Posted to users@cloudstack.apache.org by Sergio Tonani <se...@csi.it> on 2013/04/04 21:24:09 UTC

Problems with Security Groups over CloudStack 4.0.1 with XenServer 6.0.2 and Basic Zone

Hi all, I am trying CloudStack 4.0.1 with XenServer 6.0.2 in a Basic Zone...
Security Groups do not work.
I followed all the instructions of the manual. CSP is installed and the host
network works in bridge mode.
I have another cluster with KVM that works fine.

On the XenServer host, CS doesn't write any ebtables rules, nor iptables rules.
On the KVM host, ebtables and iptables rules are populated correctly.

The log file management-server.log shows these messages when I create a new
instance in a security group:

2013-04-04 15:02:03,611 WARN [xen.resource.CitrixResourceBase]
(DirectAgent-214:null) Host 10.102.90.3 cannot do bridge firewalling
2013-04-04 15:02:03,612 DEBUG [agent.manager.DirectAgentAttache]
(DirectAgent-214:null) Seq 8-949355071: Response Received:
2013-04-04 15:02:03,612 DEBUG [agent.transport.Request] (DirectAgent-214:null)
Seq 8-949355071: Processing: { Ans: , MgmtId: 218022145849384, via: 8, Ver: v1,
Flags: 110,
[{"SecurityGroupRuleAnswer":{"logSequenceNumber":1,"vmId":13,"reason":"CANNOT_BRIDGE_FIREWALL","result":false,"details":"Host
10.102.90.3 cannot do bridge firewalling","wait":0}}] }
2013-04-04 15:02:03,615 DEBUG [network.security.SecurityGroupListener]
(DirectAgent-214:null) Failed to program rule
com.cloud.agent.api.SecurityGroupRuleAnswer into host 8 due to Host 10.102.90.3
cannot do bridge firewalling and updated jobs
2013-04-04 15:02:03,615 DEBUG [network.security.SecurityGroupListener]
(DirectAgent-214:null) Not retrying security group rules for vm 13 on failure
since host 8 cannot do bridge firewalling
2013-04-04 15:02:03,617 DEBUG [network.security.SecurityGroupListener]
(DirectAgent-214:null) Failed to program rule
com.cloud.agent.api.SecurityGroupRuleAnswer into host 8 due to Host 10.102.90.3
cannot do bridge firewalling and updated jobs
2013-04-04 15:02:03,617 DEBUG [network.security.SecurityGroupListener]
(DirectAgent-214:null) Not retrying security group rules for vm 13 on failure
since host 8 cannot do bridge firewalling

Where could I start to troubleshoot SecurityGroups on XenServer? Any
suggestions?

 __________________________________________________________________
 Sergio Tonani

Re: Problems with Security Groups over CloudStack 4.0.1 with XenServer 6.0.2 and Basic Zone

Posted by Chiradeep Vittal <Ch...@citrix.com>.
The check can_bridge_firewall is here:

http://s.apache.org/e1V


Needs
 - ipset
 - iptables physdev module


On 4/10/13 12:08 AM, "Krishna PMV" <kr...@gmail.com> wrote:

>> Hello
>> during the installation of XenServer host I ran the command
>> xe-switch-network-backend "bridge" and installed XenServer Cloud Support
>> Package.
>> I followed all the instructions of the manual.
>
>Hey Sergio - Found a solution yet? I ran into the same problem[1] with CS
>4.0.1 and XCP 1.1 and am looking for answers here. Since I'm on XCP I don't
>need to install CSP but as per docs[2], ebtables is not enabled by default.
>I did the following to enable it on my hypervisors but no luck:
>
>modprobe ebtables
>modprobe arp_tables
>net.bridge.bridge-nf-call-arptables = 1
>net.bridge.bridge-nf-call-iptables = 1
>net.bridge.bridge-nf-call-ip6tables = 1
>
>Does anyone have clues on how to get security groups working on
>xenserver(+csp) / xcp?
>
>[1] http://pastebin.com/gPTT4Rr4
>[2] http://www.xen.org/download/xcp/index_1.1.0.html
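Added example, not part of the original thread and not CloudStack's own can_bridge_firewall code: a shell preflight for the host-side prerequisites mentioned in this thread (bridge network backend, ipset, the iptables physdev match, the ebtables tool and the bridge-nf-call sysctls). The paths /etc/xensource/network.conf and /proc/net/ip_tables_matches, the function names and the sample host tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not CloudStack or XenServer code. The file paths are
# assumptions about a XenServer/XCP dom0. Every check takes a ROOT prefix and
# a BINPATH list so it can run against a constructed tree as well as a host.

# in_path NAME PATHLIST: succeed if an executable NAME exists in PATHLIST.
in_path() {
    _old_ifs=$IFS
    IFS=:
    for _dir in $2; do
        if [ -x "$_dir/$1" ]; then
            IFS=$_old_ifs
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# preflight ROOT BINPATH: print one line per missing prerequisite and
# return the number of problems found (0 means the host looks ready).
preflight() {
    _root=$1
    _bins=$2
    _bad=0

    # 1. Network backend must be "bridge" (what xe-switch-network-backend sets).
    _backend=$(cat "$_root/etc/xensource/network.conf" 2>/dev/null || true)
    if [ "$_backend" != "bridge" ]; then
        echo "backend: expected bridge, found '${_backend:-unknown}'"
        _bad=$((_bad + 1))
    fi

    # 2. Userspace tools the rules are written with.
    for _tool in ipset iptables ebtables; do
        if ! in_path "$_tool" "$_bins"; then
            echo "tool: $_tool not found"
            _bad=$((_bad + 1))
        fi
    done

    # 3. iptables physdev match. This proc file lists only matches that are
    #    registered in the running kernel, so an unloaded module also fails here.
    if ! grep -qx physdev "$_root/proc/net/ip_tables_matches" 2>/dev/null; then
        echo "iptables: physdev match not registered in the running kernel"
        _bad=$((_bad + 1))
    fi

    # 4. Bridged traffic must be passed to arptables/iptables/ip6tables.
    for _k in arptables iptables ip6tables; do
        _v=$(cat "$_root/proc/sys/net/bridge/bridge-nf-call-$_k" 2>/dev/null || true)
        if [ "$_v" != "1" ]; then
            echo "sysctl: net.bridge.bridge-nf-call-$_k = ${_v:-missing}"
            _bad=$((_bad + 1))
        fi
    done

    return "$_bad"
}

# Constructed sample (not taken from any real machine): bridge backend and
# sysctls are set, but ipset is absent and the physdev match is not registered.
demo_tree() {
    _t=$(mktemp -d)
    mkdir -p "$_t/etc/xensource" "$_t/proc/net" "$_t/proc/sys/net/bridge" "$_t/bin"
    echo bridge > "$_t/etc/xensource/network.conf"
    printf 'state\ntcp\nudp\n' > "$_t/proc/net/ip_tables_matches"
    for _k in arptables iptables ip6tables; do
        echo 1 > "$_t/proc/sys/net/bridge/bridge-nf-call-$_k"
    done
    for _tool in iptables ebtables; do
        : > "$_t/bin/$_tool"
        chmod +x "$_t/bin/$_tool"
    done
    echo "$_t"
}

tree=$(demo_tree)
preflight "$tree" "$tree/bin" || echo "problems found: $?"
rm -rf "$tree"

# On a real host the equivalent call would be: preflight "" "$PATH"
```

A host that passes all four checks can still report CANNOT_BRIDGE_FIREWALL for other reasons; the script only rules out the prerequisites named in the thread.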


Re: Problems with Security Groups over CloudStack 4.0.1 with XenServer 6.0.2 and Basic Zone

Posted by Krishna PMV <kr...@gmail.com>.
> Hello
> during the installation of XenServer host I ran the command
> xe-switch-network-backend "bridge" and installed XenServer Cloud Support
> Package.
> I followed all the instructions of the manual.

Hey Sergio - Found a solution yet? I ran into the same problem[1] with CS 4.0.1
and XCP 1.1 and am looking for answers here. Since I'm on XCP I don't need to
install CSP but as per docs[2], ebtables is not enabled by default. I did the
following to enable it on my hypervisors but no luck:

modprobe ebtables
modprobe arp_tables
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1


Does anyone have clues on how to get security groups working on xenserver(+csp)
/ xcp?

[1] http://pastebin.com/gPTT4Rr4
[2] http://www.xen.org/download/xcp/index_1.1.0.html


On Fri, Apr 5, 2013 at 1:02 PM, Sergio Tonani <se...@csi.it> wrote:

> Hello
> during the installation of XenServer host I ran the command
> xe-switch-network-backend "bridge" and installed XenServer Cloud Support
> Package.
> I followed all the instructions of the manual.

Re: Problems with Security Groups over CloudStack 4.0.1 with XenServer 6.0.2 and Basic Zone

Posted by Sergio Tonani <se...@csi.it>.
Hello,
during the installation of the XenServer host I ran the command
  xe-switch-network-backend "bridge"
and installed the XenServer Cloud Support Package.
I followed all the instructions of the manual.

 >  _________________________________________________________________________
 > 
 >  On 5 April 2013 at 7:56, Geoff Higginbottom
 > <ge...@shapeblue.com> wrote:
 >  > Sergio,
 >  >
 >  > Did you install the XenServer Cloud Support Package, it's required if you
 >  > are using Security Groups on XenServer 6.0.2
 __________________________________________________________________
 Sergio Tonani


Re: Problems with Security Groups over CloudStack 4.0.1 with XenServer 6.0.2 and Basic Zone

Posted by Geoff Higginbottom <ge...@shapeblue.com>.
Sergio,

Did you install the XenServer Cloud Support Package? It's required if you are using Security Groups on XenServer 6.0.2.

Regards

Geoff Higginbottom
CTO / Cloud Architect



On 5 Apr 2013, at 06:34, "Jayapal Reddy Uradi" <ja...@citrix.com> wrote:

Did you run the following command in xenserver as part of host setup?
xe-switch-network-backend "bridge"

Thanks,
Jayapal

RE: Problems with Security Groups over CloudStack 4.0.1 with XenServer 6.0.2 and Basic Zone

Posted by Jayapal Reddy Uradi <ja...@citrix.com>.
Did you run the following command in xenserver as part of host setup?
xe-switch-network-backend "bridge"

Thanks,
Jayapal
-----Original Message-----
From: Ignazio Cassano [mailto:ignaziocassano@gmail.com] 
Sent: Friday, 5 April 2013 5:35 AM
To: users@cloudstack.apache.org; Sergio Tonani
Subject: Re: Problems with Security Groups over CloudStack 4.0.1 with XenServer 6.0.2 and Basic Zone

Hi Sergio, I suggest using Advanced Zones instead of Basic.
I do not know CS4 very well, but in previous versions Advanced zones have a lot of features.
Bye
Ignazio
PS (let me know how this new version is)



Re: Problems with Security Groups over CloudStack 4.0.1 with XenServer 6.0.2 and Basic Zone

Posted by Ignazio Cassano <ig...@gmail.com>.
Hi Sergio, I suggest using Advanced Zones instead of Basic.
I do not know CS4 very well, but in previous versions Advanced zones have a
lot of features.
Bye
Ignazio
PS (let me know how this new version is)



Re: Problems with Security Groups over CloudStack 4.0.1 with XenServer 6.0.2 and Basic Zone

Posted by Ahmad Emneina <ae...@gmail.com>.
Have you changed the networking backend on XenServer to bridged mode?

> (DirectAgent-214:null) Not retrying security group rules for vm 13 on failure
> since host 8 cannot do bridge firewalling

This line is why I ask.


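The log lines quoted in this thread say that the rules for vm 13 were not programmed on host 8 and will not be retried, which is worth detecting directly from management-server.log. The following is an added example, not part of any post in the thread and not CloudStack code: it re-joins wrapped log records, decodes each SecurityGroupRuleAnswer, and lists the VMs whose rule programming failed or was abandoned. The function names are hypothetical, and the sample log is constructed from the excerpt in the original post.

```python
import json
import re

# Constructed sample: records from the log excerpt in this thread, mail line wraps kept.
SAMPLE_LOG = """\
2013-04-04 15:02:03,612 DEBUG [agent.transport.Request] (DirectAgent-214:null)
Seq 8-949355071: Processing: { Ans: , MgmtId: 218022145849384, via: 8, Ver: v1,
Flags: 110,
[{"SecurityGroupRuleAnswer":{"logSequenceNumber":1,"vmId":13,"reason":"CANNOT_BRIDGE_FIREWALL","result":false,"details":"Host
10.102.90.3 cannot do bridge firewalling","wait":0}}] }
2013-04-04 15:02:03,615 DEBUG [network.security.SecurityGroupListener]
(DirectAgent-214:null) Not retrying security group rules for vm 13 on failure
since host 8 cannot do bridge firewalling
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
NOT_RETRYING = re.compile(
    r"Not retrying security group rules for vm (\d+) on failure since host (\d+)")

def records(log_text):
    """Re-join wrapped lines: a record runs until the next timestamped line."""
    joined = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if RECORD_START.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    return joined

def failed_rule_answers(log_text):
    """Return one dict per SecurityGroupRuleAnswer whose result is false."""
    failures = []
    for record in records(log_text):
        start = record.find('[{"SecurityGroupRuleAnswer"')
        if start == -1:
            continue
        # raw_decode parses the JSON array and ignores the trailing " }" of the record.
        answers, _ = json.JSONDecoder().raw_decode(record, start)
        for wrapper in answers:
            answer = wrapper.get("SecurityGroupRuleAnswer", {})
            if answer.get("result") is False:
                failures.append({"time": record[:23], **answer})
    return failures

def abandoned_vms(log_text):
    """Map host id -> VM ids the listener says it will not retry."""
    hosts = {}
    for vm, host in NOT_RETRYING.findall(" ".join(records(log_text))):
        hosts.setdefault(int(host), set()).add(int(vm))
    return hosts
```
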