Return-Path: X-Original-To: apmail-incubator-cloudstack-dev-archive@minotaur.apache.org Delivered-To: apmail-incubator-cloudstack-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id B3541E6D2 for ; Mon, 26 Nov 2012 22:08:58 +0000 (UTC) Received: (qmail 14869 invoked by uid 500); 26 Nov 2012 22:08:58 -0000 Delivered-To: apmail-incubator-cloudstack-dev-archive@incubator.apache.org Received: (qmail 14836 invoked by uid 500); 26 Nov 2012 22:08:58 -0000 Mailing-List: contact cloudstack-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: cloudstack-dev@incubator.apache.org Delivered-To: mailing list cloudstack-dev@incubator.apache.org Received: (qmail 14824 invoked by uid 99); 26 Nov 2012 22:08:58 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 26 Nov 2012 22:08:58 +0000 Date: Mon, 26 Nov 2012 22:08:57 +0000 (UTC) From: "Iliya (JIRA)" To: cloudstack-dev@incubator.apache.org Message-ID: <8883765.24921.1353967738309.JavaMail.jiratomcat@arcas> In-Reply-To: <1190221546.24657.1353965578828.JavaMail.jiratomcat@arcas> Subject: [jira] [Comment Edited] (CLOUDSTACK-540) KVM network trouble MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504173#comment-13504173 ] Iliya edited comment on CLOUDSTACK-540 at 11/26/12 10:07 PM: ------------------------------------------------------------- Thnx Marcus. in sysctl.conf net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0 [root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-arptables 0 [root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-ip6tables 0 [root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-iptables 0 [root@bh1 run]# cat /proc/sys/net/bridge/bridge-nf-call-arptables 0 [root@bh1 run]# cat /proc/sys/net/bridge/bridge-nf-call-ip6tables 0 [root@bh1 run]# cat /proc/sys/net/bridge/bridge-nf-call-iptables 0 [root@bh1 run]# brctl show bridge name bridge id STP enabled interfaces cloud0 8000.fe00a9fe01ff no vnet0 vnet4 cloudVirBr50 8000.707be8f0d202 no bond2.50 vnet2 vnet6 cloudVirBr700 8000.fc48ef2fbd44 no bond1.700 vnet7 cloudbr0 8000.fc48ef2fbd44 yes bond1 cloudbr1 8000.707be8f0d202 yes bond2 cloudbrm 8000.fc48ef2fbd44 no bond1.40 vnet1 vnet3 vnet5 virbr0 8000.525400d54daf yes virbr0-nic [root@bh1 run]# [root@bh2 run]# brctl show bridge name bridge id STP enabled interfaces cloud0 8000.fe00a9fe011c no vnet1 cloudVirBr50 8000.707be8f0d200 no bond2.50 vnet2 cloudVirBr700 8000.fc48ef2fbd38 no bond1.700 vnet0 cloudbr0 8000.fc48ef2fbd38 yes bond1 cloudbr1 8000.707be8f0d200 yes bond2 cloudbrm 8000.fc48ef2fbd38 no bond1.40 virbr0 8000.525400c8b796 yes virbr0-nic [root@bh2 run]# [root@bh2 run]# ifconfig bond1.700 10.1.1.1 netmask 255.255.255.0 up [root@bh1 run]# ifconfig bond1.700 10.1.1.2 netmask 255.255.255.0 up [root@bh2 run]# ping 10.1.1.2 PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data. ^C --- 10.1.1.2 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1872ms Rules : -A BF-cloudVirBr700 -m state --state RELATED,ESTABLISHED -j ACCEPT -A BF-cloudVirBr700 -m physdev --physdev-is-in --physdev-is-bridged -j BF-cloudVirBr700-IN -A BF-cloudVirBr700 -m physdev --physdev-is-out --physdev-is-bridged -j BF-cloudVirBr700-OUT -A BF-cloudVirBr700 -m physdev --physdev-out eth0 --physdev-is-bridged -j ACCEPT should be established automatically ? or this was only in Cloudstack 2.2 version? was (Author: sunrash): Thnx Marcus. in sysctl.conf net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0 [root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-arptables 0 [root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-ip6tables 0 [root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-iptables 0 [root@bh1 run]# brctl show bridge name bridge id STP enabled interfaces cloud0 8000.fe00a9fe01ff no vnet0 vnet4 cloudVirBr50 8000.707be8f0d202 no bond2.50 vnet2 vnet6 cloudVirBr700 8000.fc48ef2fbd44 no bond1.700 vnet7 cloudbr0 8000.fc48ef2fbd44 yes bond1 cloudbr1 8000.707be8f0d202 yes bond2 cloudbrm 8000.fc48ef2fbd44 no bond1.40 vnet1 vnet3 vnet5 virbr0 8000.525400d54daf yes virbr0-nic [root@bh1 run]# [root@bh2 run]# brctl show bridge name bridge id STP enabled interfaces cloud0 8000.fe00a9fe011c no vnet1 cloudVirBr50 8000.707be8f0d200 no bond2.50 vnet2 cloudVirBr700 8000.fc48ef2fbd38 no bond1.700 vnet0 cloudbr0 8000.fc48ef2fbd38 yes bond1 cloudbr1 8000.707be8f0d200 yes bond2 cloudbrm 8000.fc48ef2fbd38 no bond1.40 virbr0 8000.525400c8b796 yes virbr0-nic [root@bh2 run]# [root@bh2 run]# ifconfig bond1.700 10.1.1.1 netmask 255.255.255.0 up [root@bh1 run]# ifconfig bond1.700 10.1.1.2 netmask 255.255.255.0 up [root@bh2 run]# ping 10.1.1.2 PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data. ^C --- 10.1.1.2 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1872ms Rules : -A BF-cloudVirBr700 -m state --state RELATED,ESTABLISHED -j ACCEPT -A BF-cloudVirBr700 -m physdev --physdev-is-in --physdev-is-bridged -j BF-cloudVirBr700-IN -A BF-cloudVirBr700 -m physdev --physdev-is-out --physdev-is-bridged -j BF-cloudVirBr700-OUT -A BF-cloudVirBr700 -m physdev --physdev-out eth0 --physdev-is-bridged -j ACCEPT should be established automatically ? or this was only in Cloudstack 2.2 version? > KVM network trouble > -------------------- > > Key: CLOUDSTACK-540 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-540 > Project: CloudStack > Issue Type: Bug > Components: Network Controller > Affects Versions: 4.0.0 > Environment: 2x Node CentOS 6.3 > 1x node Cloudstack 4.0.0.1234 > Hypervisor: KVM > Primary: CLVM > Reporter: Iliya > > I setup "the advanced setup". > cloudbrm - private > cloudbr0 - guest > cloudbr1 - public > VLAN50 - public > VLAN500-1000 - guest > I created an instance (template CentOS 5.5(64-bit) no GUI (KVM)) and added a new network (DefaultIsolatedNetworkOfferingWithSourceNatService) in step 5 of the wizard. This network is deployed in cloudVirBr700 > bh1 - 1 KVM host > bh2 - 2 KVM host > The VM booted successfully, but when router and vm is same host - ping good. > When router on bh1 and vm on bh2 network wasn't reachable: > 1. The VM couldn't ping the public network gateway > 2. The VM couldn't ping the Virtual Router > 3. The Virtual Router couldn't ping the VM > When tcpdump-ing cloudVirBr700 on the bh1 KVM host, I noticed "ICMP echo requests", but no reply's. > I also noticed there were no iptables rules regarding cloudVirBr700. it's good or no? > [root@bh2 1234]# iptables -L -n > Chain INPUT (policy ACCEPT) > target prot opt source destination > ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 > ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 > ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67 > ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67 > Chain FORWARD (policy ACCEPT) > target prot opt source destination > ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED > ACCEPT all -- 192.168.122.0/24 0.0.0.0/0 > ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 > REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable > REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > [root@bh2 1234]# > [root@bh2 1234]# brctl show > bridge name bridge id STP enabled interfaces > cloud0 8000.fe00a9fe03da no vnet1 > cloudVirBr50 8000.707be8f0d200 no bond2.50 > vnet2 > cloudVirBr700 8000.fc48ef2fbd38 no bond1.700 > vnet0 > cloudbr0 8000.fc48ef2fbd38 yes bond1 > cloudbr1 8000.707be8f0d200 yes bond2 > cloudbrm 8000.fc48ef2fbd38 no bond1.40 > virbr0 8000.525400c8b796 yes virbr0-nic > [root@bh2 1234]# > it's freesh installation. > i try it on 4.0.0.140 and 4.0.0.1234 releases the problem is the same everywhere > [root@bh2 cloud]# tail -100 security_group.log > 2012-11-27 00:39:23,025 - Cleaned up rules for 0 chains > 2012-11-27 00:39:24,049 - iptables-save | grep '^:' | grep -v '.*-def' | grep -v '.*-eg' | awk '{print $1}' | cut -d':' -f2 > 2012-11-27 00:39:24,055 - ebtables-save |grep :i |awk '{print $1}' |sed -e 's/\-in//g' |sed -e 's/\-out//g' |sed -e 's/^://g' > 2012-11-27 00:39:24,069 - Cleaned up rules for 0 chains > 2012-11-27 01:01:41,150 - iptables-save | grep BF | grep r-4 | grep physdev-is-bridged | sed 's/-A/-D/' > 2012-11-27 01:01:41,156 - ebtables -t nat -L PREROUTING | grep r-4-VM > 2012-11-27 01:01:41,161 - ebtables -t nat -L POSTROUTING | grep r-4-VM > 2012-11-27 01:01:41,166 - ebtables -t nat -F r-4-VM-in > 2012-11-27 01:01:41,169 - Ignoring failure to delete ebtables chain for vm r-4-VM > 2012-11-27 01:01:41,170 - ebtables -t nat -F r-4-VM-out > 2012-11-27 01:01:41,174 - Ignoring failure to delete ebtables chain for vm r-4-VM > 2012-11-27 01:01:41,174 - iptables -F r-4-def > 2012-11-27 01:01:41,178 - Ignoring failure to delete chain r-4-def > 2012-11-27 01:01:41,178 - iptables -X r-4-def > 2012-11-27 01:01:41,182 - Ignoring failure to delete chain r-4-def > 2012-11-27 01:01:41,182 - iptables -F r-4-VM > 2012-11-27 01:01:41,186 - Ignoring failure to delete chain r-4-VM > 2012-11-27 01:01:41,186 - iptables -X r-4-VM > 2012-11-27 01:01:41,190 - Ignoring failure to delete chain r-4-VM > 2012-11-27 01:01:41,190 - iptables -F r-4-VM-eg > 2012-11-27 01:01:41,193 - Ignoring failure to delete chain r-4-VM-eg > 2012-11-27 01:01:41,194 - iptables -X r-4-VM-eg > 2012-11-27 01:01:41,197 - Ignoring failure to delete chain r-4-VM-eg > 2012-11-27 01:01:41,197 - iptables -t nat -S | grep vnet0 | sed 's/-A/-D/' > 2012-11-27 01:01:41,202 - iptables -t nat > 2012-11-27 01:01:41,205 - Igoring failure to delete dnat: > 2012-11-27 01:01:41,206 - Failed to delete rule log file /var/run/cloud/r-4-VM.log > 2012-11-27 01:10:47,269 - which iptables > 2012-11-27 01:10:47,273 - which ebtables > 2012-11-27 01:10:47,276 - iptables-save | grep '^:' | grep -v '.*-def' | grep -v '.*-eg' | awk '{print $1}' | cut -d':' -f2 > 2012-11-27 01:10:47,282 - ebtables-save |grep :i |awk '{print $1}' |sed -e 's/\-in//g' |sed -e 's/\-out//g' |sed -e 's/^://g' > 2012-11-27 01:10:47,298 - Cleaned up rules for 0 chains > 2012-11-27 01:10:48,209 - iptables-save | grep '^:' | grep -v '.*-def' | grep -v '.*-eg' | awk '{print $1}' | cut -d':' -f2 > 2012-11-27 01:10:48,215 - ebtables-save |grep :i |awk '{print $1}' |sed -e 's/\-in//g' |sed -e 's/\-out//g' |sed -e 's/^://g' > 2012-11-27 01:10:48,230 - Cleaned up rules for 0 chains -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira