Use SRX firewall filter as SRX firewall. The old security policy mechanism
cannot be used as IP based. This would enable SRX's ability to control traffic
for F5 behind it.
Change access to canHandle so it's easier to unittest.
Make a note that answers can be null if the host is down, there should
be a way to deal with this, but for now an NPE is an adequate indication
that something is wrong.
- Fix interface to return array of strings, or filenames
- Fix StaticRoleBased ACL adapter to process config files by going through all pluggable services
- Refactor interface names
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
Automates name field filling using the following python program, which reads from
various *commands.properties.in files and populates name fields based on the
name cmd class mapping defined in them.
from __future__ import print_function
import os

search_pattern = "@APICommand("
pattern_len = len(search_pattern)
# Each *_commands.properties.in file maps an API name to its command class;
# file_prefixes[i] is the source root that holds the classes listed in prop_files[i].
prop_files = [
    "client/tomcatconf/cisconexusvsm_commands.properties.in",
    "client/tomcatconf/f5bigip_commands.properties.in",
    "client/tomcatconf/junipersrx_commands.properties.in",
    "client/tomcatconf/netapp_commands.properties.in",
    "client/tomcatconf/netscalerloadbalancer_commands.properties.in",
    "client/tomcatconf/nicira-nvp_commands.properties.in",
    "client/tomcatconf/simulator_commands.properties.in",
]
file_prefixes = [
    "plugins/hypervisors/vmware/src/",
    "plugins/network-elements/f5/src/",
    "plugins/network-elements/juniper-srx/src/",
    "plugins/file-systems/netapp/src/",
    "plugins/network-elements/netscaler/src/",
    "plugins/network-elements/nicira-nvp/src/",
    "plugins/hypervisors/simulator/src/",
]
counter = 0
for prop_file in prop_files:
    f = open(prop_file, 'r')
    data = f.read()
    f.close()
    file_prefix = file_prefixes[counter]
    # Skip blank lines and comments; each remaining line is "apiName=cmd.class;..."
    apis = filter(lambda x: x.strip() != '' and (not x.startswith('#')), data.split('\n'))
    for api in apis:
        api_name = api.split('=')[0].strip()
        cmd_name = file_prefix + api.split('=')[1].split(';')[0].replace('.', '/').strip() + ".java"
        if not os.path.exists(cmd_name):
            # Report the missing class and move on instead of failing on open()
            print(cmd_name, api_name)
            continue
        f = open(cmd_name, 'r')
        d = f.read()
        f.close()
        idx = d.find(search_pattern)
        if idx < 0:
            # No @APICommand annotation to extend; leave the file untouched
            print("no annotation in", cmd_name)
            continue
        idx += pattern_len
        # Insert name = "<apiName>", right after "@APICommand("
        new_str = d[:idx] + "name = \"%s\", " % api_name + d[idx:]
        f = open(cmd_name, 'w')
        f.write(new_str)
        f.close()
    counter += 1
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
Entities correlated to Identity carry a uuid and those
correlated to InternalIdentity carry an id. Those entities that carry
both will correlate to Identity and InternalIdentity.
This refactors entities wherever possible to ensure the VO only
implements the first class entity.
Signed-off-by: Prasanna Santhanam <tsp@apache.org>
Multiple fixes:
1. changes to the mvn configuration
a. include simulator to client.war
b. activate simulator by profile
2. templates for simulator
3. developer prefill for simulator
a. Use deplydb-simulator to setup simulator db
4. Inherit components-simulator.xml from components.xml
5. ListVolumesCommand missed for MockStorageManager
6. Include simulator properties into utils/db.properties
TODO:
Secondary storage VMs don't come up because ComponentLocator doesn't
retain a unique set of adapters by name. Fix this in subsequent
checkin.
BootArgs carry router priority for master and backup and simulator will
reuse the priority to decide RvR status. Deprecating the odd/even logic.
Signed-off-by: Prasanna Santhanam <tsp@apache.org>
Detail:
To induce latency for a command you have to use an API call like so
http://localhost:8096/client/api?command=configureSimulator&zoneid=1&podid=1&name=CheckRouterCommand&value=wait:80|timeout:0
(This is a hidden API command just for the simulator)
You will see the configuration effected in the mockconfiguration table of
simulator db. You can introduce the latency at runtime without restarting
management server.
mysql> select * from mockconfiguration;
+----+----------------+--------+------------+---------+--------------------+-------------------+
| id | data_center_id | pod_id | cluster_id | host_id | name               | values            |
+----+----------------+--------+------------+---------+--------------------+-------------------+
|  1 |              1 |      1 |       NULL |    NULL | CheckRouterCommand | wait:80|timeout:0 |
+----+----------------+--------+------------+---------+--------------------+-------------------+
1 row in set (0.00 sec)
By providing the optional zoneid, podid, clusterid, hostid you can induce the
latency at various levels. This delay will happen before the command is
processed and post-execution return Command's Answer back to management
server.
Signed-off-by: Prasanna Santhanam <tsp@apache.org>
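An added sketch, not the simulator's own code, of how a row like the one above is matched and applied: the values string is parsed, the most specific scope wins (host over cluster over pod over zone), and the wait is injected before the mock command runs. The rows, the specificity order and the function names are assumptions; sleep is injectable so a test does not have to wait 80 seconds.

```python
import time

# Constructed rows mirroring the mockconfiguration table above; None stands for NULL.
MOCK_CONFIGURATION = [
    {"data_center_id": 1, "pod_id": 1, "cluster_id": None, "host_id": None,
     "name": "CheckRouterCommand", "values": "wait:80|timeout:0"},
]

SCOPE_COLUMNS = ("data_center_id", "pod_id", "cluster_id", "host_id")


def parse_values(values):
    """Turn 'wait:80|timeout:0' into {'wait': 80, 'timeout': 0}."""
    parsed = {}
    for item in values.split("|"):
        key, _, number = item.partition(":")
        parsed[key.strip()] = int(number)
    return parsed


def find_config(rows, name, zone_id, pod_id=None, cluster_id=None, host_id=None):
    """Pick the row for this command at this location, most specific scope first.

    A row applies when every scope it sets equals the command's location; a NULL
    scope matches anything. Among applicable rows the one setting the most
    scopes wins (assumed resolution order, not taken from the simulator).
    """
    location = dict(zip(SCOPE_COLUMNS, (zone_id, pod_id, cluster_id, host_id)))
    best, best_score = None, -1
    for row in rows:
        if row["name"] != name:
            continue
        set_scopes = [c for c in SCOPE_COLUMNS if row[c] is not None]
        if all(row[c] == location[c] for c in set_scopes) and len(set_scopes) > best_score:
            best, best_score = row, len(set_scopes)
    return best


def execute_with_latency(rows, name, zone_id, pod_id=None, cluster_id=None,
                         host_id=None, sleep=time.sleep):
    """Delay before the mock command runs, as configureSimulator does; returns seconds waited."""
    row = find_config(rows, name, zone_id, pod_id, cluster_id, host_id)
    if row is None:
        return 0
    wait = parse_values(row["values"]).get("wait", 0)
    if wait:
        sleep(wait)
    return wait
```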
Simulator just like any hypervisor should be a plugin.
resurrecting it to aid api refactoring tests. WIP
Signed-off-by: Prasanna Santhanam <tsp@apache.org>
Detail: Instead of using LibvirtStorageAdaptor for everything, you can create
your own storage adaptor and use it. We select storage adaptor based on storage
pool type, thus we needed to adjust LibvirtComputingResource to pass pool type
to everything in KVMStoragePoolManager. This in turn required that we pass the
info necessary to LibvirtComputingResource as well, so a few agent Commands were
modified.
Note this patch in and of itself shouldn't change any existing behavior, just
allow for new storage adaptors to be selected based on storage pool type.
Reviewed-by: Edison Su
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1355769696 -0700
These unittests do not depend on the componentlocator but instead are
completely dependent on mock objects. This ensures that they can be run
standalone without any requirements on the environment.
Includes some fixes to NiciraNvpGuestNetworkGuru and GuestNetworkGuru
Note to self, surefire actually runs with assertions enabled where junit
inside eclipse doesn't. Sure surefire will mark tests as failed when an
assertion is triggered. Take care when mocking stuff.
Added some unittests for the NiciraNvpApi. These tests mainly validate
the logic of the execute methods, which are the main thing in this
class. Other methods are basically wrappers around these functions.
Changed NiciraNvpApi to have a factory method for obtaining the
HttpMethod. This makes it easier to mock it.
Changed the executeMethods in NiciraNvpApi to protected so the unittests
have access.
Fixed a bug in NiciraNvpApi where releaseconnection was not called in
some cases.
Nicira NVP can't handle a range of ports when implementing port
forwarding, so return an error message when a rule is being implemented
that uses port ranges.
Include unittest to verify this behaviour
Rewritten handling for static nat and port forwarding, should make some
more sense now and the complex functions are split in smaller units.
Fix a small bug in Match
Add equals function to NatRule that ignores the uuid field.
network in the advanced zone
Changing the F5, NetScaler, SRX network elements to handle both 'isolated networks'
and 'shared networks' in the advanced zone
Bug ID:CLOUDSTACK-312 enable L4-L7 network services in the shared network in the advanced zone
Detail: If source image is qcow2, and we want a qcow2 image, then doing a
convert strips off compression and any snapshots the user had in that image. If
a backing file exists, we stick with convert so we can pull in both the backing
file and the COW image, otherwise we just cp the qcow2 file. This is also faster
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1354755241 -0700
Move ExternalNetworkDeviceManager to cloud-api, as server depends on cloud-api
The api refactoring of one of the api required this interface
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- Refactor VPN and VM APIs to admin and user pkgs
- Names space, org.apache.cloudstack
- Fix refactored apis in commands*.in
- Fix comments etc.
- Expand tabs, remove trailing whitespace
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
Changed the creation of the NiciraNvpApi to a factory method that can be
overridden by a mock object.
Setup two tests to test the configure function of the NiciraNvpResource
to test this factory method.
Detail: This patch deletes any patchdisk found when deleting root volume for
system VM.
BUG-ID: CLOUDSTACK-566
Bugfix-for: 4.0.1
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1354222335 -0700
stopped
Detail: This patch fixed an issue with hosts trying to stop system vms that were
already not running and deleting a patch disk for the system vm running on
another host. It got applied to 4.0 but not master.
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1354222160 -0700
Detail: Because of the way most other primary storage types work with cloudstack
(i.e. backing stores) CLVM actually copies the template to a local logical
volume on primary storage, then uses that. This causes all of your primary
storage to be littered with a copy of every template used. Since we're not
using these, dump the template direct to the newly created logical volume.
This is faster as well since the template is sparse; we're not creating a fat
template on primary storage and then copying that to a logical volume when we
deploy from template.
BUG-ID: CLOUDSTACK-508
Bugfix-for: 4.1
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1353221260 -0700
Detail: In com.cloud.hypervisor.kvm.resource.BridgeVifDriver.java, in 2 places
an if block should have evaluated to true if trafficLabel was null, however it
was causing a NullPointerException instead.
BUG-ID : NONE
Bugfix-for: 4.0
Reviewed-by: Marcus Sorensen
Reported-by: Dave Cahill
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1352307750 -0700
The authenticators now have an encode function that cloudstack will use to encode the user supplied password before storing it in the database. This makes it easier to add other authenticators with other hashing algorithms. This requires a two-step approach to creating the admin account at first start as the authenticators are only present in the management-server component locator.
The SHA256 salted authenticator makes use of this new system and adds a hashing algorithm based on SHA256 with a salt. This type of hash is far less susceptible to rainbow table attacks.
To make use of these new features the users password will be sent over the wire just as he typed it and it will be transformed into a hash on the server and compared with the stored password. This means that the hash will not go over the wire anymore.
The default authenticator in components.xml is still set to md5 for backwards compatibility. For new installations the sha256 could be enabled.
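An added illustration, not CloudStack's own code, of the encode-and-compare flow the message describes: a salted SHA256 encoder beside the unsalted MD5 form it replaces, a constant-time verify, and a login path that re-encodes a legacy MD5 entry once it has been verified so an installation can move off md5 account by account. The stored layout, the unsalted hex MD5 layout and the function names are assumptions; a single SHA256 round is what the commit describes, and a purpose-built password KDF would add iteration cost on top of the salt.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16


def encode(password, salt=None):
    """Salted SHA256 encoder: returns '<salt hex>:<sha256(salt || password) hex>'.

    The stored layout is an assumption for this example, not CloudStack's own.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + ":" + digest


def verify(password, stored):
    """Re-encode the supplied password with the stored salt and compare in constant time."""
    salt_hex, _, digest = stored.partition(":")
    candidate = encode(password, bytes.fromhex(salt_hex)).partition(":")[2]
    return hmac.compare_digest(candidate, digest)


def legacy_md5(password):
    """Unsalted hex MD5, assumed here as the layout of the legacy md5 authenticator."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def authenticate(password, stored):
    """Check a password against either layout.

    Returns (ok, stored_after). stored_after differs from stored only when a
    legacy MD5 entry verified and was re-encoded with a fresh salt, so a
    deployment can migrate accounts on their next successful login.
    """
    if ":" in stored:
        return verify(password, stored), stored
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, encode(password)
    return False, stored
```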
Detail: There was a regression in functionality introduced by
915babd970 where the public
bridge could not also be the private bridge. This had several
additional consequences, this patch should revert the behavior
back while keeping the functionality enhancements introduced by that
commit.
BUG-ID : NONE
Reviewed-by: Dave Cahill
Reported-by: Dave Cahill via cloudstack-dev
Signed-off-by: Marcus Sorensen <shadowsor@gmail.com> 1351574006 -0600
called.
VifDriver.unplug must be called in MigrateCommand which hooks VM
migration in source host, because plug will be called in
PrepareForMigration in destination host. But that operation is missing
in current LibvirtComputingResources.
Signed-off-by: Edison Su <sudison@gmail.com>
On kvm computing host, vifdriver.unplug will always fail (throws
LibvirtException) and network cleanup will not be called. This was
because the code first undefines the computing domain, and then tries to
query the destroyed machine definition to fetch NIC information. IMHO,
kvm plugin code rounds LibvirtException too much.
Signed-off-by: Edison Su <sudison@gmail.com>
The vmware modules should be listed as provided so they are never
packaged. However this also means that you have to put them in the
web-inf/lib directory by hand.
Set the version of the api in the central pom for easy reference.
Add wsdl4j as a runtime requirement. It is actually required by the
vmware implementation but it is easier to list it as a requirement for
the component here as vmware is not in any maven repo
put the dependency on vim back in the dependencies. It is not required
for compile, but is required as runtime by apputils.
vmware-lib-jaxrpc is now provided by axis-jaxrpc-1.4.jar, the former is
the same as the latter (bit by bit) and the only difference is the file name.
- Fix dependency in vmware-base's pom.xml
- Fix dependency in hypervisor-plugin-vmware's pom.xml
- Fix install-non-oss.sh by reverting commit:
2e6ddc6c36.
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
This commit merges the nicira-l3support branch with master. This
effectively adds nicira nvp l3 support to master. The NiciraNVP Provider
can support the following services with this modification: Connectivity,
SourceNat, StaticNat and PortForwarding
Testing done:
Create, Delete network offerings with Nicira Element
Use Gui to add, modify, remove Nicira Element and Provider
Provision, deprovision SourceNat networks
Provision, deprovision Portforwarding and StaticNat rules
Tested with Nicira NVP release 2.1.0, 2.2.0 and 2.2.1 (2.2.x recommended)
Since only the cephx user like 'admin' was passed we couldn't define two RBD storage pools
using the cephx user admin, even if they were running on different Ceph clusters.
By adding the monitor hostname and poolname to the secret's usage (which we don't even use) it becomes
unique.
Fixes the hard coded path in the vmware plugin.
The systemvm.iso file would copy the script only to /opt/cloud/bin.
Same is the path used for vpc_netusage.sh
Signed-off-by: Rohit Yadav <rohit.yadav@citrix.com>
work)
Cloudstack seems to let you create guest traffic types on multiple
physical networks. However, when I try this with KVM I end up always
bridging to whatever device is used for guest.network.device. This pulls
the traffic label (NicTO.getName()) and uses that bridge to ensure that
we get on the correct physical network, rather than just always using
the guest.network.device.
This also changes the bridge naming scheme from cloudVirBr + vlanid to
br + physicalinterface + "-" + vlanid. This is because we should be able
to support the same vlan numbers per physical network, and the previous
bridge name would not support this and collide.
Signed-off-by: Edison Su <sudison@gmail.com>
create
The code is unable to detect an existing pool, because we use a random
UUID each time. New Libvirt doesn't allow multiple pools to be defined
to the same storage. This patch generates a UUID based on the storage
path, so that it can be detected as existing and reused. It also cleans
up no-op code and adjusts the naming of a few things to clean up any
confusion.
Signed-off-by: Edison Su <sudison@gmail.com>
Since /root is r-x permissions, Java fails to mkdir /root/.ssh (even
though the agent is running as root) because it looks for the writable
permission. This patch modifies the 'chmod 700 /root/.ssh' shell command
that we already use into 'mkdir -m 700 /root/.ssh', to be able to create
the directory as root even though write permissions are not set on
/root. This seemed cleaner/safer than adding writable to /root.
Signed-off-by: Edison Su <sudison@gmail.com>
The default value for local.storage.path does not exist by
default in CentOS 6. By default, this results in a NullPointerException
silently. Without this log message, the administrator can't figure out
the reason at all.
Signed-off-by: Edison Su <sudison@gmail.com>
/root/.ssh is created with perms '600' if it doesn't already exist. This causes
a problem in that it can't write out id_rsa.cloud:
2012-08-27 16:35:40,227 DEBUG [cloud.agent.Agent] (agentRequest-Handler-4:null)
Processing command: com.cloud.agent.api.ModifySshKeysCommand
2012-08-27 16:35:40,228 DEBUG [kvm.resource.LibvirtComputingResource]
(agentRequest-Handler-4:null) Failed to create file: java.io.IOException:
Permission denied
Doing 'chmod u+x /root/.ssh' fixed the above, so it seems that even though the
agent is running as root it cares about being able to chdir into /root/.ssh
Signed-off-by: Sheng Yang <sheng.yang@citrix.com>
Implements
SetupGuestNetworkCommand,SetNetworkACLCommand,SetSourceNatCommand,IpAssocVpcCommand,SetPortForwardingRulesVpcCommand.
Passes basic functionality, though I'm sure there may be some honing to
do.
Also fixes a few minor things found along the way:
vpc_guestnw.sh wasn't successfully setting up apache due to default
listen IP of 10.1.1.1
vpc_guestnw.sh was referencing a 'logger_it' function, replaced with
'logger -t cloud'
system vms were running with OS type "Debian GNU/Linux 5.0(32-bit)",
which was not found in the KVMGuestOsMapper
the Xen implementation of SetupGuestNetworkCommand had apparently
copied its catch message from UnPlug Nic, fixed string
Send-by: Marcus Sorensen
RB: https://reviews.apache.org/r/6883
This is part 1 in enabling VPC for KVM. The various commands needing
implementation will be submitted individually unless I'm told to do
otherwise, in case I don't complete all of the commands, such that
someone else can take over or build on my work.
RB: https://reviews.apache.org/r/6859
Send-by: shadowsor@gmail.com
Add BridgeVifDriver and move current vif implementation to it.
- remove dependency on VirtualRoutingResource.
- factor out some of the networking code in LibvirtComputingResource
to BridgeVifDriver.
Add base class for KVM VifDriver.
Add VifDriver Interface for KVM.
RB: https://reviews.apache.org/r/6285
Send-by: Tomoe Sugihara <tomoe@midokura.com>
We used to generate a UUID when this wasn't set, but since we aren't writing to
agent.properties anymore we have to make sure the UUID is persistent across restarts.