cloudstack-issues mailing list archives

From "John Kinsella (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-309) iptables rules being deleted from wrong VM after a migration
Date Thu, 14 Mar 2013 01:01:10 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13601925#comment-13601925 ]

John Kinsella commented on CLOUDSTACK-309:
------------------------------------------

Confirmed.

On a system including the following iptables rules:
-A BF-cloudbr0-IN -m physdev --physdev-in vnet9 --physdev-is-bridged -j i-2-1713-def 
-A BF-cloudbr0-IN -m physdev --physdev-in vnet10 --physdev-is-bridged -j i-2-1718-def 
-A BF-cloudbr0-IN -m physdev --physdev-in vnet11 --physdev-is-bridged -j i-2-1720-def 
-A BF-cloudbr0-IN -m physdev --physdev-in vnet12 --physdev-is-bridged -j i-2-1722-def 
-A BF-cloudbr0-OUT -m physdev --physdev-out vnet9 --physdev-is-bridged -j i-2-1713-def 
-A BF-cloudbr0-OUT -m physdev --physdev-out vnet10 --physdev-is-bridged -j i-2-1718-def 
-A BF-cloudbr0-OUT -m physdev --physdev-out vnet11 --physdev-is-bridged -j i-2-1720-def 
-A BF-cloudbr0-OUT -m physdev --physdev-out vnet12 --physdev-is-bridged -j i-2-1722-def

executing "locate ^Csconfig.py(reverse-i-search)`py': /usr/lib64/cloud/common/scripts/vm/network/security_group.py destroy_network_rules_for_vm --vmname i-2-17-VM" removed all the above rules.  (With ACS 4.0 release)

Looks like similar statements elsewhere in the script prevent similar effects, going to apply
that fix here as well.
                
> iptables rules being deleted from wrong VM after a migration
> ------------------------------------------------------------
>
>                 Key: CLOUDSTACK-309
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-309
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>    Affects Versions: pre-4.0.0
>         Environment: cloudstack 3.0.2 with kvm on centos
>            Reporter: Francois Scala
>            Assignee: John Kinsella
>             Fix For: 4.1.0
>
>
> First migration :
> 2012-10-09 17:57:26,571 - iptables-save | grep BF | grep i-2-82 | grep physdev-is-bridged | sed 's/-A/-D/'
> 2012-10-09 17:57:26,619 - iptables -A BF-cloudbr0-OUT -m physdev --physdev-is-bridged --physdev-out vnet1 -j i-2-82-def
> 2012-10-09 17:57:26,628 - iptables -A BF-cloudbr0-IN -m physdev --physdev-is-bridged --physdev-in vnet1 -j i-2-82-def
> Second migration, wrong rules are being deleted due to a grep mismatch :
> 2012-10-09 18:33:22,301 - iptables-save | grep BF | grep i-2-8 | grep physdev-is-bridged | sed 's/-A/-D/'
> 2012-10-09 18:33:22,307 - iptables -D BF-cloudbr0-IN -m physdev --physdev-in vnet1 --physdev-is-bridged -j i-2-82-def
> 2012-10-09 18:33:22,317 - iptables -D BF-cloudbr0-OUT -m physdev --physdev-out vnet1 --physdev-is-bridged -j i-2-82-def
> 2012-10-09 18:33:22,372 - iptables -A BF-cloudbr0-OUT -m physdev --physdev-is-bridged --physdev-out vnet2 -j i-2-8-def
> 2012-10-09 18:33:22,382 - iptables -A BF-cloudbr0-IN -m physdev --physdev-is-bridged --physdev-in vnet2 -j i-2-8-def
> Proposed patch :
> /usr/lib64/cloud/agent/scripts/vm/network/security_group.py line 342 :
> <<	delcmd = "iptables-save | grep BF | grep " +  vmchain + " | grep physdev-is-bridged
| sed 's/-A/-D/'"
> >>	delcmd = "iptables-save | grep BF | grep " +  vmchain + "- | grep physdev-is-bridged
| sed 's/-A/-D/'"
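Review bot: in the `>>` line the trailing `-` still leaves `grep` doing an unanchored substring match on a pattern built by concatenating vmchain into a shell pipeline. It does separate i-2-8 from i-2-82 as seen in the log, but the selection would be tighter if it matched the complete jump target as it appears in the logged rules (`-j` followed by vmchain plus `-def`) as a fixed string, and vmchain should be quoted before it reaches the shell. The comment above reports the same over-match from destroy_network_rules_for_vm, so every delete pattern of this shape in the script needs the same treatment, not only line 342.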

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
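
The over-match reported in this thread, reproduced as an added example (not code from security_group.py or the CloudStack project). It assumes the chain prefix for VM i-2-17-VM is "i-2-17", adds two constructed i-2-17-def rules on vnet8 next to the rules quoted in the comment, and uses hypothetical function names.

```python
# Rules in iptables-save format. vnet9..vnet12 come from the comment in this
# thread; the vnet8 / i-2-17 pair is constructed so the right answer is visible.
VMS = {"vnet8": "i-2-17", "vnet9": "i-2-1713", "vnet10": "i-2-1718",
       "vnet11": "i-2-1720", "vnet12": "i-2-1722"}
RULES = [
    f"-A BF-cloudbr0-{d.upper()} -m physdev --physdev-{d} {dev} "
    f"--physdev-is-bridged -j {vm}-def"
    for d in ("in", "out") for dev, vm in VMS.items()
]


def substring_delete_cmds(rules, pattern):
    """Same selection as the logged pipeline:
    grep BF | grep <pattern> | grep physdev-is-bridged | sed 's/-A/-D/'
    Every step is a substring test, so a short chain name matches longer ones."""
    return [r.replace("-A", "-D", 1) for r in rules
            if "BF" in r and pattern in r and "physdev-is-bridged" in r]


def exact_delete_cmds(rules, vmchain):
    """Stricter selection (assumption: the per-VM default chain is always
    '<vmchain>-def', as in the logged rules). Compares the whole -j target."""
    target = vmchain + "-def"
    out = []
    for r in rules:
        tok = r.split()
        if len(tok) < 2 or tok[0] != "-A" or not tok[1].startswith("BF-"):
            continue
        if "--physdev-is-bridged" not in tok or "-j" not in tok[:-1]:
            continue
        if tok[tok.index("-j") + 1] == target:
            out.append(" ".join(["-D"] + tok[1:]))
    return out


if __name__ == "__main__":
    print("substring 'i-2-17' :", len(substring_delete_cmds(RULES, "i-2-17")), "rules deleted")
    print("substring 'i-2-17-':", len(substring_delete_cmds(RULES, "i-2-17-")), "rules deleted")
    print("exact -j target    :", len(exact_delete_cmds(RULES, "i-2-17")), "rules deleted")
    for cmd in exact_delete_cmds(RULES, "i-2-17"):
        print("  iptables", cmd)
```
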
