[
https://issues.apache.org/jira/browse/CLOUDSTACK-1850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13636212#comment-13636212
]
Jayapal Reddy commented on CLOUDSTACK-1850:
-------------------------------------------
The iptables issue is not reproduced now.
Checked in the master, the latest commit is
96cf79535fb68881d7d191109ffa6d8f504e3136
1. I created 6 routers in my setup (XenServer host).
2. All the routers came up with the default iptables rules and the FW_OUTBOUND chain
is configured.
When this issue happened earlier, I observed the below error messages in the boot logs
of the router.
iptables-restore v1.4.8: iptables-restore: unable to initialize table 'nat'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Twice I observed the below message.
iptables-restore: line 28 failed
The above errors disappeared after iptables-persistent was added to the Required-Start:
of the cloud-passwd-srvr script
Required-Start: mountkernfs $local_fs cloud-early-config iptables-persistent
In the current setup the default iptables rules are loaded successfully.
Pasted the router boot logs.
In the below logs the first iptables-persistent start failed.
insserv: Service iptables-persistent has to be enabled to start service
cloud-passwd-srvr
insserv: exiting now!
After the cloud-early-config script, iptables-persistent ran. You can see the lsmod |
grep nf_ output in the logs.
I added lsmod command into iptables-persistent script.
Now the iptables-restore successfully loaded the default iptables rules from
the /etc/iptables/rules.
I am marking this bug as can't reproduce now.
It can be reopened if the issue is seen again.
------
[ 3.228306] PCI: Fatal: No config space access function found
[ 3.269467] isapnp: Write Data Register 0xa79 already used
[ 3.274086] i8042.c: No controller found.
Loading, please wait...
INIT: version 2.88 booting
Using makefile-style concurrent boot in runlevel S.
Starting the hotplug events dispatcher: udevd.
Synthesizing the initial hotplug events...done.
Waiting for /dev to be fully populated...[ 4.004585] Error: Driver 'pcspkr'
is already registered, aborting...
done.
Activating swap...done.
Checking root file system...fsck from util-linux-ng 2.17.2
ROOT: clean, 17547/262144 files, 125021/524287 blocks
done.
Cleaning up ifupdown....
Loading kernel modules...done.
Setting up networking....
Activating lvm and md swap...done.
Checking file systems...fsck from util-linux-ng 2.17.2
done.
Mounting local filesystems...done.
Activating swapfile swap...done.
Cleaning up temporary files....
Setting kernel variables ...done.
Configuring network interfaces...done.
Executing cloud-early-config...Executing cloud-early-config...Detected that we
are running inside xen-domU guest...mount: none already mounted or /proc/xen
busy
mount: according to mtab, none is already mounted on /proc/xen
Patching cloud service...mount: none already mounted or /proc/xen busy
mount: according to mtab, none is already mounted on /proc/xen
Cleaning up temporary files....
modprobe: FATAL: Error inserting padlock_sha
(/lib/modules/2.6.32-5-686-bigmem/kernel/drivers/crypto/padlock-sha.ko): No
such device
modprobe: FATAL: Error inserting padlock_sha
(/lib/modules/2.6.32-5-686-bigmem/kernel/drivers/crypto/padlock-sha.ko): No
such device
Loading IPsec SA/SP database:
- /etc/ipsec-tools.conf
done.
insserv: Service iptables-persistent has to be enabled to start service
cloud-passwd-srvr
insserv: exiting now!
/sbin/insserv failed, exit code 1
Setting up virtual router system vm...ifdown: interface eth0 not configured
ifdown: interface eth1 not configured
ifdown: interface eth2 not configured
RTNETLINK answers: No such process
checking that eth2 has IP before setting default route to
10.147.52.1...checking that eth2 has IP before setting default route to
10.147.52.1
PING 10.147.52.1 (10.147.52.1): 56 data bytes
64 bytes from 10.147.52.1: icmp_seq=0 ttl=64 time=6.283 ms
64 bytes from 10.147.52.1: icmp_seq=1 ttl=64 time=1.353 ms
64 bytes from 10.147.52.1: icmp_seq=2 ttl=64 time=1.403 ms
--- 10.147.52.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.353/3.013/6.283/2.312 ms
Checking udev NIC assignment order changes...WARNING: All config files need
.conf: /etc/modprobe.d/aesni_intel, it will be ignored in a future release.
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
WARNING: All config files need .conf: /etc/modprobe.d/aesni_intel, it will be
ignored in a future release.
FATAL: Module aesni_intel not found.
Setting up dnsmasq...Setting up apache web server...Enable service dnsmasq =
1...Enable service haproxy = 1...Enable service cloud-passwd-srvr = 1...Enable
service cloud = 0...cloud: Tuning rp_filter on public interfaces...rpfilter
public interfaces : eth2...cloud: disable rp_filter on public
interfaces...cloud: disable rp_filter on public interface: eth2...cloud:
Enabling rp_filter on Non-public interfaces(eth0,eth1,lo)...cloud:
enable_fwding = 1...enable_fwding = 1...done.
WARNING: All config files need .conf: /etc/modprobe.d/aesni_intel, it will be
ignored in a future release.
nf_nat_ftp 1519 0
nf_nat 10568 1 nf_nat_ftp
nf_conntrack_ftp 4272 1 nf_nat_ftp
nf_conntrack_ipv4 7597 2 nf_nat
nf_defrag_ipv4 779 1 nf_conntrack_ipv4
nf_conntrack 38083 4
nf_nat_ftp,nf_nat,nf_conntrack_ftp,nf_conntrack_ipv4
INIT: Entering runlevel: 2
Using makefile-style concurrent boot in runlevel 2.
Starting haproxy: haproxy[WARNING] 108/015202 (1903) : config : 'stats'
statement ignored for proxy 'cloud-default' as it requires HTTP mode.
[WARNING] 108/015202 (1903) : config : 'option forwardfor' ignored for proxy
'cloud-default' as it requires HTTP mode.
[WARNING] 108/015202 (1903) : config : 'option forceclose' ignored for proxy
'cloud-default' as it requires HTTP mode.
.
Not starting as we're not running in a vm.
Starting enhanced syslogd: rsyslogd.
Starting ACPI services...RTNETLINK1 answers: No such file or directory
acpid: error talking to the kernel via netlink
.
Detecting Linux distribution version: OK
Starting xe daemon: OK
Starting DNS forwarder and DHCP server: dnsmasq.
Starting the system activity data collector: sadc.
Starting OpenBSD Secure Shell server: sshd.
Starting web server: apache2apache2: Could not reliably determine the server's
fully qualified domain name, using 10.1.1.1 for ServerName
.
Starting periodic command scheduler: cron.
Starting OpenBSD Secure Shell server: sshd.
Starting haproxy: haproxy/usr/sbin/haproxy already running.
failed!
Starting web server: apache2apache2: Could not reliably determine the server's
> IPTABLE default rules are not configured in the INPUT chain & FW_OUTBOUND
> chain is not present
> -----------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-1850
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1850
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Network Controller
> Affects Versions: 4.2.0
> Environment: - Commit Id # 94de31ebada689a766809e0b73faf567a079c79a
> - Advanced zone with Xen Cluster
> root@r-6-VM:~# cat /etc/cloudstack-release
> Cloudstack Release 4.2.0 Thu Mar 28 04:09:55 UTC 2013
> Reporter: venkata swamybabu budumuru
> Assignee: Jayapal Reddy
> Priority: Blocker
> Fix For: 4.2.0
>
> Attachments: logs.29.tgz
>
>
> Steps to reproduce :
> 1. Have at least one ISOLATED network created
> 2. Deploy a VM with at least one nic connected to the above isolated network
> 3. Verify iptables on the newly deployed router VM for the above isolated
> network
> Observations :
> 1. It doesn't have any default outbound rules (like for ports 53, 67 etc.)
> configured, but things go fine because the policy for the INPUT chain is set to
> ACCEPT by default.
> 2. All the egress from VM is by default working / allowed because FORWARD
> chain is not configured with "FW_OUTBOUND" Chain.
> Here is the snippet of router vm for "iptables -L -nv"
> root@r-6-VM:~# iptables -L -nv
> Chain INPUT (policy ACCEPT 2032 packets, 305K bytes)
> pkts bytes target prot opt in out source
> destination
> 2149 320K NETWORK_STATS all -- * * 0.0.0.0/0
> 0.0.0.0/0
> Chain FORWARD (policy ACCEPT 18 packets, 1419 bytes)
> pkts bytes target prot opt in out source
> destination
> 36 8380 NETWORK_STATS all -- * * 0.0.0.0/0
> 0.0.0.0/0
> 18 6961 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0
> state RELATED,ESTABLISHED
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 10.1.2.235 state RELATED,ESTABLISHED /* 10.147.44.61:22:22 */
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 10.1.2.235 tcp dpt:22 state NEW /* 10.147.44.61:22:22 */
> Chain OUTPUT (policy ACCEPT 1930 packets, 340K bytes)
> pkts bytes target prot opt in out source
> destination
> 2056 358K NETWORK_STATS all -- * * 0.0.0.0/0
> 0.0.0.0/0
> Chain NETWORK_STATS (3 references)
> pkts bytes target prot opt in out source
> destination
> 18 1419 all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
>
> 18 6961 all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0
>
> 0 0 tcp -- !eth0 eth2 0.0.0.0/0 0.0.0.0/0
>
> 0 0 tcp -- eth2 !eth0 0.0.0.0/0 0.0.0.0/0
>
> Attaching vmops.log, api.log, /var/log/messages, cloud.log from router etc..,
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
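The failure mode in this issue is a quiet one: when iptables-restore runs before the netfilter modules are loaded, the router boots with an empty FORWARD chain and every guest egress is allowed because the policy is ACCEPT. The following shell check is an added example, not CloudStack's own code or anything from the thread; it parses an iptables-save style dump and verifies that the FW_OUTBOUND chain is declared, that FORWARD actually jumps to it, and that INPUT carries more than the NETWORK_STATS accounting jump. The two sample dumps are constructed for this example and only mirror the shape of the ruleset pasted in the report (the DNS/DHCP INPUT rules in the healthy dump are an assumption about what "default rules for ports 53, 67" look like, not the project's real ruleset).

```shell
#!/bin/sh
# Added example (not CloudStack code): sanity-check a router VM's filter table so a
# fail-open boot like the one in CLOUDSTACK-1850 is detected instead of going unnoticed.
# Input is text in iptables-save format, e.g. check_egress_chain "$(iptables-save)".

# Constructed dump mirroring the broken ruleset from the report: only NETWORK_STATS
# jumps, no FW_OUTBOUND chain, no explicit INPUT rules.
BROKEN_DUMP='*filter
:INPUT ACCEPT [2032:305000]
:FORWARD ACCEPT [18:1419]
:OUTPUT ACCEPT [1930:340000]
:NETWORK_STATS - [0:0]
-A INPUT -j NETWORK_STATS
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j NETWORK_STATS
COMMIT'

# Constructed dump of what a correctly booted router is expected to look like
# (assumed rules: DNS/DHCP accepted on the guest side, guest egress routed through
# FW_OUTBOUND).
HEALTHY_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:NETWORK_STATS - [0:0]
:FW_OUTBOUND - [0:0]
-A INPUT -j NETWORK_STATS
-A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 67 -j ACCEPT
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j NETWORK_STATS
COMMIT'

# check_egress_chain DUMP
# Returns 0 when FW_OUTBOUND is declared (":FW_OUTBOUND - [...]") and FORWARD
# contains a rule that jumps to it; returns 1 and reports the reason otherwise.
check_egress_chain() {
    dump="$1"
    if ! printf '%s\n' "$dump" | grep -q '^:FW_OUTBOUND '; then
        echo "FAIL: chain FW_OUTBOUND is not declared" >&2
        return 1
    fi
    if ! printf '%s\n' "$dump" | grep -q '^-A FORWARD .*-j FW_OUTBOUND'; then
        echo "FAIL: FORWARD never jumps to FW_OUTBOUND (egress is wide open)" >&2
        return 1
    fi
    echo "OK: FW_OUTBOUND declared and referenced from FORWARD"
    return 0
}

# count_input_rules DUMP
# Prints the number of INPUT rules other than the NETWORK_STATS accounting jump;
# 0 means the default INPUT rules were never loaded.
count_input_rules() {
    # grep -c prints 0 and exits 1 when nothing matches, so swallow that status.
    printf '%s\n' "$1" | grep '^-A INPUT ' | grep -vc 'NETWORK_STATS' || true
}

# Self-demo on the constructed dumps: the report's shape is rejected, the
# healthy one passes.
check_egress_chain "$BROKEN_DUMP" || echo "broken dump rejected as expected"
echo "INPUT rules in broken dump: $(count_input_rules "$BROKEN_DUMP")"
check_egress_chain "$HEALTHY_DUMP"
echo "INPUT rules in healthy dump: $(count_input_rules "$HEALTHY_DUMP")"
```

On a live router the same check is `check_egress_chain "$(iptables-save)"`; its non-zero exit status makes it easy to hook into a post-boot health check or a monitoring probe, which is the place a silently missing chain would otherwise hide.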