Posted to users@cloudstack.apache.org by Bjoern Teipel <bj...@internetbrands.com> on 2013/10/14 10:03:10 UTC

Creating advanced network

Hi Guys,

I wanted to set up an advanced zone with security groups and saw this
exception in the log while I was configuring the networks.
What does that mean, what are the limitations from an advanced zone + SG ?

ERROR [cloud.async.AsyncJobManagerImpl] (Job-Executor-23:job-23 = [ 
7c7e4264-721d-448b-8a75-b68ffeb52d56 ]) Unexpected exception while 
executing 
org.apache.cloudstack.api.command.admin.network.UpdatePhysicalNetworkCmd
com.cloud.exception.InvalidParameterValueException: Can't add vnet range 
to the physical network in the zone that supports Advanced network, 
Security Group enabled: true
         at 
com.cloud.network.NetworkServiceImpl.updatePhysicalNetwork(NetworkServiceImpl.java:2527)
         at 
com.cloud.utils.component.ComponentInstantiationPostProcessor$InterceptorDispatcher.intercept(ComponentInstantiationPostProcessor.java:125)
         at 
org.apache.cloudstack.api.command.admin.network.UpdatePhysicalNetworkCmd.execute(UpdatePhysicalNetworkCmd.java:98)
         at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:158)
         at 
com.cloud.async.AsyncJobManagerImpl$1.run(AsyncJobManagerImpl.java:531)
         at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
         at 
java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
         at java.util.concurrent.FutureTask.run(FutureTask.java:166)
         at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
         at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
         at java.lang.Thread.run(Thread.java:679)

Also I tagged the cloudstack storage network (specified VLAN ID in the
wizard) but I see the interfaces are bound to cloudbr0 as opposed to
brxxx-VLANID
Does the storage network need to be untagged ?

Also is it true the guest network is the public network ? That confuses
me a little bit since I configured an internal IP range but now I can't
see how/where to configure the external/public IP.

Thanks in advance,
Bjoern


Re: Creating advanced network

Posted by "Teipel, Bjoern" <bj...@internetbrands.com>.
My problem is that I also want to integrate an F5 load balancer, so I'm stuck with advanced mode. Also, I don't like that VMs have public IPs by default in basic mode.

Bjoern

On Oct 18, 2013, at 6:22 AM, "Murali Reddy" <Mu...@citrix.com> wrote:

> Bjoern,
>
> Sorry, that commit only fixes part of the problem. Still there are two more issues (source NAT and SG + source NAT combination is not permitted and public traffic type is not allowed in security group based shared network). I opened a feature enhancement CLOUDSTACK-4891 bug for this issue.
>
> You may want to try basic zone model of CloudStack which provides security group based L3 isolation with EIP(1:1 NAT) & ELB services with NetScaler.
>
> Thanks,
> Murali



Re: Creating advanced network

Posted by Murali Reddy <Mu...@citrix.com>.
Bjoern,

Sorry, that commit only fixes part of the problem. Still there are two more issues (source NAT and SG + source NAT combination is not permitted and public traffic type is not allowed in security group based shared network). I opened a feature enhancement CLOUDSTACK-4891 bug for this issue.

You may want to try basic zone model of CloudStack which provides security group based L3 isolation with EIP(1:1 NAT) & ELB services with NetScaler.

Thanks,
Murali

> From: Bjoern Teipel <bj...@internetbrands.com>
> Reply-To: "users@cloudstack.apache.org" <us...@cloudstack.apache.org>
> Date: Thursday, 17 October 2013 10:29 AM
> To: "users@cloudstack.apache.org" <us...@cloudstack.apache.org>
> Subject: Re: Creating advanced network
>
> Hi Murali,
>
> I saw your git commits. I now want to compile your changes into our source code. Do I need just the one for 4.2 or also the master commits:
>
> Commit 4d07493a5e6e13462b80ba09c3535fa4af0ebdc7 in branch refs/heads/4.2 from Murali Reddy
>
> <https://issues.apache.org/jira/browse/CLOUDSTACK-4717#>
> ASF subversion and git services added a comment - Today 06:18
>
> Commit df3b09944968718111d9b6b29d4c7f5a5cfaf630 in branch refs/heads/master from Murali Reddy
>
> <https://issues.apache.org/jira/browse/CLOUDSTACK-4717#>
> ASF subversion and git services added a comment - Today 14:45
>
> Commit df3b09944968718111d9b6b29d4c7f5a5cfaf630 in branch refs/heads/ui-restyle from Murali Reddy
>
> Thanks,
> Bjoern




Re: Creating advanced network

Posted by Bjoern Teipel <bj...@internetbrands.com>.
Hi Murali,

I saw your git commits. I now want to compile your changes into our
source code. Do I need just the one for 4.2 or also the master commits:

Commit 4d07493a5e6e13462b80ba09c3535fa4af0ebdc7 in branch refs/heads/4.2
from Murali Reddy

<https://issues.apache.org/jira/browse/CLOUDSTACK-4717#>
ASF subversion and git services added a comment - Today 06:18

Commit df3b09944968718111d9b6b29d4c7f5a5cfaf630 in branch
refs/heads/master from Murali Reddy

<https://issues.apache.org/jira/browse/CLOUDSTACK-4717#>
ASF subversion and git services added a comment - Today 14:45

Commit df3b09944968718111d9b6b29d4c7f5a5cfaf630 in branch
refs/heads/ui-restyle from Murali Reddy


Thanks,
Bjoern

On 10/16/2013 2:35 AM, Murali Reddy wrote:
> On 16/10/13 12:23 PM, "Bjoern Teipel" <bj...@internetbrands.com>
> wrote:
>
>> Murali,
>>
>> That would be great if you're right. But I'm now in a dead lock:
>>
>> Adding new network offering including LB:
>>
>> 2013-10-15 23:34:50,920 WARN [network.element.VirtualRouterElement]
>> (catalina-exec-19:null) Virtual router can't enable services [Dns Dhcp
>> UserData Lb ] without source NAT service
>> 2013-10-15 23:34:50,924 ERROR [cloud.api.ApiServer]
>> (catalina-exec-19:null) unhandled exception executing api command:
>> createNetworkOffering
>> com.cloud.exception.UnsupportedServiceException: Provider VirtualRouter
>> doesn't support services combination: [Dns, Dhcp, UserData, Lb]
>>
>> That forces me to add source nat, but once I want add a guest network in
>> the zone I get the opposite error. I can't mix SG + sourceNat
>>
>> 013-10-15 23:46:30,896 INFO  [cloud.api.ApiServer]
>> (catalina-exec-22:null) Service SourceNat is not allowed in security
>> group enabled zone
> First issue is know issue (CLOUDSTACK-4717) is getting addressed in 4.2.1.
> Not sure why source NAT should not be allowed in SG network. Sorry, this
> is indeed a dead lock situation. It does not look like you can use LB with
> in shared network with SG in advanced zone.
>
>> So no internal lb ?
>>
>> Thanks,
>> Bjoern
>>
>> On 10/15/2013 11:28 PM, Murali Reddy wrote:
>>> On 16/10/13 7:17 AM, "Bjoern Teipel" <bj...@internetbrands.com>
>>> wrote:
>>>
>>>> Wow, all user@cloudstack mails got catched in my spam filter, so sorry
>>>> for the late response.
>>>>
>>>> After tinkering the whole day I gave up using a tagged VLAN for the
>>>> storage traffic, seems not to work. It ignores the VID and doesn't
>>>> create the VLAN on the hypervisor.
>>>> I added the vlan to the hypervisor now and bound cloudbr1 to it and
>>>> using it untagged in cloudstack.
>>>> Finally all is up. :-)
>>>>
>>>> Now I was looking how to use a load balancer like the internal
>>>> cloudstack one or even the F5 and it seems it's not supported.
>>>> No cloudstack support for internal LB (the VR one) or F5 ? Really !!!
>>>> According to the advanced network and security groups specification (
>>>>
>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+o
>>>> n+
>>>> Security+Groups+in+Advance+zone)
>>>> AddF5LoadBalancerCmd api commands will just fail in SG enabled zone.
>>>> That's just a joke.
>>> 4.1 did not support PF/NAT/LB services in shared network. From 4.2, all
>>> network services are supported in shared network with or without SG so
>>> you
>>> should be able to use F5/VR/Netscaler for LB.
>>>
>>>> I'm really close to end the cloudstack adventure and move on with open
>>>> stack.
>>>> Having a shared network with SG and loadbalancer is not really a
>>>> uncommon solution
>>
>


Re: Creating advanced network

Posted by Murali Reddy <Mu...@citrix.com>.
On 16/10/13 12:23 PM, "Bjoern Teipel" <bj...@internetbrands.com>
wrote:

>Murali,
>
>That would be great if you're right. But I'm now in a dead lock:
>
>Adding new network offering including LB:
>
>2013-10-15 23:34:50,920 WARN [network.element.VirtualRouterElement]
>(catalina-exec-19:null) Virtual router can't enable services [Dns Dhcp
>UserData Lb ] without source NAT service
>2013-10-15 23:34:50,924 ERROR [cloud.api.ApiServer]
>(catalina-exec-19:null) unhandled exception executing api command:
>createNetworkOffering
>com.cloud.exception.UnsupportedServiceException: Provider VirtualRouter
>doesn't support services combination: [Dns, Dhcp, UserData, Lb]
>
>That forces me to add source nat, but once I want add a guest network in
>the zone I get the opposite error. I can't mix SG + sourceNat
>
>013-10-15 23:46:30,896 INFO  [cloud.api.ApiServer]
>(catalina-exec-22:null) Service SourceNat is not allowed in security
>group enabled zone

First issue is a known issue (CLOUDSTACK-4717) and is getting addressed in 4.2.1.
Not sure why source NAT should not be allowed in SG network. Sorry, this
is indeed a deadlock situation. It does not look like you can use LB
within shared network with SG in advanced zone.

>
>So no internal lb ?
>
>Thanks,
>Bjoern
>
>On 10/15/2013 11:28 PM, Murali Reddy wrote:
>> On 16/10/13 7:17 AM, "Bjoern Teipel" <bj...@internetbrands.com>
>> wrote:
>>
>>> Wow, all user@cloudstack mails got catched in my spam filter, so sorry
>>> for the late response.
>>>
>>> After tinkering the whole day I gave up using a tagged VLAN for the
>>> storage traffic, seems not to work. It ignores the VID and doesn't
>>> create the VLAN on the hypervisor.
>>> I added the vlan to the hypervisor now and bound cloudbr1 to it and
>>> using it untagged in cloudstack.
>>> Finally all is up. :-)
>>>
>>> Now I was looking how to use a load balancer like the internal
>>> cloudstack one or even the F5 and it seems it's not supported.
>>> No cloudstack support for internal LB (the VR one) or F5 ? Really !!!
>>> According to the advanced network and security groups specification (
>>> 
>>>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+o
>>>n+
>>> Security+Groups+in+Advance+zone)
>>> AddF5LoadBalancerCmd api commands will just fail in SG enabled zone.
>>> That's just a joke.
>> 4.1 did not support PF/NAT/LB services in shared network. From 4.2, all
>> network services are supported in shared network with or without SG so
>>you
>> should be able to use F5/VR/Netscaler for LB.
>>
>>> I'm really close to end the cloudstack adventure and move on with open
>>> stack.
>>> Having a shared network with SG and loadbalancer is not really a
>>> uncommon solution
>>
>
>



Re: Creating advanced network

Posted by Bjoern Teipel <bj...@internetbrands.com>.
Murali,

That would be great if you're right. But I'm now in a deadlock:

Adding new network offering including LB:

2013-10-15 23:34:50,920 WARN [network.element.VirtualRouterElement] 
(catalina-exec-19:null) Virtual router can't enable services [Dns Dhcp 
UserData Lb ] without source NAT service
2013-10-15 23:34:50,924 ERROR [cloud.api.ApiServer] 
(catalina-exec-19:null) unhandled exception executing api command: 
createNetworkOffering
com.cloud.exception.UnsupportedServiceException: Provider VirtualRouter 
doesn't support services combination: [Dns, Dhcp, UserData, Lb]

That forces me to add source NAT, but once I want to add a guest network in
the zone I get the opposite error. I can't mix SG + sourceNat

013-10-15 23:46:30,896 INFO  [cloud.api.ApiServer] 
(catalina-exec-22:null) Service SourceNat is not allowed in security 
group enabled zone

So no internal lb ?

Thanks,
Bjoern

On 10/15/2013 11:28 PM, Murali Reddy wrote:
> On 16/10/13 7:17 AM, "Bjoern Teipel" <bj...@internetbrands.com>
> wrote:
>
>> Wow, all user@cloudstack mails got catched in my spam filter, so sorry
>> for the late response.
>>
>> After tinkering the whole day I gave up using a tagged VLAN for the
>> storage traffic, seems not to work. It ignores the VID and doesn't
>> create the VLAN on the hypervisor.
>> I added the vlan to the hypervisor now and bound cloudbr1 to it and
>> using it untagged in cloudstack.
>> Finally all is up. :-)
>>
>> Now I was looking how to use a load balancer like the internal
>> cloudstack one or even the F5 and it seems it's not supported.
>> No cloudstack support for internal LB (the VR one) or F5 ? Really !!!
>> According to the advanced network and security groups specification (
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+
>> Security+Groups+in+Advance+zone)
>> AddF5LoadBalancerCmd api commands will just fail in SG enabled zone.
>> That's just a joke.
> 4.1 did not support PF/NAT/LB services in shared network. From 4.2, all
> network services are supported in shared network with or without SG so you
> should be able to use F5/VR/Netscaler for LB.
>
>> I'm really close to end the cloudstack adventure and move on with open
>> stack.
>> Having a shared network with SG and loadbalancer is not really a
>> uncommon solution
>


Re: Creating advanced network

Posted by Murali Reddy <Mu...@citrix.com>.
On 16/10/13 7:17 AM, "Bjoern Teipel" <bj...@internetbrands.com>
wrote:

>Wow, all user@cloudstack mails got catched in my spam filter, so sorry
>for the late response.
>
>After tinkering the whole day I gave up using a tagged VLAN for the
>storage traffic, seems not to work. It ignores the VID and doesn't
>create the VLAN on the hypervisor.
>I added the vlan to the hypervisor now and bound cloudbr1 to it and
>using it untagged in cloudstack.
>Finally all is up. :-)
>
>Now I was looking how to use a load balancer like the internal
>cloudstack one or even the F5 and it seems it's not supported.
>No cloudstack support for internal LB (the VR one) or F5 ? Really !!!
>According to the advanced network and security groups specification (
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+
>Security+Groups+in+Advance+zone)
>AddF5LoadBalancerCmd api commands will just fail in SG enabled zone.
>That's just a joke.

4.1 did not support PF/NAT/LB services in shared network. From 4.2, all
network services are supported in shared network with or without SG so you
should be able to use F5/VR/Netscaler for LB.

>
>I'm really close to end the cloudstack adventure and move on with open
>stack.
>Having a shared network with SG and loadbalancer is not really a
>uncommon solution



Re: Creating advanced network

Posted by Bjoern Teipel <bj...@internetbrands.com>.
Wow, all user@cloudstack mails got caught in my spam filter, so sorry
for the late response.

After tinkering the whole day I gave up using a tagged VLAN for the 
storage traffic, seems not to work. It ignores the VID and doesn't 
create the VLAN on the hypervisor.
I added the VLAN to the hypervisor now and bound cloudbr1 to it and
am using it untagged in cloudstack.
Finally all is up. :-)

Now I was looking how to use a load balancer like the internal 
cloudstack one or even the F5 and it seems it's not supported.
No cloudstack support for internal LB (the VR one) or F5 ? Really !!!
According to the advanced network and security groups specification ( 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone) 
AddF5LoadBalancerCmd api commands will just fail in SG enabled zone. 
That's just a joke.

I'm really close to ending the cloudstack adventure and moving on with
OpenStack.
Having a shared network with SG and a load balancer is not really an
uncommon solution

Thanks,
Bjoern


On 10/14/2013 11:09 AM, motty cruz wrote:
> Hello Bjoern,
>
> I'm not an expert with Cloudstack, but I will share my limited knowledge.
> Guest traffic
> This is the network traffic generated by the communication between the guest
> VMs. This traffic flows over the guest network and it can be shared or
> isolated.
>
> I have Cloudstack 4.1 installed configured with Advance networking, my
> hypervisor has two network interfaces on for private (management/storage)
> one for public (public/guest) network
>
> private interface eth1 bridge to cloudbr1
> public interface eth0 bridge to cloudbr0
>    guest vlan eth0.100  (10.1.1.0/24 CIDR)
>
> my setup is partially working, I can create instances but can't ping my
> virtual router, I'm in the process as well,
> Thanks,
>
>
>
>
> On Mon, Oct 14, 2013 at 10:45 AM, Bjoern Teipel <
> bjoern.teipel@internetbrands.com> wrote:
>
>> Who can help me here ?
>> Right now the biggest issue for me  are the last questions.
>>
>>
>>
>>
>> On 10/14/2013 01:03 AM, Bjoern Teipel wrote:
>>
>>> Hi Guys,
>>>
>>> I wanted to setup a advanced zone with security groups and saw this
>>> exceptions in the log while I was configuring the networks.
>>> What does that mean, what are the limitations from a advanced zone + SG ?
>>>
>>> ERROR [cloud.async.AsyncJobManagerImpl] (Job-Executor-23:job-23 = [
>>> 7c7e4264-721d-448b-8a75-b68ffeb52d56 ]) Unexpected exception while
>>> executing org.apache.cloudstack.api.command.admin.network.UpdatePhysicalNetworkCmd
>>> com.cloud.exception.InvalidParameterValueException: Can't add vnet
>>> range to the physical network in the zone that supports Advanced network,
>>> Security Group enabled: true
>>>          at com.cloud.network.NetworkServiceImpl.updatePhysicalNetwork(NetworkServiceImpl.java:2527)
>>>          at com.cloud.utils.component.ComponentInstantiationPostProcessor$InterceptorDispatcher.intercept(ComponentInstantiationPostProcessor.java:125)
>>>          at org.apache.cloudstack.api.command.admin.network.UpdatePhysicalNetworkCmd.execute(UpdatePhysicalNetworkCmd.java:98)
>>>          at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:158)
>>>          at com.cloud.async.AsyncJobManagerImpl$1.run(AsyncJobManagerImpl.java:531)
>>>          at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>>>          at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
>>>          at java.util.concurrent.FutureTask.run(FutureTask.java:166)
>>>          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
>>>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>          at java.lang.Thread.run(Thread.java:679)
>>>
>>> Also I tagged the cloudstack storage network (specified Vlan ID in the
>>> wizard) but I see the interfaces are bound to cloudbr0 oppose to
>>> brxxx-VLANID
>>> Does the storage network need to be untagged ?
>>>
>>> Also is it true the guest network is the public network ? That confuses
>>> me a little bit since I configured a internal IP range but now I can't see
>>> how/where to configure the external/public IP.
>>>
>>> Thanks in advance,
>>> Bjoern
>>>
>>>


Re: Creating advanced network

Posted by motty cruz <mo...@gmail.com>.
Hello Bjoern,

I'm not an expert with Cloudstack, but I will share my limited knowledge.
Guest traffic
This is the network traffic generated by the communication between the guest
VMs. This traffic flows over the guest network and it can be shared or
isolated.

I have Cloudstack 4.1 installed, configured with Advance networking. My
hypervisor has two network interfaces: one for private (management/storage),
one for public (public/guest) network

private interface eth1 bridge to cloudbr1
public interface eth0 bridge to cloudbr0
  guest vlan eth0.100  (10.1.1.0/24 CIDR)

my setup is partially working, I can create instances but can't ping my
virtual router, I'm in the process as well,
Thanks,




On Mon, Oct 14, 2013 at 10:45 AM, Bjoern Teipel <
bjoern.teipel@internetbrands.com> wrote:

>
> Who can help me here ?
> Right now the biggest issue for me  are the last questions.
>
>
>
>
> On 10/14/2013 01:03 AM, Bjoern Teipel wrote:
>
>> Hi Guys,
>>
>> I wanted to setup a advanced zone with security groups and saw this
>> exceptions in the log while I was configuring the networks.
>> What does that mean, what are the limitations from a advanced zone + SG ?
>>
>> ERROR [cloud.async.AsyncJobManagerImpl] (Job-Executor-23:job-23 = [
>> 7c7e4264-721d-448b-8a75-b68ffeb52d56 ]) Unexpected exception while
>> executing org.apache.cloudstack.api.command.admin.network.UpdatePhysicalNetworkCmd
>> com.cloud.exception.InvalidParameterValueException: Can't add vnet
>> range to the physical network in the zone that supports Advanced network,
>> Security Group enabled: true
>>         at com.cloud.network.NetworkServiceImpl.updatePhysicalNetwork(NetworkServiceImpl.java:2527)
>>         at com.cloud.utils.component.ComponentInstantiationPostProcessor$InterceptorDispatcher.intercept(ComponentInstantiationPostProcessor.java:125)
>>         at org.apache.cloudstack.api.command.admin.network.UpdatePhysicalNetworkCmd.execute(UpdatePhysicalNetworkCmd.java:98)
>>         at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:158)
>>         at com.cloud.async.AsyncJobManagerImpl$1.run(AsyncJobManagerImpl.java:531)
>>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>>         at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
>>         at java.util.concurrent.FutureTask.run(FutureTask.java:166)
>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>         at java.lang.Thread.run(Thread.java:679)
>>
>> Also I tagged the cloudstack storage network (specified Vlan ID in the
>> wizard) but I see the interfaces are bound to cloudbr0 oppose to
>> brxxx-VLANID
>> Does the storage network need to be untagged ?
>>
>> Also is it true the guest network is the public network ? That confuses
>> me a little bit since I configured a internal IP range but now I can't see
>> how/where to configure the external/public IP.
>>
>> Thanks in advance,
>> Bjoern
>>
>>
>

Re: Creating advanced network

Posted by Bjoern Teipel <bj...@internetbrands.com>.
Who can help me here ?
Right now the biggest issue for me are the last questions.



On 10/14/2013 01:03 AM, Bjoern Teipel wrote:
> Hi Guys,
>
> I wanted to setup a advanced zone with security groups and saw this 
> exceptions in the log while I was configuring the networks.
> What does that mean, what are the limitations from a advanced zone + SG ?
>
> ERROR [cloud.async.AsyncJobManagerImpl] (Job-Executor-23:job-23 = [ 
> 7c7e4264-721d-448b-8a75-b68ffeb52d56 ]) Unexpected exception while 
> executing 
> org.apache.cloudstack.api.command.admin.network.UpdatePhysicalNetworkCmd
> com.cloud.exception.InvalidParameterValueException: Can't add vnet 
> range to the physical network in the zone that supports Advanced 
> network, Security Group enabled: true
>         at 
> com.cloud.network.NetworkServiceImpl.updatePhysicalNetwork(NetworkServiceImpl.java:2527)
>         at 
> com.cloud.utils.component.ComponentInstantiationPostProcessor$InterceptorDispatcher.intercept(ComponentInstantiationPostProcessor.java:125)
>         at 
> org.apache.cloudstack.api.command.admin.network.UpdatePhysicalNetworkCmd.execute(UpdatePhysicalNetworkCmd.java:98)
>         at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:158)
>         at 
> com.cloud.async.AsyncJobManagerImpl$1.run(AsyncJobManagerImpl.java:531)
>         at 
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>         at 
> java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:166)
>         at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
>         at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:679)
>
> Also I tagged the cloudstack storage network (specified Vlan ID in the 
> wizard) but I see the interfaces are bound to cloudbr0 oppose to 
> brxxx-VLANID
> Does the storage network need to be untagged ?
>
> Also is it true the guest network is the public network ? That 
> confuses me a little bit since I configured a internal IP range but 
> now I can't see how/where to configure the external/public IP.
>
> Thanks in advance,
> Bjoern
>