Subject: Re: Egress rules not applied in 4.11.0
From: Stephan Seitz
To: users@cloudstack.apache.org
Date: Wed, 11 Apr 2018 13:50:41 +0200

AFAIK not for 6.5 SP1.

https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/ shows that 7.x is fixed and gives the hint that HVM guests are not affected (at least for Spectre).

https://support.citrix.com/article/CTX231390
"6.2 SP1, and 6.5 SP1 versions of XenServer require extensive architectural changes to do so. Citrix is therefore not making hotfixes for these versions available to customers, and will continue to work with hardware vendors on other mitigation strategies. Customers on the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a more recent version."

I haven't tried it so far, but recent Debian versions were kind of picky with different kinds of Xen virtualization, as I've seen on "regular" VMs.

On Wednesday, 11.04.2018, at 11:42 +0000, Paul Angus wrote:
> virt-what will give 'xen-domU' for paravirtualized guests. Didn't XenServer make some kind of change around this as a Meltdown/Spectre mitigation?
>
>
> Kind regards,
>
> Paul Angus
>
> paul.angus@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>
>
> -----Original Message-----
> From: Stephan Seitz
> Sent: 11 April 2018 12:38
> To: users@cloudstack.apache.org
> Subject: Re: Egress rules not applied in 4.11.0
>
> Hi Martin,
>
> I've just read your issue on github and was wondering how you've been able to select Debian 9.
> But maybe you did a fresh installation.
>
> We did an update from 4.9.2 to 4.11.0 and were able to select "Debian GNU/Linux 7(64-bit)" as highest possible Debian-version. The documentation said to register the new systemvm-template before updating the management server.
>
> Maybe your issue is hot-fixed by registering a template with Debian 7 profile.
>
> Cheers,
>
> - Stephan
>
>
> On Wednesday, 11.04.2018, at 13:30 +0200, Martin Emrich wrote:
> >
> > I investigated further, and opened an issue:
> > https://github.com/apache/cloudstack/issues/2561
> >
> > Cheers,
> >
> > Martin
> >
> >
> > On 11.04.18 at 12:18, Martin Emrich wrote:
> > >
> > > Thanks... But I think something else is now broken, too...:
> > >
> > > The SystemVMs are now no longer being provisioned: They come up "empty" with "systemvm type=".
> > >
> > > I also deleted the Console Proxy VM, and the new one is plain, too...
> > >
> > > I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same effect...
> > >
> > > Cheers,
> > >
> > > Martin
> > >
> > >
> > > On 11.04.18 at 00:56, Rohit Yadav wrote:
> > > >
> > > > Hi Martin,
> > > >
> > > > This is a known issue, a freshly restarted VR may not have the EGRESS related tables which is why any rules will fail to apply. As a workaround, you can restart the network without selecting the cleanup option which will reconfigure the VR and add the egress table.
> > > >
> > > > I've a fix in this PR:
> > > > https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57dfd9156e3983b1bb2d64abecd
> > > >
> > > > - Rohit
> > > >
> > > > ________________________________
> > > > From: Martin Emrich
> > > > Sent: Tuesday, April 10, 2018 2:13:57 PM
> > > > To: CloudStack-Users
> > > > Subject: Egress rules not applied in 4.11.0
> > > >
> > > > Hi!
> > > >
> > > > I upgraded my test cluster from 4.9 to 4.11. The default policy for isolated networks is "Deny".
> > > >
> > > > But now, rules added to allow egress traffic are not applied to the virtual router. Adding a 0.0.0.0/0 rule looks fine from the UI, but does not appear in the iptables output on the VR.
> > > >
> > > > Any ideas?
> > > >
> > > > Thanks
> > > >
> > > > Martin
> > > >
> > > >
> > > > rohit.yadav@shapeblue.com
> > > > www.shapeblue.com
> > > > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK @shapeblue
> > > >
> Kind regards,
>
> Stephan Seitz
>
> --
>
> Heinlein Support GmbH
> Schwedter Str. 8/9b, 10119 Berlin
>
> http://www.heinlein-support.de
>
> Tel: 030 / 405051-44
> Fax: 030 / 405051-19
>
> Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
> Managing director: Peer Heinlein -- Registered office: Berlin

Kind regards,

Stephan Seitz