Rohit,

I just added a comment to update line 457 to tick-quote the vmchain as
you've done elsewhere.  My main concern would be flushing the ipset while
the iptable entry still exists.

I am curious what in sm/util.py concerned you.  That's all storage
management code and should have nothing to do with security groups.  I also
diffed a 6.5 and 6.2 version which didn't show anything obvious to explain
a security group issue.

ipset definitely did change going from 4.5 to 6.11 to match our kernel
update.

-tim

On Tue, Apr 21, 2015 at 11:57 AM, Rohit Yadav <rohit.ya...@shapeblue.com>
wrote:

> Hi all,
>
> We discovered that Security Groups don’t work in ACS 4.5+ when used with
> XenServer 6.5 due to ipset, sm/util.py changes. I’ve opened the issue here
> which was found to be reproducible by my colleagues Geoff and Abhi:
> https://issues.apache.org/jira/browse/CLOUDSTACK-8395
>
> I’ve tried to fix it in a way such that vmops plugin would work on both XS
> 6.2 and 6.5 releases, here's the PR:
> https://github.com/apache/cloudstack/pull/186
>
> One of the major changes it introduces is to use “nethash” instead of
> “iphash” when storing CIDRs received as part of an ingress/egress rule. I’m
> not sure how it will affect users that will upgrade to ACS 4.5; as a
> precaution I’ve added a change to flush and remove the old ipset entry before
> adding a new one. (Assuming all network rule additions/removals are
> idempotent, as every time we add/remove a rule, all rules are sent to be
> applied by the XS vmops plugins).
>
> Tim - since you’re one of the Xen gurus can you help review it and suggest
> any other changes?
>
> I wanted to bring this issue on dev ML since it’s a potential blocker for
> 4.5. I’m not sure if we officially support XS 6.5 on 4.4 branch, but if
> needed once we have a reviewed commit it can be cherry-picked on 4.4 as
> well.
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 88 262 30892 | rohit.ya...@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
