Forum
Welcome, Guest
Username: Password: Remember me
This is the optional category header for the Suggestion Box.
  • Page:
  • 1
  • 2

TOPIC:

cant start iscsi-ha 5 months 4 days ago #2078

  • gerry kernan
  • gerry kernan's Avatar Topic Author
  • Offline
  • Posts: 16
thanks Salvatore

its starting now.

Best Regards

gerry

Please Log in or Create an account to join the conversation.

cant start iscsi-ha 4 months 2 weeks ago #2080

  • gerry kernan
  • gerry kernan's Avatar Topic Author
  • Offline
  • Posts: 16
hi

any ETA on when 8.2 will be supported?

gerry

Please Log in or Create an account to join the conversation.

cant start iscsi-ha 4 months 1 week ago #2081

  • Salvatore Costantino
  • Salvatore Costantino's Avatar
  • Offline
  • Posts: 653
We will be looking at 8.2 this week to investigate the difference in the FW configuration. Best case, a minor change to the iscsi-ha init script is all that is needed which would be a a quick release for us.

Please Log in or Create an account to join the conversation.

cant start iscsi-ha 1 month 18 hours ago #2237

Hello Masters,

I have made a new installation of XenServer 8.2 to check this and in the new installation the file /etc/sysconfig/iptables remain the same, here is my file in a fresh install:
================
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this
default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# DHCP for host internal networks (CA-6996)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 67 --in-interface xenapi -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Linux HA hearbeat (CA-9394)
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m udp -p udp
--dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp
--dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp
--dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp
--dport 443 -j ACCEPT
# dlm
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21064 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m multiport --dports 5404,5405 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
================

so, looking the code of iscsi-ha, they check if the string RH-Firewall-1-INPUT exist or not, if not, they try to create a new rule based in the output from the actual iptables rules on memory. The only way that this don't work is:

1 - you have your configuration files in another language (chinese, russian or other).. .yeah, should be crazy but "maybe"
2 - you don't have a configuration file, the firewall have been disabled or never activate.

I thing the second is your case. the content of your file:
# Generated by iptables-save v1.4.21 on Tue Jun 30 18:25:55 2020
*filter
:INPUT ACCEPT [2484664:137226084]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [363161:16807398554]
COMMIT
# Completed on Tue Jun 30 18:25:55 2020

show that this configuration file was created on Jun 30 18:25:55 2020. Maybe you disabled the firewall rules and save it empty ??
Well, in any case I don't think that is a regression in halizard and I'm very sure that actually your xenserver don't have any firewall rules active (you should recheck this for security).

Salu2

Please Log in or Create an account to join the conversation.

  • Page:
  • 1
  • 2