[Bug 579868] Re: Unable to use Eucalyptus' iptables-preload feature with UEC
I second Tony Maro: 10.10 does not add any masquerading for the node controllers. A quick workaround that works for me is adding in /etc/rc.local:

    iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth1 -j MASQUERADE
    iptables-save > /var/run/eucalyptus/net/iptables-preload

Here, my node controllers are in the .42.0/24 private network, using the CC as gateway (CC is connected to the network via eth0). Eth1 of the CC is connected to the outside world.

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to eucalyptus in Ubuntu.
https://bugs.launchpad.net/bugs/579868
Title: Unable to use Eucalyptus' iptables-preload feature with UEC

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 579868] Re: Unable to use Eucalyptus' iptables-preload feature with UEC
Eitenne Goyer: Really? I just installed 10.10 RC and it does not add any MASQ rules for the private node network when in managed-novlan mode. I have yet to figure out how to give my nodes access to the Internet so I can download updates and access DNS. I even tried scripting at boot to place the file in /var/run but then after Eucalyptus starts I have an empty iptables.

[Bug 579868] Re: Unable to use Eucalyptus' iptables-preload feature with UEC
This bug is affecting me too. A scenario where the iptables-preload feature would be needed is one where the NCs are in a separate private network (where the CC would have its VNET_PRIVINTERFACE). If you wish to NAT traffic between the private NC network and the public one (where the Walrus service presumably resides) through the CC, you would need the iptables-preload feature. Technically, in this topology, it would be possible to use another gateway between the private NC network and the outside, but the CC is naturally positioned to provide this service.

[Bug 579868] Re: Unable to use Eucalyptus' iptables-preload feature with UEC
Please disregard the previous command. Looking again, it seems like the iptables rules eucalyptus-cc sets up are sufficient to NAT connections from the NCs to the outside world, so the private NC network topology is not made impossible by this bug.

Still, iptables-preload sounds like a useful feature. It's a bummer it does not work on UEC due to /var/run being a tmpfs. We should change the location of the iptables-preload file so that it persists through reboots. Perhaps there is a compile-time option for this? Otherwise, I guess we could patch the path wherever it is hard-coded in the source.

[Bug 579868] Re: Unable to use Eucalyptus' iptables-preload feature with UEC
Generally, on an Ubuntu system ufw is recommended as a wrapper around iptables. Can I suggest you add the iptables line to /usr/share/ufw/iptables/before.rules, which should ensure the rule is persistent across reboots. If that solves the issue, then please report back here; otherwise we need to investigate why eucalyptus is dropping existing rules. Thanks.

** Changed in: eucalyptus (Ubuntu)
   Status: New => Incomplete

** Changed in: eucalyptus (Ubuntu)
   Importance: Undecided => Low

[Bug 579868] Re: Unable to use Eucalyptus' iptables-preload feature with UEC
I know about ufw; the problem is that eucalyptus is not aware of ufw (at least from what I saw in the source code) and the cloud controller resets the iptables rules EVERY TIME it's restarted, not just on reboot. The only documented way to prevent it from clearing your custom rules is to use the iptables-preload file I talked about.

I know that the ideal solution would be that Eucalyptus uses ufw; however, I'm not sure that would be a trivial task so, until then, I just want to be able to use the official way to get it working instead of a hack I had to add so the file is copied there after each reboot.

** Changed in: eucalyptus (Ubuntu)
   Status: Incomplete => New

[Bug 579868] Re: Unable to use Eucalyptus' iptables-preload feature with UEC
I forgot to mention that I'm talking about Ubuntu 10.04
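
The boot-time copy discussed in this thread (a persistent ruleset restored into the tmpfs path /var/run/eucalyptus/net/iptables-preload), sketched as an added example that is not code from any poster or from Eucalyptus. The persistent source path /etc/eucalyptus/iptables-preload and the function names are assumptions; the script refuses symlinked, group/world-writable or structurally incomplete rulesets before installing them with an atomic rename.

```sh
#!/bin/sh
# Added example, not from the thread. SRC_DEFAULT is an assumed location.
SRC_DEFAULT=/etc/eucalyptus/iptables-preload           # assumption
DST_DEFAULT=/var/run/eucalyptus/net/iptables-preload   # path named in the thread

# Structural check of iptables-save output: every "*table" section must be
# closed by COMMIT, and chain/rule lines may only appear inside a section.
preload_is_wellformed() {
    awk '
        /^[ \t]*(#|$)/    { next }                       # comments, blanks
        /^\*/             { if (in_tbl) bad = 1; in_tbl = 1; tables++; next }
        /^COMMIT$/        { if (!in_tbl) bad = 1; in_tbl = 0; next }
        /^(:|-A |-I |\[)/ { if (!in_tbl) bad = 1; next } # chains and rules
                          { bad = 1 }                    # anything else
        END               { exit (bad || in_tbl || !tables) }
    ' "$1"
}

install_preload() {
    src=${1:-$SRC_DEFAULT}
    dst=${2:-$DST_DEFAULT}
    # The file becomes firewall policy: refuse symlinks and any source
    # that group or others can write to.
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "not a regular file: $src" >&2; return 1
    fi
    case "$(stat -c %a "$src")" in
        *[2367]?|*[2367]) echo "group/world-writable: $src" >&2; return 1 ;;
    esac
    preload_is_wellformed "$src" || { echo "malformed: $src" >&2; return 1; }
    # Write a temp file in the target directory, then rename it, so the
    # destination never holds a half-written ruleset.
    dir=$(dirname "$dst")
    mkdir -p "$dir" || return 1
    tmp=$(mktemp "$dir/.preload.XXXXXX") || return 1
    if cat "$src" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
# In /etc/rc.local, before Eucalyptus starts:  install_preload
```

On the CC itself, `iptables-restore --test < file` parses the ruleset without committing it and is a stronger check than the structural one used here.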