In CloudStack, when creating an instance, the security group is not applied, and there are errors reported by iptables. #9579
Description
ISSUE TYPE
- Bug Report
COMPONENT NAME
Security groups,iptables
CLOUDSTACK VERSION
cloudstack 4.18.1.0
CONFIGURATION
OS / ENVIRONMENT
Centos 7.9
SUMMARY
A newly deployed CloudStack 4.18.1.0 agent node is experiencing issues where the security group rules are not being applied to the created instance machines. Additionally, there are errors reported by iptables.
STEPS TO REPRODUCE
2024-08-23 14:35:26,306 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Failed to get dom xml: org.libvirt.LibvirtException: Domain not found: no domain with matching name 'i-2-5292-VM'
2024-08-23 14:35:26,308 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Failed to get dom xml: org.libvirt.LibvirtException: Domain not found: no domain with matching name 'i-2-5292-VM'
2024-08-23 14:35:26,309 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Failed to get dom xml: org.libvirt.LibvirtException: Domain not found: no domain with matching name 'i-2-5292-VM'
2024-08-23 14:35:26,310 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Executing: /usr/share/cloudstack-common/scripts/vm/network/security_group.py destroy_network_rules_for_vm --vmname i-2-5292-VM
2024-08-23 14:35:26,312 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Executing while with timeout : 1800000
2024-08-23 14:35:26,808 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Execution is successful.
2024-08-23 14:35:26,809 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-3:null) (logid:20080328) Chain 'i-2-5292-VM-in' doesn't exist.
Chain 'i-2-5292-VM-out' doesn't exist.
Chain 'i-2-5292-VM-in-ips' doesn't exist.
Chain 'i-2-5292-VM-out-ips' doesn't exist.
Chain 'i-2-5292-VM-in-src' doesn't exist.
Chain 'i-2-5292-VM-out-dst' doesn't exist.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ipset v7.1: The set with the given name does not exist
EXPECTED RESULTS
Here is an example where I created a machine on an agent node with a functioning security group. In this case, both the security group and iptables are working correctly, and there are no iptables errors reported.
2024-08-23 16:28:22,918 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-2:null) (logid:c5363bc1) Executing: /usr/share/cloudstack-common/scripts/vm/network/security_group.py default_network_rules --vmname i-2-5310-VM --vmid 5310 --vmip 192.168.188.21 --vmmac 1e:00:c6:00:00:95 --vif vnet10 --brname cloudbr0 --nicsecips 0; --isFirstNic
2024-08-23 16:28:22,920 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-2:null) (logid:c5363bc1) Executing while with timeout : 1800000
2024-08-23 16:28:24,427 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-2:null) (logid:c5363bc1) Execution is successful.
2024-08-23 16:28:24,427 DEBUG [kvm.resource.LibvirtComputingResource] (agentRequest-Handler-2:null) (logid:c5363bc1) Chain 'i-2-5310-VM-in' doesn't exist.
Chain 'i-2-5310-VM-out' doesn't exist.
Chain 'i-2-5310-VM-in-ips' doesn't exist.
Chain 'i-2-5310-VM-out-ips' doesn't exist.
Chain 'i-2-5310-VM-in-src' doesn't exist.
Chain 'i-2-5310-VM-out-dst' doesn't exist.
ipset v7.1: The set with the given name does not exist
ipset v7.1: The set with the given name does not exist
Chain 'i-2-5310-VM-in' doesn't exist.
Chain 'i-2-5310-VM-out' doesn't exist.
Chain 'i-2-5310-VM-in-ips' doesn't exist.
Chain 'i-2-5310-VM-out-ips' doesn't exist.
Chain 'i-2-5310-VM-in-src' doesn't exist.
Chain 'i-2-5310-VM-out-dst' doesn't exist.
ACTUAL RESULTS