yahoo-eng-team team mailing list archive
Message #28979
[Bug 1043886] Re: Firewall rules are not updated if you restart nova-compute
** Changed in: nova
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1043886
Title:
Firewall rules are not updated if you restart nova-compute
Status in OpenStack Compute (Nova):
Fix Released
Bug description:
IptablesFirewallDriver from nova/virt/firewall.py keeps a list of instances in self.instances. When nova-compute starts this is empty. It is not loaded at start in some way; instead it is filled using the prepare_instance_filter method.

This method is called from the virt drivers in a few scenarios that are different on libvirt and xenapi (these are the ones I checked). On xenapi it only happens during spawn; on libvirt it also happens during hard reboot.

This means that if you have some running instances using some security group, and then for some reason restart the nova-compute service, updates to the security group (i.e. adding/removing some rule) will not be propagated to iptables correctly. On libvirt you can "fix" this by rebooting an instance hard. On xenapi you can't fix it.

I added an ugly hack to make xenapi work like I want it to (but I can see that it is not fit for inclusion). I would be happy to fix this in some less ugly way if someone gave me a helpful hint of what the core devs would consider to be a good way to solve it.

To me perhaps the reasonable thing would be for IptablesFirewallDriver to treat self.instances as a cache and, if some instance is not there, check if it is running and if so fetch the network_info and do prepare_instance_filter.

Anyway, here is my ugly hack patch; perhaps it helps someone or gives more insight into what I mean :-):
--- /home/atomia/jma_backup/nova/virt/xenapi/vmops.py 2012-06-12 15:04:56.000000000 +0200
+++ /usr/lib/python2.7/dist-packages/nova/virt/xenapi/vmops.py 2012-08-30 16:37:58.226715150 +0200
@@ -32,6 +32,7 @@
from nova.compute import api as compute
from nova.compute import power_state
+from nova.compute import utils as compute_utils
from nova import context as nova_context
from nova import db
from nova import exception
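Review bot: the second hunk does `import nova.network` inside the method body; that import belongs here with the other module-level imports (for example `from nova import network`, next to the new `compute_utils` import) so it is resolved once at load time instead of on every refresh_security_group_rules call.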
@@ -1749,6 +1750,16 @@
def refresh_security_group_rules(self, security_group_id):
""" recreates security group rules for every instance """
+ LOG.debug("JMA: refresh_security_group_rules for " + str(security_group_id) + ", the firewall driver is of type " + self.firewall_driver.__class__.__name__)
+
+ import nova.network
+ nw_api = nova.network.API()
+ context = nova_context.get_admin_context()
+ security_group = db.security_group_get(context, security_group_id)
+ for instance in security_group['instances']:
+ nw_info = compute_utils.legacy_network_info(nw_api.get_instance_nw_info(context, instance))
+ self.firewall_driver.prepare_instance_filter(instance, nw_info)
+
self.firewall_driver.refresh_security_group_rules(security_group_id)
def refresh_security_group_members(self, security_group_id):
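Review bot: prepare_instance_filter is called for every instance in security_group['instances'] with no check that the instance is running on this compute node or is already present in the driver's self.instances, so each refresh would create filter rules on this host for instances hosted elsewhere and repeat the DB and network calls for every member on every rule change. Restrict the loop to instances hosted here that are missing from the driver's cache, or, as the description itself proposes, move the cache fill into IptablesFirewallDriver so that both xenapi and libvirt get it. The debug line should also drop the personal "JMA:" tag and use the logger's lazy formatting, e.g. `LOG.debug("refresh_security_group_rules for %s, driver %s", security_group_id, self.firewall_driver.__class__.__name__)`, rather than string concatenation.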
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1043886/+subscriptions
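The following is an added example, not code from nova or from the bug reporter: a small in-memory model of the bug above, with constructed stand-ins (FakeIptables, SecurityGroupDB, CachingFirewallDriver) for iptables, the nova DB and the firewall driver's instance cache. It shows a rule change being silently dropped after a simulated nova-compute restart, and the proposed cache-refill fix picking it up.

```python
class FakeIptables:
    """Constructed stand-in for the host's iptables: instance id -> rule list."""
    def __init__(self):
        self.chains = {}


class SecurityGroupDB:
    """Constructed stand-in for the nova DB: group id -> rules and member ids."""
    def __init__(self):
        self.groups = {}


class CachingFirewallDriver:
    """Models IptablesFirewallDriver: rules are regenerated only for
    instances present in self.instances (one group per instance here)."""
    def __init__(self, iptables, db, running_instances, lazy=False):
        self.iptables, self.db = iptables, db
        self.instances = {}               # instance id -> group id (the cache)
        self.running = running_instances  # instances actually up on this host
        self.lazy = lazy                  # proposed fix: refill cache on demand

    def prepare_instance_filter(self, instance_id, group_id):
        self.instances[instance_id] = group_id   # only called on spawn
        self._apply(instance_id, group_id)

    def _apply(self, instance_id, group_id):
        self.iptables.chains[instance_id] = list(self.db.groups[group_id]["rules"])

    def refresh_security_group_rules(self, group_id):
        if self.lazy:
            # Proposed fix: treat self.instances as a cache and add running
            # members that are missing (e.g. after a nova-compute restart).
            for inst in self.db.groups[group_id]["members"]:
                if inst not in self.instances and inst in self.running:
                    self.instances[inst] = group_id
        for inst, gid in self.instances.items():
            if gid == group_id:
                self._apply(inst, gid)


def simulate(lazy):
    """Spawn vm-a, restart nova-compute, add a rule; return vm-a's rules."""
    ipt, db = FakeIptables(), SecurityGroupDB()
    db.groups["sg-1"] = {"rules": ["allow tcp 22"], "members": ["vm-a"]}
    drv = CachingFirewallDriver(ipt, db, running_instances={"vm-a"}, lazy=lazy)
    drv.prepare_instance_filter("vm-a", "sg-1")          # spawn
    # Restart: a fresh driver object with an empty cache, vm-a still running.
    drv = CachingFirewallDriver(ipt, db, running_instances={"vm-a"}, lazy=lazy)
    db.groups["sg-1"]["rules"].append("allow tcp 80")    # operator adds a rule
    drv.refresh_security_group_rules("sg-1")
    return ipt.chains["vm-a"]
```

simulate(False) leaves vm-a with only the original rule, which is the stale state the report describes; simulate(True) applies the new rule.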