cloudstack-users mailing list archives

From Rafael Weingärtner <rafaelweingart...@gmail.com>
Subject Re: Change VPC CIDR - and some Mailing List issues
Date Thu, 15 Mar 2018 12:33:19 GMT
Can people review this PR? https://github.com/apache/cloudstack-www/pull/43
It has to do with the mailing list search mechanism.

On Wed, Mar 7, 2018 at 11:30 AM, Andrija Panic <andrija.panic@gmail.com>
wrote:

> root@r-5015-VM:~# grep -ir "10.128.0.0/18" /etc/ ### this is VPC CIDR
>
> /etc/iptables/router_rules.v4:-A INPUT -s 10.128.64.0/18 -d 10.128.0.0/18 -j MARK --set-xmark 0x524/0xffffffff
> /etc/iptables/router_rules.v4:-A FORWARD -s 10.128.64.0/18 -d 10.128.0.0/18 -j MARK --set-xmark 0x524/0xffffffff
> /etc/iptables/router_rules.v4:-A FORWARD -s 10.128.0.0/18 -d 10.128.64.0/18 -j MARK --set-xmark 0x525/0xffffffff
> /etc/iptables/router_rules.v4:-A OUTPUT -s 10.128.0.0/18 -d 10.128.64.0/18 -j MARK --set-xmark 0x525/0xffffffff
> /etc/iptables/router_rules.v4:-A FORWARD -s 10.128.0.0/18 ! -d 10.128.0.0/18 -j ACCEPT
> /etc/ipsec.d/ipsec.vpn-185.39.XXX.YYY.conf: leftsubnet=10.128.0.0/18
> /etc/cloudstack/cmdline.json:        "vpccidr": "10.128.0.0/18"
> /etc/cloudstack/site2sitevpn.json:        "local_guest_cidr": "10.128.0.0/18",
>
> So just restart VPC and be safe better than sorry :)
>
> Cheers
>
> On 7 March 2018 at 14:21, <daniel.herrmann@zv.fraunhofer.de> wrote:
>
> > Hi,
> >
> > As far as I know, when creating a site 2 site VPN, you can only specify
> > the remote networks. The local network is always set to the whole VPC
> > CIDR. Or am I wrong?
> >
> > Regards
> > Daniel
> >
> > On 07.03.18, 12:39, "Rafael Weingärtner" <rafaelweingartner@gmail.com> wrote:
> >
> >     I agree with you. I was not aware of that link in ACS website. I already
> >     created a task for myself to fix that.
> >
> >     I thought the VPC CIDR was used only as a logical value internally in ACS.
> >     However, as you pointed out, you can create a VPN to the whole VPC. Then,
> >     yes, a restart would be required.
> >
> >
> >     On Wed, Mar 7, 2018 at 8:33 AM, <daniel.herrmann@zv.fraunhofer.de> wrote:
> >
> >     > Hi,
> >     >
> >     > Maybe we could link to the Apache search system at the page listing the
> >     > Cloudstack Mailing-Lists: https://cloudstack.apache.org/mailing-lists.html
> >     >
> >     > If you click on the list there, you get to
> >     > http://mail-archives.apache.org/mod_mbox/cloudstack-users/. Then there is
> >     > markmail linked and the
> >     > https://lists.apache.org/list.html?users@cloudstack.apache.org link you
> >     > shared (which btw looks best to me, thanks).
> >     >
> >     > The tiers are going to stay as they are currently. I guess the CIDR is
> >     > used in the Strongswan VPN configuration as local network, so I guess a
> >     > restart might be required.
> >     >
> >     > Other thoughts?
> >     >
> >     > Thanks
> >     > Daniel
> >     >
> >     > On 07.03.18, 12:25, "Rafael Weingärtner" <rafaelweingartner@gmail.com> wrote:
> >     >
> >     >     MarkMail is not an Apache's system. If you want an Apache's system to
> >     >     search mailing lists you can use:
> >     >     https://lists.apache.org/list.html?dev@cloudstack.apache.org.
> >     >
> >     >     Do you intend on changing the Tiers CIDR as well? If it is only the VPC,
> >     >     you might not even need to restart with a cleanup. Of course, it is always
> >     >     a good practice to test before applying in production.
> >     >
> >     >     On Wed, Mar 7, 2018 at 8:07 AM, <daniel.herrmann@zv.fraunhofer.de> wrote:
> >     >
> >     >     > Hi all,
> >     >     >
> >     >     > First of all: when trying to search the lists on MarkMail (
> >     >     > https://cloudstack.apache.org/mailing-lists.html) I get a warning that
> >     >     > the entered information will be transmitted insecurely (no HTTPs). If I
> >     >     > accept that, MarkMail redirects back to HTTPs but does not present a valid
> >     >     > certificate (unknown issuer, Firefox 58.0.2)
> >     >     >
> >     >     > Now, to the question:
> >     >     >
> >     >     > We have a VPC with a pretty large CIDR (172.19.0.0/16), which however
> >     >     > only has tiers in the upper half (172.19.128.0/17). We now would like to
> >     >     > reduce the VPC CIDR. Is it safe to edit this in the database and then do a
> >     >     > VPC restart with cleanup? Anything else to consider?
> >     >     >
> >     >     > We use VPN s2s tunnel, so I guess we need to change the remote subnet on
> >     >     > the other VPN endpoints, but other than that?
> >     >     >
> >     >     > Is it possible like that, any problems to expect?
> >     >     >
> >     >     > Thanks and regards
> >     >     >
> >     >     > Daniel
> >     >
> >     >
> >
> >
> >     --
> >     Rafael Weingärtner
> >
> >
>
>
> --
>
> Andrija Panić
>



-- 
Rafael Weingärtner
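
Added example, not part of any message in this thread and not CloudStack code: when shrinking a VPC CIDR as discussed above, this Python sketch checks that every tier still fits inside the proposed CIDR and lists router config lines that still carry a network wider than it (the kind of leftover `leftsubnet` or iptables rule the quoted grep would reveal). The function names, the file name `ipsec.vpn-example.conf`, the tier addresses and the sample lines are constructed for illustration, modelled on the grep output quoted in the thread.

```python
import ipaddress
import re

# Matches IPv4 CIDR tokens such as 172.19.0.0/16 inside a config line.
CIDR_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}\b")

def tiers_outside(new_vpc, tier_cidrs):
    """Return the tier CIDRs that are not fully contained in the proposed VPC CIDR."""
    vpc = ipaddress.ip_network(new_vpc)
    return [t for t in tier_cidrs if not ipaddress.ip_network(t).subnet_of(vpc)]

def _is_stale(token, old, new):
    """True if token overlaps the old VPC range but is not inside the new one."""
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:  # e.g. 999.1.1.1/40 matched by the loose regex
        return False
    return net.overlaps(old) and not net.subnet_of(new)

def stale_refs(config_lines, old_vpc, new_vpc):
    """Return (path, [cidrs]) for each line still carrying the old, wider range."""
    old = ipaddress.ip_network(old_vpc)
    new = ipaddress.ip_network(new_vpc)
    hits = []
    for path, text in config_lines:
        bad = sorted({t for t in CIDR_RE.findall(text) if _is_stale(t, old, new)})
        if bad:
            hits.append((path, bad))
    return hits

# Constructed sample: (file, line) pairs as they might look after a database
# edit but before the VPC router has been restarted with cleanup.
SAMPLE = [
    ("/etc/iptables/router_rules.v4",
     "-A FORWARD -s 172.19.0.0/16 ! -d 172.19.0.0/16 -j ACCEPT"),
    ("/etc/ipsec.d/ipsec.vpn-example.conf", " leftsubnet=172.19.0.0/16"),
    ("/etc/ipsec.d/ipsec.vpn-example.conf", " rightsubnet=192.168.50.0/24"),
    ("/etc/cloudstack/cmdline.json", '"vpccidr": "172.19.128.0/17"'),
]

if __name__ == "__main__":
    print(tiers_outside("172.19.128.0/17", ["172.19.128.0/24", "172.19.200.0/24"]))
    for path, cidrs in stale_refs(SAMPLE, "172.19.0.0/16", "172.19.128.0/17"):
        print(path, cidrs)
```

A stale `leftsubnet` means the tunnel still advertises the old, larger local network to the remote peer, so an empty result from `stale_refs` after the restart is the thing to confirm.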
