Completed config option to allow nested virtualization

[bradywilkin]

Description

This PR...

I introduced a new global configuration option, AllowNestedVMAccess, within the IPAddressManagerImpl.java file. This setting is then referenced in LibVirtComputingResource when determining whether the virtualized firewall can be bridged. If the configuration key is enabled, the system returns true for canBridgeFirewall without running security_group.py. As discussed in the issue itself we first wanted to get a functional basic version completed- later on this should include modifications to the script in secuirty_group.py to allow other functionality to occur while still allowing nested VM access.

#10286

10286

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

I added a test in IPAddressManagerTest.java to ensure that the firewall can be bridged when this setting is enabled.

How did you try to break this feature and the system with this change?

[boring-cyborg]

Congratulations on your first Pull Request and welcome to the Apache CloudStack community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/cloudstack/blob/main/CONTRIBUTING.md)
Here are some useful points:

• In case of a new feature add useful documentation (raise doc PR at https://github.com/apache/cloudstack-documentation)
• Be patient and persistent. It might take some time to get a review or get the final approval from the committers.
• Pay attention to the quality of your code, ensure tests are passing and your PR doesn't have conflicts.
• Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Issues, Mailing list and Slack.
• Be sure to read the CloudStack Coding Conventions.
  Apache CloudStack is a community-driven project and together we are making it better 🚀.
  In case of doubts contact the developers at:
  Mailing List: [email protected] (https://cloudstack.apache.org/mailing-lists.html)
  Slack: https://apachecloudstack.slack.com/

[Copilot]

Pull Request Overview

This PR introduces a global configuration option to allow nested virtualization by enabling nested VM access and bypassing security group checks for firewall bridging.

• Introduces a new ConfigKey in IpAddressManagerImpl to control nested VM access.
• Updates LibvirtComputingResource to skip security group verification if nested VM access is enabled.
• Adds a test in IpAddressManagerTest to verify the new behavior.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
server/src/test/java/com/cloud/network/IpAddressManagerTest.java	Adds a test to validate that enabling nested VM access allows firewall bridging.
server/src/main/java/com/cloud/network/IpAddressManagerImpl.java	Introduces a new config key for nested VM access and its accessor method.
plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java	Modifies the firewall bridging logic to bypass security group checks when nested VM access is allowed.

Comments suppressed due to low confidence (1)

server/src/main/java/com/cloud/network/IpAddressManagerImpl.java:333

• [nitpick] Consider renaming 'AllowNestedVMAccess' to 'ALLOW_NESTED_VM_ACCESS' for consistency with other static config key naming conventions.

public static final ConfigKey<Boolean> AllowNestedVMAccess = new ConfigKey<>("Advanced", Boolean.class, "allow.nested.vm.access",

[Copilot]

[nitpick] Consider adding braces around the single-line if statement to enhance readability and reduce potential errors in future modifications.

Suggested change

	if (getAllowNestedVMAccess())
	return true; // If nested VM is allowed, then we skip call to security group and allow bypassing firewall
	if (getAllowNestedVMAccess()) {
	return true; // If nested VM is allowed, then we skip call to security group and allow bypassing firewall
	}

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 4.00%. Comparing base (fd74895) to head (7821838).
Report is 4 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (fd74895) and HEAD (7821838). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (fd74895)	HEAD (7821838)
unittests	1	0

Additional details and impacted files

@@              Coverage Diff              @@
##               main   #10812       +/-   ##
=============================================
- Coverage     16.40%    4.00%   -12.41%     
=============================================
  Files          5692      399     -5293     
  Lines        501962    32597   -469365     
  Branches      60791     5783    -55008     
=============================================
- Hits          82353     1305    -81048     
+ Misses       410455    31142   -379313     
+ Partials       9154      150     -9004     

Flag	Coverage Δ
uitests	4.00% <ø> (ø)
unittests	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[weizhouapache]

the method in LibvirtComputingResource are executed on the kvm host (part of cloudstack-agent)
The host cannot access the database.
so, this won't work.

a feasible way is, adding a setting to agent.properties