From e811667b1e08bdfd7647cc29f792441db2cfb752 Mon Sep 17 00:00:00 2001 From: Ilya Alekseyev Date: Tue, 25 Jan 2011 21:58:07 +0300 Subject: Added iptables rule to IptablesFirewallDriver like in Hisaharu Ishii patch with some workaround --- nova/virt/libvirt_conn.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'nova/virt') diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 259e19a69..cb8528e96 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -1270,11 +1270,20 @@ class IptablesFirewallDriver(FirewallDriver): dhcp_server = self._dhcp_server_for_instance(instance) our_rules += ['-A %s -s %s -p udp --sport 67 --dport 68' % (chain_name, dhcp_server)] + #Allow project network traffic + if (FLAGS.allow_project_net_traffic): + cidr = self._project_cidr_for_instance(instance) + our_rules += ['-A %s -s %s -j ACCEPT' % (chain_name, cidr)] elif(ip_version == 6): # Allow RA responses ra_server = self._ra_server_for_instance(instance) our_rules += ['-A %s -s %s -p icmpv6' % (chain_name, ra_server)] + #Allow project network traffic + if (FLAGS.allow_project_net_traffic): + cidrv6 = self._project_cidrv6_for_instance(instance) + our_rules += ['-A %s -s %s -j ACCEPT' % + (chain_name, cidrv6)] # If nothing matches, jump to the fallback chain our_rules += ['-A %s -j nova-fallback' % (chain_name,)] @@ -1369,3 +1378,13 @@ class IptablesFirewallDriver(FirewallDriver): network = db.network_get_by_instance(context.get_admin_context(), instance['id']) return network['ra_server'] + + def _project_cidr_for_instance(self, instance): + network = db.network_get_by_instance(context.get_admin_context(), + instance['id']) + return network['cidr'] + + def _project_cidrv6_for_instance(self, instance): + network = db.network_get_by_instance(context.get_admin_context(), + instance['id']) + return network['cidr_v6'] \ No newline at end of file -- cgit From 7d66725e5a1e5438453aedcec809f8a25fae08d8 Mon Sep 17 00:00:00 2001 From: Tushar Patil Date: Tue, 25 Jan 2011 11:10:26 -0800 Subject: Fix for LP Bug #707554 --- nova/virt/libvirt_conn.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'nova/virt') diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 259e19a69..d5db42543 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -1268,13 +1268,13 @@ class IptablesFirewallDriver(FirewallDriver): if(ip_version == 4): # Allow DHCP responses dhcp_server = self._dhcp_server_for_instance(instance) - our_rules += ['-A %s -s %s -p udp --sport 67 --dport 68' % - (chain_name, dhcp_server)] + our_rules += ['-A %s -s %s -p udp --sport 67 --dport 68 ' + '-j ACCEPT' % (chain_name, dhcp_server)] elif(ip_version == 6): # Allow RA responses ra_server = self._ra_server_for_instance(instance) - our_rules += ['-A %s -s %s -p icmpv6' % - (chain_name, ra_server)] + our_rules += ['-A %s -s %s -p icmpv6 ' + '-j ACCEPT' % (chain_name, ra_server)] # If nothing matches, jump to the fallback chain our_rules += ['-A %s -j nova-fallback' % (chain_name,)] -- cgit From f51526b596f3d89cda2ec4501e19baf085c534e0 Mon Sep 17 00:00:00 2001 From: Soren Hansen Date: Tue, 25 Jan 2011 20:49:29 +0100 Subject: Add a host argument to virt driver's init_host method. It will be set to the name of host it's running on. Make libvirt's init_host method go and look at what virtual machines are running when the compute worker starts up. This ensures firewalls are set up correctly for existing VM's. It also enables easier rolling upgrades. --- nova/virt/fake.py | 5 +++-- nova/virt/hyperv.py | 2 +- nova/virt/libvirt_conn.py | 27 +++++++++++++++++++++++++-- nova/virt/xenapi_conn.py | 2 +- 4 files changed, 30 insertions(+), 6 deletions(-) (limited to 'nova/virt') diff --git a/nova/virt/fake.py b/nova/virt/fake.py index f8b3c7807..161445b86 100644 --- a/nova/virt/fake.py +++ b/nova/virt/fake.py @@ -76,9 +76,10 @@ class FakeConnection(object): cls._instance = cls() return cls._instance - def init_host(self): + def init_host(self, host): """ - Initialize anything that is necessary for the driver to function + Initialize anything that is necessary for the driver to function, + including catching up with currently running VM's on the given host. """ return diff --git a/nova/virt/hyperv.py b/nova/virt/hyperv.py index 30dc1c79b..cb52e1ade 100644 --- a/nova/virt/hyperv.py +++ b/nova/virt/hyperv.py @@ -113,7 +113,7 @@ class HyperVConnection(object): self._conn = wmi.WMI(moniker='//./root/virtualization') self._cim_conn = wmi.WMI(moniker='//./root/cimv2') - def init_host(self): + def init_host(self, host): #FIXME(chiradeep): implement this LOG.debug(_('In init host')) pass diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index d8c1bf48a..5808d273a 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -157,8 +157,31 @@ class LibvirtConnection(object): else: self.firewall_driver = utils.import_object(FLAGS.firewall_driver) - def init_host(self): - pass + def init_host(self, host): + # Adopt existing VM's running here + ctxt = context.get_admin_context() + for instance in db.instance_get_all_by_host(ctxt, host): + try: + LOG.debug(_('Checking state of %s'), instance['name']) + state = self.get_info(instance['name'])['state'] + except exception.NotFound: + state = power_state.SHUTOFF + + LOG.debug(_('Current state of %(name)s was %(state)s.'), + {'name': instance['name'], 'state': state}) + db.instance_set_state(ctxt, instance['id'], state) + + if state == power_state.SHUTOFF: + # TODO(soren): This is what the compute manager does when you + # terminate # an instance. At some point I figure we'll have a + # "terminated" state and some sort of cleanup job that runs + # occasionally, cleaning them out. + db.instance_destroy(ctxt, instance['id']) + + if state != power_state.RUNNING: + continue + self.firewall_driver.prepare_instance_filter(instance) + self.firewall_driver.apply_instance_filter(instance) def _get_connection(self): if not self._wrapped_conn or not self._test_connection(): diff --git a/nova/virt/xenapi_conn.py b/nova/virt/xenapi_conn.py index 927f5905b..acf89f0c1 100644 --- a/nova/virt/xenapi_conn.py +++ b/nova/virt/xenapi_conn.py @@ -141,7 +141,7 @@ class XenAPIConnection(object): self._vmops = VMOps(session) self._volumeops = VolumeOps(session) - def init_host(self): + def init_host(self, host): #FIXME(armando): implement this #NOTE(armando): would we need a method #to call when shutting down the host? -- cgit From 588bf6717a11930435ad3b3aa1941cff8495e2b5 Mon Sep 17 00:00:00 2001 From: Soren Hansen Date: Tue, 25 Jan 2011 21:19:34 +0100 Subject: Fix pep-8 problem from prereq branch. --- nova/virt/libvirt_conn.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'nova/virt') diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index d5db42543..37eb02e4f 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -1269,12 +1269,12 @@ class IptablesFirewallDriver(FirewallDriver): # Allow DHCP responses dhcp_server = self._dhcp_server_for_instance(instance) our_rules += ['-A %s -s %s -p udp --sport 67 --dport 68 ' - '-j ACCEPT' % (chain_name, dhcp_server)] + '-j ACCEPT' % (chain_name, dhcp_server)] elif(ip_version == 6): # Allow RA responses ra_server = self._ra_server_for_instance(instance) our_rules += ['-A %s -s %s -p icmpv6 ' - '-j ACCEPT' % (chain_name, ra_server)] + '-j ACCEPT' % (chain_name, ra_server)] # If nothing matches, jump to the fallback chain our_rules += ['-A %s -j nova-fallback' % (chain_name,)] -- cgit From e44b28a0daa771c67fa8672f89f7d52ee1bfec22 Mon Sep 17 00:00:00 2001 From: Soren Hansen Date: Tue, 25 Jan 2011 21:20:42 +0100 Subject: Perform same filtering for OUTPUT as FORWARD in iptables. This removes a way around the filtering. --- nova/virt/libvirt_conn.py | 1 + 1 file changed, 1 insertion(+) (limited to 'nova/virt') diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 37eb02e4f..ac7fd8ef0 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -1228,6 +1228,7 @@ class IptablesFirewallDriver(FirewallDriver): our_chains += [':nova-local - [0:0]'] our_rules += ['-A FORWARD -j nova-local'] + our_rules += ['-A OUTPUT -j nova-local'] security_groups = {} # Add our chains -- cgit From 1b259ba6ac7401d99eff2ded3100c73f3048728e Mon Sep 17 00:00:00 2001 From: Tushar Patil Date: Tue, 25 Jan 2011 12:38:20 -0800 Subject: Fixed pep8 errors --- nova/virt/libvirt_conn.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'nova/virt') diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index d5db42543..548d82ba9 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -1269,12 +1269,12 @@ class IptablesFirewallDriver(FirewallDriver): # Allow DHCP responses dhcp_server = self._dhcp_server_for_instance(instance) our_rules += ['-A %s -s %s -p udp --sport 67 --dport 68 ' - '-j ACCEPT' % (chain_name, dhcp_server)] + '-j ACCEPT ' % (chain_name, dhcp_server)] elif(ip_version == 6): # Allow RA responses ra_server = self._ra_server_for_instance(instance) our_rules += ['-A %s -s %s -p icmpv6 ' - '-j ACCEPT' % (chain_name, ra_server)] + '-j ACCEPT' % (chain_name, ra_server)] # If nothing matches, jump to the fallback chain our_rules += ['-A %s -j nova-fallback' % (chain_name,)] -- cgit From 0d247586e708078e590913d1e36e4b2afa70d750 Mon Sep 17 00:00:00 2001 From: Ilya Alekseyev Date: Wed, 26 Jan 2011 01:02:34 +0300 Subject: Trunk merged --- nova/virt/libvirt_conn.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nova/virt') diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index ee4b6f563..e975db90f 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -1387,4 +1387,4 @@ class IptablesFirewallDriver(FirewallDriver): def _project_cidrv6_for_instance(self, instance): network = db.network_get_by_instance(context.get_admin_context(), instance['id']) - return network['cidr_v6'] \ No newline at end of file + return network['cidr_v6'] -- cgit