Creating advanced network

2013-10-14 Thread Bjoern Teipel

Hi Guys,

I wanted to set up an advanced zone with security groups and saw this 
exception in the log while I was configuring the networks.

What does that mean, what are the limitations from an advanced zone + SG ?

ERROR [cloud.async.AsyncJobManagerImpl] (Job-Executor-23:job-23 = [ 7c7e4264-721d-448b-8a75-b68ffeb52d56 ]) Unexpected exception while executing org.apache.cloudstack.api.command.admin.network.UpdatePhysicalNetworkCmd
com.cloud.exception.InvalidParameterValueException: Can't add vnet range to the physical network in the zone that supports Advanced network, Security Group enabled: true
    at com.cloud.network.NetworkServiceImpl.updatePhysicalNetwork(NetworkServiceImpl.java:2527)
    at com.cloud.utils.component.ComponentInstantiationPostProcessor$InterceptorDispatcher.intercept(ComponentInstantiationPostProcessor.java:125)
    at org.apache.cloudstack.api.command.admin.network.UpdatePhysicalNetworkCmd.execute(UpdatePhysicalNetworkCmd.java:98)
    at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:158)
    at com.cloud.async.AsyncJobManagerImpl$1.run(AsyncJobManagerImpl.java:531)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:679)

Also I tagged the cloudstack storage network (specified VLAN ID in the 
wizard) but I see the interfaces are bound to cloudbr0 as opposed to 
brxxx-VLANID

Does the storage network need to be untagged ?

Also is it true the guest network is the public network ? That confuses 
me a little bit since I configured an internal IP range but now I can't 
see how/where to configure the external/public IP.


Thanks in advance,
Bjoern



Re: Creating advanced network

2013-10-14 Thread Bjoern Teipel


Who can help me here ?
Right now the biggest issue for me  are the last questions.




Re: Creating advanced network

2013-10-14 Thread motty cruz
Hello Bjoern,

I'm not an expert with Cloudstack, but I will share my limited knowledge.
Guest traffic
This is the network traffic generated by the communication between the guest
VMs. This traffic flows over the guest network and it can be shared or
isolated.

I have Cloudstack 4.1 installed, configured with Advanced networking; my
hypervisor has two network interfaces, one for private (management/storage)
and one for public (public/guest) network

private interface eth1 bridge to cloudbr1
public interface eth0 bridge to cloudbr0
  guest vlan eth0.100  (10.1.1.0/24 CIDR)

my setup is partially working, I can create instances but can't ping my
virtual router, I'm in the process as well,
Thanks,






Re: Creating advanced network

2013-10-15 Thread Bjoern Teipel
Wow, all user@cloudstack mails got caught in my spam filter, so sorry 
for the late response.


After tinkering the whole day I gave up using a tagged VLAN for the 
storage traffic, seems not to work. It ignores the VID and doesn't 
create the VLAN on the hypervisor.
I added the vlan to the hypervisor now and bound cloudbr1 to it and 
using it untagged in cloudstack.

Finally all is up. :-)

Now I was looking how to use a load balancer like the internal 
cloudstack one or even the F5 and it seems it's not supported.

No cloudstack support for internal LB (the VR one) or F5 ? Really !!!
According to the advanced network and security groups specification ( 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone) 
AddF5LoadBalancerCmd api commands will just fail in SG enabled zone. 
That's just a joke.


I'm really close to end the cloudstack adventure and move on with 
OpenStack.
Having a shared network with SG and loadbalancer is not really an 
uncommon solution


Thanks,
Bjoern



Re: Creating advanced network

2013-10-15 Thread Murali Reddy
On 16/10/13 7:17 AM, "Bjoern Teipel" wrote:

>Wow, all user@cloudstack mails got caught in my spam filter, so sorry
>for the late response.
>
>After tinkering the whole day I gave up using a tagged VLAN for the
>storage traffic, seems not to work. It ignores the VID and doesn't
>create the VLAN on the hypervisor.
>I added the vlan to the hypervisor now and bound cloudbr1 to it and
>using it untagged in cloudstack.
>Finally all is up. :-)
>
>Now I was looking how to use a load balancer like the internal
>cloudstack one or even the F5 and it seems it's not supported.
>No cloudstack support for internal LB (the VR one) or F5 ? Really !!!
>According to the advanced network and security groups specification (
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone)
>AddF5LoadBalancerCmd api commands will just fail in SG enabled zone.
>That's just a joke.

4.1 did not support PF/NAT/LB services in shared network. From 4.2, all
network services are supported in shared network with or without SG so you
should be able to use F5/VR/Netscaler for LB.

>
>I'm really close to end the cloudstack adventure and move on with
>OpenStack.
>Having a shared network with SG and loadbalancer is not really an
>uncommon solution




Re: Creating advanced network

2013-10-15 Thread Bjoern Teipel

Murali,

That would be great if you're right. But I'm now in a deadlock:

Adding new network offering including LB:

2013-10-15 23:34:50,920 WARN [network.element.VirtualRouterElement] 
(catalina-exec-19:null) Virtual router can't enable services [Dns Dhcp 
UserData Lb ] without source NAT service
2013-10-15 23:34:50,924 ERROR [cloud.api.ApiServer] 
(catalina-exec-19:null) unhandled exception executing api command: 
createNetworkOffering
com.cloud.exception.UnsupportedServiceException: Provider VirtualRouter 
doesn't support services combination: [Dns, Dhcp, UserData, Lb]


That forces me to add source NAT, but once I want to add a guest network in 
the zone I get the opposite error. I can't mix SG + sourceNat


013-10-15 23:46:30,896 INFO  [cloud.api.ApiServer] 
(catalina-exec-22:null) Service SourceNat is not allowed in security 
group enabled zone


So no internal lb ?

Thanks,
Bjoern
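
Added example, not part of the original message and not CloudStack code: a Python parser that rebuilds the three mail-wrapped log records quoted in the message above and extracts what the management server refused. All function and field names are illustrative, and the sample text is constructed from the excerpt as it was pasted.

```python
import re
from dataclasses import dataclass, field

# Start of a record: timestamp, level, [logger]. The year is matched as 3-4
# digits because the last excerpt above lost its first digit when pasted.
START = re.compile(
    r"^(?P<ts>\d{3,4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s*(?P<rest>.*)$"
)
THREAD = re.compile(r"^\((?P<thread>[^)]*)\)\s*(?P<msg>.*)$")
EXCEPTION = re.compile(
    r"^(?P<cls>(?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error)):\s*(?P<detail>.*)$"
)
# A stack frame ("at x.y(F.java:1)") or a bare "at" left behind by line wrapping.
FRAME = re.compile(r"^at(?:\s+[\w$.<>]+\(.*)?$")
API_CMD = re.compile(r"executing api command:\s*(\w+)")
SERVICES = re.compile(r"\[([^\]]*)\]")
REFUSAL = re.compile(r"can't|not allowed|doesn't support", re.IGNORECASE)


@dataclass
class Record:
    ts: str
    level: str
    logger: str
    body: str = ""                               # "(thread) message", re-joined
    trace: list = field(default_factory=list)    # exception line, then frames

    def _split(self):
        m = THREAD.match(self.body)
        return (m["thread"], m["msg"]) if m else ("", self.body)

    @property
    def thread(self):
        return self._split()[0]

    @property
    def message(self):
        return self._split()[1]


def parse(text):
    """Rebuild logical records from a log excerpt that a mail client re-wrapped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = START.match(line)
        if m:
            records.append(Record(m["ts"], m["level"], m["logger"], m["rest"]))
        elif not records:
            continue  # text before the first record header
        elif EXCEPTION.match(line) or FRAME.match(line):
            records[-1].trace.append(line)       # new exception line or frame
        elif records[-1].trace:
            records[-1].trace[-1] += " " + line  # wrapped tail of a trace line
        else:
            records[-1].body = (records[-1].body + " " + line).strip()
    return records


def refusals(records):
    """Return the records in which the management server rejected a request."""
    found = []
    for r in records:
        exc = next(filter(None, map(EXCEPTION.match, r.trace)), None)
        if not exc and not REFUSAL.search(r.message):
            continue
        reason = exc["detail"] if exc else r.message
        cmd = API_CMD.search(r.message)
        svc = SERVICES.search(reason)
        found.append({
            "ts": r.ts,
            "level": r.level,
            "api_command": cmd.group(1) if cmd else None,
            "exception": exc["cls"] if exc else None,
            "services": svc.group(1).replace(",", " ").split() if svc else [],
            "reason": reason,
        })
    return found


# Constructed sample: the three records quoted in the message above, kept in
# their mail-wrapped form (including the clipped year on the last one).
SAMPLE = """\
2013-10-15 23:34:50,920 WARN [network.element.VirtualRouterElement]
(catalina-exec-19:null) Virtual router can't enable services [Dns Dhcp
UserData Lb ] without source NAT service
2013-10-15 23:34:50,924 ERROR [cloud.api.ApiServer]
(catalina-exec-19:null) unhandled exception executing api command:
createNetworkOffering
com.cloud.exception.UnsupportedServiceException: Provider VirtualRouter
doesn't support services combination: [Dns, Dhcp, UserData, Lb]
013-10-15 23:46:30,896 INFO  [cloud.api.ApiServer]
(catalina-exec-22:null) Service SourceNat is not allowed in security
group enabled zone
"""

if __name__ == "__main__":
    for finding in refusals(parse(SAMPLE)):
        print(finding)
```
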


Re: Creating advanced network

2013-10-16 Thread Murali Reddy
On 16/10/13 12:23 PM, "Bjoern Teipel" wrote:

>Murali,
>
>That would be great if you're right. But I'm now in a deadlock:
>
>Adding new network offering including LB:
>
>2013-10-15 23:34:50,920 WARN [network.element.VirtualRouterElement]
>(catalina-exec-19:null) Virtual router can't enable services [Dns Dhcp
>UserData Lb ] without source NAT service
>2013-10-15 23:34:50,924 ERROR [cloud.api.ApiServer]
>(catalina-exec-19:null) unhandled exception executing api command:
>createNetworkOffering
>com.cloud.exception.UnsupportedServiceException: Provider VirtualRouter
>doesn't support services combination: [Dns, Dhcp, UserData, Lb]
>
>That forces me to add source NAT, but once I want to add a guest network in
>the zone I get the opposite error. I can't mix SG + sourceNat
>
>013-10-15 23:46:30,896 INFO  [cloud.api.ApiServer]
>(catalina-exec-22:null) Service SourceNat is not allowed in security
>group enabled zone

The first issue is a known issue (CLOUDSTACK-4717) and is getting addressed in 4.2.1.
Not sure why source NAT should not be allowed in SG network. Sorry, this
is indeed a deadlock situation. It does not look like you can use LB
within a shared network with SG in an advanced zone.

>
>So no internal lb ?
>
>Thanks,
>Bjoern




Re: Creating advanced network

2013-10-16 Thread Bjoern Teipel

  
  
Hi Murali,

I saw your git commits. I want to compile now your changes into our source
code. Do I need just the one for 4.2 or also the master commits:

Commit 4d07493a5e6e13462b80ba09c3535fa4af0ebdc7 in branch refs/heads/4.2 from Murali Reddy

ASF subversion and git services added a comment - Today 06:18
Commit df3b09944968718111d9b6b29d4c7f5a5cfaf630 in branch refs/heads/master from Murali Reddy

ASF subversion and git services added a comment - Today 14:45
Commit df3b09944968718111d9b6b29d4c7f5a5cfaf630 in branch refs/heads/ui-restyle from Murali Reddy

Thanks,
Bjoern
  

Re: Creating advanced network

2013-10-18 Thread Murali Reddy
Bjoern,

Sorry, that commit only fixes part of the problem. Still there are two more 
issues (source NAT and SG + source NAT combination is not permitted and public 
traffic type is not allowed in security group based shared network). I opened a 
feature enhancement CLOUDSTACK-4891 bug for this issue.

You may want to try basic zone model of CloudStack which provides security 
group based L3 isolation with EIP(1:1 NAT) & ELB services with NetScaler.

Thanks,
Murali


Re: Creating advanced network

2013-10-18 Thread Teipel, Bjoern
My problem is that I want to integrate F5 load balancer also. So I'm stuck with 
advanced mode. Also I don't like that VMs have per default public IPs in basic 
mode.

Bjoern
