The check can_bridge_firewall is here:

http://s.apache.org/e1V


Needs
 - ipset
 - iptables physdev module


On 4/10/13 12:08 AM, "Krishna PMV" <krishna....@gmail.com> wrote:

>> Hello
>> during the installation of XenServer host I ran the command
>> xe-switch-network-backend "bridge" and installed XenServer Cloud
>> Support Package.
>> I followed all the instructions of the manual.
>
>Hey Sergio - Found a solution yet? I ran into the same problem[1] with CS
>4.0.1 and XCP 1.1 and am looking for answers here. Since I'm on XCP I don't
>need to install CSP, but as per the docs[2], ebtables is not enabled by
>default. I did the following to enable it on my hypervisors, but no luck:
>
>modprobe ebtables
>modprobe arp_tables
>net.bridge.bridge-nf-call-arptables = 1
>net.bridge.bridge-nf-call-iptables = 1
>net.bridge.bridge-nf-call-ip6tables = 1
>
>
>Does anyone have clues on how to make security groups work on
>xenserver(+csp) / xcp?
>
>[1] http://pastebin.com/gPTT4Rr4
>[2] http://www.xen.org/download/xcp/index_1.1.0.html
>
>
>On Fri, Apr 5, 2013 at 1:02 PM, Sergio Tonani <sergio.ton...@csi.it> wrote:
>
>> Hello
>> during the installation of XenServer host I ran the command
>>   xe-switch-network-backend "bridge"   and installed   XenServer Cloud
>> Support Package.
>> I followed all the instructions of the manual.
>>
>>  >
>>  
>>_________________________________________________________________________
>>  >
>>  >  On 5 April 2013 at 7:56, Geoff Higginbottom
>>  > <geoff.higginbot...@shapeblue.com> wrote:
>>  >  > Sergio,
>>  >  >
>>  >  > Did you install the XenServer Cloud Support Package? It's required if
>>  >  > you are using Security Groups on XenServer 6.0.2
>>  >  >
>>  >  > Regards
>>  >  >
>>  >  > Geoff Higginbottom
>>  >  > CTO / Cloud Architect
>>  >  >
>>  >  > D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581
>>  >  >
>>  >  > geoff.higginbot...@shapeblue.com | www.shapeblue.com | Twitter: @shapeblue <https://twitter.com/#!/shapeblue>
>>  >  >
>>  >  > ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS
>>  >  >
>>  >  >
>>  >  > On 5 Apr 2013, at 06:34, "Jayapal Reddy Uradi" <jayapalreddy.ur...@citrix.com> wrote:
>>  >  >
>>  >  > Did you run the following command in xenserver as part of host setup?
>>  >  > xe-switch-network-backend "bridge"
>>  >  >
>>  >  > Thanks,
>>  >  > Jayapal
>>  >  > -----Original Message-----
>>  >  > From: Ignazio Cassano [mailto:ignaziocass...@gmail.com]
>>  >  > Sent: Friday, 5 April 2013 5:35 AM
>>  >  > To: users@cloudstack.apache.org; Sergio Tonani
>>  >  > Subject: Re: Problems with Security Groups over CloudStack 4.0.1 with
>>  >  > XenServer 6.0.2 and Basic Zone
>>  >  >
>>  >  > Hi Sergio, I suggest using Advanced Zones instead of Basic.
>>  >  > I do not know CS4 very well, but in previous versions Advanced zones have
>>  >  > a lot of features.
>>  >  > Bye
>>  >  > Ignazio
>>  >  > PS (let me know how this new version is)
>>  >  >
>>  >  >
>>  >  > 2013/4/4 Sergio Tonani <sergio.ton...@csi.it>
>>  >  >
>>  >  > Hi all, I am trying CloudStack 4.0.1 with XenServer 6.0.2 in a Basic
>>  >  > Zone...
>>  >  > Security Groups do not work.
>>  >  > I follow all the instructions of the manual. CSP is installed and the
>>  >  > host network works in bridge mode.
>>  >  > I have another cluster with KVM that works fine.
>>  >  >
>>  >  > On the XenServer host, CS doesn't write any ebtables or iptables
>>  >  > rules. On the KVM host, ebtables and iptables rules are populated
>>  >  > correctly.
>>  >  >
>>  >  > The log file management-server.log shows these messages when I create a
>>  >  > new instance in a security group:
>>  >  >
>>  >  > 2013-04-04 15:02:03,611 WARN [xen.resource.CitrixResourceBase] (DirectAgent-214:null) Host 10.102.90.3 cannot do bridge firewalling
>>  >  > 2013-04-04 15:02:03,612 DEBUG [agent.manager.DirectAgentAttache] (DirectAgent-214:null) Seq 8-949355071: Response Received:
>>  >  > 2013-04-04 15:02:03,612 DEBUG [agent.transport.Request] (DirectAgent-214:null) Seq 8-949355071: Processing: { Ans: , MgmtId: 218022145849384, via: 8, Ver: v1, Flags: 110, [{"SecurityGroupRuleAnswer":{"logSequenceNumber":1,"vmId":13,"reason":"CANNOT_BRIDGE_FIREWALL","result":false,"details":"Host 10.102.90.3 cannot do bridge firewalling","wait":0}}] }
>>  >  > 2013-04-04 15:02:03,615 DEBUG [network.security.SecurityGroupListener] (DirectAgent-214:null) Failed to program rule com.cloud.agent.api.SecurityGroupRuleAnswer into host 8 due to Host 10.102.90.3 cannot do bridge firewalling and updated jobs
>>  >  > 2013-04-04 15:02:03,615 DEBUG [network.security.SecurityGroupListener] (DirectAgent-214:null) Not retrying security group rules for vm 13 on failure since host 8 cannot do bridge firewalling
>>  >  > 2013-04-04 15:02:03,617 DEBUG [network.security.SecurityGroupListener] (DirectAgent-214:null) Failed to program rule com.cloud.agent.api.SecurityGroupRuleAnswer into host 8 due to Host 10.102.90.3 cannot do bridge firewalling and updated jobs
>>  >  > 2013-04-04 15:02:03,617 DEBUG [network.security.SecurityGroupListener] (DirectAgent-214:null) Not retrying security group rules for vm 13 on failure since host 8 cannot do bridge firewalling
>>  >  >
>>  >  > Where could I start to troubleshoot SecurityGroups on XenServer? Any
>>  >  > suggestions?
>>  >  >
>>  >  > __________________________________________________________________
>>  >  > Sergio Tonani
>>  >  >
>>  >  >
>>  >
>>  __________________________________________________________________
>>  Sergio Tonani
>>
>>  CSI Piemonte - DIREZIONE TECNICA INFRASTRUTTURE E TECNOLOGIE - AREA RISORSE E SERVIZI
>>  C.so Tazzoli 215 B - 10135 Torino
>>  Tel. +39 011.316.5843
>>  e-mail: sergio.ton...@csi.it
>>  www.csipiemonte.it
>>  __________________________________________________________________
>>
>>  "A complex system that works is invariably found to have evolved from a
>>  simple system that worked... A complex system designed from scratch never
>>  works and cannot be patched up to make it work. You have to start over with
>>  a working simple system." - John Gall in Systemantics: How Systems Really
>>  Work and How They Fail
>>
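
An added example, not part of the thread or of CloudStack's code: a shell triage for the failure discussed above, built from the prerequisites named in the replies (ipset, the iptables physdev match, ebtables, the bridge-nf-call sysctls) and the log format in the original report. The function names and the second host address are constructed, and it does not reproduce the can_bridge_firewall check itself.

```shell
#!/bin/sh
# Added example (not from the thread): triage for "cannot do bridge firewalling".

# Constructed sysctl output: one key is 0 and the ip6tables key is absent.
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-iptables = 0
net.ipv4.ip_forward = 1'

# Two log lines from the report above (unwrapped) plus one constructed host.
SAMPLE_LOG='2013-04-04 15:02:03,611 WARN [xen.resource.CitrixResourceBase] (DirectAgent-214:null) Host 10.102.90.3 cannot do bridge firewalling
2013-04-04 15:02:03,615 DEBUG [network.security.SecurityGroupListener] (DirectAgent-214:null) Not retrying security group rules for vm 13 on failure since host 8 cannot do bridge firewalling
2013-04-04 15:02:04,001 WARN [xen.resource.CitrixResourceBase] (DirectAgent-215:null) Host 192.0.2.7 cannot do bridge firewalling'

# Read "key = value" lines on stdin; print each bridge-nf-call key that is
# absent or not set to 1 (absent means the bridge netfilter code is not loaded).
missing_bridge_nf() {
    awk -F'[ \t]*=[ \t]*' '
        BEGIN { n = split("arptables iptables ip6tables", t, " ")
                for (i = 1; i <= n; i++) ok["net.bridge.bridge-nf-call-" t[i]] = 0 }
        ($1 in ok) && $2 == 1 { ok[$1] = 1 }
        END   { for (i = 1; i <= n; i++) {
                    k = "net.bridge.bridge-nf-call-" t[i]
                    if (!ok[k]) print k } }'
}

# Read management-server.log text on stdin; print each host address the
# management server reported as unable to enforce security group rules.
hosts_cannot_bridge() {
    sed -n 's/.*Host \([0-9.]*\) cannot do bridge firewalling.*/\1/p' | sort -u
}

# Print the prerequisites named in the thread that are missing on this host.
missing_tools() {
    for tool in ipset iptables ebtables; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
    # Assumption: this only proves the userspace physdev extension loads.
    iptables -m physdev -h >/dev/null 2>&1 || echo "iptables physdev match"
    return 0
}

# Demo on the constructed samples; on a real host (as root) use:
#   sysctl -a 2>/dev/null | missing_bridge_nf
#   hosts_cannot_bridge < management-server.log
printf '%s\n' "$SAMPLE_SYSCTL" | missing_bridge_nf
printf '%s\n' "$SAMPLE_LOG" | hosts_cannot_bridge
missing_tools
```

Any host printed by `hosts_cannot_bridge` is one where security group rules were not programmed, so its instances should be treated as unfiltered until the host-side checks come back empty.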
