incubator-cloudstack-dev mailing list archives

From Frank Zhang <Frank.Zh...@citrix.com>
Subject RE: Config public network without VLAN(error:no route to the host)
Date Wed, 13 Jun 2012 17:09:18 GMT
I think we don't allow 0.0.0.0/32 anymore; I received a bug not allowing this in the internal download site setting, as it will change the default route.

> -----Original Message-----
> From: Chiradeep Vittal
> Sent: Tuesday, June 12, 2012 6:37 PM
> To: cloudstack-dev@incubator.apache.org
> Cc: cloudstack-dev@incubator.apache.org; Frank Zhang
> Subject: Re: Config public network without VLAN(error:no route to the host)
>
> This is an effect of the allowed internal sites configuration. It is expected that
> the management (eth1) IP is RFC 1918 (it is a waste of a perfectly usable IPv4 address).
> Since end users can inject any URL for template download, they can probe
> the management network. This is why there is a firewall rule that prevents
> http(s) downloads over eth1. If you know what you are doing, the config flag
> lets you override this behavior. You can put 0.0.0.0/32 there, for example.
>
> All system VMs have their publicly routable IP address on eth2 and the
> default route is via eth2. Not sure how eth1 ended up as the default NIC in
> your case.
>
> --
> Chiradeep
>
> On Jun 12, 2012, at 18:13, "Anthony Xu" <Xuefei.Xu@citrix.com> wrote:
>
> >> 111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
> >> default via 46.136.132.1 dev eth2
> >
> > Hi Heng,
> >
> > The public IP address for the SSVM is 111.111.111.18 and the default gateway
> > is 46.136.132.1. Are 111.111.111.18 and 46.136.132.1 in the same broadcast
> > domain?
> >
> > If not, it won't work, because 111.111.111.18 cannot get the MAC of
> > 46.136.132.1, so it cannot reach 46.136.132.1, and packets cannot go out.
> > Normally, in this case, the gateway would presumably be something like 111.111.111.1.
> >
> >
> > Regards,
> > Anthony
> >
> >
> >
> >> -----Original Message-----
> >> From: Lu Heng [mailto:h.lu@anytimechinese.com]
> >> Sent: Tuesday, June 12, 2012 5:35 PM
> >> To: Frank Zhang
> >> Cc: cloudstack-dev@incubator.apache.org
> >> Subject: Re: Config public network without VLAN(error:no route to the
> >> host)
> >>
> >> Hi
> >>
> >> I think I know where the problem is; it seems the SSVM cannot reach the
> >> outside network. It can ping public IP addresses within the range,
> >> but it cannot access anything outside of the three network ranges
> >> listed below as well as in the first email.
> >>
> >> So the real question is, in this network setup, how can we configure the
> >> CloudStack network?
> >>
> >> " Hi
> >>
> >> We have following setup
> >>
> >> management network(public IP range, 123.123.123.0/24)
> >> storage network(private IP range 10.2.0.0/24)
> >> public network(public IP range 111.111.111.0/24)
> >>
> >> 1 CP
> >> 1 Nic on management network
> >> 1 Nic on storage network
> >>
> >> 2*Host
> >> 1 Nic on management network
> >> 1 Nic on storage network
> >> 1 Nic on public network
> >>
> >> 1 storage
> >> 1 Nic on management network
> >> 1 nic on storage network
> >>
> >> Management server has an NFS share which is mounted on the storage
> >> network as secondary storage.
> >>
> >> So two questions:
> >>
> >> 1. for the public network, there is no vlan setup, the IP is directly
> >> routed to both host servers (they are on access point), the question
> >> is, while I configure the public network and guest network, it always
> >> asks for a vlan number, which we don't have.
> >>
> >> 2. We saw the "no route to the host" error in all the templates and ISOs, on
> >> which we cannot create any instance.
> >>
> >> Please, if anyone has a good suggestion for this network setup, how
> >> can we do it."
> >>
> >> On Wed, Jun 13, 2012 at 2:31 AM, Lu Heng <h.lu@anytimechinese.com> wrote:
> >>
> >>> Hi
> >>>
> >>> Thanks for the reply. I just added an ISO with the following URL:
> >>>
> >>> http://mirror.stanford.edu/yum/pub/centos/6.2/isos/x86_64/CentOS-6.2-x86_64-LiveDVD.iso
> >>>
> >>> It still shows no route to host, and for the default template (centos 5.6),
> >>> I saw the download complete when I did the preparation for secondary storage.
> >>>
> >>>
> >>> On Wed, Jun 13, 2012 at 2:24 AM, Frank Zhang <Frank.Zhang@citrix.com> wrote:
> >>>
> >>>> Sorry for misleading you before. The "no route to host" means CloudStack
> >>>> fails to download the template to secondary storage because it cannot
> >>>> access the URL of the template.
> >>>>
> >>>>
> >>>>>> It does download successfully during the setup.
> >>>> So you have seen its state as Ready at some point before? And then it
> >>>> changed to "No route to host"?
> >>>> Hmm, this sounds weird to me. Once the template is downloaded to secondary
> >>>> storage successfully, its state changes to Ready permanently in the database.
> >>>> Is the centos template you mentioned the builtin template automatically
> >>>> downloaded by CloudStack after the SSVM is running?
> >>>> Have you tried wget in the SSVM?
> >>>>
> >>>>>> And I have pasted the traffic rules in the last email; both ports are open.
> >>>>
> >>>> And if I mount the secondary storage on the SSVM and write to it, there
> >>>> is no error with "no route to host".
> >>>> On Wed, Jun 13, 2012 at 2:13 AM, Frank Zhang <Frank.Zhang@citrix.com> wrote:
> >>>>> Hi
> >>>>>
> >>>>> please refer to my reply
> >>>>>
> >>>>> "The first template (the centos template which was already downloaded
> >>>>> during preparation) is not even working; it also shows "no route to the host""
> >>>> No, that means it didn't download successfully. Log in to the SSVM and try
> >>>> downloading the template you want with wget.
> >>>> You should face the problem of "no route to host"; as aforementioned,
> >>>> there are some firewall rules blocking the traffic.
> >>>> Given the default centos failed to download, I suspect your port 443 or
> >>>> port 80 to the public network is blocked.
> >>>>
> >>>>>
> >>>>> On Wed, Jun 13, 2012 at 1:57 AM, Chiradeep Vittal <Chiradeep.Vittal@citrix.com> wrote:
> >>>>>
> >>>>>> Because it results in the suppression of the initial ARP request to
> >>>>>> the gateway. This is how the Linux network stack reports an ARP issue.
> >>>>>>
> >>>>>> --
> >>>>>> Chiradeep
> >>>>>>
> >>>>>> On Jun 12, 2012, at 16:31, "David Nalley" <david@gnsa.us> wrote:
> >>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On Jun 12, 2012, at 7:09 PM, Chiradeep Vittal <Chiradeep.Vittal@citrix.com> wrote:
> >>>>>>>
> >>>>>>>> You might need to add the host IP of the web server where the
> >>>>>>>> templates are hosted to "secstorage.allowed.internal.sites" in the
> >>>>>>>> global configuration.
> >>>>>>>
> >>>>>>> Why would lack of this result in no route to host? Firewall issues
> >>>>>>> would die silently without that error. It isn't even trying.
> >>>>>>>
> >>>>>>>
> >>>>>>>>
> >>>>>>>> On 6/12/12 3:50 PM, "Lu Heng" <h.lu@anytimechinese.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hi
> >>>>>>>>>
> >>>>>>>>> Thanks for the reply.
> >>>>>>>>>
> >>>>>>>>> First, the SSVM can mount the secondary storage, and the
> >>>>>>>>> ssvm-check.sh passes without error. The "no route to the host"
> >>>>>>>>> problem still exists.
> >>>>>>>>>
> >>>>>>>>> Second, what should we fill in for the vlan in the public network
> >>>>>>>>> setup while the IP is simply on the access port?
> >>>>>>>>>
> >>>>>>>>> and the iptables rules on the ssvm host:
> >>>>>>>>> Chain INPUT (policy ACCEPT)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>> ACCEPT     gre  --  anywhere             anywhere
> >>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >>>>>>>>>
> >>>>>>>>> Chain FORWARD (policy ACCEPT)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >>>>>>>>>
> >>>>>>>>> Chain OUTPUT (policy ACCEPT)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>>
> >>>>>>>>> Chain RH-Firewall-1-INPUT (2 references)
> >>>>>>>>> target     prot opt source               destination
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5900:6099
> >>>>>>>>> ACCEPT     all  --  anywhere             anywhere
> >>>>>>>>> ACCEPT     icmp --  anywhere             anywhere            icmp any
> >>>>>>>>> ACCEPT     esp  --  anywhere             anywhere
> >>>>>>>>> ACCEPT     ah   --  anywhere             anywhere
> >>>>>>>>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
> >>>>>>>>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> >>>>>>>>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ha-cluster
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> >>>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
> >>>>>>>>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> >>>>>>>>>
> >>>>>>>>> Output of ip route on ssvm:
> >>>>>>>>>
> >>>>>>>>> 204.13.152.2 via 46.136.128.1 dev eth1
> >>>>>>>>> 10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
> >>>>>>>>> 123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
> >>>>>>>>> 111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
> >>>>>>>>> 169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
> >>>>>>>>> default via 46.136.132.1 dev eth2
> >>>>>>>>>
> >>>>>>>>> On Wed, Jun 13, 2012 at 12:42 AM, Frank Zhang <Frank.Zhang@citrix.com> wrote:
> >>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>> Hi
> >>>>>>>>>>>
> >>>>>>>>>>> We have following setup
> >>>>>>>>>>>
> >>>>>>>>>>> management network(public IP range, 123.123.123.0/24)
> >>>>>>>>>>> storage network(private IP range 10.2.0.0/24)
> >>>>>>>>>>> public network(public IP range 111.111.111.0/24)
> >>>>>>>>>>>
> >>>>>>>>>>> 1 CP
> >>>>>>>>>>> 1 Nic on management network
> >>>>>>>>>>> 1 Nic on storage network
> >>>>>>>>>>>
> >>>>>>>>>>> 2*Host
> >>>>>>>>>>> 1 Nic on management network
> >>>>>>>>>>> 1 Nic on storage network
> >>>>>>>>>>> 1 Nic on public network
> >>>>>>>>>>>
> >>>>>>>>>>> 1 storage
> >>>>>>>>>>> 1 Nic on management network
> >>>>>>>>>>> 1 nic on storage network
> >>>>>>>>>>>
> >>>>>>>>>>> Management server has an NFS share which is mounted on the
> >>>>>>>>>>> storage network as secondary storage.
> >>>>>>>>>>>
> >>>>>>>>>>> So two questions:
> >>>>>>>>>>>
> >>>>>>>>>>> 1. for the public network, there is no vlan setup, the IP is
> >>>>>>>>>>> directly routed to both host servers (they are on access point),
> >>>>>>>>>>> the question is, while I configure the public network and guest
> >>>>>>>>>>> network, it always asks for a vlan number, which we don't have.
> >>>>>>>>>>
> >>>>>>>>>> When you create the zone, the vlan of the public network is optional;
> >>>>>>>>>> you should be able to safely ignore it. What exact error did you get?
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> 2. We saw the "no route to the host" error in all the templates and
> >>>>>>>>>>> ISOs, on which we cannot create any instance.
> >>>>>>>>>>>
> >>>>>>>>>>> Please, if anyone has a good suggestion for this network setup,
> >>>>>>>>>>> how can we do it.
> >>>>>>>>>>
> >>>>>>>>>> Do this:
> >>>>>>>>>> 1. log in to your SSVM
> >>>>>>>>>>     1.a go to the host where the SSVM is running
> >>>>>>>>>>     1.b ssh -i /root/.ssh/id_rsa.cloud -p 30922 link_local_ip_address
> >>>>>>>>>>            The link local IP address can be grabbed from the SSVM
> >>>>>>>>>>            page in the UI; it starts with 169
> >>>>>>>>>>     1.c try to mount your secondary storage somewhere in your SSVM
> >>>>>>>>>>     1.d if 1.c won't work, check if you can mount secondary storage
> >>>>>>>>>>            on the host where the SSVM is running. If that fails, then
> >>>>>>>>>>            it's your network issue
> >>>>>>>>>>     1.e if it works on your host, try to figure out any iptables
> >>>>>>>>>>            rules on the host blocking NFS traffic
> >>>>>>>>>>     1.h check the routes of the SSVM with 'ip route'; the traffic to
> >>>>>>>>>>            secondary storage should go through the storage network,
> >>>>>>>>>>            which is (private IP range 10.2.0.0/24) in your case
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> --
> >>>>>>>>>>> --
> >>>>>>>>>>> Kind regards.
> >>>>>>>>>>> Lu
> >>>>>>>>>>>
> >>>>>>>>>>> This transmission is intended solely for the addressee(s) shown above.
> >>>>>>>>>>> It may contain information that is privileged, confidential or
> >>>>>>>>>>> otherwise protected from disclosure. Any review, dissemination or
> >>>>>>>>>>> use of this transmission or its contents by persons other than the
> >>>>>>>>>>> intended addressee(s) is strictly prohibited. If you have received
> >>>>>>>>>>> this transmission in error, please notify this office immediately
> >>>>>>>>>>> and e-mail the original at the sender's address above by replying to
> >>>>>>>>>>> this message and including the text of the transmission received.
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> --
> >>>>>>>>> Kind regards.
> >>>>>>>>> Lu
> >>>>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> --
> >>>>> Kind regards.
> >>>>> Lu
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> --
> >>>> Kind regards.
> >>>> Lu
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> --
> >>> Kind regards.
> >>> Lu
> >>>
> >>
> >>
> >>
> >> --
> >> --
> >> Kind regards.
> >> Lu
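The diagnosis in this thread comes down to two checks, shown below as an added example that is not code from the thread or from CloudStack. The first parses `ip route` output and flags every gateway that no connected (`proto kernel scope link`) prefix on the same device covers, which is exactly Anthony's point: a next hop outside the interface's subnet cannot be resolved with ARP, and the Linux stack surfaces that as "No route to host". The second is a simplified model of what `secstorage.allowed.internal.sites` is for, as Chiradeep describes it: a user-supplied template URL must not be fetched from RFC 1918 space or the management network unless the address is explicitly allowlisted. The function names, the `Route` type and the allowlist model are assumptions made for this example; the sample input is a copy of the `ip route` listing pasted in the thread.

```python
"""Added example, not code from this thread or from CloudStack.

Two checks that follow from the diagnosis above:
  1. offlink_gateways(): parse 'ip route' output and report every gateway
     that no connected ('proto kernel scope link') prefix on the same device
     covers. The kernel cannot ARP for such a gateway, which is what the
     SSVM reports as "No route to host".
  2. download_allowed(): a simplified model of what
     secstorage.allowed.internal.sites is for. A template URL supplied by an
     end user must not be fetched from RFC 1918 space or the management
     network unless the address is explicitly allowlisted.
Function names and the allowlist model are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the 'ip route' listing pasted in the thread (constructed copy).
SSVM_IP_ROUTE = """\
204.13.152.2 via 46.136.128.1 dev eth1
10.2.0.0/24 dev eth3  proto kernel  scope link  src 10.2.0.189
123.123.123.0/24 dev eth1  proto kernel  scope link  src 123.123.123.9
111.111.111.0/24 dev eth2  proto kernel  scope link  src 111.111.111.18
169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.2.83
default via 46.136.132.1 dev eth2
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Route:
    prefix: ipaddress.IPv4Network            # 0.0.0.0/0 for 'default'
    dev: Optional[str]
    via: Optional[ipaddress.IPv4Address]     # None for directly connected routes
    onlink: bool                             # True for 'scope link' entries


def parse_ip_route(text: str) -> List[Route]:
    """Parse the subset of 'ip route' output used here: DST [via GW] dev DEV [scope link]."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        prefix = ipaddress.ip_network(dst, strict=False)   # a bare host becomes /32
        via = dev = None
        for tok, nxt in zip(fields, fields[1:]):
            if tok == "via":
                via = ipaddress.ip_address(nxt)
            elif tok == "dev":
                dev = nxt
        onlink = any(a == "scope" and b == "link" for a, b in zip(fields, fields[1:]))
        routes.append(Route(prefix, dev, via, onlink))
    return routes


def offlink_gateways(routes: List[Route]) -> List[Tuple[Route, str]]:
    """Return every gateway route whose next hop lies outside all connected
    prefixes on the same device, together with a one-line reason."""
    connected = [r for r in routes if r.via is None and r.onlink]
    findings = []
    for r in routes:
        if r.via is None:
            continue
        if not any(c.dev == r.dev and r.via in c.prefix for c in connected):
            local = [str(c.prefix) for c in connected if c.dev == r.dev]
            findings.append((r, f"{r.prefix} via {r.via} dev {r.dev}: gateway is not in "
                                f"connected prefix(es) {local or 'none'} on {r.dev}"))
    return findings


def download_allowed(target_ip: str, management_net: str, allowed_internal_sites: List[str]) -> bool:
    """Decide whether secondary storage may fetch from target_ip. The address
    must already be resolved; the caller should connect to this exact address
    rather than resolving the hostname a second time."""
    ip = ipaddress.ip_address(target_ip)
    if any(ip in ipaddress.ip_network(a, strict=False) for a in allowed_internal_sites):
        return True
    internal = ip in ipaddress.ip_network(management_net) or any(ip in n for n in RFC1918)
    return not internal


if __name__ == "__main__":
    for _, reason in offlink_gateways(parse_ip_route(SSVM_IP_ROUTE)):
        print(reason)
```

Run against the listing from the thread, the check reports both the default route (46.136.132.1 is not inside 111.111.111.0/24 on eth2) and the host route for 204.13.152.2 (46.136.128.1 is not inside 123.123.123.0/24 on eth1); a default gateway inside 111.111.111.0/24, as Anthony suggests, clears the first finding. The allowlist check refuses the management subnet and RFC 1918 addresses by default and admits them only for prefixes the operator lists, which is the behaviour the global setting is meant to give.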
