[ https://issues.apache.org/jira/browse/CLOUDSTACK-1685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13602620#comment-13602620 ]
ASF subversion and git services commented on CLOUDSTACK-1685:
-------------------------------------------------------------

Commit c1847cdc5026639d3619a4028aa455ff8d511311 in branch refs/heads/4.1 from Chip Childers <chip.child...@gmail.com>
[ https://git-wip-us.apache.org/repos/asf?p=incubator-cloudstack.git;h=c1847cd ]

Summary: security_group.py: catch exception when flushing chain

Detail: Added exception handling around iptables chain flushing, along with a call to default_network_rules() to re-initialize.

Testing: On agent, ls /var/run/cloud and pick one of the VMs to test with. Make a backup of its logfile (eg cp /var/run/cloud/i-2-1722.log /tmp )
Destroy the firewall ruleset for that VM with /usr/lib64/cloud/common/scripts/vm/network/security_group.py destroy_network_rules_for_vm --vmname i-2-1722-VM --vif vnet10
Now copy the log file back, edit the file and decrement the last field by 1
ACS should notice the out-of-date sequence ID and push a new ruleset for the VM within 60 seconds.

BUG-ID: CLOUDSTACK-1685
Bugfix-for: John Kinsella
Reviewed-by:
Reported-by:
Signed-off-by: John Kinsella <j...@stratosec.co> 1363286927 -0700


> If iptables VM chain is missing, security_group.py crashes
> ----------------------------------------------------------
>
>                 Key: CLOUDSTACK-1685
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1685
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>    Affects Versions: 4.0.0
>            Reporter: John Kinsella
>            Assignee: John Kinsella
>
> If, for some reason, the iptables rules for a specific VM are removed (given using ACS in a network that supports ipchains), security_group.py will not be able to update the ruleset:
>
> 2013-03-14 13:30:31,039 - programming network rules for IP: 50.23.83.141 vmname=i-2-1722-VM
> 2013-03-14 13:30:31,039 - iptables -F i-2-1722-VM
> 2013-03-14 13:30:31,046 - Failed to network rule !: Traceback (most recent call last):
>   File "/usr/lib64/cloud/common/scripts/vm/network/security_group.py", line 626, in add_network_rules
>     execute("iptables -F " + vmchain)
>   File "/usr/lib64/cloud/common/scripts/vm/network/security_group.py", line 35, in execute
>     return bash("-c", cmd).stdout
>   File "/usr/lib/python2.6/site-packages/cloud_utils.py", line 165, in __call__
>     raise e
> CalledProcessError: Command '['/bin/bash', '-c', 'iptables -F i-2-1722-VM']' returned non-zero exit status 1
>
> Running the iptables command by hand gives you:
>
> # iptables -F i-2-1722-VM
> iptables: No chain/target/match by that name.
>
> Several things could happen here - I'm going to suggest that if the script finds the chain missing, that it re-initializes it for that VM, and then continues applying the ruleset (a complete ruleset is passed each time, not just the adds/removes)
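As an added illustration (not the project's code and not the commit above), this Python 3 sketch shows the shape of the fix: a missing chain makes `iptables -F` fail, the CalledProcessError is caught, the chain is re-initialized, and the complete ruleset is then applied instead of the script crashing. FakeIptables and bash_execute are hypothetical helpers written for this example, and the real default_network_rules() does more than just create the chain.

```python
import shlex
import subprocess
from subprocess import CalledProcessError


def bash_execute(cmd):
    """Real executor: run `cmd` via bash -c, raising CalledProcessError on failure."""
    return subprocess.check_output(["/bin/bash", "-c", cmd]).decode()


class FakeIptables:
    """Constructed in-memory stand-in for iptables so the flow runs offline."""

    def __init__(self):
        self.chains = {}  # chain name -> list of rule strings

    def execute(self, cmd):
        argv = shlex.split(cmd)
        if argv[:2] == ["iptables", "-F"]:
            if argv[2] not in self.chains:
                # Mirrors "iptables: No chain/target/match by that name." (exit 1).
                raise CalledProcessError(1, ["/bin/bash", "-c", cmd])
            self.chains[argv[2]] = []
        elif argv[:2] == ["iptables", "-N"]:
            self.chains.setdefault(argv[2], [])
        elif argv[:2] == ["iptables", "-A"]:
            self.chains[argv[2]].append(" ".join(argv[3:]))
        return ""


def default_network_rules(execute, vmchain):
    """Hypothetical re-init: create the VM chain (the script's own also adds base rules)."""
    execute("iptables -N " + vmchain)


def add_network_rules(execute, vmchain, rules):
    """Flush the VM chain, re-creating it if it is missing, then apply the full ruleset."""
    try:
        execute("iptables -F " + vmchain)
        action = "flushed"
    except CalledProcessError:
        # The chain was removed out from under us; rebuild it instead of crashing,
        # since the caller hands us the complete ruleset every time.
        default_network_rules(execute, vmchain)
        action = "reinitialized"
    for rule in rules:
        execute("iptables -A %s %s" % (vmchain, rule))
    return action
```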