incubator-cloudstack-dev mailing list archives

From Deepti Dohare <deepti.doh...@citrix.com>
Subject Copy template/ISO across zones is failing
Date Thu, 28 Feb 2013 09:51:48 GMT
Hi,
I am investigating the issue https://issues.apache.org/jira/browse/CLOUDSTACK-1337: copy template/ISO
across zones is failing in branch 4.1, giving the error "HTTP Server returned 403 (expected
200 OK)", and there is a workaround mentioned in https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSVM%2C+templates%2C+Secondary+storage+troubleshooting

The iptables rules in the destination as well as the source SSVM:
root@s-9-VM:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N HTTP
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable

I removed the last rule "-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 443
-j REJECT --reject-with icmp-port-unreachable", which is blocking outgoing traffic on port 443, and
also modified .htaccess to

Options -Indexes
order deny,allow
#deny from all
allow from 10.102.193.95

Copy template worked after this modification.
The rule seems valid to me, i.e. "-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport
443 -j REJECT --reject-with icmp-port-unreachable", but copy template is not happening until
I remove this rule. Also, removing "deny from all" is a security threat.

I also noticed eth1 RX bytes was increasing during copy template, which possibly means it
is using eth1 port.

Previously my understanding was, Copy template happens on eth2 port, but from the above, it
seems eth1 is getting used.
Can someone confirm this behavior?

Also, what should be the right approach to fix this issue?

Regards
Deepti
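
Added example (not part of the original message and not CloudStack code): a small evaluator of Apache 2.2-style Order/Allow/Deny semantics, run over the .htaccess quoted in the message and over a constructed variant that keeps "deny from all" active, to show which clients each one admits. The second client address, 192.0.2.50, is a constructed sample, and the evaluator assumes host specs are literal IPs, CIDR ranges or "all".

```python
import ipaddress

# .htaccess as modified in the message above ("deny from all" commented out).
POSTED = """Options -Indexes
order deny,allow
#deny from all
allow from 10.102.193.95
"""
# Constructed variant: identical, but "deny from all" is left active.
NARROW = POSTED.replace("#deny from all", "deny from all")

def parse_access(text):
    """Collect the Order value and the Allow/Deny host specs, skipping comments."""
    order, rules = "deny,allow", {"allow": [], "deny": []}  # Apache 2.2 default order
    for raw in text.splitlines():
        words = raw.strip().lower().split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "order" and len(words) == 2:
            order = words[1]
        elif words[0] in rules and len(words) >= 3 and words[1] == "from":
            rules[words[0]].extend(words[2:])
    return order, rules

def matches(client, specs):
    """True if the client address matches any spec ("all", an IP, or a CIDR range)."""
    ip = ipaddress.ip_address(client)
    return any(s == "all" or ip in ipaddress.ip_network(s, strict=False) for s in specs)

def permitted(text, client):
    """Apply the Order semantics to decide whether the client may fetch files."""
    order, rules = parse_access(text)
    allow, deny = matches(client, rules["allow"]), matches(client, rules["deny"])
    if order == "deny,allow":   # default is allow; an Allow match overrides a Deny match
        return allow or not deny
    if order == "allow,deny":   # default is deny; a Deny match overrides an Allow match
        return allow and not deny
    raise ValueError("unsupported Order value: " + order)

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("narrow", NARROW)):
        for client in ("10.102.193.95", "192.0.2.50"):  # second address is constructed
            print(name, client, "allowed" if permitted(text, client) else "denied")
```

With "order deny,allow", the file as posted admits every client because nothing is denied, while the variant that keeps "deny from all" admits only the address named in "allow from".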
