andrijapanic commented on issue #13: Update Quick Installation Guide
URL: https://github.com/apache/cloudstack-documentation/pull/13#issuecomment-432659098

Hi Alex,

Let me begin :)

First, thanks for the update. I have followed the updated tutorial "blindly" (while still doing sanity checks and frequent reboots...) and I find it very straightforward, so big thanks for the update!

I do have a couple of small fixes / missing points, so can you please fix them - but I would also wait for @rhtyd to give his feedback.

## Line break for eth0 / enp3s0 config

The next section seems printed on one line, instead of multiple lines (at least while viewing the file on GitHub):

```
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV6INIT=no
NAME=enp5s0
UUID=26f024e6-1113-416e-b319-58ebec347886
DEVICE=enp3s0
ONBOOT=yes
BRIDGE=cloudbr0
```

Furthermore, the UUID defined in the "eth0"-equivalent interface is not needed and the bare minimum is enough, as follows (ifcfg-eth0, or another name which you assume in the tutorial, enp3s0 - there is a typo above also!):

```
# bare-minimum slave interface; the IP address lives on the cloudbr0 bridge
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV6INIT=no
NAME=eth0
DEVICE=eth0
ONBOOT=yes
BRIDGE=cloudbr0
```

If you choose to accept the changes above, then also remove the following sentence:

```
You should not use the Hardware Address (aka the MAC address, or UUID) from our example for your configuration. It is network interface specific, so you should keep the address already provided in the UUID directive...
```

## Firewall script issues - many, many issues here, read carefully please!

In general I don't like this whole firewall section, because it caused tons of problems for me when following this modified guide during the test setup (last 3 h):

- ssvm/cpvm agents could not connect to the mgmt server - so the whole zone was broken
- the ssmv.sh script reports a bad IP address for the Secondary Storage - since the agent didn't run and no additional configuration was done inside the SSVM
- since the SSVM was not functional, the Dashboard showed ZERO capacity for Secondary Storage..
- I could not access the UI on 8080 from my laptop over VPN
- etc.

@rhtyd I propose, for the simple purpose of the Quick Installation Guide, to either COMPLETELY DISABLE THE FIREWALL! (we anyway "disable" selinux, we don't set it up "properly"...) or at least drop/remove the "DENY" rules/lines and add more "allow" lines/ports, because I could not access the UI from a remote laptop (over VPN, etc.); also the SSVM/CPVM could not connect to 8250 on the mgmt server, since this is not covered in the firewall configuration, etc.

So either disable the firewall completely (the "cloudstack-setup-management" command seems to have done this for me, until I rebooted the host...) or at least make the following changes to the firewalldnfs.sh script:

* replace CIDR "204.168.1.0/24" with the one from the tutorial, "172.16.10.0/24" (@AlexBeez this is a copy/paste leftover, I assume)
* Remove both "deny" lines from their current places (50, 60); they are duplicated and also have to come after all ACCEPT rules
* Add lines that will enable remote access to 53 (CPVM DNS resolution), 8080 (UI access), 8250 (CPVM/SSVM to mgmt), 3306 (for the sake of DB management), 80 (FORWARD chain, for CPVM access), 5900-6100 (VNC, for CPVM) - and some of these have source set to 0.0.0.0/0 (common sense)

So the final script, with the modifications from above, looks as follows (and yet, we have not covered ports for VM live migration etc..):
```
#!/bin/bash
# firewalldnfs.sh as proposed above. firewalld direct rules are inserted in
# ascending priority order, so the catch-all REJECT must carry the highest number.

# stateful basics, ICMP, loopback and SSH
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 10 -m state --state ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 20 -p icmp -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 30 -i lo -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 40 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# NFS from the management network only: rpcbind (111), nfsd (2049), lockd (32803/32769),
# mountd (892), rquotad (875), statd (662) - the fixed ports from /etc/sysconfig/nfs
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 70 -s 172.16.10.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 80 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 90 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 100 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 110 -s 172.16.10.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 120 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 130 -s 172.16.10.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 140 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 150 -s 172.16.10.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 160 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 170 -s 172.16.10.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT

# MySQL from the management network
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 180 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT

# CloudStack UI/API from anywhere; CPVM HTTP and DNS go through the FORWARD chain
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 190 -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 8080 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD_direct 191 -s 0.0.0.0/0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD_direct 192 -s 172.16.10.0/24 -m state --state NEW -p udp --dport 53 -j ACCEPT

# VNC console ports for the CPVM, and the agent-to-management port
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 193 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 5900:6100 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 194 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 8250 -j ACCEPT

# catch-all reject, placed after every ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 300 -j REJECT --reject-with icmp-host-prohibited

# make changes permanent and reload
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
```

Or, again, as mentioned above - just disable the firewall altogether, since it will cause more problems for new users (no real benefit, since nobody is building a production environment following the Quick Installation Guide)... and I'm NOT sure what other ports have been blocked - the above are just the ones that I tested and saw issues with - because even without an explicit DENY rule in the script above, there is a default DROP rule in the INPUT chain in CentOS 7 (though the chain policy is set to ACCEPT). So again... this will kill the user experience due to different problems... I *strongly* suggest we give this a thought (disable the firewall completely).

After all the firewall fixes above, I could deploy a Basic Zone as per the tutorial just fine, deploy a VM from the default CentOS 5.5 template, verify connectivity in different areas, etc...
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: us...@infra.apache.org

With regards,
Apache Git Services
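As an added example, not part of the comment above and not code from the CloudStack project: a small shell lint for the two problems the comment raises against the firewall script, a REJECT/DROP direct rule numbered lower than (and therefore evaluated before) the ACCEPT rules it is supposed to follow, and required ports with no ACCEPT rule at all. It parses the line format that `firewall-cmd --direct --get-all-rules` prints (ipv, table, chain, priority, then the iptables arguments); the two rule sets embedded below are constructed here to mirror the original script's ordering mistake and the corrected ordering, and the port list is the one the comment found necessary.

```shell
#!/bin/bash
# Added example (not from the PR or the CloudStack docs): lint a set of
# firewalld --direct rules. Input lines use the format printed by
# `firewall-cmd --direct --get-all-rules`:
#   <ipv> <table> <chain> <priority> <iptables args...>
# firewalld inserts direct rules in ascending priority order, so a REJECT/DROP
# with a lower number than an ACCEPT in the same chain shadows that ACCEPT.

# Constructed sample mirroring the original script's mistake: the catch-all
# REJECT sits at priority 50, ahead of the NFS and MySQL ACCEPTs.
BAD_RULES='ipv4 filter INPUT_direct 10 -m state --state ESTABLISHED,RELATED -j ACCEPT
ipv4 filter INPUT_direct 20 -p icmp -j ACCEPT
ipv4 filter INPUT_direct 30 -i lo -j ACCEPT
ipv4 filter INPUT_direct 40 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
ipv4 filter INPUT_direct 50 -j REJECT --reject-with icmp-host-prohibited
ipv4 filter INPUT_direct 70 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
ipv4 filter INPUT_direct 180 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT'

# Constructed sample with the REJECT moved to the end (priority 300) and 8250 opened.
GOOD_RULES='ipv4 filter INPUT_direct 10 -m state --state ESTABLISHED,RELATED -j ACCEPT
ipv4 filter INPUT_direct 40 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
ipv4 filter INPUT_direct 70 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
ipv4 filter INPUT_direct 180 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
ipv4 filter INPUT_direct 194 -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 8250 -j ACCEPT
ipv4 filter INPUT_direct 300 -j REJECT --reject-with icmp-host-prohibited'

# shadowed_accepts RULES
# Prints one line per ACCEPT rule that a lower-numbered REJECT/DROP in the same
# chain makes unreachable; exits 1 if there is any, 0 otherwise.
shadowed_accepts() {
    printf '%s\n' "$1" | awk '
    {
        chain = $3; prio = $4 + 0; target = ""; port = "-"
        for (i = 5; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        if (target == "REJECT" || target == "DROP") {
            if (!(chain in deny) || prio < deny[chain]) deny[chain] = prio
        } else if (target == "ACCEPT") {
            n++; a_chain[n] = chain; a_prio[n] = prio; a_port[n] = port
        }
    }
    END {
        bad = 0
        for (k = 1; k <= n; k++) {
            c = a_chain[k]
            if ((c in deny) && a_prio[k] > deny[c]) {
                printf "%s priority %d (dport %s) shadowed by deny at priority %d\n", c, a_prio[k], a_port[k], deny[c]
                bad = 1
            }
        }
        exit bad
    }'
}

# missing_ports RULES "PORT PORT ..."
# Prints each listed --dport value that no ACCEPT rule opens (literal match, so
# a range such as 5900:6100 must be listed as written); exits 1 if any is missing.
missing_ports() {
    printf '%s\n' "$1" | awk -v want="$2" '
    BEGIN { n = split(want, w, " ") }
    {
        target = ""; port = ""
        for (i = 5; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        if (target == "ACCEPT" && port != "") open[port] = 1
    }
    END {
        bad = 0
        for (k = 1; k <= n; k++) if (!(w[k] in open)) { print w[k]; bad = 1 }
        exit bad
    }'
}

# Ports the comment above found necessary on the Quick Installation Guide host.
NEEDED_PORTS="22 111 2049 3306 8080 8250 5900:6100"

# Usage against a live host (assumed invocation, run as root):
#   rules=$(firewall-cmd --direct --get-all-rules)
#   shadowed_accepts "$rules"
#   missing_ports "$rules" "$NEEDED_PORTS"
```

Running `shadowed_accepts` on the first sample reports the 2049 and 3306 ACCEPTs as shadowed by the priority-50 REJECT and exits non-zero; on the second sample it prints nothing. `missing_ports` on the second sample against NEEDED_PORTS still flags 111, 8080 and 5900:6100, which is the kind of gap the comment describes finding only by trial and error after a reboot.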