Posted to issues@cloudstack.apache.org by "Jayapal Reddy (JIRA)" <ji...@apache.org> on 2013/12/09 12:18:08 UTC

[jira] [Commented] (CLOUDSTACK-5403) Shared network - None of PF, LB rules work after router restart, firewall rules dropped from iptables post restart

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-5403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13843066#comment-13843066 ] 

Jayapal Reddy commented on CLOUDSTACK-5403:
-------------------------------------------

Hi,

From the logs it is observed that the server is not started by default. By default on VR the haproxy daemon should run and the pid file gets created.

Can you please make sure that with the Hyper-V router template there are no issues with the haproxy daemon start.


 SSH execution of command /root/loadbalancer.sh -i 10.102.195.178 -f /tmp/10_102_195_178.cfg -a 10.102.196.240:888:, -s 10.102.196.238:8081:0/0:,, has an error status code in return. result output: mv: cannot stat `/var/run/haproxy.pid': No such file or directory
cat: /var/run/haproxy.pid.old: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
[WARNING] 339/184353 (3747) : config : 'option forwardfor' ignored for proxy '10_102_196_240-888' as it requires HTTP mode.
[WARNING] 339/184353 (3747) : config : 'option forceclose' ignored for proxy '10_102_196_240-888' as it requires HTTP mode.
[ALERT] 339/184353 (3747) : Starting proxy 10_102_196_240-888: cannot bind socket
cat: /var/run/haproxy.pid.old: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
mv: cannot stat `/var/run/haproxy.pid.old': No such file or directory

2013-12-06 17:14:17,313 ERROR [c.c.h.h.r.HypervDirectConnectResource] (DirectAgent-398:ctx-fe77f054) LoadBalancerConfigCommand on domain router 10.102.195.178 failed. message: mv: cannot stat `/var/run/haproxy.pid': No such file or directory
cat: /var/run/haproxy.pid.old: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
[WARNING] 339/184353 (3747) : config : 'option forwardfor' ignored for proxy '10_102_196_240-888' as it requires HTTP mode.
[WARNING] 339/184353 (3747) : config : 'option forceclose' ignored for proxy '10_102_196_240-888' as it requires HTTP mode.
[ALERT] 339/184353 (3747) : Starting proxy 10_102_196_240-888: cannot bind socket
cat: /var/run/haproxy.pid.old: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
mv: cannot stat `/var/run/haproxy.pid.old': No such file or directory


> Shared network - None of PF, LB rules work after router restart, firewall rules dropped from iptables post restart
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5403
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5403
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server, Network Controller
>    Affects Versions: 4.3.0
>         Environment: Advanced zone, shared network on Hyper-V
>            Reporter: Sowmya Krishnan
>            Assignee: Devdeep Singh
>            Priority: Critical
>              Labels: hyper-V,
>             Fix For: 4.3.0
>
>         Attachments: iptables_after_restart.gz, iptables_before_restart.gz, restart_vr.log.gz, restart_vr_agent.log.log
>
>
> None of PF, LB or firewall rules work after router is restarted in shared network, advanced zone
> Steps:
> Create a shared network in advanced zone
> Acquire IP
> Create PF and corresponding Firewall rule
> Acquire another IP
> Create LB and corresponding Firewall rule
> Ensure all the rules work
> Restart router
> Check all rules
> Result:
> None of PF or LB rules work after router restart
> I've tested this only in Hyper-V so far. I'll update the bug in case I am able to test in any other hypervisor as well.
> The following rules are dropped from iptables FORWARD chain after restart:
> ACCEPT     tcp  --  anywhere             shareduser1vm1       state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
> ACCEPT     tcp  --  anywhere             shareduser1vm1       tcp dpt:http state NEW /* 10.102.196.239:888:888 */
> So also the firewall rules corresponding to the LB rule source ip
> The rules themselves exist in DB though:
> mysql> select * from firewall_rules;
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> | id | uuid                                 | ip_address_id | start_port | end_port | state  | protocol | purpose        | account_id | domain_id | network_id | xid                                  | created             | icmp_code | icmp_type | related | type | vpc_id | traffic_type |
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> |  1 | b9082345-8a3d-4f6d-9b64-3d2d98e65d2d |             5 |        888 |      888 | Active | tcp      | Firewall       |          4 |         2 |        205 | 5cf27b56-4d37-4ec1-bdf8-ede0407f0115 | 2013-12-06 06:51:40 |      NULL |      NULL |    NULL | User |   NULL | Ingress      |
> |  2 | 5b657e22-649a-4cd4-b23c-2416243f48ba |             5 |        888 |      888 | Active | tcp      | PortForwarding |          4 |         2 |        205 | aad0e89d-f0df-4ee2-949d-39f129a1383a | 2013-12-06 06:52:13 |      NULL |      NULL |    NULL | User |   NULL | NULL         |
> | 13 | 42f795f9-45e6-471f-9b17-4ce631a09531 |             6 |        888 |      888 | Active | tcp      | Firewall       |          4 |         2 |        205 | 0802945b-23b8-4b95-9441-f6b89e66d806 | 2013-12-06 11:27:08 |      NULL |      NULL |    NULL | User |   NULL | Ingress      |
> | 14 | 9f5aa3dd-b8e9-4193-b635-c5fd7e188f35 |             6 |        888 |      888 | Active | tcp      | LoadBalancing  |          4 |         2 |        205 | ef7067b9-38b3-4d42-b8ee-5bfe44a817fa | 2013-12-06 11:27:53 |      NULL |      NULL |    NULL | User |   NULL | NULL         |
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> 4 rows in set (0.00 sec)
> mysql> select * from load_balancing_rules;
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> | id | name     | description | default_port_start | default_port_end | algorithm  | source_ip_address | source_ip_address_network_id | scheme | lb_protocol |
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> | 14 | lbshared | NULL        |                 80 |               80 | roundrobin | NULL              |                         NULL | Public | NULL        |
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> 1 row in set (0.00 sec)
> mysql> select * from port_forwarding_rules;
> +----+-------------+-----------------+-----------------+---------------+
> | id | instance_id | dest_ip_address | dest_port_start | dest_port_end |
> +----+-------------+-----------------+-----------------+---------------+
> |  2 |           5 | 10.102.198.2    |              80 |            80 |
> +----+-------------+-----------------+-----------------+---------------+
> 1 row in set (0.00 sec)



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
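The error cascade in the log above (mv of `/var/run/haproxy.pid` fails, then cat of the `.old` file fails, then kill is invoked with no pid) is what happens when the reload steps run against a pid file that was never created because the daemon did not start. The POSIX sh functions below are an added example written for this thread, not CloudStack's own `loadbalancer.sh` or anything attached to the ticket: they classify the pid file before touching it, so a missing, empty or stale pid file is reported as such and the rotation step is skipped rather than failing half-way. The function names `haproxy_pid_status` and `safe_rotate_pid` are this example's own, and the pid file path is an argument (`/var/run/haproxy.pid` is only the path the log shows).

```shell
#!/bin/sh
# Added example, not CloudStack's loadbalancer.sh: inspect the haproxy pid file
# before rotating it, so a daemon that never started is reported as such
# instead of producing the mv/cat/kill error cascade seen in the log.
# The pid file path is passed in; /var/run/haproxy.pid is only the default
# the log shows, and the function names here are this example's own.

# haproxy_pid_status PID_FILE
# Prints exactly one word: missing, empty, stale or running.
# Returns 0 only when the pid file names a live process.
haproxy_pid_status() {
    pidfile=$1
    if [ ! -f "$pidfile" ]; then
        echo missing
        return 1
    fi
    # haproxy writes one pid per line; the first line is the process to signal.
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*)
            echo empty          # no pid, or something that is not a number
            return 1
            ;;
    esac
    # kill -0 sends no signal; it only checks that the pid exists and that we
    # may signal it. On the VR this runs as root, so EPERM is not a concern.
    if kill -0 "$pid" 2>/dev/null; then
        echo running
        return 0
    fi
    echo stale                  # file exists but the process is gone
    return 1
}

# safe_rotate_pid PID_FILE
# The step that failed in the log: move the pid file aside so the old pid can
# be signalled after the new instance starts. Only done when the file names a
# live process; otherwise nothing is touched and the caller should start fresh.
# Prints "rotated" or "skipped (<status>)".
safe_rotate_pid() {
    pidfile=$1
    status=$(haproxy_pid_status "$pidfile" || :)
    if [ "$status" = running ]; then
        mv "$pidfile" "$pidfile.old"
        echo rotated
        return 0
    fi
    echo "skipped ($status)"
    return 1
}

# Run directly: sh haproxy_pid_check.sh /var/run/haproxy.pid
if [ $# -gt 0 ]; then
    haproxy_pid_status "$1"
fi
```

Wiring this in front of the existing reload sequence turns the three unrelated errors in the log into a single "skipped (missing)" line, which is also a much better signal for the management server to act on than a failed `mv`: the reload should not be attempted at all when there is no daemon to reload, and the agent log then points straight at the daemon not having started on the template.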