| author | Justin Santa Barbara <justinsb@justinsb-desktop> | 2010-10-14 12:59:36 -0700 |
|---|---|---|
| committer | Justin Santa Barbara <justinsb@justinsb-desktop> | 2010-10-14 12:59:36 -0700 |
| commit | d8643f1e15f241db96893d1ea41083a2bee65dbd (patch) | |
| tree | 12e9e85733306f97b12b99339edbe49ef4031418 /tools | |
| parent | 759bab6059ef2e4c463a73e12fe85fe4b147eba7 (diff) | |
| parent | 3363b133a927509432cb42d77abf18d3d5248abf (diff) | |
| download | nova-d8643f1e15f241db96893d1ea41083a2bee65dbd.tar.gz nova-d8643f1e15f241db96893d1ea41083a2bee65dbd.tar.xz nova-d8643f1e15f241db96893d1ea41083a2bee65dbd.zip | |
Merged with trunk, fixed broken stuff
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/install_venv.py | 8 | ||||
| -rw-r--r-- | tools/pip-requires | 7 | ||||
| -rwxr-xr-x | tools/setup_iptables.sh | 158 |
3 files changed, 169 insertions, 4 deletions
diff --git a/tools/install_venv.py b/tools/install_venv.py
index 1f0fa3cc7..32c372352 100644
--- a/tools/install_venv.py
+++ b/tools/install_venv.py
@@ -88,6 +88,10 @@ def create_virtualenv(venv=VENV):
def install_dependencies(venv=VENV):
print 'Installing dependencies with pip (this can take a while)...'
+ # Install greenlet by hand - just listing it in the requires file does not
+ # get it in stalled in the right order
+ run_command(['tools/with_venv.sh', 'pip', 'install', '-E', venv, 'greenlet'],
+ redirect_output=False)
run_command(['tools/with_venv.sh', 'pip', 'install', '-E', venv, '-r', PIP_REQUIRES],
redirect_output=False)
run_command(['tools/with_venv.sh', 'pip', 'install', '-E', venv, TWISTED_NOVA],
@@ -95,8 +99,8 @@ def install_dependencies(venv=VENV):
# Tell the virtual env how to "import nova"
- pathfile=os.path.join(venv, "lib", "python2.6", "site-packages", "nova.pth")
- f=open(pathfile, 'w')
+ pthfile = os.path.join(venv, "lib", "python2.6", "site-packages", "nova.pth")
+ f = open(pthfile, 'w')
f.write("%s\n" % ROOT)
diff --git a/tools/pip-requires b/tools/pip-requires
index 58e32cad7..f1e9711a0 100644
--- a/tools/pip-requires
+++ b/tools/pip-requires
@@ -1,3 +1,4 @@
+SQLAlchemy==0.6.3
pep8==0.5.0
pylint==0.19
IPy==0.70
@@ -7,15 +8,17 @@ amqplib==0.6.1
anyjson==0.2.4
boto==2.0b1
carrot==0.10.5
-eventlet==0.9.10
+eventlet==0.9.12
lockfile==0.8
python-daemon==1.5.5
python-gflags==1.3
redis==2.0.0
routes==1.12.3
tornado==1.0
-webob==0.9.8
+WebOb==0.9.8
wsgiref==0.1.2
zope.interface==3.6.1
mox==0.5.0
-f http://pymox.googlecode.com/files/mox-0.5.0.tar.gz
+greenlet==0.3.1
+nose
diff --git a/tools/setup_iptables.sh b/tools/setup_iptables.sh
new file mode 100755
index 000000000..673353eb4
--- /dev/null
+++ b/tools/setup_iptables.sh
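Review bot: The hand-installed `greenlet` in the first install_venv.py hunk is unpinned, while the pip-requires hunk in the same commit pins `greenlet==0.3.1`, so this pip call resolves whatever version the index serves at install time and the following `-r` install then has to reconcile it; pinning the ad-hoc install, `run_command(['tools/with_venv.sh', 'pip', 'install', '-E', venv, 'greenlet==0.3.1'],`, keeps the two sources of truth consistent and the build reproducible. The added comment also has a typo: `get it in stalled` should read `get it installed`. install_dependencies continues past the end of the hunk.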
@@ -0,0 +1,158 @@
+#!/usr/bin/env bash
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# NOTE(vish): This script sets up some reasonable defaults for iptables and
+# creates nova-specific chains. If you use this script you should
+# run nova-network and nova-compute with --use_nova_chains=True
+
+# NOTE(vish): If you run nova-api on a different port, make sure to change
+# the port here
+API_PORT=${API_PORT:-"8773"}
+if [ -n "$1" ]; then
+ CMD=$1
+else
+ CMD="all"
+fi
+
+if [ -n "$2" ]; then
+ IP=$2
+else
+ # NOTE(vish): This will just get the first ip in the list, so if you
+ # have more than one eth device set up, this will fail, and
+ # you should explicitly pass in the ip of the instance
+ IP=`ifconfig | grep -m 1 'inet addr:'| cut -d: -f2 | awk '{print $1}'`
+fi
+
+if [ -n "$3" ]; then
+ PRIVATE_RANGE=$3
+else
+ PRIVATE_RANGE="10.0.0.0/12"
+fi
+
+
+if [ -n "$4" ]; then
+ # NOTE(vish): Management IP is the ip over which to allow ssh traffic. It
+ # will also allow traffic to nova-api
+ MGMT_IP=$4
+else
+ MGMT_IP="$IP"
+fi
+if [ "$CMD" == "clear" ]; then
+ iptables -P INPUT ACCEPT
+ iptables -P FORWARD ACCEPT
+ iptables -P OUTPUT ACCEPT
+ iptables -F
+ iptables -t nat -F
+ iptables -F nova_input
+ iptables -F nova_output
+ iptables -F nova_forward
+ iptables -t nat -F nova_input
+ iptables -t nat -F nova_output
+ iptables -t nat -F nova_forward
+ iptables -t nat -X
+ iptables -X
+fi
+
+if [ "$CMD" == "base" ] || [ "$CMD" == "all" ]; then
+ iptables -P INPUT DROP
+ iptables -A INPUT -m state --state INVALID -j DROP
+ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -m tcp -p tcp -d $MGMT_IP --dport 22 -j ACCEPT
+ iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT
+ iptables -N nova_input
+ iptables -A INPUT -j nova_input
+ iptables -A INPUT -p icmp -j ACCEPT
+ iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+ iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
+
+ iptables -P FORWARD DROP
+ iptables -A FORWARD -m state --state INVALID -j DROP
+ iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ iptables -N nova_forward
+ iptables -A FORWARD -j nova_forward
+
+ # NOTE(vish): DROP on output is too restrictive for now. We need to add
+ # in a bunch of more specific output rules to use it.
+ # iptables -P OUTPUT DROP
+ iptables -A OUTPUT -m state --state INVALID -j DROP
+ iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -N nova_output
+ iptables -A OUTPUT -j nova_output
+
+ iptables -t nat -N nova_prerouting
+ iptables -t nat -A PREROUTING -j nova_prerouting
+
+ iptables -t nat -N nova_postrouting
+ iptables -t nat -A POSTROUTING -j nova_postrouting
+
+ iptables -t nat -N nova_output
+ iptables -t nat -A OUTPUT -j nova_output
+fi
+
+if [ "$CMD" == "ganglia" ] || [ "$CMD" == "all" ]; then
+ iptables -A nova_input -m tcp -p tcp -d $IP --dport 8649 -j ACCEPT
+ iptables -A nova_input -m udp -p udp -d $IP --dport 8649 -j ACCEPT
+fi
+
+if [ "$CMD" == "web" ] || [ "$CMD" == "all" ]; then
+ # NOTE(vish): This opens up ports for web access, allowing web-based
+ # dashboards to work.
+ iptables -A nova_input -m tcp -p tcp -d $IP --dport 80 -j ACCEPT
+ iptables -A nova_input -m tcp -p tcp -d $IP --dport 443 -j ACCEPT
+fi
+
+if [ "$CMD" == "objectstore" ] || [ "$CMD" == "all" ]; then
+ iptables -A nova_input -m tcp -p tcp -d $IP --dport 3333 -j ACCEPT
+fi
+
+if [ "$CMD" == "api" ] || [ "$CMD" == "all" ]; then
+ iptables -A nova_input -m tcp -p tcp -d $IP --dport $API_PORT -j ACCEPT
+ if [ "$IP" != "$MGMT_IP" ]; then
+ iptables -A nova_input -m tcp -p tcp -d $MGMT_IP --dport $API_PORT -j ACCEPT
+ fi
+fi
+
+if [ "$CMD" == "redis" ] || [ "$CMD" == "all" ]; then
+ iptables -A nova_input -m tcp -p tcp -d $IP --dport 6379 -j ACCEPT
+fi
+
+if [ "$CMD" == "mysql" ] || [ "$CMD" == "all" ]; then
+ iptables -A nova_input -m tcp -p tcp -d $IP --dport 3306 -j ACCEPT
+fi
+
+if [ "$CMD" == "rabbitmq" ] || [ "$CMD" == "all" ]; then
+ iptables -A nova_input -m tcp -p tcp -d $IP --dport 4369 -j ACCEPT
+ iptables -A nova_input -m tcp -p tcp -d $IP --dport 5672 -j ACCEPT
+ iptables -A nova_input -m tcp -p tcp -d $IP --dport 53284 -j ACCEPT
+fi
+
+if [ "$CMD" == "dnsmasq" ] || [ "$CMD" == "all" ]; then
+ # NOTE(vish): this could theoretically be setup per network
+ # for each host, but it seems like overkill
+ iptables -A nova_input -m tcp -p tcp -s $PRIVATE_RANGE --dport 53 -j ACCEPT
+ iptables -A nova_input -m udp -p udp -s $PRIVATE_RANGE --dport 53 -j ACCEPT
+ iptables -A nova_input -m udp -p udp --dport 67 -j ACCEPT
+fi
+
+if [ "$CMD" == "ldap" ] || [ "$CMD" == "all" ]; then
+ iptables -A nova_input -m tcp -p tcp -d $IP --dport 389 -j ACCEPT
+fi
+
+
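Review bot: In the `base` block the INPUT policy is set to DROP before the ssh ACCEPT rule is appended with an unquoted `-d $MGMT_IP`; when the `ifconfig` fallback yields an empty IP, MGMT_IP is empty as well, that iptables invocation is malformed and adds no rule, and the script continues with a DROP policy and no ssh exception, which locks a remote operator out of the host. A guard after the argument parsing, `[ -n "$IP" ] || { echo "could not determine IP; pass it as the second argument" >&2; exit 1; }`, together with double-quoting the `$IP`, `$MGMT_IP` and `$PRIVATE_RANGE` expansions, removes that failure mode; appending the ACCEPT rules before switching the policy to DROP would make the ordering safe as well. Separately, the redis, mysql, rabbitmq and ldap rules accept from any source to `$IP`, so those backend services are reachable from outside the private range; restricting them with `-s $PRIVATE_RANGE`, as the dnsmasq rules already do, or with the management address would match the intent stated in the script's header comment.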
