cloudstack-issues mailing list archives

From "Jayapal Reddy (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-1850) IPTABLE default rules are not configured in the INPUT chain & FW_OUTBOUND chain is not present
Date Fri, 19 Apr 2013 09:37:15 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-1850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13636212#comment-13636212 ]

Jayapal Reddy commented on CLOUDSTACK-1850:
-------------------------------------------

The iptables issue is not reproduced now.
Checked on master; the latest commit is 96cf79535fb68881d7d191109ffa6d8f504e3136

1. I created 6 routers in my setup (XenServer host).
2. All the routers came up with the default iptables rules, and the FW_OUTBOUND chain is configured.

When this issue happened earlier, I observed the error messages below in the router's boot logs.
iptables-restore v1.4.8: iptables-restore: unable to initialize table 'nat'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Twice I observed the message below.
iptables-restore: line 28 failed

The above errors disappeared after iptables-persistent was added to the Required-Start: line of the cloud-passwd-srvr script:
Required-Start:    mountkernfs $local_fs cloud-early-config iptables-persistent
 

In the current setup the default iptables rules are loaded successfully.
I have pasted the router boot logs below.
In the logs below, the first iptables-persistent start failed:
    insserv: Service iptables-persistent has to be enabled to start service cloud-passwd-srvr
    insserv: exiting now!

After the cloud-early-config script, iptables-persistent ran. You can see the lsmod | grep nf_ output
in the logs; I added the lsmod command to the iptables-persistent script.
Now iptables-restore successfully loaded the default iptables rules from /etc/iptables/rules.

I am marking this bug as can't reproduce now.
It can be reopened if the issue is seen again.




------
[    3.228306] PCI: Fatal: No config space access function found
[    3.269467] isapnp: Write Data Register 0xa79 already used
[    3.274086] i8042.c: No controller found.
Loading, please wait...
INIT: version 2.88 booting
Using makefile-style concurrent boot in runlevel S.
Starting the hotplug events dispatcher: udevd.
Synthesizing the initial hotplug events...done.
Waiting for /dev to be fully populated...[    4.004585] Error: Driver 'pcspkr' is already
registered, aborting...
done.
Activating swap...done.
Checking root file system...fsck from util-linux-ng 2.17.2
ROOT: clean, 17547/262144 files, 125021/524287 blocks
done.
Cleaning up ifupdown....
Loading kernel modules...done.
Setting up networking....
Activating lvm and md swap...done.
Checking file systems...fsck from util-linux-ng 2.17.2
done.
Mounting local filesystems...done.
Activating swapfile swap...done.
Cleaning up temporary files....
Setting kernel variables ...done.
Configuring network interfaces...done.
Executing cloud-early-config...Executing cloud-early-config...Detected that we are running
inside xen-domU guest...mount: none already mounted or /proc/xen busy
mount: according to mtab, none is already mounted on /proc/xen
Patching  cloud service...mount: none already mounted or /proc/xen busy
mount: according to mtab, none is already mounted on /proc/xen
Cleaning up temporary files....
modprobe: FATAL: Error inserting padlock_sha (/lib/modules/2.6.32-5-686-bigmem/kernel/drivers/crypto/padlock-sha.ko):
No such device

modprobe: FATAL: Error inserting padlock_sha (/lib/modules/2.6.32-5-686-bigmem/kernel/drivers/crypto/padlock-sha.ko):
No such device

Loading IPsec SA/SP database: 
 - /etc/ipsec-tools.conf
done.
insserv: Service iptables-persistent has to be enabled to start service cloud-passwd-srvr
insserv: exiting now!
/sbin/insserv failed, exit code 1
Setting up virtual router system vm...ifdown: interface eth0 not configured
ifdown: interface eth1 not configured
ifdown: interface eth2 not configured
RTNETLINK answers: No such process
checking that eth2 has IP before setting default route to 10.147.52.1...checking that eth2
has IP before setting default route to 10.147.52.1
PING 10.147.52.1 (10.147.52.1): 56 data bytes
64 bytes from 10.147.52.1: icmp_seq=0 ttl=64 time=6.283 ms
64 bytes from 10.147.52.1: icmp_seq=1 ttl=64 time=1.353 ms
64 bytes from 10.147.52.1: icmp_seq=2 ttl=64 time=1.403 ms
--- 10.147.52.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.353/3.013/6.283/2.312 ms
Checking udev NIC assignment order changes...WARNING: All config files need .conf: /etc/modprobe.d/aesni_intel,
it will be ignored in a future release.
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
WARNING: All config files need .conf: /etc/modprobe.d/aesni_intel, it will be ignored in a
future release.
FATAL: Module aesni_intel not found.
Setting up dnsmasq...Setting up apache web server...Enable service dnsmasq = 1...Enable service
haproxy = 1...Enable service cloud-passwd-srvr = 1...Enable service cloud = 0...cloud: Tuning
rp_filter on public interfaces...rpfilter public interfaces :  eth2...cloud: disable rp_filter
on public interfaces...cloud: disable rp_filter on public interface: eth2...cloud: Enabling
rp_filter on Non-public interfaces(eth0,eth1,lo)...cloud: enable_fwding = 1...enable_fwding
= 1...done.
WARNING: All config files need .conf: /etc/modprobe.d/aesni_intel, it will be ignored in a
future release.
nf_nat_ftp              1519  0 
nf_nat                 10568  1 nf_nat_ftp
nf_conntrack_ftp        4272  1 nf_nat_ftp
nf_conntrack_ipv4       7597  2 nf_nat
nf_defrag_ipv4           779  1 nf_conntrack_ipv4
nf_conntrack           38083  4 nf_nat_ftp,nf_nat,nf_conntrack_ftp,nf_conntrack_ipv4
INIT: Entering runlevel: 2
Using makefile-style concurrent boot in runlevel 2.
Starting haproxy: haproxy[WARNING] 108/015202 (1903) : config : 'stats' statement ignored
for proxy 'cloud-default' as it requires HTTP mode.
[WARNING] 108/015202 (1903) : config : 'option forwardfor' ignored for proxy 'cloud-default'
as it requires HTTP mode.
[WARNING] 108/015202 (1903) : config : 'option forceclose' ignored for proxy 'cloud-default'
as it requires HTTP mode.
.
Not starting as we're not running in a vm.
Starting enhanced syslogd: rsyslogd.
Starting ACPI services...RTNETLINK1 answers: No such file or directory
acpid: error talking to the kernel via netlink
.
Detecting Linux distribution version: OK
Starting xe daemon:  OK
Starting DNS forwarder and DHCP server: dnsmasq.
Starting the system activity data collector: sadc.
Starting OpenBSD Secure Shell server: sshd.
Starting web server: apache2apache2: Could not reliably determine the server's fully qualified
domain name, using 10.1.1.1 for ServerName
.
Starting periodic command scheduler: cron.
Starting OpenBSD Secure Shell server: sshd.
Starting haproxy: haproxy/usr/sbin/haproxy already running.
 failed!
Starting web server: apache2apache2: Could not reliably determine the server's 
                
> IPTABLE default rules are not configured in the INPUT chain & FW_OUTBOUND chain is not present
> -----------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-1850
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1850
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.2.0
>         Environment: - Commit Id # 94de31ebada689a766809e0b73faf567a079c79a
> - Advanced zone with Xen Cluster 
> root@r-6-VM:~# cat /etc/cloudstack-release 
> Cloudstack Release 4.2.0 Thu Mar 28 04:09:55 UTC 2013
>            Reporter: venkata swamybabu budumuru
>            Assignee: Jayapal Reddy
>            Priority: Blocker
>             Fix For: 4.2.0
>
>         Attachments: logs.29.tgz
>
>
> Steps to reproduce :
> 1. Have at least one ISOLATED network created
> 2. Deploy a VM with at least one nic connected to the above isolated network
> 3. Verify iptables on the newly deployed router VM for the above isolated network
> Observations :
> 1. It doesn't have any default outbound rules (like for ports 53, 67 etc.) configured, but things go fine because the policy for the INPUT chain is set to ACCEPT by default.
> 2. All the egress from the VM is by default working / allowed because the FORWARD chain is not configured with the "FW_OUTBOUND" chain.
> Here is the snippet of router vm for "iptables -L -nv"
> root@r-6-VM:~# iptables -L -nv
> Chain INPUT (policy ACCEPT 2032 packets, 305K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2149  320K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain FORWARD (policy ACCEPT 18 packets, 1419 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    36  8380 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>    18  6961 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.2.235           state RELATED,ESTABLISHED /* 10.147.44.61:22:22 */
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.2.235           tcp dpt:22 state NEW /* 10.147.44.61:22:22 */
> Chain OUTPUT (policy ACCEPT 1930 packets, 340K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2056  358K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain NETWORK_STATS (3 references)
>  pkts bytes target     prot opt in     out     source               destination
>    18  1419            all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
>    18  6961            all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
>     0     0            tcp  --  !eth0  eth2    0.0.0.0/0            0.0.0.0/0
>     0     0            tcp  --  eth2   !eth0   0.0.0.0/0            0.0.0.0/0
> Attaching vmops.log, api.log, /var/log/messages, cloud.log from router etc..,

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
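A post-boot check for the failure mode discussed in this ticket (iptables-restore never loading the persisted rules, leaving only NETWORK_STATS in the filter chains), added here as an example and not code from the CloudStack project or from either commenter. It reads a file in iptables-save format, such as /etc/iptables/rules or live `iptables-save` output, and reports whether the FW_OUTBOUND chain, the FORWARD jump to it, and INPUT accept rules for udp/53 and udp/67 are present; those expected chain and port names are assumptions taken from the issue text, and both sample rule files are constructed.

```shell
# Added example (not CloudStack project code): check a rules file in iptables-save
# format (/etc/iptables/rules or `iptables-save` output) for the CLOUDSTACK-1850
# symptoms. Expected chain and port names are assumptions taken from the issue text.
# router_rule_findings FILE: print one "MISSING:" line per failed check; always exits 0.
router_rule_findings() {
    f="$1"
    grep -Eq '^(:FW_OUTBOUND |-N FW_OUTBOUND$)' "$f" ||
        echo "MISSING: FW_OUTBOUND chain is not defined"
    grep -Eq '^-A FORWARD .*-j FW_OUTBOUND' "$f" ||
        echo "MISSING: FORWARD chain has no jump to FW_OUTBOUND"
    for port in 53 67; do
        grep -Eq "^-A INPUT .*-p udp .*--dport $port .*-j ACCEPT" "$f" ||
            echo "MISSING: INPUT has no accept rule for udp/$port"
    done
    return 0
}
# missing_count FILE: number of failed checks (0 means the default rules are in place).
missing_count() {
    router_rule_findings "$1" | awk 'END { print NR }'
}
# Constructed samples (not captured from a real router). BAD mirrors the reporter's
# listing: only NETWORK_STATS and a port-forward rule, no FW_OUTBOUND, no DNS/DHCP.
BAD_RULES=$(mktemp); GOOD_RULES=$(mktemp)
cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:NETWORK_STATS - [0:0]
-A INPUT -j NETWORK_STATS
-A FORWARD -j NETWORK_STATS
-A FORWARD -d 10.1.2.235/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -j NETWORK_STATS
COMMIT
EOF
# GOOD adds the chain, the jump and the service rules the issue expects to see.
{
    sed '$d' "$BAD_RULES"     # everything except the final COMMIT
    cat <<'EOF'
:FW_OUTBOUND - [0:0]
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FW_OUTBOUND -j ACCEPT
COMMIT
EOF
} > "$GOOD_RULES"
router_rule_findings "$BAD_RULES"   # prints four MISSING lines; prints nothing for GOOD_RULES
```

Running `missing_count /etc/iptables/rules` against `missing_count <(iptables-save)` on a router tells you whether the persisted rule set and the live one disagree, which is exactly the state the ticket's boot logs show after a failed iptables-restore.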
