Status: New
Owner: ----
New issue 1072 by [email protected]: Use ICMP echo check rather than TCP connect to port 1811 when checking instances
https://code.google.com/p/ganeti/issues/detail?id=1072
What software version are you running? Please provide the output of "gnt-cluster --version", "gnt-cluster version", and "hspace --version".
gnt-cluster (ganeti v2.12.0) 2.12.0
Software version: 2.12.0
Internode protocol: 2120000
Configuration format: 2120000
OS api version: 20
Export interface: 0
VCS version: (ganeti) version v2.12.0
hspace (ganeti) version v2.12.0
compiled with ghc 7.6
running on linux x86_64
(but the problem appears to exist in master)
What distribution are you using?
Debian jessie
What steps will reproduce the problem?
1. Have a REJECT policy outbound iptables firewall
2. Try and create an instance without --no-ip-check, specifying an instance
name whose IP address is not reachable
What is the expected output? What do you see instead?
The instance IP address in question is not reachable; however the
port-unreachable ICMP message which comes back from the firewall confuses
the TcpPing check into thinking that it is alive (arguably icmp
admin-prohibited should be used instead and perhaps that would have the
desired effect, but shorewall doesn't appear to offer this).
In any case, it doesn't make sense to check with a connection to the ganeti
ports, since you wouldn't expect an instance to be using them, so even if
the above scenario is a little far-fetched, it would appear that this check
isn't very useful. An ICMP echo check would be more useful.
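Added example, not part of the original report and not Ganeti's code: a minimal TCP-connect liveness probe showing the failure mode the report describes, where a refused connection is counted as proof that the host is up. The function names and the live_port_needed parameter are this example's own, and the loopback sockets are constructed test input; the note about ICMP port-unreachable describes Linux behaviour.

```python
import errno
import socket


def tcp_probe(host, port, timeout=2.0, live_port_needed=False):
    """Return True if a TCP connect attempt is taken as 'host is alive'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return True                      # handshake completed: a service answered
    except socket.timeout:
        return False                     # silence (e.g. a DROP policy): not alive
    except OSError as err:
        if err.errno == errno.ECONNREFUSED:
            # On Linux a TCP RST from the target and an ICMP port-unreachable
            # from a REJECT firewall in the path both surface as ECONNREFUSED.
            # The caller cannot tell who sent the refusal, so the lenient mode
            # reports 'alive' for an address that may not exist at all.
            return not live_port_needed
        return False                     # e.g. EHOSTUNREACH, ENETUNREACH
    finally:
        sock.close()


def demo():
    """Probe constructed loopback endpoints: one refusing, one listening."""
    # Bound but not listening: connection attempts to this port are refused.
    refusing = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    refusing.bind(("127.0.0.1", 0))
    # Listening: the kernel completes the handshake from the backlog.
    listening = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listening.bind(("127.0.0.1", 0))
    listening.listen(1)
    try:
        closed = refusing.getsockname()[1]
        opened = listening.getsockname()[1]
        return {
            "refused_lenient": tcp_probe("127.0.0.1", closed),
            "refused_strict": tcp_probe("127.0.0.1", closed, live_port_needed=True),
            "listening_strict": tcp_probe("127.0.0.1", opened, live_port_needed=True),
        }
    finally:
        refusing.close()
        listening.close()


if __name__ == "__main__":
    print(demo())
```

The strict mode avoids the false positive but only helps when the probed port is one the target is expected to serve, which is the report's second point about probing the Ganeti port on an instance.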