Hi,
I am investigating the issue 
https://issues.apache.org/jira/browse/CLOUDSTACK-1337: copy template/ISO across 
zones is failing in branch 4.1, giving the error "HTTP Server returned 403 
(expected 200 OK)". There is a workaround mentioned in 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSVM%2C+templates%2C+Secondary+storage+troubleshooting

The iptables rules in the destination as well as the source SSVM:
root@s-9-VM:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N HTTP
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable

I removed the last rule "-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp 
--dport 443 -j REJECT --reject-with icmp-port-unreachable", which is blocking 
outgoing traffic on port 443, and also modified .htaccess to:

Options -Indexes
order deny,allow
#deny from all
allow from 10.102.193.95

Copy template worked after this modification.
The rule seems valid to me, i.e. "-A OUTPUT -o eth1 -p tcp -m state --state NEW 
-m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable", but copy 
template is not happening until I remove this rule. Also, removing 
"deny from all" is a security threat.

I also noticed that eth1 RX bytes were increasing during copy template, which 
possibly means it is using the eth1 port.

Previously my understanding was that copy template happens on the eth2 port, but 
from the above, it seems eth1 is being used.
Can someone confirm this behavior?

Also, what should be the right approach to fix this issue?

Regards
Deepti
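
Added example (not part of the original message and not CloudStack code): a small Python model of Apache 2.2 Order/Deny/Allow evaluation, run over the .htaccess as posted and over a variant that keeps "deny from all". The client address 192.0.2.10 is a constructed sample, and only `all`, single IPs and CIDR ranges are handled.

```python
import ipaddress

def parse_htaccess(text):
    """Return (order, allow_specs, deny_specs) from Apache 2.2 style access lines."""
    order, allow, deny = "deny,allow", [], []   # Apache's default Order is Deny,Allow
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # commented-out lines are ignored
        words = line.split()
        if len(words) >= 2 and words[0] == "order":
            order = "".join(words[1:])
        elif len(words) >= 3 and words[0] in ("allow", "deny") and words[1] == "from":
            (allow if words[0] == "allow" else deny).extend(words[2:])
    return order, allow, deny

def matches(client, specs):
    """True if the client IP matches any spec ('all', an IP, or a CIDR range)."""
    ip = ipaddress.ip_address(client)
    return any(s == "all" or ip in ipaddress.ip_network(s, strict=False) for s in specs)

def is_allowed(htaccess, client):
    order, allow, deny = parse_htaccess(htaccess)
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "deny,allow":
        # Deny is evaluated first and Allow overrides it; no match at all means permitted.
        return allowed or not denied
    # allow,deny: must match an Allow and no Deny; no match at all means rejected.
    return allowed and not denied

# The .htaccess exactly as posted in the message above.
AS_POSTED = """Options -Indexes
order deny,allow
#deny from all
allow from 10.102.193.95
"""

# Variant for comparison (an assumption of this example): "deny from all" left active.
WITH_DENY = AS_POSTED.replace("#deny from all", "deny from all")

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("with deny from all", WITH_DENY)):
        for client in ("10.102.193.95", "192.0.2.10"):   # second IP is a constructed sample
            print(f"{name:20} {client:15} allowed={is_allowed(cfg, client)}")
```

With the deny line commented out, every client falls through to the Deny,Allow default of "permitted", so the allow line no longer restricts anything; with it active, only 10.102.193.95 is let through.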
