cloudstack-dev mailing list archives

From Ove Ewerlid <Ove.Ewer...@oracle.com>
Subject Re: [VOTE] Apache CloudStack 4.3.0 (eighth round)
Date Fri, 14 Mar 2014 13:51:14 GMT
It should be noted that my tests use a single IP per VM.
I believe NUX mentioned using multiple IPs.
When SG in advanced zone is enabled, only one NIC can be assigned per VM.
/Ove

On 03/14/2014 02:41 PM, Ove Ewerlid wrote:
> On 03/14/2014 01:57 PM, Nux! wrote:
>> On 14.03.2014 12:06, Nux! wrote:
>>> It looks like the traffic doesn't go in the right chains, all traffic
>>> is accepted as FORWARD is set to ACCEPT.
>>> There are zero packets going through BF-breth0-109.
>>>
>>> Here's outputs from:
>>> iptables-save: http://paste.fedoraproject.org/85337/47982321/raw/
>>> ebtables-save: http://paste.fedoraproject.org/85338/79831713/raw/
>>> ipset -L: http://paste.fedoraproject.org/85339/79832613/raw/
>>>
>>> I will install 4.2.1 as that one was working and try to compare the
>>> outputs.
>>
>> Ok, reinstalled with 4.2.1 and this one works as expected, all ingress
>> is blocked unless stated otherwise. Here's the same outputs as earlier:
>> iptables http://paste.fedoraproject.org/85350/1356139/raw/
>> ebtables http://paste.fedoraproject.org/85351/80136613/raw/
>> ipset -L http://paste.fedoraproject.org/85352/13948013/raw/
>>
>> Kindly look into this, it breaks a major feature.
>>
>> Lucian
>>
>
> I can confirm this observation.
> The test was to install ACS42 and ACS43 in the same environment;
>
>    - OEL65 (Oracle's variant of CentOS v65)
>    - KVM hypervisor
>    - Advanced with 3 shared networks (3 VLANs)
>    - ACS421; official KVM system VM template
>    - ACS43; latest 64 bit KVM system VM template
>    - 24 hypervisors; 144Gbyte RAM / 24 Cores / 4TB local disk
>
> SG works as expected in ACS42.
> In ACS43, the iptables forward chain on hypervisors is empty and in
> policy ACCEPT, hence all traffic goes through.
>
> The same set of automated install scripts was used in both cases so the
> installs are virtually identical.
>
> /Ove
>
>


-- 
Ove Everlid
System Administrator / Architect / SDN- & Automation- & Linux-hacker
Mobile: +46706662363 (dedicated work mobile)
Country: Sweden, timezone; Middle European Time (MET or GMT+1)
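
An added example, not part of the thread and not CloudStack's own code: a check for the condition reported above, where FORWARD has policy ACCEPT and no FORWARD rule hands traffic to a per-bridge chain. It parses `iptables-save` text; the `BF-` prefix comes from the chain name quoted in the thread, the function name is hypothetical, and both sample dumps are constructed rather than taken from the linked pastes.

```python
import re

# Constructed samples in iptables-save format (not the pastes linked in the thread).
FAIL_OPEN = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [1234:99887]
:OUTPUT ACCEPT [0:0]
:BF-breth0-109 - [0:0]
-A BF-breth0-109 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BF-breth0-109 -j DROP
COMMIT
"""
FILTERING = FAIL_OPEN.replace(
    "-A BF-breth0-109 -m state",
    "-A FORWARD -o breth0-109 -m physdev --physdev-is-bridged -j BF-breth0-109\n"
    "-A BF-breth0-109 -m state", 1)

CHAIN = re.compile(r"^:(\S+) (\S+) \[\d+:\d+\]$")       # ":NAME POLICY [pkts:bytes]"
RULE = re.compile(r"^(?:\[\d+:\d+\]\s+)?-A (\S+) (.*)$")  # counters appear with -c
JUMP = re.compile(r"(?:^| )-[jg] (\S+)")


def audit_forward(dump, prefix="BF-"):
    """Summarise the filter-table FORWARD chain of an iptables-save dump."""
    table, policy, rules, defined = None, None, [], set()
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif (m := CHAIN.match(line)):
            if m.group(1) == "FORWARD":
                policy = m.group(2)
            elif m.group(1).startswith(prefix):
                defined.add(m.group(1))
        elif (m := RULE.match(line)) and m.group(1) == "FORWARD":
            rules.append(m.group(2))
    # Only direct jumps from FORWARD are followed, not intermediate chains.
    reachable = defined & {t for r in rules for t in JUMP.findall(r)}
    return {
        "policy": policy,
        "forward_rules": len(rules),
        "unreferenced": sorted(defined - reachable),
        # Fail-open: default ACCEPT and nothing in FORWARD reaches a bridge chain.
        "fail_open": policy == "ACCEPT" and not reachable,
    }
```

Feeding it the output of `iptables-save` from a hypervisor gives a quick yes/no on whether bridged VM traffic is reaching the filtering chains at all.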
