incubator-cloudstack-dev mailing list archives

From John Kinsella <...@stratosec.co>
Subject [ACS41][Patch Request] Several patches to security_group.py
Date Thu, 14 Mar 2013 19:28:55 GMT
I've fixed several bugs in security_group.py in the last few days. Would be nice if we could
get this into 4.1.

commit 381f737e64ed9192e6eea4aeffe1920637f7d835
Author: John Kinsella <jlk@stratosec.co>
Date:   Wed Mar 13 16:52:49 2013 -0700

    Summary: Fix exception handling in security_group.py
    
    Detail: Code was attempting to concatenate an exception to a string.
    Updated to convert to text and concatenate that.
    
    BUG-ID: CLOUDSTACK-1052

commit 1079d63b6f978b2124db26d7f84f7ae62ba9daa0
Author: John Kinsella <jlk@stratosec.co>
Date:   Wed Mar 13 17:54:50 2013 -0700

    Summary: Prevent deletion of wrong iptables rules
    
    Detail: A grep in security_group.py wasn't defined well enough, could
    potentially delete rules for VMs other than intended
    
    BUG-ID: CLOUDSTACK-309

commit 08a0788b384f7083eb261dbeec51d3efe5907927
Author: John Kinsella <jlk@stratosec.co>
Date:   Thu Mar 14 11:48:47 2013 -0700

    Summary: security_group.py: catch exception when flushing chain
    
    Detail: Added exception handling around iptables chain flushing, along
    with a call to default_network_rules() to re-initialize.
    
    Testing:
    On agent, ls /var/run/cloud and pick one of the VMs to test with. Make a
    backup of its logfile (e.g. cp /var/run/cloud/i-2-1722.log /tmp )
    Destroy the firewall ruleset for that VM with
    /usr/lib64/cloud/common/scripts/vm/network/security_group.py destroy_network_rules_for_vm --vmname i-2-1722-VM --vif vnet10
    Now copy the log file back, edit the file and decrement the last field by 1
    ACS should notice the out-of-date sequence ID and push a new ruleset for
    the VM within 60 seconds.

    BUG-ID: CLOUDSTACK-1685
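
The wrong-rule deletion described in the second commit (CLOUDSTACK-309) is the general hazard of selecting firewall rules with an unanchored substring match. The following is an added example, not code from security_group.py or from the patch: the message does not show the actual grep, so the rule lines, the function names and the second VM prefix (i-2-17) are constructed for illustration.

```python
import re

# Constructed iptables-save style lines for two VMs whose names share a
# prefix: i-2-17-VM and i-2-1722-VM. Not taken from a real host.
SAMPLE_RULES = [
    "-A FORWARD -m physdev --physdev-in vnet3 --physdev-is-bridged -j i-2-17-VM",
    "-A FORWARD -m physdev --physdev-in vnet10 --physdev-is-bridged -j i-2-1722-VM",
    "-A i-2-17-VM -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A i-2-1722-VM -p tcp -m tcp --dport 443 -j ACCEPT",
]


def select_loose(rules, vm_prefix):
    """Select rules the way an unanchored `grep vm_prefix` would."""
    return [rule for rule in rules if vm_prefix in rule]


def select_anchored(rules, vm_prefix):
    """Select rules only where vm_prefix is a complete name component.

    The prefix must not be preceded by a word character or '-', and must
    not be followed by a word character, so 'i-2-17' matches 'i-2-17-VM'
    but not 'i-2-1722-VM' or 'xi-2-17-VM'.
    """
    pattern = re.compile(r"(?<![\w-])" + re.escape(vm_prefix) + r"(?!\w)")
    return [rule for rule in rules if pattern.search(rule)]


def collateral(rules, vm_prefix):
    """Rules the loose match would delete that belong to another VM."""
    intended = set(select_anchored(rules, vm_prefix))
    return [r for r in select_loose(rules, vm_prefix) if r not in intended]


if __name__ == "__main__":
    for rule in collateral(SAMPLE_RULES, "i-2-17"):
        print("would be deleted by mistake:", rule)
```
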

