[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-1452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13593914#comment-13593914
 ] 

Marcus Sorensen commented on CLOUDSTACK-1452:
---------------------------------------------

So, I hacked the vpc_ipassoc.sh script and the vpc_guestnw.sh script to sleep 5 
seconds before doing anything. I've rebooted my router several times, and the 
configuration has been consistent. Obviously this isn't how we want to fix 
things, but I think it confirms that the commands are being run before the 
hotplugged NICs are fully up.

In your example, are the 10.102's your guest networks and the 10.2 is supposed 
to be your public?

Attaching patch, please test if you can. When I run this I see in 
/var/log/messages that it is waiting occasionally for 1 second for the eth 
devices to come up, and things seem to work properly. I'm not completely sure 
this will fix the same problem you see, but it definitely fixes A problem :-) 
If you could include a snippet of your /var/log/messages from the VPC router  
when you see it get misconfigured it would help as well, since it has all of 
the info on what was passed in to the scripts. Also as mentioned clarify the 
10.102 vs the 10.2 and what they are supposed to be.

                
> Public IP's are assigned to private interface with VPC Restart [PF/LB rules 
> are not functional]
> -----------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-1452
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1452
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Network Controller
>    Affects Versions: 4.1.0
>            Reporter: Sailaja Mada
>            Assignee: Kishan Kavala
>            Priority: Critical
>             Fix For: 4.1.0
>
>         Attachments: management-server.log
>
>
> Steps:
> 1. Advanced Networking - KVM 6.3 host
> 2. Create VPC and add Tier1 with 1 instance
> 3. Configure PF or LB rule  [22-22]
> 4. Access Instance and ensure that PF/LB rules are functional
> Statistics of Router & VM Before restart :
> Router :
> root@r-151-VM:~# ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state 
> UNKNOWN qlen 1000
>     link/ether 0e:00:a9:fe:01:d3 brd ff:ff:ff:ff:ff:ff
>     inet 169.254.1.211/16 brd 169.254.255.255 scope global eth0
>     inet6 fe80::c00:a9ff:fefe:1d3/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state 
> UNKNOWN qlen 1000
>     link/ether 06:de:46:00:00:15 brd ff:ff:ff:ff:ff:ff
>     inet 10.102.196.222/24 brd 10.102.196.255 scope global eth1
>     inet6 fe80::4de:46ff:fe00:15/64 scope link
>        valid_lft forever preferred_lft forever
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state 
> UNKNOWN qlen 1000
>     link/ether 02:00:19:9f:00:01 brd ff:ff:ff:ff:ff:ff
>     inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
>     inet6 fe80::19ff:fe9f:1/64 scope link
>        valid_lft forever preferred_lft forever
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state 
> UNKNOWN qlen 1000
>     link/ether 06:f0:c6:00:00:16 brd ff:ff:ff:ff:ff:ff
>     inet 10.102.197.225/24 brd 10.102.197.255 scope global eth3
>     inet6 fe80::4f0:c6ff:fe00:16/64 scope link
>        valid_lft forever preferred_lft forever
> root@r-151-VM:~#
> root@r-151-VM:~# iptables --list
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             vrrp.mcast.net
> ACCEPT     all  --  anywhere             225.0.0.50
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp 
> dpt:3922
> ACCEPT     all  --  anywhere             anywhere            state 
> RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
> ACCEPT     udp  --  anywhere             10.2.0.1            udp dpt:domain
> ACCEPT     tcp  --  anywhere             10.2.0.1            tcp dpt:domain
> ACCEPT     tcp  --  anywhere             10.2.0.1            state NEW tcp 
> dpt:www
> ACCEPT     tcp  --  anywhere             10.2.0.1            state NEW tcp 
> dpt:http-alt
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere            state 
> RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere            !anywhere
> ACL_INBOUND_eth2  all  --  anywhere             10.2.0.0/24
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> Chain ACL_INBOUND_eth2 (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
> DROP       all  --  anywhere             anywhere
> Chain NETWORK_STATS (3 references)
> target     prot opt source               destination
>            all  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
> root@r-151-VM:~#
> Instance :
> [root@cbdbc436-ddbb-4d72-9ca4-96d8a417b6e9 ~]# iptables --list
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     esp  --  anywhere             anywhere
> ACCEPT     ah   --  anywhere             anywhere
> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
> ACCEPT     all  --  anywhere             anywhere            state 
> RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp 
> dpt:ssh
> REJECT     all  --  anywhere             anywhere            reject-with 
> icmp-host-prohibited
> [root@cbdbc436-ddbb-4d72-9ca4-96d8a417b6e9 ~]# ifconfig
> eth0      Link encap:Ethernet  HWaddr 02:00:60:1C:00:02
>           inet addr:10.2.0.127  Bcast:10.2.0.255  Mask:255.255.255.0
>           inet6 addr: fe80::60ff:fe1c:2/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:180 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:170 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:16010 (15.6 KiB)  TX bytes:22842 (22.3 KiB)
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:32 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:4076 (3.9 KiB)  TX bytes:4076 (3.9 KiB)
> [root@cbdbc436-ddbb-4d72-9ca4-96d8a417b6e9 ~]#
> Statistics after restarting VPC :
> root@r-155-VM:~# ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state 
> UNKNOWN qlen 1000
>     link/ether 0e:00:a9:fe:02:88 brd ff:ff:ff:ff:ff:ff
>     inet 169.254.2.136/16 brd 169.254.255.255 scope global eth0
>     inet6 fe80::c00:a9ff:fefe:288/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state 
> UNKNOWN qlen 1000
>     link/ether 06:4a:24:00:00:15 brd ff:ff:ff:ff:ff:ff
>     inet 10.102.196.222/24 brd 10.102.196.255 scope global eth1
>     inet6 fe80::44a:24ff:fe00:15/64 scope link
>        valid_lft forever preferred_lft forever
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state 
> UNKNOWN qlen 1000
>     link/ether 06:74:de:00:00:16 brd ff:ff:ff:ff:ff:ff
>     inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
>     inet 10.102.197.225/24 brd 10.102.197.255 scope global eth2
>     inet6 fe80::474:deff:fe00:16/64 scope link
>        valid_lft forever preferred_lft forever
> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>     link/ether 02:00:1a:94:00:03 brd ff:ff:ff:ff:ff:ff
> root@r-155-VM:~#
> root@r-155-VM:~# ifconfig
> eth0      Link encap:Ethernet  HWaddr 0e:00:a9:fe:02:88
>           inet addr:169.254.2.136  Bcast:169.254.255.255  Mask:255.255.0.0
>           inet6 addr: fe80::c00:a9ff:fefe:288/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:410 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:355 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:63392 (61.9 KiB)  TX bytes:64251 (62.7 KiB)
> eth1      Link encap:Ethernet  HWaddr 06:4a:24:00:00:15
>           inet addr:10.102.196.222  Bcast:10.102.196.255  Mask:255.255.255.0
>           inet6 addr: fe80::44a:24ff:fe00:15/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:305 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:15516 (15.1 KiB)  TX bytes:404 (404.0 B)
> eth2      Link encap:Ethernet  HWaddr 06:74:de:00:00:16
>           inet addr:10.2.0.1  Bcast:10.2.0.255  Mask:255.255.255.0
>           inet6 addr: fe80::474:deff:fe00:16/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:126 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:8080 (7.8 KiB)  TX bytes:404 (404.0 B)
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:6 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:414 (414.0 B)  TX bytes:414 (414.0 B)
> root@r-155-VM:~#
> root@r-155-VM:~# iptables --list
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             vrrp.mcast.net
> ACCEPT     all  --  anywhere             225.0.0.50
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp 
> dpt:3922
> ACCEPT     all  --  anywhere             anywhere            state 
> RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
> ACCEPT     udp  --  anywhere             10.2.0.1            udp dpt:domain
> ACCEPT     tcp  --  anywhere             10.2.0.1            tcp dpt:domain
> ACCEPT     tcp  --  anywhere             10.2.0.1            state NEW tcp 
> dpt:www
> ACCEPT     tcp  --  anywhere             10.2.0.1            state NEW tcp 
> dpt:http-alt
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere            state 
> RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere            !anywhere
> ACL_INBOUND_eth2  all  --  anywhere             10.2.0.0/24
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> Chain ACL_INBOUND_eth2 (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
> DROP       all  --  anywhere             anywhere
> Chain NETWORK_STATS (3 references)
> target     prot opt source               destination
>            all  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
> root@r-155-VM:~#
> Observation before restart - VPC :
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state 
> UNKNOWN qlen 1000
>     link/ether 02:00:19:9f:00:01 brd ff:ff:ff:ff:ff:ff
>     inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
>     inet6 fe80::19ff:fe9f:1/64 scope link
>        valid_lft forever preferred_lft forever
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state 
> UNKNOWN qlen 1000
>     link/ether 06:f0:c6:00:00:16 brd ff:ff:ff:ff:ff:ff
>     inet 10.102.197.225/24 brd 10.102.197.255 scope global eth3
>     inet6 fe80::4f0:c6ff:fe00:16/64 scope link
>        valid_lft forever preferred_lft forever
> root@r-151-VM:~#
> Observation after restart - VPC :
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state 
> UNKNOWN qlen 1000
>     link/ether 06:74:de:00:00:16 brd ff:ff:ff:ff:ff:ff
>     inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
>     inet 10.102.197.225/24 brd 10.102.197.255 scope global eth2
>     inet6 fe80::474:deff:fe00:16/64 scope link
>        valid_lft forever preferred_lft forever
> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>     link/ether 02:00:1a:94:00:03 brd ff:ff:ff:ff:ff:ff
> notes: 
> a. Public IP's are assigned to private interface with VPC Restart 
> b. PF/LB rules are not functional. Instances are not accessible. 
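
The comment above contrasts a fixed `sleep 5` with waiting for the hotplugged eth devices to come up. The following is an added example of such a bounded wait, not the attached patch and not CloudStack's code. The function names, the `SYSFS_NET` override, the syslog tag and the optional MAC check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: bounded wait for a hotplugged NIC instead of a fixed sleep.
# SYSFS_NET is overridable (assumption) so the functions can be exercised
# against a constructed directory tree; on a router it is /sys/class/net.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Log to syslog so each wait is visible in /var/log/messages; never fail on it.
log() { logger -t vpc_nic_wait "$*" 2>/dev/null || true; }

# nic_is_ready DEV [MAC]
# Ready means the kernel has registered DEV and, when MAC is given, DEV
# carries that hardware address. The MAC check guards against applying an
# address to a device that holds the expected name but is a different NIC.
nic_is_ready() {
    dev="$1"; want_mac="$2"
    [ -r "$SYSFS_NET/$dev/address" ] || return 1
    [ -z "$want_mac" ] && return 0
    have_mac=$(tr 'A-F' 'a-f' < "$SYSFS_NET/$dev/address")
    [ "$have_mac" = "$(printf '%s' "$want_mac" | tr 'A-F' 'a-f')" ]
}

# wait_for_nic DEV TIMEOUT_SECONDS [MAC]
# Polls once per second. Returns 0 as soon as DEV is ready, 1 if
# TIMEOUT_SECONDS elapse first, so the caller can stop instead of
# configuring an interface that is not there yet.
wait_for_nic() {
    dev="$1"; timeout="$2"; mac="$3"; waited=0
    until nic_is_ready "$dev" "$mac"; do
        if [ "$waited" -ge "$timeout" ]; then
            log "giving up on $dev after ${waited}s; not applying config"
            return 1
        fi
        log "waiting for $dev to appear (${waited}s so far)"
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Intended call site at the top of a configuration script (hypothetical):
#   wait_for_nic "$ethDev" 15 || exit 1
```

Returning non-zero on timeout lets the calling script abort rather than assign an address or install rules against a device that is not ready.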
