diff --git a/api/src/com/cloud/api/commands/CreateNetworkCmd.java b/api/src/com/cloud/api/commands/CreateNetworkCmd.java
index 80a9bd5760c..71c2bdf40c0 100644
--- a/api/src/com/cloud/api/commands/CreateNetworkCmd.java
+++ b/api/src/com/cloud/api/commands/CreateNetworkCmd.java
@@ -82,9 +82,6 @@ public class CreateNetworkCmd extends BaseCmd {
 @Parameter(name=ApiConstants.NETWORK_DOMAIN, type=CommandType.STRING, description="network domain")
 private String networkDomain;
-
- @Parameter(name=ApiConstants.SECURITY_GROUP_EANBLED, type=CommandType.BOOLEAN, description="true if network is security group enabled, false otherwise")
- private Boolean is_security_group_enabled;
 /////////////////////////////////////////////////////
 /////////////////// Accessors ///////////////////////
@@ -145,9 +142,6 @@ public class CreateNetworkCmd extends BaseCmd {
 return networkDomain;
 }
- public boolean isSecurityGroupEnabled() {
- return is_security_group_enabled == null ? false : true;
- }
 /////////////////////////////////////////////////////
 /////////////// API Implementation///////////////////
 /////////////////////////////////////////////////////
diff --git a/api/src/com/cloud/api/commands/CreateZoneCmd.java b/api/src/com/cloud/api/commands/CreateZoneCmd.java
index bbb3190ce8d..92db2a59532 100644
--- a/api/src/com/cloud/api/commands/CreateZoneCmd.java
+++ b/api/src/com/cloud/api/commands/CreateZoneCmd.java
@@ -115,7 +115,7 @@ public class CreateZoneCmd extends BaseCmd {
 return networkType;
 }
- public boolean isSecurityGroupEnabled() {
+ public Boolean isSecurityGroupEnabled() {
 if (securitygroupenabled == null) {
 return false;
 }
diff --git a/api/src/com/cloud/dc/DataCenter.java b/api/src/com/cloud/dc/DataCenter.java
index 3b0b599e781..0abb243d2dc 100644
--- a/api/src/com/cloud/dc/DataCenter.java
+++ b/api/src/com/cloud/dc/DataCenter.java
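Review bot: Widening the return type to `Boolean` gains nothing here, because the body already maps a null `securitygroupenabled` to `false`, so the boxed type only introduces a null-unboxing hazard for callers; the same boxing appears at `Boolean securityGroupEnabled = cmd.isSecurityGroupEnabled();` in the ConfigurationManagerImpl -1216 hunk, where the value is later assigned a primitive `true` and handed to a `boolean` constructor parameter. Keep `public boolean isSecurityGroupEnabled() {` and declare the local as `boolean securityGroupEnabled = cmd.isSecurityGroupEnabled();`, exactly as the line removed in the -1241 hunk did. The rest of the accessor body is outside the hunk.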
@@ -11,7 +11,7 @@ import com.cloud.org.Grouping;
 public interface DataCenter extends Grouping {
 public enum NetworkType {
 Basic,
- Advanced
+ Advanced,
 }
 long getId();
 String getDns1();
@@ -33,5 +33,6 @@ public interface DataCenter extends Grouping {
 String getLoadBalancerProvider();
 String getUserDataProvider();
 String getVpnProvider();
+ boolean isSecurityGroupEnabled();
 }
diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
index 7d1f10de2b9..e3c1944e4ee 100755
--- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -1125,7 +1125,7 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura
 try {
 txn.start();
 // Create the new zone in the database
- DataCenterVO zone = new DataCenterVO(zoneName, null, dns1, dns2, internalDns1, internalDns2, vnetRange, guestCidr, domain, domainId, zoneType);
+ DataCenterVO zone = new DataCenterVO(zoneName, null, dns1, dns2, internalDns1, internalDns2, vnetRange, guestCidr, domain, domainId, zoneType, isSecurityGroupEnabled);
 zone = _zoneDao.persist(zone);
 // Add vnet entries for the new zone if zone type is Advanced
@@ -1170,11 +1170,7 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura
 } else if (offering.getTrafficType() == TrafficType.Control) {
 broadcastDomainType = BroadcastDomainType.LinkLocal;
 } else if (offering.getTrafficType() == TrafficType.Public) {
- if (zone.getNetworkType() == NetworkType.Advanced) {
- if (isSecurityGroupEnabled) {
- isNetworkDefault = true;
- userNetwork.setSecurityGroupEnabled(isSecurityGroupEnabled);
- }
+ if (zone.getNetworkType() == NetworkType.Advanced && !zone.isSecurityGroupEnabled()) {
 broadcastDomainType = BroadcastDomainType.Vlan;
 } else {
 continue;
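Review bot: The new interface method `boolean isSecurityGroupEnabled();` has no Javadoc, although the rest of this diff turns it into a zone-wide policy switch (NetworkManagerImpl rejects Virtual guest offerings in such zones, the console-proxy and secondary-storage managers pick the guest network offering for system VMs, and UserVmManagerImpl now derives a VM's security-group status from it). A one-line Javadoc would help: `/** True when guest traffic in this zone is isolated by security groups instead of virtual networks; Basic zones are always security-group enabled. */` — the Basic-zone clause is taken from the `if (zoneType == NetworkType.Basic) { securityGroupEnabled = true; }` context in ConfigurationManagerImpl. The trailing comma added to `NetworkType` in the -11 hunk is legal but unrelated noise.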
@@ -1184,6 +1180,9 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura
 isNetworkDefault = true;
 broadcastDomainType = BroadcastDomainType.Native;
 userNetwork.setSecurityGroupEnabled(isSecurityGroupEnabled);
+ } else if (offering.getGuestType() == GuestIpType.Direct && isSecurityGroupEnabled) {
+ isNetworkDefault = true;
+ userNetwork.setSecurityGroupEnabled(isSecurityGroupEnabled);
 } else {
 continue;
 }
@@ -1216,7 +1215,9 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura
 isBasic = true;
 }
-
+ Boolean securityGroupEnabled = cmd.isSecurityGroupEnabled();
+
+
 NetworkType zoneType = isBasic ? NetworkType.Basic : NetworkType.Advanced;
 //Guest cidr is required for Advanced zone creation; error out when the parameter specified for Basic zone
@@ -1241,7 +1242,6 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura
 vnetRange = null;
 }
- boolean securityGroupEnabled = cmd.isSecurityGroupEnabled();
 if (zoneType == NetworkType.Basic) {
 securityGroupEnabled = true;
 }
@@ -1588,6 +1588,10 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura
 throw new InvalidParameterValueException("Unable to find zone by id " + zoneId);
 }
+ if (zone.isSecurityGroupEnabled() && forVirtualNetwork) {
+ throw new InvalidParameterValueException("Can't add virtual network into a zone with security group enabled");
+ }
+
 //If networkId is not specified, and vlan is Virtual or Direct Untagged, try to locate default networks
 if (forVirtualNetwork){
 if (network == null) {
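Review bot: The new `else if (offering.getGuestType() == GuestIpType.Direct && isSecurityGroupEnabled)` branch sets `isNetworkDefault` and the network's security-group flag but never assigns `broadcastDomainType`, unlike the sibling branch directly above it (`BroadcastDomainType.Native`) and the Public branch in the -1170 hunk (`BroadcastDomainType.Vlan`). If the variable is declared outside the offering loop, this Direct network is created with whatever the previous iteration left there; if it is declared inside, with null — the declaration is outside the hunk, so please confirm. Presumably `broadcastDomainType = BroadcastDomainType.Vlan;` is intended, since the -1728 hunk rejects untagged Direct networks in Advanced zones. This branch also tests the method parameter `isSecurityGroupEnabled` while the -1170 hunk a few lines above tests `zone.isSecurityGroupEnabled()`; pick one source of truth (the persisted zone) for both.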
@@ -1724,7 +1728,7 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura
 }
 //Allow adding untagged direct vlan only for Basic zone
- if (zone.getNetworkType() == NetworkType.Advanced && vlanId.equals(Vlan.UNTAGGED) && !forVirtualNetwork) {
+ if (zone.getNetworkType() == NetworkType.Advanced && vlanId.equals(Vlan.UNTAGGED) && (!forVirtualNetwork || zone.isSecurityGroupEnabled())) {
 throw new InvalidParameterValueException("Direct untagged network is not supported for the zone " + zone.getId() + " of type " + zone.getNetworkType());
 } else if (zone.getNetworkType() == NetworkType.Basic && !(vlanId.equals(Vlan.UNTAGGED) && !forVirtualNetwork)) {
 throw new InvalidParameterValueException("Only direct untagged network is supported in the zone " + zone.getId() + " of type " + zone.getNetworkType());
diff --git a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
index 499f66c6701..6500827d2cf 100644
--- a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
+++ b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
@@ -563,9 +563,9 @@ public class ConsoleProxyManagerImpl implements ConsoleProxyManager, ConsoleProx
 Account systemAcct = _accountMgr.getSystemAccount();
 DataCenterDeployment plan = new DataCenterDeployment(dataCenterId);
-
 List defaultOffering = _networkMgr.getSystemAccountNetworkOfferings(NetworkOfferingVO.SystemPublicNetwork);
- if (dc.getNetworkType() == NetworkType.Basic) {
+
+ if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) {
 defaultOffering = _networkMgr.getSystemAccountNetworkOfferings(NetworkOfferingVO.SystemGuestNetwork);
 }
diff --git a/server/src/com/cloud/dc/DataCenterVO.java b/server/src/com/cloud/dc/DataCenterVO.java
index 8ef823c5c23..c28c6c67cf7 100644
--- a/server/src/com/cloud/dc/DataCenterVO.java
+++ b/server/src/com/cloud/dc/DataCenterVO.java
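Review bot: The added disjunct `|| zone.isSecurityGroupEnabled()` looks unreachable if this is the same method as the -1588 hunk, which already throws `"Can't add virtual network into a zone with security group enabled"` whenever `zone.isSecurityGroupEnabled() && forVirtualNetwork` before control gets here; for `forVirtualNetwork == false` the original `!forVirtualNetwork` is already true. If the two checks live in different methods, then the message emitted here, `"Direct untagged network is not supported for the zone ..."`, is wrong for the virtual-network case it now also catches and should name the security-group condition instead. The enclosing method starts and ends outside the hunk.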
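Review bot: `if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled())` duplicates the selection that the SecondaryStorageManagerImpl -380 hunk adds verbatim, and neither site says why a security-group-enabled Advanced zone puts a system VM on the guest offering. A comment at both sites would keep them from drifting apart: `// A security-group-enabled zone has no public virtual network (PublicNetworkGuru.canHandle rejects it), so system VMs join the guest network offering.` The blank line added by the `+` before the condition is gratuitous in both places.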
@@ -97,6 +97,9 @@ public class DataCenterVO implements DataCenter {
 @Column(name="firewall_provider")
 private String firewallProvider;
+ @Column(name="is_security_group_enabled")
+ boolean securityGroupEnabled;
+
 @Column(name="mac_address", updatable = false, nullable=false)
 @TableGenerator(name="mac_address_sq", table="data_center", pkColumnName="id", valueColumnName="mac_address", allocationSize=1)
 private long macAddress = 1;
@@ -147,11 +150,11 @@ public class DataCenterVO implements DataCenter {
 }
 public DataCenterVO(long id, String name, String description, String dns1, String dns2, String dns3, String dns4, String vnet, String guestCidr, String domain, Long domainId, NetworkType zoneType) {
- this(name, description, dns1, dns2, dns3, dns4, vnet, guestCidr, domain, domainId, zoneType);
+ this(name, description, dns1, dns2, dns3, dns4, vnet, guestCidr, domain, domainId, zoneType, false);
 this.id = id;
 }
- public DataCenterVO(String name, String description, String dns1, String dns2, String dns3, String dns4, String vnet, String guestCidr, String domain, Long domainId, NetworkType zoneType) {
+ public DataCenterVO(String name, String description, String dns1, String dns2, String dns3, String dns4, String vnet, String guestCidr, String domain, Long domainId, NetworkType zoneType, boolean securityGroupEnabled) {
 this.name = name;
 this.description = description;
 this.dns1 = dns1;
@@ -163,6 +166,7 @@ public class DataCenterVO implements DataCenter {
 this.domain = domain;
 this.domainId = domainId;
 this.networkType = zoneType;
+ this.securityGroupEnabled = securityGroupEnabled;
 loadBalancerProvider = Provider.VirtualRouter.getName();
 firewallProvider = Provider.VirtualRouter.getName();
 dhcpProvider = Provider.VirtualRouter.getName();
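Review bot: The new field `boolean securityGroupEnabled;` is package-private while every neighbouring column field is private (`private String firewallProvider;`, `private long macAddress = 1;`), and nothing in this diff touches it from outside the class — the getter added in the -302 hunk is the access path. Declare it `private boolean securityGroupEnabled;`. The primitive type matches the `NOT NULL DEFAULT 0` column added in create-schema.sql; a short comment such as `// mirrors data_center.is_security_group_enabled; ConfigurationManagerImpl forces it true for Basic zones` would record the invariant next to the mapping.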
@@ -302,5 +306,13 @@ public class DataCenterVO implements DataCenter {
 public NetworkType getNetworkType() {
 return networkType;
 }
-
+
+ @Override
+ public boolean isSecurityGroupEnabled() {
+ return securityGroupEnabled;
+ }
+
+ public void setSecurityGroupEnabled(boolean enabled) {
+ this.securityGroupEnabled = enabled;
+ }
 }
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
index 5e98b6dc9d7..9f7107cde96 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -1482,6 +1482,10 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
 throw new InvalidParameterValueException("Network creation is not allowed in zone with network type " + NetworkType.Basic);
 }
+ if (zone.isSecurityGroupEnabled() && networkOffering.getGuestType() == GuestIpType.Virtual) {
+ throw new InvalidParameterValueException("Virtual Network creation is not allowd if zone is security group enabled");
+ }
+
 String cidr = null;
 if (gateway != null && netmask != null) {
 cidr = NetUtils.ipAndNetMaskToCidr(gateway, netmask);
@@ -1502,7 +1506,7 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
 }
 txn.start();
- Network network = createNetwork(networkOfferingId, name, displayText, isShared, isDefault, zoneId, gateway, cidr, vlanId, networkDomain, owner, cmd.isSecurityGroupEnabled());
+ Network network = createNetwork(networkOfferingId, name, displayText, isShared, isDefault, zoneId, gateway, cidr, vlanId, networkDomain, owner, false);
 // Don't pass owner to create vlan when network offering is of type Direct - done to prevent accountVlanMap entry
 // creation when vlan is mapped to network
diff --git a/server/src/com/cloud/network/NetworkVO.java b/server/src/com/cloud/network/NetworkVO.java
index 32c7fdf1d32..719b0e4d171 100644
--- a/server/src/com/cloud/network/NetworkVO.java
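Review bot: The new user-facing message has a typo, `allowd`: `throw new InvalidParameterValueException("Virtual Network creation is not allowed if zone is security group enabled");`. It would also read better if it matched the phrasing of the message two lines above (`"Network creation is not allowed in zone with network type ..."`) so API clients see one consistent wording for zone-level refusals. The enclosing method starts outside the hunk.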
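Review bot: Passing a literal `false` as the last argument of `createNetwork(...)` means every API-created network in a security-group-enabled zone is persisted with `is_security_group_enabled = 0`, even though the DirectNetworkGuru -98 hunk now copies exactly this value into the network config and the -1482 hunk has just rejected Virtual offerings for such zones. Unless the per-network column is meant to become vestigial (the UserVmManagerImpl -2706 hunk stops reading it), derive the argument from the zone that is already in scope: `Network network = createNetwork(networkOfferingId, name, displayText, isShared, isDefault, zoneId, gateway, cidr, vlanId, networkDomain, owner, zone.isSecurityGroupEnabled());`. If it is meant to be vestigial, a one-line comment saying so at this call would stop the next reader from "fixing" it.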
+++ b/server/src/com/cloud/network/NetworkVO.java
@@ -135,7 +135,7 @@ public class NetworkVO implements Network {
 boolean isDefault;
 @Column(name="is_security_group_enabled")
- boolean securityGroupEnabled = false;
+ boolean securityGroupEnabled;
 public NetworkVO() {
 }
diff --git a/server/src/com/cloud/network/guru/DirectNetworkGuru.java b/server/src/com/cloud/network/guru/DirectNetworkGuru.java
index 021063ecff9..5f881155a59 100644
--- a/server/src/com/cloud/network/guru/DirectNetworkGuru.java
+++ b/server/src/com/cloud/network/guru/DirectNetworkGuru.java
@@ -69,8 +69,13 @@ public class DirectNetworkGuru extends AdapterBase implements NetworkGuru {
 protected boolean canHandle(NetworkOffering offering, DataCenter dc) {
 //this guru handles only non-system network with guestIpType = Direct
- if (dc.getNetworkType() == NetworkType.Advanced && offering.getGuestType() == GuestIpType.Direct && offering.getTrafficType() == TrafficType.Guest && !offering.isSystemOnly()) {
- return true;
+ if (dc.getNetworkType() == NetworkType.Advanced && offering.getGuestType() == GuestIpType.Direct && offering.getTrafficType() == TrafficType.Guest) {
+ if (dc.isSecurityGroupEnabled()) {
+ return true;
+ } else if (!offering.isSystemOnly()) {
+ return true;
+ }
+ return false;
 } else {
 s_logger.trace("We only take care of Guest Direct networks");
 return false;
@@ -98,6 +103,8 @@ public class DirectNetworkGuru extends AdapterBase implements NetworkGuru {
 throw new InvalidParameterValueException("cidr and gateway must be specified together.");
 }
+ config.setSecurityGroupEnabled(userSpecified.isSecurityGroupEnabled());
+
 if (userSpecified.getCidr() != null) {
 config.setCidr(userSpecified.getCidr());
 config.setGateway(userSpecified.getGateway());
diff --git a/server/src/com/cloud/network/guru/PublicNetworkGuru.java b/server/src/com/cloud/network/guru/PublicNetworkGuru.java
index a1e6123996f..6ca1e73d57d 100644
--- a/server/src/com/cloud/network/guru/PublicNetworkGuru.java
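Review bot: The comment `//this guru handles only non-system network with guestIpType = Direct` is now stale, because the new inner `if (dc.isSecurityGroupEnabled())` accepts system-only offerings as well; update it to `//this guru handles Direct guest networks; system-only offerings are accepted only in security-group-enabled zones`. The nested if / else-if / `return false;` can also collapse back into the original single condition, `... && offering.getTrafficType() == TrafficType.Guest && (dc.isSecurityGroupEnabled() || !offering.isSystemOnly())) {` followed by `return true;`, which keeps the trace branch exactly as it was. The `canHandle` method ends outside the hunk.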
+++ b/server/src/com/cloud/network/guru/PublicNetworkGuru.java
@@ -54,7 +54,7 @@ public class PublicNetworkGuru extends AdapterBase implements NetworkGuru {
 protected boolean canHandle(NetworkOffering offering, DataCenter dc) {
- if (dc.getNetworkType() == NetworkType.Advanced && offering.getTrafficType() == TrafficType.Public && offering.isSystemOnly()) {
+ if (dc.getNetworkType() == NetworkType.Advanced && offering.getTrafficType() == TrafficType.Public && offering.isSystemOnly() && !dc.isSecurityGroupEnabled()) {
 return true;
 } else {
 s_logger.trace("We only take care of System only Public Virtual Network");
@@ -71,12 +71,7 @@ public class PublicNetworkGuru extends AdapterBase implements NetworkGuru {
 }
 if (offering.getTrafficType() == TrafficType.Public) {
- GuestIpType type = null;
- if (network.isSecurityGroupEnabled()) {
- type = GuestIpType.Direct;
- }
-
- NetworkVO ntwk = new NetworkVO(offering.getTrafficType(), type, Mode.Static, BroadcastDomainType.Vlan, offering.getId(), plan.getDataCenterId(), State.Setup);
+ NetworkVO ntwk = new NetworkVO(offering.getTrafficType(), null, Mode.Static, BroadcastDomainType.Vlan, offering.getId(), plan.getDataCenterId(), State.Setup);
 return ntwk;
 } else {
 return null;
diff --git a/server/src/com/cloud/server/ConfigurationServerImpl.java b/server/src/com/cloud/server/ConfigurationServerImpl.java
index ed2c95036fc..f47d33be2bf 100644
--- a/server/src/com/cloud/server/ConfigurationServerImpl.java
+++ b/server/src/com/cloud/server/ConfigurationServerImpl.java
@@ -610,7 +610,7 @@ public class ConfigurationServerImpl implements ConfigurationServer {
 }
 }
 // Create the new zone in the database
- DataCenterVO zone = new DataCenterVO(zoneName, null, dns1, dns2, internalDns1, internalDns2, vnetRange, guestCidr, domain, domainId, zoneType);
+ DataCenterVO zone = new DataCenterVO(zoneName, null, dns1, dns2, internalDns1, internalDns2, vnetRange, guestCidr, domain, domainId, zoneType, false);
 zone = _zoneDao.persist(zone);
 // Add vnet entries for the new zone
diff --git a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
index 284d34c3c95..39ed00397ab 100644
--- a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
+++ b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
@@ -380,7 +380,8 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V
 DataCenter dc = _dcDao.findById(plan.getDataCenterId());
 List defaultOffering = _networkMgr.getSystemAccountNetworkOfferings(NetworkOfferingVO.SystemPublicNetwork);
- if (dc.getNetworkType() == NetworkType.Basic) {
+
+ if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) {
 defaultOffering = _networkMgr.getSystemAccountNetworkOfferings(NetworkOfferingVO.SystemGuestNetwork);
 }
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index d8a991a47ef..ac87229166f 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -104,6 +104,7 @@ import com.cloud.ha.HighAvailabilityManager;
 import com.cloud.host.HostVO;
 import com.cloud.host.dao.DetailsDao;
 import com.cloud.host.dao.HostDao;
+import com.cloud.hypervisor.Hypervisor;
 import com.cloud.hypervisor.Hypervisor.HypervisorType;
 import com.cloud.network.IPAddressVO;
 import com.cloud.network.Network;
@@ -2706,13 +2707,13 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
 @Override
 public boolean isVmSecurityGroupEnabled(Long vmId) {
- List nics = _nicDao.listByVmId(vmId);
- for (NicVO nic : nics) {
- Network network = _networkDao.findById(nic.getNetworkId());
- if (network != null && network.isSecurityGroupEnabled()) {
- return true;
- }
- }
+ UserVmVO userVM = _vmDao.findById(vmId);
+ if (userVM != null) {
+ DataCenterVO dataCenter = _dcDao.findById(userVM.getDataCenterId());
+ if (dataCenter != null && dataCenter.isSecurityGroupEnabled() && userVM.getHypervisorType() != Hypervisor.HypervisorType.VMware) {
+ return true;
+ }
+ }
 return false;
 }
 }
diff --git a/setup/db/create-schema.sql b/setup/db/create-schema.sql
index 71caaa3e67e..d0edaf51de8 100755
--- a/setup/db/create-schema.sql
+++ b/setup/db/create-schema.sql
@@ -179,7 +179,7 @@ CREATE TABLE `cloud`.`networks` (
 `is_default` int(1) unsigned NOT NULL DEFAULT 0 COMMENT '1 if network is default',
 `created` datetime NOT NULL COMMENT 'date created',
 `removed` datetime COMMENT 'date removed if not null',
- `is_security_group_enabled` smallint(1) NOT NULL COMMENT '1: enabled, 0: not',
+ `is_security_group_enabled` tinyint NOT NULL DEFAULT 0 COMMENT '1: enabled, 0: not',
 PRIMARY KEY (`id`),
 CONSTRAINT `fk_networks__network_offering_id` FOREIGN KEY (`network_offering_id`) REFERENCES `network_offerings`(`id`),
 CONSTRAINT `fk_networks__data_center_id` FOREIGN KEY (`data_center_id`) REFERENCES `data_center`(`id`),
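Review bot: The rewritten `isVmSecurityGroupEnabled` silently returns `false` for any VM on `HypervisorType.VMware`, even in a zone whose `isSecurityGroupEnabled()` is true, and neither the code nor a comment says why — a reader will take this for a bug, and if callers use the result to decide whether security-group rules are programmed, VMware guests in such a zone simply run without them. Add a comment stating the reason at the condition, e.g. `// security groups are not enforced on VMware hosts; keep in sync with hypervisor capabilities` if that is the reason — please confirm. The new `import com.cloud.hypervisor.Hypervisor;` in the -104 hunk is unnecessary, since `Hypervisor.HypervisorType` is already imported (`import com.cloud.hypervisor.Hypervisor.HypervisorType;` is visible as context), so write `userVM.getHypervisorType() != HypervisorType.VMware`. Note the semantic change as well: the old body was true if any of the VM's NICs sat on a security-group-enabled network, the new one is purely zone-level, so per-network flags no longer influence this answer.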
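Review bot: Both schema hunks — the type change of `networks.is_security_group_enabled` here and the new `data_center.is_security_group_enabled` column in the -474 hunk — touch only create-schema.sql, so an existing database receives neither; unless an upgrade script is added elsewhere, `DataCenterVO`'s new `@Column(name="is_security_group_enabled")` will fail against an already-deployed `data_center` table. If the upgrade lives in another commit, a reference to it in the commit message would help the next reader. The `smallint(1)` to `tinyint NOT NULL DEFAULT 0` change itself is fine and matches the Java field's primitive default.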
@@ -474,6 +474,7 @@ CREATE TABLE `cloud`.`data_center` (
 `vpn_provider` char(64) DEFAULT 'VirtualRouter',
 `userdata_provider` char(64) DEFAULT 'VirtualRouter',
 `enable` tinyint NOT NULL DEFAULT 1 COMMENT 'Is this data center enabled for activities',
+ `is_security_group_enabled` tinyint NOT NULL DEFAULT 0 COMMENT '1: enabled, 0: not',
 PRIMARY KEY (`id`),
 CONSTRAINT `fk_data_center__domain_id` FOREIGN KEY (`domain_id`) REFERENCES `domain`(`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;