Re: DEA/Warden staging error

Home Messages Hashtags Subgroups

#1909

Re: DEA/Warden staging error

Matthew Sykes <matthew.sykes@...> #1909 Based on your description, it doesn't sound like warden networking or the warden iptables chains are your problem. Are you able to share all of your routes and chains via a gist? route -n ifconfig -a iptables -L -n -v -t filter iptables -L -n -v -t nat iptables -L -n -v -t mangle Any kernel messages that look relevant in the message buffer (dmesg)? Have you tried doing a network capture to verify the packets are look the way you expect? Are you sure your host routing rules are good? Do the warden subnets overlap with any network accessible to the host? Based on previous notes, it doesn't sound like this is a standard deployment so it's hard to say what could be impacting you. On Tue, Sep 22, 2015 at 1:08 PM, Kyle Havlovitz (kyhavlov) < kyhavlov(a)cisco.com> wrote: I didn’t; I’m still having this problem. Even adding this lenient security group didn’t let me get any traffic out of the VM: [{"name":"allow_all","rules":[{"protocol":"all","destination":"0.0.0.0/0 "},{"protocol":"tcp","destination":"0.0.0.0/0 ","ports":"1-65535"},{"protocol":"udp","destination":"0.0.0.0/0 ","ports":"1-65535"}]}] The only way I was able to get traffic out was by manually removing the reject/drop iptables rules that warden set up, and even with that the container still lost all connectivity after 30 seconds. From: CF Runtime <cfruntime(a)gmail.com> Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org> Date: Tuesday, September 22, 2015 at 12:50 PM To: "Discussions about Cloud Foundry projects and the system overall." < cf-dev(a)lists.cloudfoundry.org> Subject: [cf-dev] Re: Re: Re: Re: Re: Re: Re: Re: DEA/Warden staging error Hey Kyle, Did you make any progress? Zak & Mikhail CF Release Integration Team On Thu, Sep 17, 2015 at 10:28 AM, CF Runtime <cfruntime(a)gmail.com> wrote: It certainly could be. By default the contains reject all egress traffic. CC security groups configure iptables rules that allow traffic out. One of the default security groups in the BOSH templates allows access on port 53. If you have no security groups, the containers will not be able to make any outgoing requests. Joseph & Natalie CF Release Integration Team On Thu, Sep 17, 2015 at 8:44 AM, Kyle Havlovitz (kyhavlov) < kyhavlov(a)cisco.com> wrote: On running git clone inside the container via the warden shell, I get: "Cloning into 'staticfile-buildpack'... fatal: unable to access ' https://github.com/cloudfoundry/staticfile-buildpack/': Could not resolve host: github.com". So the container can't get to anything outside of it (I also tried pinging some external IPs to make sure it wasn't a DNS thing). Would this be caused by cloud controller security group settings? -- Matthew Sykes matthew.sykes(a)gmail.com attachment.html attachment.html
More All Messages By This Member

View All 8 Messages In Topic

#1909

Join {cf-dev@lists.cloudfoundry.org to automatically receive all group messages.

Home Hashtags Subgroups Terms