It is disabled in sysctl.conf, not sure how it gets re-enabled. See patches/systemvm/debian/config/etc/init.d/cloud-early-config (function disable_rpfilter). Perhaps it is interface-specific rather than "all".
On 10/4/12 2:39 PM, "John Burwell" <jburw...@basho.com> wrote:

>Ahmad,
>
>You were correct on the rp_filter issue. Once disabled, the SSVM was
>able to connect outbound to S3, as well as any host reachable from
>devcloud. I noticed that rp_filter is disabled in sysctl.conf yet it is
>somehow being enabled at runtime. Is this behavior intended?
>
>Thanks,
>-John
>
>On Oct 4, 2012, at 1:07 PM, Ahmad Emneina <ahmad.emne...@citrix.com>
>wrote:
>
>> On 10/4/12 9:16 AM, "John Burwell" <jburw...@basho.com> wrote:
>>
>>> Kelcey,
>>>
>>> I am a bit confused about how secstorage.allowed.internal.sites is used,
>>> which stems from a lack of knowledge regarding the devcloud network
>>> configuration. Also, is there documentation available for setting up
>>> such a NAT?
>>>
>>> As a point of clarification to my original question, I am working in the
>>> devcloud environment (using the OVA downloaded from the wiki) where I
>>> need to get the SSVM to connect to S3 or to a local VirtualBox VM running
>>> an S3-compatible object store. Thus far, I have been unable to get
>>> devcloud to bring up a second NIC on a host-only network. I have
>>> attempted to set up an advanced network configuration as follows:
>>>
>>> Physical Network with VLAN isolation method
>>> Management Server: 10.0.2.15 -> Gateway: 10.0.2.2
>>> Storage Network: 10.0.2.50-10.0.2.59 -> Gateway 10.0.2.2 on VLAN0
>>> Management Network: 10.0.2.200-10.0.2.220 -> Gateway 10.0.2.2
>>> Public Network: 10.0.2.100-10.0.2.199 -> VLAN0
>>
>> The issue that gets created here is you get system vm's that are
>> multi-homed. Your system vm's get a nic (leg) on each network... But that
>> network is one and the same. Why this is an issue is rp_filter is enabled
>> by default on the system vm's: a message comes in on one of those nics, but
>> its default route out is another nic... Thus blocking the response.
>>
>> Ideally you'd use a basic zone for this kind of configuration, or else
>> you'll end up having to log into the system vm's every time a new one is
>> spawned and disabling rp_filter for the nics. You might want to test this
>> by logging in and disabling rp_filter on the nics and seeing if things start
>> working as expected.
>>
>>
>>>
>>> Obviously, my network configuration is incorrect, but I have reached
>>> the limits of my CloudStack and Xen knowledge to identify the problem(s).
>>>
>>> Given this information, what is the best way to give the SSVM access to
>>> the Internet and/or a VirtualBox host-only network?
>>>
>>> Thank you for your help,
>>> -John
>>>
>>> On Oct 3, 2012, at 10:39 PM, "Kelceydamage@bbits" <kel...@bbits.ca>
>>> wrote:
>>>
>>>> The secondary storage VM can be NATed to from any network router;
>>>> however, the console proxy does not work over NAT.
>>>>
>>>> Sent from my iPhone
>>>>
>>>> On Oct 3, 2012, at 7:32 PM, Edison Su <edison...@citrix.com> wrote:
>>>>
>>>>> System vm will have 4 nics: eth2 is on the public network, eth1 is the
>>>>> private (mgt) network.
>>>>> The IP address of eth2 comes from the pod configuration: one of the IP
>>>>> address ranges ["startip", "endip"] in the createPod API.
>>>>> The IP address of eth1 comes from the guest network; if it's basic
>>>>> network mode, this IP range is configured by the createVlanIpRanges API.
>>>>> SSVM will connect to the mgt server through eth1 (the mgt server's ip address
>>>>> is configured to route through eth1), and download templates from eth2.
>>>>> What's your specific issue about network configuration?
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: John Burwell [mailto:jburw...@basho.com]
>>>>>> Sent: Wednesday, October 03, 2012 7:11 PM
>>>>>> To: cloudstack-dev@incubator.apache.org
>>>>>> Subject: SSVM Network Configuration
>>>>>>
>>>>>> All,
>>>>>>
>>>>>> How do you configure networking to permit the SSVM to connect to the
>>>>>> public Internet or another internal network? I have been trying to
>>>>>> understand the network configuration from the documentation, but am
>>>>>> missing something in my configuration attempt.
>>>>>>
>>>>>> Thank you for your assistance,
>>>>>> -John
>>>
>>>
>>
>>
>> --
>> Æ
>>
>
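The thread above hinges on one kernel detail that explains both Ahmad's diagnosis and John's "disabled in sysctl.conf yet enabled at runtime" observation: Linux applies the larger of `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.<iface>.rp_filter` to each interface, so turning off `all` does nothing for a NIC whose own value (inherited from `conf/default` when the NIC was created) is still 1. The script below is an added example, not the CloudStack project's `disable_rpfilter` function from cloud-early-config; it reports the effective rp_filter per interface and disables it on `all`, `default` and every existing NIC. The `/proc/sys/net/ipv4/conf` layout is the real one; the sample tree built by `make_sample_tree` is constructed here to stand in for a multi-homed system VM and is an assumption about such a VM's state, not something the thread shows.

```shell
#!/bin/sh
# Added example (not CloudStack code). rp_filter values: 0 = off,
# 1 = strict reverse-path check, 2 = loose. For each interface the kernel
# uses max(conf/all/rp_filter, conf/<iface>/rp_filter), so a multi-homed
# system VM that receives on eth1 but routes the reply out eth2 drops the
# reply whenever that max is 1.

# Effective rp_filter for one interface: the larger of the "all" value and
# the interface's own value.
effective_rp_filter() {
    all_val=$1
    if_val=$2
    if [ "$all_val" -gt "$if_val" ]; then
        echo "$all_val"
    else
        echo "$if_val"
    fi
}

# Print "<iface> <effective value>" for every interface under a sysctl conf
# tree. Defaults to the live /proc tree; a path argument lets it run against
# a copy (used below with the constructed sample tree).
report_rp_filter() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    all_val=$(cat "$conf/all/rp_filter")
    for dir in "$conf"/*; do
        ifname=$(basename "$dir")
        case "$ifname" in
            all|default) continue ;;   # pseudo-interfaces, not NICs
        esac
        eff=$(effective_rp_filter "$all_val" "$(cat "$dir/rp_filter")")
        echo "$ifname $eff"
    done
}

# Disable rp_filter on "all", on "default" (so NICs created later start at
# 0) and on every existing interface. Needs root against the live tree.
disable_rp_filter() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    for f in "$conf"/*/rp_filter; do
        echo 0 > "$f"
    done
}

# Constructed sample tree (assumption, not captured from a real SSVM):
# sysctl.conf has turned "all" off, but eth1 and eth2 still carry the
# per-interface value 1 they inherited from "default" at creation time.
make_sample_tree() {
    tmp=$(mktemp -d)
    for i in all default eth0 eth1 eth2; do
        mkdir -p "$tmp/$i"
        echo 1 > "$tmp/$i/rp_filter"
    done
    echo 0 > "$tmp/all/rp_filter"
    echo 0 > "$tmp/eth0/rp_filter"
    echo "$tmp"
}
```

On a system VM, `report_rp_filter` run as-is shows which NICs still filter even though `sysctl -a` reports `net.ipv4.conf.all.rp_filter = 0`; `disable_rp_filter` as root clears them, and writing `default` as well is what keeps a hot-plugged NIC from coming up filtered again. A `net.ipv4.conf.default.rp_filter = 0` line in sysctl.conf only helps if it is applied before the NICs are created, which is the ordering question the top of the thread is asking about.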