AssignVirtualMachine
I have not had to do this in quite some time but I can no longer assign a VM from my root account to a user account. I get the following error:

Failed to move vm Acct[UUID-USERNAME] does not have permission to operate with resource Acct[UUID-admin]

I know that a bunch of permission stuff has been added over the last few releases but I have no idea which one I need to set to get this working. I'm running 4.13.0 in case it matters.

Any ideas and/or any good resources outlining the API permissions system? I was able to find the permissions in the UI but it looks like it is allow/deny on a per API call basis. I added assignvirtualmachine there but it is still failing.

Thanks,

--
Matthew Smart
President
Smart Software Solutions Inc.
108 S Pierre St.
Pierre, SD 57501
Phone: (605) 280-0383
Skype: msmart13
Email: msm...@smartsoftwareinc.com
Re: AssignVirtualMachine
Yeah it is really odd. I have tried both logging into the UI as admin as well as ensuring I have the admin key and secret and using the API directly. I get the same error in both cases.

Matthew Smart
Smart Software Solutions Inc.

On 9/9/20 3:15 PM, Abhishek Kumar wrote:

Hi Matthew,

While trying to assign your VM from ADMIN to USER account, are you making this API call as the user? This error must be due to the reason that the caller of the API doesn't have permission to operate on the given resource (the VM belongs to the admin account and the user cannot operate on it). You can try calling the same API as the root admin and it should work.

I'm not aware of any resource on the API permissions system myself, but the general rules are: check for API access for a particular user role; domain admin and user accounts cannot operate on resources owned by users of other domains or the parent/root domain.

Regards,
Abhishek

From: Matthew Smart
Sent: 09 September 2020 23:32
To: users@cloudstack.apache.org
Subject: AssignVirtualMachine

abhishek.ku...@shapeblue.com
www.shapeblue.com
3 London Bridge Street, 3rd floor, News Building, London SE1 9SG, UK
@shapeblue
(RESOLVED) AssignVirtualMachine
I had already checked the Template and it was set to public. However, its underlying ISO was not set to public. Changing the ISO to public allowed me to move the VM.

Thank you Pearl and Abhishek for the help! I love this community.

Matthew Smart
Smart Software Solutions Inc.

On 9/10/20 2:00 AM, Pearl d'Silva wrote:

Hi Matthew,

A probable reason for the permission denied issue could be that the user account doesn't have access to the template/ISO from which the VM has been spawned. Editing its permissions, i.e., making it public and sharing the template/ISO with the specific account, may help resolve the issue.

Thanks,
Pearl

From: Matthew Smart
Sent: Thursday, September 10, 2020 2:10 AM
To: users@cloudstack.apache.org
Subject: Re: AssignVirtualMachine

pearl.dsi...@shapeblue.com
www.shapeblue.com
3 London Bridge Street, 3rd floor, News Building, London SE1 9SG, UK
@shapeblue
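The cause found in this thread (template public, but the VM's ISO neither public nor shared with the target account) as a preflight check, plus a signed-query helper for calling the API directly with a key and secret as Matthew did. This is an added example, not code from the thread or from CloudStack: the image and VM records are constructed stand-ins for trimmed listTemplates/listIsos/listVirtualMachines output, the ids, account names and keys are placeholders, and the signing helper follows the standard CloudStack API signature scheme (sorted keys, HMAC-SHA1 over the lowercased query, base64).

```python
"""Preflight for assignVirtualMachine plus CloudStack API request signing.

Added example, not code from this thread or from the CloudStack project.
Assumptions: image records are dicts shaped like trimmed listTemplates /
listIsos output ("ispublic", "account", "permitted_accounts"); the ids,
account names and API keys below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample data reproducing the thread: the template is public,
# but the ISO the VM was installed from is still private to "admin".
IMAGES = {
    "tmpl-1": {"name": "centos7-base", "account": "admin", "ispublic": True,
               "permitted_accounts": []},
    "iso-1": {"name": "centos7-install", "account": "admin", "ispublic": False,
              "permitted_accounts": []},
}
VM = {"id": "vm-1", "name": "web01", "templateid": "tmpl-1", "isoid": "iso-1"}


def account_can_use_image(image, target_account):
    """Owner, public image, or an explicit share (updateTemplatePermissions /
    updateIsoPermissions) lets the account use the image. Domain-wide
    sharing is not modelled here."""
    if image["account"] == target_account or image["ispublic"]:
        return True
    return target_account in image.get("permitted_accounts", [])


def assign_vm_preflight(vm, images, target_account):
    """Return reasons the target account could not use the VM's images.

    An empty list means the template and (if present) the attached ISO are
    reachable for the new owner, so the permission error from the thread
    should not fire for that cause."""
    blockers = []
    for key, kind in (("templateid", "template"), ("isoid", "iso")):
        image_id = vm.get(key)
        if not image_id:
            continue
        image = images[image_id]
        if not account_can_use_image(image, target_account):
            blockers.append(
                f"{kind} {image['name']} ({image_id}) is neither public nor "
                f"shared with account {target_account}")
    return blockers


def _canonical(params):
    """Sorted, URL-encoded query string. The signature is computed over its
    lowercased form; this form is what is actually sent."""
    return "&".join(
        f"{k}={urllib.parse.quote(str(params[k]), safe='*')}"
        for k in sorted(params, key=str.lower))


def _signature(canonical, secret_key):
    digest = hmac.new(secret_key.encode(), canonical.lower().encode(),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_query(params, api_key, secret_key):
    """Standard CloudStack API signing: apikey added, keys sorted,
    HMAC-SHA1 over the lowercased canonical string, base64, URL-encoded."""
    canonical = _canonical(dict(params, apikey=api_key))
    sig = _signature(canonical, secret_key)
    return canonical + "&signature=" + urllib.parse.quote(sig, safe="")


def verify_query(query, secret_key):
    """Recompute the signature of a captured query (e.g. from an access log)
    and compare it in constant time; useful when auditing who made a call."""
    params = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    presented = params.pop("signature", None)
    if presented is None:
        return False
    return hmac.compare_digest(presented, _signature(_canonical(params), secret_key))


if __name__ == "__main__":
    for target in ("matthew", "admin"):
        print(target, assign_vm_preflight(VM, IMAGES, target) or "ok")
    fixed = {**IMAGES, "iso-1": {**IMAGES["iso-1"], "ispublic": True}}
    print("after making the ISO public:", assign_vm_preflight(VM, fixed, "matthew") or "ok")
    query = sign_query({"command": "assignVirtualMachine", "virtualmachineid": VM["id"],
                        "account": "matthew", "domainid": "dom-1"},
                       "API-KEY-PLACEHOLDER", "SECRET-KEY-PLACEHOLDER")
    print(query)
    print("signature verifies:", verify_query(query, "SECRET-KEY-PLACEHOLDER"))
```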
Changing a host's password
This process seems straightforward to me but I want to make sure I understand the parameters to pass into step 3 from the guide: http://docs.cloudstack.apache.org/en/latest/adminguide/hosts.html#changing-host-password

Here is the command for encrypting the password in step 3:

java -classpath /usr/share/cloudstack-common/lib/jasypt-1.9.0.jar \
  org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI \
  encrypt.sh input="newrootpassword" \
  password="databasekey" \
  verbose=false

The two parameters are input and password. Is the input parameter where I put the new password and, if so, where do I find the "databasekey" that is indicated to be the proper value of the password parameter? Or is the input parameter just an unused descriptive field that can contain any value, and the password parameter is where the new password should go? I cannot seem to find a good description of how to use JasyptPBEStringEncryptionCLI online anywhere.

Thanks,

--
Matthew Smart
Smart Software Solutions Inc.
Re: Changing a host's password
Is the databasekey referring to the value "db.cloud.encrypt.secret" listed in /etc/cloudstack/management/db.properties?

Matthew Smart
Smart Software Solutions Inc.

On 11/11/20 4:32 PM, Matthew Smart wrote:
New (to me) issue trying to install management server
Hey everyone,

So, the server acting as my management server (including the database) crashed hard and I am trying to spin up a new one restoring from backups. Everything has seemed to go smoothly but now I am getting the following error:

InvalidConnectionAttributeException: The server time zone value 'CDT' is unrecognized or represents more than one time zone.

My new server is identical to the old one (CentOS 7, MariaDB 5.5.64, identical hardware) and in all of my work with JDBC and MySQL I have never seen this error. I have googled and see that I can fix it by adding a timezone entry in my.cnf but I was wondering if this issue is indicative of a problem with my restoration of the management server. So, is there a timezone setting somewhere in cloudstack management that I missed? Has anyone else hit this error before? I can provide the full stack trace if it is helpful.

Thanks,

--
Matthew Smart
Smart Software Solutions Inc.
Old SystemVM Templates
Hey Everyone,

I'm doing some cleanup on my main Cloudstack deployment which went live circa 2016. Part of that is deleting deprecated templates and isos out of secondary storage. I have a bunch of old SystemVM Templates in there and have verified that there are no deployed vms using them. When I try to delete them, even forced, it tells me:

"The DomR template cannot be deleted."

Now I know I can hack them out of the database and manually delete them on disk but I thought it would be best to ask if there is a "proper" way of removing these templates first.

Thanks,

--
Matthew Smart
Smart Software Solutions Inc.
How to specify which public ip range to use?
Hey guys,

I cannot find documentation on this topic. I have a zone created with two public ip ranges. When I create a new network it always routes through the first listed ip range. Is there a way in the UI to specify that the second ip range be used for a given network? If not, do you know which records I would need to change in the db to make this happen?

Thanks,

--
Matthew Smart
Smart Software Solutions Inc.
Re: How to specify which public ip range to use?
Ahh, got it. Thanks!

Matthew Smart
Smart Software Solutions Inc.

On 07/21/2016 02:58 PM, Simon Weller wrote:
Architecture Advice
Not sure if this is the right place for this question but I am in the process of migrating my datacenter to cloudstack from a manually managed virtualization cluster. I am doing this because we need to implement full segregation between assets owned by different entities and managing that manually would be highly inefficient. I have everything configured and working exactly the way I want it from a segregation standpoint. When fully migrated we will have around 50 separate accounts all segregated onto their own vlans.

The stumbling block for me now is VPN access. We do not operate a public cloud. A small number of sysadmins in my organization are responsible for all management and administration of all assets hosted in the datacenter. Afaik, to use the VPN capability of the VRouter I would have to create users for each sysadmin in all 50 accounts and then propagate any changes to access rights via the api or manually through the UI.

Our current setup has 7 segregated vlans that are accessible via a single OpenVPN gateway that queries my ldap server to determine access rights and pushes network routes when a user authenticates. I would like to reproduce this capability in Cloudstack but am faltering at determining how it could be done. I would prefer to keep all assets including the Master VPN gateway as vms inside my Cloudstack environment and really don't want to incur the overhead of adding an OpenVPN VM to each account. I also can't really just create a shared network and give each vm a nic on it since that breaks the asset segregation that precipitated this move to cloudstack. Finally, I have to be able to query my ldap server for authentication and authorization instead of the Cloudstack database.

Has anyone dealt with a similar architecture? How do you minimize the overhead of a small group of admins and automated scripts needing access to all the accounts?

We are a software development and hosting firm. I have 20 years' experience both in development and in datacenter administration. I am not afraid to get my hands dirty and write something custom to handle this but I am a novice at cloudstack and am looking for some advice on how you would tackle this problem.

Thanks,

--
Matthew Smart
Smart Software Solutions Inc.
Re: Architecture Advice
Ilya,

Thanks for the response. For the most part, our deployment is much simpler than yours. We allow only our senior sysadmins access to the Cloudstack UI (and only have 2 senior sysadmins currently). This access is already tied to LDAP and working perfectly. I don't mind using a vm for VPN since we have sysadmin staff with direct physical access to the datacenter 24/7. Worst case in an outage they can connect directly to the bare metal servers and interface with a VM through the hypervisor vnc port just like the Cloudstack Console Proxy does.

What we are stumbling on is allowing our development staff, sysadmins, and clients to access the vms directly via ssh and other access protocols. I have to allow them the ability to remote into vms to perform maintenance, configuration, and troubleshooting but have to keep these networks completely segregated and managed by our centralized LDAP system. This access is currently facilitated in our non-cloudstack environment by allowing them to VPN into segregated networks and directly access the vms but we do so by allowing our VPN cluster to access ALL segregated networks. This creates a single point of vulnerability in that if an attacker gains access to a server in the VPN cluster they have penetrated our segregation and can access all networks.

My plan was to use the built in VPN capabilities of the VRouter instances to provide for a more secure asset segregation while allowing stakeholders the necessary access to their vms. The stumbling point right now is how we manage the vpns for the 50-60 separate networks we will have when this is rolled out. From what I can find, the current VPN implementation allows for the manual creation of 8 VPN users for each Cloudstack Account and I cannot find anything to indicate whether the VPN users can be managed via LDAP the way that the Cloudstack UI users are.

Does anyone have any guidance on the capabilities of the VRouter VPN offering? Am I correct in my determination that there is not currently any way to configure it to pull auth and access rights from LDAP?

Thanks,

Matthew Smart
Smart Software Solutions Inc.

On 07/29/2016 02:30 AM, ilya wrote:

Matthew,

Interesting challenge. I operate in a slightly different environment - let me explain how it works in places I've been to in the past and you can decide if it's something you see being a fit.

Since data center access is treated as top tier - access to it must be guaranteed at all times - especially to sysadmins. Hence, I'm personally hesitant placing it on a VM - managed by cloudstack, openstack or vmware or any virtual technology. I'd prefer for it to be a physical redundant VPN appliance - but it's just me, being overly paranoid, bitten by many outages - and probably not cloudy enough.

With that said, the VPN profile will inherit a configuration that can access whatever number of VLANs you have to offer - on the network layer. For example, I'd create an Admin network that can access all networks underneath that is bound to my VPN users.

As for cloudstack access, I see a few ways of solving your challenge - but I also believe I may not fully understand your design. For example, in my environment, I may have close to 100 cloud admins. These are the people that tend to different environments across many datacenters doing different things. Some fix hypervisors, others deal with network and vms or do capacity planning. When they log in to cloudstack to perform management tasks - a select few - that we may trust - get root admin privileges. They can access all cloudstack entities below the ROOT domain - there are no restrictions. This is something that is available now in cloudstack.

However, I may also have 98 users that I don't trust as much and want to limit what they can do. For that, we will leverage another feature called Dynamic CloudStack Roles, A.K.A. RBAC.

Link: http://www.shapeblue.com/cloudstack-101/ - scroll down to Management

What RBAC gives is an ability to define your own custom role within cloudstack to perform only specific operations based on the fairly granular cloudstack API. For example, you may want a user who needs to be able to READ content from CloudStack - but not make any changes. You would create a role with "List*" privileges, and assign an account and user on the ROOT domain. This would be the equivalent of a read-only-admin user. Other admins could do VM stop, start, reboot, snapshot and read and change some settings - you can create a Power User role to do that as well, and since they are sysadmin users - you will assign them to the ROOT domain - so they can see all your customers within ACS.

There is no limit as to how granular you can be in terms of access to cloudstack. If there is an API that does it - you can decide how and who uses it. You can also tie your cloudstack with LDAP
VR VPN + LDAP access
Guys,

Thanks for the info. My next step is to engage the dev mailing list to see if there is any interest in my team contributing to add ldap or radius (not familiar with the available plugins for open/strong swan) support to the VR. I assume the SAML support in cloudstack is for the UI just like the LDAP support?

In the meantime, I see two options that I want to run by you guys. The first being creating a VM cluster in a special account that has access to all of the isolated networks to use as a master VPN server. Essentially, I would be replicating my current non-cloudstack setup as a temporary solution, given that I am more than qualified to manually manipulate the api, db, and configs to associate this VM with all of the isolated guest networks. Is this even possible?

The other, less appealing option is to override the current VR VM with one I have configured with the ppp ldap plugin and configs I would need to support what I want to do. Obviously, I don't like the idea of breaking my ability to upgrade the VR as new versions are released but I think this is doable in that the VR looks to be just a Debian VM. If I am careful I should be able to add my changes without breaking it... but given my current knowledge of the VR and networking internals of Cloudstack I could easily break something in some subtle way that does not present until we are in production. Not ideal.

What do you guys recommend as a course forward until we get a more modular access/auth subsystem contributed to the project? I am so close to having cloudstack do exactly what I want. It is 95% perfect for us. I just need to figure out this other 5%.

Thanks,

Matthew Smart
Smart Software Solutions Inc.

On 08/03/2016 12:48 AM, ilya wrote:
VR VPN + LDAP access
Re: VR VPN + LDAP access
Abhi,

What we want is to add LDAP support to openswan (ppp plugin maybe?) on the VR so that users can be authenticated and authorized via our ldap server. I have been digging through the code and familiarizing myself with it. Should I move this conversation to the dev list before I get into the use case I am working on?

Thanks,

Matthew Smart
Smart Software Solutions Inc.

On 08/05/2016 04:17 AM, Abhinandan Prateek wrote:

Hi Matthew,

What is the use case to add ldap (server?) to the VR? The system vms are stateless and any support needs to be built into the system vm template which, as you rightly pointed out, is debian based. The way to get started on this is to first familiarise yourself with the process of building system vm templates (in tools/appliance). And the next step will be to figure out how you can send configuration information from the management server to a VR. (You can check how firewall rules are configured etc.)

-abhi

abhinandan.prat...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS, UK
@shapeblue

On 04/08/16, 11:36 PM, "Matthew Smart" wrote:
Basic VPN not working.
Hey guys,

I decided I should make sure I can properly configure the remote access vpn in its current state before I try to modify it for my uses. Unfortunately, I cannot seem to get it to work using the instructions on the website.

I activated the VPN from the web UI and added a user account. These steps succeeded and I am not seeing any errors in the management or agent logs. I configured the VPN client (Mac OS X) but when I connect it errors saying "L2TP-VPN server did not respond."

If I enable ICMP in the firewall I can ping the IP associated with the router from the client machine. If I console into the VRouter and run lsof -i I can see that xl2tpd is listening on l2f (1701). I have tried running nc -u VROUTERIP 1701 from the client to manually test if the router is listening on port 1701 but the command never finishes. I thought this was odd because I expect that if xl2tpd was not listening on 1701 then nc would fail. The way it blocks reminds me of a firewall drop. But the firewall configuration for the VROUTERIP is showing 1701, 4500, and 500 UDP allowed from 0.0.0.0/0 both in the web UI and via iptables -L -n.

Not sure this is relevant but I did notice that if I tail /var/log/syslog on the VRouter there are the following lines close to the bottom:

Nov 9 11:20:13 systemvm xl2tpd[11917]: setsockopt recvref[30]: Protocol not available
Nov 9 11:20:13 systemvm xl2tpd[11917]: This binary does not support kernel L2TP.
Nov 9 11:20:13 systemvm xl2tpd[11918]: xl2tpd version xl2tpd-1.3.1 started on systemvm PID:11918
Nov 9 11:20:13 systemvm xl2tpd[11918]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Nov 9 11:20:13 systemvm xl2tpd[11918]: Forked by Scott Balmos and David Stipp, (C) 2001
Nov 9 11:20:13 systemvm xl2tpd[11918]: Inherited by Jeff McAdams, (C) 2002
Nov 9 11:20:13 systemvm xl2tpd[11918]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Nov 9 11:20:13 systemvm xl2tpd[11918]: Listening on IP address 0.0.0.0, port 1701
Nov 9 11:20:42 systemvm /usr/sbin/irqbalance: Balancing is ineffective on systems with a single cache domain. Shutting down
Nov 9 11:20:59 systemvm KVP: KVP starting; pid is:18270
Nov 9 11:21:36 systemvm shutdown[21010]: shutting down for system halt
Nov 9 11:21:36 systemvm init: Switching to runlevel: 0
Nov 9 11:21:37 systemvm KVP: KVP starting; pid is:21036
Nov 9 11:21:37 systemvm KVP: recvfrom failed; pid:21036 error:2 No such file or directory
Nov 9 11:21:37 systemvm init: Re-reading inittab
Nov 9 11:21:37 systemvm conntrack-tools[11432]: shutdown received
Nov 9 11:21:39 systemvm dnsmasq[11500]: exiting on receipt of SIGTERM
Nov 9 11:21:39 systemvm acpid: exiting
Nov 9 11:21:39 systemvm xl2tpd[11918]: death_handler: Fatal signal 15 received
Nov 9 11:21:39 systemvm ntpd[1732]: ntpd exiting on signal 15

Any thoughts on this or ideas for how I can troubleshoot the issue?

--
Matthew Smart
Smart Software Solutions Inc.
Re: Basic VPN not working.
Also, if I run tcpdump -i eth2 udp port 1701 on the router and try to connect or try nc I see no packets on the router.

Matthew Smart
Smart Software Solutions Inc.

On 08/10/2016 12:29 PM, Matthew Smart wrote:
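A small reader for the VR syslog excerpt in this thread, as an added example that is not code from the post or from CloudStack: it tracks each xl2tpd process (kernel-L2TP check, listening socket, termination) and the system halt, so one can see from a log excerpt whether an L2TP listener is actually alive before testing from the client. The sample lines are copied from the post; the field names and findings wording are this example's own.

```python
"""Summarise xl2tpd lifecycle events from a VR /var/log/syslog excerpt.

Added example for the thread above; not code from the post or from
CloudStack. SAMPLE_LOG is copied from the post (one xl2tpd start, then a
system halt); the state-dict fields and findings text are this example's own.
"""
import re

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+([^\[:\s]+)(?:\[(\d+)\])?:\s+(.*)$")
LISTEN = re.compile(r"Listening on IP address (\S+), port (\d+)")

SAMPLE_LOG = """\
Nov 9 11:20:13 systemvm xl2tpd[11917]: setsockopt recvref[30]: Protocol not available
Nov 9 11:20:13 systemvm xl2tpd[11917]: This binary does not support kernel L2TP.
Nov 9 11:20:13 systemvm xl2tpd[11918]: xl2tpd version xl2tpd-1.3.1 started on systemvm PID:11918
Nov 9 11:20:13 systemvm xl2tpd[11918]: Listening on IP address 0.0.0.0, port 1701
Nov 9 11:20:42 systemvm /usr/sbin/irqbalance: Balancing is ineffective on systems with a single cache domain. Shutting down
Nov 9 11:21:36 systemvm shutdown[21010]: shutting down for system halt
Nov 9 11:21:36 systemvm init: Switching to runlevel: 0
Nov 9 11:21:39 systemvm dnsmasq[11500]: exiting on receipt of SIGTERM
Nov 9 11:21:39 systemvm xl2tpd[11918]: death_handler: Fatal signal 15 received
Nov 9 11:21:39 systemvm ntpd[1732]: ntpd exiting on signal 15
""".splitlines()


def parse_xl2tpd(lines):
    """Return (daemons, halt_time). daemons maps xl2tpd pid -> state dict."""
    daemons = {}
    halt = None
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, _host, prog, pid, msg = m.groups()
        if prog == "shutdown" and "system halt" in msg:
            halt = ts
            continue
        if prog != "xl2tpd":
            continue
        state = daemons.setdefault(
            pid, {"started": None, "kernel_l2tp": None, "listen": None, "died": None})
        listen = LISTEN.search(msg)
        if "started on" in msg:
            state["started"] = ts
        elif "does not support kernel L2TP" in msg:
            state["kernel_l2tp"] = False  # informational: userspace L2TP mode
        elif listen:
            state["listen"] = (listen.group(1), listen.group(2))
        elif msg.startswith("death_handler:"):
            state["died"] = msg.split(": ", 1)[1]
    return daemons, halt


def live_listeners(lines):
    """Pids that opened a listening socket and were not terminated within the excerpt."""
    daemons, _ = parse_xl2tpd(lines)
    return [pid for pid, s in daemons.items() if s["listen"] and not s["died"]]


def assess(lines):
    """Human-readable findings for the excerpt."""
    daemons, halt = parse_xl2tpd(lines)
    findings = []
    for pid, s in sorted(daemons.items()):
        if s["kernel_l2tp"] is False:
            findings.append(f"pid {pid}: built without kernel L2TP, running userspace L2TP")
        if s["listen"]:
            findings.append(f"pid {pid}: listening on {s['listen'][0]}:{s['listen'][1]}")
        if s["died"]:
            during = f" during system halt at {halt}" if halt else ""
            findings.append(f"pid {pid}: terminated ({s['died']}){during}")
    if not live_listeners(lines):
        findings.append("no xl2tpd listener alive at end of excerpt; the router was going "
                        "down, so confirm the listener on the current boot before "
                        "testing UDP/1701 from the client")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG):
        print(finding)
```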
Re: Incorrect details for private Nic
Did this error end up in a bug report in Jira? I have just run into the exact same issue testing an advanced network where public, private, and guest networks are assigned the same bridge. I am going to reload my test nodes tomorrow to make sure it is not the result of something left over from previous tests but the fact that the exact errors are being logged by another user is not encouraging.

Matthew Smart
Smart Software Solutions Inc.

On 08/29/2016 10:39 PM, Simon Weller wrote:

Sorry, I wasn't clear... I meant change your interfaces by removing the vlans so the bridges show just the interface name.

Simon Weller/ENA
(615) 312-6068

-----Original Message-----
From: John Cenile [jcenile1...@gmail.com]
Received: Monday, 29 Aug 2016, 8:32PM
To: users@cloudstack.apache.org [users@cloudstack.apache.org]
Subject: Re: Incorrect details for private Nic

Unfortunately that didn't fix it either, it looks like they just change straight back to "cloudbr0":

[root@node1 ~]# tail -n 3 /etc/cloudstack/agent/agent.properties
private.network.device=eth0
public.network.device=eth0
guest.network.device=eth0

2016-08-30 12:28:50,924 INFO [cloud.agent.Agent] (main:null) (logid:) id is
2016-08-30 12:28:50,924 DEBUG [cloud.resource.ServerResourceBase] (main:null) (logid:) Retrieving network interface: cloudbr0
2016-08-30 12:28:50,932 DEBUG [cloud.resource.ServerResourceBase] (main:null) (logid:) Retrieving network interface: cloudbr0
2016-08-30 12:28:50,932 DEBUG [cloud.resource.ServerResourceBase] (main:null) (logid:) Retrieving network interface: null
2016-08-30 12:28:50,932 DEBUG [cloud.resource.ServerResourceBase] (main:null) (logid:) Retrieving network interface: null
2016-08-30 12:28:50,935 WARN [cloud.resource.ServerResourceBase] (main:null) (logid:) Incorrect details for private Nic during initialization of ServerResourceBase
2016-08-30 12:28:50,935 ERROR [cloud.agent.AgentShell] (main:null) (logid:) Unable to start agent: Unable to configure LibvirtComputingResource

[root@node1 ~]# service cloudstack-agent status
cloudstack-agent dead but subsys locked

Thanks for your help so far, do you have any other suggestions? The next thing I was going to try was downgrading to 4.8 and trying that version.

On 30 August 2016 at 00:40, Simon Weller wrote:

I'd suspect changing the sub ints to native ports will fix this as well. That might be a better approach so you don't have to mess with the traffic labels. Traveling today, so if my responses are a bit slow, it's because I'm on a plane.

Simon Weller/ENA
(615) 312-6068

-----Original Message-----
From: John Cenile [jcenile1...@gmail.com]
Received: Monday, 29 Aug 2016, 10:08AM
To: users@cloudstack.apache.org [users@cloudstack.apache.org]
Subject: Re: Incorrect details for private Nic

I just tried this, unfortunately that didn't solve it. I was under the impression that the master replaced the interface names in that file with cloudbr0 / cloudbr1? When I check the file again, those interface names are back. Here are the logs (notice on the second attempt, the interface names changed back):

[root@node1 ~]# tail -f /var/log/cloudstack/agent/agent.log
2016-08-30 00:06:34,789 DEBUG [cloud.agent.AgentShell] (main:null) (logid:) Checking to see if agent.pid exists.
2016-08-30 00:06:34,798 DEBUG [cloud.utils.ProcessUtil] (main:null) (logid:) Executing: bash -c echo $PPID
2016-08-30 00:06:34,803 DEBUG [cloud.utils.ProcessUtil] (main:null) (logid:) Execution is successful.
2016-08-30 00:06:34,853 INFO [cloud.agent.Agent] (main:null) (logid:) id is
2016-08-30 00:06:34,853 DEBUG [cloud.resource.ServerResourceBase] (main:null) (logid:) Retrieving network interface: eth0.200
2016-08-30 00:06:34,856 DEBUG [cloud.resource.ServerResourceBase] (main:null) (logid:) Retrieving network interface: eth0.200
2016-08-30 00:06:34,856 DEBUG [cloud.resource.ServerResourceBase] (main:null) (logid:) Retrieving network interface: null
2016-08-30 00:06:34,856 DEBUG [cloud.resource.ServerResourceBase] (main:null) (logid:) Retrieving network interface: null
2016-08-30 00:06:34,859 WARN [cloud.resource.ServerResourceBase] (main:null) (logid:) Incorrect details for private Nic during initialization of ServerResourceBase
2016-08-30 00:06:34,859 ERROR [cloud.agent.AgentShell] (main:null) (logid:) Unable to start agent: Unable to configure LibvirtComputingResource
2016-08-30 00:07:29,905 INFO [cloud.agent.AgentShell] (main:null) (logid:) Agent started
2016-08-30 00:07:29,907 INFO [cloud.agent.AgentShell] (main:null) (logid:) Implementation Version is 4.9.0
2016-08-30 00:07:29,909 INFO [cloud.agent.AgentShell] (main:null) (logid:) agent.properties found at /etc/cloudstack/agent/agent.properties
2016-08-30 00:07:29,914 DEBUG [cloud.agent.AgentShell] (main:null) (logid:) Found property: guest.network.device
2016-08-30 00:07:29,
Re: Incorrect details for private Nic
I found the problem that was causing the issue. I access the cloudstack servers via a network that I want to be completely separate and unknown to the cloudstack deployment. I am using one server as both management and agent in this test. So my nic setup looks like this:

* bond0 : an untagged bonded interface tied to cloudbr0
* bond0.3 : tagged interface for vlan 3 with static ip 192.168.1.108
* cloudbr0 : ethernet bridge to the untagged bond0

When I try to add the host it fails giving an error "Unable to configure LibvirtComputingResource" and complaining about the private nic being incorrect. When I look in agent.properties I noticed that the host value automatically gets set to 192.168.1.108, which is not routable on cloudbr0. If I manually set it to the proper host ip and then run cloudstack-setup-agent from a terminal, the host is added properly and works.

Matthew Smart
President
Smart Software Solutions Inc.
108 S Pierre St.
Pierre, SD 57501
Phone: (605) 280-0383
Skype: msmart13
Email: msm...@smartsoftwareinc.com
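A pre-flight check for the mismatch described in this thread (the `host` address that cloudstack-setup-agent writes into agent.properties is not reachable through the bridge named in `private.network.device`), written for this page as an added example and not CloudStack's own code. The agent.properties contents and the interface-to-subnet table, including the 10.10.0.21/24 address assumed for cloudbr0, are constructed.

```python
import ipaddress

# Constructed agent.properties mirroring the thread: the management server
# address was picked from the out-of-band VLAN (bond0.3), not from cloudbr0.
SAMPLE_AGENT_PROPERTIES = """\
host=192.168.1.108
private.network.device=cloudbr0
public.network.device=cloudbr0
guest.network.device=cloudbr0
"""

# Constructed addressing for the hypervisor: interface -> configured CIDRs.
# bond0.3 is the separate management-access VLAN; cloudbr0 is the untagged bridge.
SAMPLE_INTERFACES = {
    "bond0.3": ["192.168.1.108/24"],
    "cloudbr0": ["10.10.0.21/24"],  # assumed address, not from the thread
}


def parse_properties(text):
    """Parse key=value lines; '#' and '!' begin comments in Java properties files."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_host_reachability(props, interfaces):
    """Return (ok, message).

    `host` is the management-server address the agent connects to. This check
    requires it to sit in a subnet configured on the private traffic device;
    that is a heuristic (a routed path would also work) but it catches exactly
    the case from the thread, where the address lives on another VLAN.
    """
    host = props.get("host")
    dev = props.get("private.network.device")
    if not host or not dev:
        return False, "host or private.network.device missing from agent.properties"
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        return True, f"host={host} is a hostname; resolve it and re-run the check"
    if dev not in interfaces:
        return False, f"{dev} is not a configured interface on this host"
    for cidr in interfaces[dev]:
        if host_ip in ipaddress.ip_interface(cidr).network:
            return True, f"host={host} is reachable on {dev} ({cidr})"
    # Name the interface that actually carries the address, to explain the failure.
    elsewhere = [name for name, cidrs in interfaces.items()
                 if any(host_ip in ipaddress.ip_interface(c).network for c in cidrs)]
    hint = f"; it is on {', '.join(elsewhere)}" if elsewhere else ""
    return False, (f"host={host} is not reachable via {dev}{hint}; set host= to the "
                   f"management server address on {dev}'s subnet and re-run cloudstack-setup-agent")
```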
Permission Denied when trying to add nictovirtualmachine as Domain Admin
nvocation.java:175)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
at com.sun.proxy.$Proxy128.addNicToVirtualMachine(Unknown Source)
at org.apache.cloudstack.api.command.user.vm.AddNicToVMCmd.execute(AddNicToVMCmd.java:173)
at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:163)
at com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:106)
at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:620)
at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:48)
at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:55)
at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:102)
at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:52)
at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:45)
at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:568)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
2022-08-31 18:27:58,902 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-2:ctx-90af3c61 job-25273) (logid:85620fa4) Complete async job-25273, jobStatus: FAILED, resultCode: 530, result: org.apache.cloudstack.api.response.ExceptionResponse/null/{"uuidList":[],"errorcode":"530","errortext":"Unable to use network with id= 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission denied"}

--
Matthew Smart
President
Smart Software Solutions Inc.
108 S Pierre St.
Pierre, SD 57501
Phone: (605) 280-0383
Skype: msmart13
Email: msm...@smartsoftwareinc.com
Re: Permission Denied when trying to add nictovirtualmachine as Domain Admin
Abhishek,

Thanks for the quick reply. It appears that permissions have changed in later releases. As of May of this year, logged in as the domain admin, I could add nics from any network to any vm regardless of the account ownership variables. Now I cannot seem to add any nic to any vm as admin, even ones where the network and vm are both owned by the admin account. Clearly, time to read the docs again and set permissions appropriately. I am traveling the next week or so but will report back if replicating the examples you show below is not working for me.

Much Obliged,
Matthew Smart
President
Smart Software Solutions Inc.
108 S Pierre St.
Pierre, SD 57501
Phone: (605) 280-0383
Skype: msmart13
Email: msm...@smartsoftwareinc.com

On 9/1/22 02:23, Abhishek Kumar wrote:
Hi Matthew,

In your case does the user to which VM belongs have the access to the network you are trying to add to the VM? I tried it in a test env and it works fine when the user has access to the network (eg, the user owns the network). But it would fail when the user doesn't have the access to the network. Below is an example. First I tried to add a user owned network using domain admin. It worked. Then I tried adding a domain-admin owned network to the VM. It failed. But same operation worked when I added proper network permissions.
(sblab) 🐌 > list networks id=4caccd89-9479-4c57-bef2-b8bdd3a99229
{
  "count": 1,
  "network": [
    {
      "account": "ACSUser",
      "acltype": "Account",
      "broadcastdomaintype": "Vlan",
      "canusefordeploy": true,
      "cidr": "10.1.1.0/24",
      "created": "2022-09-01T06:55:10+",
      "displaytext": "user-iso1",
      "dns1": "10.0.32.1",
      "dns2": "8.8.8.8",
      "domain": "ROOT",
      "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
      "egressdefaultpolicy": false,
      "gateway": "10.1.1.1",
      "hasannotations": false,
      "id": "4caccd89-9479-4c57-bef2-b8bdd3a99229",
      "ispersistent": false,
      "issystem": false,
      "name": "user-iso1",
      "netmask": "255.255.255.0",
      "networkdomain": "cs4cloud.internal",
      "networkofferingavailability": "Required",
      "networkofferingconservemode": true,
      ...
}

(sblab) 🐘 > list networks id=54b35a12-0947-4897-ab3b-10059c3e1398
{
  "count": 1,
  "network": [
    {
      "account": "ACSUser",
      "acltype": "Account",
      "broadcastdomaintype": "Vlan",
      "canusefordeploy": true,
      "created": "2022-09-01T06:55:37+",
      "displaytext": "user-l2",
      "dns1": "10.0.32.1",
      "dns2": "8.8.8.8",
      "domain": "ROOT",
      "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
      "hasannotations": false,
      "id": "54b35a12-0947-4897-ab3b-10059c3e1398",
      "ispersistent": false,
      "issystem": false,
      "name": "user-l2",
      "networkofferingavailability": "Optional",
      "networkofferingconservemode": true,
      "networkofferingdisplaytext": "Offering for L2 networks",
      "networkofferingid": "c872ab72-5849-4bb5-8cd9-0fa346c895ab",
      "networkofferingname": "DefaultL2NetworkOffering",
      "physicalnetworkid": "e7721ec6-797d-4c45-a790-65cb0a333501",
      "receivedbytes": 0,
      "redundantrouter": false,
      "related": "54b35a12-0947-4897-ab3b-10059c3e1398",
      "restartrequired": false,
      "sentbytes": 0,
      "service": [],
      "specifyipranges": false,
      "state": "Implemented",
      "strechedl2subnet": false,
      "tags": [],
      "traffictype": "Guest",
      "type": "L2",
      "zoneid": "fce252b8-5075-4077-80c0-4f027fea354d",
      "zonename": "ref-trl-3557-v-M7-abhishek-kumar"
    }
  ]
}

(sblab) 🐷 > deploy virtualmachine zoneid=fce252b8-5075-4077-80c0-4f027fea354d serviceofferingid=3ed0124f-7064-4680-82da-80204d3a3ddb templateid=feb21788-29be-4fb0-8618-ec0f50921838 networkids=4caccd89-9479-4c57-bef2-b8bdd3a99229
{
  "virtualmachine": {
    "
Re: Permission Denied when trying to add nictovirtualmachine as ROOT Admin
I have been traveling and just got a chance to return to this issue. Again, I want to allow the Root Admin account to add nics from different networks to any virtual machine.

'Create network permissions' from the API to try to add the ROOT Admin account to a network's permissions fails because it says that the ROOT Admin is not a member of the domain. That account is a member of the ROOT domain and all other domains are listed hierarchically beneath ROOT (e.g. ROOT/dev, ROOT/prod, etc.) fwiw.

I don't want to further complicate my automation by creating and keeping track of an individual Domain Admin account for each of my domains. I have found a workaround I can live with by just creating the requisite row in the network_permissions table in the db for the ROOT Admin account for each network.

Is there a pressing reason why the ROOT Admin should have rights to do pretty much everything else but not add nics to vms on different networks? Does the roadmap call for a further curtailing of ROOT Admin permissions? If not, would giving ROOT admin implicit network permissions be a feature that could be requested?

Thanks,
Matthew Smart
President
Smart Software Solutions Inc.
108 S Pierre St.
Pierre, SD 57501
Phone: (605) 280-0383
Skype: msmart13
Email: msm...@smartsoftwareinc.com