authorSalvatore Orlando <salvatore.orlando@eu.citrix.com>2011-11-07 12:01:11 +0000
committerSalvatore Orlando <salvatore.orlando@eu.citrix.com>2012-01-10 17:16:31 +0000
commiteac7888e722759b7c9a0d7841dfe8b26dfd77897 (patch)
tree0bc9df758e65dd2d6d0710c9465237af1407fe49 /plugins/xenserver
parent799801f856a0f3e7788e89ecdca02828fd64e6ad (diff)
downloadnova-eac7888e722759b7c9a0d7841dfe8b26dfd77897.tar.gz
nova-eac7888e722759b7c9a0d7841dfe8b26dfd77897.tar.xz
nova-eac7888e722759b7c9a0d7841dfe8b26dfd77897.zip
Blueprint xenapi-security-groups
Provides two drivers for implementing security groups in xenapi: 1) a domU driver that enforces security groups on the OpenStack virtual appliance (use advised with FlatDHCP in HA mode); 2) a dom0 driver that enforces security groups where VIFs are attached. Both drivers translate security groups into iptables rules. Existing libvirt code has been refactored to reduce the amount of duplicated code to a minimum. Now addressing reviewers' comments on style. Fixing issue spotted with snapshots. Change-Id: Ifa16a8f2508a709be03241bac0f942fe1a51d1e8
Diffstat (limited to 'plugins/xenserver')
-rw-r--r--[-rwxr-xr-x]plugins/xenserver/xenapi/etc/xapi.d/plugins/xenhost58
1 files changed, 57 insertions, 1 deletions
diff --git a/plugins/xenserver/xenapi/etc/xapi.d/plugins/xenhost b/plugins/xenserver/xenapi/etc/xapi.d/plugins/xenhost
index f02597afc..64938641f 100755..100644
--- a/plugins/xenserver/xenapi/etc/xapi.d/plugins/xenhost
+++ b/plugins/xenserver/xenapi/etc/xapi.d/plugins/xenhost
@@ -25,6 +25,7 @@ try:
import json
except ImportError:
import simplejson as json
+import logging
import os
import random
import re
@@ -67,6 +68,35 @@ def _run_command(cmd):
return proc.stdout.read()
+# NOTE (salvatore-orlando):
+# Instead of updating run_command a new method has been implemented,
+# in order to avoid risking breaking existing functions calling _run_command
+def _run_command_with_input(cmd, process_input):
+ """Abstracts out the basics of issuing system commands. If the command
+ returns anything in stderr, a PluginError is raised with that information.
+ Otherwise, the output from stdout is returned.
+
+ process_input specificies a variable to use as the process' standard input.
+ """
+ pipe = subprocess.PIPE
+ # cmd can be either a single string with command and arguments,
+ # or a sequence of string
+ if not hasattr(cmd, '__iter__'):
+ cmd = [cmd] # make it iterable
+
+ #Note(salvatore-orlando): the shell argument has been set to False
+ proc = subprocess.Popen(cmd, shell=False, stdin=pipe, stdout=pipe,
+ stderr=pipe, close_fds=True)
+ if process_input is not None:
+ (output, err) = proc.communicate(process_input)
+ else:
+ (output, err) = proc.communicate()
+ if err:
+ raise pluginlib.PluginError(err)
+ # This is tantamount to proc.stdout.read()
+ return output
+
+
def _get_host_uuid():
cmd = "xe host-list | grep uuid"
resp = _run_command(cmd)
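Review bot: `_run_command_with_input` judges success only by `if err:`, so a command that exits non-zero without writing to stderr is returned as success, while a harmless warning on stderr raises PluginError. Checking the exit status after `communicate()` would be more reliable, for example `if proc.returncode != 0: raise pluginlib.PluginError(err)`. Because `shell=False` is used, the `cmd = [cmd]` branch treats a bare string as the program name alone and does not split it into arguments. The docstring should say so, since `_run_command` just below is called with a full shell pipeline string.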
@@ -163,6 +193,31 @@ def set_config(self, arg_dict):
_write_config_dict(conf)
+def iptables_config(session, args):
+ # command should be either save or restore
+ logging.debug("iptables_config:enter")
+ logging.debug("iptables_config: args=%s", args)
+ cmd_args = pluginlib.exists(args, 'cmd_args')
+ logging.debug("iptables_config: cmd_args=%s", cmd_args)
+ process_input = pluginlib.optional(args, 'process_input')
+ logging.debug("iptables_config: process_input=%s", process_input)
+ cmd = json.loads(cmd_args)
+ cmd = map(str, cmd)
+
+ # either execute iptable-save or iptables-restore
+ # command must be only one of these two
+ # process_input must be used only with iptables-restore
+ if len(cmd) > 0 and cmd[0] in ('iptables-save', 'iptables-restore'):
+ result = _run_command_with_input(cmd, process_input)
+ ret_str = json.dumps(dict(out=result,
+ err=''))
+ logging.debug("iptables_config:exit")
+ return ret_str
+ else:
+ # else don't do anything and return an error
+ raise pluginlib.PluginError(_("Invalid iptables command"))
+
+
def _power_action(action):
host_uuid = _get_host_uuid()
# Host must be disabled first
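Review bot: The allowlist in `iptables_config` constrains only `cmd[0]`; every remaining element of the caller-supplied JSON list is passed through unchecked as arguments to a binary this plugin runs in dom0 (presumably with root privileges). The options should be validated against the small fixed set the two drivers actually send. The comment states that process_input must be used only with iptables-restore, but nothing enforces it; a guard such as `if process_input is not None and cmd[0] != 'iptables-restore': raise pluginlib.PluginError(_("Invalid iptables command"))` would make it true. The command name is also resolved through PATH, so invoking the tools by absolute path would remove the dependency on the plugin's environment. The `logging.debug("iptables_config: process_input=%s", ...)` line writes the complete ruleset to the log on every call, which is worth trimming or summarising.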
@@ -326,4 +381,5 @@ if __name__ == "__main__":
"host_reboot": host_reboot,
"host_start": host_start,
"get_config": get_config,
- "set_config": set_config})
+ "set_config": set_config,
+ "iptables_config": iptables_config})