Posted to dev@cloudstack.apache.org by Glen Baars <gl...@onsitecomputers.com.au> on 2018/06/12 03:40:42 UTC

Cloudstack 4.11 - Ubuntu 16.04 Agent UFW firewall issues

Hello Devs,

When we deployed CloudStack 4.11.0 into production, we found that the UFW rules for the KVM host override the firewall rules set by the user in CloudStack. This prevented network access to the VMs on most ports.

We followed the guide on this page for the advanced zone – Ubuntu.
http://docs.cloudstack.apache.org/projects/cloudstack-installation/en/4.11/hypervisor/kvm.html

Disabling UFW on the KVM host fixed the issue but obviously not a great solution ☹

Is there any logging that would help? I have a spare server in the production cluster that I can test the issue on.
Kind regards,
Glen Baars
This e-mail is intended solely for the benefit of the addressee(s) and any other named recipient. It is confidential and may contain legally privileged or confidential information. If you are not the recipient, any use, distribution, disclosure or copying of this e-mail is prohibited. The confidentiality and legal privilege attached to this communication is not waived or lost by reason of the mistaken transmission or delivery to you. If you have received this e-mail in error, please notify us immediately.

RE: Cloudstack 4.11 - Ubuntu 16.04 Agent UFW firewall issues

Posted by Glen Baars <gl...@onsitecomputers.com.au>.
Hello Dag,

Sorry for the delay.

Advanced zone
public - cloudbr1
guest public - cloudbr1
management - cloudbr0
storage - cloudbr2

Each cloudbr is a Linux bond with two network cards.

Here is the cloudbr1 bonding config.

# The primary network interface
auto enp4s0f2
iface enp4s0f2 inet manual
    bond-master bond1

# The second network interface
auto enp4s0f3
iface enp4s0f3 inet manual
    bond-master bond1

auto bond1
iface bond1 inet manual
    bond-slaves enp4s0f2 enp4s0f3
    bond-mode 6
    bond-miimon 100

# CloudStack Client network
auto cloudbr1
iface cloudbr1 inet manual
    bridge_ports bond1
    bridge_fd 5
    bridge_stp off
    bridge_maxwait 1

Kind regards,
Glen Baars

T  1300 733 328
NZ +64 9280 3561
MOB +61 447 991 234


This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

-----Original Message-----
From: Dag Sonstebo <Da...@shapeblue.com>
Sent: Tuesday, 12 June 2018 3:52 PM
To: dev@cloudstack.apache.org
Subject: Re: Cloudstack 4.11 - Ubuntu 16.04 Agent UFW firewall issues

Hi Glen,

Are you using basic or advanced zone? How is your networking configured on your KVM host? My guess is you run guest traffic and management traffic on the same NICs?

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue

On 12/06/2018, 04:40, "Glen Baars" <gl...@onsitecomputers.com.au> wrote:

    Hello Devs,

    When we deployed CloudStack 4.11.0 into production, we found that the UFW rules for the KVM host override the firewall rules set by the user in CloudStack. This prevented network access to the VMs on most ports.

    We followed the guide on this page for the advanced zone – Ubuntu.
    http://docs.cloudstack.apache.org/projects/cloudstack-installation/en/4.11/hypervisor/kvm.html

    Disabling UFW on the KVM host fixed the issue but obviously not a great solution ☹

    Is there any logging that would help? I have a spare server in the production cluster that I can test the issue on.
    Kind regards,
    Glen Baars



Dag.Sonstebo@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK @shapeblue




Re: Cloudstack 4.11 - Ubuntu 16.04 Agent UFW firewall issues

Posted by Dag Sonstebo <Da...@shapeblue.com>.
Hi Glen,

Are you using basic or advanced zone? How is your networking configured on your KVM host? My guess is you run guest traffic and management traffic on the same NICs?

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue

On 12/06/2018, 04:40, "Glen Baars" <gl...@onsitecomputers.com.au> wrote:

    Hello Devs,
    
    When we deployed CloudStack 4.11.0 into production, we found that the UFW rules for the KVM host override the firewall rules set by the user in CloudStack. This prevented network access to the VMs on most ports.

    We followed the guide on this page for the advanced zone – Ubuntu.
    http://docs.cloudstack.apache.org/projects/cloudstack-installation/en/4.11/hypervisor/kvm.html
    
    Disabling UFW on the KVM host fixed the issue but obviously not a great solution ☹
    
    Is there any logging that would help? I have a spare server in the production cluster that I can test the issue on.
    Kind regards,
    Glen Baars
    


Dag.Sonstebo@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue