Subject: [jira] [Commented] (CLOUDSTACK-1850) IPTABLE default rules are not configured in the INPUT chain & FW_OUTBOUND chain is not present
From: "Jayapal Reddy (JIRA)"
Date: Fri, 19 Apr 2013 09:37:15 +0000 (UTC)

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-1850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13636212#comment-13636212 ]

Jayapal Reddy commented on CLOUDSTACK-1850:
-------------------------------------------

The iptables issue is not reproduced now.
Checked in the master; the latest commit is 96cf79535fb68881d7d191109ffa6d8f504e3136

1. I created 6 routers in my setup (xenserver host).
2. All the routers came up with the default iptables rules and the FW_OUTBOUND chain is configured.

When this issue happened earlier, I observed the below error messages in the boot logs of the router.

iptables-restore v1.4.8: iptables-restore: unable to initialize table 'nat'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Twice observed the below message.
iptables-restore: line 28 failed

The above errors disappeared after the cloud-passwd-srvr script's Required-Start was extended with iptables-persistent:
Required-Start: mountkernfs $local_fs cloud-early-config iptables-persistent

In the current setup the default iptables rules are loaded successfully. Pasted the router boot logs below.
In the below logs the first iptables-persistent start failed:
insserv: Service iptables-persistent has to be enabled to start service cloud-passwd-srvr
insserv: exiting now!
After the cloud-early-config script, iptables-persistent ran. You can see the lsmod | grep nf_ output in the logs (I added the lsmod command into the iptables-persistent script). Now iptables-restore successfully loaded the default iptables rules from /etc/iptables/rules.

I am marking this bug as can't reproduce now. It can be reopened if the issue is seen again.

------
[    3.228306] PCI: Fatal: No config space access function found
[    3.269467] isapnp: Write Data Register 0xa79 already used
[    3.274086] i8042.c: No controller found.
Loading, please wait...
INIT: version 2.88 booting
Using makefile-style concurrent boot in runlevel S.
Starting the hotplug events dispatcher: udevd.
Synthesizing the initial hotplug events...done.
Waiting for /dev to be fully populated...[    4.004585] Error: Driver 'pcspkr' is already registered, aborting...
done.
Activating swap...done.
Checking root file system...fsck from util-linux-ng 2.17.2
ROOT: clean, 17547/262144 files, 125021/524287 blocks
done.
Cleaning up ifupdown....
Loading kernel modules...done.
Setting up networking....
Activating lvm and md swap...done.
Checking file systems...fsck from util-linux-ng 2.17.2
done.
Mounting local filesystems...done.
Activating swapfile swap...done.
Cleaning up temporary files....
Setting kernel variables ...done.
Configuring network interfaces...done.
Executing cloud-early-config...Executing cloud-early-config...Detected that we are running inside xen-domU guest...mount: none already mounted or /proc/xen busy
mount: according to mtab, none is already mounted on /proc/xen
Patching cloud service...mount: none already mounted or /proc/xen busy
mount: according to mtab, none is already mounted on /proc/xen
Cleaning up temporary files....
modprobe: FATAL: Error inserting padlock_sha (/lib/modules/2.6.32-5-686-bigmem/kernel/drivers/crypto/padlock-sha.ko): No such device
modprobe: FATAL: Error inserting padlock_sha (/lib/modules/2.6.32-5-686-bigmem/kernel/drivers/crypto/padlock-sha.ko): No such device
Loading IPsec SA/SP database: - /etc/ipsec-tools.conf
done.
insserv: Service iptables-persistent has to be enabled to start service cloud-passwd-srvr
insserv: exiting now!
/sbin/insserv failed, exit code 1
Setting up virtual router system vm...ifdown: interface eth0 not configured
ifdown: interface eth1 not configured
ifdown: interface eth2 not configured
RTNETLINK answers: No such process
checking that eth2 has IP before setting default route to 10.147.52.1...checking that eth2 has IP before setting default route to 10.147.52.1
PING 10.147.52.1 (10.147.52.1): 56 data bytes
64 bytes from 10.147.52.1: icmp_seq=0 ttl=64 time=6.283 ms
64 bytes from 10.147.52.1: icmp_seq=1 ttl=64 time=1.353 ms
64 bytes from 10.147.52.1: icmp_seq=2 ttl=64 time=1.403 ms
--- 10.147.52.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.353/3.013/6.283/2.312 ms
Checking udev NIC assignment order changes...WARNING: All config files need .conf: /etc/modprobe.d/aesni_intel, it will be ignored in a future release.
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
WARNING: All config files need .conf: /etc/modprobe.d/aesni_intel, it will be ignored in a future release.
FATAL: Module aesni_intel not found.
Setting up dnsmasq...Setting up apache web server...Enable service dnsmasq = 1...Enable service haproxy = 1...Enable service cloud-passwd-srvr = 1...Enable service cloud = 0...cloud: Tuning rp_filter on public interfaces...rpfilter public interfaces : eth2...cloud: disable rp_filter on public interfaces...cloud: disable rp_filter on public interface: eth2...cloud: Enabling rp_filter on Non-public interfaces(eth0,eth1,lo)...cloud: enable_fwding = 1...enable_fwding = 1...done.
WARNING: All config files need .conf: /etc/modprobe.d/aesni_intel, it will be ignored in a future release.
nf_nat_ftp              1519  0
nf_nat                 10568  1 nf_nat_ftp
nf_conntrack_ftp        4272  1 nf_nat_ftp
nf_conntrack_ipv4       7597  2 nf_nat
nf_defrag_ipv4           779  1 nf_conntrack_ipv4
nf_conntrack           38083  4 nf_nat_ftp,nf_nat,nf_conntrack_ftp,nf_conntrack_ipv4
INIT: Entering runlevel: 2
Using makefile-style concurrent boot in runlevel 2.
Starting haproxy: haproxy[WARNING] 108/015202 (1903) : config : 'stats' statement ignored for proxy 'cloud-default' as it requires HTTP mode.
[WARNING] 108/015202 (1903) : config : 'option forwardfor' ignored for proxy 'cloud-default' as it requires HTTP mode.
[WARNING] 108/015202 (1903) : config : 'option forceclose' ignored for proxy 'cloud-default' as it requires HTTP mode.
.
Not starting as we're not running in a vm.
Starting enhanced syslogd: rsyslogd.
Starting ACPI services...RTNETLINK1 answers: No such file or directory
acpid: error talking to the kernel via netlink
.
Detecting Linux distribution version: OK
Starting xe daemon: OK
Starting DNS forwarder and DHCP server: dnsmasq.
Starting the system activity data collector: sadc.
Starting OpenBSD Secure Shell server: sshd.
Starting web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 10.1.1.1 for ServerName
.
Starting periodic command scheduler: cron.
Starting OpenBSD Secure Shell server: sshd.
Starting haproxy: haproxy/usr/sbin/haproxy already running.
 failed!
Starting web server: apache2apache2: Could not reliably determine the server's

> IPTABLE default rules are not configured in the INPUT chain & FW_OUTBOUND chain is not present
> -----------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-1850
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1850
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Network Controller
>    Affects Versions: 4.2.0
>         Environment: - Commit Id # 94de31ebada689a766809e0b73faf567a079c79a
> - Advanced zone with Xen Cluster
> root@r-6-VM:~# cat /etc/cloudstack-release
> Cloudstack Release 4.2.0 Thu Mar 28 04:09:55 UTC 2013
>            Reporter: venkata swamybabu budumuru
>            Assignee: Jayapal Reddy
>            Priority: Blocker
>             Fix For: 4.2.0
>
>         Attachments: logs.29.tgz
>
>
> Steps to reproduce:
> 1. Have at least one ISOLATED network created
> 2. Deploy a VM with at least one nic connected to the above isolated network
> 3. Verify iptables on the newly deployed router VM for the above isolated network
>
> Observations:
> 1. It doesn't have any default outbound rules (like for ports 53, 67 etc.) configured, but things go fine because the policy for the INPUT chain is set to ACCEPT by default.
> 2. All the egress from the VM is by default working / allowed because the FORWARD chain is not configured with the "FW_OUTBOUND" chain.
> Here is the snippet of router vm for "iptables -L -nv"
> root@r-6-VM:~# iptables -L -nv
> Chain INPUT (policy ACCEPT 2032 packets, 305K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2149  320K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT 18 packets, 1419 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    36  8380 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>    18  6961 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.2.235           state RELATED,ESTABLISHED /* 10.147.44.61:22:22 */
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.2.235           tcp dpt:22 state NEW /* 10.147.44.61:22:22 */
>
> Chain OUTPUT (policy ACCEPT 1930 packets, 340K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2056  358K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain NETWORK_STATS (3 references)
>  pkts bytes target     prot opt in     out     source               destination
>    18  1419            all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
>    18  6961            all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
>     0     0            tcp  --  !eth0  eth2    0.0.0.0/0            0.0.0.0/0
>     0     0            tcp  --  eth2   !eth0   0.0.0.0/0            0.0.0.0/0
>
> Attaching vmops.log, api.log, /var/log/messages, cloud.log from router etc..,
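The listing quoted in the report is easy to check mechanically. The following is an added example, not CloudStack code: it parses `iptables -L -nv` output and flags the two symptoms the reporter describes (no FW_OUTBOUND chain reachable from FORWARD, and an INPUT chain that holds nothing but the accounting jump under policy ACCEPT). BROKEN is trimmed from the report's own listing; HEALTHY is a constructed, hypothetical rule set used only for contrast.

```python
import re
# Constructed sample, trimmed from the listing in the report: no FW_OUTBOUND chain,
# and INPUT holds only the NETWORK_STATS accounting jump under policy ACCEPT.
BROKEN = """\
Chain INPUT (policy ACCEPT 2032 packets, 305K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2149  320K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT 18 packets, 1419 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  8380 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain NETWORK_STATS (3 references)
 pkts bytes target     prot opt in     out     source               destination
   18  1419            all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
"""
# Constructed, hypothetical healthy listing: FORWARD jumps to FW_OUTBOUND, INPUT has real rules.
HEALTHY = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FW_OUTBOUND  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
def parse_iptables(text):
    """Return {chain: {"policy": policy or None, "targets": [target or None, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # chain header; user-defined chains report references, not a policy
            chains[m.group(1)] = current = {"policy": m.group(2), "targets": []}
        elif current is not None and line.strip() and not line.lstrip().startswith("pkts"):
            fields = line.split()
            # A pure counter rule (as in NETWORK_STATS) has no target, so column 3 is the protocol.
            current["targets"].append(None if fields[2] in {"all", "tcp", "udp", "icmp"} else fields[2])
    return chains

def audit_router(chains):
    """List the CLOUDSTACK-1850 symptoms present in a parsed listing (empty list means clean)."""
    findings = []
    if "FW_OUTBOUND" not in chains:
        findings.append("FW_OUTBOUND chain missing")
    elif "FW_OUTBOUND" not in chains.get("FORWARD", {"targets": []})["targets"]:
        findings.append("FORWARD never jumps to FW_OUTBOUND")
    inp = chains.get("INPUT", {"policy": None, "targets": []})
    if inp["policy"] == "ACCEPT" and all(t in (None, "NETWORK_STATS") for t in inp["targets"]):
        findings.append("INPUT has no default rules and relies on policy ACCEPT")
    return findings
```

On a live router, feed `subprocess.check_output(["iptables", "-L", "-nv"], text=True)` to parse_iptables and treat a non-empty audit_router result as the bug having recurred.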