Posted to users@cloudstack.apache.org by Andrija Panic <an...@gmail.com> on 2020/07/24 11:16:25 UTC

Re: Fresh 4.14 install - UI won't start after reboot

So, the issue is that we rely on iptables service and not firewalld - and
when both start, firewalld will "win" and basically remove any iptables
rules from memory that are loaded from /etc/sysconfig/iptables file - I've
reproduced the issue partially.

In general, we need to update the cloudstack-setup-management - but there
is a problem:

CentOS7: firewalld is present by default
Ubuntu 18.04 does not have firewalld installed by default

My idea would be to either ensure (in the cloudstack-setup-management) that
both firewalld/ufw are disabled and continue operating with pure iptables
 OR  to not add rules at all, but instead print a message on the
requirements to open access to ports 8080/8250/9090 with whatever firewall
management tool the user uses.

Best,

On Thu, 25 Jun 2020 at 17:46, Corey, Mike <mi...@sap.com> wrote:

> Shutting down the firewall resolved the UI access issue.  Funny I didn't
> think to check that as the UI worked immediately after the setup.
>
> Besides 8080, what else does the setup configure in the firewall rules?
> For whatever reason, it doesn’t appear my CentOS is keeping that
> configuration after the reboot.
>
> Mike
>
>
>
> -----Original Message-----
> From: Andrija Panic <an...@gmail.com>
> Sent: Tuesday, June 23, 2020 6:05 PM
> To: users <us...@cloudstack.apache.org>
> Subject: Re: Fresh 4.14 install - UI won't start after reboot
>
> Hi Mike,
>
> I've checked the "after" log file - and everything seems fine - there is DB
> update happening from 4.0.0 version all the way to 4.14.0.0 version (this
> is clean install obviously) and the exception you see "can not ping
> management server" - is NORMAL, i.e. in every ACS installation this happens
> only one time during the boot process of the mgmt server and any next
> occurrence of a similar thing would mean a real issue.
>
> I can see that your mgmt server started just fine.
> Can you check your firewall on that server/VM - does it allow access to
> port 8080?
>
> Temporarily stop the firewall with       systemctl stop firewalld
> and see if that solves the problem.
>
> If you have used the "cloudstack-setup-management" command, as a way to
> "configure" mgmt (it adds firewall rules and starts the mgmt server for you)
> - then all should be fine.
> Otherwise, fix your firewall accordingly / as you want it.
>
> Cheers,
>
> On Tue, 23 Jun 2020 at 17:37, Corey, Mike <mi...@sap.com> wrote:
>
> > Hi,
> >
> > Sorry for the delay, I had other stuff to work on last week.
> >
> > Here is the link to the log files, before & after a reboot of the
> > management VM.  The reboot occurred at June 23 @ 1100 local time...anything
> > before that time would be the installation/setup of CSM.
> >
> > I hope you can help figure this out.
> >
> > Thanks!
> >
> > https://tinyurl.com/yc5tebts
> >
> >
> > -----Original Message-----
> > From: Andrija Panic <an...@gmail.com>
> > Sent: Thursday, June 11, 2020 4:23 PM
> > To: users <us...@cloudstack.apache.org>
> > Subject: Re: Fresh 4.14 install - UI won't start after reboot
> >
> > Mike,
> >
> > those are the same packages, built by ShapeBlue and we are using them
> > already (CentOS7) on a few places.
> >
> > That error is visible for many versions of ACS, that it can not connect to
> > itself (kind of nonsense, but is there during mgmt server starting, only
> > once! and to be ignored).
> >
> > Can you restart management-server and report if you still have issues?
> >
> > If so, please upload your management-server.log to some external file
> > sharing Web site, post link here so we can download it, and also share time
> > at which you rebooted it or the VM.
> >
> > Best,
> > Andrija
> >
> > On Thu, 11 Jun 2020, 20:45 Corey, Mike, <mi...@sap.com> wrote:
> >
> > > Sorry, but the problem still exists.  Both distros give me the error "
> > > Unable to ping management server at 10.4.32.163:9090 due to
> > > ConnectException java.net.ConnectException: Connection refused" now.
> > >
> > > I wonder whatever changes the setup does to the firewall, they don't stick
> > > after a reboot.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Corey, Mike <mi...@sap.com>
> > > Sent: Thursday, June 11, 2020 1:13 PM
> > > To: users@cloudstack.apache.org
> > > Subject: [CAUTION] RE: Fresh 4.14 install - UI won't start after reboot
> > >
> > > I think I solved my own problem, but may have uncovered a bug with one of
> > > the distros.
> > >
> > > My first 3 attempts used the repo "baseurl=
> > > http://packages.shapeblue.com/cloudstack/upstream/centos7/4.14" and the
> > > UI would work after initial setup completion; however, it did not work
> > > after a reboot of the VM.  The error I'm guessing is the issue is this:
> > >
> > > 2020-06-11 10:00:29,431 ERROR [c.c.c.ClusterManagerImpl] (main:null)
> > > (logid:) Unable to ping management server at 10.4.32.163:9090 due to
> > > ConnectException
> > > java.net.ConnectException: Connection refused
> > >
> > > My recent attempt used the repo "baseurl=
> > > http://download.cloudstack.org/centos/7/4.14" and the UI works even after
> > > a reboot of the VM.
> > >
> > > I'd have to assume that the shapeblue and apache versions have something
> > > different in how they handle the firewall rules.  Just a guess.
> > >
> > > Mike
> > >
> > >
> > >
> > > From: Corey, Mike <mi...@sap.com>
> > > Sent: Thursday, June 11, 2020 9:52 AM
> > > To: users@cloudstack.apache.org
> > > Subject: [CAUTION] Fresh 4.14 install - UI won't start after reboot
> > >
> > > Hi,
> > >
> > > Still new here so please be patient.  I just ran through a fresh
> > > installation (MySQL & CS on same VM) and all looked good (no errors in
> > > logs, installation completed, UI console loaded in browser) until I
> > > rebooted the management server.  The UI came online after the initial setup
> > > ran through; however, after a reboot the UI won't load (30 mins so far).
> > >
> > > Besides watching the management-server.log and grepping it for errors, is
> > > there anything I can look at to troubleshoot the UI portal connectivity
> > > events?
> > >
> > > Thanks!
> > >
> > >
> > > Mike Corey
> > >
> > > Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US
> > >
> > > SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United
> > > States
> > >
> > > T +1 610 661 0905, M +1 484 274 2658, E mike.corey@sap.com
> > >
> > >
> > >
> > >
> > >
> >
>
>
> --
>
> Andrija Panić
>


-- 

Andrija Panić
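
The conflict described in the message above, as an added example that is not part of the original thread or of cloudstack-setup-management: an offline check that reports which firewall managers are enabled at boot and which of the ports 8080/8250/9090 have no ACCEPT rule. The function names and all sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: offline check for the firewalld/iptables conflict in this thread.
# All sample data below is constructed, not taken from the poster's system.
REQUIRED_PORTS="8080 8250 9090"   # ports named in the message above

# Constructed "unit state" pairs, as one could collect with:
#   for u in firewalld iptables ufw; do
#     echo "$u $(systemctl is-enabled "$u" 2>/dev/null)"; done
SAMPLE_UNITS='firewalld enabled
iptables enabled
ufw disabled'

# Constructed `iptables -S INPUT` output in which only 8080 (and ssh)
# still has an ACCEPT rule after the reboot.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Print the firewall managers that are enabled at boot, space separated.
enabled_managers() {
  printf '%s\n' "$1" |
    awk '$2 == "enabled" { printf "%s%s", sep, $1; sep = " " }'
}

# Exit 0 when more than one manager is enabled, i.e. one can replace the
# rules the other loaded during boot.
has_conflict() {
  [ "$(enabled_managers "$1" | wc -w)" -gt 1 ]
}

# Print the required ports that have no single-port ACCEPT rule in the
# given ruleset (multiport "--dports" rules are not parsed here).
missing_ports() {
  rules=$1; shift; out=""
  for port in "$@"; do
    printf '%s\n' "$rules" |
      grep -Eq -- "--dport ${port}( .*)? -j ACCEPT" || out="${out:+$out }$port"
  done
  printf '%s\n' "$out"
}

if has_conflict "$SAMPLE_UNITS"; then
  echo "conflict: $(enabled_managers "$SAMPLE_UNITS") are both enabled at boot"
fi
echo "no ACCEPT rule for: $(missing_ports "$SAMPLE_RULES" $REQUIRED_PORTS)"
```

On a live host, replace the two sample variables with the output of the commands named in the comments.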

Re: Fresh 4.14 install - UI won't start after reboot

Posted by David Jumani <Da...@shapeblue.com>.
Hi,

I've created a PR with a message for the same

https://github.com/apache/cloudstack/pull/4239


Haven't removed the part that adds the rules so existing functionality remains the same but lets the user know that the ports need to be opened. Let me know what you all think!

Thanks,
David
________________________________
From: Andrija Panic <an...@gmail.com>
Sent: Friday, July 31, 2020 4:34 PM
To: users <us...@cloudstack.apache.org>
Subject: Re: Fresh 4.14 install - UI won't start after reboot

Fully agree.... anyone up for a PR that would edit the script to avoid
firewall rules setup but instead print a descriptive message advising ports
8080, 8443, 8250 and possibly 8096 should be open?

cheers,

On Fri, 31 Jul 2020 at 10:26, Riepl, Gregor (SWISS TXT) <
Gregor.Riepl@swisstxt.ch> wrote:

> Hi Andrija,
>
> My idea would be to either ensure (in the cloudstack-setup-management) that
> both firewalld/ufw are disabled and continue operating with pure iptables
>  OR  to not add rules at all, but instead print a message on the
> requirements to open access to ports 8080/8250/9090 with whatever firewall
> management tool the user uses
>
> Supporting many different firewall management tools will be a Herculean
> effort and may still fail when new tools emerge.
> I think it would be ok to drop automatic firewall rule creation and let
> the user manage their own rules instead.
>
> It's always been this way on Debian (and derivatives), and I don't see why
> other distributions should be different.
> Perhaps RHEL/CentOS has handled this differently in the past, and
> firewalld is supposed to solve the distribution fragmentation problem, just
> like systemd did. But there's far less adoption of firewalld than systemd,
> so I don't think it makes sense to try to solve this in CloudStack.
>
> (just my 2¢)
>
> Regards,
> Gregor
>


--

Andrija Panić

David.Jumani@shapeblue.com 
www.shapeblue.com
3 London Bridge Street,  3rd floor, News Building, London  SE1 9SG UK
@shapeblue


Re: Fresh 4.14 install - UI won't start after reboot

Posted by Andrija Panic <an...@gmail.com>.
Fully agree.... anyone up for a PR that would edit the script to avoid
firewall rules setup but instead print a descriptive message advising ports
8080, 8443, 8250 and possibly 8096 should be open?

cheers,

On Fri, 31 Jul 2020 at 10:26, Riepl, Gregor (SWISS TXT) <
Gregor.Riepl@swisstxt.ch> wrote:

> Hi Andrija,
>
> My idea would be to either ensure (in the cloudstack-setup-management) that
> both firewalld/ufw are disabled and continue operating with pure iptables
>  OR  to not add rules at all, but instead print a message on the
> requirements to open access to ports 8080/8250/9090 with whatever firewall
> management tool the user uses
>
> Supporting many different firewall management tools will be a Herculean
> effort and may still fail when new tools emerge.
> I think it would be ok to drop automatic firewall rule creation and let
> the user manage their own rules instead.
>
> It's always been this way on Debian (and derivatives), and I don't see why
> other distributions should be different.
> Perhaps RHEL/CentOS has handled this differently in the past, and
> firewalld is supposed to solve the distribution fragmentation problem, just
> like systemd did. But there's far less adoption of firewalld than systemd,
> so I don't think it makes sense to try to solve this in CloudStack.
>
> (just my 2¢)
>
> Regards,
> Gregor
>


-- 

Andrija Panić

Re: Fresh 4.14 install - UI won't start after reboot

Posted by "Riepl, Gregor (SWISS TXT)" <Gr...@swisstxt.ch>.
Hi Andrija,

My idea would be to either ensure (in the cloudstack-setup-management) that
both firewalld/ufw are disabled and continue operating with pure iptables
 OR  to not add rules at all, but instead print a message on the
requirements to open access to ports 8080/8250/9090 with whatever firewall
management tool the user uses

Supporting many different firewall management tools will be a Herculean effort and may still fail when new tools emerge.
I think it would be ok to drop automatic firewall rule creation and let the user manage their own rules instead.

It's always been this way on Debian (and derivatives), and I don't see why other distributions should be different.
Perhaps RHEL/CentOS has handled this differently in the past, and firewalld is supposed to solve the distribution fragmentation problem, just like systemd did. But there's far less adoption of firewalld than systemd, so I don't think it makes sense to try to solve this in CloudStack.

(just my 2¢)

Regards,
Gregor