From: Rafael Weingärtner
Date: Wed, 11 Apr 2018 09:09:20 -0300
Subject: Re: Egress rules not applied in 4.11.0
To: users

That is interesting. The VM is indeed in HVM mode.

On Wed, Apr 11, 2018 at 9:04 AM, Stephan Seitz wrote:

> # xe vm-param-list uuid=c1bcef11-ffc2-24bd-7c5e-0840fb4f8f49 | grep -e PV-legacy-args -e PV-boot -e HVM-boot -e HVM-shadow
> HVM-boot-policy ( RW): BIOS order
> HVM-boot-params (MRW): order: dc
> HVM-shadow-multiplier ( RW): 1.000
> PV-legacy-args ( RW):
> PV-bootloader ( RW):
> PV-bootloader-args ( RW):
>
> On Wednesday, 11.04.2018, 09:00 -0300, Rafael Weingärtner wrote:
> > Can you execute the following command in your XenServer?
> >
> > xe vm-param-list uuid=
> >
> > Then, what is the content of these parameters?
> >
> > - PV-legacy-args
> > - PV-bootloader
> > - PV-bootloader-args
> > - HVM-boot-policy
> > - HVM-boot-params
> > - HVM-shadow-multiplier
> >
> > It is just to make sure that the VM was indeed created using HVM mode.
> >
> > On Wed, Apr 11, 2018 at 8:55 AM, Stephan Seitz <s.seitz@heinlein-support.de> wrote:
> >
> > > Just tried a Debian 9 running on XenServer 6.5 SP1 with model "Other 2.6x Linux (64-bit)":
> > >
> > > # virt-what --version
> > > 1.15
> > > # virt-what
> > > hyperv
> > > xen
> > > xen-domU
> > > #
> > >
> > > On Wednesday, 11.04.2018, 13:50 +0200, Stephan Seitz wrote:
> > > > AFAIK not for 6.5 SP1.
> > > > https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/ shows that 7.x is fixed and gives the hint,
> > > > that HVM guests are not affected (at least for spectre)
> > > >
> > > > https://support.citrix.com/article/CTX231390
> > > > " 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive architectural changes to do so. Citrix is therefore not making hotfixes for these versions available to customers, and will continue to work with hardware vendors on other mitigation strategies. Customers on the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a more recent version. "
> > > >
> > > > I haven't tried it so far, but recent Debian versions were kind of picky with different kinds of Xen virtualization as I've seen on "regular" VMs.
> > > >
> > > > On Wednesday, 11.04.2018, 11:42 +0000, Paul Angus wrote:
> > > > > virt-what will give 'xen-domU' for paravirtualized guests. Didn't XenServer make some kind of change around this as a Meltdown/Spectre mitigation?
> > > > >
> > > > > Kind regards,
> > > > >
> > > > > Paul Angus
> > > > >
> > > > > paul.angus@shapeblue.com
> > > > > www.shapeblue.com
> > > > > 53 Chandos Place, Covent Garden, London WC2N 4HSUK
> > > > > @shapeblue
> > > > >
> > > > > -----Original Message-----
> > > > > From: Stephan Seitz
> > > > > Sent: 11 April 2018 12:38
> > > > > To: users@cloudstack.apache.org
> > > > > Subject: Re: Egress rules not applied in 4.11.0
> > > > >
> > > > > Hi martin,
> > > > >
> > > > > I've just read your issue on github and was wondering how you've been able to select Debian 9.
> > > > > But maybe you did a fresh installation.
> > > > >
> > > > > We did an update from 4.9.2 to 4.11.0 and were able to select "Debian GNU/Linux 7(64-bit)" as highest possible Debian-version. The documentation said to register the new systemvm-template before updating the management server.
> > > > >
> > > > > Maybe your issue is hot-fixed by registering a template with Debian 7 profile.
> > > > >
> > > > > Cheers,
> > > > >
> > > > > - Stephan
> > > > >
> > > > > On Wednesday, 11.04.2018, 13:30 +0200, Martin Emrich wrote:
> > > > > > I investigated further, and opened an issue:
> > > > > > https://github.com/apache/cloudstack/issues/2561
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > > Martin
> > > > > >
> > > > > > On 11.04.18 at 12:18, Martin Emrich wrote:
> > > > > > > Thanks... But I think something else is now broken, too...:
> > > > > > >
> > > > > > > The SystemVMs are now no longer being provisioned: They come up "empty" with "systemvm type=".
> > > > > > >
> > > > > > > I also deleted the Console Proxy VM, and the new one is plain, too...
> > > > > > >
> > > > > > > I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same effect...
> > > > > > >
> > > > > > > Cheers,
> > > > > > >
> > > > > > > Martin
> > > > > > >
> > > > > > > On 11.04.18 at 00:56, Rohit Yadav wrote:
> > > > > > > > Hi Martin,
> > > > > > > >
> > > > > > > > This is a known issue, a freshly restarted VR may not have the EGRESS related tables which is why any rules will fail to apply.
> > > > > > > > As a workaround, you can restart the network without selecting the cleanup option which will reconfigure the VR and add the egress table.
> > > > > > > >
> > > > > > > > I've a fix in this PR:
> > > > > > > > https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57dfd9156e3983b1bb2d64abecd
> > > > > > > >
> > > > > > > > - Rohit
> > > > > > > >
> > > > > > > > ________________________________
> > > > > > > > From: Martin Emrich
> > > > > > > > Sent: Tuesday, April 10, 2018 2:13:57 PM
> > > > > > > > To: CloudStack-Users
> > > > > > > > Subject: Egress rules not applied in 4.11.0
> > > > > > > >
> > > > > > > > Hi!
> > > > > > > >
> > > > > > > > I upgraded my test cluster from 4.9 to 4.11. The default policy for isolated networks is "Deny".
> > > > > > > >
> > > > > > > > But now, rules added to allow egress traffic are not applied to the virtual router. Adding a 0.0.0.0/0 rule looks fine from the UI, but does not appear in the iptables output on the VR.
> > > > > > > >
> > > > > > > > Any Ideas?
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > >
> > > > > > > > Martin
> > > > > > > >
> > > > > > > > rohit.yadav@shapeblue.com
> > > > > > > > www.shapeblue.com
> > > > > > > > 53 Chandos Place, Covent Garden, London WC2N 4HSUK
> > > > > > > > @shapeblue
> > > > >
> > > > > Kind regards,
> > > > >
> > > > > Stephan Seitz
> > > > >
> > > > > --
> > > > > Heinlein Support GmbH
> > > > > Schwedter Str. 8/9b, 10119 Berlin
> > > > >
> > > > > http://www.heinlein-support.de
> > > > >
> > > > > Tel: 030 / 405051-44
> > > > > Fax: 030 / 405051-19
> > > > >
> > > > > Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
> > > > > Managing director: Peer Heinlein -- Registered office: Berlin

--
Rafael Weingärtner
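The HVM check made in this thread (reading `HVM-boot-policy` and the `PV-*` fields from `xe vm-param-list`), written as a small parser. This is an added example, not part of the original messages. The PV sample and the function names `xe_param` and `xen_vm_mode` are constructed, and it assumes XenServer leaves `HVM-boot-policy` empty for PV guests.

```shell
#!/usr/bin/env bash
# Added example: classify a XenServer guest from `xe vm-param-list` output.

# Constructed from the output quoted in the thread (an HVM guest).
SAMPLE_HVM='HVM-boot-policy ( RW): BIOS order
HVM-boot-params (MRW): order: dc
HVM-shadow-multiplier ( RW): 1.000
PV-legacy-args ( RW):
PV-bootloader ( RW):
PV-bootloader-args ( RW):'

# Constructed PV guest for comparison (values are illustrative).
SAMPLE_PV='HVM-boot-policy ( RW):
PV-bootloader ( RW): pygrub
PV-bootloader-args ( RW):'

# xe_param NAME: print the value of NAME from stdin; exit 1 if NAME is absent.
# The access field varies ("( RW)", "(MRW)"), so match up to the "):".
xe_param() {
    awk -v key="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*\([ A-Z]+\):/) next  # e.g. PV-bootloader-args
            sub(/^[ \t]*\([ A-Z]+\):[ \t]*/, "", rest)
            sub(/[ \t]+$/, "", rest)
            print rest
            found = 1
            exit
        }
        END { exit !found }'
}

# xen_vm_mode: read the parameter list on stdin, print hvm, pv or unknown.
# Assumption: an empty HVM-boot-policy means the guest boots paravirtualized.
xen_vm_mode() {
    local params policy
    params=$(cat)
    if policy=$(printf '%s\n' "$params" | xe_param HVM-boot-policy); then
        if [ -n "$policy" ]; then echo hvm; else echo pv; fi
    else
        echo unknown   # parameter filtered out or input is not xe output
    fi
}

printf 'thread sample: %s\n' "$(printf '%s\n' "$SAMPLE_HVM" | xen_vm_mode)"
printf 'PV sample:     %s\n' "$(printf '%s\n' "$SAMPLE_PV" | xen_vm_mode)"
```

On a XenServer host the same function can be fed live output, for example `xe vm-param-list uuid=... | xen_vm_mode`, with the VM's UUID filled in.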