cloudstack-dev mailing list archives

From Wido den Hollander <w...@widodh.nl>
Subject Re: [4.11] KVM Advanced Networking with SG Problem
Date Mon, 22 Jan 2018 06:35:55 GMT


On 01/21/2018 11:23 AM, Rohit Yadav wrote:
> Wido - Were you able to reproduce and fix the issue? Thanks.
> 

Still working on it! This weekend I was short on time and wasn't able to 
fix it yet.

Today (Mon) and tomorrow (Tue) my time is limited as well. Trying to fix 
it asap.

Wido

> 
> 
> - Rohit
> 
> <https://cloudstack.apache.org>
> 
> 
> 
> ________________________________
> From: Wido den Hollander <wido@widodh.nl>
> Sent: Friday, January 19, 2018 10:12:45 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [4.11] KVM Advanced Networking with SG Problem
> 
> 
> 
> On 01/19/2018 02:03 PM, Özhan Rüzgar Karaman wrote:
>> Hi Daan;
>> Wido or others will write a fix. I am not a developer, I do not have a fix,
>> I just want to report it to make it official, that's all :)
>>
> 
> I'll look into this asap. The Python script should parse these rules
> properly and then it should be fixed.
> 
> I hope to have a fix this weekend.
> 
> Wido
> 
>> Thanks
>> Özhan
>>
>> On Fri, Jan 19, 2018 at 3:59 PM, Daan Hoogland <daan.hoogland@gmail.com>
>> wrote:
>>
>>> This is not a PR but a ticket, Özhan. Do you plan to make a pull request on
>>> github with your solution for it?
>>>
>>> On Fri, Jan 19, 2018 at 1:53 PM, Özhan Rüzgar Karaman <
>>> oruzgarkaraman@gmail.com> wrote:
>>>
>>>> Hi Daan;
>>>> Wido is the previous PR's owner, he will check it. By the way, I have
>>>> created a PR for this problem which is below:
>>>>
>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-10242
>>>>
>>>> I selected its priority as blocker; if it's wrong, developers will update its
>>>> priority.
>>>>
>>>> Thanks
>>>> Özhan
>>>>
>>>>
>>>>
>>>> On Fri, Jan 19, 2018 at 3:25 PM, Daan Hoogland <daan.hoogland@gmail.com>
>>>> wrote:
>>>>
>>>>> Özhan, this is sure to break ipv6. Can you make it use another delimiter?
>>>>>
>>>>> On Fri, Jan 19, 2018 at 1:12 PM, Özhan Rüzgar Karaman <
>>>>> oruzgarkaraman@gmail.com> wrote:
>>>>>
>>>>>> Hi Rohit;
>>>>>> This is a fresh install of 4.11 rc1 and we have only an ipv4 setup on our
>>>>>> test environment, no ipv6 addresses; our VRs are new 4.11 rc1 system vms.
>>>>>> Our workaround is 4 lines of code to convert the ";" character to ":" in
>>>>>> the security_group.py code to make it operational for ipv4 addresses, but
>>>>>> I am sure it will break Wido's "Add support for ipv6 address and subnets"
>>>>>> PR. The workaround works only for us because we have an ipv4-only setup.
>>>>>>
>>>>>> If Wido could check the parse_network_rules function in security_group.py
>>>>>> then that would be great. After his check and possible code fix I would
>>>>>> like to test again on our environment.
>>>>>>
>>>>>> @Rohit I will create a JIRA ticket so the team can follow it easily.
>>>>>>
>>>>>> Thanks
>>>>>> Özhan
>>>>>>
>>>>>> On Fri, Jan 19, 2018 at 2:51 PM, Rohit Yadav <rohit.yadav@shapeblue.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Ozhan,
>>>>>>>
>>>>>>> Thanks for sharing.
>>>>>>>
>>>>>>> I traced the change to the following PR that changes the delimiter
>>>>>>> character to ';' rather than ":" to support ipv6 addresses:
>>>>>>>
>>>>>>> https://github.com/apache/cloudstack/pull/2028/files
>>>>>>>
>>>>>>> Can you share the workaround and, if applicable, send a pull request?
>>>>>>>
>>>>>>> Were you still using old 4.9.3 VRs post upgrade, does killing old 4.9 VRs
>>>>>>> help fix the issue? /cc Wido
>>>>>>>
>>>>>>>
>>>>>>> - Rohit
>>>>>>>
>>>>>>> <https://cloudstack.apache.org>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ________________________________
>>>>>>> From: Özhan Rüzgar Karaman <oruzgarkaraman@gmail.com>
>>>>>>> Sent: Friday, January 19, 2018 3:38:19 PM
>>>>>>> To: dev@cloudstack.apache.org
>>>>>>> Subject: Re: [4.11] KVM Advanced Networking with SG Problem
>>>>>>>
>>>>>>> Hi;
>>>>>>> We solved the bug there and wrote a small workaround today. The problem
>>>>>>> is generally from the Java code which calls security_group.py. On the
>>>>>>> 4.9.3 release it was using the : character, but from the 4.11 release the
>>>>>>> delimiter changed to the ; character, while security_group.py expects :
>>>>>>> as delimiter, so security_group.py could not parse & send rules to the
>>>>>>> iptables.
>>>>>>>
>>>>>>> This afternoon I will create a JIRA ticket, and if anyone could fix the
>>>>>>> delimiter character or code in the Java code for the 4.11 release that
>>>>>>> would be great, because without this code Security Groups are not
>>>>>>> operational for 4.11.
>>>>>>>
>>>>>>> Also @Rohit do we need to check test codes for Security Groups? Because I
>>>>>>> do not understand how this bug passed our testing scenarios.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Özhan
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jan 19, 2018 at 12:00 PM, Rohit Yadav <rohit.yadav@shapeblue.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Can anyone help look into this issue, reproduce it and if it's a genuine
>>>>>>>> bug help fix it?
>>>>>>>>
>>>>>>>> Any takers - Wido, Wei, Mike and others who may be using KVM+SG?
>>>>>>>>
>>>>>>>>
>>>>>>>> - Rohit
>>>>>>>>
>>>>>>>> <https://cloudstack.apache.org>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ________________________________
>>>>>>>> From: Özhan Rüzgar Karaman <oruzgarkaraman@gmail.com>
>>>>>>>> Sent: Tuesday, January 16, 2018 9:53:59 PM
>>>>>>>> To: dev@cloudstack.apache.org
>>>>>>>> Subject: [4.11] KVM Advanced Networking with SG Problem
>>>>>>>>
>>>>>>>> Hi;
>>>>>>>> We made a test with 4.11 rc over Ubuntu16.04 KVM hosts and we noticed
>>>>>>>> that there is a problem on setting & applying security group changes on
>>>>>>>> KVM host.
>>>>>>>>
>>>>>>>> All instances could ping vr and they could access internet but no one
>>>>>>>> could access to the instances.
>>>>>>>>
>>>>>>>> I checked iptables rules and I noticed that iptables rules for vm is in
>>>>>>>> all drop state for incoming packages while I gave access to all ingress
>>>>>>>> and egress tcp/udp traffic ports for that instances. Below are iptables
>>>>>>>> output for selected vm:
>>>>>>>>
>>>>>>>> Chain i-2-6-VM (1 references)
>>>>>>>> target     prot opt source               destination
>>>>>>>> DROP       all  --  anywhere             anywhere
>>>>>>>>
>>>>>>>> Chain i-2-6-VM-eg (1 references)
>>>>>>>> target     prot opt source               destination
>>>>>>>> RETURN     all  --  anywhere             anywhere
>>>>>>>>
>>>>>>>> Chain i-2-6-def (2 references)
>>>>>>>> target     prot opt source               destination
>>>>>>>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>>>>>>>> ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vnet9 --physdev-is-bridged udp spt:bootpc dpt:bootps
>>>>>>>> ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-out vnet9 --physdev-is-bridged udp spt:bootps dpt:bootpc
>>>>>>>> DROP       all  --  anywhere             anywhere             PHYSDEV match --physdev-in vnet9 --physdev-is-bridged ! match-set i-2-6-VM src
>>>>>>>> RETURN     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vnet9 --physdev-is-bridged match-set i-2-6-VM src udp dpt:domain
>>>>>>>> RETURN     tcp  --  anywhere             anywhere             PHYSDEV match --physdev-in vnet9 --physdev-is-bridged match-set i-2-6-VM src tcp dpt:domain
>>>>>>>> i-2-6-VM-eg  all  --  anywhere             anywhere             PHYSDEV match --physdev-in vnet9 --physdev-is-bridged match-set i-2-6-VM src
>>>>>>>> i-2-6-VM   all  --  anywhere             anywhere             PHYSDEV match --physdev-out vnet9 --physdev-is-bridged
>>>>>>>>
>>>>>>>> All management and agent logs could be accessed from:
>>>>>>>> http://51.15.199.7/4.11r1_Test_20190116.tgz
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Özhan
>>>>>>>>
>>>>>>>> rohit.yadav@shapeblue.com
>>>>>>>> www.shapeblue.com<http://www.shapeblue.com>
>>>>>>>> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
>>>>>>>> @shapeblue
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Daan
>>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Daan
>>>
>>
> 
> 
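
The delimiter mismatch discussed in this thread, and why the ";"-to-":" workaround holds only for IPv4, as an added example that is not part of the original messages and is not CloudStack's security_group.py. The four-field rule layout, the sample rules and every function name below are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rules. The four-field layout (protocol, start port,
# end port, CIDR list) is an assumption, not CloudStack's actual format.
OLD_V4 = "tcp:22:22:10.0.0.0/8"
NEW_V4 = "tcp;22;22;10.0.0.0/8"
NEW_V6 = "tcp;22;22;10.0.0.0/8,2001:db8::/32"


class RuleParseError(ValueError):
    """Raised when a rule does not match the expected layout."""


def parse_rule(rule, sep):
    """Parse one rule on an explicit separator and validate every field."""
    fields = rule.split(sep)
    if len(fields) != 4:
        raise RuleParseError(f"{len(fields)} fields on {sep!r} in {rule!r}")
    proto, start, end, cidrs = fields
    if proto not in ("tcp", "udp", "icmp", "all"):
        raise RuleParseError(f"unknown protocol {proto!r}")
    try:
        ports = (int(start), int(end))
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs.split(",")]
    except ValueError as exc:
        raise RuleParseError(f"bad port or CIDR in {rule!r}: {exc}") from exc
    return {"proto": proto, "ports": ports, "nets": nets}


def workaround(rule):
    """The IPv4-only workaround from the thread: turn ';' back into ':'."""
    return rule.replace(";", ":")


def apply_rules(rules, sep):
    """Return (parsed, rejected) so a caller can log and refuse a partial set."""
    parsed, rejected = [], []
    for rule in rules:
        try:
            parsed.append(parse_rule(rule, sep))
        except RuleParseError as exc:
            rejected.append((rule, str(exc)))
    return parsed, rejected


if __name__ == "__main__":
    for sep in (":", ";"):
        ok, bad = apply_rules([OLD_V4, NEW_V4, NEW_V6], sep)
        print(f"separator {sep!r}: {len(ok)} parsed, {len(bad)} rejected")
```

Reporting the rejected rules, rather than dropping them silently, is what distinguishes a parse failure from an intentionally empty rule set when the resulting chain contains only a DROP.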
