can't start iscsi-ha 3 years 9 months ago #2078

  • gerry kernan
  • Posts: 16
Thanks Salvatore,

it's starting now.

Best Regards

gerry


can't start iscsi-ha 3 years 9 months ago #2080

  • gerry kernan
  • Posts: 16
Hi,

any ETA on when 8.2 will be supported?

gerry


can't start iscsi-ha 3 years 8 months ago #2081

  • Salvatore Costantino
  • Posts: 722
We will be looking at 8.2 this week to investigate the difference in the FW configuration. Best case, a minor change to the iscsi-ha init script is all that is needed, which would be a quick release for us.


can't start iscsi-ha 3 years 5 months ago #2237

Hello Masters,

I have made a new installation of XenServer 8.2 to check this, and in the new installation the file /etc/sysconfig/iptables remains the same; here is my file in a fresh install:
================
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# DHCP for host internal networks (CA-6996)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 67 --in-interface xenapi -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Linux HA hearbeat (CA-9394)
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m udp -p udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
# dlm
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21064 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m multiport --dports 5404,5405 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
================

So, looking at the code of iscsi-ha, it checks whether the string RH-Firewall-1-INPUT exists or not; if not, it tries to create a new rule based on the output of the actual iptables rules in memory. The only ways this doesn't work are:

1 - you have your configuration files in another language (Chinese, Russian or other)... yeah, that would be crazy, but "maybe"
2 - you don't have a configuration file; the firewall has been disabled or was never activated.

I think the second is your case. The content of your file:
# Generated by iptables-save v1.4.21 on Tue Jun 30 18:25:55 2020
*filter
:INPUT ACCEPT [2484664:137226084]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [363161:16807398554]
COMMIT
# Completed on Tue Jun 30 18:25:55 2020

shows that this configuration file was created on Jun 30 18:25:55 2020. Maybe you disabled the firewall rules and saved it empty??
Well, in any case I don't think it is a regression in halizard, and I'm very sure that your xenserver actually doesn't have any firewall rules active (you should recheck this for security).

Salu2

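As an added example (not the iscsi-ha init script or any HA-Lizard code), this POSIX shell snippet performs the check described in the post above, whether a saved ruleset declares RH-Firewall-1-INPUT and jumps to it, and separates the "chain missing" case from the "firewall disabled, file saved empty" case the thread diagnoses. The two sample rulesets are constructed inline from the files quoted in the thread (abridged), and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not iscsi-ha's own code. Classifies a saved iptables ruleset
# the way the post describes, and flags a host with no active filtering.

# Constructed sample: fresh XenServer 8.2 /etc/sysconfig/iptables (abridged).
FRESH_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: the empty ruleset quoted in the thread (firewall disabled).
EMPTY_RULES='# Generated by iptables-save v1.4.21 on Tue Jun 30 18:25:55 2020
*filter
:INPUT ACCEPT [2484664:137226084]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [363161:16807398554]
COMMIT
# Completed on Tue Jun 30 18:25:55 2020'

# input_policy RULESET: default policy of the INPUT chain (ACCEPT/DROP), or "unknown".
input_policy() {
    printf '%s\n' "$1" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p' | head -n 1 | grep . || echo unknown
}

# classify_ruleset RULESET prints one of:
#   chain-present : RH-Firewall-1-INPUT is declared and INPUT jumps to it (check passes)
#   chain-missing : -A rules exist, but none set up RH-Firewall-1-INPUT
#   open          : no -A rules and INPUT policy ACCEPT, so nothing is filtered at all
#   no-rules      : no -A rules, but INPUT policy is not ACCEPT
classify_ruleset() {
    if printf '%s\n' "$1" | grep -q '^:RH-Firewall-1-INPUT ' &&
       printf '%s\n' "$1" | grep -q '^-A INPUT -j RH-Firewall-1-INPUT$'; then
        echo chain-present
    elif printf '%s\n' "$1" | grep -q '^-A '; then
        echo chain-missing
    elif [ "$(input_policy "$1")" = ACCEPT ]; then
        echo open
    else
        echo no-rules
    fi
}

# On a live host: classify_ruleset "$(cat /etc/sysconfig/iptables)"
classify_ruleset "$FRESH_RULES"   # chain-present
classify_ruleset "$EMPTY_RULES"   # open
```

An "open" result is the situation the post warns about: the saved file has only chain policies, so even if iscsi-ha added its rule, the host would still accept everything on INPUT.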
