I think we don't allow 0.0.0.0/32 anymore; I received a bug about not allowing this in the internal download site, as it will change the default route.
> -----Original Message-----
> From: Chiradeep Vittal
> Sent: Tuesday, June 12, 2012 6:37 PM
> To: cloudstack-dev@incubator.apache.org
> Cc: cloudstack-dev@incubator.apache.org; Frank Zhang
> Subject: Re: Config public network without VLAN(error:no route to the host)
>
> This is the effect of the allowed internal sites configuration. It is expected that the management (eth1) ip is RFC 1918 (it is a waste of a perfectly usable ipv4). Since end users can inject any URL for template download they can probe the management network. This is why there is a firewall rule that prevents http(s) downloads over eth1. If you know what you are doing the config flag lets you override this behavior. You can put 0.0.0.0/32 there for example.
>
> All system vms have their publicly routable ip address on eth2 and the default route is via eth2. Not sure how eth1 landed up as the default nic in your case.
>
> --
> Chiradeep
>
> On Jun 12, 2012, at 18:13, "Anthony Xu" <xuefei...@citrix.com> wrote:
>
>>> 111.111.111.0/24 dev eth2 proto kernel scope link src 111.111.111.18
>>> default via 46.136.132.1 dev eth2
>>
>> Hi Heng,
>>
>> The public ip address for SSVM is 111.111.111.18, the default gateway is 46.136.132.1. Are 111.111.111.18 and 46.136.132.1 in the same broadcast domain?
>>
>> If not, it won't work, because 111.111.111.18 cannot get the mac of 46.136.132.1, then it cannot reach 46.136.132.1, and the packet cannot go out. Normally, in this case, the gateway would presumably be something like 111.111.111.1.
>>
>> Regards,
>> Anthony
>>
>>> -----Original Message-----
>>> From: Lu Heng [mailto:h...@anytimechinese.com]
>>> Sent: Tuesday, June 12, 2012 5:35 PM
>>> To: Frank Zhang
>>> Cc: cloudstack-dev@incubator.apache.org
>>> Subject: Re: Config public network without VLAN(error:no route to the host)
>>>
>>> Hi
>>>
>>> I think I know where the problem is; it seems the SSVM can not visit the outside network. It can ping the public IP addresses within the range, but it can not access anything outside of the three network ranges which are listed below as well as in the first Email.
>>>
>>> So the real question is, in this network setup, how can we config the cloudstack network?
>>>
>>> " Hi
>>>
>>> We have following setup
>>>
>>> management network (public IP range, 123.123.123.0/24)
>>> storage network (private IP range 10.2.0.0/24)
>>> public network (public IP range 111.111.111.0/24)
>>>
>>> 1 CP
>>>   1 Nic on management network
>>>   1 Nic on storage network
>>>
>>> 2*Host
>>>   1 Nic on management network
>>>   1 Nic on storage network
>>>   1 Nic on public network
>>>
>>> 1 storage
>>>   1 Nic on management network
>>>   1 nic on storage network
>>>
>>> Management server has an NFS share which is mounted on the storage network as secondary storage.
>>>
>>> So two questions:
>>>
>>> 1. for the public network, there is no vlan setup, the IP is direct routed to both host servers (they are on access ports); the question is, while I config the public network and guest network, it always asks for a vlan number, which we don't have.
>>>
>>> 2. We saw the "no route to the host" error in all the templates, ISOs, on which we can not create any instance.
>>>
>>> Please, if any one has a good suggestion in this network setup, how can we do it."
>>>
>>> On Wed, Jun 13, 2012 at 2:31 AM, Lu Heng <h...@anytimechinese.com> wrote:
>>>
>>>> Hi
>>>>
>>>> Thanks for the reply. I just added an ISO with the following URL
>>>>
>>>> http://mirror.stanford.edu/yum/pub/centos/6.2/isos/x86_64/CentOS-6.2-x86_64-LiveDVD.iso
>>>>
>>>> It still shows no route to host, and for the default template (centos 5.6), I saw the download complete when I did the preparation for secondary storage.
>>>>
>>>> On Wed, Jun 13, 2012 at 2:24 AM, Frank Zhang <frank.zh...@citrix.com> wrote:
>>>>
>>>>> Sorry for misleading before. The "no route to host" means CloudStack fails to download the template to secondary storage because it cannot access the URL of the template.
>>>>>
>>>>>> It does download successfully during the setup.
>>>>>
>>>>> So you have seen its state in Ready sometimes before? And then it changed to "No route to host"? Emm this sounds weird to me. Once the template is downloaded to secondary storage successfully, its state changes to Ready permanently in the database. Is the centos template you mentioned the builtin template automatically downloaded by CloudStack after the SSVM is running? Have you tried wget in the SSVM?
>>>>>
>>>>>> And I have pasted the traffic rule in the last Email, both ports are open.
>>>>>>
>>>>>> And if I mount the secondary storage to the SSVM, and write on it, there is no error with "no route to host".
>>>>>>
>>>>>> On Wed, Jun 13, 2012 at 2:13 AM, Frank Zhang <frank.zh...@citrix.com> wrote:
>>>>>>
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> please refer to my reply
>>>>>>>>
>>>>>>>> "The first template (the centos template which was already downloaded during preparation) is not even working, it also shows "no route to the host""
>>>>>>>
>>>>>>> No, that means it didn't download successfully. Login to the SSVM, try downloading the template you want by wget. You should face the problem of "no route to host"; as aforementioned, there are some firewall rules blocking the traffic. Given the default centos failed to download, I suspect your 443 port or 80 port to the public network is blocked.
>>>>>>>
>>>>>>>> On Wed, Jun 13, 2012 at 1:57 AM, Chiradeep Vittal <chiradeep.vit...@citrix.com> wrote:
>>>>>>>>
>>>>>>>>> Because it results in the suppression of the initial ARP request to the gateway. This is how the Linux network stack reports an ARP issue.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Chiradeep
>>>>>>>>>
>>>>>>>>> On Jun 12, 2012, at 16:31, "David Nalley" <da...@gnsa.us> wrote:
>>>>>>>>>
>>>>>>>>>> On Jun 12, 2012, at 7:09 PM, Chiradeep Vittal <chiradeep.vit...@citrix.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> You might need to add the host ip of the web server where the templates are hosted to "secstorage.allowed.internal.sites" in the global configuration.
>>>>>>>>>>
>>>>>>>>>> Why would lack of this result in no route to host? Firewall issues would die silently without that error. It isn't even trying.
>>>>>>>>>>
>>>>>>>>>>> On 6/12/12 3:50 PM, "Lu Heng" <h...@anytimechinese.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks for the reply
>>>>>>>>>>>>
>>>>>>>>>>>> First, the SSVM can mount the secondary storage, and the ssvm-check.sh is passed without error. The "no route to the host" problem still exists.
>>>>>>>>>>>>
>>>>>>>>>>>> second, what should we fill in for the vlan in the public network setup while the IP is simply on the access port?
>>>>>>>>>>>>
>>>>>>>>>>>> and the iptable rule on the ssvm host:
>>>>>>>>>>>>
>>>>>>>>>>>> Chain INPUT (policy ACCEPT)
>>>>>>>>>>>> target               prot opt source    destination
>>>>>>>>>>>> ACCEPT               gre  --  anywhere  anywhere
>>>>>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere  anywhere
>>>>>>>>>>>>
>>>>>>>>>>>> Chain FORWARD (policy ACCEPT)
>>>>>>>>>>>> target               prot opt source    destination
>>>>>>>>>>>> RH-Firewall-1-INPUT  all  --  anywhere  anywhere
>>>>>>>>>>>>
>>>>>>>>>>>> Chain OUTPUT (policy ACCEPT)
>>>>>>>>>>>> target               prot opt source    destination
>>>>>>>>>>>>
>>>>>>>>>>>> Chain RH-Firewall-1-INPUT (2 references)
>>>>>>>>>>>> target               prot opt source    destination
>>>>>>>>>>>> ACCEPT               tcp  --  anywhere  anywhere       tcp dpts:5900:6099
>>>>>>>>>>>> ACCEPT               all  --  anywhere  anywhere
>>>>>>>>>>>> ACCEPT               icmp --  anywhere  anywhere       icmp any
>>>>>>>>>>>> ACCEPT               esp  --  anywhere  anywhere
>>>>>>>>>>>> ACCEPT               ah   --  anywhere  anywhere
>>>>>>>>>>>> ACCEPT               udp  --  anywhere  224.0.0.251    udp dpt:mdns
>>>>>>>>>>>> ACCEPT               udp  --  anywhere  anywhere       udp dpt:ipp
>>>>>>>>>>>> ACCEPT               tcp  --  anywhere  anywhere       tcp dpt:ipp
>>>>>>>>>>>> ACCEPT               udp  --  anywhere  anywhere       udp dpt:bootps
>>>>>>>>>>>> ACCEPT               all  --  anywhere  anywhere       state RELATED,ESTABLISHED
>>>>>>>>>>>> ACCEPT               udp  --  anywhere  anywhere       state NEW udp dpt:ha-cluster
>>>>>>>>>>>> ACCEPT               tcp  --  anywhere  anywhere       state NEW tcp dpt:ssh
>>>>>>>>>>>> ACCEPT               tcp  --  anywhere  anywhere       state NEW tcp dpt:http
>>>>>>>>>>>> ACCEPT               tcp  --  anywhere  anywhere       state NEW tcp dpt:https
>>>>>>>>>>>> REJECT               all  --  anywhere  anywhere       reject-with icmp-host-prohibited
>>>>>>>>>>>>
>>>>>>>>>>>> Output of ip route on ssvm:
>>>>>>>>>>>>
>>>>>>>>>>>> 204.13.152.2 via 46.136.128.1 dev eth1
>>>>>>>>>>>> 10.2.0.0/24 dev eth3 proto kernel scope link src 10.2.0.189
>>>>>>>>>>>> 123.123.123.0/24 dev eth1 proto kernel scope link src 123.123.123.9
>>>>>>>>>>>> 111.111.111.0/24 dev eth2 proto kernel scope link src 111.111.111.18
>>>>>>>>>>>> 169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.2.83
>>>>>>>>>>>> default via 46.136.132.1 dev eth2
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Jun 13, 2012 at 12:42 AM, Frank Zhang <frank.zh...@citrix.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We have following setup
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> management network (public IP range, 123.123.123.0/24)
>>>>>>>>>>>>>> storage network (private IP range 10.2.0.0/24)
>>>>>>>>>>>>>> public network (public IP range 111.111.111.0/24)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 1 CP
>>>>>>>>>>>>>>   1 Nic on management network
>>>>>>>>>>>>>>   1 Nic on storage network
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2*Host
>>>>>>>>>>>>>>   1 Nic on management network
>>>>>>>>>>>>>>   1 Nic on storage network
>>>>>>>>>>>>>>   1 Nic on public network
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 1 storage
>>>>>>>>>>>>>>   1 Nic on management network
>>>>>>>>>>>>>>   1 nic on storage network
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Management server has an NFS share which is mounted on the storage network as secondary storage.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So two questions:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 1. for the public network, there is no vlan setup, the IP is direct routed to both host servers (they are on access ports); the question is, while I config the public network and guest network, it always asks for a vlan number, which we don't have.
>>>>>>>>>>>>>
>>>>>>>>>>>>> When you create the zone, the vlan of the public network is optional; you should be able to safely ignore it. What's the exact error you suffered?
>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2. We saw the "no route to the host" error in all the templates, ISOs, on which we can not create any instance.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please, if any one has a good suggestion in this network setup, how can we do it.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Do this:
>>>>>>>>>>>>> 1. login to your SSVM
>>>>>>>>>>>>>   1.a go to the host where the SSVM is running
>>>>>>>>>>>>>   1.b ssh -i /root/.ssh/id_rsa.cloud -p 30922 link_local_ip_address
>>>>>>>>>>>>>       The link local ip address can be grabbed from the SSVM page on the UI; it starts with 169
>>>>>>>>>>>>>   1.c try to mount your secondary storage somewhere in your SSVM
>>>>>>>>>>>>>   1.d if 1.c won't work, check if you can mount secondary storage on the host where the SSVM is running. If that fails, then it's your network issue
>>>>>>>>>>>>>   1.e if it works on your host, try to figure out any iptables rules on the host blocking NFS traffic
>>>>>>>>>>>>>   1.h check the routes of the SSVM by 'ip route'; the traffic to secondary storage should go thru the storage network, which is (private IP range 10.2.0.0/24) in your case
>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Kind regards.
>>>>>>>>>>>>>> Lu
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This transmission is intended solely for the addressee(s) shown above. It may contain information that is privileged, confidential or otherwise protected from disclosure. Any review, dissemination or use of this transmission or its contents by persons other than the intended addressee(s) is strictly prohibited. If you have received this transmission in error, please notify this office immediately and e-mail the original at the sender's address above by replying to this message and including the text of the transmission received.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> --
>>>>>>>>>>>> Kind regards.
>>>>>>>>>>>> Lu
>>>>>>>>
>>>>>>>> --
>>>>>>>> --
>>>>>>>> Kind regards.
>>>>>>>> Lu
>>>>>>
>>>>>> --
>>>>>> --
>>>>>> Kind regards.
>>>>>> Lu
>>>>
>>>> --
>>>> --
>>>> Kind regards.
>>>> Lu
>>>
>>> --
>>> --
>>> Kind regards.
>>> Lu
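Two checks behind the diagnoses in this thread, as an added example (not CloudStack's code and not written by anyone in the thread). `offlink_gateways` parses the `ip route` output Lu posted and flags every `via` route whose gateway does not fall inside a connected prefix on the same device, which is Anthony's point that 46.136.132.1 is not in the same broadcast domain as 111.111.111.18 and Chiradeep's point that the resulting ARP failure surfaces as "No route to host". `download_allowed` shows what an allow-list in the spirit of secstorage.allowed.internal.sites has to do to keep a user-supplied template URL from reaching the management network, and that as a CIDR 0.0.0.0/32 matches only the single address 0.0.0.0, not everything. Assumptions: the management network 123.123.123.0/24 is taken from the thread's setup, the host names and DNS table are constructed, and the allow-list is treated as plain CIDR matching, which the thread does not specify.

```python
"""Offline checks for the two SSVM failure modes discussed in the thread.

Added example, not CloudStack's own code. SAMPLE_ROUTES is the `ip route`
output posted in the thread; FAKE_DNS and the host names are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# `ip route` output from the SSVM, as posted in the thread.
SAMPLE_ROUTES = """\
204.13.152.2 via 46.136.128.1 dev eth1
10.2.0.0/24 dev eth3 proto kernel scope link src 10.2.0.189
123.123.123.0/24 dev eth1 proto kernel scope link src 123.123.123.9
111.111.111.0/24 dev eth2 proto kernel scope link src 111.111.111.18
169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.2.83
default via 46.136.132.1 dev eth2
"""

_CONNECTED = re.compile(r"^(\S+) dev (\S+) proto kernel scope link")
_VIA = re.compile(r"^(\S+) via (\S+) dev (\S+)")


def connected_prefixes(ip_route_text):
    """Map device -> prefixes the kernel installed as directly connected."""
    prefixes = {}
    for line in ip_route_text.splitlines():
        m = _CONNECTED.match(line.strip())
        if m:
            net = ipaddress.ip_network(m.group(1), strict=False)
            prefixes.setdefault(m.group(2), []).append(net)
    return prefixes


def offlink_gateways(ip_route_text):
    """Return (dst, gateway, dev) for each 'via' route whose gateway lies
    outside every connected prefix on that device.  The kernel can never
    ARP-resolve such a gateway, so sends fail with EHOSTUNREACH, which
    userland prints as "No route to host" even though a route exists."""
    prefixes = connected_prefixes(ip_route_text)
    bad = []
    for line in ip_route_text.splitlines():
        m = _VIA.match(line.strip())
        if not m:
            continue
        dst, gw, dev = m.groups()
        gw_ip = ipaddress.ip_address(gw)
        if not any(gw_ip in p for p in prefixes.get(dev, [])):
            bad.append((dst, gw, dev))
    return bad


# Management network from the thread's setup (assumption: the one non-RFC1918
# range the SSVM must be kept from probing on a user's behalf).
MGMT_NET = ipaddress.ip_network("123.123.123.0/24")

# Constructed DNS table standing in for real resolution.
FAKE_DNS = {
    "mirror.example.org": "111.111.111.200",    # public, in the thread's public range
    "templates.example.com": "123.123.123.50",  # web server on the management network
}


def resolve(host):
    return FAKE_DNS[host]


def download_allowed(url, allowed_internal_sites, resolve=resolve, mgmt_net=MGMT_NET):
    """Decide whether the SSVM should fetch a user-supplied template URL.

    `allowed_internal_sites` is a comma-separated list of hosts or CIDRs,
    modelled on secstorage.allowed.internal.sites (assumption: plain CIDR
    matching).  Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not permitted" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = ipaddress.ip_address(resolve(host))
    internal = addr.is_private or addr.is_link_local or addr in mgmt_net
    if not internal:
        return True, "%s is public" % addr
    allow = [ipaddress.ip_network(s.strip(), strict=False)
             for s in allowed_internal_sites.split(",") if s.strip()]
    if any(addr in n for n in allow):
        return True, "%s is internal but allow-listed" % addr
    return False, "%s is internal and not in the allow-list" % addr


if __name__ == "__main__":
    for dst, gw, dev in offlink_gateways(SAMPLE_ROUTES):
        print("gateway %s is not on-link for %s (route to %s)" % (gw, dev, dst))
    for url, allow in [("http://mirror.example.org/centos.iso", ""),
                       ("http://templates.example.com/centos.iso", ""),
                       ("http://templates.example.com/centos.iso", "123.123.123.50"),
                       ("http://10.2.0.1/centos.iso", "0.0.0.0/32"),
                       ("http://10.2.0.1/centos.iso", "0.0.0.0/0")]:
        print(url, repr(allow), download_allowed(url, allow))
```

Run against the posted routes, both `via` entries are flagged: 46.136.128.1 is not inside 123.123.123.0/24 on eth1, and the default gateway 46.136.132.1 is not inside 111.111.111.0/24 on eth2, so nothing leaves the SSVM except to the three connected ranges, exactly the symptom Lu described. The allow-list half is deliberately fail-closed: a name that resolves into a private or management range is refused unless a listed entry covers it, and only a /0 entry opens everything.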