Bug at Clemson IG Rack


Hussamuddin Nasir

Aug 4, 2014, 3:30:21 PM
to Leigh Stoller, geni-...@googlegroups.com, geni-dev-utah@flux.utah.edu Utah
Hello folks,
I came across a bug at the Clemson IG Rack. I used nodes in the
following config:


Xen nodeA - public control IP
Xen nodeB - public control IP
Xen nodeC - private control IP
Xen nodeD - private control IP
Xen nodeE - private control IP
OpenVZ nodeF - public control IP


My communication between nodes goes over the control plane and is
restricted to within the rack.
PROBLEM: There is no route/connectivity (ping fails) between nodes on
the Control IP and nodes with private IP. This works on every IG rack
out there except the Clemson one. It was reported to us by one of the
GENI users using the GeniDesktop.

--
cheers,

Hussam
(Hussamuddin Nasir)

Netlab Operations Team

-------------------------------------------------------------------
Laboratory for Adv. Networking Phone : (859)218-0059
James F Hardymon Building Fax : (859)323-3740
301 Rose Street, Rm 237 E-mail : na...@netlab.uky.edu
Lexington, KY 40506-0495 Web : http://www.netlab.uky.edu

University of Kentucky
**********************
-------------------------------------------------------------------

Tim Upthegrove

Aug 4, 2014, 4:14:46 PM
to geni-...@googlegroups.com, Leigh Stoller, geni-dev-utah@flux.utah.edu Utah
Hey Hussam,

Throwing in my unsolicited 2 cents below... 


On Mon, Aug 4, 2014 at 3:30 PM, Hussamuddin Nasir <na...@netlab.uky.edu> wrote:
> My communication between nodes goes over the control plane and is restricted to within the rack.
> PROBLEM: There is no route/connectivity (ping fails) between nodes on the Control IP and nodes with private IP. This works on every IG rack out there except the Clemson one. It was reported to us by one of the GENI users using the GeniDesktop.

Should we expect this to work in general across all GENI aggregates?  Actually, is this something that is really a good idea, either inside or outside of GENI?  I've always assumed that RFC 1918 address space should only be reachable on specific layer 4 ports via a public IP using NAT, regardless of whether or not the traffic is restricted to a single (somewhat isolated) set of infrastructure.  Basically, what I personally am thinking is that the Clemson rack is behaving more normally than the other racks that allow public and private IPs to ping each other.  But that is all just my take on it, and perhaps it doesn't line up with how the IG racks work.

Out of curiosity, what does the path look like when the public IP tries to reach the private IP?  Is it going through campus infrastructure, a software router on one of the control nodes, a software router in the hypervisor (when VMs are on the same host), or something else?

As an alternative that doesn't involve going to all public or all private management IPs, perhaps the experimenter can provision two sets of VLANs at the aggregate.... one set as the experimental data plane, and one set as the experimental control plane, with its own privately managed IP space.

Thanks,
--
 
Tim Upthegrove

Hussamuddin Nasir

Aug 4, 2014, 4:32:36 PM
to geni-...@googlegroups.com
Traditionally, Emulab and ProtoGENI have a control plane and an experimental plane, both of which are behind some sort of router or firewall.

The experimental plane is totally locked down with private IPs that the user assigns to the nodes' interfaces.

The control plane, on the other hand, can have a mix of private and public IPs that the boss node of the rack assigns to its VMs/raw PCs. The boss node communicates with these VMs (with both public and private IPs) over the same control plane (and same VLAN). We just use the same control plane for our communication between nodes as a part of the GEMINI and GeniDesktop setup.



cheers,

Hussam
(Hussamuddin Nasir)


Hussamuddin Nasir

Aug 4, 2014, 4:51:41 PM
to geni-...@googlegroups.com
And just to add, this bug only exists when the nodes are Xen. It works fine when all nodes are OpenVZ (we used such a scenario at the last GEC).
cheers,

Hussam
(Hussamuddin Nasir)


Leigh Stoller

Aug 4, 2014, 6:05:16 PM
to geni-...@googlegroups.com, geni-dev-utah@flux.utah.edu Utah
> PROBLEM: There is no route/connectivity (ping fails) between nodes on the Control IP and nodes with private IP. This works on every IG rack out there except the Clemson one. It was reported to us by one of the GENI users using the GeniDesktop.

Can we get a pointer to a sliver at Clemson that exhibits this
behavior please?

Leigh





Hussamuddin Nasir

Aug 4, 2014, 7:16:16 PM
to geni-...@googlegroups.com
I have a slice called gandh1 which has xen and openvz nodes.
I cannot ping from the openvz node to any of the xen nodes.

The xen nodes can ping each other fine (regardless of them being public
or private.)



cheers,

Hussam
(Hussamuddin Nasir)


Leigh Stoller

Aug 4, 2014, 8:02:22 PM
to geni-...@googlegroups.com
> I have a slice called gandh1 which has xen and openvz nodes.
> I cannot ping from the openvz node to any of the xen nodes.

Basically, the Clemson rack is violating one of the requirements
of a geni rack; the upstream router is responding to arp requests
for 172 addresses.

I will send email to the rack admin, but in the meantime you will
need to avoid this rack until it is fixed.

Leigh





Leigh Stoller

Aug 5, 2014, 9:53:08 AM
to geni-...@googlegroups.com
> I have a slice called gandh1 which has xen and openvz nodes.
> I cannot ping from the openvz node to any of the xen nodes.

Okay, this has been fixed; the local site admin turned off proxy
arp on the upstream router.

Leigh
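
Added example, not part of the original thread or of any GENI/Emulab code: one way to spot the condition diagnosed above (an upstream router answering ARP for 172 addresses) from a node's neighbor table. It assumes the private control addresses fall in the RFC 1918 172.16.0.0/12 block and that the input is `ip neigh show` output; the sample table, addresses and MACs are constructed.

```python
import ipaddress

# Assumption: private control IPs on the rack are in RFC 1918 172.16.0.0/12.
PRIVATE_NET = ipaddress.ip_network("172.16.0.0/12")

# Constructed sample of `ip neigh show` output on a node with a public
# control IP. 192.0.2.1 stands in for the upstream router; MACs are made up.
SAMPLE_NEIGH = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
172.17.1.3 dev eth0 lladdr 00:00:5e:00:53:01 STALE
172.17.1.4 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
172.17.1.5 dev eth0 lladdr 02:aa:bb:cc:dd:05 REACHABLE
172.17.1.6 dev eth0  FAILED
"""


def parse_neigh(text):
    """Yield (ip, mac) for neighbor entries that carry a link-layer address."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED / INCOMPLETE entries have no MAC to compare
        pos = fields.index("lladdr") + 1
        if pos >= len(fields):
            continue  # truncated line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        yield ip, fields[pos].lower()


def proxy_arp_suspects(text, gateway_ip):
    """Return private IPs whose ARP entry resolved to the gateway's MAC.

    A private neighbor that shares the router's MAC means the router, not
    the node itself, answered the ARP request, which is what proxy ARP does.
    """
    entries = list(parse_neigh(text))
    gw = ipaddress.ip_address(gateway_ip)
    gw_mac = next((mac for ip, mac in entries if ip == gw), None)
    if gw_mac is None:
        return []  # gateway not in the table, nothing to compare against
    hits = [ip for ip, mac in entries
            if ip != gw and ip in PRIVATE_NET and mac == gw_mac]
    return [str(ip) for ip in sorted(hits)]


if __name__ == "__main__":
    print(proxy_arp_suspects(SAMPLE_NEIGH, "192.0.2.1"))
```

An empty result after the router change is the expected state: each private address should resolve to its own node's MAC or not resolve at all.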




