bug 8118: add security group back

status 8118: resolved fixed
This commit is contained in:
Edison Su 2011-01-20 13:09:32 -05:00
parent 314a491b9c
commit 4b355ca301
5 changed files with 45 additions and 13 deletions


@ -79,6 +79,7 @@ import com.cloud.agent.api.CheckHealthCommand;
import com.cloud.agent.api.CheckStateCommand;
import com.cloud.agent.api.CheckVirtualMachineAnswer;
import com.cloud.agent.api.CheckVirtualMachineCommand;
import com.cloud.agent.api.CleanupNetworkRulesCmd;
import com.cloud.agent.api.Command;
import com.cloud.agent.api.CreatePrivateTemplateFromSnapshotCommand;
import com.cloud.agent.api.CreatePrivateTemplateFromVolumeCommand;
@ -869,6 +870,8 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
return execute((NetworkUsageCommand) cmd);
} else if (cmd instanceof NetworkRulesSystemVmCommand) {
return execute((NetworkRulesSystemVmCommand)cmd);
} else if (cmd instanceof CleanupNetworkRulesCmd) {
return execute((CleanupNetworkRulesCmd)cmd);
} else {
s_logger.warn("Unsupported command ");
return Answer.createUnsupportedCommandAnswer(cmd);
@ -1574,6 +1577,11 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
}
}
private Answer execute(CleanupNetworkRulesCmd cmd) {
boolean result = cleanup_rules();
return new Answer(cmd, result, "");
}
protected GetVncPortAnswer execute(GetVncPortCommand cmd) {
try {
Connect conn = LibvirtConnection.getConnection();
@ -3500,6 +3508,19 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
return true;
}
private boolean cleanup_rules() {
if (!_can_bridge_firewall) {
return false;
}
Script cmd = new Script(_securityGroupPath, _timeout, s_logger);
cmd.add("cleanup_rules");
String result = cmd.execute();
if (result != null) {
return false;
}
return true;
}
private String get_rule_logs_for_vms() {
Script cmd = new Script(_securityGroupPath, _timeout, s_logger);
cmd.add("get_rule_logs_for_vms");
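Review bot: In the new `cleanup_rules()` the script output is used only as a failure flag and then dropped, and `execute(CleanupNetworkRulesCmd)` builds its `Answer` with `""` as details, so the management server cannot tell a failed firewall cleanup from the `!_can_bridge_firewall` early return. I would at least keep the reason on the host side with `s_logger.warn("cleanup_rules failed: " + result);` before the `return false;`, and log the capability case too, so an unexpected leftover of security-group rules on a host can be traced from the agent log. `get_rule_logs_for_vms()` continues outside the hunk.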


@ -434,7 +434,6 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules):
try:
vmName = vm_name
domId = getvmId(vmName)
vm_name = '-'.join(vm_name.split('-')[:-1])
vmchain = vm_name
changes = check_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno)
@ -447,14 +446,17 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules):
logging.debug("Change detected in vmId or vmIp or domId, resetting default rules")
default_network_rules(vmName, vm_ip, vm_id, vmMac)
if rules == "" or rules == None:
return 'true'
lines = rules.split(';')
print lines
logging.debug(" programming network rules for IP: " + vm_ip + " vmname=" + vm_name)
#iptables('-F', vmchain)
print lines
for line in lines:
tokens = line.split(':')
if len(tokens) != 4:
continue
@ -473,16 +475,16 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules):
if ips:
if protocol == 'all':
for ip in ips:
iptables = "iptables -I " + vmchain + " -m state --state NEW -m iprange --src-range " + ip + " -j ACCEPT"
iptables = "iptables -I " + vmchain + " -m state --state NEW -s " + ip + " -j ACCEPT"
elif protocol != 'icmp':
for ip in ips:
iptables = "iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -m iprange --src-range " + ip + " -j ACCEPT"
iptables = "iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -s " + ip + " -j ACCEPT"
else:
range = start + "/" + end
if start == "-1":
range = "any"
for ip in ips:
iptables = "iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -m iprange --src-range " + ip + " -j ACCEPT"
iptables = "iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -s " + ip + " -j ACCEPT"
execute(iptables)
if allow_any and protocol != 'all':
@ -497,7 +499,6 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules):
iptables = "iptables -A " + vmchain + " -j DROP"
execute(iptables)
if write_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno) == False:
return 'false'
@ -548,3 +549,5 @@ if __name__ == '__main__':
get_rule_logs_for_vms()
elif cmd == "add_network_rules":
add_network_rules(option.vmName, option.vmID, option.vmIP, option.sig, option.seq, option.vmMAC, option.rules)
elif cmd == "cleanup_rules":
cleanup_rules()
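Review bot: The three rewritten `iptables` lines in the `@ -473,16 +475,16` hunk now pass each `ip` token as `-s <ip>`, so the token is expected to be a single address or CIDR rather than the range pair the old `--src-range` form took, yet it is still spliced straight from the `rules` string into the command text with no check of its shape; a malformed token either produces a rule that does not match what was intended or, if `execute` runs the string through a shell, is interpreted by that shell. I would validate each token before interpolation, e.g. a regular-expression check that it is digits, dots and an optional `/prefix`, and `continue` with a `logging.warning` otherwise, or better build an argument list for `execute` if that helper can run without a shell. The two `print lines` statements in the `@ -447,14 +446,17` hunk look like leftover debugging output. `add_network_rules` starts and ends outside the hunks.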


@ -39,7 +39,7 @@ public interface SecurityGroupManager {
public SecurityGroupVO createDefaultSecurityGroup( Long accountId);
public boolean addInstanceToGroups(Long userVmId, List<SecurityGroupVO> groups);
public boolean addInstanceToGroups(Long userVmId, List<String> groups);
public void removeInstanceFromGroups(Long userVmId);
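Review bot: The changed `addInstanceToGroups(Long userVmId, List<String> groups)` has no Javadoc, and now that the parameter is a list of strings rather than `SecurityGroupVO` objects the signature alone no longer says what the strings are or how they are resolved. I would add `/** Adds the VM to the security groups with the given names, resolved within the VM's own account; returns false if the assignment could not be made. */`, adjusting the wording if the implementation in this commit (which looks the names up with `findByAccountAndName`) is meant to accept other scopes.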


@ -1044,7 +1044,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
agentId = vm.getHostId();
if (agentId != null ) {
_rulesetLogDao.findByVmId(work.getInstanceId());
SecurityIngressRulesCmd cmd = generateRulesetCmd(vm.getInstanceName(), vm.getGuestIpAddress(), vm.getGuestMacAddress(), vm.getId(), generateRulesetSignature(rules), seqnum, rules);
SecurityIngressRulesCmd cmd = generateRulesetCmd(vm.getInstanceName(), vm.getPrivateIpAddress(), vm.getPrivateMacAddress(), vm.getId(), generateRulesetSignature(rules), seqnum, rules);
Commands cmds = new Commands(cmd);
try {
_agentMgr.send(agentId, cmds, _answerListener);
@ -1067,16 +1067,21 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
@Override
@DB
public boolean addInstanceToGroups(final Long userVmId, final List<SecurityGroupVO> groups) {
public boolean addInstanceToGroups(final Long userVmId, final List<String> groups) {
if (!_enabled) {
return true;
}
if (groups != null) {
final Set<SecurityGroupVO> uniqueGroups = new TreeSet<SecurityGroupVO>(new SecurityGroupVOComparator());
uniqueGroups.addAll(groups);
if (groups != null || !groups.isEmpty()) {
final Transaction txn = Transaction.currentTxn();
txn.start();
UserVm userVm = _userVMDao.acquireInLockTable(userVmId); //ensures that duplicate entries are not created.
List<SecurityGroupVO> sgs = new ArrayList<SecurityGroupVO>();
for (String sg : groups) {
sgs.add(_securityGroupDao.findByAccountAndName(userVm.getAccountId(), sg));
}
final Set<SecurityGroupVO> uniqueGroups = new TreeSet<SecurityGroupVO>(new SecurityGroupVOComparator());
uniqueGroups.addAll(sgs);
if (userVm == null) {
s_logger.warn("Failed to acquire lock on user vm id=" + userVmId);
}
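Review bot: The new guard `if (groups != null || !groups.isEmpty())` in `addInstanceToGroups` dereferences `groups` exactly when it is null, because the `||` only reaches `groups.isEmpty()` in that case; it should read `if (groups != null && !groups.isEmpty())`. The lookup loop that follows calls `userVm.getAccountId()` before the `userVm == null` check the hunk keeps below it, so a failed lock now ends in a NullPointerException after `txn.start()` instead of the warning; move the null check, together with whatever bail-out follows it outside the hunk, above the loop. If `findByAccountAndName` returns null for a name that does not exist in the account, that null goes into the `TreeSet` and its comparator; skipping such names with a warning, `if (sgVo == null) { s_logger.warn("Security group " + sg + " not found"); continue; }`, keeps the VM from being silently attached to nothing. The method continues outside the hunk.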


@ -128,6 +128,7 @@ import com.cloud.network.ovs.OvsNetworkManager;
import com.cloud.network.router.VirtualNetworkApplianceManager;
import com.cloud.network.rules.RulesManager;
import com.cloud.network.security.SecurityGroupManager;
import com.cloud.network.security.SecurityGroupVO;
import com.cloud.offerings.dao.NetworkOfferingDao;
import com.cloud.server.Criteria;
import com.cloud.service.ServiceOfferingVO;
@ -2134,7 +2135,9 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
} finally {
updateVmStateForFailedVmCreation(vm.getId());
}
vm.setPassword(password);
_networkGroupMgr.addInstanceToGroups(vm.getId(), cmd.getSecurityGroupList());
return vm;
}
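Review bot: The boolean returned by `_networkGroupMgr.addInstanceToGroups(vm.getId(), cmd.getSecurityGroupList())` is ignored, so a VM whose security-group assignment fails is still handed back to the caller as successfully created, with no ingress rules applied and nothing recorded at this point. I would capture it, `if (!_networkGroupMgr.addInstanceToGroups(vm.getId(), cmd.getSecurityGroupList())) { /* log with the class logger and decide whether creation should fail */ }`, and settle whether an unassigned VM should be returned at all. The `SecurityGroupVO` import added in the first hunk is not used by the visible change and may be a leftover. The enclosing method starts outside the hunk.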