From: Andrija Panic
Date: Tue, 9 Jul 2019 22:51:46 +0600
Subject: Re: DHCP instance/vm issue
To: users
Reply-To: users@cloudstack.apache.org

Don't kill dhcp client (don't force renew of IP), since again it will NOT work if you repeat that a few times - a VM will broadcast dhcp discover messages, all DHCP servers will receive it and all DHCP servers will offer a lease/ip to your VMs - the one DHCP server to be "quicker" to send its dhcp offer, will "win" and VM will get its IP... you have "race condition" in any network with more than 1 DHCP server...

It's a "wrong" setup effectively.

Cheers

On Tue, Jul 9, 2019, 22:47 Andrija Panic wrote:

> Jesse,
>
> You can experiment with firewall rules/SG, but in general you should not
> have more than 1 DHCP server in a single network. I assume your VMs would
> be assigned one part of the net/subnet, while your external DHCP server
> should be serving your non-ACS infra - i.e. if your acs network for VMs is
> 192.168.1.1-128, while 192.168.1.129-254 (non-ACS infra) should be served by
> your external DHCP, then I would think of blocking dhcp ports (dhcp
> discover) from whole 192.168.1.1-128 network on your external DHCP server -
> i.e. this way your external DHCP SERVER would be "deaf" to all dhcp
> discover messages sent from ACS VMs to itself and thus would not issue
> leases to ACS VMs.
>
> Hope that makes sense.
>
> Best
> Andrija
>
> On Tue, Jul 9, 2019, 21:16 wrote:
>
>> My vm was assigned an ip from our endpoint DHCP server, not from VR. Do I
>> need to add firewall rule(s) to force DHCP request to VR? I probably missed
>> a part of setup w/KVM hosts and or within management when I defined the
>> zone/pod/...
>>
>> This seems to be correct, VR is running on a different host than the vm.
>>
>> Chain i-2-11-VM-eg (1 references)
>>  pkts bytes target        prot opt in  out  source       destination
>>     0     0 RETURN        all  --  *   *    0.0.0.0/0    0.0.0.0/0
>>
>> Chain i-2-11-def (2 references)
>>  pkts bytes target        prot opt in  out  source       destination
>>     0     0 ACCEPT        all  --  *   *    0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
>>     0     0 ACCEPT        udp  --  *   *    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vnet0 --physdev-is-bridged udp spt:68 dpt:67
>>     0     0 ACCEPT        udp  --  *   *    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out vnet0 --physdev-is-bridged udp spt:67 dpt:68
>>     0     0 DROP          all  --  *   *    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vnet0 --physdev-is-bridged ! match-set i-2-11-VM src
>>     0     0 RETURN        udp  --  *   *    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vnet0 --physdev-is-bridged match-set i-2-11-VM src udp dpt:53
>>     0     0 RETURN        tcp  --  *   *    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vnet0 --physdev-is-bridged match-set i-2-11-VM src tcp dpt:53
>>     0     0 i-2-11-VM-eg  all  --  *   *    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vnet0 --physdev-is-bridged match-set i-2-11-VM src
>>    15  1963 i-2-11-VM     all  --  *   *    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
>>
>> Thanks for quick response Andrija!
>>
>> - Jesse
>>
>> On Tue, Jul 9, 2019 at 10:39 AM Andrija Panic wrote:
>>
>> > ACS will only offer DHCP leases to its VMs, via DHCP reservation. If you
>> > have another DHCP server in your area, then it might be quicker to offer a
>> > lease to a VM. You have to either remove your non-ACS DHCP server
>> > completely, OR make sure it uses reservation for non-ACS servers/hosts i.e.
>> > NOT let it issue leases freely to anyone who asks for it. Pure DHCP
>> > "problem" - i.e. nothing to do with ACS specifically.
>> >
>> > Best,
>> > Andrija
>> >
>> > On Tue, Jul 9, 2019, 20:27 wrote:
>> >
>> > > Have a DHCP issue where vm pulls from ACS proxy properly sometimes, and
>> > > other times it pulls from our normal dhcp server for end-points.
>> > >
>> > > Network layout is flat, and ACS is using basic network with security
>> > > groups. IP range for acs is within range of our normal network so vms and
>> > > endpoints will flow without additional hardware. How do I ensure dhcp
>> > > requests are served by router vm and not our normal dhcp server?
>> > >
>> > > TIA,
>> > > Jesse
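
Added example, not part of the thread: one way to confirm the race described above from captured DHCP traffic, by parsing DHCPOFFER payloads and listing every server that answered the same client transaction. The packets, MAC addresses and server addresses are constructed for illustration (192.168.1.2 stands in for the virtual router, 192.168.1.254 for the external DHCP server; both are assumptions).

```python
import socket
import struct
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options (RFC 2131)
OPT_MSG_TYPE, OPT_SERVER_ID, DHCPOFFER = 53, 54, 2

def parse_dhcp(payload):
    """Parse a BOOTP/DHCP UDP payload into xid, client MAC, offered IP and options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        options[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return {"xid": struct.unpack("!I", payload[4:8])[0],
            "yiaddr": socket.inet_ntoa(payload[16:20]),
            "mac": ":".join(f"{b:02x}" for b in payload[28:34]),
            "options": options}

def competing_servers(payloads):
    """Return {(xid, mac): {server_id: offered_ip}} where more than one server sent an OFFER."""
    offers = defaultdict(dict)
    for payload in payloads:
        msg = parse_dhcp(payload)
        opts = msg["options"]
        if opts.get(OPT_MSG_TYPE) == bytes([DHCPOFFER]) and len(opts.get(OPT_SERVER_ID, b"")) == 4:
            offers[(msg["xid"], msg["mac"])][socket.inet_ntoa(opts[OPT_SERVER_ID])] = msg["yiaddr"]
    return {key: servers for key, servers in offers.items() if len(servers) > 1}

def build_offer(xid, mac, yiaddr, server_id):
    """Construct a minimal DHCPOFFER payload (sample data for this example only)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                        bytes(4), socket.inet_aton(yiaddr), bytes(4), bytes(4),
                        bytes.fromhex(mac.replace(":", "")), b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
    return fixed + MAGIC_COOKIE + opts + socket.inet_aton(server_id) + b"\xff"

# Constructed sample: two servers answer one DISCOVER (xid 0x1234), only one answers another.
SAMPLE = [
    build_offer(0x1234, "1e:00:a4:00:00:0b", "192.168.1.50", "192.168.1.2"),
    build_offer(0x1234, "1e:00:a4:00:00:0b", "192.168.1.200", "192.168.1.254"),
    build_offer(0x9999, "52:54:00:aa:bb:cc", "192.168.1.201", "192.168.1.254"),
]
print(competing_servers(SAMPLE))
```

Any transaction reported here received offers from more than one server, so which lease the VM ends up with depends on which offer arrived first.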