Re: question about security group
%) because I created a advanced zone with isolation mode and that worked (access) ;) My network is ok because when I configure my zone with security groups I have access system vm and at my instances. Basic network and Advanced Networks work very differently. Advanced network uses VLANs which if configured incorrectly can lead to issues like the one you are facing. Thank you but when I mean configuration my zone with security group, I talk about advanced network and I check Isolation mode :) . Hi Clement, Comments inline. On 08-Aug-2014, at 12:18 am, clement mutz c.m...@servitics.fr wrote: Thanks you for your reply. I already trying to configure the firewall Rules (ex : http://i.imgur.com/oiGMMle.png). not access at my instances. From the VM instance, are you able to ICMP ping the virtual router? If you cant, then please check your network VLAN assignments and traffic label configurations I haven't access system vm (console, secondary storage). If you are not able to access the system VMs, then I would first make sure my Zone network configuration and the hypervisor network traffic types are configured correctly. My network is ok because when I configure my zone with security groups I have access system vm and at my instances. Basic network and Advanced Networks work very differently. Advanced network uses VLANs which if configured incorrectly can lead to issues like the one you are facing. What's wrong with my configuration ? I forgot something ? Start by running tcpdump along the network path and try to isolate the faulty network configuration. Sorry my bad english. I learning ;) Thanks you very much. No problems. Clément Comments inline. On 07-Aug-2014, at 6:24 pm, clement mutz c.m...@servitics.fr wrote: Hi Shanker, Look under Network - Select View - Security Groups. Thanks you, but the problem appear when I choose a advanced zone without security group. So I can't see Security Groups(http://i.imgur.com/WR18PPl.png) ;) Advanced zones you dont have security groups by default. Only EGRESS and INGRESS rules. How I can to configure the different access without security group ? Looking at your screenshot, go to Network - Isolated Network (vl400) - Egress Rules and Network - Isolated Network (vl400) - Source NAT - Configuration - Firewall Rules. The ML strips out attachment. You can use http://imgur.com to share images. Thanks for your information :) I can't choose Security group, when I created a zone with public network (I mean with nic public) (http://i.imgur.com/52bjasU.png and http://i.imgur.com/UN9RXR2.png)... I don't understand why. When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png). - Mail original - De: Shanker Balan shanker.ba...@shapeblue.com À: CloudStack-Users users@cloudstack.apache.org Envoyé: Jeudi 7 Août 2014 13:49:40 Objet: Re: question about security group Comments inline. On 07-Aug-2014, at 3:44 pm, clement mutz c.m...@servitics.fr wrote: Hi Tejas, I cannot see the security group in network tab. Look under Network - Select View - Security Groups. I can't choose Security group, when I created a zone with public network (I mean with nic public) (picture 1 and 2)... I don't understand why. When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (picture 3 and 4). The ML strips out attachment. You can use http://imgur.com to share images. -- @shankerbalan M: +91 98860 60539 | O: +91 (80) 67935867 shanker.ba...@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade Centre, Bangalore - 560 055 Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design Buildhttp://shapeblue.com/iaas-cloud-design-and-build// CSForge – rapid IaaS deployment frameworkhttp://shapeblue.com/csforge/ CloudStack Consultinghttp://shapeblue.com/cloudstack-consultancy/ CloudStack Infrastructure Supporthttp://shapeblue.com/cloudstack-infrastructure-support/ CloudStack Bootcamp Training Courseshttp://shapeblue.com/cloudstack-training/ This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England Wales. ShapeBlue Services India LLP is a company incorporated
Re: question about security group
--- 10.254.50.123 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.345/0.906/1.468/0.562 ms From my computing node I can ping gateway but not system vm : root@ubuntu:/# ping -c2 10.254.50.254 PING 10.254.50.254 (10.254.50.254) 56(84) bytes of data. 64 bytes from 10.254.50.254: icmp_req=1 ttl=64 time=1.14 ms 64 bytes from 10.254.50.254: icmp_req=2 ttl=64 time=0.238 ms --- 10.254.50.254 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.238/0.691/1.145/0.454 ms root@ubuntu:/# ping -c2 10.254.50.209 PING 10.254.50.209 (10.254.50.209) 56(84) bytes of data. --- 10.254.50.209 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1000ms There is a firewall hidden ? Hi Tejas, Thanks you for your reply. I already trying to configure the firewall Rules (ex : http://i.imgur.com/oiGMMle.png). not access at my instances. From the VM instance, are you able to ICMP ping the virtual router? If you cant, then please check your network VLAN assignments and traffic label configurations Yes very good point ! I can't ping the virtual router from the VM instance. So for validate my network I duplicate the network configuration creating by cloudstack on another xenserver (same environment, same switch ...) ;) . So on another xenserver I created two VM (with xencenter) and PING worked. Picture with network configuration creating by cloudstack (see vl41) http://i.imgur.com/K8Bo3kK.png . Picture with network configuration creating by me on another xen pool http://i.imgur.com/ieYD5Oy.png On Cloudstack my traffic label http://i.imgur.com/P7ZRbf7.png I haven't access system vm (console, secondary storage). If you are not able to access the system VMs, then I would first make sure my Zone network configuration and the hypervisor network traffic types are configured correctly. --- interfaces | with isolation mode | without isolation mode administration | Vl50 | Vl50 public | NONE | Vl60 guest | Vl60 | Vl50 Storage | Vl20 | Vl20 --- Like you see It's traffic label configuration. With isolation mode cloudstack work without problem. With isolation mode I declared My guest network (labbel Vl60) like public network (testing). And I can ping my Vms system console and storage and my instances by Public NIC. I can ping the administration network too (not possible without isolation mode) I make sure my zone network configuration (at 99%) because I created a advanced zone with isolation mode and that worked (access) ;) My network is ok because when I configure my zone with security groups I have access system vm and at my instances. Basic network and Advanced Networks work very differently. Advanced network uses VLANs which if configured incorrectly can lead to issues like the one you are facing. Thank you but when I mean configuration my zone with security group, I talk about advanced network and I check Isolation mode :) . Hi Clement, Comments inline. On 08-Aug-2014, at 12:18 am, clement mutz c.m...@servitics.fr wrote: Thanks you for your reply. I already trying to configure the firewall Rules (ex : http://i.imgur.com/oiGMMle.png). not access at my instances. From the VM instance, are you able to ICMP ping the virtual router? If you cant, then please check your network VLAN assignments and traffic label configurations I haven't access system vm (console, secondary storage). If you are not able to access the system VMs, then I would first make sure my Zone network configuration and the hypervisor network traffic types are configured correctly. My network is ok because when I configure my zone with security groups I have access system vm and at my instances. Basic network and Advanced Networks work very differently. Advanced network uses VLANs which if configured incorrectly can lead to issues like the one you are facing. What's wrong with my configuration ? I forgot something ? Start by running tcpdump along the network path and try to isolate the faulty network configuration. Sorry my bad english. I learning ;) Thanks you very much. No problems. Clément Comments inline. On 07-Aug-2014, at 6:24 pm, clement mutz c.m...@servitics.fr wrote: Hi Shanker, Look under Network - Select View - Security Groups. Thanks you, but the problem appear when I choose a advanced zone without security group. So I can't see Security Groups(http://i.imgur.com/WR18PPl.png) ;) Advanced zones you dont have security groups by default. Only EGRESS and INGRESS rules. How I can to configure the different access without security group ? Looking at your screenshot, go to Network - Isolated Network (vl400
Re: question about security group
Hi Skrev, Get the verbose iptables output. iptables -Lnv root@v-2-VM:/var/www# iptables -vnL Chain INPUT (policy DROP 77 packets, 25256 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo * 0.0.0.0/00.0.0.0/0 988 75720 ACCEPT all -- eth0 * 0.0.0.0/00.0.0.0/0 state RELATED,ESTABLISHED 4242 411K ACCEPT all -- eth1 * 0.0.0.0/00.0.0.0/0 state RELATED,ESTABLISHED 327 25304 ACCEPT all -- eth2 * 0.0.0.0/00.0.0.0/0 state RELATED,ESTABLISHED 0 0 DROP icmp -- * * 0.0.0.0/00.0.0.0/0 icmptype 13 0 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0 10 600 ACCEPT tcp -- eth0 * 0.0.0.0/00.0.0.0/0 state NEW tcp dpt:3922 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/00.0.0.0/0 state NEW tcp dpt:8001 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/00.0.0.0/0 state NEW tcp dpt:8001 0 0 ACCEPT tcp -- eth2 * 0.0.0.0/00.0.0.0/0 state NEW tcp dpt:443 0 0 ACCEPT tcp -- eth2 * 0.0.0.0/00.0.0.0/0 state NEW tcp dpt:80 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 5334 packets, 603K bytes) pkts bytes target prot opt in out source destination Get the verbose iptables output. iptables -Lnv 15. aug. 2014 18:24 skrev clement mutz c.m...@servitics.fr følgende: Hi, What's wrong with my configuration ? I forgot something ? Start by running tcpdump along the network path and try to isolate the faulty network configuration. Ok i running tcpdump on console proxy and i can see packets. With the following command on console proxy : tcpdump -vv -i eth1 Quote 16:05:14.378905 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46 16:05:15.377608 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46 16:05:16.377600 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46 16:05:17.395947 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46 16:05:18.393719 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.254.50.209 tell 10.254.50.45, length 46 16:05:18.828127 IP (tos 0x0, ttl 64, id 30676, offset 0, flags [DF], proto TCP (6), length 56) 10.254.50.201.58036 10.254.50.45.8250: Flags [P.], cksum 0x7b1c (incorrect - 0xdd06), seq 3973496:3973500, ack 1507845368, win 2641, options [nop,nop,TS val 826858 ecr 954898], length 4 seq 3973496:3973500, ack 1507845368, win eq 1:5, ack 217, win 331, options [nop,nop,TS val 956151 ecr 826868], length 4 16:05:18.883024 IP (tos 0x0, ttl 64, id 30678, offset 0, flags [DF], proto TCP (6), length 52) I see paquets come on my console proxy I didn't touch iptables rules iptables -L on console proxy : Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED DROP icmp -- anywhere anywhere icmp timestamp-request ACCEPT icmp -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:3922 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:8001 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:8001 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Thanks for your reply. Clément --- Hi, I give you my different tests, the first problem I can't ping system vm (internal nic and external nic) since same network (since computing node for exemple). I can ping a host from internal nic (10.254.50.0/24) since system vm. IP address of computing node 10.254.50.45. IP address of console proxy vm 10.254.50.209 On console proxy VM : root@v-2-VM:~# route -n Kernel IP routing table Destination
Re: question about security group
Hi Tejas, Thanks you for your reply. I already trying to configure the firewall Rules (ex : http://i.imgur.com/oiGMMle.png). not access at my instances. From the VM instance, are you able to ICMP ping the virtual router? If you cant, then please check your network VLAN assignments and traffic label configurations Yes very good point ! I can't ping the virtual router from the VM instance. So for validate my network I duplicate the network configuration creating by cloudstack on another xenserver (same environment, same switch ...) ;) . So on another xenserver I created two VM (with xencenter) and PING worked. Picture with network configuration creating by cloudstack (see vl41) http://i.imgur.com/K8Bo3kK.png . Picture with network configuration creating by me on another xen pool http://i.imgur.com/ieYD5Oy.png On Cloudstack my traffic label http://i.imgur.com/P7ZRbf7.png I haven't access system vm (console, secondary storage). If you are not able to access the system VMs, then I would first make sure my Zone network configuration and the hypervisor network traffic types are configured correctly. --- interfaces | with isolation mode | without isolation mode administration | Vl50 | Vl50 public | NONE | Vl60 guest | Vl60 | Vl50 Storage | Vl20 | Vl20 --- Like you see It's traffic label configuration. With isolation mode cloudstack work without problem. With isolation mode I declared My guest network (labbel Vl60) like public network (testing). And I can ping my Vms system console and storage and my instances by Public NIC. I can ping the administration network too (not possible without isolation mode) I make sure my zone network configuration (at 99%) because I created a advanced zone with isolation mode and that worked (access) ;) My network is ok because when I configure my zone with security groups I have access system vm and at my instances. Basic network and Advanced Networks work very differently. Advanced network uses VLANs which if configured incorrectly can lead to issues like the one you are facing. Thank you but when I mean configuration my zone with security group, I talk about advanced network and I check Isolation mode :) . Hi Clement, Comments inline. On 08-Aug-2014, at 12:18 am, clement mutz c.m...@servitics.fr wrote: Thanks you for your reply. I already trying to configure the firewall Rules (ex : http://i.imgur.com/oiGMMle.png). not access at my instances. From the VM instance, are you able to ICMP ping the virtual router? If you cant, then please check your network VLAN assignments and traffic label configurations I haven't access system vm (console, secondary storage). If you are not able to access the system VMs, then I would first make sure my Zone network configuration and the hypervisor network traffic types are configured correctly. My network is ok because when I configure my zone with security groups I have access system vm and at my instances. Basic network and Advanced Networks work very differently. Advanced network uses VLANs which if configured incorrectly can lead to issues like the one you are facing. What's wrong with my configuration ? I forgot something ? Start by running tcpdump along the network path and try to isolate the faulty network configuration. Sorry my bad english. I learning ;) Thanks you very much. No problems. Clément Comments inline. On 07-Aug-2014, at 6:24 pm, clement mutz c.m...@servitics.fr wrote: Hi Shanker, Look under Network - Select View - Security Groups. Thanks you, but the problem appear when I choose a advanced zone without security group. So I can't see Security Groups(http://i.imgur.com/WR18PPl.png) ;) Advanced zones you dont have security groups by default. Only EGRESS and INGRESS rules. How I can to configure the different access without security group ? Looking at your screenshot, go to Network - Isolated Network (vl400) - Egress Rules and Network - Isolated Network (vl400) - Source NAT - Configuration - Firewall Rules. The ML strips out attachment. You can use http://imgur.com to share images. Thanks for your information :) I can't choose Security group, when I created a zone with public network (I mean with nic public) (http://i.imgur.com/52bjasU.png and http://i.imgur.com/UN9RXR2.png)... I don't understand why. When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png). - Mail original - De: Shanker Balan shanker.ba...@shapeblue.com À: CloudStack-Users users@cloudstack.apache.org Envoyé: Jeudi 7 Août 2014 13:49:40 Objet: Re: question
question about security group
Hi community ! I'll try to create a zone with public network. I can't ping my VMs (Instances, systems VM). How I can to configure the different access ? Appreciate all helps. Best regards, Cloudstack 4.3 on centos.
Re: question about security group
Thanks you for your reply. I already trying to configure the firewall Rules (ex : http://i.imgur.com/oiGMMle.png). not access at my instances. I haven't access system vm (console, secondary storage). My network is ok because when I configure my zone with security groups I have access system vm and at my instances. What's wrong with my configuration ? I forgot something ? Sorry my bad english. I learning ;) Thanks you very much. Clément Comments inline. On 07-Aug-2014, at 6:24 pm, clement mutz c.m...@servitics.fr wrote: Hi Shanker, Look under Network - Select View - Security Groups. Thanks you, but the problem appear when I choose a advanced zone without security group. So I can't see Security Groups(http://i.imgur.com/WR18PPl.png) ;) Advanced zones you dont have security groups by default. Only EGRESS and INGRESS rules. How I can to configure the different access without security group ? Looking at your screenshot, go to Network - Isolated Network (vl400) - Egress Rules and Network - Isolated Network (vl400) - Source NAT - Configuration - Firewall Rules. The ML strips out attachment. You can use http://imgur.com to share images. Thanks for your information :) I can't choose Security group, when I created a zone with public network (I mean with nic public) (http://i.imgur.com/52bjasU.png and http://i.imgur.com/UN9RXR2.png)... I don't understand why. When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (http://i.imgur.com/EhBAbvC.png and http://i.imgur.com/GjhFOZD.png). - Mail original - De: Shanker Balan shanker.ba...@shapeblue.com À: CloudStack-Users users@cloudstack.apache.org Envoyé: Jeudi 7 Août 2014 13:49:40 Objet: Re: question about security group Comments inline. On 07-Aug-2014, at 3:44 pm, clement mutz c.m...@servitics.fr wrote: Hi Tejas, I cannot see the security group in network tab. Look under Network - Select View - Security Groups. I can't choose Security group, when I created a zone with public network (I mean with nic public) (picture 1 and 2)... I don't understand why. When I created a zone with security group no problem, I can use ACC Ingress and Egress rules but I haven't public interface (picture 3 and 4). The ML strips out attachment. You can use http://imgur.com to share images. -- @shankerbalan M: +91 98860 60539 | O: +91 (80) 67935867 shanker.ba...@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade Centre, Bangalore - 560 055 Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design Buildhttp://shapeblue.com/iaas-cloud-design-and-build// CSForge – rapid IaaS deployment frameworkhttp://shapeblue.com/csforge/ CloudStack Consultinghttp://shapeblue.com/cloudstack-consultancy/ CloudStack Infrastructure Supporthttp://shapeblue.com/cloudstack-infrastructure-support/ CloudStack Bootcamp Training Courseshttp://shapeblue.com/cloudstack-training/ This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark. -- @shankerbalan M: +91 98860 60539 | O: +91 (80) 67935867 shanker.ba...@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade Centre, Bangalore - 560 055 Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design Buildhttp://shapeblue.com/iaas-cloud-design-and-build// CSForge – rapid IaaS deployment frameworkhttp://shapeblue.com/csforge/ CloudStack Consultinghttp://shapeblue.com/cloudstack-consultancy/ CloudStack Infrastructure Supporthttp://shapeblue.com/cloudstack-infrastructure-support/ CloudStack Bootcamp Training Courseshttp://shapeblue.com/cloudstack-training/ This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent
Re: VM management Shut down alone
Hi, Sorry I didn't see your reply. I find my error. I launched management VM in same hypervisor that i'll use as a compute node. http://discussions.citrix.com/topic/350142-management-server-shut-down-alone/ Thanks you very much for your reply. Clément. - Mail original - De: Anoop Mohan linux.an...@gmail.com À: users@cloudstack.apache.org Envoyé: Mercredi 9 Avril 2014 19:16:38 Objet: Re: VM management Shut down alone grep -i -E 'exception|unable|fail|invalid|leak|warn|error' /var/log/cloudstack/management/management-server.log you will find the error in Cloud-management log On Tue, Apr 8, 2014 at 3:28 PM, clement mutz c.m...@servitics.fr wrote: Hi everybody, I installed a virtual machine centos with this tutorial http://docs.cloudstack.apache.org/projects/cloudstack-installation/en/latest/qig.html I have centos 6.5, xenserver 6.2 Installation finished with success. I have a web access http://IP:8080/client I'm ready for basic configuration. But 3 or 5 minute the VM shut down alone clearly. What's wrong with Virtual Machine. I must look where (log) ? Can you help me ? Thanks for your help. Clément. Responsable SI et RD -- Thanks Regards, Anoop Mohan
not access System vm without security group
Hi community, I use cloudstack 4.3 on centos with xenserver 6.2. I created an advanced zone without security group. I have 3 nics : - nics 1 for guest network (tagged Vlan 40) and administration network. - nics 2 for public network - nics 3 for storage network. I have a primary storage iscsi and my secondary storage locate on NFS server. I followed installation instruction (vhd-utils, cloud-install-sys-tmplt ...) No problem for creating my zone but I don't access (ping,ssh ...) at my system vms (network verified). I can add Instance ... But not access at my VMs and feature access console. When I created an advanced zone WITH security group. I don't have problems with System'vm. I can ping. I have access with view console when I create different instances. The only difference is nic public network. When I created an advanced zone WITH security group I can't use nic public network.. Why ? Where I can look for to help ? Thanks for your help ! Clément.
VM management Shut down alone
Hi everybody, I installed a virtual machine centos with this tutorial http://docs.cloudstack.apache.org/projects/cloudstack-installation/en/latest/qig.html I have centos 6.5, xenserver 6.2 Installation finished with success. I have a web access http://IP:8080/client I'm ready for basic configuration. But 3 or 5 minute the VM shut down alone clearly. What's wrong with Virtual Machine. I must look where (log) ? Can you help me ? Thanks for your help. Clément. Responsable SI et RD
