merge with trunk

5 files changed, 66 insertions, 46 deletions

diff --git a/nova/virt/disk.py b/nova/virt/disk.py
index ddea1a1f7..f8aea1f34 100644
--- a/nova/virt/disk.py
+++ b/nova/virt/disk.py
@@ -81,34 +81,36 @@ def inject_data(image, key=None, net=None, partition=None, nbd=False):
         else:
             mapped_device = device
 
-        # We can only loopback mount raw images. If the device isn't there,
-        # it's normally because it's a .vmdk or a .vdi etc
-        if not os.path.exists(mapped_device):
-            raise exception.Error('Mapped device was not found (we can'
-                                  ' only inject raw disk images): %s' %
-                                  mapped_device)
-
-        # Configure ext2fs so that it doesn't auto-check every N boots
-        out, err = utils.execute('sudo', 'tune2fs',
-                                 '-c', 0, '-i', 0, mapped_device)
-
-        tmpdir = tempfile.mkdtemp()
         try:
-            # mount loopback to dir
-            out, err = utils.execute(
-                    'sudo', 'mount', mapped_device, tmpdir)
-            if err:
-                raise exception.Error(_('Failed to mount filesystem: %s')
-                                      % err)
-
+            # We can only loopback mount raw images. If the device isn't there,
+            # it's normally because it's a .vmdk or a .vdi etc
+            if not os.path.exists(mapped_device):
+                raise exception.Error('Mapped device was not found (we can'
+                                      ' only inject raw disk images): %s' %
+                                      mapped_device)
+
+            # Configure ext2fs so that it doesn't auto-check every N boots
+            out, err = utils.execute('sudo', 'tune2fs',
+                                     '-c', 0, '-i', 0, mapped_device)
+
+            tmpdir = tempfile.mkdtemp()
             try:
-                inject_data_into_fs(tmpdir, key, net, utils.execute)
+                # mount loopback to dir
+                out, err = utils.execute(
+                        'sudo', 'mount', mapped_device, tmpdir)
+                if err:
+                    raise exception.Error(_('Failed to mount filesystem: %s')
+                                          % err)
+
+                try:
+                    inject_data_into_fs(tmpdir, key, net, utils.execute)
+                finally:
+                    # unmount device
+                    utils.execute('sudo', 'umount', mapped_device)
             finally:
-                # unmount device
-                utils.execute('sudo', 'umount', mapped_device)
+                # remove temporary directory
+                utils.execute('rmdir', tmpdir)
         finally:
-            # remove temporary directory
-            utils.execute('rmdir', tmpdir)
             if not partition is None:
                 # remove partitions
                 utils.execute('sudo', 'kpartx', '-d', device)
diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py
index f808a4b7b..9241c1d9e 100644
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@@ -57,6 +57,7 @@ from nova import context
 from nova import db
 from nova import exception
 from nova import flags
+from nova import ipv6
 from nova import log as logging
 from nova import utils
 from nova import vnc
@@ -184,8 +185,9 @@ def _get_network_info(instance):
         def ip6_dict():
             prefix = network['cidr_v6']
             mac = instance['mac_address']
+            project_id = instance['project_id']
             return  {
-                'ip': utils.to_global_ipv6(prefix, mac),
+                'ip': ipv6.to_global(prefix, mac, project_id),
                 'netmask': network['netmask_v6'],
                 'enabled': '1'}
 
@@ -1612,7 +1614,9 @@ class FirewallDriver(object):
         """
         raise NotImplementedError()
 
-    def refresh_security_group_rules(self, security_group_id):
+    def refresh_security_group_rules(self,
+                                     security_group_id,
+                                     network_info=None):
         """Refresh security group rules from data store
 
         Gets called when a rule has been added to or removed from
@@ -1933,7 +1937,9 @@ class NWFilterFirewall(FirewallDriver):
         self._define_filter(self._filter_container(filter_name,
                                                    filter_children))
 
-    def refresh_security_group_rules(self, security_group_id):
+    def refresh_security_group_rules(self,
+                                     security_group_id,
+                                     network_info=None):
         return self._define_filter(
                    self.security_group_to_nwfilter_xml(security_group_id))
 
@@ -2192,15 +2198,19 @@ class IptablesFirewallDriver(FirewallDriver):
     def refresh_security_group_members(self, security_group):
         pass
 
-    def refresh_security_group_rules(self, security_group):
-        self.do_refresh_security_group_rules(security_group)
+    def refresh_security_group_rules(self, security_group, network_info=None):
+        self.do_refresh_security_group_rules(security_group, network_info)
         self.iptables.apply()
 
     @utils.synchronized('iptables', external=True)
-    def do_refresh_security_group_rules(self, security_group):
+    def do_refresh_security_group_rules(self,
+                                        security_group,
+                                        network_info=None):
         for instance in self.instances.values():
             self.remove_filters_for_instance(instance)
-            self.add_filters_for_instance(instance)
+            if not network_info:
+                network_info = _get_network_info(instance)
+            self.add_filters_for_instance(instance, network_info)
 
     def _security_group_chain_name(self, security_group_id):
         return 'nova-sg-%s' % (security_group_id,)
diff --git a/nova/virt/xenapi/vm_utils.py b/nova/virt/xenapi/vm_utils.py
index c8f342aa8..9f6cd608c 100644
--- a/nova/virt/xenapi/vm_utils.py
+++ b/nova/virt/xenapi/vm_utils.py
@@ -48,6 +48,8 @@ FLAGS = flags.FLAGS
 flags.DEFINE_string('default_os_type', 'linux', 'Default OS type')
 flags.DEFINE_integer('block_device_creation_timeout', 10,
                      'time to wait for a block device to be created')
+flags.DEFINE_integer('max_kernel_ramdisk_size', 16 * 1024 * 1024,
+                     'maximum size in bytes of kernel or ramdisk images')
 
 XENAPI_POWER_STATE = {
     'Halted': power_state.SHUTDOWN,
@@ -444,6 +446,12 @@ class VMHelper(HelperBase):
         if image_type == ImageType.DISK:
             # Make room for MBR.
             vdi_size += MBR_SIZE_BYTES
+        elif image_type == ImageType.KERNEL_RAMDISK and \
+             vdi_size > FLAGS.max_kernel_ramdisk_size:
+            max_size = FLAGS.max_kernel_ramdisk_size
+            raise exception.Error(
+                _("Kernel/Ramdisk image is too large: %(vdi_size)d bytes, "
+                  "max %(max_size)d bytes") % locals())
 
         name_label = get_name_label_for_image(image)
         vdi_ref = cls.create_vdi(session, sr_ref, name_label, vdi_size, False)
diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py
index fe9a74dd6..0074444f8 100644
--- a/nova/virt/xenapi/vmops.py
+++ b/nova/virt/xenapi/vmops.py
@@ -25,15 +25,15 @@ import M2Crypto
 import os
 import pickle
 import subprocess
-import tempfile
 import uuid
 
-from nova import db
 from nova import context
-from nova import log as logging
+from nova import db
 from nova import exception
-from nova import utils
 from nova import flags
+from nova import ipv6
+from nova import log as logging
+from nova import utils
 
 from nova.auth.manager import AuthManager
 from nova.compute import power_state
@@ -808,8 +808,9 @@ class VMOps(object):
 
             def ip6_dict():
                 return {
-                    "ip": utils.to_global_ipv6(network['cidr_v6'],
-                                               instance['mac_address']),
+                    "ip": ipv6.to_global(network['cidr_v6'],
+                                         instance['mac_address'],
+                                         instance['project_id']),
                     "netmask": network['netmask_v6'],
                     "enabled": "1"}
 
@@ -1161,18 +1162,17 @@ class SimpleDH(object):
         return mpi
 
     def _run_ssl(self, text, which):
-        base_cmd = ('cat %(tmpfile)s | openssl enc -aes-128-cbc '
-                '-a -pass pass:%(shared)s -nosalt %(dec_flag)s')
+        base_cmd = ('openssl enc -aes-128-cbc -a -pass pass:%(shared)s '
+                '-nosalt %(dec_flag)s')
         if which.lower()[0] == 'd':
             dec_flag = ' -d'
         else:
             dec_flag = ''
-        fd, tmpfile = tempfile.mkstemp()
-        os.close(fd)
-        file(tmpfile, 'w').write(text)
         shared = self._shared
         cmd = base_cmd % locals()
         proc = _runproc(cmd)
+        proc.stdin.write(text)
+        proc.stdin.close()
         proc.wait()
         err = proc.stderr.read()
         if err:
diff --git a/nova/virt/xenapi_conn.py b/nova/virt/xenapi_conn.py
index eb572f295..6d828e109 100644
--- a/nova/virt/xenapi_conn.py
+++ b/nova/virt/xenapi_conn.py
@@ -169,15 +169,15 @@ class XenAPIConnection(driver.ComputeDriver):
 
     def __init__(self, url, user, pw):
         super(XenAPIConnection, self).__init__()
-        session = XenAPISession(url, user, pw)
-        self._vmops = VMOps(session)
-        self._volumeops = VolumeOps(session)
+        self._session = XenAPISession(url, user, pw)
+        self._vmops = VMOps(self._session)
+        self._volumeops = VolumeOps(self._session)
         self._host_state = None
 
     @property
     def HostState(self):
         if not self._host_state:
-            self._host_state = HostState(self.session)
+            self._host_state = HostState(self._session)
         return self._host_state
 
     def init_host(self, host):