[ https://issues.apache.org/jira/browse/CLOUDSTACK-9339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15868238#comment-15868238 ]

ASF GitHub Bot commented on CLOUDSTACK-9339:
--------------------------------------------

Github user blueorangutan commented on the issue:

    https://github.com/apache/cloudstack/pull/1943
  
    <b>Trillian test result (tid-825)</b>
    Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
    Total time taken: 28120 seconds
    Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr1943-t825-kvm-centos7.zip
    Intermittent failure detected: /marvin/tests/smoke/test_privategw_acl.py
    Test completed. 48 look ok, 1 have error(s)
    
    
    Test | Result | Time (s) | Test File
    --- | --- | --- | ---
    test_04_rvpc_privategw_static_routes | `Failure` | 365.79 | test_privategw_acl.py
    test_01_vpc_site2site_vpn | Success | 160.33 | test_vpc_vpn.py
    test_01_vpc_remote_access_vpn | Success | 61.21 | test_vpc_vpn.py
    test_01_redundant_vpc_site2site_vpn | Success | 261.25 | test_vpc_vpn.py
    test_02_VPC_default_routes | Success | 259.02 | test_vpc_router_nics.py
    test_01_VPC_nics_after_destroy | Success | 475.40 | test_vpc_router_nics.py
    test_05_rvpc_multi_tiers | Success | 507.43 | test_vpc_redundant.py
    test_04_rvpc_network_garbage_collector_nics | Success | 1388.52 | test_vpc_redundant.py
    test_03_create_redundant_VPC_1tier_2VMs_2IPs_2PF_ACL_reboot_routers | Success | 543.26 | test_vpc_redundant.py
    test_02_redundant_VPC_default_routes | Success | 728.95 | test_vpc_redundant.py
    test_01_create_redundant_VPC_2tiers_4VMs_4IPs_4PF_ACL | Success | 1271.58 | test_vpc_redundant.py
    test_09_delete_detached_volume | Success | 151.63 | test_volumes.py
    test_08_resize_volume | Success | 156.47 | test_volumes.py
    test_07_resize_fail | Success | 156.47 | test_volumes.py
    test_06_download_detached_volume | Success | 156.36 | test_volumes.py
    test_05_detach_volume | Success | 150.76 | test_volumes.py
    test_04_delete_attached_volume | Success | 151.21 | test_volumes.py
    test_03_download_attached_volume | Success | 156.32 | test_volumes.py
    test_02_attach_volume | Success | 89.22 | test_volumes.py
    test_01_create_volume | Success | 711.25 | test_volumes.py
    test_03_delete_vm_snapshots | Success | 275.15 | test_vm_snapshots.py
    test_02_revert_vm_snapshots | Success | 95.76 | test_vm_snapshots.py
    test_01_create_vm_snapshots | Success | 159.69 | test_vm_snapshots.py
    test_deploy_vm_multiple | Success | 257.79 | test_vm_life_cycle.py
    test_deploy_vm | Success | 0.04 | test_vm_life_cycle.py
    test_advZoneVirtualRouter | Success | 0.03 | test_vm_life_cycle.py
    test_10_attachAndDetach_iso | Success | 26.69 | test_vm_life_cycle.py
    test_09_expunge_vm | Success | 125.66 | test_vm_life_cycle.py
    test_08_migrate_vm | Success | 41.04 | test_vm_life_cycle.py
    test_07_restore_vm | Success | 0.13 | test_vm_life_cycle.py
    test_06_destroy_vm | Success | 125.88 | test_vm_life_cycle.py
    test_03_reboot_vm | Success | 125.88 | test_vm_life_cycle.py
    test_02_start_vm | Success | 10.19 | test_vm_life_cycle.py
    test_01_stop_vm | Success | 40.36 | test_vm_life_cycle.py
    test_CreateTemplateWithDuplicateName | Success | 70.66 | test_templates.py
    test_08_list_system_templates | Success | 0.03 | test_templates.py
    test_07_list_public_templates | Success | 0.05 | test_templates.py
    test_05_template_permissions | Success | 0.08 | test_templates.py
    test_04_extract_template | Success | 5.16 | test_templates.py
    test_03_delete_template | Success | 5.10 | test_templates.py
    test_02_edit_template | Success | 90.14 | test_templates.py
    test_01_create_template | Success | 30.39 | test_templates.py
    test_10_destroy_cpvm | Success | 161.76 | test_ssvm.py
    test_09_destroy_ssvm | Success | 164.01 | test_ssvm.py
    test_08_reboot_cpvm | Success | 131.71 | test_ssvm.py
    test_07_reboot_ssvm | Success | 133.35 | test_ssvm.py
    test_06_stop_cpvm | Success | 131.91 | test_ssvm.py
    test_05_stop_ssvm | Success | 133.32 | test_ssvm.py
    test_04_cpvm_internals | Success | 1.23 | test_ssvm.py
    test_03_ssvm_internals | Success | 2.83 | test_ssvm.py
    test_02_list_cpvm_vm | Success | 0.13 | test_ssvm.py
    test_01_list_sec_storage_vm | Success | 0.13 | test_ssvm.py
    test_01_snapshot_root_disk | Success | 11.25 | test_snapshots.py
    test_04_change_offering_small | Success | 242.69 | test_service_offerings.py
    test_03_delete_service_offering | Success | 0.04 | test_service_offerings.py
    test_02_edit_service_offering | Success | 0.06 | test_service_offerings.py
    test_01_create_service_offering | Success | 0.11 | test_service_offerings.py
    test_02_sys_template_ready | Success | 0.13 | test_secondary_storage.py
    test_01_sys_vm_start | Success | 0.18 | test_secondary_storage.py
    test_09_reboot_router | Success | 35.30 | test_routers.py
    test_08_start_router | Success | 25.25 | test_routers.py
    test_07_stop_router | Success | 10.16 | test_routers.py
    test_06_router_advanced | Success | 0.07 | test_routers.py
    test_05_router_basic | Success | 0.04 | test_routers.py
    test_04_restart_network_wo_cleanup | Success | 5.58 | test_routers.py
    test_03_restart_network_cleanup | Success | 45.47 | test_routers.py
    test_02_router_internal_adv | Success | 0.85 | test_routers.py
    test_01_router_internal_basic | Success | 0.45 | test_routers.py
    test_router_dns_guestipquery | Success | 76.75 | test_router_dns.py
    test_router_dns_externalipquery | Success | 0.06 | test_router_dns.py
    test_router_dhcphosts | Success | 301.62 | test_router_dhcphosts.py
    test_router_dhcp_opts | Success | 21.60 | test_router_dhcphosts.py
    test_01_updatevolumedetail | Success | 0.07 | test_resource_detail.py
    test_01_reset_vm_on_reboot | Success | 161.07 | test_reset_vm_on_reboot.py
    test_createRegion | Success | 0.04 | test_regions.py
    test_create_pvlan_network | Success | 5.21 | test_pvlan.py
    test_dedicatePublicIpRange | Success | 0.43 | test_public_ip_range.py
    test_03_vpc_privategw_restart_vpc_cleanup | Success | 480.34 | test_privategw_acl.py
    test_02_vpc_privategw_static_routes | Success | 350.18 | test_privategw_acl.py
    test_01_vpc_privategw_acl | Success | 82.21 | test_privategw_acl.py
    test_01_primary_storage_nfs | Success | 35.82 | test_primary_storage.py
    test_createPortablePublicIPRange | Success | 15.20 | test_portable_publicip.py
    test_createPortablePublicIPAcquire | Success | 15.50 | test_portable_publicip.py
    test_isolate_network_password_server | Success | 86.42 | test_password_server.py
    test_UpdateStorageOverProvisioningFactor | Success | 0.15 | test_over_provisioning.py
    test_oobm_zchange_password | Success | 30.67 | test_outofbandmanagement.py
    test_oobm_multiple_mgmt_server_ownership | Success | 16.40 | test_outofbandmanagement.py
    test_oobm_issue_power_status | Success | 10.33 | test_outofbandmanagement.py
    test_oobm_issue_power_soft | Success | 10.35 | test_outofbandmanagement.py
    test_oobm_issue_power_reset | Success | 15.74 | test_outofbandmanagement.py
    test_oobm_issue_power_on | Success | 15.37 | test_outofbandmanagement.py
    test_oobm_issue_power_off | Success | 10.36 | test_outofbandmanagement.py
    test_oobm_issue_power_cycle | Success | 15.36 | test_outofbandmanagement.py
    test_oobm_enabledisable_across_clusterzones | Success | 72.75 | test_outofbandmanagement.py
    test_oobm_enable_feature_valid | Success | 5.18 | test_outofbandmanagement.py
    test_oobm_enable_feature_invalid | Success | 0.12 | test_outofbandmanagement.py
    test_oobm_disable_feature_valid | Success | 5.20 | test_outofbandmanagement.py
    test_oobm_disable_feature_invalid | Success | 0.12 | test_outofbandmanagement.py
    test_oobm_configure_invalid_driver | Success | 0.09 | test_outofbandmanagement.py
    test_oobm_configure_default_driver | Success | 0.09 | test_outofbandmanagement.py
    test_oobm_background_powerstate_sync | Success | 23.46 | test_outofbandmanagement.py
    test_extendPhysicalNetworkVlan | Success | 15.37 | test_non_contigiousvlan.py
    test_01_nic | Success | 424.66 | test_nic.py
    test_releaseIP | Success | 278.34 | test_network.py
    test_reboot_router | Success | 423.58 | test_network.py
    test_public_ip_user_account | Success | 10.28 | test_network.py
    test_public_ip_admin_account | Success | 40.30 | test_network.py
    test_network_rules_acquired_public_ip_3_Load_Balancer_Rule | Success | 67.16 | test_network.py
    test_network_rules_acquired_public_ip_2_nat_rule | Success | 62.02 | test_network.py
    test_network_rules_acquired_public_ip_1_static_nat_rule | Success | 124.45 | test_network.py
    test_delete_account | Success | 277.82 | test_network.py
    test_02_port_fwd_on_non_src_nat | Success | 55.68 | test_network.py
    test_01_port_fwd_on_src_nat | Success | 109.71 | test_network.py
    test_nic_secondaryip_add_remove | Success | 217.75 | test_multipleips_per_nic.py
    login_test_saml_user | Success | 19.41 | test_login.py
    test_assign_and_removal_lb | Success | 133.55 | test_loadbalance.py
    test_02_create_lb_rule_non_nat | Success | 187.40 | test_loadbalance.py
    test_01_create_lb_rule_src_nat | Success | 219.05 | test_loadbalance.py
    test_03_list_snapshots | Success | 0.06 | test_list_ids_parameter.py
    test_02_list_templates | Success | 0.04 | test_list_ids_parameter.py
    test_01_list_volumes | Success | 0.03 | test_list_ids_parameter.py
    test_07_list_default_iso | Success | 0.06 | test_iso.py
    test_05_iso_permissions | Success | 0.06 | test_iso.py
    test_04_extract_Iso | Success | 5.17 | test_iso.py
    test_03_delete_iso | Success | 95.24 | test_iso.py
    test_02_edit_iso | Success | 0.06 | test_iso.py
    test_01_create_iso | Success | 21.01 | test_iso.py
    test_04_rvpc_internallb_haproxy_stats_on_all_interfaces | Success | 208.55 | test_internal_lb.py
    test_03_vpc_internallb_haproxy_stats_on_all_interfaces | Success | 134.03 | test_internal_lb.py
    test_02_internallb_roundrobin_1RVPC_3VM_HTTP_port80 | Success | 535.75 | test_internal_lb.py
    test_01_internallb_roundrobin_1VPC_3VM_HTTP_port80 | Success | 425.51 | test_internal_lb.py
    test_dedicateGuestVlanRange | Success | 10.31 | test_guest_vlan_range.py
    test_UpdateConfigParamWithScope | Success | 0.14 | test_global_settings.py
    test_rolepermission_lifecycle_update | Success | 6.21 | test_dynamicroles.py
    test_rolepermission_lifecycle_list | Success | 6.01 | test_dynamicroles.py
    test_rolepermission_lifecycle_delete | Success | 5.89 | test_dynamicroles.py
    test_rolepermission_lifecycle_create | Success | 5.90 | test_dynamicroles.py
    test_rolepermission_lifecycle_concurrent_updates | Success | 6.05 | test_dynamicroles.py
    test_role_lifecycle_update_role_inuse | Success | 5.98 | test_dynamicroles.py
    test_role_lifecycle_update | Success | 11.01 | test_dynamicroles.py
    test_role_lifecycle_list | Success | 5.91 | test_dynamicroles.py
    test_role_lifecycle_delete | Success | 10.97 | test_dynamicroles.py
    test_role_lifecycle_create | Success | 5.92 | test_dynamicroles.py
    test_role_inuse_deletion | Success | 5.90 | test_dynamicroles.py
    test_role_account_acls_multiple_mgmt_servers | Success | 8.16 | test_dynamicroles.py
    test_role_account_acls | Success | 8.41 | test_dynamicroles.py
    test_default_role_deletion | Success | 6.00 | test_dynamicroles.py
    test_04_create_fat_type_disk_offering | Success | 0.09 | test_disk_offerings.py
    test_03_delete_disk_offering | Success | 0.04 | test_disk_offerings.py
    test_02_edit_disk_offering | Success | 0.05 | test_disk_offerings.py
    test_02_create_sparse_type_disk_offering | Success | 0.07 | test_disk_offerings.py
    test_01_create_disk_offering | Success | 0.11 | test_disk_offerings.py
    test_deployvm_userdispersing | Success | 20.74 | test_deploy_vms_with_varied_deploymentplanners.py
    test_deployvm_userconcentrated | Success | 20.64 | test_deploy_vms_with_varied_deploymentplanners.py
    test_deployvm_firstfit | Success | 80.84 | test_deploy_vms_with_varied_deploymentplanners.py
    test_deployvm_userdata_post | Success | 10.47 | test_deploy_vm_with_userdata.py
    test_deployvm_userdata | Success | 80.94 | test_deploy_vm_with_userdata.py
    test_02_deploy_vm_root_resize | Success | 6.01 | test_deploy_vm_root_resize.py
    test_01_deploy_vm_root_resize | Success | 6.05 | test_deploy_vm_root_resize.py
    test_00_deploy_vm_root_resize | Success | 222.54 | test_deploy_vm_root_resize.py
    test_deploy_vm_from_iso | Success | 212.64 | test_deploy_vm_iso.py
    test_DeployVmAntiAffinityGroup | Success | 50.90 | test_affinity_groups.py
    test_01_test_vm_volume_snapshot | Skipped | 0.00 | test_vm_snapshots.py
    test_06_copy_template | Skipped | 0.00 | test_templates.py
    test_static_role_account_acls | Skipped | 0.05 | test_staticroles.py
    test_11_ss_nfs_version_on_ssvm | Skipped | 0.02 | test_ssvm.py
    test_01_scale_vm | Skipped | 0.00 | test_scale_vm.py
    test_01_primary_storage_iscsi | Skipped | 0.04 | test_primary_storage.py
    test_nested_virtualization_vmware | Skipped | 0.00 | test_nested_virtualization.py
    test_06_copy_iso | Skipped | 0.00 | test_iso.py
    test_deploy_vgpu_enabled_vm | Skipped | 0.03 | test_deploy_vgpu_enabled_vm.py
    test_3d_gpu_support | Skipped | 0.04 | test_deploy_vgpu_enabled_vm.py



> Virtual Routers don't handle Multiple Public Interfaces
> -------------------------------------------------------
>
>                 Key: CLOUDSTACK-9339
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9339
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Virtual Router
>    Affects Versions: 4.8.0
>            Reporter: dsclose
>            Assignee: Murali Reddy
>              Labels: firewall, nat, router
>             Fix For: 4.10.0.0, 4.9.1.0
>
>
> There are a series of issues with the way Virtual Routers manage multiple 
> public interfaces. These are more pronounced on redundant virtual router 
> setups. I have not attempted to examine these issues in a VPC context. 
> Outside of a VPC context, however, the following is expected behaviour:
> * eth0 connects the router to the guest network.
> * In RvR setups, keepalived manages the guests' gateway IP as a virtual IP on 
> eth0.
> * eth1 provides a local link to the hypervisor, allowing Cloudstack to issue 
> commands to the router.
> * eth2 is the router's public interface. By default, a single public IP will 
> be set up on eth2 along with the necessary iptables and ip rules to source-NAT 
> guest traffic to that public IP.
> * When a public IP address is assigned to the router that is on a separate 
> subnet to the source-NAT IP, a new interface is configured, such as eth3, and 
> the IP is assigned to that interface.
> * This can result in eth3, eth4, eth5, etc. being created depending upon how 
> many public subnets the router has to work with.
> The above all works. The following, however, is currently not working:
> * Public interfaces should be set to DOWN on backup redundant routers. The 
> master.py script is responsible for setting public interfaces to UP during a 
> keepalived transition. Currently the check_is_up method of the CsIP class 
> brings all interfaces UP on both RvR. A proposed fix for this has been 
> discussed on the mailing list. That fix will leave public interfaces DOWN on 
> RvR allowing the keepalived transition to control the state of public 
> interfaces. Issue #1413 includes a commit that contradicts the proposed fix 
> so it is unclear what the current state of the code should be.
> * Newly created interfaces should be set to UP on master redundant routers. 
> Assuming public interfaces should by default be DOWN on an RvR we need to 
> accommodate the fact that, as interfaces are created, no keepalived 
> transition occurs. This means that assigning an IP from a new public subnet 
> will have no effect (as the interface will be down) until the network is 
> restarted with a "clean up."
> * Public interfaces other than eth2 do not forward traffic. There are two 
> iptables rules in the FORWARD chain of the filter table created for eth2 that 
> allow forwarding between eth2 and eth0. Equivalent rules are not created for 
> other public interfaces so forwarded traffic is dropped.
> * Outbound traffic from guest VMs does not honour static-NAT rules. Instead, 
> outbound traffic is source-NAT'd to the network's default source-NAT IP. New 
> connections from guests that are destined for public networks are processed 
> like so:
> 1. Traffic is matched against the following rule in the mangle table that 
> marks the connection with a 0x0:
> *mangle
> -A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark 0x0/0xffffffff
> 2. There are no "ip rule" statements that match a connection marked 0x0, so 
> the kernel routes the connection via the default gateway. That gateway is on 
> the source-NAT subnet, so the connection is routed out of eth2.
> 3. The following iptables rules are then matched in the filter table:
> *filter
> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
> -A FW_OUTBOUND -j FW_EGRESS_RULES
> -A FW_EGRESS_RULES -j ACCEPT
> 4. Finally, the following rule is matched from the nat table, where the IP 
> address is the source-NAT IP:
> *nat
> -A POSTROUTING -o eth2 -j SNAT --to-source 123.4.5.67
>  



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
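
Added example (not part of the original message or of the CloudStack code base): a Python check over an `iptables-save` dump that reports which public interfaces lack FORWARD rules paired with eth0, the gap the quoted issue describes for interfaces other than eth2, and lists the SNAT source address per outbound interface. The sample dump is constructed; the eth2 -> eth0 rule form, the interface name eth3 and the reading of "two rules" as one per direction are assumptions.

```python
import re
from collections import defaultdict

GUEST_IF = "eth0"  # guest-side interface named in the issue description

# Constructed iptables-save excerpt, not captured from a real router. The
# eth2 -> eth0 rule is an assumed form: the issue quotes only the eth0 -> eth2
# rule. eth3 stands for a second public interface with no FORWARD rules.
SAMPLE = """\
*filter
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j FW_EGRESS_RULES
-A FW_EGRESS_RULES -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth2 -j SNAT --to-source 123.4.5.67
COMMIT
"""

def parse_rules(dump):
    """Yield (table, chain, in_if, out_if, rule) for every -A line."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            opts = dict(re.findall(r"\s(-[io])\s+(\S+)", line))
            yield table, line.split()[1], opts.get("-i"), opts.get("-o"), line

def missing_forward_rules(dump, public_ifs, guest_if=GUEST_IF):
    """Map each public interface to the forwarding directions it lacks."""
    seen = defaultdict(set)  # in_if -> set of out_ifs with a FORWARD rule
    for table, chain, in_if, out_if, _ in parse_rules(dump):
        if table == "filter" and chain == "FORWARD" and in_if and out_if:
            seen[in_if].add(out_if)
    result = {}
    for pub in public_ifs:
        pairs = [(guest_if, pub), (pub, guest_if)]
        result[pub] = [f"{a}->{b}" for a, b in pairs if b not in seen[a]]
    return result

def snat_sources(dump):
    """Map outbound interface to SNAT --to-source addresses in nat/POSTROUTING."""
    found = defaultdict(list)
    for table, chain, _, out_if, rule in parse_rules(dump):
        m = re.search(r"-j SNAT --to-source (\S+)", rule)
        if table == "nat" and chain == "POSTROUTING" and out_if and m:
            found[out_if].append(m.group(1))
    return dict(found)

if __name__ == "__main__":
    print(missing_forward_rules(SAMPLE, ["eth2", "eth3"]), snat_sources(SAMPLE))
```

On a router, the dump would come from `iptables-save` and the interface list from the public NICs actually present.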
