Bug #3846

Already existing rules in security group driver

Added by Guillaume Oberlé about 6 years ago. Updated almost 6 years ago.

Status: Closed
Start date: 06/22/2015
Priority: High
Due date:
Assignee: Jaime Melis
% Done: 0%
Category: Drivers - Network
Target version: Release 4.14
Resolution: fixed
Pull request:
Affected Versions: Development

Description

I feel that the resolution of Bug #3807: Remove only rules for ATTACH=YES nics when doing a detach (deactivate method), commit: https://github.com/OpenNebula/one/commit/dc318dd06467f41f478d1cd027cdb0b4279fc48b has introduced a new problem in the security group driver.

The previous behaviour of the activate function in the security group driver was to clean all IPTables rules for every NIC related to the VM (by calling the deactivate function) before re-adding them with the new rules (for example when you attach a NIC).

Since the resolution of bug #3807, the deactivate function no longer removes all the IPTables rules, but only the rules associated with NICs tagged ATTACH="yes".

Thus, when you try to add a new NIC to an already existing VM, you get an error that some IPTables chains already exist. These IPTables chains are related to already attached NICs.

Related file: https://github.com/OpenNebula/one/blob/dc318dd06467f41f478d1cd027cdb0b4279fc48b/src/vnm_mad/remotes/lib/sg_driver.rb#L53
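
The failure described above, reproduced against an in-memory model of the chain table. This is an added example, not part of the original report and not the driver's code or the committed fix; the `FakeIptables` class, the `one-<vm>-<nic>` chain name, VM id 42 and the `activate_idempotent` guard are assumptions made for illustration.

```ruby
require 'set'

# In-memory stand-in for the host's chain table (constructed for this example).
class FakeIptables
  class ChainExists < StandardError; end
  attr_reader :chains
  def initialize
    @chains = Set.new
  end
  # Like `iptables -N`: creating a chain that already exists is an error.
  def new_chain(name)
    raise ChainExists, "Chain already exists: #{name}" if @chains.include?(name)
    @chains << name
  end
end

# Hypothetical chain name, one chain per VM NIC.
def chain_for(vm_id, nic)
  "one-#{vm_id}-#{nic[:nic_id]}"
end

# Behaviour since Bug #3807: only NICs tagged ATTACH=YES are cleaned up.
def deactivate(ipt, vm_id, nics)
  nics.select { |n| n[:attach] }.each { |n| ipt.chains.delete(chain_for(vm_id, n)) }
end

# activate as the report describes it: deactivate, then re-add every NIC.
def activate(ipt, vm_id, nics)
  deactivate(ipt, vm_id, nics)
  nics.each { |n| ipt.new_chain(chain_for(vm_id, n)) }
end

# One possible guard (an assumption): skip NICs whose chain is already in place.
def activate_idempotent(ipt, vm_id, nics)
  deactivate(ipt, vm_id, nics)
  nics.reject { |n| ipt.chains.include?(chain_for(vm_id, n)) }
      .each { |n| ipt.new_chain(chain_for(vm_id, n)) }
end

# Constructed scenario: VM 42 boots with NIC 0, then NIC 1 is hot-attached.
def hotplug_scenario(activate_fn)
  ipt = FakeIptables.new
  boot = [{ nic_id: 0, attach: false }]
  send(activate_fn, ipt, 42, boot)
  send(activate_fn, ipt, 42, boot + [{ nic_id: 1, attach: true }])
  ipt.chains.to_a.sort
rescue FakeIptables::ChainExists => e
  e.message
end
```

Skipping an existing chain keeps whatever rules that chain already holds, so the guard covers the hot-attach case but does not refresh the rules of NICs that were already attached.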

Associated revisions

Revision 76ad1230
Added by Guillaume Oberlé about 6 years ago

Bug #3846: Already existing rules in security group driver

History

#1 Updated by Ruben S. Montero about 6 years ago

  • Assignee set to Jaime Melis

#2 Updated by Ruben S. Montero almost 6 years ago

  • Status changed from Pending to Closed
  • Resolution set to fixed
