Skip to content

CLOUDSTACK-8843: Fixed issue in default iptables rules on shared network VR #842

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
asfgit merged 1 commit into from
Sep 27, 2015
Merged

CLOUDSTACK-8843: Fixed issue in default iptables rules on shared network VR #842

asfgit merged 1 commit into from
Sep 27, 2015

Conversation

@jayapalu
Copy link
Contributor

@jayapalu jayapalu commented Sep 16, 2015

On basic zone share network VR default iptables rules are not applied correctly. Due to this ssh to VR got failed.
In shared network the VR type is 'dhcpsrvr' not router. So corrected it in the ''del_standard' method to select the correct type.

Testing:

  1. VR is deployed correctly.
  2. Tested restart, stop, start VR.
  3. New VM deployment is success.
  4. ssh to VR from the host is successful.
  5. iptables rules on the VR came up correctly.
    below is the output from the VR:
    iptables -L INPUT -nv
    Chain INPUT (policy DROP 16 packets, 1056 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
    0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
    104 9800 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    281 36500 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    6 504 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    2 656 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
    13 780 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3922 state NEW,ESTABLISHED
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
    0 0 ACCEPT tcp -- eth0 * 10.147.40.0/23 0.0.0.0/0 state NEW tcp dpt:8080

@asfbot
Copy link

asfbot commented Sep 16, 2015

cloudstack-pull-rats #631 SUCCESS
This pull request looks good

@asfbot
Copy link

asfbot commented Sep 16, 2015

cloudstack-pull-analysis #570 ABORTED

@wilderrodrigues
Copy link
Contributor

wilderrodrigues commented Sep 17, 2015

Thanks, @jayapalu

I will try to take some time today to test your PR.

Cheers,
Wilder

@wilderrodrigues
Copy link
Contributor

wilderrodrigues commented Sep 17, 2015

@jayapalu

Which integration tests did you execute?

Cheers,
Wilder

@asfbot
Copy link

asfbot commented Sep 17, 2015

cloudstack-pull-analysis #588 SUCCESS
This pull request looks good

@jayapalu
Copy link
Contributor Author

jayapalu commented Sep 18, 2015

@wilderrodrigues
I have tested the changes on my local against the VR. It is specific to shared network and the fix is also specific to shared network VR. I think it will not impact the other type of VRs.

But I have not run the integration tests on it. Let me try running test cases on it.

@rajap9711
Copy link

rajap9711 commented Sep 21, 2015

Ran XS Basic/EIP BVTs and passrate is at 97% - couple of tests failed due to unrelated bug/issue.

@rajap9711
Copy link

rajap9711 commented Sep 21, 2015

All Failed Tests
integration.smoke.test_vm_snapshots.TestSnapshots.test_01_test_vm_volume_snapshot

All Passed Tests
integration.smoke.test_affinity_groups 2 min 22 sec 0 0 1 1
integration.smoke.test_deploy_vgpu_enabled_vm 4 ms 0 1 0 1
integration.smoke.test_deploy_vm_iso 5 min 53 sec 0 0 1 1
integration.smoke.test_deploy_vm_root_resize 19 sec 0 0 3 3
integration.smoke.test_deploy_vm_with_userdata 36 sec 0 0 2 2
integration.smoke.test_deploy_vms_with_varied_deploymentplanners 1 min 7 sec 0 0 3 3
integration.smoke.test_disk_offerings 0.49 sec 0 0 5 5
integration.smoke.test_global_settings 0.36 sec 0 0 1 1
integration.smoke.test_iso 2 min 47 sec 0 1 6 7
integration.smoke.test_multipleips_per_nic 53 sec 0 0 1 1
integration.smoke.test_over_provisioning 0.14 sec 0 0 1 1
integration.smoke.test_portable_publicip 6.6 sec 0 0 1 1
integration.smoke.test_primary_storage 1 min 55 sec 0 0 2 2
integration.smoke.test_regions 73 ms 0 0 1 1
integration.smoke.test_reset_vm_on_reboot 20 sec 0 0 1 1
integration.smoke.test_routers 0.1 sec 0 1 +1 0 -1 1
integration.smoke.test_scale_vm 5.3 sec 0 0 1 1
integration.smoke.test_secondary_storage 0.67 sec 0 0 2 2
integration.smoke.test_service_offerings 0.28 sec 0 0 3 3
integration.smoke.test_ssvm 25 min 0 6 +6 4 -6 10
integration.smoke.test_templates 1 min 40 sec 0 1 6 7
integration.smoke.test_vm_life_cycle 6 min 49 sec 0 0 10 10
integration.smoke.test_vm_snapshots 1 min 22 sec 1 0 0 1
integration.smoke.test_volumes 15 min 0 -1 0 9 +1 9

@jayapalu
Copy link
Contributor Author

jayapalu commented Sep 22, 2015

@wilderrodrigues Can you please review and give LGTM

@kishankavala
Copy link
Contributor

kishankavala commented Sep 22, 2015

LGTM
integration.smoke.test_vm_life_cycle test case validates ssh access to Vm as part of test_10_attachAndDetach_iso test
Would be better if test_deploy_vm test in test_vm_life_cycle also validates that Vm is accessible via SSH.

remibergsma added a commit to remibergsma/cloudstack that referenced this pull request Sep 24, 2015
@remibergsma
Merge pull request apache#842 from jayapalu/shareNwVR
4c8f4ac 
CLOUDSTACK-8843: Fixed issue in default iptables rules on shared network VROn basic zone share network VR default iptables rules are not applied correctly. Due to this ssh to VR got failed.
In shared network the VR type is 'dhcpsrvr' not router. So corrected it in the ''del_standard' method to select the correct type.

Testing:
1. VR is deployed correctly.
2. Tested restart, stop, start VR.
3. New VM deployment is success.
4. ssh to VR from the host is successful.
5. iptables rules on the VR came up correctly.
below is the output from the VR:
iptables -L INPUT -nv
Chain INPUT (policy DROP 16 packets, 1056 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
  104  9800 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  281 36500 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    6   504 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2   656 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
   13   780 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3922 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
    0     0 ACCEPT     tcp  --  eth0   *       10.147.40.0/23       0.0.0.0/0            state NEW tcp dpt:8080

* pr/842:
  CLOUDSTACK-8843: Fixed issue in default iptables rules on shared network VR

Signed-off-by: Remi Bergsma <[email protected]>
@remibergsma remibergsma mentioned this pull request Sep 24, 2015
Merged
@asfgit asfgit merged commit a15df05 into apache:master Sep 27, 2015
asfgit pushed a commit that referenced this pull request Sep 27, 2015
@remibergsma
Merge pull request #887 from schubergphilis/vr_fixes_combined
3ded3e9 
[BLOCKER] Combined PRs that fix VR issuesTonight I worked with @wilderrodrigues to figure out what is wrong with the virtual router. As we couldn't test single PRs any more (because of other issues with them causing tests to fail) we added all VR related PRs in a separate branch and started testing from there.

We combined the following PRs into this PR:
#836 #851 #867 #870 #881 #882 #842

After that, one issue remains: the VPC does not get a default gateway. Which is strange, because we already solved it in PR #738. When I look back, it was fixed again in PR #784. It could very well be that either one fixed one specific case, but also breaking the other. We need to investigate this, and make sure there will be a fix that works both for VPCs and VRs.

When we manually add the default gateway on the VPC, most tests pass and also spinning up two VPCs with one tier each, having a VM and them using s2s to VPN them together works fine. See for more details the report Wilder sent earlier.

Tomorrow we'll try to figure out how to fix the default gateway and merge this. Then we should have a base to work from again. Any PR that fixes another blocker, should at least then be rebased against the fixed master so we can run the tests against the PR branch. I'm not saying everything is fixed, I'm just saying that we can spin up a cloud that has working VMs.

When, in the mean time, someone has the time to checkout this branch and make the default route work for both VPC and VR that would be awesome. After that we should double check and verify the test results.

Pinging @karuturi to let her know the current status.

Regards,
Wilder / Remi

* pr/887:
  Fixing the index out of bounds error in the check_if_link_up() function
  small cleanups
  Fixing the defaut route for VPC routers
  Formatting the get_gateway() method in the CsDatabag.py file
  Fixing the dhcpsrvr iptables file
  Formatting the router_proxy.sh script
  CLOUDSTACK-8881: Fixed Static and PF configuration issue
  CLOUDSTACK-8905: Fixed hooking egress rules
  CLOUDSTACK-8891: Fixed default iptables rules on VR  for guest traffic
  Configured dnsmasq to listen on all interfaces so that vpn  client gets dns
  CLOUDSTACK-8864: Not able to add TCP port forwarding rule in VPN for specific ports
  CLOUDSTACK-8863: VM doesn't reconnect to internet post VR RESTART/STOP-START/RECREATE
  CLOUDSTACK-8843: Fixed issue in default iptables rules on shared network VR

Signed-off-by: Remi Bergsma <[email protected]>
rohityadavcloud pushed a commit that referenced this pull request Jan 20, 2021
@davidjumani @rohityadavcloud
Using post for uploadSslCert api (#842)
fafaf11 
* Adding post param to actions

* Using post for uploadSslCert api

Signed-off-by: Rohit Yadav <[email protected]>
JoaoJandre pushed a commit to scclouds/cloudstack that referenced this pull request Nov 24, 2022
Merge branch 'fix-npe-on-create-volume-from-snapshot' into '4.16.0.0-…
211f5a7 
…scclouds'

Criação de volume à partir de _snapshots_ consertada

Closes apache#842

See merge request scclouds/scclouds!350
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@jayapalu @asfbot @wilderrodrigues @rajap9711 @kishankavala @asfgit