cloudstack-dev mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] andrijapanic commented on issue #13: Update Quick Installation Guide
Date Wed, 24 Oct 2018 13:37:35 GMT
andrijapanic commented on issue #13: Update Quick Installation Guide
URL: https://github.com/apache/cloudstack-documentation/pull/13#issuecomment-432659098
 
 
   Hi Alex,
   
   Let me begin :)
   
   First, thanks for the update. I have followed the updated tutorial "blindly" (while still doing sanity checks and frequent reboots...) and I find it very straightforward, so big thanks for the update!
   
   I do have a couple of small fixes / missing points, so can you please fix them - but I would also wait for @rhtyd to give his feedback.
   
   ## Line break for eth0 / enp3s0 config
   
   The next section seems to be printed on one line instead of multiple lines (at least while viewing the file on GitHub):
   ```
   TYPE=Ethernet PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=none DEFROUTE=yes IPV6INIT=no NAME=enp5s0 UUID=26f024e6-1113-416e-b319-58ebec347886 DEVICE=enp3s0 ONBOOT=yes BRIDGE=cloudbr0
   ```
   
   Furthermore, the UUID defined in the "eth0" equivalent interface is not needed and the bare minimum is enough, as follows:
   
   ( ifcfg-eth0 # or other name which you assume in the tutorial, enp3s0 (there is a typo above also!)
   
   ```
   TYPE=Ethernet
   BOOTPROTO=none
   DEFROUTE=yes
   IPV6INIT=no
   NAME=eth0 
   DEVICE=eth0
   ONBOOT=yes
   BRIDGE=cloudbr0
   ```
   If you choose to accept the changes above, then also remove the following sentence:
   
   ```
   You should not use the Hardware Address (aka the MAC address, or UUID) from our example
for your configuration. It is network interface specific, so you should keep the address already
provided in the UUID directive...
   ```
   
   ## Firewall script issues - many, many issues here, read carefully please!
   
   In general I don't like this whole firewall section, because it caused tons of problems for me when following this modified guide during test setup (last 3 h):
   - ssvm/cpvm agents could not connect to the mgmt server - so the whole zone was broken
   - the ssvm.sh script reports a bad IP address of the Secondary Storage - since the agent didn't run and no additional configuration was done inside the SSVM.
   - since the SSVM was not functional, the Dashboard showed ZERO capacity for Secondary Storage.
   - I could not access the UI on 8080 from my laptop over VPN
   - etc.
   
   @rhtyd I propose, for the simple purpose of the Quick Installation Guide, to either COMPLETELY DISABLE THE FIREWALL! (we "disable" selinux anyway, we don't set it up "properly"...) or at least drop/remove the "DENY" rules/lines and add more "allow" lines/ports, because I could not access the UI from a remote laptop (over VPN, etc.); also SSVM/CPVM could not connect to 8250 on the mgmt server, since this is not covered in the firewall configuration, etc.
   
   So either disable the firewall completely (the "cloudstack-setup-management" command seems to have done this for me, until I rebooted the host...) or at least make the following changes to the firewalldnfs.sh script:
   
   * replace CIDR "204.168.1.0/24" with the one from the tutorial, "172.16.10.0/24" ( @AlexBeez this is a copy/paste leftover I assume)
   * Remove both "deny" lines from their current places (50, 60); they are duplicated and also have to come after all ACCEPT rules
   * Add lines that will enable remote access to 53 (cpvm DNS resolution), 8080 (UI access), 8250 (cpvm/ssvm to mgmt), 3306 (for the sake of DB management), 80 (forward chain, for CPVM access), 5900-6100 (vnc, for CPVM) - and some of these have source set to 0.0.0.0/0 (common sense)
   
   So the final script, with the modifications from above, looks as follows (and yet, we have not covered ports for VM live migration etc.):
   
   ```
   #!/bin/bash
   # accept established/related traffic, ICMP, loopback and SSH
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 10 -m state --state ESTABLISHED,RELATED -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 20 -p icmp -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 30 -i lo -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 40 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
   # NFS/RPC ports (rpcbind, nfsd, lockd, mountd, rquotad, statd), from the tutorial's CIDR only
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 70 -s 172.16.10.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 80 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 90 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 100 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 110 -s 172.16.10.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 120 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 130 -s 172.16.10.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 140 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 150 -s 172.16.10.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 160 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 170 -s 172.16.10.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT
   # MySQL from the CIDR, UI (8080) from anywhere
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 180 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 190 -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 8080 -j ACCEPT
   # CPVM/SSVM traffic: HTTP on the forward chain, DNS, VNC console range, agent port 8250
   firewall-cmd --direct --add-rule ipv4 filter FORWARD_direct 191 -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter FORWARD_direct 192 -s 172.16.10.0/24 -m state --state NEW -p udp --dport 53 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 193 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 5900:6100 -j ACCEPT
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 194 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 8250 -j ACCEPT
   
   # catch-all reject, numbered so that it comes after every ACCEPT rule above
   firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 300 -j REJECT --reject-with icmp-host-prohibited
   # make changes permanent and reload
   firewall-cmd --runtime-to-permanent
   firewall-cmd --reload
   ```
   Or, again, as mentioned above, just disable the firewall altogether, since it will cause more problems for new users (no real benefit, since nobody is building a production environment following the Quick Installation Guide)... and I'm NOT sure what other ports have been blocked - the above are just the ones that I tested and saw issues with - because even without the explicit DENY rule in the script above, there is a default DROP rule in the INPUT chain on CentOS 7 (though the chain policy is set to ACCEPT). So again... this will kill the user experience due to different problems... I *strongly* suggest we give this a thought (disable the firewall completely).
   
   After all the firewall fixes above, I could deploy a Basic Zone as per the tutorial just fine, deploy a VM from the default CentOS 5.5 template, verified connectivity in different areas, etc...
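The two firewall points raised in the comment above (a REJECT/DROP that is ordered before the ACCEPT rules, and CloudStack ports that no rule opens) can be checked mechanically. The following is an added example, not code from the PR or from CloudStack: it lints rule lines in the format `firewall-cmd --direct --get-all-rules` prints, run here over a constructed sample that reproduces the mis-ordered deny.

```shell
#!/bin/sh
# Added example (not part of the PR or of CloudStack): lint firewalld direct rules for the
# two problems raised in the review: a REJECT/DROP rule ordered before ACCEPT rules, and
# required CloudStack ports that no ACCEPT rule opens. Input lines use the format that
# `firewall-cmd --direct --get-all-rules` prints: ipv4 filter CHAIN PRIORITY args...

# Constructed sample. The REJECT at priority 50 reproduces the bug described in the review:
# it is evaluated before the 8080 and 8250 ACCEPT rules, so those never match.
SAMPLE_RULES='ipv4 filter INPUT_direct 10 -m state --state ESTABLISHED,RELATED -j ACCEPT
ipv4 filter INPUT_direct 40 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
ipv4 filter INPUT_direct 50 -j REJECT --reject-with icmp-host-prohibited
ipv4 filter INPUT_direct 190 -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 8080 -j ACCEPT
ipv4 filter INPUT_direct 193 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 5900:6100 -j ACCEPT
ipv4 filter INPUT_direct 194 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 8250 -j ACCEPT
ipv4 filter INPUT_direct 300 -j REJECT --reject-with icmp-host-prohibited'

# check_deny_order RULES: per chain, the lowest-numbered REJECT/DROP must come after the
# highest-numbered ACCEPT (a lower priority number is evaluated first). Returns 1 on violation.
check_deny_order() {
  printf '%s\n' "$1" | awk '
    NF < 5 { next }
    { chain = $3; prio = $4 + 0; target = ""
      for (i = 5; i <= NF; i++) if ($i == "-j") target = $(i + 1)
      if (target == "ACCEPT") { if (!(chain in maxacc) || prio > maxacc[chain]) maxacc[chain] = prio }
      else if (target == "REJECT" || target == "DROP") {
        if (!(chain in minden) || prio < minden[chain]) minden[chain] = prio } }
    END { bad = 0
      for (c in minden) if ((c in maxacc) && minden[c] < maxacc[c]) {
        print c ": deny at priority " minden[c] " shadows accept at " maxacc[c]; bad = 1 }
      exit bad }'
}

# missing_ports RULES "p1 p2 ...": prints each port that no ACCEPT rule opens, either as a
# single --dport N or inside a --dport A:B range. Returns 1 if any port is missing.
missing_ports() {
  printf '%s\n' "$1" | awk -v want="$2" '
    BEGIN { n = split(want, w, " ") }
    /-j ACCEPT/ { for (i = 1; i <= NF; i++) if ($i == "--dport") {
        if (split($(i + 1), r, ":") == 2) { lo = r[1] + 0; hi = r[2] + 0 } else { lo = hi = $(i + 1) + 0 }
        for (k = 1; k <= n; k++) if (w[k] + 0 >= lo && w[k] + 0 <= hi) seen[w[k]] = 1 } }
    END { bad = 0
      for (k = 1; k <= n; k++) if (!(w[k] in seen)) { print "port " w[k] " has no ACCEPT rule"; bad = 1 }
      exit bad }'
}

# Stand-alone run: report both kinds of problem in the sample (exit status ignored here).
check_deny_order "$SAMPLE_RULES" || true
missing_ports "$SAMPLE_RULES" "22 53 3306 8080 8250 5901" || true
```

On a live host, feed `firewall-cmd --direct --get-all-rules` output to the two functions instead of the constructed sample; the port list is the set named in the comment above, adjusted to the zone's needs.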
