apache / cloudstack

Apache CloudStack is an opensource Infrastructure as a Service (IaaS) cloud computing platform
https://cloudstack.apache.org/
Apache License 2.0

In CloudStack, when creating an instance, the security group is not applied, and there are errors reported by iptables. #9579

Open Qinshan886 opened 2 months ago

Qinshan886 commented 2 months ago
ISSUE TYPE
COMPONENT NAME
Security groups, iptables
CLOUDSTACK VERSION
cloudstack 4.18.1.0
CONFIGURATION
OS / ENVIRONMENT

Centos 7.9

SUMMARY

A newly deployed CloudStack 4.18.1.0 agent node is experiencing issues where the security group rules are not being applied to the created instance machines. Additionally, there are errors reported by iptables.

STEPS TO REPRODUCE
2024-08-23 14:35:26,306 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Failed to get dom xml: org.libvirt.LibvirtException: Domain not found: no domain with matching name 'i-2-5292-VM'
2024-08-23 14:35:26,308 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Failed to get dom xml: org.libvirt.LibvirtException: Domain not found: no domain with matching name 'i-2-5292-VM'
2024-08-23 14:35:26,309 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Failed to get dom xml: org.libvirt.LibvirtException: Domain not found: no domain with matching name 'i-2-5292-VM'
2024-08-23 14:35:26,310 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Executing: /usr/share/cloudstack-common/scripts/vm/network/security_group.py destroy_network_rules_for_vm --vmname i-2-5292-VM
2024-08-23 14:35:26,312 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Executing while with timeout : 1800000
2024-08-23 14:35:26,808 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Execution is successful.
2024-08-23 14:35:26,809 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Chain 'i-2-5292-VM-in' doesn't exist.
Chain 'i-2-5292-VM-out' doesn't exist.
Chain 'i-2-5292-VM-in-ips' doesn't exist.
Chain 'i-2-5292-VM-out-ips' doesn't exist.
Chain 'i-2-5292-VM-in-src' doesn't exist.
Chain 'i-2-5292-VM-out-dst' doesn't exist.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ipset v7.1: The set with the given name does not exist
EXPECTED RESULTS

Here is an example where I created a machine on an agent node with a functioning security group. In this case, both the security group and iptables are working correctly, and there are no iptables errors reported.

2024-08-23 16:28:22,918 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-2:null) (logid:c5363bc1) Executing: /usr/share/cloudstack-common/scripts/vm/network/security_group.py default_network_rules --vmname i-2-5310-VM --vmid 5310 --vmip 192.168.188.21 --vmmac 1e:00:c6:00:00:95 --vif vnet10 --brname cloudbr0 --nicsecips 0; --isFirstNic
2024-08-23 16:28:22,920 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-2:null) (logid:c5363bc1) Executing while with timeout : 1800000
2024-08-23 16:28:24,427 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-2:null) (logid:c5363bc1) Execution is successful.
2024-08-23 16:28:24,427 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-2:null) (logid:c5363bc1) Chain 'i-2-5310-VM-in' doesn't exist.
Chain 'i-2-5310-VM-out' doesn't exist.
Chain 'i-2-5310-VM-in-ips' doesn't exist.
Chain 'i-2-5310-VM-out-ips' doesn't exist.
Chain 'i-2-5310-VM-in-src' doesn't exist.
Chain 'i-2-5310-VM-out-dst' doesn't exist.
ipset v7.1: The set with the given name does not exist
ipset v7.1: The set with the given name does not exist
Chain 'i-2-5310-VM-in' doesn't exist.
Chain 'i-2-5310-VM-out' doesn't exist.
Chain 'i-2-5310-VM-in-ips' doesn't exist.
Chain 'i-2-5310-VM-out-ips' doesn't exist.
Chain 'i-2-5310-VM-in-src' doesn't exist.
Chain 'i-2-5310-VM-out-dst' doesn't exist.
ACTUAL RESULTS
weizhouapache commented 2 months ago

It looks like the error happened when destroying network rules for a stopping VM (the command is destroy_network_rules_for_vm). They are just some warnings, I think.

DaanHoogland commented 2 months ago

@Qinshan886 is there a malfunction in your system? A deletion of a rule that does not exist is just a warning unless a rule remains that should have been deleted.
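A host-side check for the question this thread turns on: "Chain doesn't exist" messages from destroy_network_rules_for_vm are expected, so what an operator actually wants to verify is whether a running instance has its per-VM chains declared and jumped to, and whether anything for a destroyed instance was left behind. This is an added example, not CloudStack's own code; it works on the text of `iptables-save`, and the sample dumps, bridge chain names (BF-cloudbr0-IN/OUT) and rules in it are constructed.

```shell
# Chain suffixes security_group.py creates per VM, as named in the agent
# log above. The iptables-save samples, bridge chain names and rules below
# are constructed for this example, not taken from a real host.
SG_SUFFIXES="in out in-ips out-ips in-src out-dst"

# sg_vm_applied VMNAME DUMP: succeed if every expected chain is declared in
# DUMP (iptables-save text) and the -in/-out chains are the jump target of
# some rule; a declared chain that nothing jumps to filters no traffic.
sg_vm_applied() {
    vm=$1; dump=$2; bad=0
    for s in $SG_SUFFIXES; do
        printf '%s\n' "$dump" | grep -q -- "^:$vm-$s " \
            || { echo "missing chain: $vm-$s"; bad=1; }
    done
    for s in "in" "out"; do
        printf '%s\n' "$dump" | grep -q -- "^-A .* -j $vm-$s\$" \
            || { echo "chain never jumped to: $vm-$s"; bad=1; }
    done
    return $bad
}

# sg_vm_cleaned VMNAME DUMP: succeed if no chain, rule or jump for VMNAME
# remains after destroy_network_rules_for_vm; any leftovers are printed.
sg_vm_cleaned() {
    ! printf '%s\n' "$2" | grep -- "$1-"
}

# Constructed dump: instance i-2-5310-VM running with rules applied.
RUNNING_DUMP='*filter
:FORWARD ACCEPT [0:0]
:BF-cloudbr0-IN - [0:0]
:BF-cloudbr0-OUT - [0:0]
:i-2-5310-VM-in - [0:0]
:i-2-5310-VM-out - [0:0]
:i-2-5310-VM-in-ips - [0:0]
:i-2-5310-VM-out-ips - [0:0]
:i-2-5310-VM-in-src - [0:0]
:i-2-5310-VM-out-dst - [0:0]
-A FORWARD -o cloudbr0 -j BF-cloudbr0-IN
-A BF-cloudbr0-IN -m physdev --physdev-out vnet10 -j i-2-5310-VM-in
-A BF-cloudbr0-OUT -m physdev --physdev-in vnet10 -j i-2-5310-VM-out
-A i-2-5310-VM-in -j i-2-5310-VM-in-ips
COMMIT'
# Constructed dump: destroyed i-2-5292-VM whose -in chain and jump remain.
STALE_DUMP='*filter
:BF-cloudbr0-IN - [0:0]
:i-2-5292-VM-in - [0:0]
-A BF-cloudbr0-IN -m physdev --physdev-out vnet9 -j i-2-5292-VM-in
COMMIT'
```

On a real host run it as `sg_vm_applied i-2-5310-VM "$(iptables-save)"` after the instance starts, and `sg_vm_cleaned i-2-5292-VM "$(iptables-save)"` after it is destroyed; a non-zero exit from the first is the symptom reported here, a non-zero exit from the second is the leftover-rule case the last comment asks about.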