Re: Change VPC CIDR - and some Mailing List issues

2018-03-15 Thread Rafael Weingärtner
Can people review this PR https://github.com/apache/cloudstack-www/pull/43.
It has to do with the mailing list search mechanism

On Wed, Mar 7, 2018 at 11:30 AM, Andrija Panic 
wrote:

> root@r-5015-VM:~# grep -ir "10.128.0.0/18" /etc/ ### this is VPC CIDR
>
> /etc/iptables/router_rules.v4:-A INPUT -s 10.128.64.0/18 -d 10.128.0.0/18 -j MARK --set-xmark 0x524/0x
> /etc/iptables/router_rules.v4:-A FORWARD -s 10.128.64.0/18 -d 10.128.0.0/18 -j MARK --set-xmark 0x524/0x
> /etc/iptables/router_rules.v4:-A FORWARD -s 10.128.0.0/18 -d 10.128.64.0/18 -j MARK --set-xmark 0x525/0x
> /etc/iptables/router_rules.v4:-A OUTPUT -s 10.128.0.0/18 -d 10.128.64.0/18 -j MARK --set-xmark 0x525/0x
> /etc/iptables/router_rules.v4:-A FORWARD -s 10.128.0.0/18 ! -d 10.128.0.0/18 -j ACCEPT
> /etc/ipsec.d/ipsec.vpn-185.39.XXX.YYY.conf: leftsubnet=10.128.0.0/18
> /etc/cloudstack/cmdline.json:"vpccidr": "10.128.0.0/18"
> /etc/cloudstack/site2sitevpn.json:"local_guest_cidr": "10.128.0.0/18",
>
> So just restart VPC and be safe better than sorry :)
>
> Cheers
>
> On 7 March 2018 at 14:21,  wrote:
>
> > Hi,
> >
> > As far as I know, when creating a site 2 site VPN, you can only specify
> > the remote networks. The local network is always set to the whole VPC CIDR.
> > Or am I wrong?
> >
> > Regards
> > Daniel
> >
> > On 07.03.18, 12:39, "Rafael Weingärtner"
> > wrote:
> >
> > I agree with you. I was not aware of that link in ACS website. I already
> > created a task for myself to fix that.
> >
> > I thought the VPC CIDR was used only as a logical value internally in ACS.
> > However, as you pointed out, you can create a VPN to the whole VPC. Then,
> > yes, a restart would be required.
> >
> >
> > On Wed, Mar 7, 2018 at 8:33 AM,
> > wrote:
> >
> > > Hi,
> > >
> > > Maybe we could link to the Apache search system at the page listing the
> > > Cloudstack Mailing-Lists: https://cloudstack.apache.org/mailing-lists.html
> > >
> > > If you click on the list there, you get to
> > > http://mail-archives.apache.org/mod_mbox/cloudstack-users/. Then there is
> > > markmail linked and the
> > > https://lists.apache.org/list.html?users@cloudstack.apache.org link you
> > > shared (which btw looks best to me, thanks).
> > >
> > > The tiers are going to stay as they are currently. I guess the CIDR is
> > > used in the Strongswan VPN configuration as local network, so I guess a
> > > restart might be required.
> > >
> > > Other thoughts?
> > >
> > > Thanks
> > > Daniel
> > >
> > > On 07.03.18, 12:25, "Rafael Weingärtner" <rafaelweingart...@gmail.com>
> > > wrote:
> > >
> > > MarkMail is not an Apache's system. If you want an Apache's system to
> > > search mailing lists you can use:
> > > https://lists.apache.org/list.html?d...@cloudstack.apache.org.
> > >
> > > Do you intend on changing the Tiers CIDR as well? If it is only the VPC,
> > > you might not even need to restart with a cleanup. Of course, it is always
> > > a good practice to test before applying in production.
> > >
> > > On Wed, Mar 7, 2018 at 8:07 AM,  > fraunhofer.de>
> > > wrote:
> > >
> > > > Hi all,
> > > >
> > > > First of all: when trying to search the lists on MarkMail (
> > > > https://cloudstack.apache.org/mailing-lists.html) I get a warning that
> > > > the entered information will be transmitted insecurely (no HTTPs). If I
> > > > accept that, MarkMail redirects back to HTTPs but does not present a valid
> > > > certificate (unknown issuer, Firefox 58.0.2
> > > >
> > > > Now, to the question:
> > > >
> > > > We have a VPC with a pretty large CIDR (172.19.0.0/16), which however
> > > > only has tiers in the upper half (172.19.128.0/17). We now would like to
> > > > reduce the VPC CIDR. Is it safe to edit this in the database and then do a
> > > > VPC restart with cleanup? Anything else to consider?
> > > >
> > > > We use VPN s2s tunnel, so I guess we need to change the remote subnet on
> > > > the other VPN endpoints, but other than that?
> > > >
> > > > Is it possible like that, any problems to expect?
> > > >
> > > > Thanks and regards
> > > >
> > > > Daniel
> > >
> > >
> >
> >
> > --
> > Rafael Weingärtner
> >
> >
>
>
> --
>
> Andrija Panić
>



-- 
Rafael Weingärtner


Re: Change VPC CIDR - and some Mailing List issues

2018-03-07 Thread Andrija Panic
root@r-5015-VM:~# grep -ir "10.128.0.0/18" /etc/ ### this is VPC CIDR

/etc/iptables/router_rules.v4:-A INPUT -s 10.128.64.0/18 -d 10.128.0.0/18 -j MARK --set-xmark 0x524/0x
/etc/iptables/router_rules.v4:-A FORWARD -s 10.128.64.0/18 -d 10.128.0.0/18 -j MARK --set-xmark 0x524/0x
/etc/iptables/router_rules.v4:-A FORWARD -s 10.128.0.0/18 -d 10.128.64.0/18 -j MARK --set-xmark 0x525/0x
/etc/iptables/router_rules.v4:-A OUTPUT -s 10.128.0.0/18 -d 10.128.64.0/18 -j MARK --set-xmark 0x525/0x
/etc/iptables/router_rules.v4:-A FORWARD -s 10.128.0.0/18 ! -d 10.128.0.0/18 -j ACCEPT
/etc/ipsec.d/ipsec.vpn-185.39.XXX.YYY.conf: leftsubnet=10.128.0.0/18
/etc/cloudstack/cmdline.json:"vpccidr": "10.128.0.0/18"
/etc/cloudstack/site2sitevpn.json:"local_guest_cidr": "10.128.0.0/18",

So just restart VPC and be safe better than sorry :)

Cheers

On 7 March 2018 at 14:21,  wrote:

> Hi,
>
> As far as I know, when creating a site 2 site VPN, you can only specify
> the remote networks. The local network is always set to the whole VPC CIDR.
> Or am I wrong?
>
> Regards
> Daniel
>
> On 07.03.18, 12:39, "Rafael Weingärtner" 
> wrote:
>
> I agree with you. I was not aware of that link in ACS website. I already
> created a task for myself to fix that.
>
> I thought the VPC CIDR was used only as a logical value internally in ACS.
> However, as you pointed out, you can create a VPN to the whole VPC. Then,
> yes, a restart would be required.
>
>
> On Wed, Mar 7, 2018 at 8:33 AM,
> wrote:
>
> > Hi,
> >
> > Maybe we could link to the Apache search system at the page listing the
> > Cloudstack Mailing-Lists: https://cloudstack.apache.org/mailing-lists.html
> >
> > If you click on the list there, you get to
> > http://mail-archives.apache.org/mod_mbox/cloudstack-users/. Then there is
> > markmail linked and the
> > https://lists.apache.org/list.html?users@cloudstack.apache.org link you
> > shared (which btw looks best to me, thanks).
> >
> > The tiers are going to stay as they are currently. I guess the CIDR is
> > used in the Strongswan VPN configuration as local network, so I guess a
> > restart might be required.
> >
> > Other thoughts?
> >
> > Thanks
> > Daniel
> >
> > On 07.03.18, 12:25, "Rafael Weingärtner" <rafaelweingart...@gmail.com>
> > wrote:
> >
> > MarkMail is not an Apache's system. If you want an Apache's system to
> > search mailing lists you can use:
> > https://lists.apache.org/list.html?d...@cloudstack.apache.org.
> >
> > Do you intend on changing the Tiers CIDR as well? If it is only the VPC,
> > you might not even need to restart with a cleanup. Of course, it is always
> > a good practice to test before applying in production.
> >
> > On Wed, Mar 7, 2018 at 8:07 AM,  fraunhofer.de>
> > wrote:
> >
> > > Hi all,
> > >
> > > First of all: when trying to search the lists on MarkMail (
> > > https://cloudstack.apache.org/mailing-lists.html) I get a warning that
> > > the entered information will be transmitted insecurely (no HTTPs). If I
> > > accept that, MarkMail redirects back to HTTPs but does not present a valid
> > > certificate (unknown issuer, Firefox 58.0.2
> > >
> > > Now, to the question:
> > >
> > > We have a VPC with a pretty large CIDR (172.19.0.0/16), which however
> > > only has tiers in the upper half (172.19.128.0/17). We now would like to
> > > reduce the VPC CIDR. Is it safe to edit this in the database and then do a
> > > VPC restart with cleanup? Anything else to consider?
> > >
> > > We use VPN s2s tunnel, so I guess we need to change the remote subnet on
> > > the other VPN endpoints, but other than that?
> > >
> > > Is it possible like that, any problems to expect?
> > >
> > > Thanks and regards
> > >
> > > Daniel
> >
> >
>
>
> --
> Rafael Weingärtner
>
>


-- 

Andrija Panić
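
Added example, not part of the thread and not CloudStack code: the grep output above shows the VPC CIDR written into the router's iptables rules, the IPsec leftsubnet and two CloudStack JSON files, so each of those can keep a stale value after the CIDR is reduced. The Python below checks that the tiers still fit the reduced CIDR and lists the files that still hold the old range; the sample lines, the tier CIDRs and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

CIDR_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}\b")

# Constructed sample in `grep -r` "path:content" form. The paths are the ones
# in the output above; the CIDR values are made up for the shrink scenario.
SAMPLE_GREP = """\
/etc/iptables/router_rules.v4:-A FORWARD -s 172.19.0.0/16 ! -d 172.19.0.0/16 -j ACCEPT
/etc/iptables/router_rules.v4:-A FORWARD -s 172.19.128.0/24 -d 172.19.200.0/24 -j ACCEPT
/etc/ipsec.d/ipsec.vpn-185.39.XXX.YYY.conf: leftsubnet=172.19.0.0/16
/etc/cloudstack/cmdline.json:"vpccidr": "172.19.0.0/16"
/etc/cloudstack/site2sitevpn.json:"local_guest_cidr": "172.19.128.0/17",
"""


def tiers_outside(new_vpc, tiers):
    """Return the tier CIDRs that would no longer fit inside the reduced VPC CIDR."""
    new = ipaddress.ip_network(new_vpc)
    return [t for t in tiers if not ipaddress.ip_network(t).subnet_of(new)]


def stale_references(grep_output, old_vpc, new_vpc):
    """Map each file to the CIDRs it still holds that lie inside the old VPC
    range but are not covered by the new one (the old CIDR itself included)."""
    old = ipaddress.ip_network(old_vpc)
    new = ipaddress.ip_network(new_vpc)
    stale = defaultdict(list)
    for line in grep_output.splitlines():
        path, sep, content = line.partition(":")
        if not sep:
            continue
        for token in CIDR_RE.findall(content):
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:  # not a valid IPv4 network, e.g. an octet above 255
                continue
            if net.subnet_of(old) and not net.subnet_of(new):
                stale[path].append(token)
    return dict(stale)


if __name__ == "__main__":
    # Constructed tiers: the second one sits in the lower half and would be cut off.
    print(tiers_outside("172.19.128.0/17", ["172.19.128.0/24", "172.19.10.0/24"]))
    found = stale_references(SAMPLE_GREP, "172.19.0.0/16", "172.19.128.0/17")
    for path, cidrs in found.items():
        print(path, sorted(set(cidrs)))
```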


Re: Change VPC CIDR - and some Mailing List issues

2018-03-07 Thread daniel.herrmann
Hi,

As far as I know, when creating a site 2 site VPN, you can only specify the 
remote networks. The local network is always set to the whole VPC CIDR. Or am I 
wrong?

Regards
Daniel

On 07.03.18, 12:39, "Rafael Weingärtner"  wrote:

I agree with you. I was not aware of that link in ACS website. I already
created a task for myself to fix that.

I thought the VPC CIDR was used only as a logical value internally in ACS.
However, as you pointed out, you can create a VPN to the whole VPC. Then,
yes, a restart would be required.


On Wed, Mar 7, 2018 at 8:33 AM,  wrote:

> Hi,
>
> Maybe we could link to the Apache search system at the page listing the
> Cloudstack Mailing-Lists: https://cloudstack.apache.org/mailing-lists.html
>
> If you click on the list there, you get to http://mail-archives.apache.
> org/mod_mbox/cloudstack-users/. Then there is markmail linked and the
> https://lists.apache.org/list.html?users@cloudstack.apache.org link you
> shared (which btw looks best to me, thanks).
>
> The tiers are going to stay as they are currently. I guess the CIDR is
> used in the Strongswan VPN configuration as local network, so I guess a
> restart might be required.
>
> Other thoughts?
>
> Thanks
> Daniel
>
> On 07.03.18, 12:25, "Rafael Weingärtner" 
> wrote:
>
> MarkMail is not an Apache's system. If you want an Apache's system to
> search mailing lists you can use:
> https://lists.apache.org/list.html?d...@cloudstack.apache.org.
>
> Do you intend on changing the Tiers CIDR as well? If it is only the VPC,
> you might not even need to restart with a cleanup. Of course, it is always
> a good practice to test before applying in production.
>
> On Wed, Mar 7, 2018 at 8:07 AM,
> wrote:
>
> > Hi all,
> >
> > First of all: when trying to search the lists on MarkMail (
> > https://cloudstack.apache.org/mailing-lists.html) I get a warning that
> > the entered information will be transmitted insecurely (no HTTPs). If I
> > accept that, MarkMail redirects back to HTTPs but does not present a valid
> > certificate (unknown issuer, Firefox 58.0.2
> >
> > Now, to the question:
> >
> > We have a VPC with a pretty large CIDR (172.19.0.0/16), which however
> > only has tiers in the upper half (172.19.128.0/17). We now would like to
> > reduce the VPC CIDR. Is it safe to edit this in the database and then do a
> > VPC restart with cleanup? Anything else to consider?
> >
> > We use VPN s2s tunnel, so I guess we need to change the remote subnet on
> > the other VPN endpoints, but other than that?
> >
> > Is it possible like that, any problems to expect?
> >
> >
> >
> > Thanks and regards
> >
> > Daniel
>
>


-- 
Rafael Weingärtner





Re: Change VPC CIDR - and some Mailing List issues

2018-03-07 Thread Rafael Weingärtner
I agree with you. I was not aware of that link in ACS website. I already
created a task for myself to fix that.

I thought the VPC CIDR was used only as a logical value internally in ACS.
However, as you pointed out, you can create a VPN to the whole VPC. Then,
yes, a restart would be required.


On Wed, Mar 7, 2018 at 8:33 AM,  wrote:

> Hi,
>
> Maybe we could link to the Apache search system at the page listing the
> Cloudstack Mailing-Lists: https://cloudstack.apache.org/mailing-lists.html
>
> If you click on the list there, you get to http://mail-archives.apache.
> org/mod_mbox/cloudstack-users/. Then there is markmail linked and the
> https://lists.apache.org/list.html?users@cloudstack.apache.org link you
> shared (which btw looks best to me, thanks).
>
> The tiers are going to stay as they are currently. I guess the CIDR is
> used in the Strongswan VPN configuration as local network, so I guess a
> restart might be required.
>
> Other thoughts?
>
> Thanks
> Daniel
>
> On 07.03.18, 12:25, "Rafael Weingärtner" 
> wrote:
>
> MarkMail is not an Apache's system. If you want an Apache's system to
> search mailing lists you can use:
> https://lists.apache.org/list.html?d...@cloudstack.apache.org.
>
> Do you intend on changing the Tiers CIDR as well? If it is only the VPC,
> you might not even need to restart with a cleanup. Of course, it is always
> a good practice to test before applying in production.
>
> On Wed, Mar 7, 2018 at 8:07 AM,
> wrote:
>
> > Hi all,
> >
> > First of all: when trying to search the lists on MarkMail (
> > https://cloudstack.apache.org/mailing-lists.html) I get a warning that
> > the entered information will be transmitted insecurely (no HTTPs). If I
> > accept that, MarkMail redirects back to HTTPs but does not present a valid
> > certificate (unknown issuer, Firefox 58.0.2
> >
> > Now, to the question:
> >
> > We have a VPC with a pretty large CIDR (172.19.0.0/16), which however
> > only has tiers in the upper half (172.19.128.0/17). We now would like to
> > reduce the VPC CIDR. Is it safe to edit this in the database and then do a
> > VPC restart with cleanup? Anything else to consider?
> >
> > We use VPN s2s tunnel, so I guess we need to change the remote subnet on
> > the other VPN endpoints, but other than that?
> >
> > Is it possible like that, any problems to expect?
> >
> >
> >
> > Thanks and regards
> >
> > Daniel
>
>


-- 
Rafael Weingärtner


Re: Change VPC CIDR - and some Mailing List issues

2018-03-07 Thread daniel.herrmann
Hi,

Maybe we could link to the Apache search system at the page listing the 
Cloudstack Mailing-Lists: https://cloudstack.apache.org/mailing-lists.html

If you click on the list there, you get to 
http://mail-archives.apache.org/mod_mbox/cloudstack-users/. Then there is 
markmail linked and the 
https://lists.apache.org/list.html?users@cloudstack.apache.org link you shared 
(which btw looks best to me, thanks).

The tiers are going to stay as they are currently. I guess the CIDR is used in 
the Strongswan VPN configuration as local network, so I guess a restart might 
be required.

Other thoughts?

Thanks
Daniel

On 07.03.18, 12:25, "Rafael Weingärtner"  wrote:

MarkMail is not an Apache's system. If you want an Apache's system to
search mailing lists you can use:
https://lists.apache.org/list.html?d...@cloudstack.apache.org.

Do you intend on changing the Tiers CIDR as well? If it is only the VPC,
you might not even need to restart with a cleanup. Of course, it is always
a good practice to test before applying in production.

On Wed, Mar 7, 2018 at 8:07 AM,  wrote:

> Hi all,
>
>
>
> First of all: when trying to search the lists on MarkMail (
> https://cloudstack.apache.org/mailing-lists.html) I get a warning that
> the entered information will be transmitted insecurely (no HTTPs). If I
> accept that, MarkMail redirects back to HTTPs but does not present a valid
> certificate (unknown issuer, Firefox 58.0.2
>
>
>
> Now, to the question:
>
>
>
> We have a VPC with a pretty large CIDR (172.19.0.0/16), which however
> only has tiers in the upper half (172.19.128.0/17). We now would like to
> reduce the VPC CIDR. Is it safe to edit this in the database and then do a
> VPC restart with cleanup? Anything else to consider?
>
>
>
> We use VPN s2s tunnel, so I guess we need to change the remote subnet on
> the other VPN endpoints, but other than that?
>
>
>
> Is it possible like that, any problems to expect?
>
>
>
> Thanks and regards
>
> Daniel





Re: Change VPC CIDR - and some Mailing List issues

2018-03-07 Thread Rafael Weingärtner
MarkMail is not an Apache's system. If you want an Apache's system to
search mailing lists you can use:
https://lists.apache.org/list.html?d...@cloudstack.apache.org.

Do you intend on changing the Tiers CIDR as well? If it is only the VPC,
you might not even need to restart with a cleanup. Of course, it is always
a good practice to test before applying in production.

On Wed, Mar 7, 2018 at 8:07 AM,  wrote:

> Hi all,
>
>
>
> First of all: when trying to search the lists on MarkMail (
> https://cloudstack.apache.org/mailing-lists.html) I get a warning that
> the entered information will be transmitted insecurely (no HTTPs). If I
> accept that, MarkMail redirects back to HTTPs but does not present a valid
> certificate (unknown issuer, Firefox 58.0.2
>
>
>
> Now, to the question:
>
>
>
> We have a VPC with a pretty large CIDR (172.19.0.0/16), which however
> only has tiers in the upper half (172.19.128.0/17). We now would like to
> reduce the VPC CIDR. Is it safe to edit this in the database and then do a
> VPC restart with cleanup? Anything else to consider?
>
>
>
> We use VPN s2s tunnel, so I guess we need to change the remote subnet on
> the other VPN endpoints, but other than that?
>
>
>
> Is it possible like that, any problems to expect?
>
>
>
> Thanks and regards
>
> Daniel
>
>
>
> --
>
> Daniel Herrmann
>
> Network Engineer – Fraunhofer Private Cloud
>
> CCIE #55056 (Routing and Switching)
>
> Cisco CCDP, CCIP; Fluke CCTT
>
>
>
> Fraunhoferstraße 5, 64283 Darmstadt
>
> Tel.: +49 6151 155346
>
> Mail: daniel.herrm...@zv.fraunhofer.de
>
>
>



-- 
Rafael Weingärtner