Summary: security_group.py: catch exception when flushing chain

Detail: Added exception handling around iptables chain flushing, along with a call to default_network_rules() to re-initialize.

Testing: On agent, ls /var/run/cloud and pick one of the VMs to test with. Make a backup of its logfile (e.g. cp /var/run/cloud/i-2-1722.log /tmp). Destroy the firewall ruleset for that VM with /usr/lib64/cloud/common/scripts/vm/network/security_group.py destroy_network_rules_for_vm --vmname i-2-1722-VM --vif vnet10. Now copy the log file back, edit the file and decrement the last field by 1. ACS should notice the out-of-date sequence ID and push a new ruleset for the VM within 60 seconds.

BUG-ID: CLOUDSTACK-1685
Bugfix-for: John Kinsella
Reviewed-by:
Reported-by:
Signed-off-by: John Kinsella <j...@stratosec.co> 1363286927 -0700

Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/08a0788b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/08a0788b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/08a0788b

Branch: refs/heads/marvin-refactor
Commit: 08a0788b384f7083eb261dbeec51d3efe5907927
Parents: e6d46d7
Author: John Kinsella <j...@stratosec.co>
Authored: Thu Mar 14 11:48:47 2013 -0700
Committer: John Kinsella <j...@stratosec.co>
Committed: Thu Mar 14 11:48:47 2013 -0700

----------------------------------------------------------------------
scripts/vm/network/security_group.py | 12 ++++++++----
1 files changed, 8 insertions(+), 4 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/08a0788b/scripts/vm/network/security_group.py
----------------------------------------------------------------------
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index 1bcbc3e..03e35fb 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -622,10 +622,14 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif lines = rules.split(';')[:-1] logging.debug(" programming network rules for IP: " + vm_ip + " vmname=" + vm_name) - vmchain = vm_name - execute("iptables -F " + vmchain) - egress_vmchain = egress_chain_name(vm_name) - execute("iptables -F " + egress_vmchain) + try: + vmchain = vm_name + execute("iptables -F " + vmchain) + egress_vmchain = egress_chain_name(vm_name) + execute("iptables -F " + egress_vmchain) + except: + logging.debug("Error flushing iptables rules for " + vmchain + ". Presuming firewall rules deleted, re-initializing." ) + default_network_rules(vm_name, vm_id, vm_ip, vmMac, vif, brname) egressrule = 0 for line in lines:
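Review bot: the bare `except:` in the new try block catches every exception, including KeyboardInterrupt and SystemExit, and then presumes the chains were deleted; catch only the error `execute()` raises (at minimum `except Exception`), so that an unrelated failure such as an iptables lock or a permission problem is not misread as a missing ruleset, and record the cause at warning level with `logging.exception("Error flushing iptables rules for " + vmchain + ...)` instead of a debug message that drops it. Also, if `iptables -F` fails on the egress chain after the ingress chain was already flushed, `default_network_rules(...)` is called to rebuild the ruleset, but should that call itself fail the exception propagates out of `add_network_rules` with the ingress chain left empty; consider handling a failure of the re-initialisation explicitly rather than letting the rule loop below run against a half-initialised ruleset.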