Posted to dev@cloudstack.apache.org by Murali Reddy <Mu...@citrix.com> on 2012/10/16 16:57:38 UTC

[4.1 feature RFC] L4-L7 network services in shared network

CloudStack supports guest networks of type isolated and shared. While there is rich support of L4-L7 network services like firewall, NAT, LB in the isolated networks, similar network services are not available in the networks of shared type. While there are EIP and ELB services which provide NAT and LB service in the basic zone which uses shared network, there are no firewall, NAT, LB services available to the shared networks created in the advanced zone. For enterprise/private clouds and simple deployments it makes sense to enable L4-L7 services in the shared networks. I am proposing that CloudStack should enable L4-L7 network services in the shared networks created in the advanced zone. I opened a new feature request for the 4.1 release [1] and documented the functional requirements at [2]. Please comment.

[1] https://issues.apache.org/jira/browse/CLOUDSTACK-312
[2] https://cwiki.apache.org/confluence/display/CLOUDSTACK/L4-L7+network+services+in+shared+network

RE: Re:Re: kvm lacking of GetDomRVersionCmd implementation lead to deployVm fail.

Posted by Edison Su <Ed...@citrix.com>.
There is a hack: http://markmail.org/message/bf5pbgxxpcsx76zu

> -----Original Message-----
> From: coudstacks [mailto:cloudstacks@163.com]
> Sent: Wednesday, October 17, 2012 2:26 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re:Re: kvm lacking of GetDomRVersionCmd implementation lead to
> deployVm fail.
> 
> You are right. getDomRVersionCmd is implemented.
> But there is a problem in the debug environment. In my case (ant debug),
> user=root, and there is no 'developer=true' column in the configuration
> table. These two conditions will skip producing id_rsa.cloud, so ssh to
> the systemVM through the identity file always fails.
> I am not sure whether that's a particular or general case.
> Thanks.
> 
> 
> At 2012-10-17 00:39:25,"Marcus Sorensen" <sh...@gmail.com> wrote:
> >By the way, KVM doesn't lack GetDomRVersionCmd. It's in
> >core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java,
> >and it calls getDomRVersion, which runs router_proxy.sh (a script on
> >the host that will SSH into the router VM) to call
> >get_template_version.sh within the router.
> >
> >On Tue, Oct 16, 2012 at 10:30 AM, Marcus Sorensen <sh...@gmail.com> wrote:
> >> I have generally only seen the getDomRVersionCmd fail followed by
> >> stopping the vm if it can't ssh into the system VM to run the command.
> >> I am sure this is a general symptom of failing to set up or
> >> communicate with the virtual router rather than an actual issue
> >> related to getting the domr version.
> >>
> >> You should see if you can ssh into the router when it's in the running
> >> state, but before cloudstack sends a stop. In the past I have
> >> accomplished this by stopping the cloud-agent before it issues a
> >> stopcommand.
> >>
> >> Which version are you running? There have been several fixes in the
> >> past month or two to try to make the cloud ssh key copy over more
> >> reliably.
> >>
> >> On Tue, Oct 16, 2012 at 9:50 AM,  <cl...@163.com> wrote:
> >>> I am tracing this problem, but I want to ask about it first.
> >>>
> >>> 1. What is it used for? What kind of data does it return when
> >>> GetDomRVersionCmd is launched, if I write the missing parts?
> >>>
> >>> Right now I only know that when a new routerVM is created (which
> >>> happens when a new userVM is created), because of the missing
> >>> GetDomRVersionCmd its answer result is false, which leads to a
> >>> stopcommand being sent to stop this VM, although the VM is actually
> >>> in the running state now.
> >>>
> >>> 2. Is GetDomRVersionCmd related to the router only, or to other kinds of VM?
> >>>
> >>> Why do secondarystorageVm and consoleVm succeed in deploying?
> >>>
> >>> Thanks

Re:Re: kvm lacking of GetDomRVersionCmd implementation lead to deployVm fail.

Posted by coudstacks <cl...@163.com>.
You are right. getDomRVersionCmd is implemented.
But there is a problem in the debug environment. In my case (ant debug), user=root, and there is no 'developer=true' column in the configuration table. These two conditions will skip producing id_rsa.cloud, so ssh to the systemVM through the identity file always fails.
I am not sure whether that's a particular or general case.
Thanks.

At 2012-10-17 00:39:25,"Marcus Sorensen" <sh...@gmail.com> wrote:
>By the way, KVM doesn't lack GetDomRVersionCmd. It's in
>core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java,
>and it calls getDomRVersion, which runs router_proxy.sh (a script on
>the host that will SSH into the router VM) to call
>get_template_version.sh within the router.
>
>On Tue, Oct 16, 2012 at 10:30 AM, Marcus Sorensen <sh...@gmail.com> wrote:
>> I have generally only seen the getDomRVersionCmd fail followed by
>> stopping the vm if it can't ssh into the system VM to run the command.
>> I am sure this is a general symptom of failing to set up or
>> communicate with the virtual router rather than an actual issue
>> related to getting the domr version.
>>
>> You should see if you can ssh into the router when it's in the running
>> state, but before cloudstack sends a stop. In the past I have
>> accomplished this by stopping the cloud-agent before it issues a
>> stopcommand.
>>
>> Which version are you running? There have been several fixes in the
>> past month or two to try to make the cloud ssh key copy over more
>> reliably.
>>
>> On Tue, Oct 16, 2012 at 9:50 AM,  <cl...@163.com> wrote:
>>> I am tracing this problem, but I want to ask about it first.
>>>
>>> 1. What is it used for? What kind of data does it return when GetDomRVersionCmd is launched, if I write the missing parts?
>>>
>>> Right now I only know that when a new routerVM is created (which happens when a new userVM is created), because of the missing GetDomRVersionCmd its answer result is false, which leads to a stopcommand being sent to stop this VM, although the VM is actually in the running state now.
>>>
>>> 2. Is GetDomRVersionCmd related to the router only, or to other kinds of VM?
>>>
>>> Why do secondarystorageVm and consoleVm succeed in deploying?
>>>
>>> Thanks

Re: kvm lacking of GetDomRVersionCmd implementation lead to deployVm fail.

Posted by Marcus Sorensen <sh...@gmail.com>.
By the way, KVM doesn't lack GetDomRVersionCmd. It's in
core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java,
and it calls getDomRVersion, which runs router_proxy.sh (a script on
the host that will SSH into the router VM) to call
get_template_version.sh within the router.

On Tue, Oct 16, 2012 at 10:30 AM, Marcus Sorensen <sh...@gmail.com> wrote:
> I have generally only seen the getDomRVersionCmd fail followed by
> stopping the vm if it can't ssh into the system VM to run the command.
> I am sure this is a general symptom of failing to set up or
> communicate with the virtual router rather than an actual issue
> related to getting the domr version.
>
> You should see if you can ssh into the router when it's in the running
> state, but before cloudstack sends a stop. In the past I have
> accomplished this by stopping the cloud-agent before it issues a
> stopcommand.
>
> Which version are you running? There have been several fixes in the
> past month or two to try to make the cloud ssh key copy over more
> reliably.
>
> On Tue, Oct 16, 2012 at 9:50 AM,  <cl...@163.com> wrote:
>> I am tracing this problem, but I want to ask about it first.
>>
>> 1. What is it used for? What kind of data does it return when GetDomRVersionCmd is launched, if I write the missing parts?
>>
>> Right now I only know that when a new routerVM is created (which happens when a new userVM is created), because of the missing GetDomRVersionCmd its answer result is false, which leads to a stopcommand being sent to stop this VM, although the VM is actually in the running state now.
>>
>> 2. Is GetDomRVersionCmd related to the router only, or to other kinds of VM?
>>
>> Why do secondarystorageVm and consoleVm succeed in deploying?
>>
>> Thanks

Re: kvm lacking of GetDomRVersionCmd implementation lead to deployVm fail.

Posted by Marcus Sorensen <sh...@gmail.com>.
I have generally only seen the getDomRVersionCmd fail followed by
stopping the vm if it can't ssh into the system VM to run the command.
I am sure this is a general symptom of failing to set up or
communicate with the virtual router rather than an actual issue
related to getting the domr version.

You should see if you can ssh into the router when it's in the running
state, but before cloudstack sends a stop. In the past I have
accomplished this by stopping the cloud-agent before it issues a
stopcommand.

Which version are you running? There have been several fixes in the
past month or two to try to make the cloud ssh key copy over more
reliably.

On Tue, Oct 16, 2012 at 9:50 AM,  <cl...@163.com> wrote:
> I am tracing this problem, but I want to ask about it first.
>
> 1. What is it used for? What kind of data does it return when GetDomRVersionCmd is launched, if I write the missing parts?
>
> Right now I only know that when a new routerVM is created (which happens when a new userVM is created), because of the missing GetDomRVersionCmd its answer result is false, which leads to a stopcommand being sent to stop this VM, although the VM is actually in the running state now.
>
> 2. Is GetDomRVersionCmd related to the router only, or to other kinds of VM?
>
> Why do secondarystorageVm and consoleVm succeed in deploying?
>
> Thanks

kvm lacking of GetDomRVersionCmd implementation lead to deployVm fail.

Posted by cl...@163.com.
I am tracing this problem, but I want to ask about it first.

1. What is it used for? What kind of data does it return when GetDomRVersionCmd is launched, if I write the missing parts?

Right now I only know that when a new routerVM is created (which happens when a new userVM is created), because of the missing GetDomRVersionCmd its answer result is false, which leads to a stopcommand being sent to stop this VM, although the VM is actually in the running state now.

2. Is GetDomRVersionCmd related to the router only, or to other kinds of VM?

Why do secondarystorageVm and consoleVm succeed in deploying?

Thanks

Re: [4.1 feature RFC] L4-L7 network services in shared network

Posted by Alena Prokharchyk <Al...@citrix.com>.
Murali, I've added some comments inline, please review.


On 10/17/12 8:56 AM, "Venkata SwamyBabu Budumuru"
<ve...@citrix.com> wrote:

>Hi,
>
>Here is my list of comments/queries after reviewing the FS.
>
>(1) When the shared n/w scope is set to "domain/project", how does the
>external device allocation happen? Is it going to be dedicated to
>domain/project if we select "dedicated" during n/w offering creation? I
>have this question because in case of isolated we dedicate devices to
>account.
>(2) how does network GC happen? What happens in the following cases
>	(a) Do we GC the VR when the shared network is just enabled with DNS,
>DHCP but no L4-L7 features with external devices?
>	(b) Do we GC the VR when the shared network is enabled with all the
>services including L4-L7 features with external devices?


We never do GC for Shared networks, only for Isolated. And we should keep
this logic.


>(3) I have a question about the following line mentioned in FS.
>	" listPublicIpAddresses API shall be enhanced to take network ID
>corresponding to the shared network in the advanced zone. When listAll
>API parameter is set to true, API shall return list of the public IP's
>associated with the network which caller is authorised to see."

Murali, we already have a parameter for this in listPublicIpAddresses,
called "associatedNetworkId". This is the id of the network the ip address is
associated with. Please re-use this one, just make sure it accepts the Id of
the Shared network.

>
>	(a)	What else is the caller (non-cloud-admin) authorized to see
>apart from what his account owns?
>	(b)	Does this list the sourceNAT IP?
>(4) Since the shared n/w is used by multiple accounts, who is allowed to
>call "restartNetwork"? Is it only allowed by admin/normal accounts/
>(domain admins in case where shared n/w scope is "domain")

>(5) Any differences between restartNetwork with cleanup=true and false?

Yes, there is a diff. When cleanup=true, restart network does:

* delete current network rules
* shutdown network elements
* implement network elements
* re-apply the rules

When cleanup=false, the first 2 steps are skipped. In the past we didn't
allow cleanup to be true for Shared networks, but Rohit did some changes
in this area (I'm yet to submit his code to master). So cleanup=true can
be passed for all types of networks now.

>(6) Any support for offering upgrades? Like upgrade from an offering
>using F5 to an offering using NetScaler as LB provider?

I don't think we should support network offering upgrade for Shared
networks.

>(7) Any plans to support a different public pool for shared n/w's apart
>from what we define at zone level during creation?

We shouldn't divide the pool based on the network type this public ip
address can be possibly associated with.

>
>Thanks,
>SWAMY
>
>-----Original Message-----
>From: Murali Reddy [mailto:Murali.Reddy@citrix.com]
>Sent: Tuesday, October 16, 2012 8:28 PM
>To: cloudstack-dev@incubator.apache.org
>Subject: [4.1 feature RFC] L4-L7 network services in shared network
>
>CloudStack supports guest networks of type isolated and shared. While
>there is rich support of L4-L7 network services like firewall, NAT, LB in
>the isolated networks, similar network services are not available in the
>networks of shared type. While there are EIP and ELB services which
>provide NAT and LB service in the basic zone which uses shared network,
>there are no firewall, NAT, LB services available to the shared networks
>created in the advanced zone. For enterprise/private clouds and simple
>deployments it makes sense to enable L4-L7 services in the shared
>networks. I am proposing that CloudStack should enable L4-L7 network
>services in the shared networks created in the advanced zone. I opened a
>new feature request for the 4.1 release [1] and documented the functional
>requirements at [2]. Please comment.
>
>[1] https://issues.apache.org/jira/browse/CLOUDSTACK-312
>[2] https://cwiki.apache.org/confluence/display/CLOUDSTACK/L4-L7+network+services+in+shared+network
>



RE: [4.1 feature RFC] L4-L7 network services in shared network

Posted by Venkata SwamyBabu Budumuru <ve...@citrix.com>.
Hi,

Here is my list of comments/queries after reviewing the FS.

(1) When the shared n/w scope is set to "domain/project", how does the external device allocation happen? Is it going to be dedicated to domain/project if we select "dedicated" during n/w offering creation? I have this question because in case of isolated we dedicate devices to account.
(2) how does network GC happen? What happens in the following cases
	(a) Do we GC the VR when the shared network is just enabled with DNS, DHCP but no L4-L7 features with external devices?
	(b) Do we GC the VR when the shared network is enabled with all the services including L4-L7 features with external devices?
(3) I have a question about the following line mentioned in FS.
	" listPublicIpAddresses API shall be enhanced to take network ID corresponding to the shared network in the advanced zone. When listAll API parameter is set to true, API shall return list of the public IP's associated with the network which caller is authorised to see."

	(a)	What else is the caller (non-cloud-admin) authorized to see apart from what his account owns?
	(b)	Does this list the sourceNAT IP?
(4) Since the shared n/w is used by multiple accounts, who is allowed to call "restartNetwork"? Is it only allowed by admin/normal accounts/ (domain admins in case where shared n/w scope is "domain")
(5) Any differences between restartNetwork with cleanup=true and false?
(6) Any support for offering upgrades? Like upgrade from an offering using F5 to an offering using NetScaler as LB provider?
(7) Any plans to support a different public pool for shared n/w's apart from what we define at zone level during creation?

Thanks,
SWAMY

-----Original Message-----
From: Murali Reddy [mailto:Murali.Reddy@citrix.com] 
Sent: Tuesday, October 16, 2012 8:28 PM
To: cloudstack-dev@incubator.apache.org
Subject: [4.1 feature RFC] L4-L7 network services in shared network

CloudStack supports guest networks of type isolated and shared. While there is rich support of L4-L7 network services like firewall, NAT, LB in the isolated networks, similar network services are not available in the networks of shared type. While there are EIP and ELB services which provide NAT and LB service in the basic zone which uses shared network, there are no firewall, NAT, LB services available to the shared networks created in the advanced zone. For enterprise/private clouds and simple deployments it makes sense to enable L4-L7 services in the shared networks. I am proposing that CloudStack should enable L4-L7 network services in the shared networks created in the advanced zone. I opened a new feature request for the 4.1 release [1] and documented the functional requirements at [2]. Please comment.

[1] https://issues.apache.org/jira/browse/CLOUDSTACK-312
[2] https://cwiki.apache.org/confluence/display/CLOUDSTACK/L4-L7+network+services+in+shared+network

Re: [4.1 feature RFC] L4-L7 network services in shared network

Posted by Murali Reddy <Mu...@citrix.com>.
Checked this feature into master with the following commits:

    7fcfcdf91e49d64375171c9ae7fe61067aa59b6e
    d4c604cfd8ec6b385de7abf694a936e89add0f38
    6657246cd44629c30e6ea21cc4bbd43a42788e12
    0de5a145e4f06420a4eb1867309af674c16ace7c
    28bbf6c52798c9bd298952844250fbc3cb92dce0

Now with this feature, one can enable PF/LB/Source and Static NAT/Firewall
services in the shared networks as well.

I have unit-tested the following service combinations:

- FW + PF + Source NAT
- FW + Source NAT 
- FW + LB + Source NAT
- Source NAT +LB 

Also unit-tested the service provider combinations below:

- Virtual Router providing DNS, DHCP, Firewall, LB, PF, Source Nat services
- VR providing DNS, DHCP services and SRX providing Firewall/NAT/PF
services
- VR providing DNS, DHCP services, SRX providing Firewall/NAT/PF services
and NetScaler providing LB service.

This is only a framework level change, so there is no expectation of a
specific network service provider. All the combinations of network services
and network service providers that are possible in 'isolated' networks are
possible with 'Shared' networks as well. This feature only enables services
in the shared network in the advanced zone.

On 16/10/12 8:27 PM, "Murali Reddy" <Mu...@citrix.com> wrote:

>CloudStack supports guest networks of type isolated and shared. While
>there is rich support of L4-L7 network services like firewall, NAT, LB in
>the isolated networks, similar network services are not available in the
>networks of shared type. While there are EIP and ELB services which
>provide NAT and LB service in the basic zone which uses shared network,
>there are no firewall, NAT, LB services available to the shared networks
>created in the advanced zone. For enterprise/private clouds and simple
>deployments it makes sense to enable L4-L7 services in the shared
>networks. I am proposing that CloudStack should enable L4-L7 network
>services in the shared networks created in the advanced zone. I opened a
>new feature request for the 4.1 release [1] and documented the functional
>requirements at [2]. Please comment.
>
>[1] https://issues.apache.org/jira/browse/CLOUDSTACK-312
>[2] https://cwiki.apache.org/confluence/display/CLOUDSTACK/L4-L7+network+services+in+shared+network
>