From 08a0788b384f7083eb261dbeec51d3efe5907927 Mon Sep 17 00:00:00 2001 From: John Kinsella Date: Thu, 14 Mar 2013 11:48:47 -0700 Subject: [PATCH] Summary: security_group.py: catch exception when flushing chain Detail: Added exception handling around iptables chain flushing, along with a call to default_network_rules() to re-initialize. Testing: On agent, ls /var/run/cloud and pick one of the VMs to test with. Make a backup of it's logfile (eg cp /var/run/cloud/i-2-1722.log /tmp ) Destroy the firewall ruleset for that VM with /usr/lib64/cloud/common/scripts/vm/network/security_group.py destroy_network_rules_for_vm --vmname i-2-1722-VM --vif vnet10 Now copy the log file back, edit the file and decrement the last field by 1 ACS should notice the out-of-date sequence ID and push a new ruleset for the VM within 60 seconds. BUG-ID: CLOUDSTACK-1685 Bugfix-for: John Kinsella Reviewed-by: Reported-by: Signed-off-by: John Kinsella 1363286927 -0700
---
 scripts/vm/network/security_group.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index 1bcbc3e10fc..03e35fbba6d 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -622,10 +622,14 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
     lines = rules.split(';')[:-1]
     logging.debug(" programming network rules for IP: " + vm_ip + " vmname=" + vm_name)
-    vmchain = vm_name
-    execute("iptables -F " + vmchain)
-    egress_vmchain = egress_chain_name(vm_name)
-    execute("iptables -F " + egress_vmchain)
+    try:
+        vmchain = vm_name
+        execute("iptables -F " + vmchain)
+        egress_vmchain = egress_chain_name(vm_name)
+        execute("iptables -F " + egress_vmchain)
+    except:
+        logging.debug("Error flushing iptables rules for " + vmchain + ". Presuming firewall rules deleted, re-initializing." )
+        default_network_rules(vm_name, vm_id, vm_ip, vmMac, vif, brname)
     egressrule = 0
     for line in lines: