subject:"Egress rules not applied in 4.11.0"

Re: Egress rules not applied in 4.11.0

2018-04-11 Thread Martin Emrich


Hi!


Am 11.04.18 um 13:38 schrieb Stephan Seitz:

Hi martin,

I've just read your issue on github and was wondering how you;ve been able to 
select Debian 9.
But maybe you did a fresh installation.

No, Upgrade from 4.9.2.0. I set the OS type to Debian 8 in ACS.
"Debian 9.3" is what XenCenter reports, they probably extract the actual 
OS version from the VM.

Maybe your issue is hot-fixed by registering a template with Debian 7 profile.
I'll try that as my next step (changing the OS type in the database and 
recreating a sytem VM).


Ciao

Martin

Re: Egress rules not applied in 4.11.0

2018-04-11 Thread Stephan Seitz

Rafael,

don't get confused, I'm not the OP, just added a few thoughts. We are running a 
very similar Infrastructure than the OP, but our systemvm-template is Debian 7 
instead of Debian 9 (he has).
The recent host you questioned is "other linux2.x 64bit" so *should* be (as 
verified :) ) run in HVM.

- Stephan

Am Mittwoch, den 11.04.2018, 09:09 -0300 schrieb Rafael Weingärtner:
> That is interesting. The VM is indeed in HVM mode.
> 
> On Wed, Apr 11, 2018 at 9:04 AM, Stephan Seitz <s.se...@heinlein-support.de>
> wrote:
> 
> > 
> > # xe vm-param-list uuid=c1bcef11-ffc2-24bd-7c5e-0840fb4f8f49 | grep -e
> > PV-legacy-args -e PV-boot -e HVM-boot -e HVM-shadow
> >    HVM-boot-policy ( RW): BIOS order
> >    HVM-boot-params (MRW): order: dc
> >  HVM-shadow-multiplier ( RW): 1.000
> > PV-legacy-args ( RW):
> >  PV-bootloader ( RW):
> > PV-bootloader-args ( RW):
> > 
> > Am Mittwoch, den 11.04.2018, 09:00 -0300 schrieb Rafael Weingärtner:
> > > 
> > > Xen you execute the following command in your XenServer?
> > > 
> > > > 
> > > > 
> > > > xe vm-param-list uuid=
> > > > 
> > > Then, what is the content of these parameters?
> > > 
> > >    - PV-legacy-args
> > >    - PV-bootloader
> > >    - PV-bootloader-args
> > >    - HVM-boot-policy
> > >    - HVM-boot-params
> > >    - HVM-shadow-multiplier
> > > 
> > > 
> > > It is just to make sure that the VM was indeed created using HVM mode.
> > > 
> > > On Wed, Apr 11, 2018 at 8:55 AM, Stephan Seitz <
> > s.se...@heinlein-support.de>
> > > 
> > > wrote:
> > > 
> > > > 
> > > > 
> > > > Just tried a Debian 9 running on XenServer 6.5 SP1 with model "Other
> > 2.6x
> > > 
> > > > 
> > > > Linux (64-bit)":
> > > > 
> > > > # virt-what --version
> > > > 1.15
> > > > # virt-what
> > > > hyperv
> > > > xen
> > > > xen-domU
> > > > #
> > > > 
> > > > 
> > > > Am Mittwoch, den 11.04.2018, 13:50 +0200 schrieb Stephan Seitz:
> > > > > 
> > > > > 
> > > > > AFAIK not for 6.5 SP1.
> > > > > https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/
> > shows
> > > 
> > > > 
> > > > that 7.x is fixed and gives the hint,
> > > > > 
> > > > > 
> > > > > that HVM guests are not affected (at least for spectre)
> > > > > 
> > > > > https://support.citrix.com/article/CTX231390
> > > > > " 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive
> > > > architectural changes to do so. Citrix is therefore not making
> > hotfixes for
> > > 
> > > > 
> > > > these versions available to customers, and will continue to
> > > > > 
> > > > > 
> > > > > work with hardware vendors on other mitigation strategies. Customers
> > on
> > > 
> > > > 
> > > > the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade
> > to a
> > > 
> > > > 
> > > > more recent version. "
> > > > > 
> > > > > 
> > > > > 
> > > > > I haven't tried it so far, but recent debian versions were kind of
> > picky
> > > 
> > > > 
> > > > with different kinds of Xen virtualization as I've seen on "regular"
> > VMs.
> > > 
> > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > Am Mittwoch, den 11.04.2018, 11:42 + schrieb Paul Angus:
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > virt-what will give 'xen-domU' for paravirtualized guests. Didn't
> > > > XenServer make some kind of change around this as a Meltdown/Spectre
> > > > migation?
> > > > > 
> > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > Kind regards,
> > > > > > 
> > > > > > Paul Angus
> > > > > > 
> > > > > > paul.

Re: Egress rules not applied in 4.11.0

2018-04-11 Thread Rafael Weingärtner

That is interesting. The VM is indeed in HVM mode.

On Wed, Apr 11, 2018 at 9:04 AM, Stephan Seitz <s.se...@heinlein-support.de>
wrote:

> # xe vm-param-list uuid=c1bcef11-ffc2-24bd-7c5e-0840fb4f8f49 | grep -e
> PV-legacy-args -e PV-boot -e HVM-boot -e HVM-shadow
>HVM-boot-policy ( RW): BIOS order
>HVM-boot-params (MRW): order: dc
>  HVM-shadow-multiplier ( RW): 1.000
> PV-legacy-args ( RW):
>  PV-bootloader ( RW):
> PV-bootloader-args ( RW):
>
> Am Mittwoch, den 11.04.2018, 09:00 -0300 schrieb Rafael Weingärtner:
> > Xen you execute the following command in your XenServer?
> >
> > >
> > > xe vm-param-list uuid=
> > >
> > Then, what is the content of these parameters?
> >
> >- PV-legacy-args
> >- PV-bootloader
> >- PV-bootloader-args
> >- HVM-boot-policy
> >- HVM-boot-params
> >- HVM-shadow-multiplier
> >
> >
> > It is just to make sure that the VM was indeed created using HVM mode.
> >
> > On Wed, Apr 11, 2018 at 8:55 AM, Stephan Seitz <
> s.se...@heinlein-support.de>
> > wrote:
> >
> > >
> > > Just tried a Debian 9 running on XenServer 6.5 SP1 with model "Other
> 2.6x
> > > Linux (64-bit)":
> > >
> > > # virt-what --version
> > > 1.15
> > > # virt-what
> > > hyperv
> > > xen
> > > xen-domU
> > > #
> > >
> > >
> > > Am Mittwoch, den 11.04.2018, 13:50 +0200 schrieb Stephan Seitz:
> > > >
> > > > AFAIK not for 6.5 SP1.
> > > > https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/
> shows
> > > that 7.x is fixed and gives the hint,
> > > >
> > > > that HVM guests are not affected (at least for spectre)
> > > >
> > > > https://support.citrix.com/article/CTX231390
> > > > " 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive
> > > architectural changes to do so. Citrix is therefore not making
> hotfixes for
> > > these versions available to customers, and will continue to
> > > >
> > > > work with hardware vendors on other mitigation strategies. Customers
> on
> > > the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade
> to a
> > > more recent version. "
> > > >
> > > >
> > > > I haven't tried it so far, but recent debian versions were kind of
> picky
> > > with different kinds of Xen virtualization as I've seen on "regular"
> VMs.
> > > >
> > > >
> > > >
> > > >
> > > > Am Mittwoch, den 11.04.2018, 11:42 + schrieb Paul Angus:
> > > > >
> > > > >
> > > > > virt-what will give 'xen-domU' for paravirtualized guests. Didn't
> > > XenServer make some kind of change around this as a Meltdown/Spectre
> > > migation?
> > > >
> > > > >
> > > > >
> > > > >
> > > > > Kind regards,
> > > > >
> > > > > Paul Angus
> > > > >
> > > > > paul.an...@shapeblue.com
> > > > > www.shapeblue.com
> > > > > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > > > > @shapeblue
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -Original Message-
> > > > > From: Stephan Seitz <s.se...@heinlein-support.de>
> > > > > Sent: 11 April 2018 12:38
> > > > > To: users@cloudstack.apache.org
> > > > > Subject: Re: Egress rules not applied in 4.11.0
> > > > >
> > > > > Hi martin,
> > > > >
> > > > > I've just read your issue on github and was wondering how you;ve
> been
> > > able to select Debian 9.
> > > >
> > > > >
> > > > > But maybe you did a fresh installation.
> > > > >
> > > > > We did an update from 4.9.2 to 4.11.0 and were able to select
> "Debian
> > > GNU/Linux 7(64-bit)" as highest possible Debian-version. The
> documentation
> > > said to register the new systemvm-template before
> > > >
> > > > >
> > > > > updating the management server.
> > > > >
> > > > > Maybe your issue is hot-fixed by registe

Re: Egress rules not applied in 4.11.0

2018-04-11 Thread Stephan Seitz

# xe vm-param-list uuid=c1bcef11-ffc2-24bd-7c5e-0840fb4f8f49 | grep -e 
PV-legacy-args -e PV-boot -e HVM-boot -e HVM-shadow
   HVM-boot-policy ( RW): BIOS order
   HVM-boot-params (MRW): order: dc
 HVM-shadow-multiplier ( RW): 1.000
PV-legacy-args ( RW): 
 PV-bootloader ( RW): 
PV-bootloader-args ( RW): 

Am Mittwoch, den 11.04.2018, 09:00 -0300 schrieb Rafael Weingärtner:
> Xen you execute the following command in your XenServer?
> 
> > 
> > xe vm-param-list uuid=
> > 
> Then, what is the content of these parameters?
> 
>    - PV-legacy-args
>    - PV-bootloader
>    - PV-bootloader-args
>    - HVM-boot-policy
>    - HVM-boot-params
>    - HVM-shadow-multiplier
> 
> 
> It is just to make sure that the VM was indeed created using HVM mode.
> 
> On Wed, Apr 11, 2018 at 8:55 AM, Stephan Seitz <s.se...@heinlein-support.de>
> wrote:
> 
> > 
> > Just tried a Debian 9 running on XenServer 6.5 SP1 with model "Other 2.6x
> > Linux (64-bit)":
> > 
> > # virt-what --version
> > 1.15
> > # virt-what
> > hyperv
> > xen
> > xen-domU
> > #
> > 
> > 
> > Am Mittwoch, den 11.04.2018, 13:50 +0200 schrieb Stephan Seitz:
> > > 
> > > AFAIK not for 6.5 SP1.
> > > https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/ shows
> > that 7.x is fixed and gives the hint,
> > > 
> > > that HVM guests are not affected (at least for spectre)
> > > 
> > > https://support.citrix.com/article/CTX231390
> > > " 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive
> > architectural changes to do so. Citrix is therefore not making hotfixes for
> > these versions available to customers, and will continue to
> > > 
> > > work with hardware vendors on other mitigation strategies. Customers on
> > the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a
> > more recent version. "
> > > 
> > > 
> > > I haven't tried it so far, but recent debian versions were kind of picky
> > with different kinds of Xen virtualization as I've seen on "regular" VMs.
> > > 
> > > 
> > > 
> > > 
> > > Am Mittwoch, den 11.04.2018, 11:42 + schrieb Paul Angus:
> > > > 
> > > > 
> > > > virt-what will give 'xen-domU' for paravirtualized guests. Didn't
> > XenServer make some kind of change around this as a Meltdown/Spectre
> > migation?
> > > 
> > > > 
> > > > 
> > > > 
> > > > Kind regards,
> > > > 
> > > > Paul Angus
> > > > 
> > > > paul.an...@shapeblue.com
> > > > www.shapeblue.com
> > > > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > > > @shapeblue
> > > > 
> > > > 
> > > > 
> > > > 
> > > > -Original Message-
> > > > From: Stephan Seitz <s.se...@heinlein-support.de>
> > > > Sent: 11 April 2018 12:38
> > > > To: users@cloudstack.apache.org
> > > > Subject: Re: Egress rules not applied in 4.11.0
> > > > 
> > > > Hi martin,
> > > > 
> > > > I've just read your issue on github and was wondering how you;ve been
> > able to select Debian 9.
> > > 
> > > > 
> > > > But maybe you did a fresh installation.
> > > > 
> > > > We did an update from 4.9.2 to 4.11.0 and were able to select "Debian
> > GNU/Linux 7(64-bit)" as highest possible Debian-version. The documentation
> > said to register the new systemvm-template before
> > > 
> > > > 
> > > > updating the management server.
> > > > 
> > > > Maybe your issue is hot-fixed by registering a template with Debian 7
> > profile.
> > > 
> > > > 
> > > > 
> > > > Cheers,
> > > > 
> > > > - Stephan
> > > > 
> > > > 
> > > > Am Mittwoch, den 11.04.2018, 13:30 +0200 schrieb Martin Emrich:
> > > > > 
> > > > > 
> > > > > 
> > > > > I investigated further, and opened an issue:
> > > > > https://github.com/apache/cloudstack/issues/2561
> > > > > 
> > > > > Cheers,
> > > > > 
> > > > > Martin
> > > > > 
> > > > > 
> > > > > Am 11.04.18 um 1

Re: Egress rules not applied in 4.11.0

2018-04-11 Thread Rafael Weingärtner

Xen you execute the following command in your XenServer?

> xe vm-param-list uuid=
>

Then, what is the content of these parameters?

   - PV-legacy-args
   - PV-bootloader
   - PV-bootloader-args
   - HVM-boot-policy
   - HVM-boot-params
   - HVM-shadow-multiplier


It is just to make sure that the VM was indeed created using HVM mode.

On Wed, Apr 11, 2018 at 8:55 AM, Stephan Seitz <s.se...@heinlein-support.de>
wrote:

> Just tried a Debian 9 running on XenServer 6.5 SP1 with model "Other 2.6x
> Linux (64-bit)":
>
> # virt-what --version
> 1.15
> # virt-what
> hyperv
> xen
> xen-domU
> #
>
>
> Am Mittwoch, den 11.04.2018, 13:50 +0200 schrieb Stephan Seitz:
> > AFAIK not for 6.5 SP1.
> > https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/ shows
> that 7.x is fixed and gives the hint,
> > that HVM guests are not affected (at least for spectre)
> >
> > https://support.citrix.com/article/CTX231390
> > " 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive
> architectural changes to do so. Citrix is therefore not making hotfixes for
> these versions available to customers, and will continue to
> > work with hardware vendors on other mitigation strategies. Customers on
> the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a
> more recent version. "
> >
> > I haven't tried it so far, but recent debian versions were kind of picky
> with different kinds of Xen virtualization as I've seen on "regular" VMs.
> >
> >
> >
> > Am Mittwoch, den 11.04.2018, 11:42 + schrieb Paul Angus:
> > >
> > > virt-what will give 'xen-domU' for paravirtualized guests. Didn't
> XenServer make some kind of change around this as a Meltdown/Spectre
> migation?
> > >
> > >
> > > Kind regards,
> > >
> > > Paul Angus
> > >
> > > paul.an...@shapeblue.com
> > > www.shapeblue.com
> > > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > > @shapeblue
> > >
> > >
> > >
> > >
> > > -Original Message-
> > > From: Stephan Seitz <s.se...@heinlein-support.de>
> > > Sent: 11 April 2018 12:38
> > > To: users@cloudstack.apache.org
> > > Subject: Re: Egress rules not applied in 4.11.0
> > >
> > > Hi martin,
> > >
> > > I've just read your issue on github and was wondering how you;ve been
> able to select Debian 9.
> > > But maybe you did a fresh installation.
> > >
> > > We did an update from 4.9.2 to 4.11.0 and were able to select "Debian
> GNU/Linux 7(64-bit)" as highest possible Debian-version. The documentation
> said to register the new systemvm-template before
> > > updating the management server.
> > >
> > > Maybe your issue is hot-fixed by registering a template with Debian 7
> profile.
> > >
> > > Cheers,
> > >
> > > - Stephan
> > >
> > >
> > > Am Mittwoch, den 11.04.2018, 13:30 +0200 schrieb Martin Emrich:
> > > >
> > > >
> > > > I investigated further, and opened an issue:
> > > > https://github.com/apache/cloudstack/issues/2561
> > > >
> > > > Cheers,
> > > >
> > > > Martin
> > > >
> > > >
> > > > Am 11.04.18 um 12:18 schrieb Martin Emrich:
> > > > >
> > > > >
> > > > >
> > > > > Thanks... But I think something else is now broken, too...:
> > > > >
> > > > > The SystemVMs are now no longer being provisioned: They come up
> > > > > "empty" with "systemvm type=".
> > > > >
> > > > > I also deleted the Console Proxy VM, and the new one is plain,
> too...
> > > > >
> > > > > I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs),
> same
> > > > > effect...
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Martin
> > > > >
> > > > >
> > > > > Am 11.04.18 um 00:56 schrieb Rohit Yadav:
> > > > > >
> > > > > >
> > > > > >
> > > > > > Hi Martin,
> > > > > >
> > > > > >
> > > > > > This is a known issue, a freshly restarted VR may not have the
> > > > > > EGREE related tables which is why any rules will fail to apply.
> As
> > > >

Re: Egress rules not applied in 4.11.0

2018-04-11 Thread Stephan Seitz

Just tried a Debian 9 running on XenServer 6.5 SP1 with model "Other 2.6x Linux 
(64-bit)":

# virt-what --version
1.15
# virt-what
hyperv
xen
xen-domU
#


Am Mittwoch, den 11.04.2018, 13:50 +0200 schrieb Stephan Seitz:
> AFAIK not for 6.5 SP1.
> https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/ shows that 
> 7.x is fixed and gives the hint,
> that HVM guests are not affected (at least for spectre)
> 
> https://support.citrix.com/article/CTX231390
> " 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive architectural 
> changes to do so. Citrix is therefore not making hotfixes for these versions 
> available to customers, and will continue to
> work with hardware vendors on other mitigation strategies. Customers on the 
> 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a more 
> recent version. "
> 
> I haven't tried it so far, but recent debian versions were kind of picky with 
> different kinds of Xen virtualization as I've seen on "regular" VMs.
> 
> 
> 
> Am Mittwoch, den 11.04.2018, 11:42 + schrieb Paul Angus:
> > 
> > virt-what will give 'xen-domU' for paravirtualized guests. Didn't XenServer 
> > make some kind of change around this as a Meltdown/Spectre migation? 
> > 
> > 
> > Kind regards,
> > 
> > Paul Angus
> > 
> > paul.an...@shapeblue.com 
> > www.shapeblue.com
> > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > @shapeblue
> >   
> >  
> > 
> > 
> > -Original Message-
> > From: Stephan Seitz <s.se...@heinlein-support.de> 
> > Sent: 11 April 2018 12:38
> > To: users@cloudstack.apache.org
> > Subject: Re: Egress rules not applied in 4.11.0
> > 
> > Hi martin,
> > 
> > I've just read your issue on github and was wondering how you;ve been able 
> > to select Debian 9.
> > But maybe you did a fresh installation.
> > 
> > We did an update from 4.9.2 to 4.11.0 and were able to select "Debian 
> > GNU/Linux 7(64-bit)" as highest possible Debian-version. The documentation 
> > said to register the new systemvm-template before
> > updating the management server.
> > 
> > Maybe your issue is hot-fixed by registering a template with Debian 7 
> > profile.
> > 
> > Cheers,
> > 
> > - Stephan
> > 
> > 
> > Am Mittwoch, den 11.04.2018, 13:30 +0200 schrieb Martin Emrich:
> > > 
> > > 
> > > I investigated further, and opened an issue:
> > > https://github.com/apache/cloudstack/issues/2561
> > > 
> > > Cheers,
> > > 
> > > Martin
> > > 
> > > 
> > > Am 11.04.18 um 12:18 schrieb Martin Emrich:
> > > > 
> > > > 
> > > > 
> > > > Thanks... But I think something else is now broken, too...:
> > > > 
> > > > The SystemVMs are now no longer being provisioned: They come up 
> > > > "empty" with "systemvm type=".
> > > > 
> > > > I also deleted the Console Proxy VM, and the new one is plain, too...
> > > > 
> > > > I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same 
> > > > effect...
> > > > 
> > > > Cheers,
> > > > 
> > > > Martin
> > > > 
> > > > 
> > > > Am 11.04.18 um 00:56 schrieb Rohit Yadav:
> > > > > 
> > > > > 
> > > > > 
> > > > > Hi Martin,
> > > > > 
> > > > > 
> > > > > This is a known issue, a freshly restarted VR may not have the 
> > > > > EGREE related tables which is why any rules will fail to apply. As 
> > > > > a workaround, you can restart the network without selecting the 
> > > > > cleanup option which will reconfigure the VR and add the egress table.
> > > > > 
> > > > > 
> > > > > I've a fix in this PR:
> > > > > https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57d
> > > > > fd9156e3983b1bb2d64abecd
> > > > > 
> > > > > 
> > > > > 
> > > > > - Rohit
> > > > > 
> > > > > <https://cloudstack.apache.org>
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > From: Martin Emrich <martin.emr...@empolis.com>
> > > > > Sent: Tuesday, April 10, 2018 2:13:57 PM
> >

Re: Egress rules not applied in 4.11.0

2018-04-11 Thread Stephan Seitz

AFAIK not for 6.5 SP1.
https://xen-orchestra.com/blog/meltdown-and-spectre-for-xenserver/ shows that 
7.x is fixed and gives the hint,
that HVM guests are not affected (at least for spectre)

https://support.citrix.com/article/CTX231390
" 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive architectural 
changes to do so. Citrix is therefore not making hotfixes for these versions 
available to customers, and will continue to
work with hardware vendors on other mitigation strategies. Customers on the 6.2 
SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a more recent 
version. "

I haven't tried it so far, but recent debian versions were kind of picky with 
different kinds of Xen virtualization as I've seen on "regular" VMs.



Am Mittwoch, den 11.04.2018, 11:42 + schrieb Paul Angus:
> virt-what will give 'xen-domU' for paravirtualized guests. Didn't XenServer 
> make some kind of change around this as a Meltdown/Spectre migation? 
> 
> 
> Kind regards,
> 
> Paul Angus
> 
> paul.an...@shapeblue.com 
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>   
>  
> 
> 
> -Original Message-
> From: Stephan Seitz <s.se...@heinlein-support.de> 
> Sent: 11 April 2018 12:38
> To: users@cloudstack.apache.org
> Subject: Re: Egress rules not applied in 4.11.0
> 
> Hi martin,
> 
> I've just read your issue on github and was wondering how you;ve been able to 
> select Debian 9.
> But maybe you did a fresh installation.
> 
> We did an update from 4.9.2 to 4.11.0 and were able to select "Debian 
> GNU/Linux 7(64-bit)" as highest possible Debian-version. The documentation 
> said to register the new systemvm-template before
> updating the management server.
> 
> Maybe your issue is hot-fixed by registering a template with Debian 7 profile.
> 
> Cheers,
> 
> - Stephan
> 
> 
> Am Mittwoch, den 11.04.2018, 13:30 +0200 schrieb Martin Emrich:
> > 
> > I investigated further, and opened an issue:
> > https://github.com/apache/cloudstack/issues/2561
> > 
> > Cheers,
> > 
> > Martin
> > 
> > 
> > Am 11.04.18 um 12:18 schrieb Martin Emrich:
> > > 
> > > 
> > > Thanks... But I think something else is now broken, too...:
> > > 
> > > The SystemVMs are now no longer being provisioned: They come up 
> > > "empty" with "systemvm type=".
> > > 
> > > I also deleted the Console Proxy VM, and the new one is plain, too...
> > > 
> > > I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same 
> > > effect...
> > > 
> > > Cheers,
> > > 
> > > Martin
> > > 
> > > 
> > > Am 11.04.18 um 00:56 schrieb Rohit Yadav:
> > > > 
> > > > 
> > > > Hi Martin,
> > > > 
> > > > 
> > > > This is a known issue, a freshly restarted VR may not have the 
> > > > EGREE related tables which is why any rules will fail to apply. As 
> > > > a workaround, you can restart the network without selecting the 
> > > > cleanup option which will reconfigure the VR and add the egress table.
> > > > 
> > > > 
> > > > I've a fix in this PR:
> > > > https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57d
> > > > fd9156e3983b1bb2d64abecd
> > > > 
> > > > 
> > > > 
> > > > - Rohit
> > > > 
> > > > <https://cloudstack.apache.org>
> > > > 
> > > > 
> > > > 
> > > > 
> > > > From: Martin Emrich <martin.emr...@empolis.com>
> > > > Sent: Tuesday, April 10, 2018 2:13:57 PM
> > > > To: CloudStack-Users
> > > > Subject: Egress rules not applied in 4.11.0
> > > > 
> > > > Hi!
> > > > 
> > > > I upgraded my test cluster from 4.9 to 4.11. The default policy 
> > > > for isolated networks is "Deny".
> > > > 
> > > > But now, adding rules to allow egress traffic are not applied to 
> > > > the virtual router. adding a 0.0.0.0/0 rule looks fine from the 
> > > > UI, but does not appear in the iptables output on the VR.
> > > > 
> > > > Any Ideas?
> > > > 
> > > > Thanks
> > > > 
> > > > Martin
> > > > 
> > > > 
> > > > rohit.ya...@shapeblue.com
> > > > www.shapeblue.com
> > > > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK @shapeblue
> > > > 
> Mit freundlichen Grüßen,
> 
> Stephan Seitz
> 
> --
> 
> Heinlein Support GmbH
> Schwedter Str. 8/9b, 10119 Berlin
> 
> http://www.heinlein-support.de
> 
> Tel: 030 / 405051-44
> Fax: 030 / 405051-19
> 
> Zwangsangaben lt. §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
> Geschäftsführer: Peer Heinlein -- Sitz: Berlin
> 
> 
Mit freundlichen Grüßen,

Stephan Seitz

--

Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-44
Fax: 030 / 405051-19

Zwangsangaben lt. §35a GmbHG: HRB 93818 B / Amtsgericht
Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein -- Sitz: Berlin




signature.asc
Description: This is a digitally signed message part

RE: Egress rules not applied in 4.11.0

2018-04-11 Thread Paul Angus

virt-what will give 'xen-domU' for paravirtualized guests. Didn't XenServer 
make some kind of change around this as a Meltdown/Spectre migation? 


Kind regards,

Paul Angus

paul.an...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 


-Original Message-
From: Stephan Seitz <s.se...@heinlein-support.de> 
Sent: 11 April 2018 12:38
To: users@cloudstack.apache.org
Subject: Re: Egress rules not applied in 4.11.0

Hi martin,

I've just read your issue on github and was wondering how you;ve been able to 
select Debian 9.
But maybe you did a fresh installation.

We did an update from 4.9.2 to 4.11.0 and were able to select "Debian GNU/Linux 
7(64-bit)" as highest possible Debian-version. The documentation said to 
register the new systemvm-template before updating the management server.

Maybe your issue is hot-fixed by registering a template with Debian 7 profile.

Cheers,

- Stephan


Am Mittwoch, den 11.04.2018, 13:30 +0200 schrieb Martin Emrich:
> I investigated further, and opened an issue:
> https://github.com/apache/cloudstack/issues/2561
> 
> Cheers,
> 
> Martin
> 
> 
> Am 11.04.18 um 12:18 schrieb Martin Emrich:
> > 
> > Thanks... But I think something else is now broken, too...:
> > 
> > The SystemVMs are now no longer being provisioned: They come up 
> > "empty" with "systemvm type=".
> > 
> > I also deleted the Console Proxy VM, and the new one is plain, too...
> > 
> > I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same 
> > effect...
> > 
> > Cheers,
> > 
> > Martin
> > 
> > 
> > Am 11.04.18 um 00:56 schrieb Rohit Yadav:
> > > 
> > > Hi Martin,
> > > 
> > > 
> > > This is a known issue, a freshly restarted VR may not have the 
> > > EGREE related tables which is why any rules will fail to apply. As 
> > > a workaround, you can restart the network without selecting the 
> > > cleanup option which will reconfigure the VR and add the egress table.
> > > 
> > > 
> > > I've a fix in this PR:
> > > https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57d
> > > fd9156e3983b1bb2d64abecd
> > > 
> > > 
> > > 
> > > - Rohit
> > > 
> > > <https://cloudstack.apache.org>
> > > 
> > > 
> > > 
> > > 
> > > From: Martin Emrich <martin.emr...@empolis.com>
> > > Sent: Tuesday, April 10, 2018 2:13:57 PM
> > > To: CloudStack-Users
> > > Subject: Egress rules not applied in 4.11.0
> > > 
> > > Hi!
> > > 
> > > I upgraded my test cluster from 4.9 to 4.11. The default policy 
> > > for isolated networks is "Deny".
> > > 
> > > But now, adding rules to allow egress traffic are not applied to 
> > > the virtual router. adding a 0.0.0.0/0 rule looks fine from the 
> > > UI, but does not appear in the iptables output on the VR.
> > > 
> > > Any Ideas?
> > > 
> > > Thanks
> > > 
> > > Martin
> > > 
> > > 
> > > rohit.ya...@shapeblue.com
> > > www.shapeblue.com
> > > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK @shapeblue
> > > 
Mit freundlichen Grüßen,

Stephan Seitz

--

Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-44
Fax: 030 / 405051-19

Zwangsangaben lt. §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein -- Sitz: Berlin

Re: Egress rules not applied in 4.11.0

2018-04-11 Thread Stephan Seitz

Hi martin,

I've just read your issue on github and was wondering how you;ve been able to 
select Debian 9.
But maybe you did a fresh installation.

We did an update from 4.9.2 to 4.11.0 and were able to select "Debian GNU/Linux 
7(64-bit)" as
highest possible Debian-version. The documentation said to register the new 
systemvm-template
before updating the management server.

Maybe your issue is hot-fixed by registering a template with Debian 7 profile.

Cheers,

- Stephan


Am Mittwoch, den 11.04.2018, 13:30 +0200 schrieb Martin Emrich:
> I investigated further, and opened an issue: 
> https://github.com/apache/cloudstack/issues/2561
> 
> Cheers,
> 
> Martin
> 
> 
> Am 11.04.18 um 12:18 schrieb Martin Emrich:
> > 
> > Thanks... But I think something else is now broken, too...:
> > 
> > The SystemVMs are now no longer being provisioned: They come up 
> > "empty" with "systemvm type=".
> > 
> > I also deleted the Console Proxy VM, and the new one is plain, too...
> > 
> > I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same 
> > effect...
> > 
> > Cheers,
> > 
> > Martin
> > 
> > 
> > Am 11.04.18 um 00:56 schrieb Rohit Yadav:
> > > 
> > > Hi Martin,
> > > 
> > > 
> > > This is a known issue, a freshly restarted VR may not have the EGREE 
> > > related tables which is why any rules will fail to apply. As a 
> > > workaround, you can restart the network without selecting the cleanup 
> > > option which will reconfigure the VR and add the egress table.
> > > 
> > > 
> > > I've a fix in this PR: 
> > > https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57dfd9156e3983b1bb2d64abecd
> > > 
> > > 
> > > 
> > > - Rohit
> > > 
> > > <https://cloudstack.apache.org>
> > > 
> > > 
> > > 
> > > 
> > > From: Martin Emrich <martin.emr...@empolis.com>
> > > Sent: Tuesday, April 10, 2018 2:13:57 PM
> > > To: CloudStack-Users
> > > Subject: Egress rules not applied in 4.11.0
> > > 
> > > Hi!
> > > 
> > > I upgraded my test cluster from 4.9 to 4.11. The default policy for
> > > isolated networks is "Deny".
> > > 
> > > But now, adding rules to allow egress traffic are not applied to the
> > > virtual router. adding a 0.0.0.0/0 rule looks fine from the UI, but does
> > > not appear in the iptables output on the VR.
> > > 
> > > Any Ideas?
> > > 
> > > Thanks
> > > 
> > > Martin
> > > 
> > > 
> > > rohit.ya...@shapeblue.com
> > > www.shapeblue.com
> > > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > > @shapeblue
> > > 
Mit freundlichen Grüßen,

Stephan Seitz

--

Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-44
Fax: 030 / 405051-19

Zwangsangaben lt. §35a GmbHG: HRB 93818 B / Amtsgericht
Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein -- Sitz: Berlin



signature.asc
Description: This is a digitally signed message part

Re: Egress rules not applied in 4.11.0

2018-04-11 Thread Martin Emrich

I investigated further, and opened an issue: 
https://github.com/apache/cloudstack/issues/2561


Cheers,

Martin


Am 11.04.18 um 12:18 schrieb Martin Emrich:

Thanks... But I think something else is now broken, too...:

The SystemVMs are now no longer being provisioned: They come up 
"empty" with "systemvm type=".


I also deleted the Console Proxy VM, and the new one is plain, too...

I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same 
effect...


Cheers,

Martin


Am 11.04.18 um 00:56 schrieb Rohit Yadav:

Hi Martin,


This is a known issue, a freshly restarted VR may not have the EGREE 
related tables which is why any rules will fail to apply. As a 
workaround, you can restart the network without selecting the cleanup 
option which will reconfigure the VR and add the egress table.



I've a fix in this PR: 
https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57dfd9156e3983b1bb2d64abecd




- Rohit

<https://cloudstack.apache.org>




From: Martin Emrich <martin.emr...@empolis.com>
Sent: Tuesday, April 10, 2018 2:13:57 PM
To: CloudStack-Users
Subject: Egress rules not applied in 4.11.0

Hi!

I upgraded my test cluster from 4.9 to 4.11. The default policy for
isolated networks is "Deny".

But now, adding rules to allow egress traffic are not applied to the
virtual router. adding a 0.0.0.0/0 rule looks fine from the UI, but does
not appear in the iptables output on the VR.

Any Ideas?

Thanks

Martin


rohit.ya...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue

Re: Egress rules not applied in 4.11.0

2018-04-11 Thread Martin Emrich


Thanks... But I think something else is now broken, too...:

The SystemVMs are now no longer being provisioned: They come up "empty" 
with "systemvm type=".


I also deleted the Console Proxy VM, and the new one is plain, too...

I tried with Git branch 4.11 (producing 4.11.1-SNAPSHOT RPMs), same 
effect...


Cheers,

Martin


Am 11.04.18 um 00:56 schrieb Rohit Yadav:

Hi Martin,


This is a known issue, a freshly restarted VR may not have the EGREE related 
tables which is why any rules will fail to apply. As a workaround, you can 
restart the network without selecting the cleanup option which will reconfigure 
the VR and add the egress table.


I've a fix in this PR: 
https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57dfd9156e3983b1bb2d64abecd



- Rohit

<https://cloudstack.apache.org>




From: Martin Emrich <martin.emr...@empolis.com>
Sent: Tuesday, April 10, 2018 2:13:57 PM
To: CloudStack-Users
Subject: Egress rules not applied in 4.11.0

Hi!

I upgraded my test cluster from 4.9 to 4.11. The default policy for
isolated networks is "Deny".

But now, adding rules to allow egress traffic are not applied to the
virtual router. adding a 0.0.0.0/0 rule looks fine from the UI, but does
not appear in the iptables output on the VR.

Any Ideas?

Thanks

Martin


rohit.ya...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue

Re: Egress rules not applied in 4.11.0

2018-04-10 Thread Rohit Yadav

Hi Martin,


This is a known issue, a freshly restarted VR may not have the EGREE related 
tables which is why any rules will fail to apply. As a workaround, you can 
restart the network without selecting the cleanup option which will reconfigure 
the VR and add the egress table.


I've a fix in this PR: 
https://github.com/apache/cloudstack/pull/2508/files#diff-2d3ea57dfd9156e3983b1bb2d64abecd



- Rohit

<https://cloudstack.apache.org>




From: Martin Emrich <martin.emr...@empolis.com>
Sent: Tuesday, April 10, 2018 2:13:57 PM
To: CloudStack-Users
Subject: Egress rules not applied in 4.11.0

Hi!

I upgraded my test cluster from 4.9 to 4.11. The default policy for
isolated networks is "Deny".

But now, adding rules to allow egress traffic are not applied to the
virtual router. adding a 0.0.0.0/0 rule looks fine from the UI, but does
not appear in the iptables output on the VR.

Any Ideas?

Thanks

Martin


rohit.ya...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue

Re: Egress rules not applied in 4.11.0

2018-04-10 Thread Martin Emrich


Hi!

Am 10.04.18 um 11:09 schrieb Stephan Seitz:

Hi!

I think your facing a bug already discussed here. After reloading (imho doesn't matter if 
you check "clean up") the network, the egress rules are applied.
So just reload every net with egress rules :)
IIRC I tried that several times with no success... But after I tried it 
again just now (to be sure), restarting the network hangs.


Looking in the cloud.log on the VR, it is quite short, with a line 
"Configuring systemvm type=" (nothing after the =).


That's obviously wrong, isn't it?

AFAIR a fresh systemvm gets its config via an iso image and via network.

systemvm.iso is in place on the XenServer, but the VM has no IP adress 
at all (not even a link-local one).

/usr/local/cloud is empty, so the ISO was never deployed...

Where could I look?

Oh and don't know if that made it already to 
https://github.com/apache/cloudstack/issues so if you would be so kind to open 
an issue?

I better wait until I am sure it was not my fault ;)

Thanks,

Martin

Re: Egress rules not applied in 4.11.0

2018-04-10 Thread Rafael Weingärtner

No need to open an issue ticket. There is already a PR to fix it.
https://github.com/apache/cloudstack/pull/2514

On Tue, Apr 10, 2018 at 6:09 AM, Stephan Seitz 
wrote:

> Hi!
>
> I think your facing a bug already discussed here. After reloading (imho
> doesn't matter if you check "clean up") the network, the egress rules are
> applied.
> So just reload every net with egress rules :)
>
> Oh and don't know if that made it already to https://github.com/apache/
> cloudstack/issues so if you would be so kind to open an issue?
>
> cheers,
>
> - Stephan
>
> Am Dienstag, den 10.04.2018, 10:43 +0200 schrieb Martin Emrich:
> > Hi!
> >
> > I upgraded my test cluster from 4.9 to 4.11. The default policy for
> > isolated networks is "Deny".
> >
> > But now, adding rules to allow egress traffic are not applied to the
> > virtual router. adding a 0.0.0.0/0 rule looks fine from the UI, but
> does
> > not appear in the iptables output on the VR.
>



-- 
Rafael Weingärtner

Re: Egress rules not applied in 4.11.0

2018-04-10 Thread Stephan Seitz

Hi!

I think your facing a bug already discussed here. After reloading (imho doesn't 
matter if you check "clean up") the network, the egress rules are applied.
So just reload every net with egress rules :)

Oh and don't know if that made it already to 
https://github.com/apache/cloudstack/issues so if you would be so kind to open 
an issue?

cheers,

- Stephan

Am Dienstag, den 10.04.2018, 10:43 +0200 schrieb Martin Emrich:
> Hi!
> 
> I upgraded my test cluster from 4.9 to 4.11. The default policy for 
> isolated networks is "Deny".
> 
> But now, adding rules to allow egress traffic are not applied to the 
> virtual router. adding a 0.0.0.0/0 rule looks fine from the UI, but does 
> not appear in the iptables output on the VR.


signature.asc
Description: This is a digitally signed message part

Egress rules not applied in 4.11.0

2018-04-10 Thread Martin Emrich


Hi!

I upgraded my test cluster from 4.9 to 4.11. The default policy for 
isolated networks is "Deny".


But now, adding rules to allow egress traffic are not applied to the 
virtual router. adding a 0.0.0.0/0 rule looks fine from the UI, but does 
not appear in the iptables output on the VR.


Any Ideas?

Thanks

Martin

Re: Egress rules not applied in 4.11.0

Re: Egress rules not applied in 4.11.0

Re: Egress rules not applied in 4.11.0

Re: Egress rules not applied in 4.11.0

Re: Egress rules not applied in 4.11.0

Re: Egress rules not applied in 4.11.0

Re: Egress rules not applied in 4.11.0

RE: Egress rules not applied in 4.11.0

Re: Egress rules not applied in 4.11.0

Re: Egress rules not applied in 4.11.0

Re: Egress rules not applied in 4.11.0

Re: Egress rules not applied in 4.11.0

Re: Egress rules not applied in 4.11.0

Re: Egress rules not applied in 4.11.0

Re: Egress rules not applied in 4.11.0

Egress rules not applied in 4.11.0

16 matches

Site Navigation

Mail list logo

Footer information