Re: Bank Client requires VM Firewall in between subnets

2023-11-20 Thread Daan Hoogland
Bryan,
there is a Palo Alto plugin, but I am not sure how advanced it is. As
for intrusion detection I would put it in front of the CloudStack
installation. The virtual router is one thing you want to protect for
instance.

I'd need to see the proposed design to give any more judgemental advice.

On Tue, Nov 21, 2023 at 8:19 AM Bryan Tiang wrote:
>
> Hi All,
>
> I have a potential client who is a bank, and requires a VPC, 3 Subnets, with 
> each subnet segregated by a firewall.
>
> We proposed the idea of using Network ACLs, but they didn’t accept the idea. 
> They want packet filtering, intrusion prevention features etc which are all 
> features of a full-fledged firewall.
>
> Is it possible to install a VM Firewall from Fortinet/Palo Alto, use those to 
> segregate the traffic between the 3 subnets instead? All via cloudstack?
>
> If not, any idea how I could go around this?
>
> Regards,
> Bryan



-- 
Daan


Re: Documentation on instances live migration with KVM

2023-11-20 Thread Daan Hoogland
For documentation:

you
- fork/clone https://github.com/apache/cloudstack-documentation/
- create a new branch for your changes
- edit the docs in your branch
- push your changes to your upstream fork
- use https://github.com/apache/cloudstack-documentation/pull/new to
create the PR

It might require some studying if you're totally new to this.

call for help if need be

On Mon, Nov 20, 2023 at 5:27 PM Jimmy Huybrechts wrote:
>
> I actually have never created a PR before ;) Where do I start?
>
> --
> Jimmy
>
> From: Daan Hoogland
> Date: Monday, 20 November 2023 at 16:57
> To: users@cloudstack.apache.org
> Subject: Re: Documentation on instances live migration with KVM
> :D
> looking forward to your doc PR ;)
>
> On Mon, Nov 20, 2023 at 2:34 PM Jimmy Huybrechts wrote:
> >
> > I noticed the documentation on instances is not entirely correct as it
> > says:
> >
> > (KVM) The Instance must not be using local disk storage. (On XenServer and 
> > VMware, Instance live migration with local disk is enabled by CloudStack 
> > support for XenMotion and vMotion.)
> >
> > Well, I’m using local storage on KVM and I’ve done like 6 live migrations 
> > with local storage until now, it worked fine every one of those 6 times :)
> >
> > --
> > Jimmy
>
>
>
> --
> Daan



-- 
Daan


Bank Client requires VM Firewall in between subnets

2023-11-20 Thread Bryan Tiang
Hi All,

I have a potential client who is a bank, and requires a VPC, 3 Subnets, with 
each subnet segregated by a firewall.

We proposed the idea of using Network ACLs, but they didn’t accept the idea. 
They want packet filtering, intrusion prevention features etc which are all 
features of a full-fledged firewall.

Is it possible to install a VM Firewall from Fortinet/Palo Alto, use those to 
segregate the traffic between the 3 subnets instead? All via cloudstack?

If not, any idea how I could go around this?

Regards,
Bryan


VM Firewalls In Between Subnets

2023-11-20 Thread Bryan Tiang
Hi All,

I have a financial client who requires 3 subnets, each filtered by a firewall.

They didn't accept the idea of using Network ACLs. They want packet filtering, 
intrusion prevention systems etc which are all features of a full-fledged 
firewall.

Can I install a VM Firewall from Fortinet or Palo Alto, and achieve the 
subnet segregation? All via cloudstack?

Regards,
Bryan



Re: VM serial number change when instance stop/start

2023-11-20 Thread Jithin Raju
Hi Jose,

I think currently CloudStack can’t set a fixed serial number on the instance 
creation on XCP-ng. Are you able to set the serial number directly on XCP-ng? 
If possible you could open an improvement request in GitHub.

-Jithin

From: José Sánchez 
Date: Monday, 20 November 2023 at 12:47 PM
To: users@cloudstack.apache.org 
Subject: VM serial number change when instance stop/start
Hi.

We use XCP + CloudStack.

We have some software installed on VMs that depends on the VM serial
number for licensing.

When we stop and start the instance the VM serial number changes because
the VM is removed from the hypervisor during that action.

Is there any way to set a fixed serial number to the instances on creation
stage?

Thanks.

 



RE: Swapping Public IP Addresses

2023-11-20 Thread Alex Mattioli
Hi Bryan,

Which type of network are you using?
From 4.19 it will be possible to change SourceNAT IP. 
You can change the IP of each network and then decommission the "public" range.

To change the IP of the systemVMs you have to disable the zone, destroy the 
current systemVMs, remove the "public" range and then re-enable the zone.

Regards,
Alex

 


-Original Message-
From: Bryan Tiang  
Sent: Monday, November 20, 2023 2:17 PM
To: Vivek Kumar via users 
Subject: Re: Swapping Public IP Addresses

Hi Community,

Our current CloudStack is set up with old public IP addresses assigned to our 
zone infrastructure.

Ongoing next month, we are going to change telco and require re-assigning all 
our public IP addresses.

1. Can CloudStack do public IP migration from old to new in different zones?

2. Assuming item 1 is feasible, can cloudstack remove all old public instances, 
system VMs, and VRs that are currently in use?

3. As some of my current VPC networks use an old public network (in source-nat 
mode), can we change to a new public IP to replace the old public network (in 
source-nat mode)?

4. Any docs for items 1, 2, and 3 or workflow on how to make it work?

Regards,
Bryan
On 20 Nov 2023 at 9:12 PM +0800, Bryan Tiang wrote:
> Hi Community,
>
> Our current CloudStack is set up with old public IP addresses assigned to 
> our zone infrastructure.
>
> Ongoing next month, we are going to change telco and require re-assigning all 
> our public IP addresses.
> > 1. Can CloudStack do public IP migration from old to new in different zones?
> >
> > 2. Assuming item 1 is feasible, can cloudstack remove all old public 
> > instances, system VMs, and VRs that are currently in use?
> >
> > 3. As some of my current VPC networks use an old public network (in 
> > source-nat mode), can we change to a new public IP to replace the old 
> > public network (in source-nat mode)?
> >
> > 4. Any docs for items 1, 2, and 3 or workflow on how to make it work?
>
> Regards,
> Bryan


Re: Service offerings for root domain visible by other domains

2023-11-20 Thread Jimmy Huybrechts
Hi Pearl,

That’s a little bit annoying since you can actually choose the domain root :) 
Which I guess would mean the same as just leaving it public, but good to know, 
then I can work around it. :)

--
Jimmy

From: Pearl d'Silva
Date: Monday, 20 November 2023 at 17:06
To: users@cloudstack.apache.org
Subject: Re: Service offerings for root domain visible by other domains
Hi Jimmy,

An offering that is set to be accessible by ROOT domain, is available to its 
children too. i.e., since Domain A is a child domain of ROOT, the offering - 
Admin Test that was created for ROOT domain, would be accessible to Domain A as 
well. Afaik, there currently is no way to restrict it only to the ROOT domain 
(or only to a specific domain). But to have offerings accessible only to a 
specific child domain (of ROOT) and its children, specify the child domain id.

Regards,
Pearl


From: Jimmy Huybrechts 
Sent: November 20, 2023 10:25 AM
To: users@cloudstack.apache.org 
Subject: Service offerings for root domain visible by other domains

Hi,

I’m trying to create some offerings now, according to the documentation I can 
set domains for which it should be visible, so I created one called “Admin 
Test” and assigned only ROOT to the offering, now logged in with my test 
account from domain A which is a domain admin for domain A (no access to root 
domain).

Now when I try to create an instance on my domain admin in domain A I can still 
see and even use Admin Test which should not be possible to even see for that 
domain admin.

Is there any option I should change for that? As to use that for customers it 
would be helpful if they can only see what they should see in offerings.

--
Jimmy




Re: Documentation on instances live migration with KVM

2023-11-20 Thread Jimmy Huybrechts
I actually have never created a PR before ;) Where do I start?

--
Jimmy

From: Daan Hoogland
Date: Monday, 20 November 2023 at 16:57
To: users@cloudstack.apache.org
Subject: Re: Documentation on instances live migration with KVM
:D
looking forward to your doc PR ;)

On Mon, Nov 20, 2023 at 2:34 PM Jimmy Huybrechts wrote:
>
> I noticed the documentation on instances is not entirely correct as it
> says:
>
> (KVM) The Instance must not be using local disk storage. (On XenServer and 
> VMware, Instance live migration with local disk is enabled by CloudStack 
> support for XenMotion and vMotion.)
>
> Well, I’m using local storage on KVM and I’ve done like 6 live migrations 
> with local storage until now, it worked fine every one of those 6 times :)
>
> --
> Jimmy



--
Daan


Re: Service offerings for root domain visible by other domains

2023-11-20 Thread Pearl d'Silva
Hi Jimmy,

An offering that is set to be accessible by ROOT domain, is available to its 
children too. i.e., since Domain A is a child domain of ROOT, the offering - 
Admin Test that was created for ROOT domain, would be accessible to Domain A as 
well. Afaik, there currently is no way to restrict it only to the ROOT domain 
(or only to a specific domain). But to have offerings accessible only to a 
specific child domain (of ROOT) and its children, specify the child domain id.

Regards,
Pearl


From: Jimmy Huybrechts 
Sent: November 20, 2023 10:25 AM
To: users@cloudstack.apache.org 
Subject: Service offerings for root domain visible by other domains

Hi,

I’m trying to create some offerings now, according to the documentation I can 
set domains for which it should be visible, so I created one called “Admin 
Test” and assigned only ROOT to the offering, now logged in with my test 
account from domain A which is a domain admin for domain A (no access to root 
domain).

Now when I try to create an instance on my domain admin in domain A I can still 
see and even use Admin Test which should not be possible to even see for that 
domain admin.

Is there any option I should change for that? As to use that for customers it 
would be helpful if they can only see what they should see in offerings.

--
Jimmy
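
The scoping rule described in this reply, modelled as an added example (not CloudStack code and not from the thread): an offering assigned to a domain is visible to that domain and all of its children, so assigning ROOT exposes it to every domain. The domain tree, the offering records and the `intended` field are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample hierarchy (child -> parent); ROOT has no parent.
PARENTS = {
    "ROOT": None,
    "DomainA": "ROOT",
    "DomainA/Sub1": "DomainA",
    "DomainB": "ROOT",
}


@dataclass(frozen=True)
class Offering:
    name: str
    domains: frozenset   # domains the offering is assigned to; empty = public
    intended: frozenset  # hypothetical field: who the operator wants to see it


def lineage(domain, parents):
    """Return the domain followed by its ancestors up to the root."""
    chain = []
    while domain is not None:
        if domain not in parents:
            raise ValueError(f"unknown domain: {domain}")
        if domain in chain:
            raise ValueError(f"cycle in domain tree at: {domain}")
        chain.append(domain)
        domain = parents[domain]
    return chain


def visible_to(offering, domain, parents):
    """Assigned domains grant visibility to themselves and every descendant."""
    if not offering.domains:
        return True
    return any(d in offering.domains for d in lineage(domain, parents))


def exposure(offering, parents):
    """All domains whose users can see and use the offering."""
    return sorted(d for d in parents if visible_to(offering, d, parents))


def audit(offerings, parents):
    """Map offering name -> domains that can see it but were not intended to."""
    findings = {}
    for off in offerings:
        leaked = [d for d in exposure(off, parents) if d not in off.intended]
        if leaked:
            findings[off.name] = leaked
    return findings


# Constructed offerings: one scoped to ROOT, one scoped to a child domain.
OFFERINGS = [
    Offering("Admin Test", frozenset({"ROOT"}), frozenset({"ROOT"})),
    Offering("Tenant A plan", frozenset({"DomainA"}),
             frozenset({"DomainA", "DomainA/Sub1"})),
]

if __name__ == "__main__":
    for name, leaked in audit(OFFERINGS, PARENTS).items():
        print(f"{name}: also visible to {', '.join(leaked)}")
```

The model covers domain scoping of offerings only; it says nothing about what individual account roles can do.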

 



Re: Documentation on instances live migration with KVM

2023-11-20 Thread Daan Hoogland
:D
looking forward to your doc PR ;)

On Mon, Nov 20, 2023 at 2:34 PM Jimmy Huybrechts wrote:
>
> I noticed the documentation on instances is not entirely correct as it
> says:
>
> (KVM) The Instance must not be using local disk storage. (On XenServer and 
> VMware, Instance live migration with local disk is enabled by CloudStack 
> support for XenMotion and vMotion.)
>
> Well, I’m using local storage on KVM and I’ve done like 6 live migrations 
> with local storage until now, it worked fine every one of those 6 times :)
>
> --
> Jimmy



-- 
Daan


Service offerings for root domain visible by other domains

2023-11-20 Thread Jimmy Huybrechts
Hi,

I’m trying to create some offerings now, according to the documentation I can 
set domains for which it should be visible, so I created one called “Admin 
Test” and assigned only ROOT to the offering, now logged in with my test 
account from domain A which is a domain admin for domain A (no access to root 
domain).

Now when I try to create an instance on my domain admin in domain A I can still 
see and even use Admin Test which should not be possible to even see for that 
domain admin.

Is there any option I should change for that? As to use that for customers it 
would be helpful if they can only see what they should see in offerings.

--
Jimmy


Documentation on instances live migration with KVM

2023-11-20 Thread Jimmy Huybrechts
I noticed the documentation on instances is not entirely correct as it says:

(KVM) The Instance must not be using local disk storage. (On XenServer and 
VMware, Instance live migration with local disk is enabled by CloudStack 
support for XenMotion and vMotion.)

Well, I’m using local storage on KVM and I’ve done like 6 live migrations with 
local storage until now, it worked fine every one of those 6 times :)

--
Jimmy


Re: Swapping Public IP Addresses

2023-11-20 Thread Bryan Tiang
Hi Community,

Our current CloudStack is set up with old public IP addresses assigned to our 
zone infrastructure.

Ongoing next month, we are going to change telco and require re-assigning all 
our public IP addresses.

1. Can CloudStack do public IP migration from old to new in different zones?

2. Assuming item 1 is feasible, can cloudstack remove all old public instances, 
system VMs, and VRs that are currently in use?

3. As some of my current VPC networks use an old public network (in source-nat 
mode), can we change to a new public IP to replace the old public network (in 
source-nat mode)?

4. Any docs for items 1, 2, and 3 or workflow on how to make it work?

Regards,
Bryan
On 20 Nov 2023 at 9:12 PM +0800, Bryan Tiang wrote:
> Hi Community,
>
> Our current CloudStack is set up with old public IP addresses assigned to 
> our zone infrastructure.
>
> Ongoing next month, we are going to change telco and require re-assigning all 
> our public IP addresses.
> > 1. Can CloudStack do public IP migration from old to new in different zones?
> >
> > 2. Assuming item 1 is feasible, can cloudstack remove all old public 
> > instances, system VMs, and VRs that are currently in use?
> >
> > 3. As some of my current VPC networks use an old public network (in 
> > source-nat mode), can we change to a new public IP to replace the old 
> > public network (in source-nat mode)?
> >
> > 4. Any docs for items 1, 2, and 3 or workflow on how to make it work?
>
> Regards,
> Bryan


Swapping Public IP Addresses

2023-11-20 Thread Bryan Tiang
Hi Community,

Our current CloudStack is set up with old public IP addresses assigned to our 
zone infrastructure.

Ongoing next month, we are going to change telco and require re-assigning all 
our public IP addresses.
> 1. Can CloudStack do public IP migration from old to new in different zones?
>
> 2. Assuming item 1 is feasible, can cloudstack remove all old public 
> instances, system VMs, and VRs that are currently in use?
>
> 3. As some of my current VPC networks use an old public network (in 
> source-nat mode), can we change to a new public IP to replace the old public 
> network (in source-nat mode)?
>
> 4. Any docs for items 1, 2, and 3 or workflow on how to make it work?

Regards,
Bryan


Re: Creating a CloudStack AutoScale VM Group with Terraform

2023-11-20 Thread Kiran Chavala
Hi Palash

Could you please log an improvement issue here for creating autoscale vm groups 
via terraform

https://github.com/apache/cloudstack-terraform-provider/issues

Regards
Kiran

From: Marco Sinhoreli 
Date: Monday, 20 November 2023 at 10:48 AM
To: users@cloudstack.apache.org 
Subject: Re: Creating a CloudStack AutoScale VM Group with Terraform
Hi Palash

The Autoscale VM group API call is not exposed to the CloudStack Terraform 
Provider. You can find the complete supported CloudStack resources here: 
https://registry.terraform.io/providers/cloudstack/cloudstack/latest/docs


From: Palash Biswas 
Date: Tuesday, 14 November 2023 at 16:40
To: users@cloudstack.apache.org 
Subject: Creating a CloudStack AutoScale VM Group with Terraform
Hello,

I'm looking to create a CloudStack AutoScale VM Group using Terraform, but
I couldn't find clear documentation on how to achieve this, especially
regarding the creation of AutoScale policies and AutoScale VM groups.

My goal is to deploy and manage the entire AutoScale VM Group using
Terraform. I'm currently using Terraform version 1.6.2.

I would greatly appreciate any advice or guidance on how to accomplish this
task.

Thank you for your assistance.

Regards,
Palash Biswas

 



VM serial number change when instance stop/start

2023-11-20 Thread José Sánchez
Hi.

We use XCP + CloudStack.

We have some software installed on VMs that depends on the VM serial
number for licensing.

When we stop and start the instance the VM serial number changes because
the VM is removed from the hypervisor during that action.

Is there any way to set a fixed serial number to the instances on creation
stage?

Thanks.


RE: Difference between VM Snapshot and Snapshot

2023-11-20 Thread Alex Mattioli
Adding to that, from ACS 4.19 volume snapshots can be copied to other zones 
(SnapshotsCopy)

Regards,
Alex

 


-Original Message-
From: m...@swen.io  
Sent: Friday, November 17, 2023 9:58 PM
To: users@cloudstack.apache.org
Subject: AW: Difference between VM Snapshot and Snapshot

One more difference is that a VM Snapshot will stay on primary storage and a 
Snapshot will be copied to secondary storage.

Regards,
Swen

-Original Message-
From: Suresh Kumar Anaparti
Sent: Friday, 17 November 2023 18:37
To: users@cloudstack.apache.org
Subject: Re: Difference between VM Snapshot and Snapshot

Hi Murilo,

"Snapshots" corresponds to Disk/Volume, and "VM Snapshots" corresponds to 
VM/Instance. You can use VM Snapshots to revert to the machine's state.

Regards,
Suresh

On Fri, Nov 17, 2023 at 7:59 PM Murilo Moura wrote:
>
> Hi!
>
> What is the difference between the "Snapshots" and "VM Snapshots" features?
> In practice, what changes between the snapshots created in these two menus?
> Do any of them have limitations in restoring the machine's state completely?




CloudStack Collaboration Conference 2023 starts this week!

2023-11-20 Thread Ivet Petrova
Hi All,

This is my final reminder that the CloudStack Collaboration Conference 2023 
starts this week. On Thursday we will be welcoming all event attendees in Paris.
You can also get the full conference experience online through the advanced 
event platform. Just register here: 
https://events.hubilo.com/cloudstack-collaboration-conference-2023/register

For all online attendees - here is a list of things you can do in the event 
platform:
- watch all sessions live or on demand
- ask questions to speakers and panelists
- connect with other event attendees
- connect with speakers
- book meetings with event participants
- meet the exhibitors, chat or have a live call with them

All available after a registration: 
https://events.hubilo.com/cloudstack-collaboration-conference-2023/register

We start on Thursday!

Kind regards,


 



Re: KVM clustering with Cloudstack

2023-11-20 Thread Nux
You either do it with Cloudstack or you don't. Using corosync etc is not 
supported.



On 2023-11-20 10:12, Francisco Arencibia Quesada wrote:

Good morning guys,

What is recommended from your point of view?
Create a KVM cluster with corosync and pacemaker, or directly handle the
cluster with CloudStack. Is it fully supported?


Kind regards.


KVM clustering with Cloudstack

2023-11-20 Thread Francisco Arencibia Quesada
Good morning guys,

What is recommended from your point of view?
Create a KVM cluster with corosync and pacemaker, or directly handle the
cluster with CloudStack. Is it fully supported?


Kind regards.



-- 
*Francisco Arencibia Quesada.*
*DevOps Engineer*


Re: Creating a CloudStack AutoScale VM Group with Terraform

2023-11-20 Thread Marco Sinhoreli
Hi Palash

The Autoscale VM group API call is not exposed to the CloudStack Terraform 
Provider. You can find the complete supported CloudStack resources here: 
https://registry.terraform.io/providers/cloudstack/cloudstack/latest/docs


From: Palash Biswas 
Date: Tuesday, 14 November 2023 at 16:40
To: users@cloudstack.apache.org 
Subject: Creating a CloudStack AutoScale VM Group with Terraform
Hello,

I'm looking to create a CloudStack AutoScale VM Group using Terraform, but
I couldn't find clear documentation on how to achieve this, especially
regarding the creation of AutoScale policies and AutoScale VM groups.

My goal is to deploy and manage the entire AutoScale VM Group using
Terraform. I'm currently using Terraform version 1.6.2.

I would greatly appreciate any advice or guidance on how to accomplish this
task.

Thank you for your assistance.

Regards,
Palash Biswas


AW: How does Cloudstack limit bandwidth

2023-11-20 Thread me
Hi Marty,

what do you mean by "RX pauses"? Are you using xoa as management interface
for xcp-ng? You should be able to see speed limits on the nic attached to
the VM and the VR.

Regards,
Swen

-Original Message-
From: ma...@gonsource.com
Sent: Monday, 20 November 2023 05:31
To: users@cloudstack.apache.org
Subject: RE: How does Cloudstack limit bandwidth

Thank you for the explanation Jayanth.

So, could the RX pauses be caused by the hypervisor for bandwidth control? I
am using XCP-NG.

Thoughts?

-Original Message-
From: Jayanth Reddy 
Sent: Sunday, November 19, 2023 10:50 PM
To: users@cloudstack.apache.org
Subject: Re: How does Cloudstack limit bandwidth

Hello Marty,

Yes, at the hypervisor level and applied on the bridge ports. It is defined
in the VM domxml. An example is as below and you may also do # virsh dumpxml
 to get it.


  
  
  


  

25600 KB/s is 200 Mbps in this case.

If we're talking about the network as a whole, it applies on all the
interfaces connected to the Virtual Router in a similar manner defined
above. Also note that there is also a network limit defined in the Compute
Offering which limits the bandwidth at the TAP port of the VM connected to
the bridge.

Thanks,
Jayanth

From: ma...@gonsource.com 
Sent: Monday, November 20, 2023 8:47:27 AM
To: users@cloudstack.apache.org 
Subject: How does Cloudstack limit bandwidth

Hello CS Community,



When you create a network, it, by default, has a bandwidth limit of 500Mb.
My question is how does it do this? Since CS is not interacting with
switches and is creating the network on the hypervisor, does it do this at
the hypervisor level or in a different manner? The reason I ask this is I am
seeing a large number of pause frames on the interfaces that are used for
the internal traffic in my CS cluster. These are 40G ports and I know we
don't have the load to be seeing this many pause frames.



So how does CS limit the bandwidth?



Thanks guys.



Marty