Date: Fri, 22 Jul 2016 09:38:26 +0100 (BST)
From: Andrei Mikhailovsky
To: dev
Cc: Simon Weller
Message-ID: <58239528.321666.1469176706367.JavaMail.zimbra@arhont.com>
Subject: Re: 4.9.0 RC2 Status

Hi

I've been randomly seeing this issue for over a year now. At least I think it might be related. I am currently on 4.7.1.1, but a few previous releases had this issue too on some of the networks.

I've got half a dozen networks or so, which are broken and do not allow outgoing traffic despite having the egress rule that allows all traffic out with cidr 0.0.0.0/0. These networks are always broken. Restarting the network with and without the Clean Up option doesn't help, nor does removing and adding the Egress rule.

In order to fix the outgoing traffic I have to log in to the VR in question and manually run:

    iptables -A FW_OUTBOUND -j ACCEPT

Only after this command the egress traffic starts to flow. This procedure has to be repeated EVERY time the router is restarted or recreated for EVERY network which is broken. The rest of the networks are not affected by this issue.

I definitely didn't have this issue on the early 4.X releases and this issue probably happened around version 4.4 or 4.5.

Andrei

----- Original Message -----
> From: "Rohit Yadav"
> To: "Simon Weller", "dev"
> Sent: Thursday, 21 July, 2016 21:13:52
> Subject: Re: 4.9.0 RC2 Status

> Hi Will,
>
>
> The issue is that after upgrading the VR from a pre-4.6 environment, the
> outbound traffic for guest VMs stops working (where their egress rule was allow
> all for 0.0.0.0/0). Along with this, I found that removing allow all 0.0.0.0/0
> egress rule does not remove the rule from VR's filter table. This could be
> a minor security issue for guest VMs.
>
>
> I think it's a blocker, please help review and test it:
>
> https://github.com/apache/cloudstack/pull/1614
>
>
> Regards.
>
> ________________________________
> From: williamstevens@gmail.com on behalf of Will Stevens
> Sent: 21 July 2016 21:43:42
> To: Simon Weller
> Cc: dev@cloudstack.apache.org
> Subject: Re: 4.9.0 RC2 Status
>
> I am waiting on pdube's PR to fix some issues with VPCs (not introduced in
> 4.9, but should be fixed in 4.9).
>
> I am also testing #1613 because I had added #1594 and had to revert it
> because I was running into an error consistently ever since. Hopefully
> #1613 will run cleanly and I can merge it as well for 4.9.
>
> Sorry for the delay. Since this release is so huge, it makes sense to fix
> as many issues as possible before it ships (especially if we will LTS this
> release).
>
> *Will STEVENS*
> Lead Developer
>
> *CloudOps* *|* Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> w cloudops.com *|* tw @CloudOps_
>
>
> rohit.yadav@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London WC2N 4HSUK
> @shapeblue
>
>
>
> On Thu, Jul 21, 2016 at 12:04 PM, Simon Weller wrote:
>
>> John,
>>
>>
>> I think we're pending a PR from pdube related to broken VPCs. It sounds
>> very much like what we found in our QA environment a few weeks ago.
>>
>> - Si
>>
>> ------------------------------
>> *From:* John Burwell
>> *Sent:* Thursday, July 21, 2016 10:55 AM
>> *To:* dev@cloudstack.apache.org
>> *Cc:* Will Stevens
>> *Subject:* 4.9.0 RC2 Status
>>
>> Will,
>>
>> I am inquiring as to the status of 4.9.0 RC2. Are there issues we can
>> help resolve in order to get it out? If not, do you have an ETA on when it
>> will be cut?
>>
>> Thanks,
>> -John
>> john.burwell@shapeblue.com
>> www.shapeblue.com
>> 53 Chandos Place, Covent Garden, London VA WC2N 4HSUK
>> @shapeblue
>>
>>
>>
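
The thread above describes two mismatches between a network's egress policy and the VR's FW_OUTBOUND chain: the allow-all rule is configured but traffic is still dropped, and (per Rohit's note) a removed allow-all rule stays in the filter table. As an added example, not part of the original thread or of CloudStack, this script classifies saved `iptables -S FW_OUTBOUND` output against the configured policy; the policy labels, function names and sample chain contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare a virtual router's
# FW_OUTBOUND chain with the egress policy configured for the network.

# Constructed sample: `iptables -S FW_OUTBOUND` on an affected VR.
SAMPLE_BROKEN='-N FW_OUTBOUND
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample: the same chain after the manual workaround.
SAMPLE_PATCHED="$SAMPLE_BROKEN
-A FW_OUTBOUND -j ACCEPT"

# Succeeds if stdin contains a FW_OUTBOUND rule with no match criteria
# that accepts everything (what `iptables -A FW_OUTBOUND -j ACCEPT` adds).
has_unconditional_accept() {
    grep -Eq '^-A FW_OUTBOUND -j ACCEPT[[:space:]]*$'
}

# audit_egress POLICY RULES
#   POLICY: "allow-all" if the network has the 0.0.0.0/0 egress rule,
#           "restricted" if it does not (hypothetical labels).
#   RULES:  text of `iptables -S FW_OUTBOUND` from the VR.
# Prints OK, BROKEN_EGRESS (rule configured but missing on the VR) or
# STALE_ALLOW_ALL (rule removed in CloudStack but still on the VR).
audit_egress() {
    policy=$1
    rules=$2
    if printf '%s\n' "$rules" | has_unconditional_accept; then
        present=yes
    else
        present=no
    fi
    case "$policy:$present" in
        allow-all:yes|restricted:no) echo OK ;;
        allow-all:no)                echo BROKEN_EGRESS ;;
        restricted:yes)              echo STALE_ALLOW_ALL ;;
        *) echo "unknown policy: $policy" >&2; return 2 ;;
    esac
}

# On a live VR: audit_egress allow-all "$(iptables -S FW_OUTBOUND)"
audit_egress allow-all  "$SAMPLE_BROKEN"    # BROKEN_EGRESS
audit_egress allow-all  "$SAMPLE_PATCHED"   # OK
audit_egress restricted "$SAMPLE_PATCHED"   # STALE_ALLOW_ALL
```

Running the check after every router restart or recreation catches the case where the manual workaround has been lost.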