cloudstack-dev mailing list archives

From Özhan Rüzgar Karaman <oruzgarkara...@gmail.com>
Subject Re: [4.11] KVM Advanced Networking with SG Problem
Date Mon, 22 Jan 2018 10:28:41 GMT
Hi Wido & Rohit;
I tested the patch and it's ok, parsing works as expected, thanks for all
the help.

Özhan

On Mon, Jan 22, 2018 at 11:06 AM, Rohit Yadav <rohit.yadav@shapeblue.com>
wrote:

> Thanks Wido, I'll review your patch.
>
>
>
> - Rohit
> <https://cloudstack.apache.org>
>
>
> rohit.yadav@shapeblue.com
> www.shapeblue.com
> @shapeblue
>
>
>
> ------------------------------
> *From:* Wido den Hollander <wido@widodh.nl>
> *Sent:* Monday, January 22, 2018 8:08:33 AM
> *To:* dev@cloudstack.apache.org
> *Cc:* Özhan Rüzgar Karaman
>
> *Subject:* Re: [4.11] KVM Advanced Networking with SG Problem
>
>
>
> On 01/22/2018 07:35 AM, Wido den Hollander wrote:
> >
> >
> > On 01/21/2018 11:23 AM, Rohit Yadav wrote:
> >> Wido - Were you able to reproduce and fix the issue? Thanks.
> >>
> >
> > Still working on it! This weekend I was short on time and wasn't able to
> > fix it yet.
> >
> > Today (Mon) and tomorrow (Tue) my time is limited as well. Trying to fix
> > it asap.
>
> During my train ride this morning I wrote this patch:
> https://github.com/apache/cloudstack/pull/2418
>
> @ Özhan, could you test this patch? It's just a matter of replacing
> security_group.py on your Hypervisor.
>
> Thanks,
>
> Wido
>
> >
> > Wido
> >
> >>
> >>
> >> - Rohit
> >>
> >> <https://cloudstack.apache.org>
> >>
> >>
> >>
> >> ________________________________
> >> From: Wido den Hollander <wido@widodh.nl>
> >> Sent: Friday, January 19, 2018 10:12:45 PM
> >> To: dev@cloudstack.apache.org
> >> Subject: Re: [4.11] KVM Advanced Networking with SG Problem
> >>
> >>
> >>
> >> On 01/19/2018 02:03 PM, Özhan Rüzgar Karaman wrote:
> >>> Hi Daan;
> >>> Wido or others will write a fix. I am not a developer, I do not have
> >>> a fix, I just want to report it to make it official, that's all :)
> >>>
> >>
> >> I'll look into this asap. The Python script should parse these rules
> >> properly and then it should be fixed.
> >>
> >> I hope to have a fix this weekend.
> >>
> >> Wido
> >>
> >>> Thanks
> >>> Özhan
> >>>
> >>> On Fri, Jan 19, 2018 at 3:59 PM, Daan Hoogland <daan.hoogland@gmail.com>
> >>> wrote:
> >>>
> >>>> This is not a PR but a ticket, Özhan. Do you plan to make a pull
> >>>> request on
> >>>> github with your solution for it?
> >>>>
> >>>> On Fri, Jan 19, 2018 at 1:53 PM, Özhan Rüzgar Karaman
> >>>> <oruzgarkaraman@gmail.com> wrote:
> >>>>
> >>>>> Hi Daan;
> >>>>> Wido is the previous PR's owner, he will check it. By the way, I have
> >>>>> created a PR for this problem which is below:
> >>>>>
> >>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-10242
> >>>>>
> >>>>> I selected its priority as blocker; if it's wrong, developers will
> >>>>> update its priority.
> >>>>>
> >>>>> Thanks
> >>>>> Özhan
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Fri, Jan 19, 2018 at 3:25 PM, Daan Hoogland
> >>>>> <daan.hoogland@gmail.com>
> >>>>> wrote:
> >>>>>
> >>>>>> Özhan, this is sure to break ipv6. Can you make it use another
> >>>>>> delimiter?
> >>>>>>
> >>>>>> On Fri, Jan 19, 2018 at 1:12 PM, Özhan Rüzgar Karaman
> >>>>>> <oruzgarkaraman@gmail.com> wrote:
> >>>>>>
> >>>>>>> Hi Rohit;
> >>>>>>> This is a fresh install of 4.11 rc1 and we have only an ipv4 setup on our
> >>>>>>> test environment, no ipv6 addresses; our VRs are new 4.11 rc1 system VMs.
> >>>>>>> Our workaround is 4 lines of code to convert the ";" character to ":" in the
> >>>>>>> security_group.py code to make it operational for ipv4 addresses, but I am
> >>>>>>> sure it will break Wido's "Add support for ipv6 address and subnets" PR.
> >>>>>>> The workaround works only for us because we have an ipv4-only setup.
> >>>>>>>
> >>>>>>> If Wido could check the parse_network_rules function in security_group.py
> >>>>>>> then that would be great. After his check and a possible code fix I would
> >>>>>>> like to test again on our environment.
> >>>>>>>
> >>>>>>> @Rohit, I will create a JIRA ticket so the team can follow it easily.
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>> Özhan
> >>>>>>>
> >>>>>>> On Fri, Jan 19, 2018 at 2:51 PM, Rohit Yadav <rohit.yadav@shapeblue.com>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>> Hi Ozhan,
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Thanks for sharing.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> I traced the change to the following PR that changes the delimiter
> >>>>>>>> character to ';' rather than ":" to support ipv6 addresses:
> >>>>>>>>
> >>>>>>>> https://github.com/apache/cloudstack/pull/2028/files
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Can you share the workaround and, if applicable, send a pull request?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Were you still using old 4.9.3 VRs post upgrade? Does killing old 4.9 VRs
> >>>>>>>> help fix the issue? /cc Wido
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> - Rohit
> >>>>>>>>
> >>>>>>>> <https://cloudstack.apache.org>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> ________________________________
> >>>>>>>> From: Özhan Rüzgar Karaman <oruzgarkaraman@gmail.com>
> >>>>>>>> Sent: Friday, January 19, 2018 3:38:19 PM
> >>>>>>>> To: dev@cloudstack.apache.org
> >>>>>>>> Subject: Re: [4.11] KVM Advanced Networking with SG Problem
> >>>>>>>>
> >>>>>>>> Hi;
> >>>>>>>> We solved the bug there and wrote a small workaround today. The problem
> >>>>>>>> is generally from the Java code which calls security_group.py. In the
> >>>>>>>> 4.9.3 release it was using the : character, but from the 4.11 release
> >>>>>>>> the delimiter changed to the ; character, while security_group.py
> >>>>>>>> expects : as the delimiter, so security_group.py could not parse & send
> >>>>>>>> rules to iptables.
> >>>>>>>>
> >>>>>>>> This afternoon I will create a JIRA ticket, and if anyone could fix the
> >>>>>>>> delimiter character or code in the Java code for the 4.11 release that
> >>>>>>>> would be great, because without this code Security Groups are not
> >>>>>>>> operational for 4.11.
> >>>>>>>>
> >>>>>>>> Also @Rohit, do we need to check the test code for Security Groups?
> >>>>>>>> Because I do not understand how this bug passed our testing scenarios.
> >>>>>>>>
> >>>>>>>> Thanks
> >>>>>>>> Özhan
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Fri, Jan 19, 2018 at 12:00 PM, Rohit Yadav <rohit.yadav@shapeblue.com>
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>>> Can anyone help look into this issue, reproduce it and if it's a
> >>>>>>>>> genuine bug help fix it?
> >>>>>>>>>
> >>>>>>>>> Any takers - Wido, Wei, Mike and others who may be using KVM+SG?
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> - Rohit
> >>>>>>>>>
> >>>>>>>>> <https://cloudstack.apache.org>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> ________________________________
> >>>>>>>>> From: Özhan Rüzgar Karaman <oruzgarkaraman@gmail.com>
> >>>>>>>>> Sent: Tuesday, January 16, 2018 9:53:59 PM
> >>>>>>>>> To: dev@cloudstack.apache.org
> >>>>>>>>> Subject: [4.11] KVM Advanced Networking with SG Problem
> >>>>>>>>>
> >>>>>>>>> Hi;
> >>>>>>>>> We made a test with 4.11 rc over Ubuntu 16.04 KVM hosts and we noticed
> >>>>>>>>> that there is a problem with setting & applying security group changes
> >>>>>>>>> on the KVM host.
> >>>>>>>>>
> >>>>>>>>> All instances could ping the VR and they could access the internet, but
> >>>>>>>>> no one could access the instances.
> >>>>>>>>>
> >>>>>>>>> I checked the iptables rules and I noticed that the iptables rules for
> >>>>>>>>> the VM are in an all-drop state for incoming packages, while I gave
> >>>>>>>>> access to all ingress and egress tcp/udp traffic ports for that
> >>>>>>>>> instance. Below is the iptables output for the selected VM:
> >>>>>>>>>
> >>>>>>>>> Chain i-2-6-VM (1 references)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>> DROP       all  --  anywhere             anywhere
> >>>>>>>>>
> >>>>>>>>> Chain i-2-6-VM-eg (1 references)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>> RETURN     all  --  anywhere             anywhere
> >>>>>>>>>
> >>>>>>>>> Chain i-2-6-def (2 references)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vnet9 --physdev-is-bridged udp spt:bootpc dpt:bootps
> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-out vnet9 --physdev-is-bridged udp spt:bootps dpt:bootpc
> >>>>>>>>> DROP       all  --  anywhere             anywhere             PHYSDEV match --physdev-in vnet9 --physdev-is-bridged ! match-set i-2-6-VM src
> >>>>>>>>> RETURN     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vnet9 --physdev-is-bridged match-set i-2-6-VM src udp dpt:domain
> >>>>>>>>> RETURN     tcp  --  anywhere             anywhere             PHYSDEV match --physdev-in vnet9 --physdev-is-bridged match-set i-2-6-VM src tcp dpt:domain
> >>>>>>>>> i-2-6-VM-eg  all  --  anywhere             anywhere             PHYSDEV match --physdev-in vnet9 --physdev-is-bridged match-set i-2-6-VM src
> >>>>>>>>> i-2-6-VM   all  --  anywhere             anywhere             PHYSDEV match --physdev-out vnet9 --physdev-is-bridged
> >>>>>>>>>
> >>>>>>>>> All management and agent logs could be accessed from:
> >>>>>>>>> http://51.15.199.7/4.11r1_Test_20190116.tgz
> >>>>>>>>>
> >>>>>>>>> Thanks
> >>>>>>>>> Özhan
> >>>>>>>>>
> >>>>>>>>> rohit.yadav@shapeblue.com
> >>>>>>>>> www.shapeblue.com
> >>>>>>>>> 53 Chandos Place, Covent Garden, London WC2N 4HSUK
> >>>>>>>>> @shapeblue
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> rohit.yadav@shapeblue.com
> >>>>>>>> www.shapeblue.com
> >>>>>>>> 53 Chandos Place, Covent Garden, London WC2N 4HSUK
> >>>>>>>> @shapeblue
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Daan
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Daan
> >>>>
> >>>
> >>
> >> rohit.yadav@shapeblue.com
> >> www.shapeblue.com
> >> 53 Chandos Place, Covent Garden, London WC2N 4HSUK
> >> @shapeblue
> >>
> >>
>
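
The delimiter mismatch discussed in this thread, as an added example that is not part of any message and is not the code of security_group.py or of the pull requests mentioned: it shows why a ":" split cannot carry IPv6 CIDRs, why a ":" parser rejects ";"-delimited input, and how reporting parse errors avoids silently ending up with only the default DROP rule. The rule layout, the sample rules and the names parse_rule and parse_all are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rules. The "proto<d>start<d>end<d>cidr,cidr" layout is an
# assumption for illustration, not the exact string the CloudStack agent sends.
V4_COLON = "tcp:22:22:0.0.0.0/0"
V4_SEMI = "tcp;22;22;0.0.0.0/0"
V6_COLON = "tcp:22:22:2001:db8::/32"
V6_SEMI = "tcp;22;22;2001:db8::/32,10.0.0.0/8"


def parse_rule(rule, delim):
    """Split one rule on delim and validate every field; raise on any mismatch."""
    fields = rule.split(delim)
    if len(fields) != 4:
        raise ValueError("%r: expected 4 fields split on %r, got %d"
                         % (rule, delim, len(fields)))
    proto, start, end, cidrs = fields
    if proto not in ("tcp", "udp", "icmp"):
        raise ValueError("%r: unknown protocol %r" % (rule, proto))
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs.split(",") if c]
    if not nets:
        raise ValueError("%r: no CIDR given" % rule)
    return {"proto": proto, "ports": (int(start), int(end)), "cidrs": nets}


def parse_all(rules, delim):
    """Return (parsed, errors) so a caller can refuse to program the firewall
    from a partially understood rule set instead of silently applying nothing."""
    parsed, errors = [], []
    for rule in rules:
        try:
            parsed.append(parse_rule(rule, delim))
        except ValueError as exc:
            errors.append(str(exc))
    return parsed, errors


if __name__ == "__main__":
    for delim, rules in ((":", [V4_COLON, V4_SEMI, V6_COLON]),
                         (";", [V4_SEMI, V6_SEMI])):
        parsed, errors = parse_all(rules, delim)
        print("delimiter %r: %d parsed, %d rejected" % (delim, len(parsed), len(errors)))
        for err in errors:
            print("  rejected:", err)
```

With ":" only the IPv4 colon-form rule parses; the ";"-form rule collapses into one field and the IPv6 CIDR splits into extra fields, so both are rejected with a message rather than dropped quietly.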
