Hi Michael,
Thanks for your reply!
Maybe it was not clear in my last response, but I already tried to remove the iptables rules (see the output of iptables-save at the bottom), without success.
Since we don't need libvirt and the related virtual bridge, I reinstalled the system without optional packages.
But I still have the same issue: when requesting a CA or PVA channel, I get a time-out.
Again I checked whether it works when setting the EPICS environment variables, which confirmed that 'caget' works when EPICS_CA_ADDR_LIST is set.
After digging and googling more, I found out that CentOS 8 has firewalld running by default (I'm new to CentOS; I'm used to working with iptables ...).
This one is set to the public network by default.
When I disable it with 'sudo systemctl stop firewalld', all works fine.
So, bottom line, all works as expected (the issue was mainly my lack of knowledge of CentOS...).
Thanks for your support, it guided me in the right direction!
Kind regards,
Kris
-----Original Message-----
From: Michael Davidsaver <mdavidsaver at gmail.com>
Sent: Monday 16 August 2021 17:01
To: Meeus Kris <Kris.Meeus at sckcen.be>
Cc: tech-talk at aps.anl.gov
Subject: Re: IOC PVA on mTCA CPU requires environment variables to be set
On 8/16/21 4:57 AM, Meeus Kris wrote:
> Hi Michael,
> Thanks for your reply, below you can find the requested settings. It seems that the installation added a virtual bridge.
>
> I've tried to disable the virtual bridge; cleared iptables and checked again, without success. Ref listed settings at the end.
A virtual bridge can work. I use this configuration on my laptop.
Although I explicitly allow all traffic between host and guests.
I suspect the libvirt created firewall rules are causing your difficulties.
I don't use libvirt myself, and so can't give you a simple solution.
> -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
> -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
As a quick experiment, you could try removing these two REJECT rules.
Firewalling CA is complicated by the handoff from UDP search to TCP connection,
which Linux 'conntrack' doesn't know about. PVA is even more complicated
because some servers (pvAccessCPP) send search responses from a random port,
so Linux 'conntrack' can't even associate search requests and replies.
https://libvirt.org/firewall.html
https://wiki.libvirt.org/page/Networking
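The thread ends with the firewall simply being stopped. A less blunt check, added here as an example that is not part of the thread or of EPICS itself, is to audit the `iptables-save` output for catch-all REJECT/DROP rules (like the LIBVIRT_FWI/FWO rules quoted above, or the trailing REJECT that firewalld's public zone installs) and for whether the default EPICS ports are explicitly allowed. The ruleset below is constructed for the example from the rules quoted in the thread plus a hypothetical firewalld-style INPUT chain; it is not real output from Kris's machine. The port numbers are the EPICS defaults (CA: UDP/TCP 5064, UDP 5065 for beacons; PVA: TCP 5075, UDP 5076), which can be overridden by the EPICS_*_PORT variables.

```python
"""Audit iptables-save output for rules that would block EPICS CA/PVA.

Example code, not from the tech-talk thread or from EPICS. Parses the
filter-table rules printed by `iptables-save`, lists catch-all REJECT/DROP
rules (no protocol or port match), and reports which default EPICS ports are
explicitly accepted. Finally it emits a firewalld service definition that
opens only those ports, as an alternative to `systemctl stop firewalld`.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default EPICS ports (overridable via EPICS_CA_SERVER_PORT etc.).
EPICS_PORTS: Dict[Tuple[str, int], str] = {
    ("udp", 5064): "CA search",
    ("tcp", 5064): "CA circuit",
    ("udp", 5065): "CA beacons (repeater port)",
    ("udp", 5076): "PVA search",
    ("tcp", 5075): "PVA circuit",
}

# Constructed sample: the LIBVIRT rules quoted in the thread plus a
# hypothetical firewalld-like INPUT chain. Not captured from a real host.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o virbr0 -j LIBVIRT_FWI
-A FORWARD -i virbr0 -j LIBVIRT_FWO
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


@dataclass
class Rule:
    chain: str
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    raw: str = ""


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one '-A CHAIN ...' line; other lines (*filter, :CHAIN, COMMIT) yield None."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = Rule(chain=toks[1], target="", raw=line)
    i = 2
    while i < len(toks):
        tok, nxt = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if tok == "-i":
            rule.in_if = nxt
        elif tok == "-o":
            rule.out_if = nxt
        elif tok == "-p":
            rule.proto = nxt
        elif tok == "--dport" and nxt:
            rule.dport = int(nxt.split(":")[0])  # first port of a range
        elif tok == "-j":
            rule.target = nxt or ""
        else:
            i += 1  # unknown token: skip it alone (its value is skipped next round)
            continue
        i += 2
    return rule


def parse_iptables_save(text: str) -> List[Rule]:
    return [r for r in (parse_rule(l.strip()) for l in text.splitlines()) if r]


def catch_all_rejects(rules: List[Rule]) -> List[Rule]:
    """REJECT/DROP rules with no protocol/port match: they swallow CA/PVA searches too."""
    return [r for r in rules
            if r.target in ("REJECT", "DROP") and r.proto is None and r.dport is None]


def epics_ports_accepted(rules: List[Rule]) -> Dict[Tuple[str, int], bool]:
    """For each default EPICS (proto, port), is there an explicit ACCEPT rule?"""
    return {key: any(r.target == "ACCEPT" and r.proto == key[0] and r.dport == key[1]
                     for r in rules) for key in EPICS_PORTS}


def missing_epics_accepts(rules: List[Rule]) -> List[Tuple[str, int]]:
    return [k for k, ok in epics_ports_accepted(rules).items() if not ok]


def firewalld_service_xml() -> str:
    """A firewalld service opening only the EPICS default ports (hypothetical file name: epics.xml)."""
    ports = "\n".join(f'  <port protocol="{p}" port="{n}"/>' for p, n in EPICS_PORTS)
    return ("<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<service>\n"
            "  <short>EPICS</short>\n" + ports + "\n</service>\n")


if __name__ == "__main__":
    rules = parse_iptables_save(SAMPLE_IPTABLES_SAVE)
    for r in catch_all_rejects(rules):
        print(f"catch-all {r.target} in chain {r.chain}: {r.raw}")
    for key in missing_epics_accepts(rules):
        print(f"no explicit ACCEPT for {key[0]}/{key[1]} ({EPICS_PORTS[key]})")
    print(firewalld_service_xml())
```

Run it against real output with `iptables-save | python3 audit.py` after replacing the sample with `sys.stdin.read()`; the generated service XML would be installed under `/etc/firewalld/services/` and enabled with `firewall-cmd --add-service`, which keeps the firewall up while letting CA and PVA traffic through. Note that, as Michael points out, conntrack cannot relate a PVA search reply sent from a random source port to the request, so the `RELATED,ESTABLISHED` ACCEPT rule alone will not let searches through; the explicit UDP port rules are what matter.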