Possible bug fix - sanity check please

Jon Marshall Wed, 23 Jan 2019 07:30:35 -0800

The following issue was seen using  CS 4.11.2 in advanced mode with security 
group isolation.


VM (internal name i-2-29-VM)  - is created and works fine with default security 
group allowing inbound SSH and ICMP echo request.

Migrate the VM to another of the compute nodes and the VM migrates and from the 
proxy console the VM can connect out but the default security group inbound is 
not copied across the compute node.   The 
/var/log/cloudstack/agent/security_group.log shows on the compute node the VM 
has migrated to -

2019-01-18 14:54:25,724 - Ignoring failure to delete ebtables chain for vm 
i-2-29-VM
2019-01-18 14:54:25,724 - ebtables -t nat -F i-2-29-VM-out
2019-01-18 14:54:25,730 - Ignoring failure to delete ebtables chain for vm 
i-2-29-VM
2019-01-18 14:54:25,730 - ebtables -t nat -F i-2-29-VM-in-ips
2019-01-18 14:54:25,735 - Ignoring failure to delete ebtables chain for vm 
i-2-29-VM
2019-01-18 14:54:25,735 - ebtables -t nat -F i-2-29-VM-out-ips
2019-01-18 14:54:25,740 - Ignoring failure to delete ebtables chain for vm 
i-2-29-VM
2019-01-18 14:54:25,741 - iptables -N i-2-29-VM
2019-01-18 14:54:25,745 - ip6tables -N i-2-29-VM
2019-01-18 14:54:25,749 - iptables -N i-2-29-VM-eg
2019-01-18 14:54:25,753 - ip6tables -N i-2-29-VM-eg
2019-01-18 14:54:25,758 - iptables -N i-2-29-def
2019-01-18 14:54:25,763 - ip6tables -N i-2-29-def
2019-01-18 14:54:25,767 - Creating ipset chain .... i-2-29-VM
2019-01-18 14:54:25,768 - ipset -F i-2-29-VM
2019-01-18 14:54:25,772 - ipset chain not exists creating.... i-2-29-VM
2019-01-18 14:54:25,772 - ipset -N i-2-29-VM iphash family inet
2019-01-18 14:54:25,777 - vm ip 172.30.6.62019-01-18 14:54:25,777 - ipset -A 
i-2-29-VM 172.30.6.60
2019-01-18 14:54:25,782 - Failed to network rule !
Traceback (most recent call last):
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", 
line 995, in add_network_rules
    default_network_rules(vmName, vm_id, vm_ip, vm_ip6, vmMac, vif, brname, 
sec_ips)
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", 
line 490, in default_network_rules
    if ips[0] == "0":
IndexError: list index out of range

 Added a few lines to debug the script security_group.py and it would appear 
this line (line 487) is the culprit -

ips = sec_ips.split(';')

as far as I can tell the separator should be a colon (':') and not a semi colon 
or at least on my setup.  Once changed to -

ips = sec_ips.split(':')

the iptables rules were updated correctly on the host the VM was migrated to.

I don't know if this is the right change to make as the script is over a 1000 
lines long and imports other modules so woudl appreciate any input as this 
seems to be a key function of Advanced with security groups.

Thanks

Jon

Possible bug fix - sanity check please

Reply via email to