Hi all,
We are trying to upgrade our PRE environment from 4.5.2 to 4.9.2.0 to check
the behaviour and apply on our production environment.
I have noticed two problems on the new installation. One of them is that I
can't access the VMs' console via the console proxy VM (the other will
arrive in another request ;)
Analyzing the problem, I noticed that new routes are added on the systemvm
for private networks:
root@s-262-VM:~# route -n
Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref Use Iface
0.0.0.0          147.148.149.225  0.0.0.0          UG    0      0   0   eth2
*10.0.0.0        192.168.100.2    255.0.0.0        UG    0      0   0   eth1*
147.148.149.224  0.0.0.0          255.255.255.224  U     0      0   0   eth2
*172.16.0.0      192.168.100.2    255.240.0.0      UG    0      0   0   eth1*
*192.168.0.0     192.168.100.2    255.255.0.0      UG    0      0   0   eth1*
192.168.100.0    0.0.0.0          255.255.255.0    U     0      0   0   eth1
192.168.101.0    0.0.0.0          255.255.255.0    U     0      0   0   eth3
(Public IPs are not real)
Searching through the systemvm scripts, I realized that there is a script,
"/etc/init.d/cloud-early-config", which is responsible for those new
routes, and more concretely, the function
"setup_system_rfc1918_internal", which is called when setting up the Console
proxy and Secondary Storage VM.
setup_system_rfc1918_internal() {
  public_ip=`getPublicIp`
  echo "$public_ip" | grep -E "^((127\.)|(10\.)|(172\.1[6-9]\.)|(172\.2[0-9]\.)|(172\.3[0-1]\.)|(192\.168\.))"
  if [ "$?" == "0" ]; then
    log_it "Not setting up route of RFC1918 space to $LOCAL_GW befause $public_ip is RFC1918."
  else
    log_it "Setting up route of RFC1918 space to $LOCAL_GW"
    # Setup general route for RFC 1918 space, as otherwise it will be sent to
    # the public gateway and not work
    # More specific routes that may be set have preference over this generic route.
    ip route add 10.0.0.0/8 via $LOCAL_GW
    ip route add 172.16.0.0/12 via $LOCAL_GW
    ip route add 192.168.0.0/16 via $LOCAL_GW
  fi
}
The problem in our environment is that we use real public IPs for the public
network, but we use private addresses for internal use (10.x.0.0/16). In
this case, the "if" statement will enter the "else" block, and the
private routes are added; one of them is 10.0.0.0/8, which includes our
private "public" network (10.x.0.0/16).
When I try to access the VM console, the console proxy is redirecting my
network traffic through the management network, and in consequence I can't
reach the console due to the routing rule:
10.0.0.0 192.168.100.2 255.0.0.0 UG 0 0 0 eth1
Does anyone know how to avoid this behaviour?
Thanks in advance.
Best regards,
Sebastián Gómez
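
Added example, not part of the original message and not CloudStack code: a longest-prefix-match lookup over the route table quoted above, showing which gateway and interface the systemvm picks for a given peer. The function names are hypothetical and the client address 10.1.2.3 is constructed, since the post does not give the real 10.x subnet.

```shell
#!/bin/sh
# ROUTES is taken from the `route -n` output in the post:
# destination, gateway, genmask, interface.
ROUTES='0.0.0.0 147.148.149.225 0.0.0.0 eth2
10.0.0.0 192.168.100.2 255.0.0.0 eth1
147.148.149.224 0.0.0.0 255.255.255.224 eth2
172.16.0.0 192.168.100.2 255.240.0.0 eth1
192.168.0.0 192.168.100.2 255.255.0.0 eth1
192.168.100.0 0.0.0.0 255.255.255.0 eth1
192.168.101.0 0.0.0.0 255.255.255.0 eth3'

# Convert a dotted quad to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# The same regex test the quoted function applies to the public IP.
is_rfc1918() {
    echo "$1" | grep -qE '^((127\.)|(10\.)|(172\.1[6-9]\.)|(172\.2[0-9]\.)|(172\.3[0-1]\.)|(192\.168\.))'
}

# Print "gateway iface" of the most specific route that matches $1.
route_lookup() {
    dst=$(ip_to_int "$1"); best_mask=-1; best=""
    while read -r net gw mask ifc; do
        n=$(ip_to_int "$net"); m=$(ip_to_int "$mask")
        # A route matches when dst AND genmask equals its destination;
        # a numerically larger contiguous mask is a longer prefix.
        if [ $(( dst & m )) -eq "$n" ] && [ "$m" -gt "$best_mask" ]; then
            best_mask=$m; best="$gw $ifc"
        fi
    done <<EOF
$ROUTES
EOF
    echo "$best"
}

# Constructed client in 10.0.0.0/8: answered via the management gateway.
echo "10.1.2.3 -> $(route_lookup 10.1.2.3)"
# Any other public peer still uses the default route on eth2.
echo "8.8.8.8  -> $(route_lookup 8.8.8.8)"
```

Because the public IP in the table is not RFC1918, `is_rfc1918` fails for it and the three blanket routes are installed; only a more specific route for the 10.x subnet would take precedence over 10.0.0.0/8 in this lookup.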