cloudstack-issues mailing list archives

From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-1685) If iptables VM chain is missing, crashes
Date Thu, 14 Mar 2013 19:14:12 GMT


ASF subversion and git services commented on CLOUDSTACK-1685:

Commit 08a0788b384f7083eb261dbeec51d3efe5907927 in branch refs/heads/master from John Kinsella
[;h=08a0788 ]

Summary: catch exception when flushing chain

Detail: Added exception handling around iptables chain flushing, along
with a call to default_network_rules() to re-initialize.

On agent, ls /var/run/cloud and pick one of the VMs to test with. Make a
backup of its logfile (eg cp /var/run/cloud/i-2-1722.log /tmp )
Destroy the firewall ruleset for that VM with
/usr/lib64/cloud/common/scripts/vm/network/ destroy_network_rules_for_vm
--vmname i-2-1722-VM --vif vnet10
Now copy the log file back, edit the file and decrement the last field by 1
ACS should notice the out-of-date sequence ID and push a new ruleset for
the VM within 60 seconds.

Bugfix-for: John Kinsella
Signed-off-by: John Kinsella <> 1363286927 -0700

> If iptables VM chain is missing, crashes
> ----------------------------------------------------------
>                 Key: CLOUDSTACK-1685
>                 URL:
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>    Affects Versions: 4.0.0
>            Reporter: John Kinsella
>            Assignee: John Kinsella
> If, for some reason, the iptables rules for a specific VM are removed (given using ACS
> in a network that supports ipchains), will not be able to update the ruleset:
> 2013-03-14 13:30:31,039 -     programming network rules for  IP: vmname=i-2-1722-VM
> 2013-03-14 13:30:31,039 - iptables -F i-2-1722-VM
> 2013-03-14 13:30:31,046 - Failed to network rule !: Traceback (most recent call last):
>   File "/usr/lib64/cloud/common/scripts/vm/network/", line 626, in add_network_rules
>     execute("iptables -F " + vmchain)
>   File "/usr/lib64/cloud/common/scripts/vm/network/", line 35, in execute
>     return bash("-c", cmd).stdout
>   File "/usr/lib/python2.6/site-packages/", line 165, in __call__
>     raise e
> CalledProcessError: Command '['/bin/bash', '-c', 'iptables -F i-2-1722-VM']' returned
> non-zero exit status 1
> Running the iptables command by hand gives you:
> # iptables -F i-2-1722-VM
> iptables: No chain/target/match by that name.
> Several things could happen here - I'm going to suggest that if the script finds the
> chain missing, that it re-initializes it for that VM, and then continues applying the ruleset
> (a complete ruleset is passed each time, not just the adds/removes)
