Re: Egress rules not applied in 4.11.0


For me:


[root@csdev-xen1 ~]# xe vm-param-list uuid=68daf990-0cc6-174c-c114-30f52940af1d
uuid ( RO)                          : 68daf990-0cc6-174c-c114-30f52940af1d


               HVM-boot-policy ( RW): BIOS order
               HVM-boot-params (MRW): order: dc
         HVM-shadow-multiplier ( RW): 1.000
                     PV-kernel ( RW):
                    PV-ramdisk ( RW):
                       PV-args ( RW): %template=domP%type=consoleproxy%host=172.24.186.96%port=8250%name=v-21-VM%zone=1%pod=1%guid=Proxy.21%proxy_vm=21%disable_rp_filter=true%eth2ip=172.24.186.226%eth2mask=255.255.254.0%gateway=172.24.186.1%eth0ip=169.254.1.130%eth0mask=255.255.0.0%eth1ip=172.24.186.241%eth1mask=255.255.254.0%mgmtcidr=172.24.186.0/23%localgw=172.24.186.1%internaldns1=172.24.187.196%internaldns2=172.24.187.33%dns1=172.24.187.196%dns2=172.24.187.33
                PV-legacy-args ( RW):
                 PV-bootloader ( RW):
            PV-bootloader-args ( RW):

OS Type in Cloudstack is "Debian GNU/Linux 8 (64-bit)". (The docs said:

OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)

)

Ciao

Martin


On 11.04.18 at 14:00, Rafael Weingärtner wrote:
Can you execute the following command in your XenServer?

xe vm-param-list uuid=<UuidOfDebian9Vm>

Then, what is the content of these parameters?

    - PV-legacy-args
    - PV-bootloader
    - PV-bootloader-args
    - HVM-boot-policy
    - HVM-boot-params
    - HVM-shadow-multiplier


It is just to make sure that the VM was indeed created using HVM mode.

On Wed, Apr 11, 2018 at 8:55 AM, Stephan Seitz <s.seitz@xxxxxxxxxxxxxxxxxxx>
wrote:

Just tried a Debian 9 running on XenServer 6.5 SP1 with model "Other 2.6x
Linux (64-bit)":

# virt-what --version
1.15
# virt-what
hyperv
xen
xen-domU
#


On Wednesday, 11.04.2018, 13:50 +0200, Stephan Seitz wrote:
AFAIK not for 6.5 SP1.
https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/ shows
that 7.x is fixed and gives the hint,
that HVM guests are not affected (at least for spectre)

https://support.citrix.com/article/CTX231390
" 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive
architectural changes to do so. Citrix is therefore not making hotfixes for
these versions available to customers, and will continue to
work with hardware vendors on other mitigation strategies. Customers on
the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a
more recent version. "
I haven't tried it so far, but recent debian versions were kind of picky
with different kinds of Xen virtualization as I've seen on "regular" VMs.


On Wednesday, 11.04.2018, 11:42 +0000, Paul Angus wrote:
virt-what will give 'xen-domU' for paravirtualized guests. Didn't
XenServer make some kind of change around this as a Meltdown/Spectre
mitigation?

Kind regards,

Paul Angus

paul.angus@xxxxxxxxxxxxx
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue




-----Original Message-----
From: Stephan Seitz <s.seitz@xxxxxxxxxxxxxxxxxxx>
Sent: 11 April 2018 12:38
To: users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Egress rules not applied in 4.11.0

Hi martin,

I've just read your issue on github and was wondering how you've been
able to select Debian 9.
But maybe you did a fresh installation.

We did an update from 4.9.2 to 4.11.0 and were able to select "Debian
GNU/Linux 7(64-bit)" as highest possible Debian-version. The documentation
said to register the new systemvm-template before
updating the management server.

Maybe your issue is hot-fixed by registering a template with Debian 7
profile.
Cheers,

- Stephan


On Wednesday, 11.04.2018, 13:30 +0200, Martin Emrich wrote:

I investigated further, and opened an issue:
https://github.com/apache/cloudstack/issues/2561

Cheers,

Martin


On 11.04.18 at 12:18, Martin Emrich wrote:


Thanks... But I think something else is now broken, too...:

The SystemVMs are now no longer being provisioned: They come up
"empty" with "systemvm type=".

I also deleted the Console Proxy VM, and the new one is plain, too...
I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same
effect...

Cheers,

Martin


On 11.04.18 at 00:56, Rohit Yadav wrote:


Hi Martin,


This is a known issue, a freshly restarted VR may not have the
EGRESS related tables which is why any rules will fail to apply.
As a workaround, you can restart the network without selecting the
cleanup option which will reconfigure the VR and add the egress
table.

I've a fix in this PR:
https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57dfd9156e3983b1bb2d64abecd



- Rohit

<https://cloudstack.apache.org>



________________________________
From: Martin Emrich <martin.emrich@xxxxxxxxxxx>
Sent: Tuesday, April 10, 2018 2:13:57 PM
To: CloudStack-Users
Subject: Egress rules not applied in 4.11.0

Hi!

I upgraded my test cluster from 4.9 to 4.11. The default policy
for isolated networks is "Deny".

But now, rules added to allow egress traffic are not applied to
the virtual router. Adding a 0.0.0.0/0 rule looks fine from the
UI, but does not appear in the iptables output on the VR.

Any Ideas?

Thanks

Martin


rohit.yadav@xxxxxxxxxxxxx
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK @shapeblue

Kind regards,

Stephan Seitz

--

Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-44
Fax: 030 / 405051-19

Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht
Berlin-Charlottenburg,
Managing Director: Peer Heinlein -- Registered office: Berlin
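
As an added illustration that is not part of any message in this thread: a small parser for the `xe vm-param-list` output quoted above, reporting the boot mode and the `type` field carried in the `%key=value` PV-args string. It assumes a non-empty `HVM-boot-policy` marks an HVM guest; the sample input is constructed and `diagnose` is a hypothetical helper name.

```python
import re

# Constructed sample in the layout of the `xe vm-param-list` output quoted in
# the thread; the uuid is a placeholder and PV-args is shortened.
SAMPLE = """\
uuid ( RO)                          : 00000000-0000-0000-0000-000000000000
               HVM-boot-policy ( RW): BIOS order
               HVM-boot-params (MRW): order: dc
         HVM-shadow-multiplier ( RW): 1.000
                     PV-kernel ( RW):
                       PV-args ( RW): %template=domP%type=consoleproxy%name=v-21-VM%zone=1%eth0ip=169.254.1.130
                 PV-bootloader ( RW):
"""

# "name ( RW): value" lines; the access flag is RO, RW or MRW in the thread.
PARAM_RE = re.compile(r"^\s*([\w-]+)\s*\(\s*[A-Z]+\s*\)\s*:\s?(.*)$")


def parse_params(text):
    """Map parameter name -> value (empty string when nothing follows the colon)."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def parse_pv_args(pv_args):
    """Split the %key=value%key=value string into a dict."""
    fields = {}
    for field in pv_args.split("%"):
        key, sep, value = field.partition("=")
        if sep and key:
            fields[key] = value
    return fields


def diagnose(text):
    """Report boot mode and the system VM type carried in PV-args."""
    params = parse_params(text)
    # Assumption: a non-empty HVM-boot-policy means the VM boots as HVM.
    mode = "HVM" if params.get("HVM-boot-policy") else "PV"
    args = parse_pv_args(params.get("PV-args", ""))
    return {"mode": mode, "type": args.get("type", ""), "args": args}


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

An empty `type` in the result corresponds to the `systemvm type=` symptom reported in the thread.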

