Version is 4.11.0.0

KVM Hypervisor

CentOS

On Fri, Mar 1, 2019 at 10:57 AM soundar rajan <bsoundara...@gmail.com>
wrote:

> Hi Jon,
>
> Thanks, that fixes the error, but I am still not able to ping the VM.
>
>
> 2019-03-01 10:46:23,246 - ipset -A i-2-40-VM-6 fe80::1c00:26ff:fe00:9d
> 2019-03-01 10:46:23,261 - ip6tables -A BF-cloudbr0-OUT -m physdev
> --physdev-is-bridged --physdev-out vnet2 -j i-2-40-def
> 2019-03-01 10:46:23,277 - ip6tables -A BF-cloudbr0-IN -m physdev
> --physdev-is-bridged --physdev-in vnet2 -j i-2-40-def
> 2019-03-01 10:46:23,293 - ip6tables -A i-2-40-def -m state --state
> RELATED,ESTABLISHED -j ACCEPT
> 2019-03-01 10:46:23,309 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-out vnet2 --src fe80::/64 --dst ff02::1 -p
> icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
> 2019-03-01 10:46:23,327 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 --dst ff02::2 -p icmpv6
> --icmpv6-type router-solicitation -m hl --hl-eq 255 -j RETURN
> 2019-03-01 10:46:23,344 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
> router-advertisement -j DROP
> 2019-03-01 10:46:23,361 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
> neighbor-solicitation -m hl --hl-eq 255 -j RETURN
> 2019-03-01 10:46:23,378 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type
> neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
> 2019-03-01 10:46:23,395 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
> neighbor-advertisement -m set --match-set i-2-40-VM-6 src -m hl --hl-eq 255
> -j RETURN
> 2019-03-01 10:46:23,412 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type
> neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
> 2019-03-01 10:46:23,430 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
> packet-too-big -m set --match-set i-2-40-VM-6 src -j RETURN
> 2019-03-01 10:46:23,447 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type
> packet-too-big -j ACCEPT
> 2019-03-01 10:46:23,464 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
> destination-unreachable -m set --match-set i-2-40-VM-6 src -j RETURN
> 2019-03-01 10:46:23,482 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type
> destination-unreachable -j ACCEPT
> 2019-03-01 10:46:23,499 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
> time-exceeded -m set --match-set i-2-40-VM-6 src -j RETURN
> 2019-03-01 10:46:23,516 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type
> time-exceeded -j ACCEPT
> 2019-03-01 10:46:23,533 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --icmpv6-type
> parameter-problem -m set --match-set i-2-40-VM-6 src -j RETURN
> 2019-03-01 10:46:23,551 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-out vnet2 -p icmpv6 --icmpv6-type
> parameter-problem -j ACCEPT
> 2019-03-01 10:46:23,568 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -p icmpv6 --dst ff02::16 -j RETURN
> 2019-03-01 10:46:23,585 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -p udp --sport 546 --dst ff02::1:2
> --src fe80::1c00:26ff:fe00:9d -j RETURN
> 2019-03-01 10:46:23,602 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-out vnet2 -p udp --src fe80::/64 --dport 546
> --dst fe80::1c00:26ff:fe00:9d -j ACCEPT
> 2019-03-01 10:46:23,620 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -p udp --sport 547 ! --dst
> fe80::/64 -j DROP
> 2019-03-01 10:46:23,637 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -p udp --dport 53 -m set
> --match-set i-2-40-VM-6 src -j RETURN
> 2019-03-01 10:46:23,655 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -p tcp --dport 53 -m set
> --match-set i-2-40-VM-6 src -j RETURN
> 2019-03-01 10:46:23,672 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -m set ! --match-set i-2-40-VM-6
> src -j DROP
> 2019-03-01 10:46:23,689 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-in vnet2 -m set --match-set i-2-40-VM-6 src
> -j i-2-40-VM-eg
> 2019-03-01 10:46:23,706 - ip6tables -A i-2-40-def -m physdev
> --physdev-is-bridged --physdev-out vnet2 -j i-2-40-VM
> 2019-03-01 10:46:23,723 - ip6tables -A i-2-40-VM -j DROP
> 2019-03-01 10:46:23,739 - Programmed default rules for vm i-2-40-VM
> 2019-03-01 10:46:24,255 - Executing command: add_network_rules
> 2019-03-01 10:46:24,259 -     programming network rules for IP:
> 172.20.109.167 vmname=i-2-40-VM
> 2019-03-01 10:46:24,260 - iptables -F i-2-40-VM
> 2019-03-01 10:46:24,273 - ip6tables -F i-2-40-VM
> 2019-03-01 10:46:24,287 - iptables -F i-2-40-VM-eg
> 2019-03-01 10:46:24,298 - ip6tables -F i-2-40-VM-eg
> 2019-03-01 10:46:24,312 - iptables -I i-2-40-VM -p tcp -m tcp --dport
> 0:12000 -m state --state NEW -s 0.0.0.0/24 -j ACCEPT
> 2019-03-01 10:46:24,325 - iptables -I i-2-40-VM-eg -p tcp -m tcp --dport
> 0:12000 -m state --state NEW -d 0.0.0.0/24 -j RETURN
> 2019-03-01 10:46:24,339 - iptables -A i-2-40-VM-eg -j DROP
> 2019-03-01 10:46:24,351 - ip6tables -A i-2-40-VM-eg -j RETURN
> 2019-03-01 10:46:24,364 - iptables -A i-2-40-VM -j DROP
> 2019-03-01 10:46:24,376 - ip6tables -A i-2-40-VM -j DROP
> 2019-03-01 10:46:24,389 - Writing log to /var/run/cloud/i-2-40-VM.log
> 2019-03-01 10:46:31,575 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:47:31,513 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:48:31,515 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:49:31,517 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:50:31,520 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:51:31,522 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:52:31,527 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:53:31,528 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:54:31,529 - Executing command: get_rule_logs_for_vms
> 2019-03-01 10:55:31,581 - Executing command: get_rule_logs_for_vms
> Regards
> Soundar
>
> On Fri, Mar 1, 2019 at 1:12 AM Jon Marshall <jms....@hotmail.co.uk> wrote:
>
>> Is this after you migrated the VM to another compute node?
>>
>> It looks suspiciously like the issue I saw, i.e. I was using advanced
>> networking with security groups and the security policy for the VM was not
>> migrated to the new compute node.
>>
>> There is a bug filed for it and a workaround -
>>
>> https://github.com/apache/cloudstack/issues/3088
>>
>> The fix is in the comments, but basically you need to edit this
>> file - "/usr/share/cloudstack-common/scripts/vm/network/security_group.py"
>>
>> and change line 490 from -
>>
>>  if ips[0] == "0":
>>
>> to -
>>
>> if len(ips) == 0 or ips[0] == "0":
>>
>> and that should fix it.
>>
>> This will be included in CS v4.11.3
>>
>> Jon
>>
>>
>> ________________________________
>> From: soundar rajan <bsoundara...@gmail.com>
>> Sent: 28 February 2019 13:52
>> To: d...@cloudstack.apache.org; users@cloudstack.apache.org
>> Subject: Not able to access the vm from outside network
>>
>> Hi,
>>
>> VM outbound is working fine. Inbound is not able to access from
>> outside network
>>
>> Error Log
>> 2019-02-28 18:12:25,112 - Failed to network rule !
>> Traceback (most recent call last):
>>   File
>> "/usr/share/cloudstack-common/scripts/vm/network/security_group.py",
>> line 995, in add_network_rules
>>     default_network_rules(vmName, vm_id, vm_ip, vm_ip6, vmMac, vif,
>> brname,
>> sec_ips)
>>   File
>> "/usr/share/cloudstack-common/scripts/vm/network/security_group.py",
>> line 490, in default_network_rules
>>     if ips[0] == "0":
>> IndexError: list index out of range
>> 2019-02-28 18:13:16,635 - Executing command: cleanup_rules
>> 2019-02-28 18:13:16,645 -  Vms on the host : ['i-2-40-VM', 'i-2-90-VM',
>> 'i-2-112-VM']
>> 2019-02-28 18:13:16,645 - iptables-save | grep -P '^:(?!.*-(def|eg))' |
>> awk
>> '{sub(/^:/, "", $1) ; print $1}' | sort | uniq
>> 2019-02-28 18:13:16,671 -  iptables chains in the host :['BF-cloudbr0',
>> 'BF-cloudbr0-IN', 'BF-cloudbr0-OUT', 'FORWARD', 'i-2-112-VM', 'i-2-40-VM',
>> 'i-2-90-VM', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING', '']
>> 2019-02-28 18:13:16,672 - grep -E '^ebtable_' /proc/modules | cut -f1 -d'
>> '
>> | sed s/ebtable_//
>> 2019-02-28 18:13:16,693 - ebtables -t nat -L | awk '/chain:/ {
>> gsub(/(^.*chain: |-(in|out|ips).*)/, ""); print $1}' | sort | uniq
>> 2019-02-28 18:13:16,716 - ebtables -t filter -L | awk '/chain:/ {
>> gsub(/(^.*chain: |-(in|out|ips).*)/, ""); print $1}' | sort | uniq
>> 2019-02-28 18:13:16,738 -  ebtables chains in the host: ['FORWARD,',
>> 'INPUT,', 'OUTPUT,', '']
>> 2019-02-28 18:13:16,739 - Cleaned up rules for 0 chains
>> 2019-02-28 18:13:23,959 - Executing command: get_rule_logs_for_vms
>>
>> It happens to a particular VM
>>
>> Please help..
>>
>
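
An added example (not part of the thread and not CloudStack code): replaying the IPv4 commands logged above for chain `i-2-40-VM` shows what that chain does with an inbound ping. The matcher is a simplification that evaluates only `-p`, `-s` and `--dport`, and the addresses `203.0.113.10` and `0.0.0.7` used with it are constructed test values.

```python
import ipaddress
import shlex

# IPv4 commands for the ingress chain, copied from the quoted log (timestamps dropped).
LOG = """\
iptables -F i-2-40-VM
iptables -I i-2-40-VM -p tcp -m tcp --dport 0:12000 -m state --state NEW -s 0.0.0.0/24 -j ACCEPT
iptables -A i-2-40-VM -j DROP
"""

def parse_chain(log, chain):
    """Replay -F / -I / -A for one chain; return rules in evaluation order."""
    rules = []
    for line in log.splitlines():
        tok = shlex.split(line)
        if (len(tok) < 3 or tok[0] != "iptables" or tok[2] != chain
                or tok[1] not in ("-F", "-I", "-A")):
            continue
        if tok[1] == "-F":          # flush: the chain starts empty again
            rules = []
            continue
        opts = tok[3:]
        def opt(flag, default=None):
            return opts[opts.index(flag) + 1] if flag in opts else default
        lo, _, hi = opt("--dport", "0:65535").partition(":")
        rule = {"proto": opt("-p"), "target": opt("-j"),
                "src": ipaddress.ip_network(opt("-s", "0.0.0.0/0")),
                "dports": range(int(lo), int(hi or lo) + 1)}
        pos = 0 if tok[1] == "-I" else len(rules)   # -I without index = top
        rules.insert(pos, rule)
    return rules

def verdict(rules, proto, src, dport=None):
    """First matching rule decides; the packet is assumed to be in state NEW."""
    for r in rules:
        if r["proto"] not in (None, proto):
            continue
        if ipaddress.ip_address(src) not in r["src"]:
            continue
        if r["proto"] in ("tcp", "udp") and dport not in r["dports"]:
            continue
        return r["target"]
    return None

def narrow_any_sources(rules):
    """ACCEPT rules whose source starts at 0.0.0.0 but is not 0.0.0.0/0."""
    any4 = ipaddress.ip_network("0.0.0.0/0")
    return [str(r["src"]) for r in rules if r["target"] == "ACCEPT"
            and r["src"] != any4 and int(r["src"].network_address) == 0]
```

For `rules = parse_chain(LOG, "i-2-40-VM")`, `verdict(rules, "icmp", "203.0.113.10")` returns `DROP` because the only ACCEPT rule is TCP-only, and `narrow_any_sources(rules)` flags `0.0.0.0/24`, which covers 0.0.0.0 to 0.0.0.255 rather than any source.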
