From ba73128770b49998a26652ff9446e927a8e8e13d Mon Sep 17 00:00:00 2001 From: Nachi Ueno Date: Tue, 18 Jan 2011 20:04:16 +0900 Subject: Fixed apply_instance_filter is not implemented in NWFilterFirewall --- nova/virt/libvirt_conn.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'nova/virt') diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index f38af5ed8..afe2284e7 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -98,7 +98,7 @@ flags.DEFINE_string('ajaxterm_portrange', '10000-12000', 'Range of ports that ajaxterm should randomly try to bind') flags.DEFINE_string('firewall_driver', - 'nova.virt.libvirt_conn.IptablesFirewallDriver', + None, 'Firewall driver (defaults to iptables)') @@ -936,6 +936,10 @@ class NWFilterFirewall(FirewallDriver): self.static_filters_configured = False self.handle_security_groups = False + def apply_instance_filter(self, instance): + """No-op. Everything is done in prepare_instance_filter""" + pass + def _get_connection(self): return self._libvirt_get_connection() _conn = property(_get_connection) -- cgit From 4190d539315c50c50edcb8f7866274fe3d95d9a1 Mon Sep 17 00:00:00 2001 From: Nachi Ueno Date: Wed, 19 Jan 2011 11:13:33 +0900 Subject: get_my_linklocal raises exception --- nova/virt/libvirt.xml.template | 6 ++++-- nova/virt/libvirt_conn.py | 26 ++++++++++++++++---------- 2 files changed, 20 insertions(+), 12 deletions(-) (limited to 'nova/virt') diff --git a/nova/virt/libvirt.xml.template b/nova/virt/libvirt.xml.template index de06a1eb0..3ec82e403 100644 --- a/nova/virt/libvirt.xml.template +++ b/nova/virt/libvirt.xml.template @@ -75,10 +75,12 @@ - - + #if $getVar('extra_params', False) ${extra_params} +#end if +#if $getVar('ra_server', False) + #end if diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index afe2284e7..4036d4f07 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -658,8 +658,7 @@ class LibvirtConnection(object): # Assume that the gateway also acts as the dhcp server. dhcp_server = network['gateway'] ra_server = network['ra_server'] - if not ra_server: - ra_server = 'fd00::' + if FLAGS.allow_project_net_traffic: if FLAGS.use_ipv6: net, mask = _get_net_and_mask(network['cidr']) @@ -698,11 +697,13 @@ class LibvirtConnection(object): 'mac_address': instance['mac_address'], 'ip_address': ip_address, 'dhcp_server': dhcp_server, - 'ra_server': ra_server, 'extra_params': extra_params, 'rescue': rescue, 'local': instance_type['local_gb'], 'driver_type': driver_type} + + if ra_server: + xml_info['ra_server'] = ra_server + "/128" if not rescue: if instance['kernel_id']: xml_info['kernel'] = xml_info['basepath'] + "/kernel" @@ -884,6 +885,11 @@ class FirewallDriver(object): the security group.""" raise NotImplementedError() + def _ra_server_for_instance(self, instance): + network = db.project_get_network(context.get_admin_context(), + instance['project_id']) + return network['ra_server'] + class NWFilterFirewall(FirewallDriver): """ @@ -1098,7 +1104,9 @@ class NWFilterFirewall(FirewallDriver): 'nova-base-ipv6', 'nova-allow-dhcp-server'] if FLAGS.use_ipv6: - instance_secgroup_filter_children += ['nova-allow-ra-server'] + ra_server = self._ra_server_for_instance(instance) + if ra_server: + instance_secgroup_filter_children += ['nova-allow-ra-server'] ctxt = context.get_admin_context() @@ -1275,8 +1283,9 @@ class IptablesFirewallDriver(FirewallDriver): elif(ip_version == 6): # Allow RA responses ra_server = self._ra_server_for_instance(instance) - our_rules += ['-A %s -s %s -p icmpv6' % - (chain_name, ra_server)] + if ra_server: + our_rules += ['-A %s -s %s -p icmpv6' % + (chain_name, ra_server + "/128")] # If nothing matches, jump to the fallback chain our_rules += ['-A %s -j nova-fallback' % (chain_name,)] @@ -1367,7 +1376,4 @@ class IptablesFirewallDriver(FirewallDriver): instance['project_id']) return network['gateway'] - def _ra_server_for_instance(self, instance): - network = db.project_get_network(context.get_admin_context(), - instance['project_id']) - return network['ra_server'] + -- cgit From 30ec3b18dbb24fe1a1cfa0e733c373edee49ca84 Mon Sep 17 00:00:00 2001 From: Nachi Ueno Date: Wed, 19 Jan 2011 12:45:07 +0900 Subject: Revert Firewalldriver --- nova/virt/libvirt_conn.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nova/virt') diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 4036d4f07..55c193e20 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -98,7 +98,7 @@ flags.DEFINE_string('ajaxterm_portrange', '10000-12000', 'Range of ports that ajaxterm should randomly try to bind') flags.DEFINE_string('firewall_driver', - None, + 'nova.virt.libvirt_conn.IptablesFirewallDriver', 'Firewall driver (defaults to iptables)') -- cgit From a9bf56c7e4613c83646c109ce9e6452e0cd25d2d Mon Sep 17 00:00:00 2001 From: Hisaharu Ishii Date: Fri, 21 Jan 2011 20:30:29 +0900 Subject: Fixed for pep8 --- nova/virt/libvirt_conn.py | 2 -- 1 file changed, 2 deletions(-) (limited to 'nova/virt') diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 8ad83731f..73291f7f5 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -1380,5 +1380,3 @@ class IptablesFirewallDriver(FirewallDriver): network = db.project_get_network(context.get_admin_context(), instance['project_id']) return network['gateway'] - - -- cgit From 303803ca29b7676d544e4c1988eb467bc8d2e0b9 Mon Sep 17 00:00:00 2001 From: Jordan Rinke Date: Mon, 24 Jan 2011 14:24:22 -0800 Subject: Added static cpu limit of 100000 (100%) to hyperv.py instead of using the vcpu value of 1 --- nova/virt/hyperv.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nova/virt') diff --git a/nova/virt/hyperv.py b/nova/virt/hyperv.py index 30dc1c79b..190c1a880 100644 --- a/nova/virt/hyperv.py +++ b/nova/virt/hyperv.py @@ -191,7 +191,7 @@ class HyperVConnection(object): vcpus = long(instance['vcpus']) procsetting.VirtualQuantity = vcpus procsetting.Reservation = vcpus - procsetting.Limit = vcpus + procsetting.Limit = 100000 # static assignment to 100% since no limit/weight variable exists now. (job, ret_val) = vs_man_svc.ModifyVirtualSystemResources( vm.path_(), [procsetting.GetText_(1)]) -- cgit From 0fd1fa81e86c708020e8f3940da38cfc768557fb Mon Sep 17 00:00:00 2001 From: Jordan Rinke Date: Tue, 25 Jan 2011 09:18:55 -0800 Subject: Fixed spacing issue for pep8 --- nova/virt/hyperv.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nova/virt') diff --git a/nova/virt/hyperv.py b/nova/virt/hyperv.py index 190c1a880..4fed299d4 100644 --- a/nova/virt/hyperv.py +++ b/nova/virt/hyperv.py @@ -191,7 +191,7 @@ class HyperVConnection(object): vcpus = long(instance['vcpus']) procsetting.VirtualQuantity = vcpus procsetting.Reservation = vcpus - procsetting.Limit = 100000 # static assignment to 100% since no limit/weight variable exists now. + procsetting.Limit = 100000 # static assignment to 100% since no limit/weight variable exists now. (job, ret_val) = vs_man_svc.ModifyVirtualSystemResources( vm.path_(), [procsetting.GetText_(1)]) -- cgit From 0fb22b90295c0137dbe4535643ac741d249356f7 Mon Sep 17 00:00:00 2001 From: Jordan Rinke Date: Tue, 25 Jan 2011 09:21:31 -0800 Subject: Properly fixed spacing issue for pep8 --- nova/virt/hyperv.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nova/virt') diff --git a/nova/virt/hyperv.py b/nova/virt/hyperv.py index 4fed299d4..0fc7578d3 100644 --- a/nova/virt/hyperv.py +++ b/nova/virt/hyperv.py @@ -191,7 +191,7 @@ class HyperVConnection(object): vcpus = long(instance['vcpus']) procsetting.VirtualQuantity = vcpus procsetting.Reservation = vcpus - procsetting.Limit = 100000 # static assignment to 100% since no limit/weight variable exists now. + procsetting.Limit = 100000 #static assignment to 100% since no limit/weight variable exists now. (job, ret_val) = vs_man_svc.ModifyVirtualSystemResources( vm.path_(), [procsetting.GetText_(1)]) -- cgit From 5fdf1132f3418c1f6ecaa5593835536db9895085 Mon Sep 17 00:00:00 2001 From: Todd Willey Date: Tue, 25 Jan 2011 15:56:55 -0800 Subject: Change how libvirt firewall drivers work to have meaningful flags. --- nova/virt/libvirt_conn.py | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) (limited to 'nova/virt') diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 548d82ba9..bf2714c25 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -149,13 +149,8 @@ class LibvirtConnection(object): self._wrapped_conn = None self.read_only = read_only - self.nwfilter = NWFilterFirewall(self._get_connection) - - if not FLAGS.firewall_driver: - self.firewall_driver = self.nwfilter - self.nwfilter.handle_security_groups = True - else: - self.firewall_driver = utils.import_object(FLAGS.firewall_driver) + fw_class = utils.import_class(FLAGS.firewall_driver) + self.firewall_driver = fw_class(get_connection=self._get_connection) def init_host(self): pass @@ -386,7 +381,7 @@ class LibvirtConnection(object): instance['id'], power_state.NOSTATE, 'launching') - self.nwfilter.setup_basic_filtering(instance) + self.firewall_driver.setup_basic_filtering(instance) self.firewall_driver.prepare_instance_filter(instance) self._create_image(instance, xml) self._conn.createXML(xml, 0) @@ -882,6 +877,15 @@ class FirewallDriver(object): the security group.""" raise NotImplementedError() + def setup_basic_filtering(self, instance): + """Create rules to block spoofing and allow dhcp. + + This gets called when spawning an instance, before + :method:`prepare_instance_filter`. + + """ + raise NotImplementedError() + class NWFilterFirewall(FirewallDriver): """ @@ -929,7 +933,7 @@ class NWFilterFirewall(FirewallDriver): """ - def __init__(self, get_connection): + def __init__(self, get_connection, **kwargs): self._libvirt_get_connection = get_connection self.static_filters_configured = False self.handle_security_groups = False @@ -1170,9 +1174,14 @@ class NWFilterFirewall(FirewallDriver): class IptablesFirewallDriver(FirewallDriver): - def __init__(self, execute=None): + def __init__(self, execute=None, **kwargs): self.execute = execute or utils.execute self.instances = {} + self.nwfilter = NWFilterFirewall(kwargs['get_connection']) + + def setup_basic_filtering(self, instance): + """Use NWFilter from libvirt for this.""" + return self.nwfilter.setup_basic_filtering(instance) def apply_instance_filter(self, instance): """No-op. Everything is done in prepare_instance_filter""" -- cgit From 2d97fa1fc2d2e98188e0ebab4e67d3d74ab7b146 Mon Sep 17 00:00:00 2001 From: Hisaharu Ishii Date: Wed, 26 Jan 2011 19:44:13 +0900 Subject: Fix merge miss --- nova/virt/libvirt_conn.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'nova/virt') diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 0a0bbfb59..3562fbd6b 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -1310,8 +1310,8 @@ class IptablesFirewallDriver(FirewallDriver): # Allow RA responses ra_server = self._ra_server_for_instance(instance) if ra_server: - our_rules += ['-A %s -s %s -p icmpv6' % - (chain_name, ra_server + "/128")] + our_rules += ['-A %s -s %s -p icmpv6 -j ACCEPT' % + (chain_name, ra_server + "/128")] #Allow project network traffic if (FLAGS.allow_project_net_traffic): cidrv6 = self._project_cidrv6_for_instance(instance) -- cgit From ae0f6c611d0d195da243e4a8f7dfe5fcb79978ac Mon Sep 17 00:00:00 2001 From: Thierry Carrez Date: Thu, 27 Jan 2011 16:39:51 +0100 Subject: Naive, low-regression-risk fix enabling Glance to work with libvirt/hyperv --- nova/virt/images.py | 3 +++ 1 file changed, 3 insertions(+) (limited to 'nova/virt') diff --git a/nova/virt/images.py b/nova/virt/images.py index 9c987e14d..7a6fef330 100644 --- a/nova/virt/images.py +++ b/nova/virt/images.py @@ -111,5 +111,8 @@ def _image_path(path): def image_url(image): + if FLAGS.image_service == "nova.image.glance.GlanceImageService": + return "http://%s:%s/images/%s" % (FLAGS.glance_host, + FLAGS.glance_port, image) return "http://%s:%s/_images/%s/image" % (FLAGS.s3_host, FLAGS.s3_port, image) -- cgit From 3b59176df0ea63715e2f8af73258af87bb06ee97 Mon Sep 17 00:00:00 2001 From: Jordan Rinke Date: Thu, 27 Jan 2011 08:48:22 -0800 Subject: Shortened comment for 80char limt. --- nova/virt/hyperv.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nova/virt') diff --git a/nova/virt/hyperv.py b/nova/virt/hyperv.py index 0fc7578d3..d2383d72c 100644 --- a/nova/virt/hyperv.py +++ b/nova/virt/hyperv.py @@ -191,7 +191,7 @@ class HyperVConnection(object): vcpus = long(instance['vcpus']) procsetting.VirtualQuantity = vcpus procsetting.Reservation = vcpus - procsetting.Limit = 100000 #static assignment to 100% since no limit/weight variable exists now. + procsetting.Limit = 100000 #static assignment to 100% (job, ret_val) = vs_man_svc.ModifyVirtualSystemResources( vm.path_(), [procsetting.GetText_(1)]) -- cgit From 498171d2212f51185e9479da1222f0753acab779 Mon Sep 17 00:00:00 2001 From: Jordan Rinke Date: Thu, 27 Jan 2011 09:43:25 -0800 Subject: Fixed spacing... AGAIN --- nova/virt/hyperv.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nova/virt') diff --git a/nova/virt/hyperv.py b/nova/virt/hyperv.py index d2383d72c..a745c619e 100644 --- a/nova/virt/hyperv.py +++ b/nova/virt/hyperv.py @@ -191,7 +191,7 @@ class HyperVConnection(object): vcpus = long(instance['vcpus']) procsetting.VirtualQuantity = vcpus procsetting.Reservation = vcpus - procsetting.Limit = 100000 #static assignment to 100% + procsetting.Limit = 100000 # static assignment to 100% (job, ret_val) = vs_man_svc.ModifyVirtualSystemResources( vm.path_(), [procsetting.GetText_(1)]) -- cgit From 9c35a9a32dc58cb56685292a7ba056f95e715474 Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Thu, 27 Jan 2011 10:48:00 -0800 Subject: Fixes NotFound messages in api to show the ec2_id. Added InstanceNotFound and VolumeNotFound errors to store internal id. Removed redundant method instance_get_by_id. Caught exceptions in api layer and fixed messages to use ec2_id. --- nova/virt/xenapi/vmops.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nova/virt') diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py index 628a171fa..e84ce20c4 100644 --- a/nova/virt/xenapi/vmops.py +++ b/nova/virt/xenapi/vmops.py @@ -149,7 +149,7 @@ class VMOps(object): if isinstance(instance_or_vm, (int, long)): ctx = context.get_admin_context() try: - instance_obj = db.instance_get_by_id(ctx, instance_or_vm) + instance_obj = db.instance_get(ctx, instance_or_vm) instance_name = instance_obj.name except exception.NotFound: # The unit tests screw this up, as they use an integer for -- cgit From a495294ccc40a868b79144085da38196759f699c Mon Sep 17 00:00:00 2001 From: Ed Leafe Date: Thu, 27 Jan 2011 13:52:10 -0600 Subject: Fixed formatting issues in current codebase. --- nova/virt/xenapi/vm_utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nova/virt') diff --git a/nova/virt/xenapi/vm_utils.py b/nova/virt/xenapi/vm_utils.py index 4afd28dd8..4bbd522c1 100644 --- a/nova/virt/xenapi/vm_utils.py +++ b/nova/virt/xenapi/vm_utils.py @@ -640,7 +640,7 @@ def with_vdi_attached_here(session, vdi, read_only, f): session.get_xenapi().VBD.plug(vbd) LOG.debug(_('Plugging VBD %s done.'), vbd) orig_dev = session.get_xenapi().VBD.get_device(vbd) - LOG.debug(_('VBD %s plugged as %s'), vbd, orig_dev) + LOG.debug(_('VBD %(vbd)s plugged as %(orig_dev)s') % locals()) dev = remap_vbd_dev(orig_dev) if dev != orig_dev: LOG.debug(_('VBD %(vbd)s plugged into wrong dev, ' -- cgit