ccycv opened a new issue #4158:
URL: https://github.com/apache/cloudstack/issues/4158
##### ISSUE TYPE
* Bug Report
##### COMPONENT NAME
~~~
VR
~~~
##### CLOUDSTACK VERSION
~~~
4.14
~~~
##### CONFIGURATION
~~~
Upgraded to 4.14 from 4.11, Cloudstack + VMware 6.0 configured with Basic
Networking
~~~
##### OS / ENVIRONMENT
~~~
CentOS 7
~~~
##### SUMMARY
~~~
I found out that there is a firewall issue and an sshd config issue on the VR
on this ACS version (4.14) when it is configured with basic networking.
By default the management server is able to establish an ssh connection with
the VR only via the local IP: eth1 172.11.0.167/24, but in order to run the
health check it is trying to connect via the public IPs of the VR, which is not
possible because of this:
sshd config:
Port 3922
#AddressFamily any
ListenAddress 172.11.0.167, here I changed it to 0.0.0.0
iptables:
-A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED
-j ACCEPT (the rule for eth0 is missing); in basic networking it will not work
without this. I have added a rule to allow eth0 as well.
Regarding the password issue:
in the VR iptables there is only this rule:
-A INPUT -s 158.xx.xx.224/28 -i eth0 -p tcp -m tcp --dport 8080 -m state
--state NEW -j ACCEPT, only for the first, main public IP, not for all the IPs,
so I have added a rule to allow 8080 on each public IP from this router.
root@r-3480-VM:~#
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP group default qlen 1000
link/ether 1e:00:91:00:00:33 brd ff:ff:ff:ff:ff:ff
inet 158.xx.xx.226/28 brd 158.xx.xx.239 scope global eth0
valid_lft forever preferred_lft forever
inet 167.xxx.xx.246/28 brd 167.xxx.xx.255 scope global eth0
valid_lft forever preferred_lft forever
inet 149.xx.xxx.80/27 brd 149.xx.xxx.95 scope global eth0
valid_lft forever preferred_lft forever
inet 192.xx.xxx.79/26 brd 192.xx.xxx.127 scope global eth0
valid_lft forever preferred_lft forever
inet 198.xx.xxx.162/27 brd 198.xx.xxx.191 scope global eth0
valid_lft forever preferred_lft forever
inet 149.xx.xxx.99/27 brd 149.xx.xxx.127 scope global eth0
valid_lft forever preferred_lft forever
inet 144.xxx.xx.199/27 brd 144.xxx.xx.223 scope global eth0
valid_lft forever preferred_lft forever
inet 144.xxx.xxx.177/27 brd 144.xxx.xxx.191 scope global eth0
valid_lft forever preferred_lft forever
inet 66.xxx.xxx.133/27 brd 66.xx.xxx.159 scope global eth0
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP group default qlen 1000
link/ether 02:00:57:d0:02:14 brd ff:ff:ff:ff:ff:ff
inet 172.11.0.167/24 brd 172.11.0.255 scope global eth1
valid_lft forever preferred_lft forever
root@r-3480-VM:~#
VR Log : https://gist.github.com/ccycv/027f31366afe909772bf0592df7b1030
Management log :
https://gist.github.com/ccycv/1990d18d0d970fb4e90b0e8f96415c12
Everything works now, until I destroy the router and I have to reconfigure it
again.
~~~
##### STEPS TO REPRODUCE
~~~
Destroy router, redeploy.
~~~
##### EXPECTED RESULTS
~~~
No issue, generated password for VM to work and health check (VR) to be
performed without issue.
~~~
##### ACTUAL RESULTS
~~~
Password for VMs not working, it didn't update the password; the health check
for the VR is failing.
~~~
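An audit helper for the gap described in this report, added here as an example and not part of CloudStack or the reporter's workaround: it reads the text of `ip addr` and `iptables -S INPUT` and lists every eth0 subnet that has no INPUT rule accepting NEW tcp/8080 (the VR password server) from that subnet. The sample `ip addr` and iptables text below is constructed; on a live VR you would pipe the real command output in.

```shell
#!/bin/sh
# Added audit example (not CloudStack code). Finds eth0 subnets on a basic-network
# VR whose password-server port (tcp/8080) is not opened by an iptables INPUT rule.

# subnet_of ADDR/PREFIX -> NETWORK/PREFIX, e.g. 10.1.2.226/28 -> 10.1.2.224/28
subnet_of() {
    printf '%s\n' "$1" | awk -F'[./]' '{
        ip = $1 * 16777216 + $2 * 65536 + $3 * 256 + $4
        p = $5; net = ip - (ip % (2 ^ (32 - p)))        # clear the host bits
        printf "%d.%d.%d.%d/%d\n", int(net / 16777216) % 256, int(net / 65536) % 256,
               int(net / 256) % 256, net % 256, p }'
}

# eth0_subnets: `ip addr` text on stdin -> one subnet per IPv4 address labelled eth0
eth0_subnets() {
    awk '$1 == "inet" && $NF == "eth0" { print $2 }' |
        while read -r cidr; do subnet_of "$cidr"; done
}

# allowed_8080_subnets: `iptables -S INPUT` text on stdin -> the -s value of every
# rule that accepts NEW tcp/8080 arriving on eth0
allowed_8080_subnets() {
    awk '/^-A INPUT/ && /-i eth0/ && /--dport 8080/ && /--state NEW/ && /-j ACCEPT/ {
        for (i = 1; i < NF; i++) if ($i == "-s") print $(i + 1) }'
}

# missing_8080_rules IPADDR_TEXT IPTABLES_TEXT -> eth0 subnets lacking an 8080 rule
missing_8080_rules() {
    allowed=" $(printf '%s\n' "$2" | allowed_8080_subnets | tr '\n' ' ') "
    printf '%s\n' "$1" | eth0_subnets | while read -r net; do
        case "$allowed" in *" $net "*) ;; *) printf '%s\n' "$net" ;; esac
    done
}

# Constructed sample: two public subnets on eth0, one local address on eth1.
SAMPLE_IP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 10.1.2.226/28 brd 10.1.2.239 scope global eth0
    inet 10.2.0.99/27 brd 10.2.0.127 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 172.11.0.167/24 brd 172.11.0.255 scope global eth1'
# Constructed sample: only the first public subnet may reach 8080, as in the report.
SAMPLE_IPT='-A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.1.2.224/28 -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT'

missing_8080_rules "$SAMPLE_IP" "$SAMPLE_IPT"   # prints the second subnet only
```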