Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security groups not updated after VM powered off #6299

Closed
2 of 3 tasks
brodriguez-opennebula opened this issue Aug 17, 2023 · 1 comment
Closed
2 of 3 tasks

Security groups not updated after VM powered off #6299

brodriguez-opennebula opened this issue Aug 17, 2023 · 1 comment
Assignees
@rsmontero @brodriguez-opennebula
Labels
Category: Drivers - Network Priority: Normal Sponsored Status: Accepted Type: Bug
Milestone
Release 6.8

Comments

@brodriguez-opennebula
Copy link
Contributor

brodriguez-opennebula commented Aug 17, 2023
edited by rsmontero

Description
There is a race condition where, if a VM is powered off, its SG rules may not be flushed in time. This may lead to the following type of errors

sudo -n ipset destroy one-VM_ID-NIC_ID-SG_NAME

To Reproduce

The following procedure is not deterministic, relies on the poweroff time of the VM

  • Create a VM with at least a NIC
  • Set up a SG in the VM NIC
  • Power off the VM

Expected behavior

  • The VM should be turned off
  • The Security group should be disabled

Details

  • Affected Component: Security Groups (networking)
  • Hypervisor: KVM
  • Version: 6.6.3

Additional context
Add any other context about the problem here.

Progress Status

  • Code committed
  • Testing - QA
  • Documentation (Release notes - resolved issues, compatibility, known issues)
@tinova tinova modified the milestones: Release 6.6.4, Release 6.8 Aug 17, 2023
brodriguez-opennebula added a commit that referenced this issue Aug 17, 2023
@brodriguez-opennebula
B #6299: Change SG flush timeout at VM poweroff
a716fc2 
There is a race condition where, if a VM is powered off, its SG rules may not
be flushed in time. This may lead to the following type of errors

```
sudo -n ipset destroy one-VM_ID-NIC_ID-SG_NAME
```

The timeout to flush the security group iptables has been increased to 500 ms
to prevent this problem
rsmontero pushed a commit to OpenNebula/docs that referenced this issue Sep 21, 2023
@brodriguez-opennebula @rsmontero
B OpenNebula/one#6299: Resolved issues
44f338b
rsmontero pushed a commit that referenced this issue Sep 21, 2023
@brodriguez-opennebula @rsmontero
B #6299: Increase delay before ipset destroy
253e2d3 
This will give kernel some more time to clean up before attemting to
destroy the associated ipsets. Otherwise it may fail with: "Set cannot be
destroyed: it is in use by a kernel component"
@rsmontero
Copy link
Member

The timeout before attempting to delete the ipset has been increased the kernel has some more margin to cleanup iptable references under heavy load

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rsmontero rsmontero

@brodriguez-opennebula brodriguez-opennebula

Labels
Category: Drivers - Network Priority: Normal Sponsored Status: Accepted Type: Bug
Projects
None yet
Milestone
Release 6.8
Development

When branches are created from issues, their pull requests are automatically linked.

6299-security-groups-not-updated-after-vm-powered-off OpenNebula/one
4 participants
@tinova @rsmontero @onenhansen @brodriguez-opennebula