Thanks, is there a way to remove deleted images?

On Wed, May 27, 2015 at 9:08 AM, Josh Thompson <[email protected]> wrote:
> Lewis,
>
> That is correct. However, if you can successfully make an imaging reservation
> and connect to it, you can use that as your starting point for updating your
> firewall configuration. Then, just save it off as a new revision of the image
> or as a new image.
>
> Josh
>
> On Tuesday, May 26, 2015 7:52:23 PM Litchfield, Elwin L. wrote:
> > I assume this configuration must be done before the image is created.
> >
> > Lewis Litchfield
> > Technology Services – Viking Center Lab
> > University of South Florida Sarasota-Manatee
> > 941-359-4231
> >
> > ________________________________________
> > From: Josh Thompson <[email protected]>
> > Sent: Tuesday, May 26, 2015 3:40 PM
> > To: [email protected]
> > Subject: Re: vcld.log
> >
> > Elwin,
> >
> > I can't find any docs on how you are supposed to configure the firewall for
> > a base linux image under 2.3.2, and I don't remember the details of it. I
> > think something like the following should get you working.
> >
> > First, stop iptables to clear all of the tables:
> >
> > service iptables stop
> >
> > Create a custom table - you can name it anything, we'll go with "VCL".
> >
> > iptables -N VCL
> >
> > Create a rule in INPUT that jumps to the VCL table for everything:
> >
> > iptables -A INPUT -j VCL
> >
> > Add a few important rules to the VCL table:
> >
> > iptables -A VCL -i lo -j ACCEPT
> > iptables -A VCL -m state --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -A VCL -p icmp -m icmp --icmp-type any -j ACCEPT
> >
> > Add a rule to the VCL table to accept traffic from your management node:
> >
> > iptables -A VCL -s <management node IP> -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> >
> > Add a rule to the VCL table to reject other traffic:
> >
> > iptables -A VCL -j REJECT --reject-with icmp-host-prohibited
> >
> > Save the new configuration:
> >
> > service iptables save
> >
> > If I remember correctly, VCL should then manage required additions and
> > removals on the INPUT table, and leave the VCL table alone, and since the
> > VCL table has a rule allowing traffic from your management node, it should
> > stop shutting itself out.
> >
> > Let me know if this works for you.
> >
> > Josh
> >
> > On Tuesday, May 26, 2015 1:13:37 PM Elwin Litchfield wrote:
> > > Everything seemed to work till the reservation was over. Port 22 is
> > > blocked, but ping is OK & port 3389 is still available & connection with
> > > admin ID & password presented at the beginning of the reservation. I have
> > > been reading the vcld.log & am unable to make any sense of it. Can you help
> > > me understand what is happening?
> > >
> > > Thanks
> > >
> > > 2015-05-26 12:26:32|9344|46:46|timeout|utils.pm:run_ssh_command(4902)|executing SSH command on VM7Cent6VCL1:
> > > |9344|46:46|timeout| /usr/bin/ssh -i /etc/vcl/vcl.key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x VM7Cent6VCL1 '/sbin/chkconfig --list iptables' 2>&1
> > > 2015-05-26 12:26:32|9344|46:46|timeout|Linux.pm:service_exists(3186)|'iptables' service exists
> > > 2015-05-26 12:26:32|9344|46:46|timeout|utils.pm:run_ssh_command(4902)|executing SSH command on VM7Cent6VCL1:
> > > |9344|46:46|timeout| /usr/bin/ssh -i /etc/vcl/vcl.key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x VM7Cent6VCL1 'iptables -L --line-number -n' 2>&1
> > > 2015-05-26 12:26:33|9344|46:46|timeout|utils.pm:run_ssh_command(5020)|run_ssh_command output:
> > > |9344|46:46|timeout| Chain INPUT (policy ACCEPT)
> > > |9344|46:46|timeout| num  target     prot opt source               destination
> > > |9344|46:46|timeout| 1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED tcp dpt:22
> > > |9344|46:46|timeout| 2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> > > |9344|46:46|timeout| 3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
> > > |9344|46:46|timeout| 4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> > > |9344|46:46|timeout| 5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
> > > |9344|46:46|timeout| 6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
> > > |9344|46:46|timeout| 7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3389
> > > |9344|46:46|timeout| 8    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:3389
> > > |9344|46:46|timeout| 9    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> > > |9344|46:46|timeout|
> > > |9344|46:46|timeout| Chain FORWARD (policy ACCEPT)
> > > |9344|46:46|timeout| num  target     prot opt source               destination
> > > |9344|46:46|timeout| 1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> > > |9344|46:46|timeout|
> > > |9344|46:46|timeout| Chain OUTPUT (policy ACCEPT)
> > > |9344|46:46|timeout| num  target     prot opt source               destination
> > > 2015-05-26 12:26:33|9344|46:46|timeout|utils.pm:run_ssh_command(5034)|SSH command executed on VM7Cent6VCL1, returning (0, "Chain INPUT (policy ACCEPT) nu...")
> > > 2015-05-26 12:26:33|9344|46:46|timeout|Linux.pm:get_firewall_configuration(3991)|output Chain = INPUT
> > > 2015-05-26 12:26:33|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output rule: 1, ACCEPT, tcp, 0.0.0.0/0, 0.0.0.0/0, 22
> > > 2015-05-26 12:26:35|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output rule: 5, ACCEPT, tcp, 0.0.0.0/0, 0.0.0.0/0, 443
> > > 2015-05-26 12:26:36|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output rule: 6, ACCEPT, tcp, 0.0.0.0/0, 0.0.0.0/0, 80
> > > 2015-05-26 12:26:36|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output rule: 7, ACCEPT, tcp, 0.0.0.0/0, 0.0.0.0/0, 3389
> > > 2015-05-26 12:26:36|26123|vcld:main(167)|lastcheckin time updated for management node 1: 2015-05-26 12:26:36
> > > 2015-05-26 12:26:37|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4007)|output rule: 8, ACCEPT, udp, 0.0.0.0/0, 0.0.0.0/0, 3389
> > > 2015-05-26 12:26:38|9344|46:46|timeout|Linux.pm:get_firewall_configuration(3991)|output Chain = FORWARD
> > > 2015-05-26 12:26:38|9344|46:46|timeout|Linux.pm:get_firewall_configuration(3991)|output Chain = OUTPUT
> > > 2015-05-26 12:26:38|9344|46:46|timeout|Linux.pm:get_firewall_configuration(4050)|retrieved firewall configuration from VM7Cent6VCL1:
> > > |9344|46:46|timeout| : {
> > > |9344|46:46|timeout| :   "FORWARD" => {
> > > |9344|46:46|timeout| :     "1" => {
> > > |9344|46:46|timeout| :       "all" => {
> > > |9344|46:46|timeout| :         "any" => {
> > > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "name" => "any",
> > > |9344|46:46|timeout| :           "number" => 1,
> > > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "target" => "REJECT"
> > > |9344|46:46|timeout| :         }
> > > |9344|46:46|timeout| :       }
> > > |9344|46:46|timeout| :     }
> > > |9344|46:46|timeout| :   },
> > > |9344|46:46|timeout| :   "INPUT" => {
> > > |9344|46:46|timeout| :     "1" => {
> > > |9344|46:46|timeout| :       "tcp" => {
> > > |9344|46:46|timeout| :         "22" => {
> > > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "name" => "ssh",
> > > |9344|46:46|timeout| :           "number" => 1,
> > > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > > |9344|46:46|timeout| :         }
> > > |9344|46:46|timeout| :       }
> > > |9344|46:46|timeout| :     },
> > > |9344|46:46|timeout| :     "2" => {
> > > |9344|46:46|timeout| :       "all" => {
> > > |9344|46:46|timeout| :         "any" => {
> > > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "name" => "any",
> > > |9344|46:46|timeout| :           "number" => 2,
> > > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > > |9344|46:46|timeout| :         }
> > > |9344|46:46|timeout| :       }
> > > |9344|46:46|timeout| :     },
> > > |9344|46:46|timeout| :     "3" => {
> > > |9344|46:46|timeout| :       "icmp" => {
> > > |9344|46:46|timeout| :         "any" => {
> > > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "name" => "any",
> > > |9344|46:46|timeout| :           "number" => 3,
> > > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > > |9344|46:46|timeout| :         }
> > > |9344|46:46|timeout| :       }
> > > |9344|46:46|timeout| :     },
> > > |9344|46:46|timeout| :     "4" => {
> > > |9344|46:46|timeout| :       "all" => {
> > > |9344|46:46|timeout| :         "any" => {
> > > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "name" => "any",
> > > |9344|46:46|timeout| :           "number" => 4,
> > > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > > |9344|46:46|timeout| :         }
> > > |9344|46:46|timeout| :       }
> > > |9344|46:46|timeout| :     },
> > > |9344|46:46|timeout| :     "5" => {
> > > |9344|46:46|timeout| :       "tcp" => {
> > > |9344|46:46|timeout| :         "443" => {
> > > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "name" => "https",
> > > |9344|46:46|timeout| :           "number" => 5,
> > > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > > |9344|46:46|timeout| :         }
> > > |9344|46:46|timeout| :       }
> > > |9344|46:46|timeout| :     },
> > > |9344|46:46|timeout| :     "6" => {
> > > |9344|46:46|timeout| :       "tcp" => {
> > > |9344|46:46|timeout| :         "80" => {
> > > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "name" => "http",
> > > |9344|46:46|timeout| :           "number" => 6,
> > > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > > |9344|46:46|timeout| :         }
> > > |9344|46:46|timeout| :       }
> > > |9344|46:46|timeout| :     },
> > > |9344|46:46|timeout| :     "7" => {
> > > |9344|46:46|timeout| :       "tcp" => {
> > > |9344|46:46|timeout| :         "3389" => {
> > > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "name" => "ms-wbt-server",
> > > |9344|46:46|timeout| :           "number" => 7,
> > > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > > |9344|46:46|timeout| :         }
> > > |9344|46:46|timeout| :       }
> > > |9344|46:46|timeout| :     },
> > > |9344|46:46|timeout| :     "8" => {
> > > |9344|46:46|timeout| :       "udp" => {
> > > |9344|46:46|timeout| :         "3389" => {
> > > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "name" => "ms-wbt-server",
> > > |9344|46:46|timeout| :           "number" => 8,
> > > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "target" => "ACCEPT"
> > > |9344|46:46|timeout| :         }
> > > |9344|46:46|timeout| :       }
> > > |9344|46:46|timeout| :     },
> > > |9344|46:46|timeout| :     "9" => {
> > > |9344|46:46|timeout| :       "all" => {
> > > |9344|46:46|timeout| :         "any" => {
> > > |9344|46:46|timeout| :           "destination" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "name" => "any",
> > > |9344|46:46|timeout| :           "number" => 9,
> > > |9344|46:46|timeout| :           "scope" => "0.0.0.0/0",
> > > |9344|46:46|timeout| :           "target" => "REJECT"
> > > |9344|46:46|timeout| :         }
> > > |9344|46:46|timeout| :       }
> > > |9344|46:46|timeout| :     }
> > > |9344|46:46|timeout| :   }
> > > |9344|46:46|timeout| : }
> > >
> > > 2015-05-26 12:26:38|9344|46:46|timeout|Linux.pm:disable_firewall_port(3783)|attempting to execute command on VM7Cent6VCL1: 'iptables -D INPUT 1'
> > > 2015-05-26 12:26:38|9344|46:46|timeout|utils.pm:run_ssh_command(4902)|executing SSH command on VM7Cent6VCL1:
> > > |9344|46:46|timeout| /usr/bin/ssh -i /etc/vcl/vcl.key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x VM7Cent6VCL1 'iptables -D INPUT 1' 2>&1
> > > 2015-05-26 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(5020)|run_ssh_command output:
> > > 2015-05-26 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(5034)|SSH command executed on VM7Cent6VCL1, returning (0, "")
> > > 2015-05-26 12:26:39|9344|46:46|timeout|Linux.pm:disable_firewall_port(3785)|executed command on VM7Cent6VCL1: 'iptables -D INPUT 1'
> > > 2015-05-26 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(4902)|executing SSH command on VM7Cent6VCL1:
> > > |9344|46:46|timeout| /usr/bin/ssh -i /etc/vcl/vcl.key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=1 -o ConnectTimeout=3 -l root -p 22 -x VM7Cent6VCL1 '/sbin/iptables-save > /etc/sysconfig/iptables' 2>&1
> > >
> > > |9344|46:46|timeout| ---- WARNING ----
> > > |9344|46:46|timeout| 2015-05-26 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(5006)|attempt 1/3: failed to execute SSH command on VM7Cent6VCL1: '/sbin/iptables-save > /etc/sysconfig/iptables', exit status: 255, output:
> > > |9344|46:46|timeout| ssh output (/sbin/ipta...): ssh: connect to host VM7Cent6VCL1 port 22: No route to host
> > > |9344|46:46|timeout| ( 0) utils.pm, run_ssh_command (line: 5006)
> > > |9344|46:46|timeout| (-1) OS.pm, execute (line: 1992)
> > > |9344|46:46|timeout| (-2) Linux.pm, disable_firewall_port (line: 3794)
> > > |9344|46:46|timeout| (-3) OS.pm, process_connect_methods (line: 2576)
> > > |9344|46:46|timeout| (-4) Linux.pm, sanitize (line: 1172)
> > > |9344|46:46|timeout| (-5) reclaim.pm, call_os_sanitize (line: 271)
> > >
> > > 2015-05-26 12:26:39|9344|46:46|timeout|utils.pm:run_ssh_command(4894)|sleeping for 2 seconds before making next SSH attempt
> > > 201
> > >
> > > Thanks
> > >
> > > Lewis
> >
> > --
> > -------------------------------
> > Josh Thompson
> > VCL Developer
> > North Carolina State University
> >
> > my GPG/PGP key can be found at pgp.mit.edu
> >
> > All electronic mail messages in connection with State business which
> > are sent to or received by this account are subject to the NC Public
> > Records Law and may be disclosed to third parties.
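The chain layout Josh describes, written out as a single iptables-restore ruleset plus a check against an `iptables -L --line-number -n` listing of the kind pasted from vcld.log. This is an added example, not code from the thread or from the VCL project. The management node address 192.0.2.10 and both listings are constructed; `vcl_apply` assumes a CentOS/RHEL 6 host like the one in the thread, where `service iptables save` writes /etc/sysconfig/iptables. One caveat the recipe leaves implicit: because the VCL chain ends in a catch-all REJECT, any rule placed in INPUT after the `-j VCL` jump is never evaluated, so per-reservation ports have to be inserted above the jump (`iptables -I INPUT 1 ...`), never appended below it.

```shell
#!/bin/sh
# Added example (not from the thread or the VCL project). Builds the
# INPUT -> VCL chain layout from the recipe above as one iptables-restore
# ruleset, and audits an 'iptables -L --line-number -n' listing for the
# lockout seen in the log: SSH allowed only by an INPUT rule that vcld
# later deletes ('iptables -D INPUT 1').

# Assumption: 192.0.2.10 is a documentation address standing in for the
# real management node; override with MGMT_NODE_IP=... in the environment.
MGMT_NODE_IP="${MGMT_NODE_IP:-192.0.2.10}"

# Emit the filter table in iptables-restore format. INPUT's only permanent
# rule is the jump; everything that must survive vcld's INPUT edits lives
# in the VCL chain. Because VCL ends in REJECT, rules appended to INPUT
# after the jump are unreachable: per-reservation ports must be inserted
# above it (iptables -I INPUT 1 ...), never appended.
vcl_ruleset() {
    mgmt="$1"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VCL - [0:0]
-A INPUT -j VCL
-A VCL -i lo -j ACCEPT
-A VCL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A VCL -p icmp -m icmp --icmp-type any -j ACCEPT
-A VCL -s ${mgmt}/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A VCL -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Audit a listing (columns: num target prot opt source destination ...).
# Returns 0 only if some ACCEPT rule for tcp dpt:22 is scoped to the
# management node's source address AND sits outside INPUT, the chain the
# log shows vcld editing during reclaim; otherwise the image can lock out.
vcl_ssh_survives() {
    printf '%s\n' "$1" | awk -v mgmt="$2" '
        /^Chain / { chain = $2; next }
        chain != "INPUT" && $2 == "ACCEPT" && $3 == "tcp" && $5 == mgmt && /dpt:22([^0-9]|$)/ { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Apply and persist. Needs root and the iptables tools, so it refuses to
# run elsewhere. /etc/sysconfig/iptables is what the CentOS 6 init script
# restores on boot (assumption: CentOS/RHEL 6, as in the thread).
vcl_apply() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "vcl_apply: requires root and iptables-restore" >&2
        return 1
    fi
    vcl_ruleset "$MGMT_NODE_IP" | iptables-restore && service iptables save
}

# Constructed listings in the same format as the log. The first mirrors the
# state that locked the image out; the second is what the recipe produces
# once vcld has inserted a reservation's port 22 rule above the jump.
LOCKOUT_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED tcp dpt:22
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

SAFE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED tcp dpt:22
2    VCL        all  --  0.0.0.0/0            0.0.0.0/0

Chain VCL (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  192.0.2.10           0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'
```

Usage on the image: `vcl_ruleset 10.0.0.5 > /etc/sysconfig/iptables` followed by `service iptables restart`, or `MGMT_NODE_IP=10.0.0.5 vcl_apply` as root. To audit a running host, feed it the live listing: `vcl_ssh_survives "$(iptables -L --line-number -n)" 10.0.0.5`. Generating the ruleset as one file rather than a sequence of `iptables -A` calls means a typo fails the whole load instead of leaving a half-built chain, which matters when the host you are editing is only reachable over the port you are restricting.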
