Commit 0e880a86 authored by Sigmund Augdal's avatar Sigmund Augdal

Remove any unused ipsets before trying to create new ones. Should reduce risk...

Remove any unused ipsets before trying to create new ones. Should reduce risk of hitting max number of sets after an iptables_configurator crash
parent c2e2499e
......@@ -50,6 +50,11 @@ def next_generation(old_groups):
return generation
def destroy_ipsets(sets):
for ipset in sets:
subprocess.call("ipset destroy {}".format(ipset), shell=True)
class Generator(object):
def __init__(self, cert, key, cacert, logfile=None, noop=False, etcd_host="localhost"):
self.noop = noop
......@@ -237,6 +242,8 @@ class Generator(object):
def generate_all(self):
old_groups = self.prepare()
# Destroy old, unused sets to reduce risk of hitting max number of sets
destroy_ipsets(old_groups)
groups = security_groups.get_security_groups(self.etcd_client)
for group_id, group in sorted(groups.items(), key=lambda x: x[0]):
......@@ -295,8 +302,8 @@ class Generator(object):
if not self.noop:
call("iptables-restore", iptables_output)
call("ip6tables-restore", ip6tables_output)
for ipset in old_groups:
subprocess.call("ipset destroy {}".format(ipset), shell=True)
# Destroy sets that got freed by changing the iptables rules
destroy_ipsets(old_groups)
send_stat("instance_net.security_groups.ipset_count",
len([g for g in self.group_members.values() if g > 0]))
send_stat("instance_net.security_groups.max_ipset_members",
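Review bot: The new `destroy_ipsets(old_groups)` call at the top of `generate_all`, right after `old_groups = self.prepare()`, appears to run regardless of `self.noop`, whereas the call it replaces in the third hunk sat after `if not self.noop:` next to the iptables-restore calls, so a noop run would now destroy kernel ipsets; guard it with `if not self.noop:` (indentation is not visible on this page, so confirm the call is not already nested under such a check). Since `destroy_ipsets` is the new home for this logic, it is also the place to drop the shell string: `subprocess.call(["ipset", "destroy", ipset])` passes the set name as an argument instead of interpolating it into a shell command, which matters if any name in `old_groups` can be derived from etcd-sourced group ids rather than only from the configurator's own naming. The exit status of `subprocess.call` is discarded, which is acceptable as best-effort for the expected "set in use" failure before the restore, but logging a non-zero status would make a set that refuses to go away visible instead of silently hitting the set limit again. `generate_all` continues outside these hunks.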