Re: How to block default allow egress 53 ?

2023-02-06 Thread jordan j
Hi Swen,

I will open one shortly today!

Regards,
Jordan

On Mon, Feb 6, 2023 at 10:23 AM  wrote:

> Hi Jordan,
>
> can you please open an issue in github for the IP bug?
>
> Regards,
> Swen
>
> -----Original Message-----
> From: jordan j 
> Sent: Friday, February 3, 2023 14:45
> To: users@cloudstack.apache.org
> Subject: How to block default allow egress 53 ?
>
> After deploying ACS 4.17.2 with XCP-NG and Security groups we noticed that
> by  default egress port 53 is always allowed. Is there a way to deny that?
>
> At first we thought it was allowed in the user network because the network
> provider supported DNS service. However after removing the DNS service and
> rebuilding the network the port is still open.
>
> Another issue unrelated to the topic but I thought it may be a bug.
> Error pops when creating a new instance via the GUI and specifying IP
> address.
> the message is "Unable to start a VM due to insufficient address capacity"
> However when starting an instance without specifying address works
> properly.
> After some investigation it seems that the IP address value is not passed
> properly.
>
> For example:
>
> If the network is 172.20.0.0/16 and we pass a value for the instance of
> 172.20.0.25 the management-server.log reports that the value passed is
> 172.20.0.2 which is not valid.
>
> Regards,
> Jordan
>
>
>


ata1: lost interrupt

2023-02-06 Thread Jeremy Hansen
I have a guest vm, kvm based, and I’m seeing this ATA reset in dmesg. When this 
happens, performance plummets.

Cloudstack-4.17.1

Guest VM is Rocky 9.1.

[ 1332.734551] ata1: lost interrupt (Status 0x58)
[ 1351.076960] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
[ 1351.077041] ata1.00: failed command: WRITE DMA EXT
[ 1351.077053] ata1.00: cmd 35/00:00:98:9e:dd/00:02:00:00:00/e0 tag 0 dma 262144 out
         res 40/00:01:00:00:00/00:00:00:00:00/a0 Emask 0x4 (timeout)
[ 1351.077101] ata1.00: status: { DRDY }
[ 1351.077325] ata1: soft resetting link
[ 1351.235558] ata1: found unknown device (class 0)
[ 1351.237686] ata1.00: configured for MWDMA2
[ 1351.237733] ata1: EH complete

Since this is the only VM I’m experiencing this issue on, I don’t believe this 
is hardware related. I’ve migrated the VM to multiple hosts and the vm carries 
this issue wherever it goes.

Backend storage is Ceph.

How would I troubleshoot this?

Thanks
-jeremy





Re: Instance with SSH Key pair

2023-02-06 Thread Wei ZHOU
Great Stuart.

Thanks for sharing !

-Wei

On Mon, 6 Feb 2023 at 15:28, Stuart Whitman 
wrote:

> I finally discovered the right google search terms to find this:
> https://bugs.launchpad.net/cloud-init/+bug/1998655
>
> Adding After=NetworkManager-wait-online.service to
> /etc/systemd/system/cloud-init.target.wants/cloud-init.service resolved
> the problem.
>
> -Stu
> 
> From: Stuart Whitman 
> Sent: Friday, February 3, 2023 1:26 PM
> To: users@cloudstack.apache.org 
> Subject: Re: Instance with SSH Key pair
>
> Hello Wei,
>
> I started a Rocky 8.7 minimum instance from an ISO file. I followed the
> instructions you provided for installing and configuring cloud-init and
> creating a template from an instance. However, when I boot the new
> instance, the SSH key is not installed. When I use the password to sign in,
> the cloud-init logs say it could not find the data-server. If I reboot from
> the command line, my SSH key works, and the cloud-init logs indicate it
> found the data-server IP address. If I stop and start the instance from
> CloudStack, the SSH key still works, but the cloud-init logs again say it
> cannot find the data-server.
>
> Any idea why cloud-init is able to find the IP for the data-server when
> the instance is rebooted but not when it is started from CloudStack?
>
> -Stu
>
> 
> From: Wei ZHOU 
> Sent: Thursday, February 2, 2023 3:34 AM
> To: users@cloudstack.apache.org 
> Subject: Re: Instance with SSH Key pair
>
> Hi Stuart,
>
> cloud-init does support Cloudstack. You need to specify the datasource in
> cloud-init configuration.
> The datasource can be ConfigDrive (if you use config drive to save
> userdata) or CloudStack (if metadata/userdata server is CloudStack
> VirtualRouter)
>
> Please refer to
>
> http://docs.cloudstack.apache.org/en/latest/adminguide/templates/_cloud_init.html
>
> -Wei
>
>
>
> -Wei
>
> On Wed, 1 Feb 2023 at 20:12, Stuart Whitman 
> wrote:
>
> > Hello Wei,
> >
> > Using your template, I can sign into an instance using ssh keys.
> >
> > As the instance boots, I notice error messages about failing to mount
> > /mnt/configdrive. Sorry, but I cannot find those messages in the log file
> > to copy into this email. Should I try to fix this error?
> >
> > I noticed that the image has custom scripts in /etc/init.d to request
> > passwords and SSH keys. Another user, Vivek Kumar, provided links
> > discussing a script called cloud-init. I tried to use a Rocky Linux 8
> cloud
> > image but failed to sign in using SSH keys. I believe I read that Rocky
> > cloud images have cloud-init installed. Is cloud-init compatible with
> > CloudStack's SSH key config, or are the scripts in your image required?
> >
> > I also tried to provide user data to create another account. It did not
> > work. Does your image support user data?
> >
> > Thanks for the help,
> > -Stu
> > 
> > From: Wei ZHOU 
> > Sent: Tuesday, January 31, 2023 5:03 PM
> > To: users@cloudstack.apache.org 
> > Subject: Re: Instance with SSH Key pair
> >
> > Hi,
> >
> > The built-in centos 5.5 template does not support sshkey in configdrive
> > iso.
> >
> > You can use my template for testing , which is also used by component
> test
> > test_configdrive.py. You can register the template with url
> >
> >
> http://people.apache.org/~weizhou/centos55-sshkey-configdrive.qcow2.bz2
> >
> > -Wei
> >
> >
> > On Tuesday, 31 January 2023, Stuart Whitman  >
> > wrote:
> >
> > > Hello,
> > >
> > > When I launch an instance with an SSH key pair selected using the
> CentOS
> > > 5.5(64-bit) no GUI (KVM) template that comes with CloudStack, I cannot
> > sign
> > > in using the SSH key. I configured the zone with basic networking and
> > > enabled the ConfigDrive network service provider.
> > >
> > > The instance runs, and I can use SSH to sign in to the root account
> using
> > > the default password.
> > >
> > > Any help would be appreciated; thanks,
> > > -Stu
> > > _
> > > The information contained in this e-mail and any attachments from
> Group W
> > > may contain confidential and/or proprietary information and is intended
> > > only for the named recipient to whom it was originally addressed. 
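
The two settings discussed in this thread (the cloud-init datasource and the ordering after NetworkManager-wait-online.service), written as an added example that is not code from the thread or from the CloudStack project. It assumes a systemd drop-in is used instead of editing the unit file directly, and the file names 99_cloudstack.cfg and 10-wait-online.conf are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). File names 99_cloudstack.cfg and
# 10-wait-online.conf are assumptions; any *.cfg / *.conf name works.

# write_cloudinit_settings ROOT
# Writes both settings below ROOT so they can be reviewed before being
# applied to a template VM (ROOT=/ on the real system, as root).
write_cloudinit_settings() {
    root=$1
    cfg_dir="$root/etc/cloud/cloud.cfg.d"
    dropin_dir="$root/etc/systemd/system/cloud-init.service.d"
    mkdir -p "$cfg_dir" "$dropin_dir" || return 1

    # Datasources named in the thread; listing both is an assumption.
    printf 'datasource_list: [ConfigDrive, CloudStack]\n' \
        > "$cfg_dir/99_cloudstack.cfg" || return 1

    # Drop-in: After= lines here are added to the packaged unit's ordering.
    printf '[Unit]\nAfter=NetworkManager-wait-online.service\n' \
        > "$dropin_dir/10-wait-online.conf" || return 1
}

# orders_after FILE UNIT
# Exit status 0 when an After= line in FILE's [Unit] section names UNIT.
orders_after() {
    awk -v want="$2" '
        /^\[/ { in_unit = ($0 == "[Unit]"); next }
        in_unit && /^After[ \t]*=/ {
            sub(/^After[ \t]*=[ \t]*/, "")
            n = split($0, units, /[ \t]+/)
            for (i = 1; i <= n; i++) if (units[i] == want) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Demo in a scratch directory (constructed input, nothing on the host changes).
scratch=$(mktemp -d)
write_cloudinit_settings "$scratch"
dropin="$scratch/etc/systemd/system/cloud-init.service.d/10-wait-online.conf"
if orders_after "$dropin" NetworkManager-wait-online.service; then
    echo "cloud-init.service is ordered after NetworkManager-wait-online.service"
fi
rm -rf "$scratch"
```

After writing the drop-in on a real system, run systemctl daemon-reload before creating the template so the new ordering is picked up.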

Re: Wrong network domain

2023-02-06 Thread Stuart Whitman
I changed the network_domain field in the networks table using the MySQL 
command. After making the change, I stopped and restarted the virtual router.

Instances now resolve hostnames correctly. Please let me know if other database 
changes are also needed.

Thanks,
-Stu

From: Stuart Whitman
Sent: Wednesday, February 1, 2023 2:25 PM
To: users@cloudstack.apache.org 
Subject: Wrong network domain

Hello,

I entered an existing network domain when I set up my zone with basic 
networking. This is causing instances to fail to resolve host names on my local 
network. When I try to update the network domain, this error is returned:
NetworkOffering and domain suffix upgrade can be perfomed for Isolated networks 
only
Is there a way to resolve this problem without starting from scratch?

Thanks,
-Stu


Re: Instance with SSH Key pair

2023-02-06 Thread Stuart Whitman
I finally discovered the right google search terms to find this:
https://bugs.launchpad.net/cloud-init/+bug/1998655

Adding After=NetworkManager-wait-online.service to 
/etc/systemd/system/cloud-init.target.wants/cloud-init.service resolved the 
problem.

-Stu

From: Stuart Whitman 
Sent: Friday, February 3, 2023 1:26 PM
To: users@cloudstack.apache.org 
Subject: Re: Instance with SSH Key pair

Hello Wei,

I started a Rocky 8.7 minimum instance from an ISO file. I followed the 
instructions you provided for installing and configuring cloud-init and 
creating a template from an instance. However, when I boot the new instance, 
the SSH key is not installed. When I use the password to sign in, the 
cloud-init logs say it could not find the data-server. If I reboot from the 
command line, my SSH key works, and the cloud-init logs indicate it found the 
data-server IP address. If I stop and start the instance from CloudStack, the 
SSH key still works, but the cloud-init logs again say it cannot find the 
data-server.

Any idea why cloud-init is able to find the IP for the data-server when the 
instance is rebooted but not when it is started from CloudStack?

-Stu


From: Wei ZHOU 
Sent: Thursday, February 2, 2023 3:34 AM
To: users@cloudstack.apache.org 
Subject: Re: Instance with SSH Key pair

Hi Stuart,

cloud-init does support Cloudstack. You need to specify the datasource in
cloud-init configuration.
The datasource can be ConfigDrive (if you use config drive to save
userdata) or CloudStack (if metadata/userdata server is CloudStack
VirtualRouter)

Please refer to
http://docs.cloudstack.apache.org/en/latest/adminguide/templates/_cloud_init.html

-Wei



-Wei

On Wed, 1 Feb 2023 at 20:12, Stuart Whitman 
wrote:

> Hello Wei,
>
> Using your template, I can sign into an instance using ssh keys.
>
> As the instance boots, I notice error messages about failing to mount
> /mnt/configdrive. Sorry, but I cannot find those messages in the log file
> to copy into this email. Should I try to fix this error?
>
> I noticed that the image has custom scripts in /etc/init.d to request
> passwords and SSH keys. Another user, Vivek Kumar, provided links
> discussing a script called cloud-init. I tried to use a Rocky Linux 8 cloud
> image but failed to sign in using SSH keys. I believe I read that Rocky
> cloud images have cloud-init installed. Is cloud-init compatible with
> CloudStack's SSH key config, or are the scripts in your image required?
>
> I also tried to provide user data to create another account. It did not
> work. Does your image support user data?
>
> Thanks for the help,
> -Stu
> 
> From: Wei ZHOU 
> Sent: Tuesday, January 31, 2023 5:03 PM
> To: users@cloudstack.apache.org 
> Subject: Re: Instance with SSH Key pair
>
> Hi,
>
> The built-in centos 5.5 template does not support sshkey in configdrive
> iso.
>
> You can use my template for testing , which is also used by component test
> test_configdrive.py. You can register the template with url
>
> http://people.apache.org/~weizhou/centos55-sshkey-configdrive.qcow2.bz2
>
> -Wei
>
>
> On Tuesday, 31 January 2023, Stuart Whitman 
> wrote:
>
> > Hello,
> >
> > When I launch an instance with an SSH key pair selected using the CentOS
> > 5.5(64-bit) no GUI (KVM) template that comes with CloudStack, I cannot
> sign
> > in using the SSH key. I configured the zone with basic networking and
> > enabled the ConfigDrive network service provider.
> >
> > The instance runs, and I can use SSH to sign in to the root account using
> > the default password.
> >
> > Any help would be appreciated; thanks,
> > -Stu

Re: [RELEASE][4.18]

2023-02-06 Thread Daan Hoogland
Sven,
For a release we need an RM and we have none for 4.17.3. This would also
not include any features at all. Any new features always go into a .0
release and fixes on top of that.
We always have a conflict between people that want stability and people
that want quick turnover.
tl;dr what we do not have is someone to take care of 4.17.3

On Mon, Feb 6, 2023 at 9:31 AM  wrote:

> Hi Daan,
>
> I am looking forward to a RC1 as soon as possible, because it fixes some
> usage record bugs which are very important for me.
> I totally understand that you try to get those 2 new features included,
> but from my point of view those are not as much important as fixing usage
> records and other bugs.
>
> To be honest, I am not so familiar with the release cycle of CS, but what
> was the reason that there is no 4.17.3? With a new version number you feel
> more "pressure" to release new features. Don't get me wrong, this is no
> offense at all means. I am just asking for the reason, because I don't know
> it. :-)
>
> Regards,
> Swen
>
> -----Original Message-----
> From: Daan Hoogland 
> Sent: Monday, February 6, 2023 08:47
> To: dev ; users 
> Cc: PMC 
> Subject: Re: [RELEASE][4.18]
>
> LS,
> As you might have noticed I have not created an RC yet. The reasons:
> - the 2fa PR is not ready yet and it is one of the key features of this
> release
> - off-line I got complaints that the Tungsten Fabric PR did not include the
> UI functionality that comes with it. This is merged forward and worked on
> by Nicolas, Wei, me and David at the moment in PR 7166 [1]. Please give us
> a hard time, by testing it if you will. Even if you don't have Tungsten. In
> fact testing has extra value if you don't as regressions are the biggest
> worry.
>
> Next weekend I will re-evaluate if I can cut an RC (input on that is still
> welcome)
>
> [1] https://github.com/apache/cloudstack/pull/7166
>
> regards,
>
> On Tue, Jan 31, 2023 at 5:34 PM Daan Hoogland  wrote:
>
> > LS,
> > a small update. I was aiming to create a first RC before the end of
> > the month, but there are two PRs still open that I would really want
> > in:
> > 1. the tungsten PR: https://github.com/apache/cloudstack/pull/7065
> > 2. 2 factor authentication:
> > https://github.com/apache/cloudstack/pull/6924
> >
> > Other than that I think we can move all of them to 4.18.1 or 4.19. If
> > there are any that you think are either easy wins or vital for the
> > release (i.e. regressions or critical issues), please let me know.
> >
> > I will postpone creating the RC to the weekend for now.
> >
>
>
>

-- 
Daan


Re: [RELEASE][4.18]

2023-02-06 Thread me
Hi Daan,

I am looking forward to a RC1 as soon as possible, because it fixes some usage 
record bugs which are very important for me.
I totally understand that you try to get those 2 new features included, but 
from my point of view those are not as much important as fixing usage records 
and other bugs.

To be honest, I am not so familiar with the release cycle of CS, but what was 
the reason that there is no 4.17.3? With a new version number you feel more 
"pressure" to release new features. Don't get me wrong, this is no offense at 
all means. I am just asking for the reason, because I don't know it. :-)

Regards,
Swen

-----Original Message-----
From: Daan Hoogland 
Sent: Monday, February 6, 2023 08:47
To: dev ; users 
Cc: PMC 
Subject: Re: [RELEASE][4.18]

LS,
As you might have noticed I have not created an RC yet. The reasons:
- the 2fa PR is not ready yet and it is one of the key features of this release
- off-line I got complaints that the Tungsten Fabric PR did not include the UI 
functionality that comes with it. This is merged forward and worked on by 
Nicolas, Wei, me and David at the moment in PR 7166 [1]. Please give us a hard 
time, by testing it if you will. Even if you don't have Tungsten. In fact 
testing has extra value if you don't as regressions are the biggest worry.

Next weekend I will re-evaluate if I can cut an RC (input on that is still
welcome)

[1] https://github.com/apache/cloudstack/pull/7166

regards,

On Tue, Jan 31, 2023 at 5:34 PM Daan Hoogland  wrote:

> LS,
> a small update. I was aiming to create a first RC before the end of 
> the month, but there are two PRs still open that I would really want 
> in:
> 1. the tungsten PR: https://github.com/apache/cloudstack/pull/7065
> 2. 2 factor authentication: 
> https://github.com/apache/cloudstack/pull/6924
>
> Other than that I think we can move all of them to 4.18.1 or 4.19. If 
> there are any that you think are either easy wins or vital for the 
> release (i.e. regressions or critical issues), please let me know.
>
> I will postpone creating the RC to the weekend for now.
>




Re: How to block default allow egress 53 ?

2023-02-06 Thread me
Hi Jordan,

can you please open an issue in github for the IP bug?

Regards,
Swen

-----Original Message-----
From: jordan j 
Sent: Friday, February 3, 2023 14:45
To: users@cloudstack.apache.org
Subject: How to block default allow egress 53 ?

After deploying ACS 4.17.2 with XCP-NG and Security groups we noticed that by  
default egress port 53 is always allowed. Is there a way to deny that?

At first we thought it was allowed in the user network because the network 
provider supported DNS service. However after removing the DNS service and 
rebuilding the network the port is still open.

Another issue unrelated to the topic but I thought it may be a bug.
Error pops when creating a new instance via the GUI and specifying IP address.
the message is "Unable to start a VM due to insufficient address capacity"
However when starting an instance without specifying address works properly.
After some investigation it seems that the IP address value is not passed 
properly.

For example:

If the network is 172.20.0.0/16 and we pass a value for the instance of
172.20.0.25 the management-server.log reports that the value passed is
172.20.0.2 which is not valid.

Regards,
Jordan