Posted to users@cloudstack.apache.org by Martin Emrich <ma...@empolis.com> on 2018/04/10 08:43:57 UTC

Egress rules not applied in 4.11.0

Hi!

I upgraded my test cluster from 4.9 to 4.11. The default policy for 
isolated networks is "Deny".

But now, rules added to allow egress traffic are not applied to the 
virtual router. Adding a 0.0.0.0/0 rule looks fine from the UI, but does 
not appear in the iptables output on the VR.

Any ideas?

Thanks

Martin
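The symptom above (rule accepted by the UI, nothing in the VR's iptables) is easiest to pin down by auditing an `iptables-save` dump from the router rather than eyeballing it. The following is an added example written for this thread, not code from CloudStack or from any poster; the chain names FW_OUTBOUND and FW_EGRESS_RULES in the constructed samples are assumptions standing in for whatever chains the VR in question really uses, and the samples themselves are constructed.

```python
"""Audit the egress chain of a CloudStack virtual router from an
`iptables-save` dump.

Added example for this thread, not code from CloudStack or from any poster.
Assumption: the chain names in the constructed samples (FW_OUTBOUND,
FW_EGRESS_RULES) are placeholders; pass the VR's real chain name to
audit_egress().
"""
import re
from dataclasses import dataclass, field

# Constructed sample 1: the egress chain is declared but nothing jumps to it
# and it holds no rules, matching the symptom "rule looks fine in the UI but
# does not appear in the iptables output on the VR".
SAMPLE_MISSING_RULE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FW_OUTBOUND - [0:0]
:FW_EGRESS_RULES - [0:0]
-A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j FW_OUTBOUND
COMMIT
"""

# Constructed sample 2: the same table once the chain is wired in and carries
# an allow-all rule followed by a DROP.
SAMPLE_OK = SAMPLE_MISSING_RULE.replace(
    "COMMIT\n",
    "-A FW_OUTBOUND -j FW_EGRESS_RULES\n"
    "-A FW_EGRESS_RULES -s 10.1.1.0/24 -j ACCEPT\n"
    "-A FW_EGRESS_RULES -j DROP\n"
    "COMMIT\n",
)

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)")
RULE_RE = re.compile(r"^-A\s+(\S+)\s*(.*)$")


@dataclass
class EgressAudit:
    chain_declared: bool
    chain_reachable: bool   # some rule in another chain jumps to it
    allow_all_rule: bool    # an ACCEPT in the chain with no dst/proto restriction
    ends_with_drop: bool    # last rule in the chain is an unconditional DROP
    problems: list = field(default_factory=list)


def parse_filter_table(dump: str):
    """Return (declared chains, [(chain, args), ...]) for the *filter table only."""
    chains, rules, in_filter = set(), [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line == "COMMIT" or line.startswith("#"):
            continue
        m = CHAIN_RE.match(line)
        if m:
            chains.add(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2).split()))
    return chains, rules


def _opt(args, flag):
    """Value following `flag` in a rule's argument list, or None if absent."""
    if flag in args and args.index(flag) + 1 < len(args):
        return args[args.index(flag) + 1]
    return None


def audit_egress(dump: str, chain: str) -> EgressAudit:
    chains, rules = parse_filter_table(dump)
    in_chain = [args for c, args in rules if c == chain]
    declared = chain in chains
    reachable = any(c != chain and _opt(args, "-j") == chain for c, args in rules)
    # iptables-save omits `-d 0.0.0.0/0` and `-p all`, so "allow all" means an
    # ACCEPT with neither a destination nor a protocol restriction present.
    allow_all = any(
        _opt(args, "-j") == "ACCEPT"
        and _opt(args, "-d") in (None, "0.0.0.0/0")
        and _opt(args, "-p") in (None, "all")
        for args in in_chain
    )
    ends_with_drop = bool(in_chain) and in_chain[-1] == ["-j", "DROP"]
    audit = EgressAudit(declared, reachable, allow_all, ends_with_drop)
    if not declared:
        audit.problems.append(f"chain {chain} is not declared in the filter table")
    if not reachable:
        audit.problems.append(f"no rule jumps to {chain}; egress rules there are never evaluated")
    if not allow_all:
        audit.problems.append(f"no allow-all ACCEPT rule found in {chain}")
    if not ends_with_drop:
        audit.problems.append(f"{chain} does not end with an unconditional DROP")
    return audit


if __name__ == "__main__":
    for name, dump in (("before restart", SAMPLE_MISSING_RULE), ("after restart", SAMPLE_OK)):
        result = audit_egress(dump, "FW_EGRESS_RULES")
        print(name, "->", result.problems or "OK")
```

Run it against `iptables-save` output captured on the VR before and after the "restart network without cleanup" workaround mentioned later in the thread; the first sample reproduces the reported state (chain present, never reached, empty), the second is what a correctly reconfigured router should produce.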


Re: Egress rules not applied in 4.11.0

Posted by Martin Emrich <ma...@empolis.com>.
For me:


[root@csdev-xen1 ~]# xe vm-param-list uuid=68daf990-0cc6-174c-c114-30f52940af1d
uuid ( RO)                          : 68daf990-0cc6-174c-c114-30f52940af1d

                HVM-boot-policy ( RW): BIOS order
                HVM-boot-params (MRW): order: dc
          HVM-shadow-multiplier ( RW): 1.000
                      PV-kernel ( RW):
                     PV-ramdisk ( RW):
                        PV-args ( RW): 
%template=domP%type=consoleproxy%host=172.24.186.96%port=8250%name=v-21-VM%zone=1%pod=1%guid=Proxy.21%proxy_vm=21%disable_rp_filter=true%eth2ip=172.24.186.226%eth2mask=255.255.254.0%gateway=172.24.186.1%eth0ip=169.254.1.130%eth0mask=255.255.0.0%eth1ip=172.24.186.241%eth1mask=255.255.254.0%mgmtcidr=172.24.186.0/23%localgw=172.24.186.1%internaldns1=172.24.187.196%internaldns2=172.24.187.33%dns1=172.24.187.196%dns2=172.24.187.33
                 PV-legacy-args ( RW):
                  PV-bootloader ( RW):
             PV-bootloader-args ( RW):

OS Type in CloudStack is "Debian GNU/Linux 8 (64-bit)". (The docs said: "OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)".)

Ciao

Martin


On 11.04.18 at 14:00, Rafael Weingärtner wrote:
> Can you execute the following command in your XenServer?
>
>> xe vm-param-list uuid=<UuidOfDebian9Vm>
>
> Then, what is the content of these parameters?
>
>     - PV-legacy-args
>     - PV-bootloader
>     - PV-bootloader-args
>     - HVM-boot-policy
>     - HVM-boot-params
>     - HVM-shadow-multiplier
>
> It is just to make sure that the VM was indeed created using HVM mode.
>
> On Wed, Apr 11, 2018 at 8:55 AM, Stephan Seitz <s....@heinlein-support.de> wrote:
>
>> Just tried a Debian 9 running on XenServer 6.5 SP1 with model "Other 2.6x Linux (64-bit)":
>>
>> # virt-what --version
>> 1.15
>> # virt-what
>> hyperv
>> xen
>> xen-domU
>> #
>>
>>
>> On Wednesday, 11.04.2018, 13:50 +0200, Stephan Seitz wrote:
>>> AFAIK not for 6.5 SP1.
>>> https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/ shows that 7.x is fixed and gives the hint
>>> that HVM guests are not affected (at least for spectre)
>>>
>>> https://support.citrix.com/article/CTX231390
>>> " 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive architectural changes to do so. Citrix is therefore not making hotfixes for these versions available to customers, and will continue to
>>> work with hardware vendors on other mitigation strategies. Customers on the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a more recent version. "
>>> I haven't tried it so far, but recent Debian versions were kind of picky with different kinds of Xen virtualization as I've seen on "regular" VMs.
>>>
>>>
>>> On Wednesday, 11.04.2018, 11:42 +0000, Paul Angus wrote:
>>>> virt-what will give 'xen-domU' for paravirtualized guests. Didn't XenServer make some kind of change around this as a Meltdown/Spectre mitigation?
>>>>
>>>> Kind regards,
>>>>
>>>> Paul Angus
>>>>
>>>> paul.angus@shapeblue.com
>>>> www.shapeblue.com
>>>> 53 Chandos Place, Covent Garden, London  WC2N 4HS UK
>>>> @shapeblue
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Stephan Seitz <s....@heinlein-support.de>
>>>> Sent: 11 April 2018 12:38
>>>> To: users@cloudstack.apache.org
>>>> Subject: Re: Egress rules not applied in 4.11.0
>>>>
>>>> Hi Martin,
>>>>
>>>> I've just read your issue on github and was wondering how you've been able to select Debian 9.
>>>> But maybe you did a fresh installation.
>>>>
>>>> We did an update from 4.9.2 to 4.11.0 and were able to select "Debian GNU/Linux 7(64-bit)" as the highest possible Debian version. The documentation said to register the new systemvm-template before updating the management server.
>>>>
>>>> Maybe your issue is hot-fixed by registering a template with the Debian 7 profile.
>>>>
>>>> Cheers,
>>>>
>>>> - Stephan
>>>>
>>>>
>>>> On Wednesday, 11.04.2018, 13:30 +0200, Martin Emrich wrote:
>>>>> I investigated further, and opened an issue:
>>>>> https://github.com/apache/cloudstack/issues/2561
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Martin
>>>>>
>>>>>
>>>>> On 11.04.18 at 12:18, Martin Emrich wrote:
>>>>>> Thanks... But I think something else is now broken, too...:
>>>>>>
>>>>>> The SystemVMs are now no longer being provisioned: They come up "empty" with "systemvm type=".
>>>>>>
>>>>>> I also deleted the Console Proxy VM, and the new one is plain, too...
>>>>>> I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same effect...
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>>
>>>>>> On 11.04.18 at 00:56, Rohit Yadav wrote:
>>>>>>> Hi Martin,
>>>>>>>
>>>>>>> This is a known issue, a freshly restarted VR may not have the EGRESS related tables which is why any rules will fail to apply. As a workaround, you can restart the network without selecting the cleanup option which will reconfigure the VR and add the egress table.
>>>>>>>
>>>>>>> I've a fix in this PR:
>>>>>>> https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57dfd9156e3983b1bb2d64abecd
>>>>>>>
>>>>>>> - Rohit
>>>>>>>
>>>>>>> <https://cloudstack.apache.org>
>>>>>>>
>>>>>>> ________________________________
>>>>>>> From: Martin Emrich <ma...@empolis.com>
>>>>>>> Sent: Tuesday, April 10, 2018 2:13:57 PM
>>>>>>> To: CloudStack-Users
>>>>>>> Subject: Egress rules not applied in 4.11.0
>>>>>>>
>>>>>>> Hi!
>>>>>>>
>>>>>>> I upgraded my test cluster from 4.9 to 4.11. The default policy for isolated networks is "Deny".
>>>>>>>
>>>>>>> But now, rules added to allow egress traffic are not applied to the virtual router. Adding a 0.0.0.0/0 rule looks fine from the UI, but does not appear in the iptables output on the VR.
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>>
>>>>>>> rohit.yadav@shapeblue.com
>>>>>>> www.shapeblue.com
>>>>>>> 53 Chandos Place, Covent Garden, London  WC2N 4HS UK @shapeblue
>>>>>>>
>>>> Kind regards,
>>>>
>>>> Stephan Seitz
>>>>
>>>> --
>>>>
>>>> Heinlein Support GmbH
>>>> Schwedter Str. 8/9b, 10119 Berlin
>>>>
>>>> http://www.heinlein-support.de
>>>>
>>>> Tel: 030 / 405051-44
>>>> Fax: 030 / 405051-19
>>>>
>>>> Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
>>>> Managing Director: Peer Heinlein -- Registered office: Berlin
>>>>
>>>>
>>>
>>
>
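Two checks come up in this post and the messages it quotes: Rafael's test of whether the VM really runs in HVM mode (from the `xe vm-param-list` parameters he lists), and Martin's observation that the new system VMs come up with an empty "systemvm type=". Both can be read straight out of the `xe` output shown above. The following is an added example written for this thread, not code from CloudStack, XenServer or any poster. It assumes the `name ( RW): value` column layout of `xe vm-param-list` as posted, the XenServer convention that a VM is HVM exactly when HVM-boot-policy is non-empty, and the `%key=value` boot-string format visible in the PV-args above; the first sample is copied from the output in this post, the second (a PV guest) is constructed.

```python
"""Classify a XenServer VM as HVM or PV from `xe vm-param-list` output and
pull the system-VM type out of CloudStack's PV-args boot string.

Added example for this thread, not code from CloudStack, XenServer or any
poster. Assumptions: the `name ( RW): value` layout of `xe vm-param-list`
as shown in the thread; a VM is HVM exactly when HVM-boot-policy is
non-empty; CloudStack's '%key=value' boot-string format as seen in PV-args.
"""
import re

# Copied from the output posted in this thread (PV-args re-joined onto one line).
SAMPLE_HVM_SYSTEMVM = """\
uuid ( RO)                          : 68daf990-0cc6-174c-c114-30f52940af1d
                HVM-boot-policy ( RW): BIOS order
                HVM-boot-params (MRW): order: dc
          HVM-shadow-multiplier ( RW): 1.000
                      PV-kernel ( RW):
                     PV-ramdisk ( RW):
                        PV-args ( RW): %template=domP%type=consoleproxy%host=172.24.186.96%port=8250%name=v-21-VM%zone=1%pod=1%guid=Proxy.21%proxy_vm=21%disable_rp_filter=true%eth2ip=172.24.186.226%eth2mask=255.255.254.0%gateway=172.24.186.1%eth0ip=169.254.1.130%eth0mask=255.255.0.0%eth1ip=172.24.186.241%eth1mask=255.255.254.0%mgmtcidr=172.24.186.0/23%localgw=172.24.186.1%internaldns1=172.24.187.196%internaldns2=172.24.187.33%dns1=172.24.187.196%dns2=172.24.187.33
                 PV-legacy-args ( RW):
                  PV-bootloader ( RW):
             PV-bootloader-args ( RW):
"""

# Constructed sample of a paravirtualised guest for contrast: no boot policy,
# pygrub as bootloader, and a boot string whose type is empty.
SAMPLE_PV_GUEST = """\
                HVM-boot-policy ( RW):
                HVM-boot-params (MRW):
                      PV-kernel ( RW):
                        PV-args ( RW): %template=domP%type=
                 PV-legacy-args ( RW):
                  PV-bootloader ( RW): pygrub
             PV-bootloader-args ( RW):
"""

PARAM_RE = re.compile(r"^\s*([\w.-]+)\s+\(\s*[A-Z]+\)\s*:\s?(.*)$")
# PV-args is deliberately not in this list: CloudStack sets it on HVM VMs too.
PV_KEYS = ("PV-bootloader", "PV-bootloader-args", "PV-legacy-args", "PV-kernel")


def parse_vm_param_list(text: str) -> dict:
    """Map parameter names to values; lines that are not parameters are skipped."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def virtualization_mode(params: dict) -> str:
    """'HVM' when a boot policy is set and nothing PV-specific is configured,
    'PV' for the reverse, 'unknown' when the parameters contradict each other."""
    hvm = bool(params.get("HVM-boot-policy", ""))
    pv = any(params.get(k, "") for k in PV_KEYS)
    if hvm and not pv:
        return "HVM"
    if pv and not hvm:
        return "PV"
    return "unknown"


def parse_systemvm_bootargs(pv_args: str) -> dict:
    """Split CloudStack's '%key=value%key=value' string into a dict."""
    out = {}
    for item in pv_args.strip().split("%"):
        if item:
            key, _, value = item.partition("=")
            out[key] = value
    return out


def systemvm_type(params: dict) -> str:
    """The `type` field of the boot string, '' when absent or empty
    (the "systemvm type=" symptom reported in the thread)."""
    return parse_systemvm_bootargs(params.get("PV-args", "")).get("type", "")


if __name__ == "__main__":
    for label, text in (("system VM", SAMPLE_HVM_SYSTEMVM), ("PV guest", SAMPLE_PV_GUEST)):
        p = parse_vm_param_list(text)
        print(f"{label}: mode={virtualization_mode(p)} type={systemvm_type(p)!r}")
```

Feed it the full `xe vm-param-list uuid=...` output of a system VM; a mode of `HVM` together with a non-empty type confirms both what Rafael asked for and that the management server handed the VM a complete boot string.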


Re: Egress rules not applied in 4.11.0

Posted by Stephan Seitz <s....@heinlein-support.de>.
Rafael,

don't get confused, I'm not the OP, I just added a few thoughts. We are running a very similar infrastructure to the OP's, but our systemvm-template is Debian 7 instead of Debian 9 (which he has).
The host you recently asked about is "other linux2.x 64bit", so it *should* (as verified :) ) run in HVM.

- Stephan

On Wednesday, 11.04.2018, 09:09 -0300, Rafael Weingärtner wrote:
> That is interesting. The VM is indeed in HVM mode.
> 
> On Wed, Apr 11, 2018 at 9:04 AM, Stephan Seitz <s....@heinlein-support.de> wrote:
> 
> > # xe vm-param-list uuid=c1bcef11-ffc2-24bd-7c5e-0840fb4f8f49 | grep -e PV-legacy-args -e PV-boot -e HVM-boot -e HVM-shadow
> >                HVM-boot-policy ( RW): BIOS order
> >                HVM-boot-params (MRW): order: dc
> >          HVM-shadow-multiplier ( RW): 1.000
> >                 PV-legacy-args ( RW):
> >                  PV-bootloader ( RW):
> >             PV-bootloader-args ( RW):
> > 
Kind regards,

Stephan Seitz

--

Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-44
Fax: 030 / 405051-19

Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Managing Director: Peer Heinlein -- Registered office: Berlin



Re: Egress rules not applied in 4.11.0

Posted by Rafael Weingärtner <ra...@gmail.com>.
That is interesting. The VM is indeed in HVM mode.

On Wed, Apr 11, 2018 at 9:04 AM, Stephan Seitz <s....@heinlein-support.de> wrote:

> # xe vm-param-list uuid=c1bcef11-ffc2-24bd-7c5e-0840fb4f8f49 | grep -e PV-legacy-args -e PV-boot -e HVM-boot -e HVM-shadow
>                HVM-boot-policy ( RW): BIOS order
>                HVM-boot-params (MRW): order: dc
>          HVM-shadow-multiplier ( RW): 1.000
>                 PV-legacy-args ( RW):
>                  PV-bootloader ( RW):
>             PV-bootloader-args ( RW):
>


-- 
Rafael Weingärtner

Re: Egress rules not applied in 4.11.0

Posted by Stephan Seitz <s....@heinlein-support.de>.
# xe vm-param-list uuid=c1bcef11-ffc2-24bd-7c5e-0840fb4f8f49 | grep -e PV-legacy-args -e PV-boot -e HVM-boot -e HVM-shadow
               HVM-boot-policy ( RW): BIOS order
               HVM-boot-params (MRW): order: dc
         HVM-shadow-multiplier ( RW): 1.000
                PV-legacy-args ( RW): 
                 PV-bootloader ( RW): 
            PV-bootloader-args ( RW): 

On Wednesday, 11.04.2018, 09:00 -0300, Rafael Weingärtner wrote:
> Can you execute the following command in your XenServer?
> 
> > xe vm-param-list uuid=<UuidOfDebian9Vm>
> 
> Then, what is the content of these parameters?
> 
>    - PV-legacy-args
>    - PV-bootloader
>    - PV-bootloader-args
>    - HVM-boot-policy
>    - HVM-boot-params
>    - HVM-shadow-multiplier
> 
> It is just to make sure that the VM was indeed created using HVM mode.
> 
> On Wed, Apr 11, 2018 at 8:55 AM, Stephan Seitz <s....@heinlein-support.de>
> wrote:
> 
> > 
> > Just tried a Debian 9 running on XenServer 6.5 SP1 with model "Other 2.6x
> > Linux (64-bit)":
> > 
> > # virt-what --version
> > 1.15
> > # virt-what
> > hyperv
> > xen
> > xen-domU
> > #
> > 
> > 
> > Am Mittwoch, den 11.04.2018, 13:50 +0200 schrieb Stephan Seitz:
> > > 
> > > AFAIK not for 6.5 SP1.
> > > https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/ shows
> > that 7.x is fixed and gives the hint,
> > > 
> > > that HVM guests are not affected (at least for spectre)
> > > 
> > > https://support.citrix.com/article/CTX231390
> > > " 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive
> > architectural changes to do so. Citrix is therefore not making hotfixes for
> > these versions available to customers, and will continue to
> > > 
> > > work with hardware vendors on other mitigation strategies. Customers on
> > the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a
> > more recent version. "
> > > 
> > > 
> > > I haven't tried it so far, but recent debian versions were kind of picky
> > with different kinds of Xen virtualization as I've seen on "regular" VMs.
> > > 
> > > 
> > > 
> > > 
> 
Mit freundlichen Grüßen,

Stephan Seitz

--

Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-44
Fax: 030 / 405051-19

Zwangsangaben lt. §35a GmbHG: HRB 93818 B / Amtsgericht
Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein -- Sitz: Berlin



Re: Egress rules not applied in 4.11.0

Posted by Rafael Weingärtner <ra...@gmail.com>.
Can you execute the following command in your XenServer?

> xe vm-param-list uuid=<UuidOfDebian9Vm>
>

Then, what is the content of these parameters?

   - PV-legacy-args
   - PV-bootloader
   - PV-bootloader-args
   - HVM-boot-policy
   - HVM-boot-params
   - HVM-shadow-multiplier


It is just to make sure that the VM was indeed created using HVM mode.

On Wed, Apr 11, 2018 at 8:55 AM, Stephan Seitz <s....@heinlein-support.de>
wrote:

> Just tried a Debian 9 running on XenServer 6.5 SP1 with model "Other 2.6x
> Linux (64-bit)":
>
> # virt-what --version
> 1.15
> # virt-what
> hyperv
> xen
> xen-domU
> #
>
>


-- 
Rafael Weingärtner
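Rafael's check above, as an added example that is not from the thread or from CloudStack/XenServer code: it parses `xe vm-param-list` output, classifies the VM's boot mode from the parameters he lists, and pulls the system VM role out of PV-args. Assumptions: a VM is HVM exactly when HVM-boot-policy is non-empty (XenAPI semantics), the `%key=value` layout of PV-args is what CloudStack writes on XenServer, and both sample outputs are constructed.

```python
import re
from typing import Dict

# Constructed samples shaped like `xe vm-param-list` output (all values are fake).
SAMPLE_HVM = """\
uuid ( RO)                          : 00000000-1111-2222-3333-444444444444
                HVM-boot-policy ( RW): BIOS order
                HVM-boot-params (MRW): order: dc
          HVM-shadow-multiplier ( RW): 1.000
                      PV-kernel ( RW):
                     PV-ramdisk ( RW):
                        PV-args ( RW): %template=domP%type=consoleproxy%host=192.0.2.10%name=v-21-VM
                 PV-legacy-args ( RW):
                  PV-bootloader ( RW):
             PV-bootloader-args ( RW):
"""

SAMPLE_PV = """\
uuid ( RO)                          : 00000000-1111-2222-3333-555555555555
                HVM-boot-policy ( RW):
                HVM-boot-params (MRW):
          HVM-shadow-multiplier ( RW): 1.000
                      PV-kernel ( RW):
                     PV-ramdisk ( RW):
                        PV-args ( RW):
                 PV-legacy-args ( RW):
                  PV-bootloader ( RW): pygrub
             PV-bootloader-args ( RW):
"""

# One parameter per line: "<name> (<flags>): <value>"; map-valued params keep their raw text.
_PARAM_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s+\(\s*[A-Z]+\)\s*:\s?(.*)$")


def parse_vm_params(text: str) -> Dict[str, str]:
    """Turn `xe vm-param-list` output into a {name: value} dict."""
    params = {}
    for line in text.splitlines():
        m = _PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def boot_mode(params: Dict[str, str]) -> str:
    """Assumed XenAPI semantics: a non-empty HVM-boot-policy means HVM;
    otherwise a PV bootloader or kernel means a paravirtualised guest."""
    if params.get("HVM-boot-policy"):
        return "HVM"
    if params.get("PV-bootloader") or params.get("PV-kernel"):
        return "PV"
    return "unknown"


def pv_args(params: Dict[str, str]) -> Dict[str, str]:
    """Split the %key=value%key=value string assumed to be in PV-args.
    An empty dict means the hypervisor handed the guest no boot parameters."""
    out = {}
    for item in params.get("PV-args", "").split("%"):
        if "=" in item:
            key, value = item.split("=", 1)
            out[key] = value
    return out


def report(text: str) -> str:
    """Boot mode plus the `type` key (the system VM role, under the assumption above)."""
    p = parse_vm_params(text)
    return "boot=%s type=%s" % (boot_mode(p), pv_args(p).get("type", ""))


if __name__ == "__main__":
    print(report(SAMPLE_HVM))  # boot=HVM type=consoleproxy
    print(report(SAMPLE_PV))   # boot=PV type=
```

On a real host, feed it `xe vm-param-list uuid=<vm-uuid>` output instead of the constructed samples.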

Re: Egress rules not applied in 4.11.0

Posted by Stephan Seitz <s....@heinlein-support.de>.
Just tried a Debian 9 running on XenServer 6.5 SP1 with model "Other 2.6x Linux (64-bit)":

# virt-what --version
1.15
# virt-what
hyperv
xen
xen-domU
#


Am Mittwoch, den 11.04.2018, 13:50 +0200 schrieb Stephan Seitz:
> AFAIK not for 6.5 SP1.
> https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/ shows that 7.x is fixed and gives the hint,
> that HVM guests are not affected (at least for spectre)
> 
> https://support.citrix.com/article/CTX231390
> " 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive architectural changes to do so. Citrix is therefore not making hotfixes for these versions available to customers, and will continue to
> work with hardware vendors on other mitigation strategies. Customers on the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a more recent version. "
> 
> I haven't tried it so far, but recent debian versions were kind of picky with different kinds of Xen virtualization as I've seen on "regular" VMs.
> 
> 
> 
Mit freundlichen Grüßen,

Stephan Seitz

--

Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-44
Fax: 030 / 405051-19

Zwangsangaben lt. §35a GmbHG: HRB 93818 B / Amtsgericht
Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein -- Sitz: Berlin



Re: Egress rules not applied in 4.11.0

Posted by Stephan Seitz <s....@heinlein-support.de>.
AFAIK not for 6.5 SP1.
https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/ shows that 7.x is fixed and gives the hint,
that HVM guests are not affected (at least for spectre)

https://support.citrix.com/article/CTX231390
" 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive architectural changes to do so. Citrix is therefore not making hotfixes for these versions available to customers, and will continue to
work with hardware vendors on other mitigation strategies. Customers on the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a more recent version. "

I haven't tried it so far, but recent debian versions were kind of picky with different kinds of Xen virtualization as I've seen on "regular" VMs.



Am Mittwoch, den 11.04.2018, 11:42 +0000 schrieb Paul Angus:
> virt-what will give 'xen-domU' for paravirtualized guests. Didn't XenServer make some kind of change around this as a Meltdown/Spectre mitigation? 
> 
> 
> Kind regards,
> 
> Paul Angus
> 
Mit freundlichen Grüßen,

Stephan Seitz

--

Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-44
Fax: 030 / 405051-19

Zwangsangaben lt. §35a GmbHG: HRB 93818 B / Amtsgericht
Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein -- Sitz: Berlin



RE: Egress rules not applied in 4.11.0

Posted by Paul Angus <pa...@shapeblue.com>.
virt-what will give 'xen-domU' for paravirtualized guests. Didn't XenServer make some kind of change around this as a Meltdown/Spectre mitigation? 


Kind regards,

Paul Angus

paul.angus@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 


-----Original Message-----
From: Stephan Seitz <s....@heinlein-support.de> 
Sent: 11 April 2018 12:38
To: users@cloudstack.apache.org
Subject: Re: Egress rules not applied in 4.11.0

Hi martin,

I've just read your issue on github and was wondering how you've been able to select Debian 9.
But maybe you did a fresh installation.

We did an update from 4.9.2 to 4.11.0 and were able to select "Debian GNU/Linux 7(64-bit)" as highest possible Debian-version. The documentation said to register the new systemvm-template before updating the management server.

Maybe your issue is hot-fixed by registering a template with Debian 7 profile.

Cheers,

- Stephan





Re: Egress rules not applied in 4.11.0

Posted by Martin Emrich <ma...@empolis.com>.
Hi!


Am 11.04.18 um 13:38 schrieb Stephan Seitz:
> Hi martin,
>
> I've just read your issue on github and was wondering how you've been able to select Debian 9.
> But maybe you did a fresh installation.
No, upgrade from 4.9.2.0. I set the OS type to Debian 8 in ACS.
"Debian 9.3" is what XenCenter reports; they probably extract the actual 
OS version from the VM.
> Maybe your issue is hot-fixed by registering a template with Debian 7 profile.
I'll try that as my next step (changing the OS type in the database and 
recreating a system VM).

Ciao

Martin

Re: Egress rules not applied in 4.11.0

Posted by Stephan Seitz <s....@heinlein-support.de>.
Hi Martin,

I've just read your issue on github and was wondering how you've been able to select Debian 9.
But maybe you did a fresh installation.

We did an update from 4.9.2 to 4.11.0 and were able to select "Debian GNU/Linux 7(64-bit)" as
highest possible Debian-version. The documentation said to register the new systemvm-template
before updating the management server.

Maybe your issue is hot-fixed by registering a template with Debian 7 profile.

Cheers,

- Stephan


Am Mittwoch, den 11.04.2018, 13:30 +0200 schrieb Martin Emrich:
> I investigated further, and opened an issue: 
> https://github.com/apache/cloudstack/issues/2561
> 
> Cheers,
> 
> Martin
> 
> 
Mit freundlichen Grüßen,

Stephan Seitz

--

Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-44
Fax: 030 / 405051-19

Zwangsangaben lt. §35a GmbHG: HRB 93818 B / Amtsgericht
Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein -- Sitz: Berlin


Re: Egress rules not applied in 4.11.0

Posted by Martin Emrich <ma...@empolis.com>.
I investigated further, and opened an issue: 
https://github.com/apache/cloudstack/issues/2561

Cheers,

Martin


Am 11.04.18 um 12:18 schrieb Martin Emrich:
> Thanks... But I think something else is now broken, too...:
>
> The SystemVMs are now no longer being provisioned: They come up 
> "empty" with "systemvm type=".
>
> I also deleted the Console Proxy VM, and the new one is plain, too...
>
> I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same 
> effect...
>
> Cheers,
>
> Martin
>
>


Re: Egress rules not applied in 4.11.0

Posted by Martin Emrich <ma...@empolis.com>.
Thanks... But I think something else is now broken, too...:

The SystemVMs are now no longer being provisioned: They come up "empty" 
with "systemvm type=".

I also deleted the Console Proxy VM, and the new one is plain, too...

I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same 
effect...

Cheers,

Martin


Am 11.04.18 um 00:56 schrieb Rohit Yadav:
> Hi Martin,
>
>
> This is a known issue: a freshly restarted VR may not have the EGRESS related tables, which is why any rules will fail to apply. As a workaround, you can restart the network without selecting the cleanup option, which will reconfigure the VR and add the egress table.
>
>
> I've a fix in this PR: https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57dfd9156e3983b1bb2d64abecd
>
>
>
> - Rohit
>
> <https://cloudstack.apache.org>
>
>
>


Re: Egress rules not applied in 4.11.0

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Martin,


This is a known issue: a freshly restarted VR may not have the EGRESS related tables, which is why any rules will fail to apply. As a workaround, you can restart the network without selecting the cleanup option, which will reconfigure the VR and add the egress table.


I've a fix in this PR: https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57dfd9156e3983b1bb2d64abecd



- Rohit

<https://cloudstack.apache.org>



________________________________
From: Martin Emrich <ma...@empolis.com>
Sent: Tuesday, April 10, 2018 2:13:57 PM
To: CloudStack-Users
Subject: Egress rules not applied in 4.11.0

Hi!

I upgraded my test cluster from 4.9 to 4.11. The default policy for
isolated networks is "Deny".

But now, rules added to allow egress traffic are not applied to the
virtual router. Adding a 0.0.0.0/0 rule looks fine from the UI, but does
not appear in the iptables output on the VR.

Any Ideas?

Thanks

Martin


rohit.yadav@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
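A check an operator could run on the VR to spot the state Rohit describes (the egress table never created after a restart, so UI rules silently fail to land), as an added example that is not part of this thread or of CloudStack's own code; the chain name FW_EGRESS_RULES is an assumption and the `iptables -S` dumps are constructed samples:

```shell
#!/bin/sh
# Added example (not from the thread). Reads an `iptables -S` dump on stdin
# and reports whether the VR really carries its egress chain and an
# allow-all egress rule, the symptom described above (rule accepted by the
# UI, absent on the VR). Chain name FW_EGRESS_RULES is an assumption.
EGRESS_CHAIN="${EGRESS_CHAIN:-FW_EGRESS_RULES}"

# Prints: no-chain (table never configured, VR needs a network restart),
#         no-rule  (chain present but no allow-all ACCEPT rule), or ok.
# Exit status is 0 only for ok, so it can gate a monitoring check.
check_egress() {
    dump=$(cat)
    if ! printf '%s\n' "$dump" | grep -q "^-N $EGRESS_CHAIN\$"; then
        echo no-chain; return 1
    fi
    # `iptables -S` omits -d for 0.0.0.0/0, so an allow-all rule is an
    # ACCEPT rule in the chain that carries no -d argument at all.
    if printf '%s\n' "$dump" | grep "^-A $EGRESS_CHAIN " \
            | grep -v -- ' -d ' | grep -q -- '-j ACCEPT$'; then
        echo ok; return 0
    fi
    echo no-rule; return 1
}

# Constructed sample dumps (not captured from a real VR).
SAMPLE_MISSING='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FW_OUTBOUND
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND'
SAMPLE_NO_RULE="$SAMPLE_MISSING
-N $EGRESS_CHAIN
-A FW_OUTBOUND -j $EGRESS_CHAIN
-A $EGRESS_CHAIN -d 10.1.1.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A $EGRESS_CHAIN -j DROP"
SAMPLE_OK="$SAMPLE_MISSING
-N $EGRESS_CHAIN
-A FW_OUTBOUND -j $EGRESS_CHAIN
-A $EGRESS_CHAIN -m state --state NEW -j ACCEPT
-A $EGRESS_CHAIN -j DROP"

# Run on the samples; on a VR use:  iptables -S | check_egress
for s in MISSING NO_RULE OK; do
    eval "d=\$SAMPLE_$s"
    printf 'SAMPLE_%s: %s\n' "$s" "$(printf '%s\n' "$d" | check_egress)"
done
```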


Re: Egress rules not applied in 4.11.0

Posted by Rafael Weingärtner <ra...@gmail.com>.
No need to open an issue ticket. There is already a PR to fix it.
https://github.com/apache/cloudstack/pull/2514

On Tue, Apr 10, 2018 at 6:09 AM, Stephan Seitz <s....@heinlein-support.de>
wrote:

> Hi!
>
> I think you're facing a bug already discussed here. After reloading (imho
> doesn't matter if you check "clean up") the network, the egress rules are
> applied.
> So just reload every net with egress rules :)
>
> Oh and don't know if that made it already to https://github.com/apache/
> cloudstack/issues so if you would be so kind to open an issue?
>
> cheers,
>
> - Stephan
>
> Am Dienstag, den 10.04.2018, 10:43 +0200 schrieb Martin Emrich:
> > Hi!
> >
> > I upgraded my test cluster from 4.9 to 4.11. The default policy for
> > isolated networks is "Deny".
> >
> > But now, rules added to allow egress traffic are not applied to the
> > virtual router. Adding a 0.0.0.0/0 rule looks fine from the UI, but does
> > not appear in the iptables output on the VR.
>



-- 
Rafael Weingärtner

Re: Egress rules not applied in 4.11.0

Posted by Martin Emrich <ma...@empolis.com>.
Hi!

Am 10.04.18 um 11:09 schrieb Stephan Seitz:
> Hi!
>
> I think you're facing a bug already discussed here. After reloading (imho doesn't matter if you check "clean up") the network, the egress rules are applied.
> So just reload every net with egress rules :)
IIRC I tried that several times with no success... But after I tried it 
again just now (to be sure), restarting the network hangs.

Looking in the cloud.log on the VR, it is quite short, with a line 
"Configuring systemvm type=" (nothing after the =).

That's obviously wrong, isn't it?

AFAIR a fresh systemvm gets its config via an iso image and via network.

systemvm.iso is in place on the XenServer, but the VM has no IP address 
at all (not even a link-local one).
/usr/local/cloud is empty, so the ISO was never deployed...

Where could I look?
> Oh and don't know if that made it already to https://github.com/apache/cloudstack/issues so if you would be so kind to open an issue?
I'd better wait until I am sure it was not my fault ;)

Thanks,

Martin

Re: Egress rules not applied in 4.11.0

Posted by Stephan Seitz <s....@heinlein-support.de>.
Hi!

I think you're facing a bug already discussed here. After reloading (imho doesn't matter if you check "clean up") the network, the egress rules are applied.
So just reload every net with egress rules :)

Oh and don't know if that made it already to https://github.com/apache/cloudstack/issues so if you would be so kind to open an issue?

cheers,

- Stephan

Am Dienstag, den 10.04.2018, 10:43 +0200 schrieb Martin Emrich:
> Hi!
> 
> I upgraded my test cluster from 4.9 to 4.11. The default policy for 
> isolated networks is "Deny".
> 
> But now, rules added to allow egress traffic are not applied to the 
> virtual router. Adding a 0.0.0.0/0 rule looks fine from the UI, but does 
> not appear in the iptables output on the VR.