search

apache / cloudstack

Apache CloudStack is an opensource Infrastructure as a Service (IaaS) cloud computing platform
https://cloudstack.apache.org/
Apache License 2.0
1.99k stars 1.09k forks source link

Unable to use SSVM Or CPVM on 4.18/4.19 #9490

Open tamoorahmedntu opened 1 month ago

tamoorahmedntu commented 1 month ago
ISSUE TYPE
COMPONENT NAME
SSVM
CPVM
CLOUDSTACK VERSION
CloudStack 4.19.1.0
CONFIGURATION
Advance Networking
Security Group
OS / ENVIRONMENT
Ubuntu 22.04
KVM

1. Managment 
2. Host M
3. Host S
4. Storage Server NFS
SUMMARY
SSVM and CPVM doesn't show screen or website all unable to do anything when VM is up  unless I ssh to CPVM then run command to open all ports on iptables but this doesnt work on SSVM
STEPS TO REPRODUCE
Setup New Advance Networking with new Zone on Ubuntu 22.04 Using KVM
EXPECTED RESULTS
SSVM accessible all from Any IP ports 443 
CPVM accessible all from Any IP ports 443
ACTUAL RESULTS
SSVM Not accessible from Any IP ports 443 or Any Other except SSH 169
CPVM Not accessible from Any IP ports 443 or Any Other except SSH 169
CPVM allow all in iptables (ssh first then apply all ports allow iptables ) can access console screen 
Logs attached Below:

management-server.log agent.log

network:
  version: 2
  ethernets:
    ens160:
      dhcp4: false
    ens33:
      dhcp4: false
  bridges:
   cloudbr0:
    addresses: [0.0.168.2/23]
    routes:
     - to: default
       via: 0.0.168.254
    nameservers:
     addresses: [8.8.8.8]
    interfaces: [ens160]
    dhcp4: false
    dhcp6: false
    parameters:
       stp: false
       forward-delay: 0
   cloudbr1:
    dhcp4: false
    interfaces: [ens33]
    parameters:
       stp: false
rajujith commented 1 month ago

@tamoorahmedntu I am not sure whether I understood the issue you are facing but I believe you may be able to report the issue better after going through this document: https://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#accessing-system-vms.

tamoorahmedntu commented 1 month ago

The issue I'm facing is the Web console to CPVM is only accessible once I ssh into it and tell iptables to allow all ports. I'm sure this is not correct I should not be sshing into the vm and allowing all ports in order for the console to work.

weizhouapache commented 1 month ago

The issue I'm facing is the Web console to CPVM is only accessible once I ssh into it and tell iptables to allow all ports. I'm sure this is not correct I should not be sshing into the vm and allowing all ports in order for the console to work. ____ From: Jithin Raju @.> Sent: Tuesday, August 6, 2024 5:16:24 AM To: apache/cloudstack @.> Cc: Ahmed, Tamoor @.>; Mention @.> Subject: Re: [apache/cloudstack] Unable to use SSVM Or CPVM on 4.18/4.19 (Issue #9490) @tamoorahmedntuhttps://github.com/tamoorahmedntu I am not sure whether I understood the issue you are facing but I believe you may be able to report the issue better after going through this document: https://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#accessing-system-vms. — Reply to this email directly, view it on GitHub<#9490 (comment)>, or unsubscribehttps://github.com/notifications/unsubscribe-auth/ANH2J2QVU6JHBD5NUH3HWMTZQBEZRAVCNFSM6AAAAABMBE3ACGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENZQGM2DQNBRGM. You are receiving this because you were mentioned.Message ID: @.***> DISCLAIMER: This email is intended solely for the addressee. It may contain private and confidential information. If you are not the intended addressee, please take no action based on it nor show a copy to anyone. In this case, please reply to this email to highlight the error. Opinions and information in this email that do not relate to the official business of Nottingham Trent University shall be understood as neither given nor endorsed by the University. Nottingham Trent University has taken steps to ensure that this email and any attachments are virus-free, but we do advise that the recipient should check that the email and its attachments are actually virus free. This is in keeping with good computing practice.

@tamoorahmedntu can you share the output of some commands inside CPVM ?

tamoorahmedntu commented 1 month ago

Unfortunately I'm unable to that until I solve another issue #9489

tamoorahmedntu commented 1 month ago 
root@v-3-VM:~# iptables-save
# Generated by iptables-save v1.8.7 on Fri Aug  9 18:12:41 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6571:370457]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8001 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 8001 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Fri Aug  9 18:12:41 2024
# Generated by iptables-save v1.8.7 on Fri Aug  9 18:12:41 2024
*nat
:PREROUTING ACCEPT [8:528]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [18:1239]
:POSTROUTING ACCEPT [18:1239]
COMMIT
# Completed on Fri Aug  9 18:12:41 2024
root@v-3-VM:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0e:00:a9:fe:00:15 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    altname ens3
    inet 169.254.0.21/16 brd 169.254.255.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 1e:00:27:00:00:26 brd ff:ff:ff:ff:ff:ff
    altname enp0s4
    altname ens4
    inet 152.71.168.16/24 brd 152.71.168.255 scope global eth1
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 1e:00:58:00:00:01 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname ens5
    inet 152.71.168.20/24 brd 152.71.168.255 scope global eth2
       valid_lft forever preferred_lft forever
root@v-3-VM:~# ip route
default via 152.71.168.254 dev eth2 
8.8.8.8 via 152.71.168.254 dev eth1 
10.0.0.0/8 via 152.71.168.254 dev eth1 
152.71.168.0/24 dev eth1 proto kernel scope link src 152.71.168.16 
152.71.168.0/24 dev eth2 proto kernel scope link src 152.71.168.20 
169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.0.21 
172.16.0.0/12 via 152.71.168.254 dev eth1 
192.168.0.0/16 via 152.71.168.254 dev eth1 
root@v-3-VM:~#
rajujith commented 1 month ago

@tamoorahmedntu I suspect the issue is possibly caused by the same subnet in the management/pod and public traffic. Is it possible to use two different subnets for them?