Posted to dev@cloudstack.apache.org by "Iliya (JIRA)" <ji...@apache.org> on 2012/11/26 22:32:58 UTC
[jira] [Created] (CLOUDSTACK-540) KVM network trouble
Iliya created CLOUDSTACK-540:
--------------------------------
Summary: KVM network trouble
Key: CLOUDSTACK-540
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-540
Project: CloudStack
Issue Type: Bug
Components: Network Controller
Affects Versions: 4.0.0
Environment: 2x Node CentOS 6.3
1x node Cloudstack 4.0.0.1234
Hypervisor: KVM
Primary: CLVM
Reporter: Iliya
I set up "the advanced setup".
cloudbrm - private
cloudbr0 - guest
cloudbr1 - public
VLAN50 - public
VLAN500-1000 - guest
I created an instance (template CentOS 5.5(64-bit) no GUI (KVM)) and added a new network (DefaultIsolatedNetworkOfferingWithSourceNatService) in step 5 of the wizard. This network is deployed in cloudVirBr700
bh1 - 1 KVM host
bh2 - 2 KVM host
The VM booted successfully, but when the router and the VM are on the same host, ping is good.
When the router is on bh1 and the VM is on bh2, the network wasn't reachable:
1. The VM couldn't ping the public network gateway
2. The VM couldn't ping the Virtual Router
3. The Virtual Router couldn't ping the VM
When tcpdump-ing cloudVirBr700 on the bh1 KVM host, I noticed "ICMP echo requests", but no replies.
I also noticed there were no iptables rules regarding cloudVirBr700. Is that good or not?
[root@bh2 1234]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@bh2 1234]#
[root@bh2 1234]# brctl show
bridge name     bridge id               STP enabled     interfaces
cloud0          8000.fe00a9fe03da       no              vnet1
cloudVirBr50    8000.707be8f0d200       no              bond2.50
                                                        vnet2
cloudVirBr700   8000.fc48ef2fbd38       no              bond1.700
                                                        vnet0
cloudbr0        8000.fc48ef2fbd38       yes             bond1
cloudbr1        8000.707be8f0d200       yes             bond2
cloudbrm        8000.fc48ef2fbd38       no              bond1.40
virbr0          8000.525400c8b796       yes             virbr0-nic
[root@bh2 1234]#
It's a fresh installation.
I tried it on the 4.0.0.140 and 4.0.0.1234 releases; the problem is the same everywhere.
[root@bh2 cloud]# tail -100 security_group.log
2012-11-27 00:39:23,025 - Cleaned up rules for 0 chains
2012-11-27 00:39:24,049 - iptables-save | grep '^:' | grep -v '.*-def' | grep -v '.*-eg' | awk '{print $1}' | cut -d':' -f2
2012-11-27 00:39:24,055 - ebtables-save |grep :i |awk '{print $1}' |sed -e 's/\-in//g' |sed -e 's/\-out//g' |sed -e 's/^://g'
2012-11-27 00:39:24,069 - Cleaned up rules for 0 chains
2012-11-27 01:01:41,150 - iptables-save | grep BF | grep r-4 | grep physdev-is-bridged | sed 's/-A/-D/'
2012-11-27 01:01:41,156 - ebtables -t nat -L PREROUTING | grep r-4-VM
2012-11-27 01:01:41,161 - ebtables -t nat -L POSTROUTING | grep r-4-VM
2012-11-27 01:01:41,166 - ebtables -t nat -F r-4-VM-in
2012-11-27 01:01:41,169 - Ignoring failure to delete ebtables chain for vm r-4-VM
2012-11-27 01:01:41,170 - ebtables -t nat -F r-4-VM-out
2012-11-27 01:01:41,174 - Ignoring failure to delete ebtables chain for vm r-4-VM
2012-11-27 01:01:41,174 - iptables -F r-4-def
2012-11-27 01:01:41,178 - Ignoring failure to delete chain r-4-def
2012-11-27 01:01:41,178 - iptables -X r-4-def
2012-11-27 01:01:41,182 - Ignoring failure to delete chain r-4-def
2012-11-27 01:01:41,182 - iptables -F r-4-VM
2012-11-27 01:01:41,186 - Ignoring failure to delete chain r-4-VM
2012-11-27 01:01:41,186 - iptables -X r-4-VM
2012-11-27 01:01:41,190 - Ignoring failure to delete chain r-4-VM
2012-11-27 01:01:41,190 - iptables -F r-4-VM-eg
2012-11-27 01:01:41,193 - Ignoring failure to delete chain r-4-VM-eg
2012-11-27 01:01:41,194 - iptables -X r-4-VM-eg
2012-11-27 01:01:41,197 - Ignoring failure to delete chain r-4-VM-eg
2012-11-27 01:01:41,197 - iptables -t nat -S | grep vnet0 | sed 's/-A/-D/'
2012-11-27 01:01:41,202 - iptables -t nat
2012-11-27 01:01:41,205 - Igoring failure to delete dnat:
2012-11-27 01:01:41,206 - Failed to delete rule log file /var/run/cloud/r-4-VM.log
2012-11-27 01:10:47,269 - which iptables
2012-11-27 01:10:47,273 - which ebtables
2012-11-27 01:10:47,276 - iptables-save | grep '^:' | grep -v '.*-def' | grep -v '.*-eg' | awk '{print $1}' | cut -d':' -f2
2012-11-27 01:10:47,282 - ebtables-save |grep :i |awk '{print $1}' |sed -e 's/\-in//g' |sed -e 's/\-out//g' |sed -e 's/^://g'
2012-11-27 01:10:47,298 - Cleaned up rules for 0 chains
2012-11-27 01:10:48,209 - iptables-save | grep '^:' | grep -v '.*-def' | grep -v '.*-eg' | awk '{print $1}' | cut -d':' -f2
2012-11-27 01:10:48,215 - ebtables-save |grep :i |awk '{print $1}' |sed -e 's/\-in//g' |sed -e 's/\-out//g' |sed -e 's/^://g'
2012-11-27 01:10:48,230 - Cleaned up rules for 0 chains
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CLOUDSTACK-540) KVM network trouble
Posted by "Marcus Sorensen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504176#comment-13504176 ]
Marcus Sorensen commented on CLOUDSTACK-540:
--------------------------------------------
Just for fun you can stop iptables to see if it is the culprit. It looks like your bridging should bypass iptables though. If it's not iptables, then it looks like there might be an issue with vlan 700 configured on the switch ports.
[jira] [Commented] (CLOUDSTACK-540) KVM network trouble
Posted by "Marcus Sorensen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504193#comment-13504193 ]
Marcus Sorensen commented on CLOUDSTACK-540:
--------------------------------------------
Normally people put the IP addresses on the bridge device, so in this example cloudVirBr700, rather than the interface. Also make sure the bridge is up: "ifconfig cloudVirBr700 up"
[jira] [Commented] (CLOUDSTACK-540) KVM network trouble
Posted by "Iliya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504204#comment-13504204 ]
Iliya commented on CLOUDSTACK-540:
----------------------------------
It's already up on both hosts.
cloudVirBr700 Link encap:Ethernet  HWaddr FC:48:EF:2F:BD:38
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:264 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:22206 (21.6 KiB)  TX bytes:0 (0.0 b)
[root@bh1 network-scripts]# ifconfig cloudVirBr700 10.1.1.4 netmask 255.255.255.0 up
[root@bh2 network-scripts]# ifconfig cloudVirBr700 10.1.1.3 netmask 255.255.255.0 up
[root@bh1 network-scripts]# ping 10.1.1.3
PING 10.1.1.3 (10.1.1.3) 56(84) bytes of data.
From 10.1.1.2 icmp_seq=2 Destination Host Unreachable
From 10.1.1.2 icmp_seq=3 Destination Host Unreachable
From 10.1.1.2 icmp_seq=4 Destination Host Unreachable
Firewall is not running.
[jira] [Commented] (CLOUDSTACK-540) KVM network trouble
Posted by "Marcus Sorensen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504131#comment-13504131 ]
Marcus Sorensen commented on CLOUDSTACK-540:
--------------------------------------------
What do you see in '/proc/sys/net/bridge/bridge-nf-call-*'?
I would also try bringing up an IP address on your cloudVirBr700 (that's where the vm is, right?) on both bh1 and bh2, see if they can ping. If not then it's probably a switch/port config issue and needing to add the tagged vlans to the ports. If the two bridges can ping each other, then it's likely some sort of filtering at the host.
[jira] [Commented] (CLOUDSTACK-540) KVM network trouble
Posted by "Iliya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13508313#comment-13508313 ]
Iliya commented on CLOUDSTACK-540:
----------------------------------
When I checked /var/log/message I found this:
cloudbr0: starting userspace STP failed, starting kernel STP
cloudbr1: starting userspace STP failed, starting kernel STP
I turned off STP on both servers for all bridges, and everything works fine.
> KVM network trouble
> --------------------
>
> Key: CLOUDSTACK-540
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-540
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Network Controller
> Affects Versions: 4.0.0
> Environment: 2x Node CentOS 6.3
> 1x node Cloudstack 4.0.0.1234
> Hypervisor: KVM
> Primary: CLVM
> Reporter: Iliya
>
> I setup "the advanced setup".
> cloudbrm - private
> cloudbr0 - guest
> cloudbr1 - public
> VLAN50 - public
> VLAN500-1000 - guest
> I created an instance (template CentOS 5.5(64-bit) no GUI (KVM)) and added a new network (DefaultIsolatedNetworkOfferingWithSourceNatService) in step 5 of the wizard. This network is deployed in cloudVirBr700
> bh1 - 1 KVM host
> bh2 - 2 KVM host
> The VM booted successfully, but when router and vm is same host - ping good.
> When router on bh1 and vm on bh2 network wasn't reachable:
> 1. The VM couldn't ping the public network gateway
> 2. The VM couldn't ping the Virtual Router
> 3. The Virtual Router couldn't ping the VM
> When tcpdump-ing cloudVirBr700 on the bh1 KVM host, I noticed "ICMP echo requests", but no reply's.
> I also noticed there were no iptables rules regarding cloudVirBr700. it's good or no?
> [root@bh2 1234]# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED
> ACCEPT all -- 192.168.122.0/24 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> [root@bh2 1234]#
> [root@bh2 1234]# brctl show
> bridge name bridge id STP enabled interfaces
> cloud0 8000.fe00a9fe03da no vnet1
> cloudVirBr50 8000.707be8f0d200 no bond2.50
> vnet2
> cloudVirBr700 8000.fc48ef2fbd38 no bond1.700
> vnet0
> cloudbr0 8000.fc48ef2fbd38 yes bond1
> cloudbr1 8000.707be8f0d200 yes bond2
> cloudbrm 8000.fc48ef2fbd38 no bond1.40
> virbr0 8000.525400c8b796 yes virbr0-nic
> [root@bh2 1234]#
> It's a fresh installation.
> I tried it on the 4.0.0.140 and 4.0.0.1234 releases; the problem is the same everywhere.
> [root@bh2 cloud]# tail -100 security_group.log
> 2012-11-27 00:39:23,025 - Cleaned up rules for 0 chains
> 2012-11-27 00:39:24,049 - iptables-save | grep '^:' | grep -v '.*-def' | grep -v '.*-eg' | awk '{print $1}' | cut -d':' -f2
> 2012-11-27 00:39:24,055 - ebtables-save |grep :i |awk '{print $1}' |sed -e 's/\-in//g' |sed -e 's/\-out//g' |sed -e 's/^://g'
> 2012-11-27 00:39:24,069 - Cleaned up rules for 0 chains
> 2012-11-27 01:01:41,150 - iptables-save | grep BF | grep r-4 | grep physdev-is-bridged | sed 's/-A/-D/'
> 2012-11-27 01:01:41,156 - ebtables -t nat -L PREROUTING | grep r-4-VM
> 2012-11-27 01:01:41,161 - ebtables -t nat -L POSTROUTING | grep r-4-VM
> 2012-11-27 01:01:41,166 - ebtables -t nat -F r-4-VM-in
> 2012-11-27 01:01:41,169 - Ignoring failure to delete ebtables chain for vm r-4-VM
> 2012-11-27 01:01:41,170 - ebtables -t nat -F r-4-VM-out
> 2012-11-27 01:01:41,174 - Ignoring failure to delete ebtables chain for vm r-4-VM
> 2012-11-27 01:01:41,174 - iptables -F r-4-def
> 2012-11-27 01:01:41,178 - Ignoring failure to delete chain r-4-def
> 2012-11-27 01:01:41,178 - iptables -X r-4-def
> 2012-11-27 01:01:41,182 - Ignoring failure to delete chain r-4-def
> 2012-11-27 01:01:41,182 - iptables -F r-4-VM
> 2012-11-27 01:01:41,186 - Ignoring failure to delete chain r-4-VM
> 2012-11-27 01:01:41,186 - iptables -X r-4-VM
> 2012-11-27 01:01:41,190 - Ignoring failure to delete chain r-4-VM
> 2012-11-27 01:01:41,190 - iptables -F r-4-VM-eg
> 2012-11-27 01:01:41,193 - Ignoring failure to delete chain r-4-VM-eg
> 2012-11-27 01:01:41,194 - iptables -X r-4-VM-eg
> 2012-11-27 01:01:41,197 - Ignoring failure to delete chain r-4-VM-eg
> 2012-11-27 01:01:41,197 - iptables -t nat -S | grep vnet0 | sed 's/-A/-D/'
> 2012-11-27 01:01:41,202 - iptables -t nat
> 2012-11-27 01:01:41,205 - Igoring failure to delete dnat:
> 2012-11-27 01:01:41,206 - Failed to delete rule log file /var/run/cloud/r-4-VM.log
> 2012-11-27 01:10:47,269 - which iptables
> 2012-11-27 01:10:47,273 - which ebtables
> 2012-11-27 01:10:47,276 - iptables-save | grep '^:' | grep -v '.*-def' | grep -v '.*-eg' | awk '{print $1}' | cut -d':' -f2
> 2012-11-27 01:10:47,282 - ebtables-save |grep :i |awk '{print $1}' |sed -e 's/\-in//g' |sed -e 's/\-out//g' |sed -e 's/^://g'
> 2012-11-27 01:10:47,298 - Cleaned up rules for 0 chains
> 2012-11-27 01:10:48,209 - iptables-save | grep '^:' | grep -v '.*-def' | grep -v '.*-eg' | awk '{print $1}' | cut -d':' -f2
> 2012-11-27 01:10:48,215 - ebtables-save |grep :i |awk '{print $1}' |sed -e 's/\-in//g' |sed -e 's/\-out//g' |sed -e 's/^://g'
> 2012-11-27 01:10:48,230 - Cleaned up rules for 0 chains
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
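The reporter's fix was to turn STP off on every bridge. The following added example (not code from the thread or from CloudStack) parses `brctl show` output, lists the bridges that still have STP enabled, and reports VLAN sub-interfaces whose parent device is a port of an STP-enabled bridge, which is the layout on these hosts. The sample input is the bh1 output posted in this thread; the function names are assumptions made for the example.

```python
import re

# Bridge id as printed by brctl: 4 hex digits of priority, a dot, 12 hex digits of MAC.
BRIDGE_ID = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{12}$")

# `brctl show` output for host bh1 as posted in this thread (whitespace collapsed).
SAMPLE_BH1 = """\
bridge name bridge id STP enabled interfaces
cloud0 8000.fe00a9fe01ff no vnet0
vnet4
cloudVirBr50 8000.707be8f0d202 no bond2.50
vnet2
vnet6
cloudVirBr700 8000.fc48ef2fbd44 no bond1.700
vnet7
cloudbr0 8000.fc48ef2fbd44 yes bond1
cloudbr1 8000.707be8f0d202 yes bond2
cloudbrm 8000.fc48ef2fbd44 no bond1.40
vnet1
vnet3
vnet5
virbr0 8000.525400d54daf yes virbr0-nic
"""


def parse_brctl_show(text):
    """Return {bridge: {"stp": bool, "interfaces": [..]}} from brctl show output.

    A bridge row has a name, a bridge id and yes/no; extra ports of the same
    bridge follow on continuation lines that hold only the port name.
    """
    bridges = {}
    current = None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[:2] == ["bridge", "name"]:
            continue  # blank line or column header
        if len(fields) >= 3 and BRIDGE_ID.match(fields[1]) and fields[2] in ("yes", "no"):
            current = fields[0]
            bridges[current] = {"stp": fields[2] == "yes", "interfaces": fields[3:]}
        elif current is not None and len(fields) == 1:
            bridges[current]["interfaces"].append(fields[0])
    return bridges


def stp_enabled(bridges):
    """Names of bridges that still have STP switched on."""
    return sorted(name for name, b in bridges.items() if b["stp"])


def vlan_ports_under_stp_parent(bridges):
    """Find VLAN ports (dev.vid) whose parent dev is a port of an STP-enabled bridge.

    Returns (vlan_bridge, vlan_port, parent_bridge) tuples. This only reports
    the layout; it does not prove that STP is what drops the traffic.
    """
    owner = {port: name for name, b in bridges.items() for port in b["interfaces"]}
    findings = []
    for name, b in bridges.items():
        for port in b["interfaces"]:
            if "." not in port:
                continue  # not a VLAN sub-interface
            parent = port.rsplit(".", 1)[0]
            parent_bridge = owner.get(parent)
            if parent_bridge and bridges[parent_bridge]["stp"]:
                findings.append((name, port, parent_bridge))
    return findings


if __name__ == "__main__":
    parsed = parse_brctl_show(SAMPLE_BH1)
    print("STP enabled on:", ", ".join(stp_enabled(parsed)))
    for vlan_bridge, port, parent_bridge in vlan_ports_under_stp_parent(parsed):
        print(f"{vlan_bridge}: port {port} rides on {parent_bridge} (STP yes)")
```
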
[jira] [Comment Edited] (CLOUDSTACK-540) KVM network trouble
Posted by "Iliya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504204#comment-13504204 ]
Iliya edited comment on CLOUDSTACK-540 at 11/26/12 10:52 PM:
-------------------------------------------------------------
It's already up on both hosts.
cloudVirBr700 Link encap:Ethernet HWaddr FC:48:EF:2F:BD:38
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:264 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:22206 (21.6 KiB) TX bytes:0 (0.0 b)
[root@bh1 network-scripts]# ifconfig cloudVirBr700 10.1.1.4 netmask 255.255.255.0 up
[root@bh2 network-scripts]# ifconfig cloudVirBr700 10.1.1.3 netmask 255.255.255.0 up
[root@bh1 network-scripts]# ping 10.1.1.3
PING 10.1.1.3 (10.1.1.3) 56(84) bytes of data.
64 bytes from 10.1.1.3: icmp_seq=1 ttl=64 time=0.164 ms
Firewall is not running.
was (Author: sunrash):
It's already up on both hosts.
cloudVirBr700 Link encap:Ethernet HWaddr FC:48:EF:2F:BD:38
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:264 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:22206 (21.6 KiB) TX bytes:0 (0.0 b)
[root@bh1 network-scripts]# ifconfig cloudVirBr700 10.1.1.4 netmask 255.255.255.0 up
[root@bh2 network-scripts]# ifconfig cloudVirBr700 10.1.1.3 netmask 255.255.255.0 up
[root@bh620-3 network-scripts]# ping 10.1.1.3
PING 10.1.1.3 (10.1.1.3) 56(84) bytes of data.
64 bytes from 10.1.1.3: icmp_seq=1 ttl=64 time=0.164 ms
Firewall is not running.
[jira] [Closed] (CLOUDSTACK-540) KVM network trouble
Posted by "Iliya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Iliya closed CLOUDSTACK-540.
----------------------------
Resolution: Not A Problem
[jira] [Comment Edited] (CLOUDSTACK-540) KVM network trouble
Posted by "Iliya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504173#comment-13504173 ]
Iliya edited comment on CLOUDSTACK-540 at 11/26/12 10:08 PM:
-------------------------------------------------------------
Thanks, Marcus.
In sysctl.conf:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-arptables
0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-ip6tables
0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-iptables
0
[root@bh1 run]# cat /proc/sys/net/bridge/bridge-nf-call-arptables
0
[root@bh1 run]# cat /proc/sys/net/bridge/bridge-nf-call-ip6tables
0
[root@bh1 run]# cat /proc/sys/net/bridge/bridge-nf-call-iptables
0
[root@bh1 run]# brctl show
bridge name bridge id STP enabled interfaces
cloud0 8000.fe00a9fe01ff no vnet0
vnet4
cloudVirBr50 8000.707be8f0d202 no bond2.50
vnet2
vnet6
cloudVirBr700 8000.fc48ef2fbd44 no bond1.700
vnet7
cloudbr0 8000.fc48ef2fbd44 yes bond1
cloudbr1 8000.707be8f0d202 yes bond2
cloudbrm 8000.fc48ef2fbd44 no bond1.40
vnet1
vnet3
vnet5
virbr0 8000.525400d54daf yes virbr0-nic
[root@bh1 run]#
[root@bh2 run]# brctl show
bridge name bridge id STP enabled interfaces
cloud0 8000.fe00a9fe011c no vnet1
cloudVirBr50 8000.707be8f0d200 no bond2.50
vnet2
cloudVirBr700 8000.fc48ef2fbd38 no bond1.700
vnet0
cloudbr0 8000.fc48ef2fbd38 yes bond1
cloudbr1 8000.707be8f0d200 yes bond2
cloudbrm 8000.fc48ef2fbd38 no bond1.40
virbr0 8000.525400c8b796 yes virbr0-nic
[root@bh2 run]#
[root@bh2 run]# ifconfig bond1.700 10.1.1.1 netmask 255.255.255.0 up
[root@bh1 run]# ifconfig bond1.700 10.1.1.2 netmask 255.255.255.0 up
[root@bh2 run]# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
^C
--- 10.1.1.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1872ms
[root@bh1 run]# tcpdump -i bond1.700
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond1.700, link-type EN10MB (Ethernet), capture size 65535 bytes
02:08:06.957484 ARP, Request who-has 10.1.1.2 tell 10.1.1.1, length 42
02:08:06.957494 ARP, Request who-has 10.1.1.2 tell 10.1.1.1, length 42
02:08:07.957442 ARP, Request who-has 10.1.1.2 tell 10.1.1.1, length 42
02:08:07.957448 ARP, Request who-has 10.1.1.2 tell 10.1.1.1, length 42
02:08:08.957466 ARP, Request who-has 10.1.1.2 tell 10.1.1.1, length 42
02:08:08.957472 ARP, Request who-has 10.1.1.2 tell 10.1.1.1, length 42
02:08:09.966483 ARP, Request who-has 10.1.1.2 tell 10.1.1.1, length 42
02:08:09.966490 ARP, Request who-has 10.1.1.2 tell 10.1.1.1, length 42
02:08:10.966435 ARP, Request who-has 10.1.1.2 tell 10.1.1.1, length 42
02:08:10.966442 ARP, Request who-has 10.1.1.2 tell 10.1.1.1, length 42
Rules:
-A BF-cloudVirBr700 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BF-cloudVirBr700 -m physdev --physdev-is-in --physdev-is-bridged -j BF-cloudVirBr700-IN
-A BF-cloudVirBr700 -m physdev --physdev-is-out --physdev-is-bridged -j BF-cloudVirBr700-OUT
-A BF-cloudVirBr700 -m physdev --physdev-out eth0 --physdev-is-bridged -j ACCEPT
Should be established automatically? Or was this only in the CloudStack 2.2 version?
was (Author: sunrash):
Thanks, Marcus.
In sysctl.conf:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-arptables
0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-ip6tables
0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-iptables
0
[root@bh1 run]# cat /proc/sys/net/bridge/bridge-nf-call-arptables
0
[root@bh1 run]# cat /proc/sys/net/bridge/bridge-nf-call-ip6tables
0
[root@bh1 run]# cat /proc/sys/net/bridge/bridge-nf-call-iptables
0
[root@bh1 run]# brctl show
bridge name bridge id STP enabled interfaces
cloud0 8000.fe00a9fe01ff no vnet0
vnet4
cloudVirBr50 8000.707be8f0d202 no bond2.50
vnet2
vnet6
cloudVirBr700 8000.fc48ef2fbd44 no bond1.700
vnet7
cloudbr0 8000.fc48ef2fbd44 yes bond1
cloudbr1 8000.707be8f0d202 yes bond2
cloudbrm 8000.fc48ef2fbd44 no bond1.40
vnet1
vnet3
vnet5
virbr0 8000.525400d54daf yes virbr0-nic
[root@bh1 run]#
[root@bh2 run]# brctl show
bridge name bridge id STP enabled interfaces
cloud0 8000.fe00a9fe011c no vnet1
cloudVirBr50 8000.707be8f0d200 no bond2.50
vnet2
cloudVirBr700 8000.fc48ef2fbd38 no bond1.700
vnet0
cloudbr0 8000.fc48ef2fbd38 yes bond1
cloudbr1 8000.707be8f0d200 yes bond2
cloudbrm 8000.fc48ef2fbd38 no bond1.40
virbr0 8000.525400c8b796 yes virbr0-nic
[root@bh2 run]#
[root@bh2 run]# ifconfig bond1.700 10.1.1.1 netmask 255.255.255.0 up
[root@bh1 run]# ifconfig bond1.700 10.1.1.2 netmask 255.255.255.0 up
[root@bh2 run]# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
^C
--- 10.1.1.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1872ms
Rules:
-A BF-cloudVirBr700 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BF-cloudVirBr700 -m physdev --physdev-is-in --physdev-is-bridged -j BF-cloudVirBr700-IN
-A BF-cloudVirBr700 -m physdev --physdev-is-out --physdev-is-bridged -j BF-cloudVirBr700-OUT
-A BF-cloudVirBr700 -m physdev --physdev-out eth0 --physdev-is-bridged -j ACCEPT
Should be established automatically? Or was this only in the CloudStack 2.2 version?
[jira] [Comment Edited] (CLOUDSTACK-540) KVM network trouble
Posted by "Iliya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504187#comment-13504187 ]
Iliya edited comment on CLOUDSTACK-540 at 11/26/12 10:26 PM:
-------------------------------------------------------------
The VLAN range 50-1000 had been prescribed on the switch, so this did not seem to be the problem...
I created two interfaces
ifcfg-bond1.666
DEVICE=bond1.666
USERCTL=no
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet
IPV6INIT=no
IPV6_AUTOCONF=no
VLAN=yes
on both hosts
and tried a test:
[root@bh1 network-scripts]# /etc/init.d/iptables status
iptables: Firewall is not running.
[root@bh2 network-scripts]# /etc/init.d/iptables status
iptables: Firewall is not running.
[root@bh2 network-scripts]# ifconfig bond1.666 10.3.1.1 netmask 255.255.255.0 up
[root@bh1 network-scripts]# ifconfig bond1.666 10.3.1.2 netmask 255.255.255.0 up
[root@bh1 network-scripts]# ping 10.3.1.1
PING 10.3.1.1 (10.3.1.1) 56(84) bytes of data.
64 bytes from 10.3.1.1: icmp_seq=1 ttl=64 time=1.75 ms
64 bytes from 10.3.1.1: icmp_seq=2 ttl=64 time=0.161 ms
Maybe there is some problem in the bridge?
I added the newly created interface to bridge cloudVirBr700 and tried ping again...
[root@bh2 network-scripts]# brctl addif cloudVirBr700 bond1.666
[root@bh1 network-scripts]# brctl addif cloudVirBr700 bond1.666
[root@bh1 network-scripts]# ping 10.3.1.1
PING 10.3.1.1 (10.3.1.1) 56(84) bytes of data.
^C
--- 10.3.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2677ms
was (Author: sunrash):
The VLAN range 50-1000 had been prescribed on the switch, so this did not seem to be the problem...
I created two interfaces
ifcfg-bond1.666
DEVICE=bond1.666
USERCTL=no
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet
IPV6INIT=no
IPV6_AUTOCONF=no
VLAN=yes
on both hosts
and tried a test:
[root@bh1 network-scripts]# /etc/init.d/iptables status
iptables: Firewall is not running.
[root@bh2 network-scripts]# /etc/init.d/iptables status
iptables: Firewall is not running.
[root@bh2 network-scripts]# ifconfig bond1.666 10.3.1.1 netmask 255.255.255.0 up
[root@bh1 network-scripts]# ifconfig bond1.666 10.3.1.2 netmask 255.255.255.0 up
[root@bh620-3 network-scripts]# ping 10.3.1.1
PING 10.3.1.1 (10.3.1.1) 56(84) bytes of data.
64 bytes from 10.3.1.1: icmp_seq=1 ttl=64 time=1.75 ms
64 bytes from 10.3.1.1: icmp_seq=2 ttl=64 time=0.161 ms
Maybe there is some problem in the bridge?
I added the newly created interface to bridge cloudVirBr700 and tried ping again...
[root@bh620-4 network-scripts]# brctl addif cloudVirBr700 bond1.666
[root@bh620-3 network-scripts]# brctl addif cloudVirBr700 bond1.666
[root@bh620-3 network-scripts]# ping 10.3.1.1
PING 10.3.1.1 (10.3.1.1) 56(84) bytes of data.
^C
--- 10.3.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2677ms
> KVM network trouble
> --------------------
>
> Key: CLOUDSTACK-540
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-540
> Project: CloudStack
> Issue Type: Bug
> Components: Network Controller
> Affects Versions: 4.0.0
> Environment: 2x Node CentOS 6.3
> 1x node Cloudstack 4.0.0.1234
> Hypervisor: KVM
> Primary: CLVM
> Reporter: Iliya
>
> I setup "the advanced setup".
> cloudbrm - private
> cloudbr0 - guest
> cloudbr1 - public
> VLAN50 - public
> VLAN500-1000 - guest
> I created an instance (template CentOS 5.5(64-bit) no GUI (KVM)) and added a new network (DefaultIsolatedNetworkOfferingWithSourceNatService) in step 5 of the wizard. This network is deployed in cloudVirBr700
> bh1 - 1 KVM host
> bh2 - 2 KVM host
> The VM booted successfully, but when router and vm is same host - ping good.
> When router on bh1 and vm on bh2 network wasn't reachable:
> 1. The VM couldn't ping the public network gateway
> 2. The VM couldn't ping the Virtual Router
> 3. The Virtual Router couldn't ping the VM
> When tcpdump-ing cloudVirBr700 on the bh1 KVM host, I noticed "ICMP echo requests", but no replies.
> I also noticed there were no iptables rules regarding cloudVirBr700. Is that good or not?
> [root@bh2 1234]# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED
> ACCEPT all -- 192.168.122.0/24 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> [root@bh2 1234]#
> [root@bh2 1234]# brctl show
> bridge name bridge id STP enabled interfaces
> cloud0 8000.fe00a9fe03da no vnet1
> cloudVirBr50 8000.707be8f0d200 no bond2.50
> vnet2
> cloudVirBr700 8000.fc48ef2fbd38 no bond1.700
> vnet0
> cloudbr0 8000.fc48ef2fbd38 yes bond1
> cloudbr1 8000.707be8f0d200 yes bond2
> cloudbrm 8000.fc48ef2fbd38 no bond1.40
> virbr0 8000.525400c8b796 yes virbr0-nic
> [root@bh2 1234]#
> it's freesh installation.
> i try it on 4.0.0.140 and 4.0.0.1234 releases the problem is the same everywhere
> [root@bh2 cloud]# tail -100 security_group.log
> 2012-11-27 00:39:23,025 - Cleaned up rules for 0 chains
> 2012-11-27 00:39:24,049 - iptables-save | grep '^:' | grep -v '.*-def' | grep -v '.*-eg' | awk '{print $1}' | cut -d':' -f2
> 2012-11-27 00:39:24,055 - ebtables-save |grep :i |awk '{print $1}' |sed -e 's/\-in//g' |sed -e 's/\-out//g' |sed -e 's/^://g'
> 2012-11-27 00:39:24,069 - Cleaned up rules for 0 chains
> 2012-11-27 01:01:41,150 - iptables-save | grep BF | grep r-4 | grep physdev-is-bridged | sed 's/-A/-D/'
> 2012-11-27 01:01:41,156 - ebtables -t nat -L PREROUTING | grep r-4-VM
> 2012-11-27 01:01:41,161 - ebtables -t nat -L POSTROUTING | grep r-4-VM
> 2012-11-27 01:01:41,166 - ebtables -t nat -F r-4-VM-in
> 2012-11-27 01:01:41,169 - Ignoring failure to delete ebtables chain for vm r-4-VM
> 2012-11-27 01:01:41,170 - ebtables -t nat -F r-4-VM-out
> 2012-11-27 01:01:41,174 - Ignoring failure to delete ebtables chain for vm r-4-VM
> 2012-11-27 01:01:41,174 - iptables -F r-4-def
> 2012-11-27 01:01:41,178 - Ignoring failure to delete chain r-4-def
> 2012-11-27 01:01:41,178 - iptables -X r-4-def
> 2012-11-27 01:01:41,182 - Ignoring failure to delete chain r-4-def
> 2012-11-27 01:01:41,182 - iptables -F r-4-VM
> 2012-11-27 01:01:41,186 - Ignoring failure to delete chain r-4-VM
> 2012-11-27 01:01:41,186 - iptables -X r-4-VM
> 2012-11-27 01:01:41,190 - Ignoring failure to delete chain r-4-VM
> 2012-11-27 01:01:41,190 - iptables -F r-4-VM-eg
> 2012-11-27 01:01:41,193 - Ignoring failure to delete chain r-4-VM-eg
> 2012-11-27 01:01:41,194 - iptables -X r-4-VM-eg
> 2012-11-27 01:01:41,197 - Ignoring failure to delete chain r-4-VM-eg
> 2012-11-27 01:01:41,197 - iptables -t nat -S | grep vnet0 | sed 's/-A/-D/'
> 2012-11-27 01:01:41,202 - iptables -t nat
> 2012-11-27 01:01:41,205 - Igoring failure to delete dnat:
> 2012-11-27 01:01:41,206 - Failed to delete rule log file /var/run/cloud/r-4-VM.log
> 2012-11-27 01:10:47,269 - which iptables
> 2012-11-27 01:10:47,273 - which ebtables
> 2012-11-27 01:10:47,276 - iptables-save | grep '^:' | grep -v '.*-def' | grep -v '.*-eg' | awk '{print $1}' | cut -d':' -f2
> 2012-11-27 01:10:47,282 - ebtables-save |grep :i |awk '{print $1}' |sed -e 's/\-in//g' |sed -e 's/\-out//g' |sed -e 's/^://g'
> 2012-11-27 01:10:47,298 - Cleaned up rules for 0 chains
> 2012-11-27 01:10:48,209 - iptables-save | grep '^:' | grep -v '.*-def' | grep -v '.*-eg' | awk '{print $1}' | cut -d':' -f2
> 2012-11-27 01:10:48,215 - ebtables-save |grep :i |awk '{print $1}' |sed -e 's/\-in//g' |sed -e 's/\-out//g' |sed -e 's/^://g'
> 2012-11-27 01:10:48,230 - Cleaned up rules for 0 chains
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CLOUDSTACK-540) KVM network trouble
Posted by "Iliya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504187#comment-13504187 ]
Iliya commented on CLOUDSTACK-540:
----------------------------------
On the switch, the VLAN range 50-1000 had been configured, so this did not seem to be the problem...
I created two interfaces
ifcfg-bond1.666
DEVICE=bond1.666
USERCTL=no
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet
IPV6INIT=no
IPV6_AUTOCONF=no
VLAN=yes
on both hosts
and tried a test:
[root@bh1 network-scripts]# /etc/init.d/iptables status
iptables: Firewall is not running.
[root@bh2 network-scripts]# /etc/init.d/iptables status
iptables: Firewall is not running.
[root@bh2 network-scripts]# ifconfig bond1.666 10.3.1.1 netmask 255.255.255.0 up
[root@bh1 network-scripts]# ifconfig bond1.666 10.3.1.2 netmask 255.255.255.0 up
[root@bh620-3 network-scripts]# ping 10.3.1.1
PING 10.3.1.1 (10.3.1.1) 56(84) bytes of data.
64 bytes from 10.3.1.1: icmp_seq=1 ttl=64 time=1.75 ms
64 bytes from 10.3.1.1: icmp_seq=2 ttl=64 time=0.161 ms
Maybe there is some problem in the bridge?
I added the newly created interface to the bridge cloudVirBr700 and tried the ping again...
[root@bh620-4 network-scripts]# brctl addif cloudVirBr700 bond1.666
[root@bh620-3 network-scripts]# brctl addif cloudVirBr700 bond1.666
[root@bh620-3 network-scripts]# ping 10.3.1.1
PING 10.3.1.1 (10.3.1.1) 56(84) bytes of data.
^C
--- 10.3.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2677ms
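The bridge test in the comment above, expressed as a check (an added example, not part of the original comment and not CloudStack code): it parses `brctl show` output, including the flattened form in which it appears on this page, and flags an address configured on a bridge port, which Linux expects on the bridge device instead, and a VLAN sub-interface whose tag differs from the number in its `cloudVirBr<N>` bridge name. The sample listing, the address map and the `cloudVirBr<N>` naming rule are assumptions reconstructed from the listings on this page.

```python
import re

# Constructed sample: `brctl show` as it would look on bh1 after
# `brctl addif cloudVirBr700 bond1.666` (layout modelled on the page's output).
BRCTL_SHOW = """\
bridge name     bridge id           STP enabled   interfaces
cloud0          8000.fe00a9fe01ff   no            vnet0
                                                  vnet4
cloudVirBr50    8000.707be8f0d202   no            bond2.50
                                                  vnet2
cloudVirBr700   8000.fc48ef2fbd44   no            bond1.700
                                                  bond1.666
                                                  vnet7
cloudbr0        8000.fc48ef2fbd44   yes           bond1
virbr0          8000.525400d54daf   yes           virbr0-nic
"""

BRIDGE_ID = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{12}$")   # e.g. 8000.fc48ef2fbd44
VLAN_IFACE = re.compile(r"^.+\.(\d+)$")                  # e.g. bond1.700 -> 700
VLAN_BRIDGE = re.compile(r"^cloudVirBr(\d+)$")           # assumed naming rule


def parse_brctl_show(text):
    """Return {bridge: [ports]} from `brctl show` output.

    Rows are recognised by the bridge-id field rather than by indentation,
    so listings whose leading whitespace was lost still parse correctly.
    """
    bridges = {}
    current = None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[:2] == ["bridge", "name"]:
            continue                       # blank line or column header
        if len(fields) >= 3 and BRIDGE_ID.match(fields[1]):
            current = fields[0]
            bridges[current] = fields[3:]  # first port, if the bridge has one
        elif len(fields) == 1 and current is not None:
            bridges[current].append(fields[0])  # continuation line: one more port
    return bridges


def vlan_tag(iface):
    """VLAN id encoded in a sub-interface name, or None for untagged names."""
    m = VLAN_IFACE.match(iface)
    return int(m.group(1)) if m else None


def audit(bridges, addresses):
    """Return (kind, bridge, interface) findings.

    addresses maps interface name -> IP address configured on it.
    """
    findings = []
    port_of = {port: br for br, ports in bridges.items() for port in ports}

    # An address on an enslaved port: frames arriving on the port are handed
    # to the bridge, so the address belongs on the bridge device itself.
    for iface in sorted(addresses):
        if iface in port_of:
            findings.append(("addr-on-port", port_of[iface], iface))

    # A tagged uplink in a bridge named for a different VLAN joins two VLANs.
    for br, ports in bridges.items():
        m = VLAN_BRIDGE.match(br)
        if not m:
            continue
        expected = int(m.group(1))
        for port in ports:
            tag = vlan_tag(port)
            if tag is not None and tag != expected:
                findings.append(("vlan-mismatch", br, port))
    return findings


if __name__ == "__main__":
    # Constructed address map mirroring `ifconfig bond1.666 10.3.1.2 ... up`.
    for finding in audit(parse_brctl_show(BRCTL_SHOW), {"bond1.666": "10.3.1.2"}):
        print(finding)
```

Feeding it the address map `{"cloudVirBr700": "10.1.1.4"}` instead reports no address finding, since the address then sits on the bridge device.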
[jira] [Comment Edited] (CLOUDSTACK-540) KVM network trouble
Posted by "Iliya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504173#comment-13504173 ]
Iliya edited comment on CLOUDSTACK-540 at 11/26/12 10:07 PM:
-------------------------------------------------------------
Thanks, Marcus.
In sysctl.conf:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-arptables
0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-ip6tables
0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-iptables
0
[root@bh1 run]# cat /proc/sys/net/bridge/bridge-nf-call-arptables
0
[root@bh1 run]# cat /proc/sys/net/bridge/bridge-nf-call-ip6tables
0
[root@bh1 run]# cat /proc/sys/net/bridge/bridge-nf-call-iptables
0
[root@bh1 run]# brctl show
bridge name     bridge id           STP enabled   interfaces
cloud0          8000.fe00a9fe01ff   no            vnet0
                                                  vnet4
cloudVirBr50    8000.707be8f0d202   no            bond2.50
                                                  vnet2
                                                  vnet6
cloudVirBr700   8000.fc48ef2fbd44   no            bond1.700
                                                  vnet7
cloudbr0        8000.fc48ef2fbd44   yes           bond1
cloudbr1        8000.707be8f0d202   yes           bond2
cloudbrm        8000.fc48ef2fbd44   no            bond1.40
                                                  vnet1
                                                  vnet3
                                                  vnet5
virbr0          8000.525400d54daf   yes           virbr0-nic
[root@bh1 run]#
[root@bh2 run]# brctl show
bridge name     bridge id           STP enabled   interfaces
cloud0          8000.fe00a9fe011c   no            vnet1
cloudVirBr50    8000.707be8f0d200   no            bond2.50
                                                  vnet2
cloudVirBr700   8000.fc48ef2fbd38   no            bond1.700
                                                  vnet0
cloudbr0        8000.fc48ef2fbd38   yes           bond1
cloudbr1        8000.707be8f0d200   yes           bond2
cloudbrm        8000.fc48ef2fbd38   no            bond1.40
virbr0          8000.525400c8b796   yes           virbr0-nic
[root@bh2 run]#
[root@bh2 run]# ifconfig bond1.700 10.1.1.1 netmask 255.255.255.0 up
[root@bh1 run]# ifconfig bond1.700 10.1.1.2 netmask 255.255.255.0 up
[root@bh2 run]# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
^C
--- 10.1.1.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1872ms
Rules:
-A BF-cloudVirBr700 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BF-cloudVirBr700 -m physdev --physdev-is-in --physdev-is-bridged -j BF-cloudVirBr700-IN
-A BF-cloudVirBr700 -m physdev --physdev-is-out --physdev-is-bridged -j BF-cloudVirBr700-OUT
-A BF-cloudVirBr700 -m physdev --physdev-out eth0 --physdev-is-bridged -j ACCEPT
Should these be established automatically? Or was this only in the CloudStack 2.2 version?
was (Author: sunrash):
Thanks, Marcus.
In sysctl.conf:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-arptables
0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-ip6tables
0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-iptables
0
[root@bh1 run]# brctl show
bridge name     bridge id           STP enabled   interfaces
cloud0          8000.fe00a9fe01ff   no            vnet0
                                                  vnet4
cloudVirBr50    8000.707be8f0d202   no            bond2.50
                                                  vnet2
                                                  vnet6
cloudVirBr700   8000.fc48ef2fbd44   no            bond1.700
                                                  vnet7
cloudbr0        8000.fc48ef2fbd44   yes           bond1
cloudbr1        8000.707be8f0d202   yes           bond2
cloudbrm        8000.fc48ef2fbd44   no            bond1.40
                                                  vnet1
                                                  vnet3
                                                  vnet5
virbr0          8000.525400d54daf   yes           virbr0-nic
[root@bh1 run]#
[root@bh2 run]# brctl show
bridge name     bridge id           STP enabled   interfaces
cloud0          8000.fe00a9fe011c   no            vnet1
cloudVirBr50    8000.707be8f0d200   no            bond2.50
                                                  vnet2
cloudVirBr700   8000.fc48ef2fbd38   no            bond1.700
                                                  vnet0
cloudbr0        8000.fc48ef2fbd38   yes           bond1
cloudbr1        8000.707be8f0d200   yes           bond2
cloudbrm        8000.fc48ef2fbd38   no            bond1.40
virbr0          8000.525400c8b796   yes           virbr0-nic
[root@bh2 run]#
[root@bh2 run]# ifconfig bond1.700 10.1.1.1 netmask 255.255.255.0 up
[root@bh1 run]# ifconfig bond1.700 10.1.1.2 netmask 255.255.255.0 up
[root@bh2 run]# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
^C
--- 10.1.1.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1872ms
Rules:
-A BF-cloudVirBr700 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BF-cloudVirBr700 -m physdev --physdev-is-in --physdev-is-bridged -j BF-cloudVirBr700-IN
-A BF-cloudVirBr700 -m physdev --physdev-is-out --physdev-is-bridged -j BF-cloudVirBr700-OUT
-A BF-cloudVirBr700 -m physdev --physdev-out eth0 --physdev-is-bridged -j ACCEPT
Should these be established automatically? Or was this only in the CloudStack 2.2 version?
[jira] [Comment Edited] (CLOUDSTACK-540) KVM network trouble
Posted by "Iliya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504204#comment-13504204 ]
Iliya edited comment on CLOUDSTACK-540 at 11/26/12 10:51 PM:
-------------------------------------------------------------
it's already up on both hosts
cloudVirBr700 Link encap:Ethernet HWaddr FC:48:EF:2F:BD:38
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:264 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:22206 (21.6 KiB) TX bytes:0 (0.0 b)
[root@bh1 network-scripts]# ifconfig cloudVirBr700 10.1.1.4 netmask 255.255.255.0 up
[root@bh2 network-scripts]# ifconfig cloudVirBr700 10.1.1.3 netmask 255.255.255.0 up
[root@bh620-3 network-scripts]# ping 10.1.1.3
PING 10.1.1.3 (10.1.1.3) 56(84) bytes of data.
64 bytes from 10.1.1.3: icmp_seq=1 ttl=64 time=0.164 ms
Firewall is not running.
was (Author: sunrash):
it's already up on both hosts
cloudVirBr700 Link encap:Ethernet HWaddr FC:48:EF:2F:BD:38
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:264 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:22206 (21.6 KiB) TX bytes:0 (0.0 b)
[root@bh1 network-scripts]# ifconfig cloudVirBr700 10.1.1.4 netmask 255.255.255.0 up
[root@bh2 network-scripts]# ifconfig cloudVirBr700 10.1.1.3 netmask 255.255.255.0 up
[root@bh1 network-scripts]# ping 10.1.1.4
PING 10.1.1.4 (10.1.1.4) 56(84) bytes of data.
64 bytes from 10.1.1.4: icmp_seq=1 ttl=64 time=0.012 ms
Firewall is not running.
[jira] [Comment Edited] (CLOUDSTACK-540) KVM network trouble
Posted by "Iliya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504204#comment-13504204 ]
Iliya edited comment on CLOUDSTACK-540 at 11/26/12 10:50 PM:
-------------------------------------------------------------
it's already up on both hosts
cloudVirBr700 Link encap:Ethernet HWaddr FC:48:EF:2F:BD:38
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:264 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:22206 (21.6 KiB) TX bytes:0 (0.0 b)
[root@bh1 network-scripts]# ifconfig cloudVirBr700 10.1.1.4 netmask 255.255.255.0 up
[root@bh2 network-scripts]# ifconfig cloudVirBr700 10.1.1.3 netmask 255.255.255.0 up
[root@bh1 network-scripts]# ping 10.1.1.4
PING 10.1.1.4 (10.1.1.4) 56(84) bytes of data.
64 bytes from 10.1.1.4: icmp_seq=1 ttl=64 time=0.012 ms
Firewall is not running.
was (Author: sunrash):
it's already up on both hosts
cloudVirBr700 Link encap:Ethernet HWaddr FC:48:EF:2F:BD:38
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:264 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:22206 (21.6 KiB) TX bytes:0 (0.0 b)
[root@bh1 network-scripts]# ifconfig cloudVirBr700 10.1.1.4 netmask 255.255.255.0 up
[root@bh2 network-scripts]# ifconfig cloudVirBr700 10.1.1.3 netmask 255.255.255.0 up
[root@bh1 network-scripts]# ping 10.1.1.3
PING 10.1.1.3 (10.1.1.3) 56(84) bytes of data.
From 10.1.1.2 icmp_seq=2 Destination Host Unreachable
From 10.1.1.2 icmp_seq=3 Destination Host Unreachable
From 10.1.1.2 icmp_seq=4 Destination Host Unreachable
Firewall is not running.
[jira] [Commented] (CLOUDSTACK-540) KVM network trouble
Posted by "Iliya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504173#comment-13504173 ]
Iliya commented on CLOUDSTACK-540:
----------------------------------
Thanks, Marcus.
In sysctl.conf:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-arptables
0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-ip6tables
0
[root@bh2 run]# cat /proc/sys/net/bridge/bridge-nf-call-iptables
0
[root@bh1 run]# brctl show
bridge name     bridge id               STP enabled     interfaces
cloud0          8000.fe00a9fe01ff       no              vnet0
                                                        vnet4
cloudVirBr50    8000.707be8f0d202       no              bond2.50
                                                        vnet2
                                                        vnet6
cloudVirBr700   8000.fc48ef2fbd44       no              bond1.700
                                                        vnet7
cloudbr0        8000.fc48ef2fbd44       yes             bond1
cloudbr1        8000.707be8f0d202       yes             bond2
cloudbrm        8000.fc48ef2fbd44       no              bond1.40
                                                        vnet1
                                                        vnet3
                                                        vnet5
virbr0          8000.525400d54daf       yes             virbr0-nic
[root@bh1 run]#
[root@bh2 run]# brctl show
bridge name     bridge id               STP enabled     interfaces
cloud0          8000.fe00a9fe011c       no              vnet1
cloudVirBr50    8000.707be8f0d200       no              bond2.50
                                                        vnet2
cloudVirBr700   8000.fc48ef2fbd38       no              bond1.700
                                                        vnet0
cloudbr0        8000.fc48ef2fbd38       yes             bond1
cloudbr1        8000.707be8f0d200       yes             bond2
cloudbrm        8000.fc48ef2fbd38       no              bond1.40
virbr0          8000.525400c8b796       yes             virbr0-nic
[root@bh2 run]#
[root@bh2 run]# ifconfig bond1.700 10.1.1.1 netmask 255.255.255.0 up
[root@bh1 run]# ifconfig bond1.700 10.1.1.2 netmask 255.255.255.0 up
[root@bh2 run]# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
^C
--- 10.1.1.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1872ms
Rules:
-A BF-cloudVirBr700 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BF-cloudVirBr700 -m physdev --physdev-is-in --physdev-is-bridged -j BF-cloudVirBr700-IN
-A BF-cloudVirBr700 -m physdev --physdev-is-out --physdev-is-bridged -j BF-cloudVirBr700-OUT
-A BF-cloudVirBr700 -m physdev --physdev-out eth0 --physdev-is-bridged -j ACCEPT
Should these be established automatically, or was this only in the CloudStack 2.2 version?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
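Rules that match on --physdev-is-bridged are only evaluated for bridged frames when net.bridge.bridge-nf-call-iptables is 1, so the sysctl values and the BF-cloudVirBr700 rules quoted in the comment above can be checked against each other. The following is an added example, not part of the original thread or of CloudStack's own code; the function names are hypothetical and the input is constructed from the values quoted in the comment.

```shell
#!/bin/sh
# Added example: can physdev rules in BF-<bridge> chains see bridged traffic?

# Constructed input: sysctl.conf values and rules as quoted in the comment above.
SYSCTL_SAMPLE='net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0'
RULES_SAMPLE='-A BF-cloudVirBr700 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BF-cloudVirBr700 -m physdev --physdev-is-in --physdev-is-bridged -j BF-cloudVirBr700-IN
-A BF-cloudVirBr700 -m physdev --physdev-is-out --physdev-is-bridged -j BF-cloudVirBr700-OUT
-A BF-cloudVirBr700 -m physdev --physdev-out eth0 --physdev-is-bridged -j ACCEPT'

# Print the last value assigned to KEY in sysctl.conf-style text, or "unset".
sysctl_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
          if (k == key) val = v }
        END { print (val == "" ? "unset" : val) }'
}

# Count iptables-save rules in BF-<bridge>* chains that match bridged frames.
count_bridged_rules() {
    printf '%s\n' "$1" | awk -v chain="BF-$2" '
        $1 == "-A" && ($2 == chain || index($2, chain "-") == 1) &&
            index($0, "--physdev-is-bridged") { n++ }
        END { print n + 0 }'
}

# One-line verdict for BRIDGE given sysctl text and iptables-save text.
audit_bridge_filtering() {
    nf=$(sysctl_value "$1" net.bridge.bridge-nf-call-iptables)
    n=$(count_bridged_rules "$2" "$3")
    if [ "$n" -eq 0 ]; then
        echo "NO_RULES $3"
    elif [ "$nf" = 1 ]; then
        echo "ACTIVE $3 rules=$n"
    elif [ "$nf" = 0 ]; then
        echo "INERT $3 rules=$n (bridged frames bypass iptables)"
    else
        echo "UNKNOWN $3 rules=$n (bridge-nf-call-iptables=$nf)"
    fi
}

audit_bridge_filtering "$SYSCTL_SAMPLE" "$RULES_SAMPLE" cloudVirBr700
```

On a live host the same functions can be fed the output of `sysctl -a` and `iptables-save` in place of the embedded samples.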