bwsw commented on issue #3088: VM restart with 'rebootVirtualMachine' causes SGs broken with KVM
URL: https://github.com/apache/cloudstack/issues/3088#issuecomment-446323700
 
 
   Upon VM reload, the following actions are taken:
   
   ```
   2018-12-12 02:04:11,342 - Executing command: get_rule_logs_for_vms
   2018-12-12 02:04:11,374 - Found a rebooted VM -- reprogramming rules for i-3022-5317-vm
   2018-12-12 02:04:11,374 - iptables-save | awk '/BF(.*)physdev-is-bridged(.*)i-3022-5317-def/ { sub(/-A/, "-D", $1) ; print }'
   2018-12-12 02:04:11,385 - iptables -D BF-cloudbr1-IN -m physdev --physdev-in vnet22 --physdev-is-bridged -j i-3022-5317-def
   2018-12-12 02:04:11,395 - iptables -D BF-cloudbr1-OUT -m physdev --physdev-out vnet22 --physdev-is-bridged -j i-3022-5317-def
   2018-12-12 02:04:11,403 - ip6tables-save | awk '/BF(.*)physdev-is-bridged(.*)i-3022-5317-def/ { sub(/-A/, "-D", $1) ; print }'
   2018-12-12 02:04:11,421 - ip6tables -D BF-cloudbr1-IN -m physdev --physdev-in vnet22 --physdev-is-bridged -j i-3022-5317-def
   2018-12-12 02:04:11,436 - ip6tables -D BF-cloudbr1-OUT -m physdev --physdev-out vnet22 --physdev-is-bridged -j i-3022-5317-def
   2018-12-12 02:04:11,451 - iptables-save | awk -F '-j ' '/FORWARD -o(.*)physdev-is-bridged(.*)BF/ {print $2}'
   2018-12-12 02:04:11,462 - iptables-save |grep physdev-is-bridged |grep FORWARD |grep BF |grep '\-o' |awk '{print $4}' | head -1
   2018-12-12 02:04:11,491 - iptables -A BF-cloudbr1-IN  -m physdev --physdev-is-bridged --physdev-in vnet22 -j i-3022-5317-def
   2018-12-12 02:04:11,511 - iptables -A BF-cloudbr1-OUT  -m physdev --physdev-is-bridged --physdev-out vnet22 -j i-3022-5317-def
   2018-12-12 02:04:11,532 - ip6tables -A BF-cloudbr1-IN  -m physdev --physdev-is-bridged --physdev-in vnet22 -j i-3022-5317-def
   2018-12-12 02:04:11,558 - ip6tables -A BF-cloudbr1-OUT  -m physdev --physdev-is-bridged --physdev-out vnet22 -j i-3022-5317-def
   2018-12-12 02:04:11,572 - iptables-save | awk '/-A i-3022-5317-def(.*)physdev/ { sub(/-A/, "-D", $1) ; print }'
   2018-12-12 02:04:11,573 - iptables-save | awk '/-A i-3022-5317-def(.*)physdev/ { sub(/-A/, "-D", $1) ; print }'
   2018-12-12 02:04:11,582 - iptables-save | awk '/-A i-3022-5317-def(.*)physdev/ { gsub(/vnet[0-9]+/, "vnet22") ; sub(/-A/, "-D", $1) ; print }'
   2018-12-12 02:04:11,583 - iptables-save | awk '/-A i-3022-5317-def(.*)physdev/ { gsub(/vnet[0-9]+/, "vnet22") ; sub(/-A/, "-D", $1) ; print }'
   2018-12-12 02:04:11,593 - iptables -D i-3022-5317-def -p udp -m physdev --physdev-in vnet22 --physdev-is-bridged -m udp --sport 68 --dport 67 -j ACCEPT
   2018-12-12 02:04:11,602 - iptables -D i-3022-5317-def -p udp -m physdev --physdev-out vnet22 --physdev-is-bridged -m udp --sport 67 --dport 68 -j ACCEPT
   2018-12-12 02:04:11,612 - iptables -D i-3022-5317-def -m physdev --physdev-in vnet22 --physdev-is-bridged -m set ! --match-set i-3022-5317-vm src -j DROP
   2018-12-12 02:04:11,621 - iptables -D i-3022-5317-def -p udp -m physdev --physdev-in vnet22 --physdev-is-bridged -m set --match-set i-3022-5317-vm src -m udp --dport 53 -j RETURN
   2018-12-12 02:04:11,630 - iptables -D i-3022-5317-def -p tcp -m physdev --physdev-in vnet22 --physdev-is-bridged -m set --match-set i-3022-5317-vm src -m tcp --dport 53 -j RETURN
   2018-12-12 02:04:11,640 - iptables -D i-3022-5317-def -m physdev --physdev-in vnet22 --physdev-is-bridged -m set --match-set i-3022-5317-vm src -j i-3022-5317-vm-eg
   2018-12-12 02:04:11,650 - iptables -D i-3022-5317-def -m physdev --physdev-out vnet22 --physdev-is-bridged -j i-3022-5317-vm
   2018-12-12 02:04:11,659 - iptables -D i-3022-5317-def -p udp -m physdev --physdev-in vnet22 --physdev-is-bridged -m udp --sport 68 --dport 67 -j ACCEPT
   2018-12-12 02:04:11,665 - Failed to rewrite antispoofing rules for vm i-3022-5317-vm
   2018-12-12 02:04:11,665 - iptables -D i-3022-5317-def -p udp -m physdev --physdev-out vnet22 --physdev-is-bridged -m udp --sport 67 --dport 68 -j ACCEPT
   2018-12-12 02:04:11,671 - Failed to rewrite antispoofing rules for vm i-3022-5317-vm
   2018-12-12 02:04:11,671 - iptables -D i-3022-5317-def -m physdev --physdev-in vnet22 --physdev-is-bridged -m set ! --match-set i-3022-5317-vm src -j DROP
   2018-12-12 02:04:11,676 - Failed to rewrite antispoofing rules for vm i-3022-5317-vm
   2018-12-12 02:04:11,677 - iptables -D i-3022-5317-def -p udp -m physdev --physdev-in vnet22 --physdev-is-bridged -m set --match-set i-3022-5317-vm src -m udp --dport 53 -j RETURN
   2018-12-12 02:04:11,683 - Failed to rewrite antispoofing rules for vm i-3022-5317-vm
   2018-12-12 02:04:11,683 - iptables -D i-3022-5317-def -p tcp -m physdev --physdev-in vnet22 --physdev-is-bridged -m set --match-set i-3022-5317-vm src -m tcp --dport 53 -j RETURN
   2018-12-12 02:04:11,689 - Failed to rewrite antispoofing rules for vm i-3022-5317-vm
   2018-12-12 02:04:11,690 - iptables -D i-3022-5317-def -m physdev --physdev-in vnet22 --physdev-is-bridged -m set --match-set i-3022-5317-vm src -j i-3022-5317-vm-eg
   2018-12-12 02:04:11,695 - Failed to rewrite antispoofing rules for vm i-3022-5317-vm
   2018-12-12 02:04:11,695 - iptables -D i-3022-5317-def -m physdev --physdev-out vnet22 --physdev-is-bridged -j i-3022-5317-vm
   2018-12-12 02:04:11,701 - Failed to rewrite antispoofing rules for vm i-3022-5317-vm
   2018-12-12 02:04:11,701 - Writing log to /var/run/cloud/i-3022-5317-vm.log
   2018-12-12 02:07:46,208 - Executing command: get_rule_logs_for_vms
   2018-12-12 02:07:46,476 - Executing command: add_network_rules
   2018-12-12 02:07:46,478 - sysctl -w net.bridge.bridge-nf-call-arptables=1
   2018-12-12 02:07:46,481 - sysctl -w net.bridge.bridge-nf-call-iptables=1
   2018-12-12 02:07:46,483 - sysctl -w net.bridge.bridge-nf-call-ip6tables=1
   2018-12-12 02:07:46,496 - iptables -L BF-cloudbr1
   2018-12-12 02:07:46,501 - iptables -L BF-cloudbr1-OUT
   2018-12-12 02:07:46,506 - iptables -L BF-cloudbr1-IN
   2018-12-12 02:07:46,511 - ip6tables -L BF-cloudbr1
   2018-12-12 02:07:46,519 - ip6tables -L BF-cloudbr1-OUT
   2018-12-12 02:07:46,526 - ip6tables -L BF-cloudbr1-IN
   2018-12-12 02:07:46,534 - iptables -n -L BF-cloudbr1 | awk '/BF-cloudbr1(.*)references/ {gsub(/\(/, "") ;print $3}'
   2018-12-12 02:07:46,540 - ip6tables -n -L BF-cloudbr1 | awk '/BF-cloudbr1(.*)references/ {gsub(/\(/, "") ;print $3}'
   2018-12-12 02:07:46,559 - iptables-save | awk '/BF(.*)physdev-is-bridged(.*)i-3022-5317-def/ { sub(/-A/, "-D", $1) ; print }'
   2018-12-12 02:07:46,568 - iptables -D BF-cloudbr1-IN -m physdev --physdev-in vnet22 --physdev-is-bridged -j i-3022-5317-def
   2018-12-12 02:07:46,576 - iptables -D BF-cloudbr1-OUT -m physdev --physdev-out vnet22 --physdev-is-bridged -j i-3022-5317-def
   2018-12-12 02:07:46,584 - ip6tables-save | awk '/BF(.*)physdev-is-bridged(.*)i-3022-5317-def/ { sub(/-A/, "-D", $1) ; print }'
   2018-12-12 02:07:46,605 - ip6tables -D BF-cloudbr1-IN -m physdev --physdev-in vnet22 --physdev-is-bridged -j i-3022-5317-def
   2018-12-12 02:07:46,619 - ip6tables -D BF-cloudbr1-OUT -m physdev --physdev-out vnet22 --physdev-is-bridged -j i-3022-5317-def
   2018-12-12 02:07:46,634 - ebtables -t nat -L PREROUTING | grep i-3022-5317-vm
   2018-12-12 02:07:46,639 - ebtables -t nat -L POSTROUTING | grep i-3022-5317-vm
   2018-12-12 02:07:46,643 - ebtables -t nat -D PREROUTING -i vnet22 -j i-3022-5317-vm-in
   2018-12-12 02:07:46,649 - ebtables -t nat -D POSTROUTING -o vnet22 -j i-3022-5317-vm-out
   2018-12-12 02:07:46,656 - ebtables -t nat -F i-3022-5317-vm-in
   2018-12-12 02:07:46,662 - ebtables -t nat -X i-3022-5317-vm-in
   2018-12-12 02:07:46,669 - ebtables -t nat -F i-3022-5317-vm-out
   2018-12-12 02:07:46,676 - ebtables -t nat -X i-3022-5317-vm-out
   2018-12-12 02:07:46,684 - ebtables -t nat -F i-3022-5317-vm-in-ips
   2018-12-12 02:07:46,690 - ebtables -t nat -X i-3022-5317-vm-in-ips
   2018-12-12 02:07:46,695 - ebtables -t nat -F i-3022-5317-vm-out-ips
   2018-12-12 02:07:46,702 - ebtables -t nat -X i-3022-5317-vm-out-ips
   2018-12-12 02:07:46,708 - iptables -N i-3022-5317-vm
   2018-12-12 02:07:46,712 - iptables -F i-3022-5317-vm
   2018-12-12 02:07:46,720 - ip6tables -N i-3022-5317-vm
   2018-12-12 02:07:46,727 - ip6tables -F i-3022-5317-vm
   2018-12-12 02:07:46,743 - iptables -N i-3022-5317-vm-eg
   2018-12-12 02:07:46,747 - iptables -F i-3022-5317-vm-eg
   2018-12-12 02:07:46,756 - ip6tables -N i-3022-5317-vm-eg
   2018-12-12 02:07:46,764 - ip6tables -F i-3022-5317-vm-eg
   2018-12-12 02:07:46,780 - iptables -N i-3022-5317-def
   2018-12-12 02:07:46,786 - iptables -F i-3022-5317-def
   2018-12-12 02:07:46,793 - ip6tables -N i-3022-5317-def
   2018-12-12 02:07:46,801 - ip6tables -F i-3022-5317-def
   2018-12-12 02:07:46,818 - Creating ipset chain .... i-3022-5317-vm
   2018-12-12 02:07:46,818 - ipset -F i-3022-5317-vm
   2018-12-12 02:07:46,822 - ipset -X i-3022-5317-vm
   2018-12-12 02:07:46,826 - ipset -N i-3022-5317-vm iphash family inet
   2018-12-12 02:07:46,830 - vm ip 176.120.29.236
   2018-12-12 02:07:46,830 - ipset -A i-3022-5317-vm 176.120.29.236
   2018-12-12 02:07:46,834 - Failed to network rule !
   Traceback (most recent call last):
     File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 995, in add_network_rules
       default_network_rules(vmName, vm_id, vm_ip, vm_ip6, vmMac, vif, brname, sec_ips)
     File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 490, in default_network_rules
       if ips[0] == "0":
   IndexError: list index out of range
   ```
   
   After that, the state of iptables is as follows:
   
   ```
   :i-3022-5317-def - [0:0]
   :i-3022-5317-vm - [0:0]
   :i-3022-5317-vm-eg - [0:0]
   ```
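The traceback above stops at `if ips[0] == "0":` with an IndexError, after the `BF-cloudbr1-*` jump rules were deleted and before anything was re-added to the three freshly created chains, which is why the dump shows them empty. The following is an added example, not CloudStack's own code: it reconstructs the kind of secondary-IP parsing that indexes an empty list on empty input, next to a hardened version that returns an empty list instead. The colon-separated format and the `"0"` marker for "no secondary IPs" are assumptions.

```python
# Added example (not CloudStack's code). ASSUMPTION: sec_ips is a string of
# secondary IPs separated and terminated by ':' (e.g. "10.0.0.5:10.0.0.6:"),
# with "0:" meaning "no secondary IPs". An empty string is the input that
# produces the IndexError seen in the traceback.

def parse_secondary_ips_fragile(sec_ips):
    """Reconstruction of the failing pattern: raises IndexError on ''."""
    ips = sec_ips.split(':')
    ips.pop()                  # drop the empty element after the trailing ':'
    if ips[0] == "0":          # ips is already [] when sec_ips was ''
        ips.pop()
    return ips


def parse_secondary_ips(sec_ips):
    """Hardened parser: never indexes an empty list, tolerates None and ''."""
    if not sec_ips:
        return []
    ips = [ip.strip() for ip in sec_ips.split(':') if ip.strip()]
    if ips and ips[0] == "0":
        ips = ips[1:]
    return ips


def fragile_parser_raises(sec_ips):
    """True when the reconstructed pattern would abort rule programming."""
    try:
        parse_secondary_ips_fragile(sec_ips)
        return False
    except IndexError:
        return True


if __name__ == "__main__":
    # Constructed inputs: a VM with two secondary IPs, one with none, and the
    # empty string that matches the rebooted-VM failure in the log above.
    for sample in ("10.0.0.5:10.0.0.6:", "0:", ""):
        print(repr(sample), "fragile raises:", fragile_parser_raises(sample),
              "hardened:", parse_secondary_ips(sample))
```

Because the exception escapes `default_network_rules`, every later step (ipset population, per-VM rules, re-adding the `BF-cloudbr1-*` jumps) is skipped, so a parser that degrades to an empty list keeps the rest of the programming sequence running.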
