Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
If we were to change / add a VPN protocol, I would suggest WireGuard.

OpenVPN is great, but key-based installation is much more difficult / painful to configure on Windows-based clients / mobile clients (Android, iOS).

OpenVPN's easier deployment is on Access Server, which is a paid service (correct me if I am wrong).

On Thu, Jun 10, 2021 at 9:31 PM Stênio Firmino wrote:

> OpenVPN support will be great. S2S
> --
> Stênio Firmino Filho
> Head of Technical Section - SCINT - CETiSP
> Superintendência de Tecnologia da Informação
> Universidade de São Paulo
> Av. Prof. Luciano Gualberto, travessa 3, 71
> CEP 05.508-010 - São Paulo/SP
>
> On Thu, Jun 10, 2021 at 8:46 AM Andrija Panic wrote:
>
> > +1
> >
> > as it's, these days, a de facto standard for every VPN device/provider - and there is great support with OpenVPN clients for all client Operating Systems.
> >
> > On Thu, 10 Jun 2021 at 11:24, Alex Mattioli wrote:
> >
> > > +1 on OpenVPN, and then a framework later on.
> > >
> > > -----Original Message-----
> > > From: Rohit Yadav
> > > Sent: 10 June 2021 10:25
> > > To: d...@cloudstack.apache.org; users@cloudstack.apache.org
> > > Subject: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
> > >
> > > All,
> > >
> > > We've historically supported openswan and nowadays strongswan as the VPN provider in VR for both site-to-site and remote access modes. After discussing the situation with a few users and colleagues I learnt that OpenVPN is generally far easier to use, has clients for most OS and platforms (desktop, laptop, tablet, phones...) and allows multiple clients in the same public IP (for example, multiple people in the office sharing a client-side public IP/nat while trying to connect to a VPC or an isolated network) and for these reasons many users actually deploy pfSense or set up an OpenVPN server in their isolated network or VPC and use that instead.
> > >
> > > Therefore for the point-to-point VPN use-case of remote access [1] does it make sense to switch to OpenVPN? Or, are there users using strongswan/ipsec/l2tpd for remote access VPN?
> > >
> > > A general-purpose VPN-framework/provider where an account or admin (via offering) can specify which VPN provider they want in the network (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex to implement and maintain. Any other thoughts in general about VPN implementation and support in CloudStack? Thanks.
> > >
> > > [1] http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
> > >
> > > Regards.
> >
> > --
> >
> > Andrija Panić

--
Regards,
Hean Seng
Re: Rebooted and now I see unable to find storage pool
2021-06-10 18:46:19,665 ERROR [kvm.storage.LibvirtStorageAdaptor] (agentRequest-Handler-5:null) (logid:34e88890) Failed to create RBD storage pool: org.libvirt.LibvirtException: failed to create the RBD IoCTX. Does the pool 'rbd' exist?: No such file or directory
2021-06-10 18:46:19,666 ERROR [kvm.storage.LibvirtStorageAdaptor] (agentRequest-Handler-5:null) (logid:34e88890) Failed to create the RBD storage pool, cleaning up the libvirt secret

I should mention that I’ve defined a Ceph RBD primary storage volume. Disabling RBD allowed the vm hosts to rejoin the cluster, but I’d like to understand what happened here as I plan on using Ceph RBD as my primary storage.

Thanks
-jeremy

> On Jun 10, 2021, at 6:45 PM, Jeremy Hansen wrote:
>
> I removed all of my VMs and all volumes. I rebooted all the servers involved in my cluster and now I see this:
>
> 2021-06-10 18:41:38,824 WARN [cloud.agent.Agent] (agentRequest-Handler-2:null) (logid:4f4da278) Caught: com.cloud.utils.exception.CloudRuntimeException: Failed to create storage pool: a6768f2e-3e3c-3aad-938e-83a9efb6deab
>     at com.cloud.hypervisor.kvm.storage.LibvirtStorageAdaptor.createStoragePool(LibvirtStorageAdaptor.java:645)
>     at com.cloud.hypervisor.kvm.storage.KVMStoragePoolManager.createStoragePool(KVMStoragePoolManager.java:329)
>     at com.cloud.hypervisor.kvm.storage.KVMStoragePoolManager.createStoragePool(KVMStoragePoolManager.java:323)
>     at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtModifyStoragePoolCommandWrapper.execute(LibvirtModifyStoragePoolCommandWrapper.java:42)
>     at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtModifyStoragePoolCommandWrapper.execute(LibvirtModifyStoragePoolCommandWrapper.java:35)
>     at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtRequestWrapper.execute(LibvirtRequestWrapper.java:78)
>     at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.executeRequest(LibvirtComputingResource.java:1643)
>     at com.cloud.agent.Agent.processRequest(Agent.java:661)
>     at com.cloud.agent.Agent$AgentRequestHandler.doTask(Agent.java:1079)
>     at com.cloud.utils.nio.Task.call(Task.java:83)
>     at com.cloud.utils.nio.Task.call(Task.java:29)
>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>     at java.base/java.lang.Thread.run(Thread.java:829)
>
> and two of my VM hosts are unable to connect.
>
> How do I resolve this situation? How did I lose a storage pool?
>
> Thanks
> -jeremy
Rebooted and now I see unable to find storage pool
I removed all of my VMs and all volumes. I rebooted all the servers involved in my cluster and now I see this:

2021-06-10 18:41:38,824 WARN [cloud.agent.Agent] (agentRequest-Handler-2:null) (logid:4f4da278) Caught: com.cloud.utils.exception.CloudRuntimeException: Failed to create storage pool: a6768f2e-3e3c-3aad-938e-83a9efb6deab
    at com.cloud.hypervisor.kvm.storage.LibvirtStorageAdaptor.createStoragePool(LibvirtStorageAdaptor.java:645)
    at com.cloud.hypervisor.kvm.storage.KVMStoragePoolManager.createStoragePool(KVMStoragePoolManager.java:329)
    at com.cloud.hypervisor.kvm.storage.KVMStoragePoolManager.createStoragePool(KVMStoragePoolManager.java:323)
    at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtModifyStoragePoolCommandWrapper.execute(LibvirtModifyStoragePoolCommandWrapper.java:42)
    at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtModifyStoragePoolCommandWrapper.execute(LibvirtModifyStoragePoolCommandWrapper.java:35)
    at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtRequestWrapper.execute(LibvirtRequestWrapper.java:78)
    at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.executeRequest(LibvirtComputingResource.java:1643)
    at com.cloud.agent.Agent.processRequest(Agent.java:661)
    at com.cloud.agent.Agent$AgentRequestHandler.doTask(Agent.java:1079)
    at com.cloud.utils.nio.Task.call(Task.java:83)
    at com.cloud.utils.nio.Task.call(Task.java:29)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)

and two of my VM hosts are unable to connect.

How do I resolve this situation? How did I lose a storage pool?

Thanks
-jeremy
Re: Alter Shared Guest Network?
Thanks. I’ll take a look at the table.

-jeremy

> On Jun 10, 2021, at 6:57 AM, Yordan Kostov wrote:
>
> Hello Jeremy,
>
> Once a shared network with DHCP offering is created the IPs fitting into the defined range are created in table called "user_ip_address".
> They are created one by one so if range between x.x.x.11 and x.x.x.210 is created this will add 200 entries. So if you want to expand that you need to add more entries manually, which is a bit unfortunate.
>
> Best regards,
> Jordan
>
> -----Original Message-----
> From: Jeremy Hansen
> Sent: Thursday, June 10, 2021 12:12 AM
> To: users@cloudstack.apache.org
> Subject: Re: Alter Shared Guest Network?
>
>> On Jun 9, 2021, at 1:39 PM, Wido den Hollander wrote:
>>
>> On 6/9/21 3:55 PM, Jeremy Hansen wrote:
>>> When I created my shared network config, I specified too narrow of an IP range.
>>>
>>> I can’t seem to figure out how to alter this config via the web interface. Is this possible?
>>
>> Not via the UI nor API. You will need to hack this in the database. Or remove the network and create it again. But this is only possible if there are no VMs in the network.
>>
>> Wido
>
> Thanks, recreating it seems like the easiest option since I’m only in testing phase right now, but I’m curious what it would take to alter tables to fix this. Any clues as to what tables/fields would need to be updated?
>
>>> -jeremy
RE: Alter Shared Guest Network?
Hello Jeremy,

Once a shared network with DHCP offering is created the IPs fitting into the defined range are created in table called "user_ip_address".
They are created one by one so if range between x.x.x.11 and x.x.x.210 is created this will add 200 entries. So if you want to expand that you need to add more entries manually, which is a bit unfortunate.

Best regards,
Jordan

-----Original Message-----
From: Jeremy Hansen
Sent: Thursday, June 10, 2021 12:12 AM
To: users@cloudstack.apache.org
Subject: Re: Alter Shared Guest Network?

> On Jun 9, 2021, at 1:39 PM, Wido den Hollander wrote:
>
>> On 6/9/21 3:55 PM, Jeremy Hansen wrote:
>> When I created my shared network config, I specified too narrow of an IP range.
>>
>> I can’t seem to figure out how to alter this config via the web interface. Is this possible?
>
> Not via the UI nor API. You will need to hack this in the database. Or remove the network and create it again. But this is only possible if there are no VMs in the network.
>
> Wido

Thanks, recreating it seems like the easiest option since I’m only in testing phase right now, but I’m curious what it would take to alter tables to fix this. Any clues as to what tables/fields would need to be updated?

>> -jeremy
Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
OpenVPN support will be great. S2S
--
Stênio Firmino Filho
Head of Technical Section - SCINT - CETiSP
Superintendência de Tecnologia da Informação
Universidade de São Paulo
Av. Prof. Luciano Gualberto, travessa 3, 71
CEP 05.508-010 - São Paulo/SP

On Thu, Jun 10, 2021 at 8:46 AM Andrija Panic wrote:

> +1
>
> as it's, these days, a de facto standard for every VPN device/provider - and there is great support with OpenVPN clients for all client Operating Systems.
>
> On Thu, 10 Jun 2021 at 11:24, Alex Mattioli wrote:
>
> > +1 on OpenVPN, and then a framework later on.
> >
> > -----Original Message-----
> > From: Rohit Yadav
> > Sent: 10 June 2021 10:25
> > To: d...@cloudstack.apache.org; users@cloudstack.apache.org
> > Subject: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
> >
> > All,
> >
> > We've historically supported openswan and nowadays strongswan as the VPN provider in VR for both site-to-site and remote access modes. After discussing the situation with a few users and colleagues I learnt that OpenVPN is generally far easier to use, has clients for most OS and platforms (desktop, laptop, tablet, phones...) and allows multiple clients in the same public IP (for example, multiple people in the office sharing a client-side public IP/nat while trying to connect to a VPC or an isolated network) and for these reasons many users actually deploy pfSense or set up an OpenVPN server in their isolated network or VPC and use that instead.
> >
> > Therefore for the point-to-point VPN use-case of remote access [1] does it make sense to switch to OpenVPN? Or, are there users using strongswan/ipsec/l2tpd for remote access VPN?
> >
> > A general-purpose VPN-framework/provider where an account or admin (via offering) can specify which VPN provider they want in the network (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex to implement and maintain. Any other thoughts in general about VPN implementation and support in CloudStack? Thanks.
> >
> > [1] http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
> >
> > Regards.
>
> --
>
> Andrija Panić
Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
+1

as it's, these days, a de facto standard for every VPN device/provider - and there is great support with OpenVPN clients for all client Operating Systems.

On Thu, 10 Jun 2021 at 11:24, Alex Mattioli wrote:

> +1 on OpenVPN, and then a framework later on.
>
> -----Original Message-----
> From: Rohit Yadav
> Sent: 10 June 2021 10:25
> To: d...@cloudstack.apache.org; users@cloudstack.apache.org
> Subject: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
>
> All,
>
> We've historically supported openswan and nowadays strongswan as the VPN provider in VR for both site-to-site and remote access modes. After discussing the situation with a few users and colleagues I learnt that OpenVPN is generally far easier to use, has clients for most OS and platforms (desktop, laptop, tablet, phones...) and allows multiple clients in the same public IP (for example, multiple people in the office sharing a client-side public IP/nat while trying to connect to a VPC or an isolated network) and for these reasons many users actually deploy pfSense or set up an OpenVPN server in their isolated network or VPC and use that instead.
>
> Therefore for the point-to-point VPN use-case of remote access [1] does it make sense to switch to OpenVPN? Or, are there users using strongswan/ipsec/l2tpd for remote access VPN?
>
> A general-purpose VPN-framework/provider where an account or admin (via offering) can specify which VPN provider they want in the network (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex to implement and maintain. Any other thoughts in general about VPN implementation and support in CloudStack? Thanks.
>
> [1] http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
>
> Regards.

--

Andrija Panić
RE: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
+1 on OpenVPN, and then a framework later on.

-----Original Message-----
From: Rohit Yadav
Sent: 10 June 2021 10:25
To: d...@cloudstack.apache.org; users@cloudstack.apache.org
Subject: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

All,

We've historically supported openswan and nowadays strongswan as the VPN provider in VR for both site-to-site and remote access modes. After discussing the situation with a few users and colleagues I learnt that OpenVPN is generally far easier to use, has clients for most OS and platforms (desktop, laptop, tablet, phones...) and allows multiple clients in the same public IP (for example, multiple people in the office sharing a client-side public IP/nat while trying to connect to a VPC or an isolated network) and for these reasons many users actually deploy pfSense or set up an OpenVPN server in their isolated network or VPC and use that instead.

Therefore for the point-to-point VPN use-case of remote access [1] does it make sense to switch to OpenVPN? Or, are there users using strongswan/ipsec/l2tpd for remote access VPN?

A general-purpose VPN-framework/provider where an account or admin (via offering) can specify which VPN provider they want in the network (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex to implement and maintain. Any other thoughts in general about VPN implementation and support in CloudStack? Thanks.

[1] http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn

Regards.
Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
Hey!

I’m personally a strong proponent of Wireguard. A couple years back, implementing a S2S or remote-access VPN with WG was complicated and it still is - but there’s definitely more tooling available these days. There are clients for just about every major platform - desktop and mobile.

In the long term though, I think a general-purpose VPN provider like the one you outlined is far better - and I’d definitely like to take a stab at it, although I’ll admit my Java skills are basically..zero. But even so - a framework that allows users to select what platform they want - Strongswan vs OpenVPN vs Wireguard - would be awesome.

Best!
Rudraksh Mukta Kulshreshtha
Vice-President - DevOps & R
IndiQus Technologies
O +91 11 4055 1411 | M +91 99589 54879
indiqus.com

On 10 Jun 2021, 1:55 PM +0530, Rohit Yadav wrote:

> All,
>
> We've historically supported openswan and nowadays strongswan as the VPN provider in VR for both site-to-site and remote access modes. After discussing the situation with a few users and colleagues I learnt that OpenVPN is generally far easier to use, has clients for most OS and platforms (desktop, laptop, tablet, phones...) and allows multiple clients in the same public IP (for example, multiple people in the office sharing a client-side public IP/nat while trying to connect to a VPC or an isolated network) and for these reasons many users actually deploy pfSense or set up an OpenVPN server in their isolated network or VPC and use that instead.
>
> Therefore for the point-to-point VPN use-case of remote access [1] does it make sense to switch to OpenVPN? Or, are there users using strongswan/ipsec/l2tpd for remote access VPN?
>
> A general-purpose VPN-framework/provider where an account or admin (via offering) can specify which VPN provider they want in the network (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex to implement and maintain. Any other thoughts in general about VPN implementation and support in CloudStack? Thanks.
>
> [1] http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
>
> Regards.
[DISCUSS] Moving to OpenVPN as the remote access VPN provider
All,

We've historically supported openswan and nowadays strongswan as the VPN provider in VR for both site-to-site and remote access modes. After discussing the situation with a few users and colleagues I learnt that OpenVPN is generally far easier to use, has clients for most OS and platforms (desktop, laptop, tablet, phones...) and allows multiple clients in the same public IP (for example, multiple people in the office sharing a client-side public IP/nat while trying to connect to a VPC or an isolated network) and for these reasons many users actually deploy pfSense or set up an OpenVPN server in their isolated network or VPC and use that instead.

Therefore for the point-to-point VPN use-case of remote access [1] does it make sense to switch to OpenVPN? Or, are there users using strongswan/ipsec/l2tpd for remote access VPN?

A general-purpose VPN-framework/provider where an account or admin (via offering) can specify which VPN provider they want in the network (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex to implement and maintain. Any other thoughts in general about VPN implementation and support in CloudStack? Thanks.

[1] http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn

Regards.
Re: Cloudstack source code compilation - RPMs build failed - LDAP
Hi David,

Thank you for your response and pointers. For now with your suggestion, as a workaround, I was able to skip the test and proceed with just source build by adding -DskipTests in mvn command in cloud.spec file. It helped.

There are some java version mismatch errors in the source build in package 121/124 which I am debugging though pre-requisite was given as Java 11 but expecting Java 8.

Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.lang.UnsupportedClassVersionError: com/cloud/api/doc/ApiXmlDocWriter has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0

Will keep you posted once the RPMs are successfully built. I will revisit the test scripts error after completing the source build.

Regards,
Hema
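
An added example, not part of the message above and not CloudStack code: a Python check that reads the class-file header of every class in a jar and lists the ones a Java 8 runtime (class file versions up to 52.0) would reject, which is the condition the UnsupportedClassVersionError reports for ApiXmlDocWriter. The function names are hypothetical and the sample jar is constructed in memory from headers only.

```python
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE  # first four bytes of every Java class file


def class_file_version(data: bytes):
    """Return (major, minor) from a class-file header, or None if it is not one."""
    if len(data) < 8:
        return None
    # Layout: u4 magic, u2 minor_version, u2 major_version (big-endian).
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        return None
    return major, minor


def java_release(major: int) -> int:
    """Map a class-file major version to the Java release (52 -> 8, 55 -> 11)."""
    return major - 44


def too_new_classes(jar_bytes: bytes, runtime_max_major: int):
    """List (entry name, major) for classes the given runtime would refuse to load."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in sorted(jar.namelist()):
            if not name.endswith(".class"):
                continue
            version = class_file_version(jar.read(name))
            if version is None:
                continue  # truncated entry or wrong magic: not a class file
            if version[0] > runtime_max_major:
                rejected.append((name, version[0]))
    return rejected


def build_sample_jar() -> bytes:
    """Constructed sample input: 8-byte headers only, not real compiled classes."""
    def header(major: int) -> bytes:
        return struct.pack(">IHH", CLASS_MAGIC, 0, major)

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/cloud/api/doc/ApiXmlDocWriter.class", header(55))
        jar.writestr("example/Legacy.class", header(52))  # hypothetical entry
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    runtime_max = 52  # what a Java 8 runtime accepts
    for name, major in too_new_classes(build_sample_jar(), runtime_max):
        print(f"{name}: class file version {major}.0 (Java {java_release(major)}), "
              f"runtime accepts up to {runtime_max}.0 (Java {java_release(runtime_max)})")
```
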
NFS permissions?
Hi all,

when adding separate NFS storage (based on a ZFS pool) as primary/secondary what is the minimum/safest file & folder permission you can get away with, when used in conjunction with:

chown -R root:root /tank?

chmod -R -f 755 /tank, or more restrictive
chmod -R -f 644 /tank?

This is helpful as an overview:
http://docs.cloudstack.apache.org/en/latest/installguide/management-server/#prepare-nfs-shares
.. but it doesn't mention recommended chmod values.

TIA,
Jim