-rw-r--r--nova/virt/libvirt/connection.py22
-rw-r--r--nova/virt/libvirt/firewall.py64
-rw-r--r--nova/virt/libvirt/netutils.py67
3 files changed, 33 insertions, 120 deletions
diff --git a/nova/virt/libvirt/connection.py b/nova/virt/libvirt/connection.py
index 6d043577a..bc317d660 100644
--- a/nova/virt/libvirt/connection.py
+++ b/nova/virt/libvirt/connection.py
@@ -471,10 +471,10 @@ class LibvirtConnection(driver.ComputeDriver):
# in the guest OS. But, in case of KVM, shutdown() does not work...
self.destroy(instance, network_info, cleanup=False)
self.plug_vifs(instance, network_info)
- self.firewall_driver.setup_basic_filtering(instance)
- self.firewall_driver.prepare_instance_filter(instance)
+ self.firewall_driver.setup_basic_filtering(instance, network_info)
+ self.firewall_driver.prepare_instance_filter(instance, network_info)
self._create_new_domain(xml)
- self.firewall_driver.apply_instance_filter(instance)
+ self.firewall_driver.apply_instance_filter(instance, network_info)
def _wait_for_reboot():
"""Called at an interval until the VM is running again."""
@@ -531,7 +531,7 @@ class LibvirtConnection(driver.ComputeDriver):
"""
self.destroy(instance, network_info, cleanup=False)
- xml = self.to_xml(instance, rescue=True)
+ xml = self.to_xml(instance, network_info, rescue=True)
rescue_images = {'image_id': FLAGS.rescue_image_id,
'kernel_id': FLAGS.rescue_kernel_id,
'ramdisk_id': FLAGS.rescue_ramdisk_id}
@@ -574,9 +574,9 @@ class LibvirtConnection(driver.ComputeDriver):
# NOTE(ilyaalekseyev): Implementation like in multinics
# for xenapi(tr3buchet)
@exception.wrap_exception()
- def spawn(self, context, instance,
- network_info=None, block_device_info=None):
- xml = self.to_xml(instance, False, network_info=network_info,
+ def spawn(self, context, instance, network_info,
+ block_device_info=None):
+ xml = self.to_xml(instance, network_info, False,
block_device_info=block_device_info)
self.firewall_driver.setup_basic_filtering(instance, network_info)
self.firewall_driver.prepare_instance_filter(instance, network_info)
@@ -584,7 +584,7 @@ class LibvirtConnection(driver.ComputeDriver):
block_device_info=block_device_info)
domain = self._create_new_domain(xml)
LOG.debug(_("instance %s: is running"), instance['name'])
- self.firewall_driver.apply_instance_filter(instance)
+ self.firewall_driver.apply_instance_filter(instance, network_info)
def _wait_for_boot():
"""Called at an interval until the VM is running."""
@@ -992,10 +992,6 @@ class LibvirtConnection(driver.ComputeDriver):
block_device_info=None):
block_device_mapping = driver.block_device_info_get_mapping(
block_device_info)
- # TODO(adiantum) remove network_info creation code
- # when multinics will be completed
- if not network_info:
- network_info = netutils.get_network_info(instance)
nics = []
for (network, mapping) in network_info:
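Review bot: With the fallback removed, a caller that still omits network_info reaches `for (network, mapping) in network_info:` with None and fails with a TypeError inside the loop instead of at the call boundary. The function's signature line is above this hunk, so I cannot see whether `network_info=None` is still the default there; if it is, it should become a required positional parameter as this commit already does for to_xml on L70, or the function should fail early with `if network_info is None: raise ValueError('network_info is required')` before the nic loop. The enclosing method starts and ends outside the hunk.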
@@ -1082,7 +1078,7 @@ class LibvirtConnection(driver.ComputeDriver):
xml_info['disk'] = xml_info['basepath'] + "/disk"
return xml_info
- def to_xml(self, instance, rescue=False, network_info=None,
+ def to_xml(self, instance, network_info, rescue=False,
block_device_info=None):
# TODO(termie): cache?
LOG.debug(_('instance %s: starting toXML method'), instance['name'])
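Review bot: Moving network_info ahead of rescue changes the positional meaning of to_xml's second argument, so a caller that still passes rescue positionally (`to_xml(instance, True)`) now binds True to network_info and only fails later when the nic loop tries to unpack it. The callers in this file are updated in this commit (L31, L44); callers in other modules and tests are not visible here, so I can only flag the risk. A docstring on to_xml stating that network_info is the list of `(network, mapping)` pairs the driver builds NICs and filters from would make the new contract visible at the definition. The body of to_xml continues outside the hunk.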
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index 9ce57b6c9..fa29b99c3 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -40,17 +40,17 @@ except ImportError:
class FirewallDriver(object):
- def prepare_instance_filter(self, instance, network_info=None):
+ def prepare_instance_filter(self, instance, network_info):
"""Prepare filters for the instance.
At this point, the instance isn't running yet."""
raise NotImplementedError()
- def unfilter_instance(self, instance, network_info=None):
+ def unfilter_instance(self, instance, network_info):
"""Stop filtering instance"""
raise NotImplementedError()
- def apply_instance_filter(self, instance):
+ def apply_instance_filter(self, instance, network_info):
"""Apply instance filter.
Once this method returns, the instance should be firewalled
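Review bot: The base-class docstrings still do not describe the network_info parameter that every method now requires, even though this commit makes it the sole source of the addresses the spoofing rules are built from (the DB lookup in netutils is deleted). Since setup_basic_filtering is documented as creating rules to block spoofing (L107) and the nwfilter implementation derives MAC/IP/ARP protection from it (L121), the docstrings should say what the driver expects and who it trusts, e.g. on setup_basic_filtering: `network_info: list of (network, mapping) pairs from the network service; the spoofing rules are derived from it, so it must not come from the instance or an API client.` The same note applies to the hunks at L102-L108 and L109-L115; apply_instance_filter's docstring continues past the end of this hunk.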
@@ -60,9 +60,7 @@ class FirewallDriver(object):
"""
raise NotImplementedError()
- def refresh_security_group_rules(self,
- security_group_id,
- network_info=None):
+ def refresh_security_group_rules(self, security_group_id):
"""Refresh security group rules from data store
Gets called when a rule has been added to or removed from
@@ -85,7 +83,7 @@ class FirewallDriver(object):
"""
raise NotImplementedError()
- def setup_basic_filtering(self, instance, network_info=None):
+ def setup_basic_filtering(self, instance, network_info):
"""Create rules to block spoofing and allow dhcp.
This gets called when spawning an instance, before
@@ -150,7 +148,7 @@ class NWFilterFirewall(FirewallDriver):
self.static_filters_configured = False
self.handle_security_groups = False
- def apply_instance_filter(self, instance):
+ def apply_instance_filter(self, instance, network_info):
"""No-op. Everything is done in prepare_instance_filter"""
pass
@@ -189,13 +187,10 @@ class NWFilterFirewall(FirewallDriver):
</rule>
</filter>'''
- def setup_basic_filtering(self, instance, network_info=None):
+ def setup_basic_filtering(self, instance, network_info):
"""Set up basic filtering (MAC, IP, and ARP spoofing protection)"""
logging.info('called setup_basic_filtering in nwfilter')
- if not network_info:
- network_info = netutils.get_network_info(instance)
-
if self.handle_security_groups:
# No point in setting up a filter set that we'll be overriding
# anyway.
@@ -300,10 +295,8 @@ class NWFilterFirewall(FirewallDriver):
# execute in a native thread and block current greenthread until done
tpool.execute(self._conn.nwfilterDefineXML, xml)
- def unfilter_instance(self, instance, network_info=None):
+ def unfilter_instance(self, instance, network_info):
"""Clear out the nwfilter rules."""
- if not network_info:
- network_info = netutils.get_network_info(instance)
instance_name = instance.name
for (network, mapping) in network_info:
nic_id = mapping['mac'].replace(':', '')
@@ -326,16 +319,13 @@ class NWFilterFirewall(FirewallDriver):
LOG.debug(_('The nwfilter(%(instance_secgroup_filter_name)s) '
'for %(instance_name)s is not found.') % locals())
- def prepare_instance_filter(self, instance, network_info=None):
+ def prepare_instance_filter(self, instance, network_info):
"""Creates an NWFilter for the given instance.
In the process, it makes sure the filters for the provider blocks,
security groups, and base filter are all in place.
"""
- if not network_info:
- network_info = netutils.get_network_info(instance)
-
self.refresh_provider_fw_rules()
ctxt = context.get_admin_context()
@@ -500,9 +490,8 @@ class NWFilterFirewall(FirewallDriver):
return 'nova-instance-%s' % (instance['name'])
return 'nova-instance-%s-%s' % (instance['name'], nic_id)
- def instance_filter_exists(self, instance):
+ def instance_filter_exists(self, instance, network_info):
"""Check nova-instance-instance-xxx exists"""
- network_info = netutils.get_network_info(instance)
for (network, mapping) in network_info:
nic_id = mapping['mac'].replace(':', '')
instance_filter_name = self._instance_filter_name(instance, nic_id)
@@ -521,6 +510,7 @@ class IptablesFirewallDriver(FirewallDriver):
from nova.network import linux_net
self.iptables = linux_net.iptables_manager
self.instances = {}
+ self.network_infos = {}
self.nwfilter = NWFilterFirewall(kwargs['get_connection'])
self.basicly_filtered = False
@@ -529,22 +519,22 @@ class IptablesFirewallDriver(FirewallDriver):
self.iptables.ipv6['filter'].add_chain('sg-fallback')
self.iptables.ipv6['filter'].add_rule('sg-fallback', '-j DROP')
- def setup_basic_filtering(self, instance, network_info=None):
+ def setup_basic_filtering(self, instance, network_info):
"""Set up provider rules and basic NWFilter."""
- if not network_info:
- network_info = netutils.get_network_info(instance)
self.nwfilter.setup_basic_filtering(instance, network_info)
if not self.basicly_filtered:
LOG.debug(_('iptables firewall: Setup Basic Filtering'))
self.refresh_provider_fw_rules()
self.basicly_filtered = True
- def apply_instance_filter(self, instance):
+ def apply_instance_filter(self, instance, network_info):
"""No-op. Everything is done in prepare_instance_filter"""
pass
- def unfilter_instance(self, instance, network_info=None):
+ def unfilter_instance(self, instance, network_info):
if self.instances.pop(instance['id'], None):
+ # NOTE(vish): use the passed info instead of the stored info
+ self.network_infos.pop(instance['id'])
self.remove_filters_for_instance(instance)
self.iptables.apply()
self.nwfilter.unfilter_instance(instance, network_info)
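Review bot: The new `# NOTE(vish): use the passed info instead of the stored info` comment sits above `self.network_infos.pop(instance['id'])`, which discards the stored copy, while the passed network_info is only consumed by the nwfilter call on the last line and `remove_filters_for_instance(instance)` takes no network_info at all, so the comment reads as describing the wrong line. I would reword it to `# NOTE(vish): drop the cached copy; the nwfilter teardown below uses the caller-supplied info`. Separately, `pop(instance['id'])` without a default raises KeyError if the two dicts ever get out of step, which would abort the teardown before `self.iptables.apply()` runs and leave the instance's chains in place; both dicts are written together in prepare_instance_filter so this should not happen today, but `self.network_infos.pop(instance['id'], None)` keeps the unfilter path from depending on it. The method continues outside the hunk.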
@@ -552,11 +542,10 @@ class IptablesFirewallDriver(FirewallDriver):
LOG.info(_('Attempted to unfilter instance %s which is not '
'filtered'), instance['id'])
- def prepare_instance_filter(self, instance, network_info=None):
- if not network_info:
- network_info = netutils.get_network_info(instance)
+ def prepare_instance_filter(self, instance, network_info):
self.instances[instance['id']] = instance
- self.add_filters_for_instance(instance, network_info)
+ self.network_infos[instance['id']] = network_info
+ self.add_filters_for_instance(instance)
self.iptables.apply()
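Review bot: Caching network_info in `self.network_infos[instance['id']]` means every later rebuild via do_refresh_security_group_rules (L239) reinstalls rules from the snapshot taken at prepare time, so if an instance's addresses change after spawn the iptables rules stay keyed to the old addresses until prepare_instance_filter is called again; whether another path refreshes the cache is not visible here. This is a behaviour change worth stating on the method, e.g. `"""Register the instance and its network_info; the stored info is reused by every subsequent security-group refresh, so callers must re-prepare after an address change."""`. A docstring is also missing on the hunk at L209-L217, which reads the same cache.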
def _create_filter(self, ips, chain_name):
@@ -583,7 +572,8 @@ class IptablesFirewallDriver(FirewallDriver):
for rule in ipv6_rules:
self.iptables.ipv6['filter'].add_rule(chain_name, rule)
- def add_filters_for_instance(self, instance, network_info=None):
+ def add_filters_for_instance(self, instance):
+ network_info = self.network_infos[instance['id']]
chain_name = self._instance_chain_name(instance)
if FLAGS.use_ipv6:
self.iptables.ipv6['filter'].add_chain(chain_name)
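Review bot: `network_info = self.network_infos[instance['id']]` raises KeyError for any instance that has not gone through prepare_instance_filter, and the public network_info parameter was dropped from the signature so callers can no longer supply it directly. The two callers visible in this diff (L206 and L239) only reach it via self.instances, which is populated in the same place as self.network_infos, so the precondition holds in this file but is implicit; a docstring should state it: `"""Install the iptables chain and rules for an instance already registered by prepare_instance_filter."""`. The method body continues outside the hunk.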
@@ -601,9 +591,7 @@ class IptablesFirewallDriver(FirewallDriver):
if FLAGS.use_ipv6:
self.iptables.ipv6['filter'].remove_chain(chain_name)
- def instance_rules(self, instance, network_info=None):
- if not network_info:
- network_info = netutils.get_network_info(instance)
+ def instance_rules(self, instance, network_info):
ctxt = context.get_admin_context()
ipv4_rules = []
@@ -726,14 +714,10 @@ class IptablesFirewallDriver(FirewallDriver):
self.iptables.apply()
@utils.synchronized('iptables', external=True)
- def do_refresh_security_group_rules(self,
- security_group,
- network_info=None):
+ def do_refresh_security_group_rules(self, security_group):
for instance in self.instances.values():
self.remove_filters_for_instance(instance)
- if not network_info:
- network_info = netutils.get_network_info(instance)
- self.add_filters_for_instance(instance, network_info)
+ self.add_filters_for_instance(instance)
def refresh_provider_fw_rules(self):
"""See class:FirewallDriver: docs."""
diff --git a/nova/virt/libvirt/netutils.py b/nova/virt/libvirt/netutils.py
index a8e88fc07..6f303072d 100644
--- a/nova/virt/libvirt/netutils.py
+++ b/nova/virt/libvirt/netutils.py
@@ -23,12 +23,7 @@
import netaddr
-from nova import context
-from nova import db
-from nova import exception
from nova import flags
-from nova import ipv6
-from nova import utils
FLAGS = flags.FLAGS
@@ -47,65 +42,3 @@ def get_net_and_prefixlen(cidr):
def get_ip_version(cidr):
net = netaddr.IPNetwork(cidr)
return int(net.version)
-
-
-def get_network_info(instance):
- # TODO(tr3buchet): this function needs to go away! network info
- # MUST be passed down from compute
- # TODO(adiantum) If we will keep this function
- # we should cache network_info
- admin_context = context.get_admin_context()
-
- try:
- fixed_ips = db.fixed_ip_get_by_instance(admin_context, instance['id'])
- except exception.FixedIpNotFoundForInstance:
- fixed_ips = []
-
- vifs = db.virtual_interface_get_by_instance(admin_context, instance['id'])
- flavor = db.instance_type_get(admin_context,
- instance['instance_type_id'])
- network_info = []
-
- for vif in vifs:
- network = vif['network']
-
- # determine which of the instance's IPs belong to this network
- network_ips = [fixed_ip['address'] for fixed_ip in fixed_ips if
- fixed_ip['network_id'] == network['id']]
-
- def ip_dict(ip):
- return {
- 'ip': ip,
- 'netmask': network['netmask'],
- 'enabled': '1'}
-
- def ip6_dict():
- prefix = network['cidr_v6']
- mac = vif['address']
- project_id = instance['project_id']
- return {
- 'ip': ipv6.to_global(prefix, mac, project_id),
- 'netmask': network['netmask_v6'],
- 'enabled': '1'}
-
- mapping = {
- 'label': network['label'],
- 'gateway': network['gateway'],
- 'broadcast': network['broadcast'],
- 'dhcp_server': network['gateway'],
- 'mac': vif['address'],
- 'rxtx_cap': flavor['rxtx_cap'],
- 'dns': [],
- 'ips': [ip_dict(ip) for ip in network_ips]}
-
- if network['dns1']:
- mapping['dns'].append(network['dns1'])
- if network['dns2']:
- mapping['dns'].append(network['dns2'])
-
- if FLAGS.use_ipv6:
- mapping['ip6s'] = [ip6_dict()]
- mapping['gateway6'] = network['gateway_v6']
-
- network_info.append((network, mapping))
- return network_info