[ https://issues.apache.org/jira/browse/CLOUDSTACK-79?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13602629#comment-13602629 ]

John Kinsella commented on CLOUDSTACK-79:
-----------------------------------------

So, there's actually a relatively easy fix for this...

When doing once-per-minute "pings" with hosts, the management server checks to 
see if the security group for each VM is up to date. Each host runs 
/usr/lib64/cloud/common/scripts/vm/network/security_group.py 
get_rule_logs_for_vms and returns the results. If the sequence number of a VM's 
security group is found to be out-of-date, the management server sends down a 
request to add_network_rules again. With my patch in CLOUDSTACK-1685, 
security_group.py will notice chains missing for that VM and re-initialize, and 
then apply the ruleset passed from the master.

So - ACS isn't monitoring for a rule change per se, but it's trivial to get ACS 
to re-apply the ruleset. We could have a script on the agent to allow an 
administrator to request a re-generation of the ruleset for a specific VM.

I wouldn't want to monitor the ruleset itself - it's relatively a PIA to do so 
due to rule-order being important...I guess ACS is the enforcing agent for the 
security group - would want to take that discussion to the mailing list.
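The reconciliation loop described in the comment above, as an added illustration (not CloudStack's own code): a constructed model of a KVM host's rule log and live chains, the once-per-minute report, and the management server's staleness check with and without the post-CLOUDSTACK-1685 chain awareness. The class, function and VM names are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    """Constructed model of a KVM host: its rule log and live iptables chains."""
    rule_log: dict = field(default_factory=dict)   # vm -> last applied seqno
    chains: dict = field(default_factory=dict)     # vm -> rules currently loaded

    def get_rule_logs_for_vms(self):
        """Shape of the per-minute ping answer (constructed): seqno from the
        rule log plus whether the VM's chains actually exist."""
        return {vm: (seq, vm in self.chains) for vm, seq in self.rule_log.items()}

    def add_network_rules(self, vm, seqno, rules):
        """Post-CLOUDSTACK-1685 behaviour (simplified): a missing chain is
        re-initialized before the ruleset from the master is applied."""
        chain = self.chains.setdefault(vm, [])   # re-create the chain if gone
        chain[:] = rules                         # then apply the master's ruleset
        self.rule_log[vm] = seqno

def stale_vms(expected, report, check_chains=True):
    """VMs whose ruleset the management server should push again.

    expected: vm -> current security-group seqno on the management server
    report:   vm -> (logged seqno, chains present) from the host
    check_chains=False is the seqno-only comparison, which is blind to a
    flushed iptables because the host's log still holds the latest seqno."""
    stale = []
    for vm, seqno in expected.items():
        logged, present = report.get(vm, (None, False))
        if logged != seqno or (check_chains and not present):
            stale.append(vm)
    return sorted(stale)

def scenario():
    """Replay the report: rules applied, iptables flushed, then the ping."""
    host = Host()
    expected = {"i-2-7-VM": 3, "i-2-9-VM": 5}            # constructed VMs/seqnos
    rules = {"i-2-7-VM": ["ACCEPT tcp/22"], "i-2-9-VM": ["ACCEPT tcp/80"]}
    for vm in expected:
        host.add_network_rules(vm, expected[vm], rules[vm])
    host.chains.clear()               # flush/restart leaves no VM chains, log untouched
    report = host.get_rule_logs_for_vms()
    seqno_only = stale_vms(expected, report, check_chains=False)   # sees nothing
    chain_aware = stale_vms(expected, report)                      # flags both VMs
    for vm in chain_aware:            # management server re-sends the rules
        host.add_network_rules(vm, expected[vm], rules[vm])
    return seqno_only, chain_aware, dict(host.chains)
```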
                
> CloudStack 3.0.4: firewall rules not restored on KVM host
> ---------------------------------------------------------
>
>                 Key: CLOUDSTACK-79
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-79
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: KVM, Network Controller
>    Affects Versions: pre-4.0.0
>            Reporter: Vladimir Ostrovsky
>             Fix For: 4.1.0
>
>
> I have CloudStack 3.0.4 with a Basic Zone defined. The Zone includes several 
> KVM hosts and uses Security Groups (in other words, IPtables on the hosts) to 
> isolate traffic between VMs.
> The problem: if, for some reason, IPtables on the host are flushed or the 
> iptables service is restarted, the cloud-agent doesn't pull the correct rules 
> from the management server and doesn't synchronize the host with Security 
> Groups definitions in CloudStack. Restarting the cloud-agent service doesn't 
> help either.
> Shouldn't the agent do it?
