cloudstack-users mailing list archives

From Andrei Mikhailovsky <and...@arhont.com>
Subject Re: XenServer 6.2 blocks vm outgoing traffic
Date Wed, 21 May 2014 11:14:33 GMT


Sanjeev, 

thanks. Because of unclear instructions in the install guide, I've run the commands to switch
to the bridge mode. Perhaps that was the reason why my systemvm network was not working. I've
done a clean install without running these commands and all is working okay.

Cheers 

Andrei 

----- Original Message -----

From: "Sanjeev Neelarapu" <sanjeev.neelarapu@citrix.com> 
To: users@cloudstack.apache.org 
Sent: Wednesday, 21 May, 2014 5:06:53 AM 
Subject: RE: XenServer 6.2 blocks vm outgoing traffic 

Hi Andrei, 

As you said, egress rules are not applicable for system vms. Since you are using advanced networking
you don't have to add any iptables rules on the hypervisor. Also make sure that on the hypervisor the
network is set to "openvswitch".
If you are trying to download the template from any of your internal web servers, add those
cidrs to "secstorage.allowed.internal.sites" in the global setting parameters.

I have a setup with XenServer 6.2 with all updates. SSVM is able to resolve the domain names
without adding port 53 on the hypervisor iptables.

Thanks, 
Sanjeev 

-----Original Message----- 
From: Andrei Mikhailovsky [mailto:andrei@arhont.com] 
Sent: Wednesday, May 21, 2014 1:25 AM 
To: users@cloudstack.apache.org 
Subject: Re: XenServer 6.2 blocks vm outgoing traffic 



Jayapal, 

I would imagine this is the case for guest vms. However, I would think that the default policy
for system vms would allow dns resolution so that ssvm would be able to download templates
and isos from the internet. Is this not the case? 

Where would I control the default egress rules for the system vms? 

Thanks 

Andrei 

----- Original Message ----- 

From: "Jayapal Reddy Uradi" <jayapalreddy.uradi@citrix.com> 
To: "<users@cloudstack.apache.org>" <users@cloudstack.apache.org> 
Sent: Tuesday, 20 May, 2014 4:48:34 PM 
Subject: Re: XenServer 6.2 blocks vm outgoing traffic 

To allow outgoing traffic for user vms you need to add egress rules on the network.


Thanks, 
Jayapal 

On 20-May-2014, at 8:38 PM, Andrei Mikhailovsky <andrei@arhont.com> wrote: 

> Hello guys, 
> 
> Having a bit of an issue with clean installs of ACS 4.2.1. The same issue is present
> on ACS 4.3. Both of the system vms are created and shown as Running. When I login either to
> ssvm or cpvm I am able to ping internal and external dns servers, as well as I can ping public
> hosts like 8.8.8.8, etc. I am able to access public IPs on ports 80 or 443 and that's pretty
> much it. I am unable to resolve anything or access any other ports. This applies to the management
> and public networks.
> 
> I had a quick investigation and it seems that the XenServer iptables rules are not properly
> setup. The default iptables policy that I have is:
> 
> # iptables -L -nv
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target              prot opt in     out     source               destination
> 6880K 9595M RH-Firewall-1-INPUT all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target              prot opt in     out     source               destination
> 40776   25M RH-Firewall-1-INPUT all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 6152K packets, 15G bytes)
>  pkts bytes target              prot opt in     out     source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
>  pkts bytes target              prot opt in     out     source               destination
> 2355K 5758M ACCEPT              all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>  349K   21M ACCEPT              icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 255
>     0     0 ACCEPT              esp  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT              ah   --  *      *       0.0.0.0/0            0.0.0.0/0
>     3   261 ACCEPT              udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
>     0     0 ACCEPT              udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631
>     3   180 ACCEPT              tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:631
>     0     0 ACCEPT              udp  --  xenapi *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
> 4164K 3815M ACCEPT              all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT              udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:694
>    19  1092 ACCEPT              tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
>    13   732 ACCEPT              tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
> 10542  632K ACCEPT              tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
> 42147   26M REJECT              all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> 
> 
> In order for my system vms to resolve anything I have to manually add the following lines
> on the hypervisor:
>
> iptables -I RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT
> iptables -I RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
> 
> Has anyone seen this behaviour from a clean install? Did I miss an important step during
> the hypervisor install?
>
> My networking is Advanced + XenServer 6.2 with latest updates. I have the following network
> setup:
>
> NIC0 - Network Name in XenCenter - Management. ACS traffic label for
> the Management network is Management
>
> NIC1 - Network name in XenCenter - CloudStack - ACS traffic labels for
> Public and Guest networks is CloudStack
> 
> Cheers 
> 
> Andrei 
> 
> 
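What the quoted listing means for a system VM's DNS lookup can be checked mechanically rather than by eye. The script below is an added example, not code from this thread nor from CloudStack or XenServer: it parses one chain of `iptables -L -nv` output and replays iptables first-match semantics for a few candidate packets. The chain is re-typed from the RH-Firewall-1-INPUT listing quoted above; the ingress bridge name (xenbr0) and the resolver address used as destination (8.8.8.8) are constructed assumptions. Because both INPUT and FORWARD jump to that chain ("2 references"), a forwarded NEW udp/53 or tcp/53 packet falls through every ACCEPT and lands on the final REJECT, while tcp/443 matches its ACCEPT, which is exactly the symptom described. The same model shows why the `iptables -I` fix works (the rule is inserted at position 1, ahead of the REJECT) and why an `-A` of the same rule would not.

```python
"""Replay an `iptables -L -nv` chain with first-match semantics.

Added example, not code from the thread or from CloudStack/XenServer. The chain
below is re-typed from the RH-Firewall-1-INPUT listing quoted in the thread; the
packet attributes used in the checks (ingress interface, destination address)
are constructed assumptions.
"""
import re

# Constructed sample: the chain both INPUT and FORWARD jump to ("2 references").
SAMPLE_CHAIN = """\
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
2355K 5758M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 349K   21M ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    3   261 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:631
    0     0 ACCEPT     udp  --  xenapi *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
4164K 3815M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:694
   19  1092 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   13   732 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
10542  632K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
42147   26M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""


def parse_chain(listing):
    """Turn the rule lines of one chain into dicts, preserving chain order."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        # Skip the "Chain ..." header, the column header and blank lines:
        # real rule lines start with a packet counter such as "0" or "349K".
        if len(parts) < 9 or not parts[0][0].isdigit():
            continue
        extra = " ".join(parts[9:])
        dpt = re.search(r"dpt:(\d+)", extra)
        st = re.search(r"state (\S+)", extra)
        rules.append({
            "target": parts[2], "prot": parts[3], "in_if": parts[5],
            "dst": parts[8],
            "dport": int(dpt.group(1)) if dpt else None,             # from "dpt:N"
            "states": set(st.group(1).split(",")) if st else set(),  # "state A,B"
            "text": line.strip(),
        })
    return rules


def matches(rule, pkt):
    """Match on the fields the sample chain actually uses; '*' and 0.0.0.0/0
    are wildcards, and a rule without dpt/state ignores those fields."""
    return (rule["prot"] in ("all", pkt["proto"])
            and rule["in_if"] in ("*", pkt["in_if"])
            and rule["dst"] in ("0.0.0.0/0", pkt["dst"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (not rule["states"] or pkt["state"] in rule["states"]))


def verdict(rules, proto, dport=None, in_if="xenbr0", dst="8.8.8.8", state="NEW"):
    """First matching rule wins. The in_if/dst defaults are assumptions: a
    forwarded packet from a system VM bridge towards a public resolver."""
    pkt = dict(proto=proto, dport=dport, in_if=in_if, dst=dst, state=state)
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"], rule["text"]
    return "RETURN", ""  # no match: back to the INPUT/FORWARD chain policy


def add_rule(rules, proto, dport, at_top=True, target="ACCEPT"):
    """Model `iptables -I CHAIN -p PROTO --dport N -j TARGET` (at_top=True):
    -I puts the rule at position 1, ahead of the trailing REJECT, which is
    why the fix in the thread takes effect. at_top=False models -A, which
    appends after the REJECT so a NEW connection never reaches the rule."""
    rule = {"target": target, "prot": proto, "in_if": "*", "dst": "0.0.0.0/0",
            "dport": dport, "states": set(),
            "text": f"{target} {proto} dpt:{dport} ({'-I' if at_top else '-A'})"}
    rules.insert(0 if at_top else len(rules), rule)


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    for proto, port in (("udp", 53), ("tcp", 53), ("tcp", 443), ("icmp", None)):
        print(f"{proto:4} {str(port):5} -> {verdict(chain, proto, port)[0]}")
    add_rule(chain, "udp", 53)
    add_rule(chain, "tcp", 53)
    print("after -I:", verdict(chain, "udp", 53)[0], verdict(chain, "tcp", 53)[0])
```

To use it against a live host, feed the output of `iptables -L RH-Firewall-1-INPUT -nv` to `parse_chain` and query the ports the SSVM needs. The matcher only understands the match types that appear in this chain (protocol, ingress interface, destination, single destination port, conntrack state), so it is a reading aid for listings like the one above, not a general iptables emulator; and, as Sanjeev notes, on an advanced-networking host with the network set to openvswitch these hypervisor rules should not be needed in the first place, so the check is useful mainly to confirm that nothing on dom0 is silently rejecting the system VMs' traffic.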



