vrouter: remove a POSTROUTING rule for port forwarding in VPC router

[ustcweizhou]

Description

As discussed in #3937 (comment)
a rule for port forwarding in VPC router might not be needed.

This fixes the failed result of health check for network VRs.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)

Screenshots (if appropriate):

How Has This Been Tested?

[weizhouapache]

@DaanHoogland can you kick off test for this PR ?

[DaanHoogland]

@blueorangutan package

[blueorangutan]

@DaanHoogland a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✖centos6 ✔centos7 ✔debian. JID-1038

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

Trillian test result (tid-1227)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 47773 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr3952-t1227-kvm-centos7.zip
Intermittent failure detected: /marvin/tests/smoke/test_vpc_redundant.py
Smoke tests completed. 82 look OK, 1 have error(s)
Only failed tests results shown below:

Test	Result	Time (s)	Test File
test_05_rvpc_multi_tiers	Failure	490.68	test_vpc_redundant.py
test_05_rvpc_multi_tiers	Error	518.61	test_vpc_redundant.py

[andrijapanicsb]

Testing this one, instead of #3937 - we removed the offending rule, so additional code to handle VPC vs Isolated network VR is not needed.

[andrijapanicsb]

@weizhouapache testing this one - and after configuring port forward (and stopping iptables on the guest VM) - I can't connect via PF rule to the VM (works fine for VPC though).

Can you please take a look? Otherwise, since we are 1 day from the freeze for 4.14., I'll have to go with #3937 (but I prefer your PR with removed extra lines) ?

[weizhouapache]

@weizhouapache testing this one - and after configuring port forward (and stopping iptables on the guest VM) - I can't connect via PF rule to the VM (works fine for VPC though).

Can you please take a look? Otherwise, since we are 1 day from the freeze for 4.14., I'll have to go with #3937 (but I prefer your PR with removed extra lines) ?

@andrijapanicsb I will look into it today.
one suggestion, can we easily remove a line in systemvm/debian/root/health_checks/iptables_check.py as a workaround ? health check will pass in both network and vpc vr.

https://github.com/apache/cloudstack/pull/3952/files#diff-cf7b342df9a0681cd60e083d7f746bd2

[andrijapanicsb]

I see it should work @weizhouapache , but let me ping @Pearl1594 for the opinion

thx

[andrijapanicsb]

We'll do another PR with just that one change, thanks @weizhouapache

[andrijapanicsb]

@weizhouapache the PR was made, tested (by you and @Pearl1594 - thanks ) and merged - here #3963

Do you want to close this one now or... ?
I will remove the milestone from it - thanks!

[weizhouapache]

@weizhouapache the PR was made, tested (by you and @Pearl1594 - thanks ) and merged - here #3963

Do you want to close this one now or... ?
I will remove the milestone from it - thanks!

considering we have merged #3963 , I think we can move this to 4.14.1

by the way, I have tested the failed test test_vpc_redundant.py in my local testing environment, no issue at all.

[yadvr]

@blueorangutan package

[blueorangutan]

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✖centos7 ✖debian. JID-1366

[yadvr]

@blueorangutan package

[blueorangutan]

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✔centos7 ✔debian. JID-1509

[yadvr]

@blueorangutan test

[blueorangutan]

@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[yadvr]

@blueorangutan test

[blueorangutan]

@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

Trillian test result (tid-1975)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 46271 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr3952-t1975-kvm-centos7.zip
Intermittent failure detected: /marvin/tests/smoke/test_password_server.py
Intermittent failure detected: /marvin/tests/smoke/test_privategw_acl.py
Intermittent failure detected: /marvin/tests/smoke/test_secondary_storage.py
Intermittent failure detected: /marvin/tests/smoke/test_service_offerings.py
Intermittent failure detected: /marvin/tests/smoke/test_vm_deployment_planner.py
Intermittent failure detected: /marvin/tests/smoke/test_vm_life_cycle.py
Intermittent failure detected: /marvin/tests/smoke/test_hostha_kvm.py
Smoke tests completed. 78 look OK, 5 have error(s)
Only failed tests results shown below:

Test	Result	Time (s)	Test File
test_01_sys_vm_start	Failure	0.06	test_secondary_storage.py
ContextSuite context=TestCpuCapServiceOfferings>:setup	Error	0.00	test_service_offerings.py
test_01_deploy_vm_on_specific_host	Error	35.91	test_vm_deployment_planner.py
test_04_deploy_vm_on_host_override_pod_and_cluster	Error	6.27	test_vm_deployment_planner.py
test_11_migrate_vm	Error	6.30	test_vm_life_cycle.py
test_hostha_enable_ha_when_host_disconected	Error	936.27	test_hostha_kvm.py
test_hostha_enable_ha_when_host_in_maintenance	Error	300.74	test_hostha_kvm.py

[yadvr]

@ustcweizhou can you review the test failures?

[weizhouapache]

@ustcweizhou can you review the test failures?

@rhtyd can you re-kick off the tests ?

[yadvr]

@blueorangutan package

[blueorangutan]

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✔centos7 ✔debian. JID-1613

[yadvr]

@blueorangutan test

[blueorangutan]

@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

Trillian test result (tid-2223)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 33746 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr3952-t2223-kvm-centos7.zip
Intermittent failure detected: /marvin/tests/smoke/test_vm_life_cycle.py
Smoke tests completed. 82 look OK, 1 have error(s)
Only failed tests results shown below:

Test	Result	Time (s)	Test File
ContextSuite context=Test01DeployVM>:setup	Error	0.00	test_vm_life_cycle.py
ContextSuite context=Test02VMLifeCycle>:setup	Error	0.00	test_vm_life_cycle.py
ContextSuite context=Test03SecuredVmMigration>:setup	Error	0.00	test_vm_life_cycle.py

[yadvr]

Test LGTM the failure is due to a regression in Trillian/ansible overiding file (the test_vm_life_cycle.py and has been fixed).

[yadvr]

LGTM did not test is manually

[DaanHoogland]

code looks good and appears to do what it says on the tin.
@andrijapanicsb @Pearl1594 can one of you have a look at testing?

[yadvr]

The regression has been fixed, failures not related to this PR.