[
https://issues.apache.org/jira/browse/CLOUDSTACK-1452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13593836#comment-13593836
]
Marcus Sorensen commented on CLOUDSTACK-1452:
---------------------------------------------
I'm seeing some strange behavior as well. Results are always different.
Sometimes my SNAT IP won't come up, sometimes the guest VPC network gateways
don't. It looks as though the nics occasionally don't hotplug quickly enough to
receive their config. For example, I see in my router's /var/log/messages:
Mar 5 19:47:29 r-3-VM kernel: [ 11.072772] virtio-pci 0000:00:07.0: enabling
device (0000 -> 0003)
Mar 5 19:47:29 r-3-VM cloud: vpc_ipassoc.sh:Add routing 192.168.100.102 on
interface eth1
Mar 5 19:47:29 r-3-VM kernel: [ 11.110987] virtio-pci 0000:00:07.0: PCI INT
A -> Link[LNKC] -> GSI 11 (level, high) -> IRQ 11
That the script vpc_ipassoc.sh was actually executed WHILE the virtio NIC was
still coming up. I'm going to do a quick hack fix on this to see if the theory
is correct. If so, it may affect 4.0.x as well, might want to test that.
> Public IP's are assigned to private interface with VPC Restart [PF/LB rules
> are not functional]
> -----------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-1452
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1452
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Network Controller
> Affects Versions: 4.1.0
> Reporter: Sailaja Mada
> Assignee: Kishan Kavala
> Priority: Critical
> Fix For: 4.1.0
>
> Attachments: management-server.log
>
>
> Steps:
> 1. Advanced Networking - KVM 6.3 host
> 2. Create VPC and add Tier1 with 1 instance
> 3. Configure PF or LB rule [22-22]
> 4. Access Instance and ensure that PF/LB rules are functional
> Statistics of Router & VM Before restart :
> Router :
> root@r-151-VM:~# ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 1000
> link/ether 0e:00:a9:fe:01:d3 brd ff:ff:ff:ff:ff:ff
> inet 169.254.1.211/16 brd 169.254.255.255 scope global eth0
> inet6 fe80::c00:a9ff:fefe:1d3/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 1000
> link/ether 06:de:46:00:00:15 brd ff:ff:ff:ff:ff:ff
> inet 10.102.196.222/24 brd 10.102.196.255 scope global eth1
> inet6 fe80::4de:46ff:fe00:15/64 scope link
> valid_lft forever preferred_lft forever
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 1000
> link/ether 02:00:19:9f:00:01 brd ff:ff:ff:ff:ff:ff
> inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
> inet6 fe80::19ff:fe9f:1/64 scope link
> valid_lft forever preferred_lft forever
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 1000
> link/ether 06:f0:c6:00:00:16 brd ff:ff:ff:ff:ff:ff
> inet 10.102.197.225/24 brd 10.102.197.255 scope global eth3
> inet6 fe80::4f0:c6ff:fe00:16/64 scope link
> valid_lft forever preferred_lft forever
> root@r-151-VM:~#
> root@r-151-VM:~# iptables --list
> Chain INPUT (policy DROP)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere vrrp.mcast.net
> ACCEPT all -- anywhere 225.0.0.50
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:3922
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere udp dpt:bootps
> ACCEPT udp -- anywhere 10.2.0.1 udp dpt:domain
> ACCEPT tcp -- anywhere 10.2.0.1 tcp dpt:domain
> ACCEPT tcp -- anywhere 10.2.0.1 state NEW tcp
> dpt:www
> ACCEPT tcp -- anywhere 10.2.0.1 state NEW tcp
> dpt:http-alt
> Chain FORWARD (policy DROP)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT all -- anywhere !anywhere
> ACL_INBOUND_eth2 all -- anywhere 10.2.0.0/24
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> Chain ACL_INBOUND_eth2 (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
> DROP all -- anywhere anywhere
> Chain NETWORK_STATS (3 references)
> target prot opt source destination
> all -- anywhere anywhere
> all -- anywhere anywhere
> tcp -- anywhere anywhere
> tcp -- anywhere anywhere
> root@r-151-VM:~#
> Instance :
> [root@cbdbc436-ddbb-4d72-9ca4-96d8a417b6e9 ~]# iptables --list
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT icmp -- anywhere anywhere icmp any
> ACCEPT esp -- anywhere anywhere
> ACCEPT ah -- anywhere anywhere
> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
> ACCEPT udp -- anywhere anywhere udp dpt:ipp
> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:ssh
> REJECT all -- anywhere anywhere reject-with
> icmp-host-prohibited
> [root@cbdbc436-ddbb-4d72-9ca4-96d8a417b6e9 ~]# ifconfig
> eth0 Link encap:Ethernet HWaddr 02:00:60:1C:00:02
> inet addr:10.2.0.127 Bcast:10.2.0.255 Mask:255.255.255.0
> inet6 addr: fe80::60ff:fe1c:2/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:180 errors:0 dropped:0 overruns:0 frame:0
> TX packets:170 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:16010 (15.6 KiB) TX bytes:22842 (22.3 KiB)
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:32 errors:0 dropped:0 overruns:0 frame:0
> TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:4076 (3.9 KiB) TX bytes:4076 (3.9 KiB)
> [root@cbdbc436-ddbb-4d72-9ca4-96d8a417b6e9 ~]#
> Statistics after restarting VPC :
> root@r-155-VM:~# ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 1000
> link/ether 0e:00:a9:fe:02:88 brd ff:ff:ff:ff:ff:ff
> inet 169.254.2.136/16 brd 169.254.255.255 scope global eth0
> inet6 fe80::c00:a9ff:fefe:288/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 1000
> link/ether 06:4a:24:00:00:15 brd ff:ff:ff:ff:ff:ff
> inet 10.102.196.222/24 brd 10.102.196.255 scope global eth1
> inet6 fe80::44a:24ff:fe00:15/64 scope link
> valid_lft forever preferred_lft forever
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 1000
> link/ether 06:74:de:00:00:16 brd ff:ff:ff:ff:ff:ff
> inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
> inet 10.102.197.225/24 brd 10.102.197.255 scope global eth2
> inet6 fe80::474:deff:fe00:16/64 scope link
> valid_lft forever preferred_lft forever
> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
> link/ether 02:00:1a:94:00:03 brd ff:ff:ff:ff:ff:ff
> root@r-155-VM:~#
> root@r-155-VM:~# ifconfig
> eth0 Link encap:Ethernet HWaddr 0e:00:a9:fe:02:88
> inet addr:169.254.2.136 Bcast:169.254.255.255 Mask:255.255.0.0
> inet6 addr: fe80::c00:a9ff:fefe:288/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:410 errors:0 dropped:0 overruns:0 frame:0
> TX packets:355 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:63392 (61.9 KiB) TX bytes:64251 (62.7 KiB)
> eth1 Link encap:Ethernet HWaddr 06:4a:24:00:00:15
> inet addr:10.102.196.222 Bcast:10.102.196.255 Mask:255.255.255.0
> inet6 addr: fe80::44a:24ff:fe00:15/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:305 errors:0 dropped:0 overruns:0 frame:0
> TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:15516 (15.1 KiB) TX bytes:404 (404.0 B)
> eth2 Link encap:Ethernet HWaddr 06:74:de:00:00:16
> inet addr:10.2.0.1 Bcast:10.2.0.255 Mask:255.255.255.0
> inet6 addr: fe80::474:deff:fe00:16/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:126 errors:0 dropped:0 overruns:0 frame:0
> TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:8080 (7.8 KiB) TX bytes:404 (404.0 B)
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:6 errors:0 dropped:0 overruns:0 frame:0
> TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:414 (414.0 B) TX bytes:414 (414.0 B)
> root@r-155-VM:~#
> root@r-155-VM:~# iptables --list
> Chain INPUT (policy DROP)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere vrrp.mcast.net
> ACCEPT all -- anywhere 225.0.0.50
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere state NEW tcp
> dpt:3922
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere udp dpt:bootps
> ACCEPT udp -- anywhere 10.2.0.1 udp dpt:domain
> ACCEPT tcp -- anywhere 10.2.0.1 tcp dpt:domain
> ACCEPT tcp -- anywhere 10.2.0.1 state NEW tcp
> dpt:www
> ACCEPT tcp -- anywhere 10.2.0.1 state NEW tcp
> dpt:http-alt
> Chain FORWARD (policy DROP)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT all -- anywhere !anywhere
> ACL_INBOUND_eth2 all -- anywhere 10.2.0.0/24
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> Chain ACL_INBOUND_eth2 (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
> DROP all -- anywhere anywhere
> Chain NETWORK_STATS (3 references)
> target prot opt source destination
> all -- anywhere anywhere
> all -- anywhere anywhere
> tcp -- anywhere anywhere
> tcp -- anywhere anywhere
> root@r-155-VM:~#
> Observation before restart - VPC :
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 1000
> link/ether 02:00:19:9f:00:01 brd ff:ff:ff:ff:ff:ff
> inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
> inet6 fe80::19ff:fe9f:1/64 scope link
> valid_lft forever preferred_lft forever
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 1000
> link/ether 06:f0:c6:00:00:16 brd ff:ff:ff:ff:ff:ff
> inet 10.102.197.225/24 brd 10.102.197.255 scope global eth3
> inet6 fe80::4f0:c6ff:fe00:16/64 scope link
> valid_lft forever preferred_lft forever
> root@r-151-VM:~#
> Observation after restart - VPC :
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN qlen 1000
> link/ether 06:74:de:00:00:16 brd ff:ff:ff:ff:ff:ff
> inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
> inet 10.102.197.225/24 brd 10.102.197.255 scope global eth2
> inet6 fe80::474:deff:fe00:16/64 scope link
> valid_lft forever preferred_lft forever
> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
> link/ether 02:00:1a:94:00:03 brd ff:ff:ff:ff:ff:ff
> notes:
> a.Public IP's are assigned to private interface with VPC Restart
> b. PF/LB rules are not functional. Instances are not accessible.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
