cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject Re: [4.11] KVM Advanced Networking with SG Problem
Date Mon, 22 Jan 2018 08:06:47 GMT
Thanks Wido, I'll review your patch.



- Rohit

<https://cloudstack.apache.org>



________________________________
From: Wido den Hollander <wido@widodh.nl>
Sent: Monday, January 22, 2018 8:08:33 AM
To: dev@cloudstack.apache.org
Cc: Özhan Rüzgar Karaman
Subject: Re: [4.11] KVM Advanced Networking with SG Problem



On 01/22/2018 07:35 AM, Wido den Hollander wrote:
>
>
> On 01/21/2018 11:23 AM, Rohit Yadav wrote:
>> Wido - Were you able to reproduce and fix the issue? Thanks.
>>
>
> Still working on it! This weekend I was short on time and wasn't able to
> fix it yet.
>
> Today (Mon) and tomorrow (Tue) my time is limited as well. Trying to fix
> it asap.

During my train ride this morning I wrote this patch:
https://github.com/apache/cloudstack/pull/2418

@ Özhan, could you test this patch? It's just a matter of replacing
security_group.py on your Hypervisor.

Thanks,

Wido

>
> Wido
>
>>
>>
>> - Rohit
>>
>> <https://cloudstack.apache.org>
>>
>>
>>
>> ________________________________
>> From: Wido den Hollander <wido@widodh.nl>
>> Sent: Friday, January 19, 2018 10:12:45 PM
>> To: dev@cloudstack.apache.org
>> Subject: Re: [4.11] KVM Advanced Networking with SG Problem
>>
>>
>>
>> On 01/19/2018 02:03 PM, Özhan Rüzgar Karaman wrote:
>>> Hi Daan;
>>> Wido or others will write a fix, i am not a developer, i do not have
>>> a fix,
>>> i just only want to report it to make it official thats all :)
>>>
>>
>> I'll look into this asap. The Python script should parse these rules
>> properly and then it should be fixed.
>>
>> I hope to have a fix this weekend.
>>
>> Wido
>>
>>> Thanks
>>> Özhan
>>>
>>> On Fri, Jan 19, 2018 at 3:59 PM, Daan Hoogland <daan.hoogland@gmail.com>
>>> wrote:
>>>
>>>> This is not a PR but a ticket, Özhan. Do you plan to make a pull
>>>> request on
>>>> github with your solution for it?
>>>>
>>>> On Fri, Jan 19, 2018 at 1:53 PM, Özhan Rüzgar Karaman <
>>>> oruzgarkaraman@gmail.com> wrote:
>>>>
>>>>> Hi Daan;
>>>>> Wido is the previous PR's owner, he will check it. By the way i have
>>>>> created a PR for this problem which is below:
>>>>>
>>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-10242
>>>>>
>>>>> I select its priority as blocker, if its wrong developers will
>>>>> update its
>>>>> priority.
>>>>>
>>>>> Thanks
>>>>> Özhan
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jan 19, 2018 at 3:25 PM, Daan Hoogland
>>>>> <daan.hoogland@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Özhan, this is sure to break ipv6. can you make it use another
>>>> delimiter?
>>>>>>
>>>>>> On Fri, Jan 19, 2018 at 1:12 PM, Özhan Rüzgar Karaman <
>>>>>> oruzgarkaraman@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Rohit;
>>>>>>> This is a fresh install of 4.11 rc1 and we have only ipv4 setup
on
>>>> our
>>>>>> test
>>>>>>> environment no ipv6 addresses, our VR's are new 4.11 rc1 system
vms.
>>>>> Our
>>>>>>> workaround is 4 lines of code to convert ";" character to ":"
on
>>>>>>> security_group.py
>>>>>>> code to make it operational for ipv4 addresses but i am sure
it will
>>>>>> break
>>>>>>> Wido's "Add support for ipv6 address and subnets" PR. Workaround
>>>> works
>>>>>> only
>>>>>>> for us because we have ipv4 only setup.
>>>>>>>
>>>>>>> If Wido could check parse_network_rules function on
>>>>>>> security_group.py
>>>>>> then
>>>>>>> that could be great. After his check and possible code fix i
like to
>>>>> make
>>>>>>> test again on our environment.
>>>>>>>
>>>>>>> @Rohit i will create a JIRA ticket to follow it easily by team.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Özhan
>>>>>>>
>>>>>>> On Fri, Jan 19, 2018 at 2:51 PM, Rohit Yadav <
>>>>> rohit.yadav@shapeblue.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Ozhan,
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks for sharing.
>>>>>>>>
>>>>>>>>
>>>>>>>> I traced the change to the following PR that changes the
delimiter
>>>>>>>> character to ';' than ":" to support ipv6 addresses:
>>>>>>>>
>>>>>>>> https://github.com/apache/cloudstack/pull/2028/files
>>>>>>>>
>>>>>>>>
>>>>>>>> Can you share with the workaround, if applicable send a pull
>>>> request?
>>>>>>>>
>>>>>>>>
>>>>>>>> Were you still using old 4.9.3 VRs post upgrade, does killing
old
>>>> 4.9
>>>>>> VRs
>>>>>>>> help fix the issue? /cc Wido
>>>>>>>>
>>>>>>>>
>>>>>>>> - Rohit
>>>>>>>>
>>>>>>>> <https://cloudstack.apache.org>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ________________________________
>>>>>>>> From: Özhan Rüzgar Karaman <oruzgarkaraman@gmail.com>
>>>>>>>> Sent: Friday, January 19, 2018 3:38:19 PM
>>>>>>>> To: dev@cloudstack.apache.org
>>>>>>>> Subject: Re: [4.11] KVM Advanced Networking with SG Problem
>>>>>>>>
>>>>>>>> Hi;
>>>>>>>> We solved the bug there and write a small workaround today,
the
>>>>> problem
>>>>>>> is
>>>>>>>> generally from the Java code which calls security_group.py.
On
>>>> 4.9.3
>>>>>>>> release it was using : character but from 4.11 release delimiter
>>>>>> changed
>>>>>>> to
>>>>>>>> ; character but security_group.py expects : as delimeter
so
>>>>>>>> security_group.py could not parse & send rules to the
iptables.
>>>>>>>>
>>>>>>>> Afternoon i will create a JIRA ticket and if anyone could
fix the
>>>>>>> delimiter
>>>>>>>> character or code in the Java code for 4.11 release that
would be
>>>>> great
>>>>>>>> because without this code Security Groups are not operational
for
>>>>> 4.11.
>>>>>>>>
>>>>>>>> Also @Rohit do we need to check test codes for Security Groups?
>>>>>> Because i
>>>>>>>> do not understand how this bug passed our testing scenarios.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Özhan
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Jan 19, 2018 at 12:00 PM, Rohit Yadav <
>>>>>> rohit.yadav@shapeblue.com
>>>>>>>>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Can anyone help look into this issue, reproduce it and
if it's a
>>>>>>> genuine
>>>>>>>>> bug help fix it?
>>>>>>>>>
>>>>>>>>> Any takers - Wido, Wei, Mike and others who may be using
KVM+SG?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> - Rohit
>>>>>>>>>
>>>>>>>>> <https://cloudstack.apache.org>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ________________________________
>>>>>>>>> From: Özhan Rüzgar Karaman <oruzgarkaraman@gmail.com>
>>>>>>>>> Sent: Tuesday, January 16, 2018 9:53:59 PM
>>>>>>>>> To: dev@cloudstack.apache.org
>>>>>>>>> Subject: [4.11] KVM Advanced Networking with SG Problem
>>>>>>>>>
>>>>>>>>> Hi;
>>>>>>>>> We made a test with 4.11 rc over Ubuntu16.04 KVM hosts
and we
>>>>> noticed
>>>>>>>> that
>>>>>>>>> there is a problem on setting & applying security
group changes
>>>> on
>>>>>> KVM
>>>>>>>>> host.
>>>>>>>>>
>>>>>>>>> All instances could ping vr and they could access internet
but no
>>>>> one
>>>>>>>> could
>>>>>>>>> access to the instances.
>>>>>>>>>
>>>>>>>>> I checked iptables rules and i noticed that iptables
rules for vm
>>>>> is
>>>>>> in
>>>>>>>> all
>>>>>>>>> drop state for incoming packages while i gave access
to all
>>>> ingress
>>>>>> and
>>>>>>>>> egress tcp/udp traffic ports for that instances. Below
are
>>>> iptables
>>>>>>>> output
>>>>>>>>> for selected vm:
>>>>>>>>>
>>>>>>>>> Chain i-2-6-VM (1 references)
>>>>>>>>> target     prot opt source               destination
>>>>>>>>> DROP       all  --  anywhere             anywhere
>>>>>>>>>
>>>>>>>>> Chain i-2-6-VM-eg (1 references)
>>>>>>>>> target     prot opt source               destination
>>>>>>>>> RETURN     all  --  anywhere             anywhere
>>>>>>>>>
>>>>>>>>> Chain i-2-6-def (2 references)
>>>>>>>>> target     prot opt source               destination
>>>>>>>>> ACCEPT     all  --  anywhere             anywhere
>>>>    state
>>>>>>>>> RELATED,ESTABLISHED
>>>>>>>>> ACCEPT     udp  --  anywhere             anywhere
>>>>>    PHYSDEV
>>>>>>>> match
>>>>>>>>> --physdev-in vnet9 --physdev-is-bridged udp spt:bootpc
dpt:bootps
>>>>>>>>> ACCEPT     udp  --  anywhere             anywhere
>>>>>    PHYSDEV
>>>>>>>> match
>>>>>>>>> --physdev-out vnet9 --physdev-is-bridged udp spt:bootps
>>>> dpt:bootpc
>>>>>>>>> DROP       all  --  anywhere             anywhere
>>>>>    PHYSDEV
>>>>>>>> match
>>>>>>>>> --physdev-in vnet9 --physdev-is-bridged ! match-set i-2-6-VM
src
>>>>>>>>> RETURN     udp  --  anywhere             anywhere
>>>>>    PHYSDEV
>>>>>>>> match
>>>>>>>>> --physdev-in vnet9 --physdev-is-bridged match-set i-2-6-VM
src
>>>> udp
>>>>>>>>> dpt:domain
>>>>>>>>> RETURN     tcp  --  anywhere             anywhere
>>>>>    PHYSDEV
>>>>>>>> match
>>>>>>>>> --physdev-in vnet9 --physdev-is-bridged match-set i-2-6-VM
src
>>>> tcp
>>>>>>>>> dpt:domain
>>>>>>>>> i-2-6-VM-eg  all  --  anywhere             anywhere
>>>>>>    PHYSDEV
>>>>>>>>> match --physdev-in vnet9 --physdev-is-bridged match-set
i-2-6-VM
>>>>> src
>>>>>>>>> i-2-6-VM   all  --  anywhere             anywhere
>>>>>    PHYSDEV
>>>>>>>> match
>>>>>>>>> --physdev-out vnet9 --physdev-is-bridged
>>>>>>>>>
>>>>>>>>> All management and agent logs could be accessed from:
>>>>>>>>> http://51.15.199.7/4.11r1_Test_20190116.tgz
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> Özhan
>>>>>>>>>
>>>>>>>>> rohit.yadav@shapeblue.com
>>>>>>>>> www.shapeblue.com<http://www.shapeblue.com>
>>>>>>>>> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
>>>>>>>>> @shapeblue
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> rohit.yadav@shapeblue.com
>>>>>>>> www.shapeblue.com<http://www.shapeblue.com>
>>>>>>>> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
>>>>>>>> @shapeblue
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Daan
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Daan
>>>>
>>>
>>
>> rohit.yadav@shapeblue.com
>> www.shapeblue.com<http://www.shapeblue.com>
>> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
>> @shapeblue
>>
>>

rohit.yadav@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message