Re: Network ACL granularity

2016-01-06 Thread Christopher Falk
Hi Geoffrey, 

I asked a similar question a while back. You are correct - ACLs can be applied 
only to tiers in a VPC, and all rules apply to all *destination* IP addresses 
in the VPC. Of course any server without a static NAT will not receive traffic. 

If you want to open only port 25 to a mail server and only port 443 to a web 
server, they either need to be in different tiers or you need to use firewalls 
on the VM end to block the unwanted ports. 

The design of the tiers seems intended for a traditional web app with front end 
web servers, an app server tier, and a DB tier. It expects tiers to be used 
mostly for servers with similar firewalling requirements. 

What would make this much easier would be to provide both source and 
destination options in the ACL so that traffic could be limited to a specific 
destination IP address in the VPC. It could even be done by providing a 
drop-down of existing static NATs configured at the time of the ACL edit. 

Coming from a network administration background I would expect to see ACLs in 
VPCs work like a firewall normally does - source and destination IP and port. 
The current model of source, port and ingress/egress with the implied 
destination of the entire tier is a security risk in most actual use cases 
where an administrator doesn't want certain ports to be exposed for all the VMs 
in a tier. 

c 


From: "Geoffrey Corey"  
To: "Erik Weber"  
Cc: users@cloudstack.apache.org 
Sent: Wednesday, January 6, 2016 6:03:02 PM 
Subject: Re: Network ACL granularity 

So we have a vpc, and we are trying to carve it up. 

Ideally, we'd have an IP range for just "infrastructure" related vms, like 
MXs, LDAP, etc. We want to be able to apply an ACL specifically to the MXs 
where only smtp and ssh (and possibly ping) are allowed into that VM, and 
similar for ldap, etc, and have the ability to select these ACLs on a per-vm 
basis (similar to how AWS allows this for network ACLs). 

Right now, from what I can tell in the UI, we'd have to carve up, so to 
speak, that "infrastructure" ip range into smaller networks in order to 
apply these service related network acls 

(Hope I was able to word that correctly) 

On Wed, Jan 6, 2016 at 2:55 PM, Erik Weber  wrote: 

> Can't answer your question, but to help out with ideas; are you mostly 
> looking for ingress, egress or both? 
> 
> Also, is it primarily north-south traffic you want to isolate per vm or 
> east-west as well? 
> 
> -- 
> 
> Erik 
> 
> 
> Den mandag 4. januar 2016 skrev Geoffrey Corey  
> følgende: 
> 
>> What is the lowest granularity level that a network ACL can be applied? 
>> 
>> We would like to be able to apply a network ACL on a per-vm basis, but 
>> initial investigation points to only being able to apply it to a network 
>> tier. 
>> 
>> Also, if a network acl can be applied on a per-vm basis, how can that be 
>> accomplished? 
>> 
>> Thanks 
>> 
>>  
>> Geoff Corey 
>> Apache Infrastructure 
>> 
> 

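The exposure problem the thread describes, as an added worked model (not part of any message above and not CloudStack code): one ACL list is attached to the whole tier, so every VM in the tier answers on the union of the ports any role in that tier needs, and only a guest firewall on each VM narrows it back down. Rule evaluation follows CloudStack's rule numbering (lowest number first, first match wins); treating traffic that matches no rule as denied, the tier layout, the roles, the ports and the nftables guest ruleset are all constructed for the illustration.

```python
"""Tier-wide ACL exposure vs per-VM guest firewall (constructed model).

Not CloudStack code. Models the behaviour described in the thread: an ACL
list is attached to a tier, every ingress rule applies to every VM in that
tier, rules are evaluated in rule-number order (first match wins) and, as an
assumption here, anything matching no rule is denied. Roles, ports and the
guest ruleset are made up for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

Service = Tuple[str, int]  # (protocol, port); the port is ignored for icmp


@dataclass(frozen=True)
class AclRule:
    number: int          # evaluation order, lowest first
    protocol: str        # "tcp", "udp", "icmp" or "all"
    start_port: int
    end_port: int
    action: str          # "allow" or "deny"
    traffic_type: str = "ingress"

    def matches(self, proto: str, port: int) -> bool:
        if self.traffic_type != "ingress":
            return False
        if self.protocol == "all":
            return True
        if self.protocol != proto:
            return False
        if proto == "icmp":
            return True
        return self.start_port <= port <= self.end_port


@dataclass(frozen=True)
class Vm:
    name: str
    role: str
    # Services the guest firewall admits; None means no guest firewall at all.
    guest_fw_allow: Optional[FrozenSet[Service]] = None


# What each role is meant to expose (the thread's MX: smtp, ssh, ping; an LDAP
# equivalent for directory servers). Constructed.
ROLE_SERVICES = {
    "mx":   frozenset({("tcp", 25), ("tcp", 22), ("icmp", 0)}),
    "ldap": frozenset({("tcp", 389), ("tcp", 636), ("tcp", 22), ("icmp", 0)}),
}

# One ACL list for the whole "infrastructure" tier: the union of every role's
# needs, because the ACL cannot say "25 only to the MX".
INFRA_TIER_ACL = [
    AclRule(1, "tcp", 22, 22, "allow"),
    AclRule(2, "tcp", 25, 25, "allow"),
    AclRule(3, "tcp", 389, 389, "allow"),
    AclRule(4, "tcp", 636, 636, "allow"),
    AclRule(5, "icmp", 0, 0, "allow"),
    AclRule(6, "all", 0, 65535, "deny"),   # explicit catch-all deny
]


def acl_allows(rules: Iterable[AclRule], proto: str, port: int) -> bool:
    """First matching rule decides; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port):
            return rule.action == "allow"
    return False


def tier_exposure(rules, candidates):
    """Services the ACL lets through to *every* VM in the tier."""
    return frozenset(s for s in candidates if acl_allows(rules, *s))


def vm_exposure(rules, vm: Vm, candidates):
    """What one VM actually answers on once its own firewall is applied."""
    exposed = tier_exposure(rules, candidates)
    if vm.guest_fw_allow is not None:
        exposed &= vm.guest_fw_allow
    return exposed


def unintended_exposure(rules, vm: Vm, candidates):
    """Services the VM answers on that its role never needed."""
    return vm_exposure(rules, vm, candidates) - ROLE_SERVICES[vm.role]


def guest_nft_ruleset(vm: Vm) -> str:
    """Default-drop input policy for the role (assumes the guest runs
    nftables; an iptables/ufw equivalent does the same job)."""
    services = ROLE_SERVICES[vm.role]
    tcp_ports = sorted(p for proto, p in services if proto == "tcp")
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    if ("icmp", 0) in services:
        lines.append("    ip protocol icmp accept")
    if tcp_ports:
        lines.append("    tcp dport { %s } accept" % ", ".join(map(str, tcp_ports)))
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    candidates = frozenset().union(*ROLE_SERVICES.values())
    for vm in (Vm("mx1", "mx"), Vm("mx2", "mx", guest_fw_allow=ROLE_SERVICES["mx"])):
        print(vm.name, "unexpectedly exposes",
              sorted(unintended_exposure(INFRA_TIER_ACL, vm, candidates)))
    print(guest_nft_ruleset(Vm("mx2", "mx")))
```

Running it shows the MX without a guest firewall answering on 389 and 636 purely because the LDAP servers share its tier, and the same MX with the generated ruleset exposing only its own services; splitting roles into separate tiers is the other way to get the same result.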

Re: Adding Second Zone

2015-05-08 Thread Christopher Falk
Thanks Geoff. 

On the secondary conversion to S3, can you give me more information about the 
problems there? I presume that the updateCloudToUseObjectStore API is designed 
for exactly this scenario. According to the docs from Citrix, which are very 
thin on the topic, the old NFS is retained as staging store after the 
conversion and the existing snaps etc. stay there, and templates/volumes can 
migrate with certain API functions (extractVolume, etc.). 

Is it just not recommended at all to convert to object store, even though there 
is functionality for it? 

The reason I am considering S3 is that we want region-wide secondary storage 
for DR purposes. If the primary datacenter suffers catastrophic failure I need 
to be able to restore VMs from snapshot on secondary storage to the secondary 
site. 

I am replicating my existing NFS secondary storage from each site to the other 
site, but it's a manual process to import VHDs for recovery if disaster 
strikes. 

Chris 


- Original Message -

From: "Geoff Higginbottom"  
To: ""  
Sent: Thursday, May 7, 2015 4:16:34 PM 
Subject: Re: Adding Second Zone 

Hi Christopher, 

Re seeding secondary storage with system VM template, it's best if you do, 
however if the SSVM in the first zone has a route to the secondary storage in 
the new zone you can use the copy template command. 

If when you added other templates you added them as all zones and not 
specifically for the first zone, once the new zone is online and the SSVM is 
running you should see them automatically replicate across. 

You can copy templates between zones from the UI or API. 

Regarding adding S3 backed secondary storage at a later date, you will run into 
problems with volume snapshots and the cleanest approach would be to add it on 
day one, or if adding later delete all the snapshots and then remove the 
existing secondary storage, before adding the new one, but that can also be 
a tricky task. 

Regards 

Geoff Higginbottom 
CTO / Cloud Architect 

D: +44 20 3603 0542 | S: +44 20 3603 0540 
| M: +447968161581 

geoff.higginbot...@shapeblue.com | www.shapeblue.com | Twitter: @cloudstackguru 

ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 
4HS 


On 7 May 2015, at 21:01, Christopher Falk <christopher.f...@reliablenetworks.com> wrote: 

I'm running commercial CP 4.5 Hotfix 3 and we're about to deploy a second site. 
I've been searching the CP and CS docs and mailing list for some of the 
pitfalls and haven't found a lot of information so I'm jumping in here with 
some questions. I'd love to learn from those who've done it already. 

Our current environment looks like: 


* 6-host XenServer 6.2 SP1 cluster in a single pod/zone. 
* Two management servers and a DB master/slave in the same datacenter as the 
compute. 
* iSCSI primary storage, NFS secondary. 

We've got a brand new XenServer 6.5 cluster ready to go in our second 
datacenter with a high-bandwidth redundant link to the first DC. We intend to 
create a second zone in the new facility and leave management in the first one 
for now. I've got the following questions I was hoping for some wisdom on: 


* Do I need to seed the system VM template to the NFS secondary storage in the 
new zone before I create the zone, or does it get copied from the first zone SS 
when creating the second? 
* Is it possible to copy templates between zones directly without 
export/import? 
* Our eventual goal is S3 region-wide secondary storage later in the year. Has 
anybody done the conversion successfully? My lab tests have been challenging 
against a RiakCS backend, with a successful API call for the conversion, but 
failing snapshot copies from XenServer to S3. The lab was on XenServer 6.5 - I 
haven't tried 6.2SP1 with S3. 

Thanks, 

Chris 

Adding Second Zone

2015-05-07 Thread Christopher Falk
I'm running commercial CP 4.5 Hotfix 3 and we're about to deploy a second site. 
I've been searching the CP and CS docs and mailing list for some of the 
pitfalls and haven't found a lot of information so I'm jumping in here with 
some questions. I'd love to learn from those who've done it already. 

Our current environment looks like: 


* 6-host XenServer 6.2 SP1 cluster in a single pod/zone. 
* Two management servers and a DB master/slave in the same datacenter as 
the compute. 
* iSCSI primary storage, NFS secondary. 

We've got a brand new XenServer 6.5 cluster ready to go in our second 
datacenter with a high-bandwidth redundant link to the first DC. We intend to 
create a second zone in the new facility and leave management in the first one 
for now. I've got the following questions I was hoping for some wisdom on: 


* Do I need to seed the system VM template to the NFS secondary storage in 
the new zone before I create the zone, or does it get copied from the first 
zone SS when creating the second? 
* Is it possible to copy templates between zones directly without 
export/import? 
* Our eventual goal is S3 region-wide secondary storage later in the year. 
Has anybody done the conversion successfully? My lab tests have been 
challenging against a RiakCS backend, with a successful API call for the 
conversion, but failing snapshot copies from XenServer to S3. The lab was on 
XenServer 6.5 - I haven't tried 6.2SP1 with S3. 

Thanks, 

Chris 

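The cross-zone template copy asked about above can be driven from the API rather than the UI. Below is an added example, not CloudStack's or cloudmonkey's own code, of building a signed copyTemplate request the way the CloudStack API documents request signing: the field=value pairs are sorted, lowercased, HMAC-SHA1'd with the user's secret key, and the Base64 digest is URL-encoded and appended as `signature`, so the secret key itself never goes on the wire. It opts into signatureVersion=3 so an `expires` timestamp is part of what is signed, which bounds how long a captured URL can be replayed. The endpoint, keys and UUIDs are placeholders and nothing is actually sent; the URL it produces would be fetched over HTTPS, since the parameters themselves are visible in the query string.

```python
"""Signed CloudStack API request for a cross-zone copyTemplate.

Added example, not CloudStack or cloudmonkey code. Builds the request the way
the CloudStack API expects it to be signed: sort the field=value pairs by
field, lowercase the whole string, HMAC-SHA1 it with the user's secret key,
Base64 the digest, URL-encode that and append it as `signature`. With
signatureVersion=3 the `expires` timestamp is part of the signed string, so a
captured URL stops working after the window instead of being replayable
indefinitely. Endpoint, keys and UUIDs are placeholders; nothing is sent.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote_plus


def _encode_value(value) -> str:
    # Percent-encode the way the server does before it recomputes the
    # signature: quote_plus with '*' kept and a space written as %20, not '+'.
    return quote_plus(str(value), safe="*").replace("+", "%20")


def string_to_sign(params: dict) -> str:
    """field=value pairs, values encoded, everything lowercased, sorted by field."""
    pairs = sorted((k.lower(), _encode_value(v).lower()) for k, v in params.items())
    return "&".join("%s=%s" % pair for pair in pairs)


def sign(params: dict, secret_key: str) -> str:
    """Base64(HMAC-SHA1(secret, string_to_sign)); the secret never leaves the client."""
    mac = hmac.new(secret_key.encode(), string_to_sign(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_signed_url(endpoint: str, api_key: str, secret_key: str, command: str,
                     expires_in: int = 300, **args) -> str:
    """Full GET URL: the public apiKey identifies the user, the signature proves
    possession of the secret, and expires limits the replay window."""
    expires = datetime.now(timezone.utc) + timedelta(seconds=expires_in)
    params = {
        "command": command,
        "apiKey": api_key,
        "response": "json",
        "signatureVersion": "3",
        "expires": expires.strftime("%Y-%m-%dT%H:%M:%S+0000"),
        **args,
    }
    query = "&".join("%s=%s" % (k, _encode_value(v)) for k, v in params.items())
    return "%s?%s&signature=%s" % (endpoint, query, quote_plus(sign(params, secret_key)))


def copy_template_url(endpoint, api_key, secret_key, template_id, source_zone, dest_zone):
    """copyTemplate with its id, sourcezoneid and destzoneid parameters."""
    return build_signed_url(endpoint, api_key, secret_key, "copyTemplate",
                            id=template_id, sourcezoneid=source_zone, destzoneid=dest_zone)


if __name__ == "__main__":
    print(copy_template_url("https://cloud.example.com/client/api",
                            "PLACEHOLDER_API_KEY", "PLACEHOLDER_SECRET_KEY",
                            "TEMPLATE-UUID", "ZONE1-UUID", "ZONE2-UUID"))
```

copyTemplate is an asynchronous call, so the JSON response carries a job id to poll with queryAsyncJobResult rather than the finished template; the same signing routine serves every other command, including the ACL calls from the earlier thread.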

Ubuntu 12.04 Guest in CS 4.2.1

2014-03-31 Thread Christopher Falk
Hi there, 

I am having trouble getting Ubuntu 12.04 64-bit to work reliably in CS 4.2.1 on 
XenServer 6.2 SP1. I've seen a few other threads in search that indicate others 
have had the same problem. 

My process (since ISO install does not work) was to build an Ubuntu VM on a 
standalone XS 6.2 SP1 server, prep it and then export the VHD, then register a 
template in CloudStack using that VHD. The instances I create from the template 
seem OK except when they boot they do not get an IP address and I get the 
following in their syslog. Load also pegs around 2.00 with basically no 
processes using any CPU and zero I/O wait states. 



Mar 25 10:58:07 ubuntutemplate kernel: [ 721.756497] INFO: task modprobe:897 
blocked for more than 120 seconds. 
Mar 25 10:58:07 ubuntutemplate kernel: [ 721.756506] "echo 0 > 
/proc/sys/kernel/hung_task_timeout_secs" disables this message. 
Mar 26 14:43:33 ubuntutemplate kernel: [ 241.496213] INFO: task dhclient3:654 
blocked for more than 120 seconds. 
Mar 26 14:43:33 ubuntutemplate kernel: [ 241.496236] "echo 0 > 
/proc/sys/kernel/hung_task_timeout_secs" disables this message. 

This led me to discover that CS is mistakenly setting the VCPUs-max parameter 
for non-Windows VMs to 32, which is documented here: 

https://issues.apache.org/jira/browse/CLOUDSTACK-6063 

I was wondering if anybody had seen this issue lead to problems on VMs 
themselves, such as this strange Ubuntu issue. I was able to reproduce it on a 
standalone host by manually setting VCPUs-max=32 and got the same kernel 
issues. With it set back to VCPUs-max=2 I haven't seen the problem again. 

Is there any known workaround at this time? 

Chris
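A host-side check for the VCPUs-max mismatch described above, as an added example that is not from the thread or from CloudStack: it parses the text `xe vm-list params=uuid,name-label,power-state,VCPUs-max,VCPUs-at-startup` prints in dom0 (the sample output below is constructed), flags every guest whose VCPUs-max is above what it boots with, and emits the `xe vm-param-set` command for the halted ones. VCPUs-max can only be changed on a halted VM, so running guests are listed for a maintenance window instead. This is a stopgap on the hypervisor; the management-server bug in CLOUDSTACK-6063 is still the thing to fix.

```python
"""Find guests whose XenServer VCPUs-max is above what they boot with.

Added check, not CloudStack code. Parses the text that
`xe vm-list params=uuid,name-label,power-state,VCPUs-max,VCPUs-at-startup`
prints (the sample below is constructed) and reports VMs whose VCPUs-max was
raised to 32 while they start with fewer vCPUs, the condition CLOUDSTACK-6063
describes. VCPUs-max can only be changed while a VM is halted, so running VMs
are reported separately rather than given a command.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of xe output; key widths vary, the regex tolerates that.
SAMPLE_XE_OUTPUT = """\
uuid ( RO)                 : 11111111-aaaa-4bbb-8ccc-000000000001
       name-label ( RW)    : ubuntutemplate
      power-state ( RO)    : running
        VCPUs-max ( RW)    : 32
 VCPUs-at-startup ( RW)    : 2


uuid ( RO)                 : 11111111-aaaa-4bbb-8ccc-000000000002
       name-label ( RW)    : win2012-app
      power-state ( RO)    : halted
        VCPUs-max ( RW)    : 4
 VCPUs-at-startup ( RW)    : 4


uuid ( RO)                 : 11111111-aaaa-4bbb-8ccc-000000000003
       name-label ( RW)    : ldap1
      power-state ( RO)    : halted
        VCPUs-max ( RW)    : 32
 VCPUs-at-startup ( RW)    : 1
"""

# "<key> ( RO|RW)    : <value>", one field per line
_FIELD = re.compile(r"^\s*([\w-]+) \( R[OW]\)\s*: (.*?)\s*$")


def parse_xe_vm_list(text: str) -> List[Dict[str, str]]:
    """Turn xe's key ( RO/RW) : value blocks into one dict per VM."""
    vms: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "uuid":            # every record starts with its uuid
            current = {}
            vms.append(current)
        if current is not None:
            current[key] = value
    return vms


def vcpus_max_mismatches(vms: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """VMs whose VCPUs-max exceeds VCPUs-at-startup."""
    return [vm for vm in vms
            if int(vm["VCPUs-max"]) > int(vm["VCPUs-at-startup"])]


def remediation_commands(vms: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """xe commands for halted VMs, plus the names of running ones to revisit."""
    fix, deferred = [], []
    for vm in vcpus_max_mismatches(vms):
        if vm["power-state"] == "halted":
            fix.append("xe vm-param-set uuid=%s VCPUs-max=%s"
                       % (vm["uuid"], vm["VCPUs-at-startup"]))
        else:
            deferred.append(vm["name-label"])
    return fix, deferred


if __name__ == "__main__":
    # In dom0 replace SAMPLE_XE_OUTPUT with the real command's output.
    fix, deferred = remediation_commands(parse_xe_vm_list(SAMPLE_XE_OUTPUT))
    print("\n".join(fix))
    if deferred:
        print("# running, fix after shutdown:", ", ".join(deferred))
```

Note that the check keys on the startup count rather than hard-coding 32, so it also catches any other inflated value; a VM that was deliberately given headroom for hot-adding vCPUs will show up too and should be skipped by hand.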