[ovirt-users] Fwd: ISCSI storage with multiple nics on same subnet disabled on host activation
Yaniv Kaul
ykaul at redhat.com
Mon Jul 17 19:38:36 UTC 2017
On Mon, Jul 17, 2017 at 10:56 AM, Nelson Lameiras <
nelson.lameiras at lyra-network.com> wrote:
> Hello, Can any one please help us with the problem described below?
>
> Nir, I'm including you since a quick search on the internet led me to
> think that you have worked on this part of the project. Please forgive me
> if I'm off topic.
>
> (I incorrectly used below the expression "patch" when I meant "configure".
> it's corrected now)
>
VDSM may indeed change the IP filter. From the function that sets it[1]:
def setRpFilterIfNeeded(netIfaceName, hostname, loose_mode):
"""
Set rp_filter to loose or strict mode if there's no session using the
netIfaceName device and it's not the device used by the OS to reach the
'hostname'.
loose mode is needed to allow multiple iSCSI connections in a multiple
NIC
per subnet configuration. strict mode is needed to avoid the security
breach where an untrusted VM can DoS the host by sending it packets with
spoofed random sources.
Arguments:
netIfaceName: the device used by the iSCSI session
target: iSCSI target object cointaining the portal hostname
loose_mode: boolean
I think it sets it to strict mode when disconnecting or removing an iSCSI
session.
Perhaps something in the check we are doing is incorrect? Do you have other
sessions open?
Y.
[1]
https://github.com/oVirt/vdsm/blob/321233bea649fb6d1e72baa1b1164c8c1bc852af/lib/vdsm/storage/iscsi.py#L556
> cordialement, regards,
>
> <https://www.lyra-network.com/>
> Nelson LAMEIRAS
> Ingénieur Systèmes et Réseaux / Systems and Networks engineer
> Tel: +33 5 32 09 09 70 <+33%205%2032%2009%2009%2070>
> nelson.lameiras at lyra-network.com
> www.lyra-network.com | www.payzen.eu <https://payzen.eu>
> <https://www.youtube.com/channel/UCrVl1CO_Jlu3KbiRH-tQ_vA>
> <https://www.linkedin.com/company/lyra-network_2>
> <https://twitter.com/LyraNetwork>
> <https://payzen.eu>
> ------------------------------
> Lyra Network, 109 rue de l'innovation, 31670 Labège, FRANCE
>
>
> ------------------------------
> *De: *"Nelson Lameiras" <nelson.lameiras at lyra-network.com>
> *À: *"ovirt users" <users at ovirt.org>
> *Envoyé: *Mercredi 7 Juin 2017 14:59:48
> *Objet: *[ovirt-users] ISCSI storage with multiple nics on same subnet
> disabled on host activation
>
> Hello,
>
> In our oVirt hosts, we are using DELL equallogic SAN with each server
> connecting to SAN via 2 physical interfaces. Since both interfaces share
> the same network (Equalogic limitation) we must configure sysctl to to
> allow iSCSI multipath with multiple NICs in the same subnet :
>
> ------------------------------------------------------------
> --------------------------------
>
> net.ipv4.conf.p2p1.arp_ignore=1
> net.ipv4.conf.p2p1.arp_announce=2
> net.ipv4.conf.p2p1.rp_filter=2
>
> net.ipv4.conf.p2p2.arp_ignore=1
> net.ipv4.conf.p2p2.arp_announce=2
> net.ipv4.conf.p2p2.rp_filter=2
>
> ------------------------------------------------------------
> --------------------------------
>
> This works great in most setups, but for a strange reason, on some of our
> setups, the sysctl configuration is updated by VDSM when activating a host
> and the second interface stops working immeadiatly :
> ------------------------------------------------------------
> --------------------------------
> vdsm.log
>
> 2017-06-07 11:51:51,063+0200 INFO (jsonrpc/5) [storage.ISCSI] Setting strict mode rp_filter for device 'p2p2'. (iscsi:602)
> 2017-06-07 11:51:51,064+0200 ERROR (jsonrpc/5) [storage.HSM] Could not connect to storageServer (hsm:2392)
> Traceback (most recent call last):
> File "/usr/share/vdsm/storage/hsm.py", line 2389, in connectStorageServer
> conObj.connect()
> File "/usr/share/vdsm/storage/storageServer.py", line 433, in connect
> iscsi.addIscsiNode(self._iface, self._target, self._cred)
> File "/usr/lib/python2.7/site-packages/vdsm/storage/iscsi.py", line 232, in addIscsiNode
> iscsiadm.node_login(iface.name, target.address, target.iqn)
> File "/usr/lib/python2.7/site-packages/vdsm/storage/iscsiadm.py", line 337, in node_login
> raise IscsiNodeError(rc, out, err)
>
>
>
> ------------------------------------------------------------
> --------------------------------
>
> "strict mode" is enforced for second interface, and it no longuer works...
> Which means - at least - that there is no redundancy in case of hardware
> faillure and this is not acceptable for our production needs.
>
> What is really strange is that we have another "twin" site on another
> geographic region with simillar hardware configuration and same oVirt
> installation, and this problem does not happen.
> Can this be really random?
> What can be the root cause of this behaviour? How can I correct it?
>
> our setup:
> oVirt hostedEngine : Centor 7.3, ovirt 4.1.2
> 3 physical oVirt nodes centos 7.3, ovirt 4.1.2
> SAN DELL Equalogic
>
> cordialement, regards,
>
> <https://www.lyra-network.com/>
> Nelson LAMEIRAS
> Ingénieur Systèmes et Réseaux / Systems and Networks engineer
> Tel: +33 5 32 09 09 70 <+33%205%2032%2009%2009%2070>
> nelson.lameiras at lyra-network.com
> www.lyra-network.com | www.payzen.eu <https://payzen.eu>
> <https://www.youtube.com/channel/UCrVl1CO_Jlu3KbiRH-tQ_vA>
> <https://www.linkedin.com/company/lyra-network_2>
> <https://twitter.com/LyraNetwork>
> <https://payzen.eu>
> ------------------------------
> Lyra Network, 109 rue de l'innovation, 31670 Labège, FRANCE
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170717/e5b89167/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: element-signature_logo_lyra_115x94.jpg
Type: image/jpeg
Size: 3846 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170717/e5b89167/attachment-0010.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: element-signature_payzen_61x28.jpg
Type: image/jpeg
Size: 1864 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170717/e5b89167/attachment-0011.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: element-signature_logo_lyra_115x94.jpg
Type: image/jpeg
Size: 3846 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170717/e5b89167/attachment-0012.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: element-signature_logo_YouTube_32x28.jpg
Type: image/jpeg
Size: 1604 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170717/e5b89167/attachment-0013.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: element-signature_logo_LinkedIn_41x28.jpg
Type: image/jpeg
Size: 1635 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170717/e5b89167/attachment-0014.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: element-signature_logo_Twitter_42x28.jpg
Type: image/jpeg
Size: 1629 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170717/e5b89167/attachment-0015.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: element-signature_logo_LinkedIn_41x28.jpg
Type: image/jpeg
Size: 1635 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170717/e5b89167/attachment-0016.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: element-signature_logo_YouTube_32x28.jpg
Type: image/jpeg
Size: 1604 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170717/e5b89167/attachment-0017.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: element-signature_logo_Twitter_42x28.jpg
Type: image/jpeg
Size: 1629 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170717/e5b89167/attachment-0018.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: element-signature_payzen_61x28.jpg
Type: image/jpeg
Size: 1864 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170717/e5b89167/attachment-0019.jpg>
More information about the Users
mailing list