From: Rafael Weingärtner
Date: Wed, 11 Apr 2018 09:00:51 -0300
Subject: Re: Egress rules not applied in 4.11.0
To: users

Can you execute the following command in your XenServer?
> xe vm-param-list uuid=
>
Then, what is the content of these parameters?

- PV-legacy-args
- PV-bootloader
- PV-bootloader-args
- HVM-boot-policy
- HVM-boot-params
- HVM-shadow-multiplier

It is just to make sure that the VM was indeed created using HVM mode.

On Wed, Apr 11, 2018 at 8:55 AM, Stephan Seitz wrote:

> Just tried a Debian 9 running on XenServer 6.5 SP1 with model "Other 2.6x Linux (64-bit)":
>
> # virt-what --version
> 1.15
> # virt-what
> hyperv
> xen
> xen-domU
> #
>
>
> On Wednesday, 11.04.2018, at 13:50 +0200, Stephan Seitz wrote:
> > AFAIK not for 6.5 SP1.
> > https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/ shows that 7.x is fixed and gives the hint,
> > that HVM guests are not affected (at least for spectre)
> >
> > https://support.citrix.com/article/CTX231390
> > " 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive architectural changes to do so. Citrix is therefore not making hotfixes for these versions available to customers, and will continue to
> > work with hardware vendors on other mitigation strategies. Customers on the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a more recent version. "
> >
> > I haven't tried it so far, but recent debian versions were kind of picky with different kinds of Xen virtualization as I've seen on "regular" VMs.
> >
> >
> > On Wednesday, 11.04.2018, at 11:42 +0000, Paul Angus wrote:
> > >
> > > virt-what will give 'xen-domU' for paravirtualized guests. Didn't XenServer make some kind of change around this as a Meltdown/Spectre mitigation?
> > >
> > >
> > > Kind regards,
> > >
> > > Paul Angus
> > >
> > > paul.angus@shapeblue.com
> > > www.shapeblue.com
> > > 53 Chandos Place, Covent Garden, London WC2N 4HSUK
> > > @shapeblue
> > >
> > >
> > > -----Original Message-----
> > > From: Stephan Seitz
> > > Sent: 11 April 2018 12:38
> > > To: users@cloudstack.apache.org
> > > Subject: Re: Egress rules not applied in 4.11.0
> > >
> > > Hi Martin,
> > >
> > > I've just read your issue on github and was wondering how you've been able to select Debian 9.
> > > But maybe you did a fresh installation.
> > >
> > > We did an update from 4.9.2 to 4.11.0 and were able to select "Debian GNU/Linux 7(64-bit)" as highest possible Debian-version. The documentation said to register the new systemvm-template before
> > > updating the management server.
> > >
> > > Maybe your issue is hot-fixed by registering a template with Debian 7 profile.
> > >
> > > Cheers,
> > >
> > > - Stephan
> > >
> > >
> > > On Wednesday, 11.04.2018, at 13:30 +0200, Martin Emrich wrote:
> > > >
> > > > I investigated further, and opened an issue:
> > > > https://github.com/apache/cloudstack/issues/2561
> > > >
> > > > Cheers,
> > > >
> > > > Martin
> > > >
> > > >
> > > > On 11.04.18 at 12:18, Martin Emrich wrote:
> > > > >
> > > > > Thanks... But I think something else is now broken, too...:
> > > > >
> > > > > The SystemVMs are now no longer being provisioned: They come up
> > > > > "empty" with "systemvm type=".
> > > > >
> > > > > I also deleted the Console Proxy VM, and the new one is plain, too...
> > > > >
> > > > > I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same
> > > > > effect...
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Martin
> > > > >
> > > > >
> > > > > On 11.04.18 at 00:56, Rohit Yadav wrote:
> > > > > >
> > > > > > Hi Martin,
> > > > > >
> > > > > > This is a known issue, a freshly restarted VR may not have the
> > > > > > EGRESS related tables which is why any rules will fail to apply. As
> > > > > > a workaround, you can restart the network without selecting the
> > > > > > cleanup option which will reconfigure the VR and add the egress table.
> > > > > >
> > > > > > I've a fix in this PR:
> > > > > > https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57dfd9156e3983b1bb2d64abecd
> > > > > >
> > > > > > - Rohit
> > > > > >
> > > > > > ________________________________
> > > > > > From: Martin Emrich
> > > > > > Sent: Tuesday, April 10, 2018 2:13:57 PM
> > > > > > To: CloudStack-Users
> > > > > > Subject: Egress rules not applied in 4.11.0
> > > > > >
> > > > > > Hi!
> > > > > >
> > > > > > I upgraded my test cluster from 4.9 to 4.11. The default policy
> > > > > > for isolated networks is "Deny".
> > > > > >
> > > > > > But now, adding rules to allow egress traffic are not applied to
> > > > > > the virtual router. Adding a 0.0.0.0/0 rule looks fine from the
> > > > > > UI, but does not appear in the iptables output on the VR.
> > > > > >
> > > > > > Any Ideas?
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > Martin
> > > > > >
> > > > > > rohit.yadav@shapeblue.com
> > > > > > www.shapeblue.com
> > > > > > 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue
> > > > > >
> > > Kind regards,
> > >
> > > Stephan Seitz
> > >
> > > --
> > >
> > > Heinlein Support GmbH
> > > Schwedter Str. 8/9b, 10119 Berlin
> > >
> > > http://www.heinlein-support.de
> > >
> > > Tel: 030 / 405051-44
> > > Fax: 030 / 405051-19
> > >
> > > Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
> > > Managing Director: Peer Heinlein -- Registered office: Berlin

-- 
Rafael Weingärtner
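
The check requested at the top of this message (reading the PV-* and HVM-* parameters to confirm the guest runs in HVM mode) can be scripted. This is an added example, not code from the thread or from CloudStack/XenServer; the function names and sample data are constructed, and it assumes `xe vm-param-list` lines of the form `name ( RW): value`, with HVM guests carrying a non-empty HVM-boot-policy and PV guests an empty one plus a PV-bootloader.

```shell
#!/bin/sh
# Added example: both functions read `xe vm-param-list uuid=...` output on stdin.
# Assumption: each line looks like "   name ( RW): value".

# Print only the six parameters asked for in the message above.
boot_params() {
    awk '
        $1 ~ /^(PV-legacy-args|PV-bootloader|PV-bootloader-args|HVM-boot-policy|HVM-boot-params|HVM-shadow-multiplier)$/ {
            sub(/^[ \t]+/, ""); print
        }'
}

# Print HVM, PV or unknown.
# Assumption: HVM guests have a non-empty HVM-boot-policy (e.g. "BIOS order");
# PV guests leave it empty and name a PV-bootloader (e.g. pygrub).
virt_mode() {
    awk '
        {
            paren = index($0, ")")          # end of the "( RW)" access field
            if (paren == 0) next
            rest = substr($0, paren + 1)
            colon = index(rest, ":")
            if (colon == 0) next
            value = substr(rest, colon + 1) # values may contain ":" themselves
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            param[$1] = value
        }
        END {
            if (param["HVM-boot-policy"] != "")    print "HVM"
            else if (param["PV-bootloader"] != "") print "PV"
            else                                   print "unknown"
        }'
}

# Constructed sample output for two guests (not captured from a real host).
sample_hvm() {
    cat <<'EOF'
                 name-label ( RW): debian9-test (constructed)
            HVM-boot-policy ( RW): BIOS order
            HVM-boot-params (MRW): order: dc
      HVM-shadow-multiplier ( RW): 1.000
              PV-bootloader ( RW):
         PV-bootloader-args ( RW):
             PV-legacy-args ( RW):
EOF
}
sample_pv() {
    printf '%s\n' '   HVM-boot-policy ( RW):' '     PV-bootloader ( RW): pygrub'
}

echo "sample_hvm: $(sample_hvm | virt_mode)"
echo "sample_pv:  $(sample_pv | virt_mode)"
```

On a XenServer host, pipe the real `xe vm-param-list` output into `virt_mode` or `boot_params` in place of the sample functions.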