CloudPlatform 3.0.5 SSVM DNS doesn't work in Xenserver Bridge Mode


Hello,

I am running Cloudplatform 3.0.5 with Xenserver 6.0.2 and I've set up a zone with basic networking with security groups. In the install guide it states that you must switch Xenserver to bridged networking mode if you are using basic networking. However, when my Xenserver host is using bridge mode, my Secondary Storage VM cannot resolve any DNS, despite the fact that it can ping outside IPs. This makes Cloudplatform unable to download templates.

Is this normal behavior (which isn't documented)? If not, why would bridge mode stop the SSVM from being able to pull DNS records from nameservers, despite the SSVM being able to ping those nameservers?

I tried this several times and even destroyed the SSVM and rebooted the management server in between, and I always got the same results. Here's what I got after running the ssvm-check.sh script:

When Xenserver 6.0.2 HV is in bridge mode:

root@s-5-VM:~# /usr/local/cloud/systemvm/ssvm-check.sh
================================================
First DNS server is 204.8.176.71
PING 204.8.176.71 (204.8.176.71): 56 data bytes
64 bytes from 204.8.176.71: icmp_seq=0 ttl=64 time=3.451 ms
64 bytes from 204.8.176.71: icmp_seq=1 ttl=64 time=0.452 ms
--- 204.8.176.71 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.452/1.952/3.451/1.500 ms
Good: Can ping DNS server
================================================
ERROR: DNS not resolving download.cloud.com
resolv.conf follows
nameserver 204.8.176.71
nameserver 204.8.176.72
nameserver 204.8.180.41
nameserver 204.8.180.42

When Xenserver 6.0.2 is in vswitch mode:

root@s-5-VM:~# /usr/local/cloud/systemvm/ssvm-check.sh
================================================
First DNS server is 204.8.176.71
PING 204.8.176.71 (204.8.176.71): 56 data bytes
64 bytes from 204.8.176.71: icmp_seq=0 ttl=64 time=0.730 ms
64 bytes from 204.8.176.71: icmp_seq=1 ttl=64 time=0.501 ms
--- 204.8.176.71 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.501/0.615/0.730/0.115 ms
Good: Can ping DNS server
================================================
Good: DNS resolves download.cloud.com
================================================
NFS is currently mounted
Mount point is /mnt/SecStorage/3a13a1bb-dfc4-3948-92c6-0fa1d1dce25f
Good: Can write to mount point
================================================
Management server is 204.8.176.70. Checking connectivity.
Good: Can connect to management server port 8250
================================================
Good: Java process is running
================================================
Tests Complete. Look for ERROR or WARNING above.


Peter Valadez (Members)

Have you verified whether there are any iptables rules on the host that may be blocking DNS when running in bridged mode?

Regards,
Somesh


Somesh Naidu (Citrix Employees)

Somesh,

It seems that was the problem. When I add an iptables rule on the host/dom0 for udp port 53, then the SSVM is able to resolve DNS.

After running the ssvm-check.sh script again I saw that I also needed to open tcp port 8250. Are there any other ports I'll need to open on the host iptables?

This behavior is surprising to me. Why does the iptables config on Dom0 affect the networking of a VM? Isn't that a security concern? Also, the host is able to resolve DNS regardless of whether there is a rule in its iptables for UDP port 53, so I'm guessing the host's iptables rules are effectively functioning as outgoing firewall rules for all the VMs. Is that correct?


Peter Valadez (Members)

Well, 8250 is needed for communication between the management server and the agent process running on the system VM. What other ports are required? All related and established connections should be allowed. I believe DHCP and VNC should also be allowed.

Ideally we don't expect users to set iptables rules on the host (other than what comes by default), as hosts are well hidden inside the network, inaccessible from the public domain, and hence do not require such restrictions.

Here is a snippet from Xenserver Administrator Guide:
---
A bridge, in the case of XenServer networking, is the same as a switch, except it's implemented in software on the XenServer host. The bridging software XenServer uses is the standard Linux implementation, with no special code from Citrix. There is therefore plenty of documentation available online.
---

Hope that helps.

Edited by: Somesh Naidu on Feb 19, 2013 6:19 AM

Some sections were inaccurate hence removed.


Somesh Naidu (Citrix Employees)
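The fix Peter describes (opening UDP 53 and TCP 8250 in the dom0 iptables) and the RELATED,ESTABLISHED rule Somesh mentions, as an added example that is not part of the thread or of CloudPlatform: a POSIX sh script that checks a dom0 iptables-save dump for those FORWARD rules and prints the missing ones as iptables commands. The script name, the constructed sample dump and the inclusion of DNS over TCP are assumptions (the thread only confirms UDP 53 and TCP 8250). It also checks the bridge-nf-call-iptables sysctl, which is what makes bridged guest frames traverse dom0's FORWARD chain on a Linux bridge; that is the mechanism behind Peter's observation that the host's rules act as an outgoing firewall for the VMs in bridge mode but not in vswitch mode, where frames never pass through the Linux bridge netfilter hooks.

```shell
#!/bin/sh
# ssvm-fw-check.sh (assumed name). Added example; not code from the thread or
# from Citrix/CloudPlatform. Checks a XenServer dom0 iptables ruleset (an
# iptables-save dump) for the FORWARD rules the SSVM needs in bridge mode and
# prints the missing ones as iptables commands. Ports: udp/tcp 53 (DNS) and
# tcp 8250 (system VM agent -> management server), plus RELATED,ESTABLISHED so
# replies get back in. DNS over TCP is an assumption; the thread confirmed
# only udp 53 and tcp 8250.

# True if dump $1 has an ACCEPT rule in FORWARD for protocol $2 to port $3.
# Matches the normalised iptables-save form, e.g.
#   -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
forward_allows() {
    printf '%s\n' "$1" |
        grep -Eq "^-A FORWARD( .*)? -p $2( .*)? --dport $3( .*)? -j ACCEPT"
}

# True if FORWARD accepts RELATED,ESTABLISHED (state or conntrack match syntax).
allows_established() {
    printf '%s\n' "$1" |
        grep -Eq "^-A FORWARD( .*)? --(ct)?state RELATED,ESTABLISHED( .*)? -j ACCEPT"
}

# Print an iptables command for every required rule absent from dump $1.
# Rules are inserted (-I) so they land ahead of a trailing REJECT/DROP.
missing_rules() {
    dump=$1
    for spec in udp:53 tcp:53 tcp:8250; do
        proto=${spec%%:*}; port=${spec##*:}
        forward_allows "$dump" "$proto" "$port" ||
            echo "iptables -I FORWARD -p $proto --dport $port -j ACCEPT"
    done
    allows_established "$dump" ||
        echo "iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Why dom0 rules reach guest traffic at all: with a Linux bridge and
# bridge-nf-call-iptables=1, bridged IP frames traverse the FORWARD chain.
# True when that sysctl is on. $1 overrides the sysctl path (used by tests).
bridge_nf_enabled() {
    f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Constructed sample dump (not from a real host): a dom0 ruleset that allows
# established traffic and DNS over UDP, then rejects everything else.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Usage: ssvm-fw-check.sh --live     (on dom0, as root: reads iptables-save)
#        ssvm-fw-check.sh DUMPFILE   (check a saved iptables-save dump offline)
#        ssvm-fw-check.sh --sample   (run against the constructed sample above)
case "${1:-}" in
    --live)
        bridge_nf_enabled &&
            echo "# bridge-nf-call-iptables=1: FORWARD rules apply to bridged guest traffic"
        missing_rules "$(iptables-save)" ;;
    --sample) missing_rules "$SAMPLE_DUMP" ;;
    "")       ;;   # no argument: define the functions only
    *)        missing_rules "$(cat "$1")" ;;
esac
```

The check is a presence check only: a REJECT or DROP rule that sits before the ACCEPT still blocks the traffic, which is why the printed commands use -I rather than -A; confirm ordering with iptables -L FORWARD -n --line-numbers after applying. The DHCP and VNC ports Somesh mentions can be added to the spec list in missing_rules the same way once their port numbers are confirmed for the deployment.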