND `cloud`.`firewall_rules`.`id` = `cloud`.`firewall_rules_cidrs`.`firewall_rule_id`) AS p
SET `s`.`source_cidr` = `p`.`network_cidr` WHERE `s`.`source_cidr`=`p`.`cidr` AND `s`.`id`=`p`.`id` AND `p`.`traffic_type`="Egress” ;

Steps to Reproduce the problem

1. Create isolated guest networks in ACP 4.7.0
2. Update the CIDR (as in UI) to a supernet of the network's subnet
3. Create egress rules with source CIDR as 0.0.0.0/0
4. Upgrade ACP to 4.7.1
5. Verify the egress rules source CIDR value .

Verification

You can verify the presence of those rules by running  the following query before the upgrade:
 
select * from `cloud`.`networks`, `cloud`.`firewall_rules`,`cloud`.`firewall_rules_cidrs` WHERE `cloud`.`networks`.`id`=`cloud`.`firewall_rules`.`network_id` AND `cloud`.`firewall_rules`.`id` = `cloud`.`firewall_rules_cidrs`.`firewall_rule_id` AND `cloud`.`networks`.`network_cidr` IS NOT NULL AND `cloud`.`firewall_rules_cidrs`.`source_cidr` = `cloud`.`networks`.`cidr`;

Impact on Existing System

The solution is a fix to unblock the virtual/physical machines which are in cloudplatform networks but are not managed by cloudplatform. 

Potential Adverse Effect

There is no known adverse effect to the system.

Document ID:
115004785203

Product:
CloudPlatform

Version:
4.7.1

Operating System:
Linux

Reference Jira ID:
ES-4764

Zendesk Ticket ID:
56211

 
Have more questions? Submit a request

Comments