Re: Egress rules not applied in 4.11.0


That is interesting. The VM is indeed in HVM mode.

On Wed, Apr 11, 2018 at 9:04 AM, Stephan Seitz <s.seitz@xxxxxxxxxxxxxxxxxxx> wrote:

> # xe vm-param-list uuid=c1bcef11-ffc2-24bd-7c5e-0840fb4f8f49 | grep -e PV-legacy-args -e PV-boot -e HVM-boot -e HVM-shadow
>                HVM-boot-policy ( RW): BIOS order
>                HVM-boot-params (MRW): order: dc
>          HVM-shadow-multiplier ( RW): 1.000
>                 PV-legacy-args ( RW):
>                  PV-bootloader ( RW):
>             PV-bootloader-args ( RW):
>
> On Wednesday, 11.04.2018, 09:00 -0300, Rafael Weingärtner wrote:
> > Can you execute the following command in your XenServer?
> >
> > >
> > > xe vm-param-list uuid=<UuidOfDebian9Vm>
> > >
> > Then, what is the content of these parameters?
> >
> >    - PV-legacy-args
> >    - PV-bootloader
> >    - PV-bootloader-args
> >    - HVM-boot-policy
> >    - HVM-boot-params
> >    - HVM-shadow-multiplier
> >
> >
> > It is just to make sure that the VM was indeed created using HVM mode.
> >
> > On Wed, Apr 11, 2018 at 8:55 AM, Stephan Seitz <s.seitz@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > >
> > > Just tried a Debian 9 running on XenServer 6.5 SP1 with model "Other 2.6x Linux (64-bit)":
> > >
> > > # virt-what --version
> > > 1.15
> > > # virt-what
> > > hyperv
> > > xen
> > > xen-domU
> > > #
> > >
> > >
> > > On Wednesday, 11.04.2018, 13:50 +0200, Stephan Seitz wrote:
> > > >
> > > > AFAIK not for 6.5 SP1.
> > > > https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/ shows that 7.x is fixed and gives the hint that HVM guests are not affected (at least for spectre)
> > > >
> > > > https://support.citrix.com/article/CTX231390
> > > > " 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive architectural changes to do so. Citrix is therefore not making hotfixes for these versions available to customers, and will continue to work with hardware vendors on other mitigation strategies. Customers on the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a more recent version. "
> > > >
> > > >
> > > > I haven't tried it so far, but recent Debian versions were kind of picky with different kinds of Xen virtualization as I've seen on "regular" VMs.
> > > >
> > > >
> > > >
> > > >
> > > > On Wednesday, 11.04.2018, 11:42 +0000, Paul Angus wrote:
> > > > >
> > > > >
> > > > > virt-what will give 'xen-domU' for paravirtualized guests. Didn't XenServer make some kind of change around this as a Meltdown/Spectre mitigation?
> > > >
> > > > >
> > > > >
> > > > >
> > > > > Kind regards,
> > > > >
> > > > > Paul Angus
> > > > >
> > > > > paul.angus@xxxxxxxxxxxxx
> > > > > www.shapeblue.com
> > > > > 53 Chandos Place, Covent Garden, London  WC2N 4HS UK
> > > > > @shapeblue
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Stephan Seitz <s.seitz@xxxxxxxxxxxxxxxxxxx>
> > > > > Sent: 11 April 2018 12:38
> > > > > To: users@xxxxxxxxxxxxxxxxxxxxx
> > > > > Subject: Re: Egress rules not applied in 4.11.0
> > > > >
> > > > > Hi Martin,
> > > > >
> > > > > I've just read your issue on GitHub and was wondering how you've been able to select Debian 9.
> > > >
> > > > >
> > > > > But maybe you did a fresh installation.
> > > > >
> > > > > We did an update from 4.9.2 to 4.11.0 and were able to select "Debian GNU/Linux 7(64-bit)" as highest possible Debian-version. The documentation said to register the new systemvm-template before updating the management server.
> > > > >
> > > > > Maybe your issue is hot-fixed by registering a template with Debian 7 profile.
> > > >
> > > > >
> > > > >
> > > > > Cheers,
> > > > >
> > > > > - Stephan
> > > > >
> > > > >
> > > > > On Wednesday, 11.04.2018, 13:30 +0200, Martin Emrich wrote:
> > > > > >
> > > > > >
> > > > > >
> > > > > > I investigated further, and opened an issue:
> > > > > > https://github.com/apache/cloudstack/issues/2561
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > > Martin
> > > > > >
> > > > > >
> > > > > > On 11.04.18 at 12:18, Martin Emrich wrote:
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Thanks... But I think something else is now broken, too...:
> > > > > > >
> > > > > > > The SystemVMs are now no longer being provisioned: They come up "empty" with "systemvm type=".
> > > > > > >
> > > > > > > I also deleted the Console Proxy VM, and the new one is plain, too...
> > > > > > >
> > > > > > > I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same effect...
> > > > > > >
> > > > > > > Cheers,
> > > > > > >
> > > > > > > Martin
> > > > > > >
> > > > > > >
> > > > > > > On 11.04.18 at 00:56, Rohit Yadav wrote:
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Hi Martin,
> > > > > > > >
> > > > > > > >
> > > > > > > > This is a known issue, a freshly restarted VR may not have the EGRESS related tables which is why any rules will fail to apply. As a workaround, you can restart the network without selecting the cleanup option which will reconfigure the VR and add the egress table.
> > > > > > > >
> > > > > > > > I've a fix in this PR:
> > > > > > > > https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57dfd9156e3983b1bb2d64abecd
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > - Rohit
> > > > > > > >
> > > > > > > > <https://cloudstack.apache.org>
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > ________________________________
> > > > > > > > From: Martin Emrich <martin.emrich@xxxxxxxxxxx>
> > > > > > > > Sent: Tuesday, April 10, 2018 2:13:57 PM
> > > > > > > > To: CloudStack-Users
> > > > > > > > Subject: Egress rules not applied in 4.11.0
> > > > > > > >
> > > > > > > > Hi!
> > > > > > > >
> > > > > > > > I upgraded my test cluster from 4.9 to 4.11. The default policy for isolated networks is "Deny".
> > > > > > > >
> > > > > > > > But now, rules added to allow egress traffic are not applied to the virtual router. Adding a 0.0.0.0/0 rule looks fine from the UI, but does not appear in the iptables output on the VR.
> > > > > > > >
> > > > > > > > Any Ideas?
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > >
> > > > > > > > Martin
> > > > > > > >
> > > > > > > >
> > > > > > > > rohit.yadav@xxxxxxxxxxxxx
> > > > > > > > www.shapeblue.com
> > > > > > > > 53 Chandos Place, Covent Garden, London  WC2N 4HS UK @shapeblue
> > > > > > > >
> > > > > Kind regards,
> > > > >
> > > > > Stephan Seitz
> > > > >
> > > > > --
> > > > >
> > > > > Heinlein Support GmbH
> > > > > Schwedter Str. 8/9b, 10119 Berlin
> > > > >
> > > > > http://www.heinlein-support.de
> > > > >
> > > > > Tel: 030 / 405051-44
> > > > > Fax: 030 / 405051-19
> > > > >
> > > > > Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
> > > > > Managing Director: Peer Heinlein -- Registered office: Berlin
> > > > >
> > > > >


-- 
Rafael Weingärtner
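
The HVM check discussed in this thread, as an added example that is not part of the original messages: a shell function that reads `xe vm-param-list` output and reports the boot mode. It assumes the usual XenServer convention that a non-empty HVM-boot-policy means HVM; the function name `vm_virt_mode` is hypothetical and the second sample is constructed.

```shell
#!/bin/sh
# Added example: classify a XenServer VM as HVM or PV from `xe vm-param-list`
# output. Assumption: a non-empty HVM-boot-policy means the VM boots as HVM;
# an empty one together with a PV-bootloader value means PV.

# vm_virt_mode (hypothetical name): reads the parameter list on stdin and
# prints "hvm", "pv" or "unknown".
vm_virt_mode() {
    awk '
        # Parameter lines look like: "   HVM-boot-policy ( RW): BIOS order"
        /^[ \t]*[A-Za-z0-9-]+[ \t]*\([ A-Z]+\):/ {
            name = $1
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)   # keep text after the first colon
            sub(/[ \t]+$/, "", value)         # trim trailing whitespace
            params[name] = value
        }
        END {
            if (params["HVM-boot-policy"] != "")    print "hvm"
            else if (params["PV-bootloader"] != "") print "pv"
            else                                    print "unknown"
        }
    '
}

# Sample 1: the output quoted in this thread.
sample_hvm() {
    cat <<'EOF'
               HVM-boot-policy ( RW): BIOS order
               HVM-boot-params (MRW): order: dc
         HVM-shadow-multiplier ( RW): 1.000
                PV-legacy-args ( RW):
                 PV-bootloader ( RW):
            PV-bootloader-args ( RW):
EOF
}

# Sample 2: constructed PV guest for contrast (values are illustrative).
sample_pv() {
    cat <<'EOF'
               HVM-boot-policy ( RW):
                 PV-bootloader ( RW): pygrub
            PV-bootloader-args ( RW):
EOF
}

echo "thread sample:      $(sample_hvm | vm_virt_mode)"
echo "constructed sample: $(sample_pv | vm_virt_mode)"
# On a host: xe vm-param-list uuid=<UuidOfDebian9Vm> | vm_virt_mode
```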