Qinshan886 opened a new issue, #9579:
URL: https://github.com/apache/cloudstack/issues/9579

   
   ##### ISSUE TYPE
    * Bug Report
   
   ##### COMPONENT NAME
   ~~~
   Security groups,iptables
   ~~~
   
   ##### CLOUDSTACK VERSION
   
   ~~~
   cloudstack 4.18.1.0
   ~~~
   
   ##### CONFIGURATION
   
   
   ##### OS / ENVIRONMENT
   CentOS 7.9
   
   ##### SUMMARY
   A newly deployed CloudStack 4.18.1.0 agent node is experiencing issues where the security group rules are not being applied to the created instance machines. Additionally, there are errors reported by iptables.
   
   ##### STEPS TO REPRODUCE
   ~~~
   2024-08-23 14:35:26,306 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Failed to get dom xml: org.libvirt.LibvirtException: Domain not found: no domain with matching name 'i-2-5292-VM'
   2024-08-23 14:35:26,308 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Failed to get dom xml: org.libvirt.LibvirtException: Domain not found: no domain with matching name 'i-2-5292-VM'
   2024-08-23 14:35:26,309 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Failed to get dom xml: org.libvirt.LibvirtException: Domain not found: no domain with matching name 'i-2-5292-VM'
   2024-08-23 14:35:26,310 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Executing: /usr/share/cloudstack-common/scripts/vm/network/security_group.py destroy_network_rules_for_vm --vmname i-2-5292-VM
   2024-08-23 14:35:26,312 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Executing while with timeout : 1800000
   2024-08-23 14:35:26,808 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Execution is successful.
   2024-08-23 14:35:26,809 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Chain 'i-2-5292-VM-in' doesn't exist.
   Chain 'i-2-5292-VM-out' doesn't exist.
   Chain 'i-2-5292-VM-in-ips' doesn't exist.
   Chain 'i-2-5292-VM-out-ips' doesn't exist.
   Chain 'i-2-5292-VM-in-src' doesn't exist.
   Chain 'i-2-5292-VM-out-dst' doesn't exist.
   iptables: No chain/target/match by that name.
   iptables: No chain/target/match by that name.
   iptables: No chain/target/match by that name.
   iptables: No chain/target/match by that name.
   iptables: No chain/target/match by that name.
   iptables: No chain/target/match by that name.
   ipset v7.1: The set with the given name does not exist
   ~~~
   
   
   ##### EXPECTED RESULTS
   Here is an example where I created a machine on an agent node with a functioning security group. In this case, both the security group and iptables are working correctly, and there are no iptables errors reported.
   ~~~
   2024-08-23 16:28:22,918 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-2:null) (logid:c5363bc1) Executing: /usr/share/cloudstack-common/scripts/vm/network/security_group.py default_network_rules --vmname i-2-5310-VM --vmid 5310 --vmip 192.168.188.21 --vmmac 1e:00:c6:00:00:95 --vif vnet10 --brname cloudbr0 --nicsecips 0; --isFirstNic
   2024-08-23 16:28:22,920 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-2:null) (logid:c5363bc1) Executing while with timeout : 1800000
   2024-08-23 16:28:24,427 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-2:null) (logid:c5363bc1) Execution is successful.
   2024-08-23 16:28:24,427 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-2:null) (logid:c5363bc1) Chain 'i-2-5310-VM-in' doesn't exist.
   Chain 'i-2-5310-VM-out' doesn't exist.
   Chain 'i-2-5310-VM-in-ips' doesn't exist.
   Chain 'i-2-5310-VM-out-ips' doesn't exist.
   Chain 'i-2-5310-VM-in-src' doesn't exist.
   Chain 'i-2-5310-VM-out-dst' doesn't exist.
   ipset v7.1: The set with the given name does not exist
   ipset v7.1: The set with the given name does not exist
   Chain 'i-2-5310-VM-in' doesn't exist.
   Chain 'i-2-5310-VM-out' doesn't exist.
   Chain 'i-2-5310-VM-in-ips' doesn't exist.
   Chain 'i-2-5310-VM-out-ips' doesn't exist.
   Chain 'i-2-5310-VM-in-src' doesn't exist.
   Chain 'i-2-5310-VM-out-dst' doesn't exist.
   ~~~
   
   ##### ACTUAL RESULTS
   ~~~
   
   ~~~
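
A triage sketch for agent logs like the excerpts in this issue, added here as an example and not part of the original report or of CloudStack's code: it groups `security_group.py` calls by VM and counts the iptables errors that follow each call. The log lines are constructed (VM names, logids and timestamps are made up), and attributing untimestamped script output to the most recent call is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the excerpts above; VM names, logids and times are made up.
PREFIX = "DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-1:null)"
SCRIPT = "/usr/share/cloudstack-common/scripts/vm/network/security_group.py"
SAMPLE_LOG = "\n".join([
    f"2024-01-01 10:00:00,000 {PREFIX} (logid:aaaa0001) Executing: {SCRIPT} destroy_network_rules_for_vm --vmname i-2-100-VM",
    f"2024-01-01 10:00:00,501 {PREFIX} (logid:aaaa0001) Chain 'i-2-100-VM-in' doesn't exist.",
    "Chain 'i-2-100-VM-out' doesn't exist.",
    "iptables: No chain/target/match by that name.",
    "iptables: No chain/target/match by that name.",
    f"2024-01-01 11:00:00,000 {PREFIX} (logid:bbbb0002) Executing: {SCRIPT} default_network_rules --vmname i-2-101-VM --vmid 101 --vif vnet1 --brname cloudbr0",
    f"2024-01-01 11:00:01,001 {PREFIX} (logid:bbbb0002) Chain 'i-2-101-VM-in' doesn't exist.",
    "ipset v7.1: The set with the given name does not exist",
])

CALL_RE = re.compile(r"security_group\.py\s+(\w+)\b.*?--vmname\s+(\S+)")
IPTABLES_ERR = "iptables: No chain/target/match by that name."


def summarize(log_text):
    """Map each VM name to the security_group.py actions run for it and the
    number of iptables errors printed after those calls."""
    summary = defaultdict(lambda: {"actions": [], "iptables_errors": 0})
    current_vm = None
    for line in log_text.splitlines():
        line = line.strip()
        call = CALL_RE.search(line)
        if call:
            action, current_vm = call.group(1), call.group(2)
            summary[current_vm]["actions"].append(action)
        elif line == IPTABLES_ERR and current_vm is not None:
            # Script output carries no timestamp or logid, so it is attributed to
            # the most recent call (assumption: calls are not interleaved).
            summary[current_vm]["iptables_errors"] += 1
    return dict(summary)


def vms_to_review(summary):
    """VMs with iptables errors or with no default_network_rules call in the log."""
    return sorted(vm for vm, info in summary.items() if info["iptables_errors"]
                  or "default_network_rules" not in info["actions"])


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report, "review:", vms_to_review(report))
```

The `Chain ... doesn't exist` and `ipset` lines are ignored because they appear in both excerpts above; only the `iptables: No chain/target/match by that name.` line is specific to the failing one.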
   

