cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Kinsella (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-79) CloudStack 3.0.4: firewall rules not restored on KVM host
Date Thu, 14 Mar 2013 19:50:13 GMT


John Kinsella commented on CLOUDSTACK-79:

So, there's actually a relatively easy fix for this...

When doing once-per-minute "pings" with hosts, the management server checks to see if the
security group for each VM is up to date. Each host runs /usr/lib64/cloud/common/scripts/vm/network/
get_rule_logs_for_vms and returns the results. If the sequence number of a VM's security group
is found to be out-of-date, the management server sends down a request to add_network_rules
again. With my patch in CLOUDSTACK-1685, will notice chains missing for
that VM and re-initialize, and then apply the ruleset passed from the master.

So - ACS isn't monitoring for a rule change per-se, but it's trivial to get ACS to re-apply
the ruleset. We could have a script on the agent to allow an administrator to request a re-generation
of the ruleset for a specific VM.

I wouldn't want to monitor the ruleset itself - it's relatively a PIA to do so due to rule-order
being important...I guess ACS is the enforcing agent for the security group - would want to
take that discussion to the mailing list.
> CloudStack 3.0.4: firewall rules not restored on KVM host
> ---------------------------------------------------------
>                 Key: CLOUDSTACK-79
>                 URL:
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: KVM, Network Controller
>    Affects Versions: pre-4.0.0
>            Reporter: Vladimir Ostrovsky
>             Fix For: 4.1.0
> I have CloudStack 3.0.4 with a Basic Zone defined. The Zone includes several KVM hosts
and uses Security Groups (in other words, IPtables on the hosts) to isolate traffic between
> The problem: if, for some reason, IPtables on the host are flushed or the iptables service
is restarted, the cloud-agent doesn't pull the correct rules from the management server and
doesn't synchronize the host with Security Groups definitions in CloudStack. Restart of the
cloud-agent service doesn't help as well.
> Shouldn't the agent do it?

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message