if the xenserver host cannot do bridge firewalling do not attempt to retry the security rule updat

change some logs to debug level
This commit is contained in:
Chiradeep Vittal 2011-08-31 22:59:19 -07:00
parent 65fb83035f
commit fae5e84699
6 changed files with 53 additions and 36 deletions


@ -18,8 +18,16 @@
package com.cloud.agent.api;
public class SecurityIngressRuleAnswer extends Answer {
public static enum FailureReason {
NONE,
UNKNOWN,
PROGRAMMING_FAILED,
CANNOT_BRIDGE_FIREWALL
}
Long logSequenceNumber = null;
Long vmId = null;
FailureReason reason = FailureReason.NONE;
protected SecurityIngressRuleAnswer() {
}
@ -34,6 +42,14 @@ public class SecurityIngressRuleAnswer extends Answer {
super(cmd, result, detail);
this.logSequenceNumber = cmd.getSeqNum();
this.vmId = cmd.getVmId();
reason = FailureReason.PROGRAMMING_FAILED;
}
public SecurityIngressRuleAnswer(SecurityIngressRulesCmd cmd, boolean result, String detail, FailureReason r) {
super(cmd, result, detail);
this.logSequenceNumber = cmd.getSeqNum();
this.vmId = cmd.getVmId();
reason = r;
}
public Long getLogSequenceNumber() {
@ -44,4 +60,12 @@ public class SecurityIngressRuleAnswer extends Answer {
return vmId;
}
public FailureReason getReason() {
return reason;
}
public void setReason(FailureReason reason) {
this.reason = reason;
}
}
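Review bot: The three-argument constructor (its signature sits just above the second hunk) now sets `reason = FailureReason.PROGRAMMING_FAILED` unconditionally, so any caller that passes `result == true` through it would get a successful answer tagged with a failure reason; if that path is reachable, `reason = result ? FailureReason.NONE : FailureReason.PROGRAMMING_FAILED;` keeps the field consistent with the result flag. The new `reason` field, like the two existing ones, is package-private rather than `private`, and the public `setReason` lets any holder rewrite an answer after the fact; if no caller needs the setter, dropping it and making the field `private final` means the value the listener bases its retry decision on cannot be changed in transit. A one-line Javadoc on each `FailureReason` constant, e.g. `/** Host lacks bridge-firewall support; callers should not retry the update. */` on `CANNOT_BRIDGE_FIREWALL`, would document the contract the listener relies on.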


@ -4819,8 +4819,10 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
}
if (!_canBridgeFirewall) {
s_logger.info("Host " + _host.ip + " cannot do bridge firewalling");
return new SecurityIngressRuleAnswer(cmd, false, "Host " + _host.ip + " cannot do bridge firewalling");
s_logger.warn("Host " + _host.ip + " cannot do bridge firewalling");
return new SecurityIngressRuleAnswer(cmd, false,
"Host " + _host.ip + " cannot do bridge firewalling",
SecurityIngressRuleAnswer.FailureReason.CANNOT_BRIDGE_FIREWALL);
}
String result = callHostPlugin(conn, "vmops", "network_rules",
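Review bot: The message "Host " + _host.ip + " cannot do bridge firewalling" is now built twice on the new side, once for the warn call and once for the answer, so a future edit can let the two drift apart; hoisting it into `String msg = "Host " + _host.ip + " cannot do bridge firewalling";` and using `msg` in both places keeps the log and the returned detail identical. Raising the log level to warn is reasonable now that the listener stops retrying, since the line will be emitted once per ruleset command rather than on every retry. The enclosing method starts and ends outside the hunk.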


@ -453,7 +453,6 @@ def ipset(ipsetname, proto, start, end, ips):
def destroy_network_rules_for_vm(session, args):
vm_name = args.pop('vmName')
vmchain = chain_name(vm_name)
vmchain_egress = chain_name(vm_name) + "-egress"
vmchain_default = chain_name_def(vm_name)
delete_rules_for_vm_in_bridge_firewall_chain(vm_name)
@ -473,11 +472,6 @@ def destroy_network_rules_for_vm(session, args):
util.SMlog("Ignoring failure to delete chain " + vmchain)
try:
util.pread2(['iptables', '-F', vmchain_egress])
util.pread2(['iptables', '-X', vmchain_egress])
except:
util.SMlog("Ignoring failure to delete chain " + vmchain_egress)
remove_rule_log_for_vm(vm_name)
@ -654,7 +648,6 @@ def default_network_rules(session, args):
vmchain = chain_name(vm_name)
vmchain_egress = chain_name(vm_name) +"-egress"
vmchain_default = chain_name_def(vm_name)
destroy_ebtables_rules(vmchain)
@ -664,11 +657,6 @@ def default_network_rules(session, args):
util.pread2(['iptables', '-N', vmchain])
except:
util.pread2(['iptables', '-F', vmchain])
try:
util.pread2(['iptables', '-N', vmchain_egress])
except:
util.pread2(['iptables', '-F', vmchain_egress])
try:
util.pread2(['iptables', '-N', vmchain_default])
@ -687,7 +675,7 @@ def default_network_rules(session, args):
#don't let vm spoof its ip address
for v in vifs:
util.pread2(['iptables', '-A', vmchain_default, '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', v, '--source', vm_ip, '-j', vmchain_egress])
util.pread2(['iptables', '-A', vmchain_default, '-m', 'physdev', '--physdev-is-bridged', '--physdev-in', v, '--source', vm_ip, '-j', 'RETURN'])
util.pread2(['iptables', '-A', vmchain_default, '-j', vmchain])
except:
util.SMlog("Failed to program default rules for vm " + vm_name)
@ -1011,7 +999,6 @@ def network_rules(session, args):
vm_name = args.get('vmName')
vm_ip = args.get('vmIP')
vm_id = args.get('vmID')
type = args.get('type')
signature = args.pop('signature')
seqno = args.pop('seqno')
try:
@ -1036,12 +1023,9 @@ def network_rules(session, args):
vifs.append(tap)
except:
pass
if type == 'egress':
vmchain = chain_name(vm_name) + "-egress"
else:
vmchain = chain_name(vm_name)
vmchain = chain_name(vm_name)
reason = 'seqno_change_or_sig_change'
[reprogramDefault, reprogramChain, rewriteLog] = \
check_rule_log_for_vm (vm_name, vm_id, vm_ip, domid, signature, seqno)
@ -1142,7 +1126,6 @@ def checkRouter(session, args):
return txt
if __name__ == "__main__":
XenAPIPlugin.dispatch({"pingtest": pingtest, "setup_iscsi":setup_iscsi, "gethostvmstats": gethostvmstats,
"getvncport": getvncport, "getgateway": getgateway, "preparemigration": preparemigration,
"setIptables": setIptables, "pingdomr": pingdomr, "pingxenserver": pingxenserver,
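Review bot: destroy_network_rules_for_vm (second hunk; the function starts in the first hunk and continues past the second) no longer flushes or deletes the `<vmchain>-egress` chain, yet hosts already running the previous plugin version may still have such chains, which will now persist with their rules after the VM is destroyed. Keeping the flush/delete of that chain for one release, wrapped in the same try/except the surrounding code uses for `vmchain`, would cover hosts upgraded in place. In network_rules the `type` argument is no longer read, so a caller that still sends `type: egress` is presumably programmed into the ingress chain without notice; if callers are not updated in the same change, logging an unexpected `type` via `util.SMlog` would make that visible.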


@ -33,6 +33,7 @@ import com.cloud.agent.api.PingRoutingWithNwGroupsCommand;
import com.cloud.agent.api.SecurityIngressRuleAnswer;
import com.cloud.agent.api.StartupCommand;
import com.cloud.agent.api.StartupRoutingCommand;
import com.cloud.agent.api.SecurityIngressRuleAnswer.FailureReason;
import com.cloud.agent.manager.Commands;
import com.cloud.exception.AgentUnavailableException;
import com.cloud.host.HostVO;
@ -85,9 +86,16 @@ public class SecurityGroupListener implements Listener {
_workDao.updateStep(ruleAnswer.getVmId(), ruleAnswer.getLogSequenceNumber(), Step.Done);
} else {
_workDao.updateStep(ruleAnswer.getVmId(), ruleAnswer.getLogSequenceNumber(), Step.Error);
s_logger.debug("Failed to program rule " + ruleAnswer.toString() + " into host " + agentId);
affectedVms.add(ruleAnswer.getVmId());
_workDao.updateStep(ruleAnswer.getVmId(), ruleAnswer.getLogSequenceNumber(), Step.Error);;
s_logger.debug("Failed to program rule " + ruleAnswer.toString() + " into host " + agentId
+" due to " + ruleAnswer.getDetails()
+" and updated jobs");
if (ruleAnswer.getReason() == FailureReason.CANNOT_BRIDGE_FIREWALL) {
s_logger.debug("Not retrying security group rules for vm " + ruleAnswer.getVmId() + " on failure since host " + agentId + " cannot do bridge firewalling");
} else if (ruleAnswer.getReason() == FailureReason.PROGRAMMING_FAILED){
s_logger.debug("Retrying on failure for vm " + ruleAnswer.getVmId());
affectedVms.add(ruleAnswer.getVmId());
}
}
commandNum++;
}
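Review bot: The new retry decision at the end of the second hunk handles only `CANNOT_BRIDGE_FIREWALL` and `PROGRAMMING_FAILED`; an unsuccessful answer whose reason is still the default `NONE` or is `UNKNOWN` — presumably the case for an answer built by a resource that does not set the new field — is neither retried nor logged, so that VM silently keeps its stale ruleset. Treating everything except the bridge-firewall case as retryable, `} else {` in place of `} else if (ruleAnswer.getReason() == FailureReason.PROGRAMMING_FAILED){`, preserves the previous behaviour for such answers. The added `Step.Error);;` line carries a stray second semicolon. The enclosing method starts and ends outside the hunk.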


@ -93,8 +93,8 @@ public class SecurityGroupManagerImpl2 extends SecurityGroupManagerImpl{
workItems.addAll(affectedVms);
workItems.removeAll(_disabledVms);
if (s_logger.isTraceEnabled()) {
s_logger.trace("Security Group Mgr v2: scheduling ruleset updates for " + affectedVms.size() + " vms " + " (unique=" + workItems.size() + "), current queue size=" + _workQueue.size());
if (s_logger.isDebugEnabled()) {
s_logger.debug("Security Group Mgr v2: scheduling ruleset updates for " + affectedVms.size() + " vms " + " (unique=" + workItems.size() + "), current queue size=" + _workQueue.size());
}
Profiler p = new Profiler();
@ -109,8 +109,8 @@ public class SecurityGroupManagerImpl2 extends SecurityGroupManagerImpl{
int newJobs = _workQueue.submitWorkForVms(workItems);
_mBean.logScheduledDetails(workItems);
p.stop();
if (s_logger.isTraceEnabled()){
s_logger.trace("Security Group Mgr v2: done scheduling ruleset updates for " + workItems.size() + " vms: num new jobs=" +
if (s_logger.isDebugEnabled()){
s_logger.debug("Security Group Mgr v2: done scheduling ruleset updates for " + workItems.size() + " vms: num new jobs=" +
newJobs + " num rows insert or updated=" + updated + " time taken=" + p.getDuration());
}
}
@ -173,8 +173,8 @@ public class SecurityGroupManagerImpl2 extends SecurityGroupManagerImpl{
vm.getPrivateMacAddress(), vm.getId(), null,
work.getLogsequenceNumber(), rules);
cmd.setMsId(_serverId);
if (s_logger.isTraceEnabled()) {
s_logger.trace("SecurityGroupManager v2: sending ruleset update for vm " + vm.getInstanceName() +
if (s_logger.isDebugEnabled()) {
s_logger.debug("SecurityGroupManager v2: sending ruleset update for vm " + vm.getInstanceName() +
": num rules=" + cmd.getRuleSet().length + " num cidrs=" + cmd.getTotalNumCidrs() + " sig=" + cmd.getSignature());
}
Commands cmds = new Commands(cmd);
@ -188,11 +188,11 @@ public class SecurityGroupManagerImpl2 extends SecurityGroupManagerImpl{
}
}
} else {
if (s_logger.isTraceEnabled()) {
if (s_logger.isDebugEnabled()) {
if (vm != null)
s_logger.trace("No rules sent to vm " + vm + "state=" + vm.getState());
s_logger.debug("No rules sent to vm " + vm + "state=" + vm.getState());
else
s_logger.trace("Could not find vm: No rules sent to vm " + userVmId );
s_logger.debug("Could not find vm: No rules sent to vm " + userVmId );
}
}
}
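Review bot: The rewritten line `s_logger.debug("No rules sent to vm " + vm + "state=" + vm.getState());` in the last hunk runs the vm and its state together in the output; `"No rules sent to vm " + vm + " state=" + vm.getState()` reads cleanly. The unbraced `if`/`else` around the two debug calls predates the change, but since the hunk rewrites both branches, bracing them would match the braced blocks elsewhere in the method. The enclosing method starts outside the hunk.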


@ -1473,7 +1473,7 @@ CREATE TABLE `cloud`.`op_vm_ruleset_log` (
`created` datetime NOT NULL COMMENT 'time the entry was requested',
`logsequence` bigint unsigned COMMENT 'seq number to be sent to agent, uniquely identifies ruleset update',
PRIMARY KEY (`id`),
UNIQUE `i_op_vm_ruleset_log__instance_id`(`instance_id`)
UNIQUE `u_op_vm_ruleset_log__instance_id`(`instance_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `cloud`.`instance_group` (