cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Kinsella (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLOUDSTACK-1685) If iptables VM chain is missing, security_group.py crashes
Date Thu, 14 Mar 2013 18:36:12 GMT
John Kinsella created CLOUDSTACK-1685:
-----------------------------------------

             Summary: If iptables VM chain is missing, security_group.py crashes
                 Key: CLOUDSTACK-1685
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1685
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
    Affects Versions: 4.0.0
            Reporter: John Kinsella
            Assignee: John Kinsella


If, for some reason, the iptables rules for a specific VM are removed (given using ACS in
a network that supports ipchains), security_group.py will not be able to update the ruleset:

2013-03-14 13:30:31,039 -     programming network rules for  IP: 50.23.83.141 vmname=i-2-1722-VM
2013-03-14 13:30:31,039 - iptables -F i-2-1722-VM
2013-03-14 13:30:31,046 - Failed to network rule !: Traceback (most recent call last):
  File "/usr/lib64/cloud/common/scripts/vm/network/security_group.py", line 626, in add_network_rules
    execute("iptables -F " + vmchain)
  File "/usr/lib64/cloud/common/scripts/vm/network/security_group.py", line 35, in execute
    return bash("-c", cmd).stdout
  File "/usr/lib/python2.6/site-packages/cloud_utils.py", line 165, in __call__
    raise e
CalledProcessError: Command '['/bin/bash', '-c', 'iptables -F i-2-1722-VM']' returned non-zero
exit status 1

Running the iptables command by hand gives you:

# iptables -F i-2-1722-VM
iptables: No chain/target/match by that name.

Several things could happen here - I'm going to suggest that if the script finds the chain
missing, that it re-initializes it for that VM, and then continues applying the ruleset (a
complete ruleset is passed each time, not just the adds/removes)

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message