I've fixed several bugs in security_group.py in the last few days. Would be nice if we could get this into 4.1.
commit 381f737e64ed9192e6eea4aeffe1920637f7d835
Author: John Kinsella <j...@stratosec.co>
Date: Wed Mar 13 16:52:49 2013 -0700

Summary: Fix exception handling in security_group.py

Detail: Code was attempting to concatenate an exception to a string. Updated to convert to text and concatenate that.

BUG-ID: CLOUDSTACK-1052

commit 1079d63b6f978b2124db26d7f84f7ae62ba9daa0
Author: John Kinsella <j...@stratosec.co>
Date: Wed Mar 13 17:54:50 2013 -0700

Summary: Prevent deletion of wrong iptables rules

Detail: A grep in security_group.py wasn't defined well enough, could potentially delete rules for VMs other than intended

BUG-ID: CLOUDSTACK-309

commit 08a0788b384f7083eb261dbeec51d3efe5907927
Author: John Kinsella <j...@stratosec.co>
Date: Thu Mar 14 11:48:47 2013 -0700

Summary: security_group.py: catch exception when flushing chain

Detail: Added exception handling around iptables chain flushing, along with a call to default_network_rules() to re-initialize.

Testing: On agent, ls /var/run/cloud and pick one of the VMs to test with. Make a backup of its logfile (e.g. cp /var/run/cloud/i-2-1722.log /tmp).

Destroy the firewall ruleset for that VM with

/usr/lib64/cloud/common/scripts/vm/network/security_group.py destroy_network_rules_for_vm --vmname i-2-1722-VM --vif vnet10

Now copy the log file back, edit the file and decrement the last field by 1.

ACS should notice the out-of-date sequence ID and push a new ruleset for the VM within 60 seconds.

BUG-ID: CLOUDSTACK-309 is fixed by the second commit above; this commit's own ID follows.

BUG-ID: CLOUDSTACK-1685
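
The failure mode named in the second commit (CLOUDSTACK-309), shown as an added example that is not taken from the commits or from security_group.py. It assumes the loose grep was a substring match on a VM name prefix; the rule lines, chain names and both function names are constructed for illustration.

```python
# Constructed `iptables -S` style output for two VMs whose names share a prefix.
SAMPLE_RULES = """\
-A BF-cloudbr0-IN -m physdev --physdev-in vnet10 --physdev-is-bridged -j i-2-17-def
-A BF-cloudbr0-IN -m physdev --physdev-in vnet42 --physdev-is-bridged -j i-2-172-def
-A BF-cloudbr0-OUT -m physdev --physdev-out vnet10 --physdev-is-bridged -j i-2-17-def
-A BF-cloudbr0-OUT -m physdev --physdev-out vnet42 --physdev-is-bridged -j i-2-172-def
-A i-2-17-def -m state --state RELATED,ESTABLISHED -j ACCEPT
-A i-2-172-def -m state --state RELATED,ESTABLISHED -j ACCEPT
""".splitlines()


def rules_loose(rules, vm_prefix):
    """Substring match, like `grep <vm_prefix>`: 'i-2-17' also hits 'i-2-172'."""
    return [r for r in rules if vm_prefix in r]


def rules_strict(rules, vm_prefix):
    """Keep a rule only if a chain token belongs to exactly this VM."""
    matched = []
    for rule in rules:
        tok = rule.split()
        # Chain names are the argument of -A (owning chain) or -j (jump target).
        chains = [tok[i + 1] for i, t in enumerate(tok[:-1]) if t in ("-A", "-j")]
        if any(c == vm_prefix or c.startswith(vm_prefix + "-") for c in chains):
            matched.append(rule)
    return matched


def wrongly_matched(rules, vm_prefix):
    """Rules the loose match would select although they belong to another VM."""
    strict = set(rules_strict(rules, vm_prefix))
    return [r for r in rules_loose(rules, vm_prefix) if r not in strict]


def to_delete_args(rules):
    """Turn '-A ...' listings into '-D ...' argument strings (built, never run)."""
    return ["-D" + r[2:] for r in rules if r.startswith("-A ")]


if __name__ == "__main__":
    for line in wrongly_matched(SAMPLE_RULES, "i-2-17"):
        print("would have been deleted for the wrong VM:", line)
    for args in to_delete_args(rules_strict(SAMPLE_RULES, "i-2-17")):
        print("iptables", args)
```
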