[ https://issues.apache.org/jira/browse/CLOUDSTACK-79?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13453272#comment-13453272 ]
Wido den Hollander commented on CLOUDSTACK-79:
----------------------------------------------

This is known, the security rules are only applied when an instance is started, but are not checked afterwards.

A couple of approaches can be taken here:

* Have the agent flush all the rules every X minutes/seconds/hours and apply all the rules again.
* Have the agent parse the iptables rules and have it find out which are not applied anymore.
* Have a button/API call: "Re-apply rules".

The first one could disrupt traffic for a short moment, probably not desirable.

The second one is, however, not that easy to implement and could potentially hurt stuff when parsing goes wrong.

I think option 3 is more doable.

> CloudStack 3.0.4: firewall rules not restored on KVM host
> ---------------------------------------------------------
>
>                 Key: CLOUDSTACK-79
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-79
>             Project: CloudStack
>          Issue Type: Bug
>          Components: KVM, Network Controller
>    Affects Versions: pre-4.0.0
>            Reporter: Vladimir Ostrovsky
>
> I have CloudStack 3.0.4 with a Basic Zone defined. The Zone includes several
> KVM hosts and uses Security Groups (in other words, IPtables on the hosts) to
> isolate traffic between VMs.
>
> The problem: if, for some reason, IPtables on the host are flushed or the
> iptables service is restarted, the cloud-agent doesn't pull the correct rules
> from the management server and doesn't synchronize the host with Security
> Groups definitions in CloudStack. Restart of the cloud-agent service doesn't
> help either.
>
> Shouldn't the agent do it?

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
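The second approach in the comment above (have the agent read back the live iptables state and work out which security-group rules are no longer applied) comes down to a drift check: compare the rules the agent believes it programmed against `iptables-save` output. The following is an added example, not CloudStack agent code. It assumes the expected rules are kept as iptables-save style "-A CHAIN ..." strings; the chain name i-2-15-VM, the interface vnet0 and both `iptables-save` samples are constructed for the demo.

```python
"""Detect drift between the security-group rules an agent expects on a KVM
host and the rules actually loaded in iptables (added example, not
CloudStack code). Expected rules are iptables-save style strings; live
state normally comes from `iptables-save`, here from constructed samples."""
import subprocess
from typing import Dict, List, Set, Tuple

BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}

# Constructed: rules the agent programmed for one instance (hypothetical
# per-instance chain i-2-15-VM, hypothetical tap interface vnet0).
EXPECTED_RULES = [
    "-A FORWARD -m physdev --physdev-is-bridged --physdev-out vnet0 -j i-2-15-VM",
    "-A i-2-15-VM -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A i-2-15-VM -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A i-2-15-VM -p tcp -m tcp --dport 80 -j ACCEPT",
    "-A i-2-15-VM -j DROP",
]

# Constructed `iptables-save` output: the port-80 rule has disappeared.
SAMPLE_PARTIAL = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:i-2-15-VM - [0:0]
-A FORWARD -m physdev --physdev-is-bridged --physdev-out vnet0 -j i-2-15-VM
-A i-2-15-VM -m state --state RELATED,ESTABLISHED -j ACCEPT
-A i-2-15-VM -p tcp -m tcp --dport 22 -j ACCEPT
-A i-2-15-VM -j DROP
COMMIT
"""

# Constructed: the host after a flush or an iptables service restart.
SAMPLE_FLUSHED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""


def normalize(rule: str) -> str:
    """Compare rules token by token, not by incidental whitespace."""
    return " ".join(rule.split())


def chain_of(rule: str) -> str:
    """'-A CHAIN ...' -> 'CHAIN'."""
    return rule.split()[1]


def parse_filter_table(save_output: str) -> Tuple[Set[str], List[str]]:
    """Return (chain names, '-A' rules in order) from the *filter table."""
    chains: Set[str] = set()
    rules: List[str] = []
    in_filter = False
    for raw in save_output.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header: *filter, *nat, ...
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):        # chain declaration ":NAME POLICY [p:b]"
            chains.add(line[1:].split()[0])
        elif line.startswith("-A "):
            rules.append(normalize(line))
    return chains, rules


def find_drift(expected: List[str], save_output: str) -> Dict[str, list]:
    """Report rules missing from, surplus in, or misordered on the host."""
    live_chains, live_rules = parse_filter_table(save_output)
    wanted = [normalize(r) for r in expected]
    wanted_set, live_set = set(wanted), set(live_rules)
    managed = {chain_of(r) for r in wanted}
    # Built-in chains also carry rules from other sources, so only the
    # per-instance chains are checked for surplus rules and for existence.
    own = managed - BUILTIN_CHAINS
    out_of_order = []
    for chain in sorted(managed):
        want_seq = [r for r in wanted if chain_of(r) == chain and r in live_set]
        live_seq = [r for r in live_rules if chain_of(r) == chain and r in wanted_set]
        if want_seq != live_seq:          # relative order decides ACCEPT vs DROP
            out_of_order.append(chain)
    return {
        "missing": [r for r in wanted if r not in live_set],
        "extra": [r for r in live_rules if chain_of(r) in own and r not in wanted_set],
        "missing_chains": sorted(c for c in own if c not in live_chains),
        "out_of_order": out_of_order,
    }


def live_iptables_save() -> str:
    """Read the real ruleset (needs root); not used by the offline samples."""
    return subprocess.run(["iptables-save"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for name, sample in (("partial", SAMPLE_PARTIAL), ("flushed", SAMPLE_FLUSHED)):
        print(name, find_drift(EXPECTED_RULES, sample))
```

A check like this only reports; re-applying the missing rules is the agent's job, and the comparison deliberately ignores the built-in chains because other software on the host writes there too. Comparing normalized iptables-save strings rather than the arguments originally passed to `iptables` matters, because iptables-save rewrites rules (for example `-p tcp --dport 22` comes back as `-p tcp -m tcp --dport 22`), which is one of the ways parsing can "go wrong" as the comment warns.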