Hudratronium commented on issue #6698:
URL: https://github.com/apache/cloudstack/issues/6698#issuecomment-1237019304

   @shwstppr 
   
   > I don't think there should be an entry in cloud.domain_vlan_map when the range is reserved for system vms.
   
   Taking a look into your shared code I would think the same.
   But the point is, that this is not the thing we want to achieve imho with 
the configuration - like displayed in the GUI:
   We want a 'IP Range (vlan)' which is assigned to the domain 'Root' and 
dedicated for systemVMs.
   
   Creating a vlan (IP range) without the entry to either `domain_vlan_map` or 
`account_vlan_map` might be something like a "systempool" for the Zone which 
usage is controlled via the setting `use.system.public.ips`. 
   Although the naming is a bit odd, as 'system' is an "Account" itself. And 
there is no reference for a vlan with usage for systemVMs in the db in 
`account_vlan_map` - Even if the GUI would make you think there is one:
   
   <img width="126" alt="details_1" src="https://user-images.githubusercontent.com/79725167/188442576-7f7fbc62-1400-4209-abfa-31df8fd714be.png">
   
   This "zone" vlan is checked via the allocator sql-statements:
   `join search statement is com.mysql.cj.jdbc.ClientPreparedStatement: SELECT 
vlan.id, vlan.vlan_id, vlan.vlan_gateway, vlan.vlan_netmask, vlan.ip6_gateway, 
vlan.ip6_cidr, vlan.data_center_id, vlan.ip4_range, vlan.ip6_range, 
vlan.network_id, vlan.physical_network_id, vlan.vlan_type, vlan.uuid, 
vlan.removed, vlan.created FROM vlan  LEFT OUTER JOIN domain_vlan_map ON 
vlan.id=domain_vlan_map.vlan_db_id  LEFT OUTER JOIN account_vlan_map ON 
vlan.id=account_vlan_map.vlan_db_id WHERE vlan.**data_center_id = 1**  AND 
vlan.removed IS NULL  AND  (domain_vlan_map.domain_id IS NULL ) AND 
(account_vlan_map.account_id IS NULL )`
   
   And is available as a result - however it is not used for allocating IP 
addresses as, I guess, the settings avoid it. 
   
   The logic is also kind of represented in the allocation process I tried to 
describe above.
   
   Back to your questions regarding logs / outputs:
   
   `list vlanipranges`
   ~~~
   
   +---------+---------------+--------+--------------------------------------+-------------+--------------+-------------------+------------+--------------------------------------+-----------------+--------------------------------------+--------------------------------------+-------------+-------------+--------------------------------------+
   | ACCOUNT |     CIDR      | DOMAIN |               DOMAINID               |    ENDIP    | FORSYSTEMVMS | FORVIRTUALNETWORK |  GATEWAY   |                  ID                  |     NETMASK     |              NETWORKID               |          PHYSICALNETWORKID           |   STARTIP   |    VLAN     |                ZONEID                |
   +---------+---------------+--------+--------------------------------------+-------------+--------------+-------------------+------------+--------------------------------------+-----------------+--------------------------------------+--------------------------------------+-------------+-------------+--------------------------------------+
   | system  | 10.129.0.0/25 | ROOT   | 0676360f-1d87-11ec-83ce-525400c9c662 | 10.129.0.19 | true         | true              | 10.129.0.1 | adc15744-9b35-4bea-81f0-1fdbd5b544f3 | 255.255.255.128 | 1b0bf965-a391-478d-833d-3e37e4a15eb8 | dec372e0-2fa3-436b-9265-8caba82f0620 | 10.129.0.10 | vlan://1000 | 48e2e928-3300-43b5-8e3a-d9b358022502 |
   |         | 10.129.0.0/25 | ROOT   | 0676360f-1d87-11ec-83ce-525400c9c662 | 10.129.0.29 | false        | true              | 10.129.0.1 | c52e9946-a8db-4d66-819f-ee11dfefbb37 | 255.255.255.128 | 1b0bf965-a391-478d-833d-3e37e4a15eb8 | dec372e0-2fa3-436b-9265-8caba82f0620 | 10.129.0.20 | vlan://1000 | 48e2e928-3300-43b5-8e3a-d9b358022502 |
   | xxxxxx  | 10.129.0.0/25 | xxxxxx | 8cbb6645-0f0f-4c25-a24d-101d1426bb8f | 10.129.0.49 | false        | true              | 10.129.0.1 | 1031a85e-35d9-4c81-aee2-6d43ed1185ae | 255.255.255.128 | 1b0bf965-a391-478d-833d-3e37e4a15eb8 | dec372e0-2fa3-436b-9265-8caba82f0620 | 10.129.0.30 | vlan://1000 | 48e2e928-3300-43b5-8e3a-d9b358022502 |
   +---------+---------------+--------+--------------------------------------+-------------+--------------+-------------------+------------+--------------------------------------+-----------------+--------------------------------------+--------------------------------------+-------------+-------------+--------------------------------------+
   ~~~
   
   This output leads to the question: Where is the reference stored, that the 
Account 'system' has a mapped vlan?
   Currently I would think the only way to get this information is to look into 
`user_cloud_ip_address.forsystemvm = 1`. Or there is a table I haven't found 
yet where this information can be stored... Wherever it is, performing the SQL 
queries from the log on my db, this 'value' isn't represented at all.
   
   `logs/API call for adding the new ip range`
   ~~~
   2022-09-05 13:15:12,138 DEBUG [c.c.a.ApiServlet] (qtp961160488-2321:ctx-a8d73839) (logid:e4b1e254) ===START===  192.126.0.168 -- GET  gateway=10.129.0.1&netmask=255.255.255.128&startip=10.129.0.50&endip=10.129.0.59&zoneId=48e2e928-3300-43b5-8e3a-d9b358022502&vlan=1000&forsystemvms=true&forvirtualnetwork=true&command=createVlanIpRange&response=json
   2022-09-05 13:15:12,150 DEBUG [c.c.a.ApiServer] (qtp961160488-2321:ctx-a8d73839 ctx-683cd7e0) (logid:e4b1e254) CIDRs from which account 'Acct[60be55c5-1d8a-11ec-83ce-525400c9c662-admin] -- Account {"id": 2, "name": "admin", "uuid": "60be55c5-1d8a-11ec-83ce-525400c9c662"}' is allowed to perform API calls: 0.0.0.0/0,::/0
   2022-09-05 13:15:12,164 DEBUG [c.c.c.ConfigurationManagerImpl] (qtp961160488-2321:ctx-a8d73839 ctx-683cd7e0) (logid:e4b1e254) Acquiring lock for committing vlan
   2022-09-05 13:15:12,167 DEBUG [c.c.c.ConfigurationManagerImpl] (qtp961160488-2321:ctx-a8d73839 ctx-683cd7e0) (logid:e4b1e254) Access granted to Acct[60be55c5-1d8a-11ec-83ce-525400c9c662-admin] -- Account {"id": 2, "name": "admin", "uuid": "60be55c5-1d8a-11ec-83ce-525400c9c662"} to zone:1 by AffinityGroupAccessChecker
   2022-09-05 13:15:12,173 DEBUG [c.c.c.ConfigurationManagerImpl] (qtp961160488-2321:ctx-a8d73839 ctx-683cd7e0) (logid:e4b1e254) Saving vlan range Vlan[vlan://1000|10.129.0.1|255.255.255.128|null|null|10.129.0.50-10.129.0.59|null|200]
   2022-09-05 13:15:12,208 DEBUG [c.c.a.ApiServlet] (qtp961160488-2321:ctx-a8d73839 ctx-683cd7e0) (logid:e4b1e254) ===END===  192.126.0.168 -- GET  gateway=10.129.0.1&netmask=255.255.255.128&startip=10.129.0.50&endip=10.129.0.59&zoneId=48e2e928-3300-43b5-8e3a-d9b358022502&vlan=1000&forsystemvms=true&forvirtualnetwork=true&command=createVlanIpRange&response=json
   ~~~
   
   
   While working on this I stumbled upon the strictness setting for the 
Management IPs... and I guess one might find the same thing there.

