OpenStack Compute (nova)

reboot instance does not restore security group rules

Bug #704300 reported by Koji Iida on 2011-01-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	High	Tushar Patil	OpenStack Compute (nova) 2011.2 "cactus"

Bug Description

When rebooting instance , firewall rules which have been applied to that instance are not restored.

revision: lp:nova 572

(nova.compute.manager 2011.1-LOCALBRANCH:LOCALREVISION): INFO [IUIZZRCSWQTQT9POCBHE admin admin] check_instance_lock: decorating: |<function reboot_instance at 0x2ef4c80>|
(nova.compute.manager 2011.1-LOCALBRANCH:LOCALREVISION): INFO [IUIZZRCSWQTQT9POCBHE admin admin] check_instance_lock: arguments: |<nova.compute.manager.ComputeManager object at 0x2edc250>| |<nova.context.RequestContext object at 0x42d0ed0>| |1|
(nova.compute.manager 2011.1-LOCALBRANCH:LOCALREVISION): DEBUG [IUIZZRCSWQTQT9POCBHE admin admin] instance 1: getting locked state from MainProcess (pid=11825) get_lock /opt/openstack/nova/nova/compute/manager.py:493
(nova.compute.manager 2011.1-LOCALBRANCH:LOCALREVISION): INFO [IUIZZRCSWQTQT9POCBHE admin admin] check_instance_lock: locked: |False|
(nova.compute.manager 2011.1-LOCALBRANCH:LOCALREVISION): INFO [IUIZZRCSWQTQT9POCBHE admin admin] check_instance_lock: admin: |True|
(nova.compute.manager 2011.1-LOCALBRANCH:LOCALREVISION): INFO [IUIZZRCSWQTQT9POCBHE admin admin] check_instance_lock: executing: |<function reboot_instance at 0x2ef4c80>|
(nova.compute.manager 2011.1-LOCALBRANCH:LOCALREVISION): AUDIT [IUIZZRCSWQTQT9POCBHE admin admin] Rebooting instance 1
libvir: QEMU error : Domain not found: no domain with matching name 'instance-00000001'
(nova.root 2011.1-LOCALBRANCH:LOCALREVISION): INFO [N/A] new_filter: # Generated by iptables-save v1.4.4 on Tue Jan 18 16:38:10 2011
*filter
:INPUT ACCEPT [114826:171358827]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12474:761315]
:nova-fallback - [0:0]
:nova-local - [0:0]
-A nova-fallback -j DROP
-A FORWARD -j nova-local
-A FORWARD -o br100 -j ACCEPT
-A FORWARD -i br100 -j ACCEPT
COMMIT
# Completed on Tue Jan 18 16:38:10 2011

(nova.root 2011.1-LOCALBRANCH:LOCALREVISION): INFO [N/A] new_filter: # Generated by ip6tables-save v1.4.4 on Tue Jan 18 16:38:10 2011
*filter
:INPUT ACCEPT [8:768]
:FORWARD ACCEPT [11:912]
:OUTPUT ACCEPT [12:748]
:nova-fallback - [0:0]
:nova-local - [0:0]
-A nova-fallback -j DROP
-A FORWARD -j nova-local
COMMIT
# Completed on Tue Jan 18 16:38:10 2011

(nova.virt.libvirt_conn 2011.1-LOCALBRANCH:LOCALREVISION): DEBUG [N/A] instance instance-00000001: starting toXML method from MainProcess (pid=11825) to_xml /opt/openstack/nova/nova/virt/libvirt_conn.py:647
(nova.virt.libvirt_conn 2011.1-LOCALBRANCH:LOCALREVISION): DEBUG [N/A] instance instance-00000001: starting toXML method from MainProcess (pid=11825) to_xml /opt/openstack/nova/nova/virt/libvirt_conn.py:650
(nova.virt.libvirt_conn 2011.1-LOCALBRANCH:LOCALREVISION): DEBUG [N/A] instance instance-00000001: finished toXML method from MainProcess (pid=11825) to_xml /opt/openstack/nova/nova/virt/libvirt_conn.py:717
(nova.virt.libvirt_conn 2011.1-LOCALBRANCH:LOCALREVISION): DEBUG [N/A] instance instance-00000001: rebooted from MainProcess (pid=11825) _wait_for_reboot /opt/openstack/nova/nova/virt/libvirt_conn.py:317

Related branches

lp:~tpatil/nova/bug704300

Merged into lp:~hudson-openstack/nova/trunk at revision 845

Trey Morris (community): Approve on 2011-03-22

Vish Ishaya (community): Approve on 2011-03-22

Koji Iida (community): Approve on 2011-03-18

Devin Carlen (community): Approve on 2011-03-14

Soren Hansen: Pending requested 2011-03-17

Revision history for this message

Thierry Carrez (ttx) wrote on 2011-02-23:

That's a bit ancient revision, lots of changes have happened in that area since. Any chance you could test and reproduce with the released Bexar, or with the current Cactus trunk ?

Changed in nova:
status:	New → Incomplete

Revision history for this message

Koji Iida (iida-koji) wrote on 2011-02-24:

Download full text (3.9 KiB)

Yes, I got same result with rev 728.

libvirt_conn.py:reboot()
----
    def reboot(self, instance):
        self.destroy(instance, False)
        xml = self.to_xml(instance)
        self._conn.createXML(xml, 0)
        timer = utils.LoopingCall(f=None)
----

self.destroy() called from reboot() deletes iptables rule of this instance. But reboot() function does not re-create iptables rule for this instance.
That is why iptables rules are disappeared when instance is rebooted.

Here are output of iptables-save before and after euca-reboot-instance.

root@usv401:/opt/openstack# euca-run-instances -g secgrp1 -k test -t m1.tiny ami-tiny
RESERVATION r-8xkekwbe admin secgrp1
INSTANCE i-00000001 ami-tiny scheduling test (admin, None) 0 m1.tiny 2011-02-24T07:04:48Z unknown zone
root@usv401:/opt/openstack# euca-describe-instances
RESERVATION r-8xkekwbe admin secgrp1
INSTANCE i-00000001 ami-tiny 10.0.0.3 10.0.0.3 running test (admin, usv401) 0 m1.tiny 2011-02-24T07:04:48Z nova
root@usv401:/opt/openstack# iptables-save
# Generated by iptables-save v1.4.4 on Thu Feb 24 16:06:42 2011
*nat
:PREROUTING ACCEPT [4:939]
:POSTROUTING ACCEPT [25:1500]
:OUTPUT ACCEPT [27:2186]
:SNATTING - [0:0]
-A PREROUTING -d 192.168.6.41/32 -p udp -m udp --dport 2000 -j DNAT --to-destination 10.0.0.2:1194
-A PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.6.41:8773
-A POSTROUTING -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A POSTROUTING -s 10.0.0.0/8 -d 10.128.0.0/24 -j ACCEPT
-A POSTROUTING -j SNATTING
-A SNATTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.6.41
COMMIT
# Completed on Thu Feb 24 16:06:42 2011
# Generated by iptables-save v1.4.4 on Thu Feb 24 16:06:42 2011
*filter
:INPUT ACCEPT [28696:167045505]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28707:167053799]
:nova-fallback - [0:0]
:nova-inst-1 - [0:0]
:nova-local - [0:0]
:nova-sg-2 - [0:0]
-A FORWARD -j nova-local
-A FORWARD -o br100 -j ACCEPT
-A FORWARD -i br100 -j ACCEPT
-A FORWARD -d 10.0.0.2/32 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -j nova-local
-A nova-fallback -j DROP
-A nova-inst-1 -m state --state INVALID -j DROP
-A nova-inst-1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-inst-1 -j nova-sg-2
-A nova-inst-1 -s 10.0.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-inst-1 -s 10.0.0.0/27 -j ACCEPT
-A nova-inst-1 -j nova-fallback
-A nova-local -d 10.0.0.3/32 -j nova-inst-1
COMMIT
# Completed on Thu Feb 24 16:06:42 2011
root@usv401:/opt/openstack# euca-reboot-instances i-00000001
INSTANCE i-00000001
root@usv401:/opt/openstack# euca-describe-instances
RESERVATION r-8xkekwbe admin secgrp1
INSTANCE i-00000001 ami-tiny 10.0.0.3 10.0.0.3 running test (admin, usv401) 0 m1.tiny 2011-02-24T07:04:48Z nova
root@usv401:/opt/openstack# iptables-save
# Generated by iptables-save v1.4.4 on Thu Feb 24 16:08:04 2011
*nat
:PREROUTING ACCEPT [5:1247]
:POSTROUTING ACCEPT [30:1800]
:OUTPUT ACCEPT [33:2829]
:SNATTING - [0:0]
-A PREROUTING -d 192.168.6.41/32 -p udp -m u...

Yes, I got same result with rev 728.

Here are output of iptables-save before and after euca-reboot-instance.

root@usv401:/opt/openstack# euca-run-instances -g secgrp1 -k test -t m1.tiny ami-tiny
RESERVATION     r-8xkekwbe      admin   secgrp1
INSTANCE        i-00000001      ami-tiny                        scheduling      test (admin, None)      0               m1.tiny 2011-02-24T07:04:48Z    unknown zone
root@usv401:/opt/openstack# euca-describe-instances
RESERVATION     r-8xkekwbe      admin   secgrp1
INSTANCE        i-00000001      ami-tiny        10.0.0.3        10.0.0.3        running test (admin, usv401)    0               m1.tiny 2011-02-24T07:04:48Z    nova
root@usv401:/opt/openstack#  iptables-save
# Generated by iptables-save v1.4.4 on Thu Feb 24 16:06:42 2011
*nat
:PREROUTING ACCEPT [4:939]
:POSTROUTING ACCEPT [25:1500]
:OUTPUT ACCEPT [27:2186]
:SNATTING - [0:0]
-A PREROUTING -d 192.168.6.41/32 -p udp -m udp --dport 2000 -j DNAT --to-destination 10.0.0.2:1194
-A PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.6.41:8773
-A POSTROUTING -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A POSTROUTING -s 10.0.0.0/8 -d 10.128.0.0/24 -j ACCEPT
-A POSTROUTING -j SNATTING
-A SNATTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.6.41
COMMIT
# Completed on Thu Feb 24 16:06:42 2011
# Generated by iptables-save v1.4.4 on Thu Feb 24 16:06:42 2011
*filter
:INPUT ACCEPT [28696:167045505]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28707:167053799]
:nova-fallback - [0:0]
:nova-inst-1 - [0:0]
:nova-local - [0:0]
:nova-sg-2 - [0:0]
-A FORWARD -j nova-local
-A FORWARD -o br100 -j ACCEPT
-A FORWARD -i br100 -j ACCEPT
-A FORWARD -d 10.0.0.2/32 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -j nova-local
-A nova-fallback -j DROP
-A nova-inst-1 -m state --state INVALID -j DROP
-A nova-inst-1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-inst-1 -j nova-sg-2
-A nova-inst-1 -s 10.0.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-inst-1 -s 10.0.0.0/27 -j ACCEPT
-A nova-inst-1 -j nova-fallback
-A nova-local -d 10.0.0.3/32 -j nova-inst-1
COMMIT
# Completed on Thu Feb 24 16:06:42 2011
root@usv401:/opt/openstack# euca-reboot-instances i-00000001
INSTANCE        i-00000001
root@usv401:/opt/openstack# euca-describe-instances
RESERVATION     r-8xkekwbe      admin   secgrp1
INSTANCE        i-00000001      ami-tiny        10.0.0.3        10.0.0.3        running test (admin, usv401)    0               m1.tiny 2011-02-24T07:04:48Z    nova
root@usv401:/opt/openstack# iptables-save
# Generated by iptables-save v1.4.4 on Thu Feb 24 16:08:04 2011
*nat
:PREROUTING ACCEPT [5:1247]
:POSTROUTING ACCEPT [30:1800]
:OUTPUT ACCEPT [33:2829]
:SNATTING - [0:0]
-A PREROUTING -d 192.168.6.41/32 -p udp -m udp --dport 2000 -j DNAT --to-destination 10.0.0.2:1194
-A PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.6.41:8773
-A POSTROUTING -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A POSTROUTING -s 10.0.0.0/8 -d 10.128.0.0/24 -j ACCEPT
-A POSTROUTING -j SNATTING
-A SNATTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.6.41
COMMIT
# Completed on Thu Feb 24 16:08:04 2011
# Generated by iptables-save v1.4.4 on Thu Feb 24 16:08:04 2011
*filter
:INPUT ACCEPT [7621:502667]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7638:507563]
:nova-fallback - [0:0]
:nova-local - [0:0]
-A FORWARD -j nova-local
-A FORWARD -o br100 -j ACCEPT
-A FORWARD -i br100 -j ACCEPT
-A FORWARD -d 10.0.0.2/32 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -j nova-local
-A nova-fallback -j DROP
COMMIT
# Completed on Thu Feb 24 16:08:04 2011

Thierry Carrez (ttx) on 2011-02-24

Changed in nova:
importance:	Undecided → High
status:	Incomplete → Confirmed

Tushar Patil (tpatil) on 2011-03-11

Changed in nova:
status:	Confirmed → In Progress

Thierry Carrez (ttx) on 2011-03-17

Changed in nova:
assignee:	nobody → Tushar Patil (tpatil)

OpenStack Infra (hudson-openstack) on 2011-03-22

Changed in nova:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2011-04-15

Changed in nova:
milestone:	none → 2011.2
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.