Revision d0545590
b/snf-cyclades-app/conf/20-snf-cyclades-app-api.conf | ||
---|---|---|
49 | 49 |
#DEFAULT_MAC_FILTERED_BRIDGE = 'prv0' |
50 | 50 |
# |
51 | 51 |
# |
52 |
## Firewall tags should contain '%d' to be filled with the NIC
|
|
53 |
## index.
|
|
54 |
#GANETI_FIREWALL_ENABLED_TAG = 'synnefo:network:0:protected'
|
|
55 |
#GANETI_FIREWALL_DISABLED_TAG = 'synnefo:network:0:unprotected'
|
|
56 |
#GANETI_FIREWALL_PROTECTED_TAG = 'synnefo:network:0:limited'
|
|
52 |
## Firewall tags should contain '%s' to be filled with the NIC
|
|
53 |
## ID.
|
|
54 |
#GANETI_FIREWALL_ENABLED_TAG = 'synnefo:network:%s:protected'
|
|
55 |
#GANETI_FIREWALL_DISABLED_TAG = 'synnefo:network:%s:unprotected'
|
|
56 |
#GANETI_FIREWALL_PROTECTED_TAG = 'synnefo:network:%s:limited'
|
|
57 | 57 |
# |
58 | 58 |
## The default firewall profile that will be in effect if no tags are defined |
59 | 59 |
#DEFAULT_FIREWALL_PROFILE = 'DISABLED' |
b/snf-cyclades-app/synnefo/api/servers.py | ||
---|---|---|
756 | 756 |
profile = args.get("profile") |
757 | 757 |
if profile is None: |
758 | 758 |
raise faults.BadRequest("Missing 'profile' attribute") |
759 |
index = args.get("index", 0) |
|
760 |
servers.set_firewall_profile(vm, profile=profile, index=index) |
|
759 |
nic_id = args.get("nic") |
|
760 |
if nic_id is None: |
|
761 |
raise faults.BadRequest("Missing 'nic' attribute") |
|
762 |
nic = util.get_nic(vm, nic_id) |
|
763 |
servers.set_firewall_profile(vm, profile=profile, nic=nic) |
|
761 | 764 |
return HttpResponse(status=202) |
762 | 765 |
|
763 | 766 |
|
b/snf-cyclades-app/synnefo/api/tests/servers.py | ||
---|---|---|
672 | 672 |
request = {'firewallProfile': {'profile': 'PROTECTED'}} |
673 | 673 |
response = self.mypost('servers/%d/action' % vm.id, |
674 | 674 |
vm.userid, json.dumps(request), 'json') |
675 |
self.assertEqual(response.status_code, 202) |
|
675 |
self.assertBadRequest(response) |
|
676 |
request = {'firewallProfile': {'profile': 'PROTECTED', "nic": "10"}} |
|
677 |
response = self.mypost('servers/%d/action' % vm.id, |
|
678 |
vm.userid, json.dumps(request), 'json') |
|
679 |
self.assertItemNotFound(response) |
|
680 |
nic = mfactory.NetworkInterfaceFactory(machine=vm) |
|
681 |
request = {'firewallProfile': {'profile': 'PROTECTED', "nic": nic.id}} |
|
682 |
response = self.mypost('servers/%d/action' % vm.id, |
|
683 |
vm.userid, json.dumps(request), 'json') |
|
684 |
self.assertSuccess(response) |
|
676 | 685 |
mrapi().ModifyInstance.assert_called_once() |
677 | 686 |
|
678 | 687 |
def test_unsupported_firewall(self, mrapi, mimage): |
b/snf-cyclades-app/synnefo/api/util.py | ||
---|---|---|
176 | 176 |
image["metadata"] = dict((key.upper(), val) |
177 | 177 |
for key, val in properties.items()) |
178 | 178 |
|
179 |
|
|
180 | 179 |
return image |
181 | 180 |
|
182 | 181 |
|
... | ... | |
286 | 285 |
|
287 | 286 |
|
288 | 287 |
def get_nic(vm, nic_id): |
288 |
"""Get a VMs NIC by its ID.""" |
|
289 | 289 |
try: |
290 | 290 |
return vm.nics.get(id=nic_id) |
291 | 291 |
except NetworkInterface.DoesNotExist: |
292 |
raise faults.ItemNotFound('Server not connected to this network.')
|
|
292 |
raise faults.ItemNotFound("NIC '%s' not found" % nic_id)
|
|
293 | 293 |
|
294 | 294 |
|
295 | 295 |
def render_metadata(request, metadata, use_values=False, status=200): |
b/snf-cyclades-app/synnefo/app_settings/default/api.py | ||
---|---|---|
49 | 49 |
|
50 | 50 |
|
51 | 51 |
# Firewalling. Firewall tags should contain '%d' to be filled with the NIC |
52 |
# index.
|
|
53 |
GANETI_FIREWALL_ENABLED_TAG = 'synnefo:network:%d:protected'
|
|
54 |
GANETI_FIREWALL_DISABLED_TAG = 'synnefo:network:%d:unprotected'
|
|
55 |
GANETI_FIREWALL_PROTECTED_TAG = 'synnefo:network:%d:limited'
|
|
52 |
# ID.
|
|
53 |
GANETI_FIREWALL_ENABLED_TAG = 'synnefo:network:%s:protected'
|
|
54 |
GANETI_FIREWALL_DISABLED_TAG = 'synnefo:network:%s:unprotected'
|
|
55 |
GANETI_FIREWALL_PROTECTED_TAG = 'synnefo:network:%s:limited'
|
|
56 | 56 |
|
57 | 57 |
# The default firewall profile that will be in effect if no tags are defined |
58 | 58 |
DEFAULT_FIREWALL_PROFILE = 'DISABLED' |
b/snf-cyclades-app/synnefo/logic/backend.py | ||
---|---|---|
844 | 844 |
|
845 | 845 |
with pooled_rapi_client(vm) as client: |
846 | 846 |
jobID = client.ModifyInstance(**kwargs) |
847 |
# If the NIC has a tag for a firewall profile it must be deleted, |
|
848 |
# otherwise it may affect another NIC. XXX: Deleting the tag should |
|
849 |
# depend on the removing the NIC, but currently RAPI client does not |
|
850 |
# support this, this may result in clearing the firewall profile |
|
851 |
# without successfully removing the NIC. This issue will be fixed with |
|
852 |
# use of NIC UUIDs. |
|
853 | 847 |
firewall_profile = nic.firewall_profile |
854 | 848 |
if firewall_profile and firewall_profile != "DISABLED": |
855 |
tag = _firewall_tags[firewall_profile] % nic.index
|
|
849 |
tag = _firewall_tags[firewall_profile] % nic.backend_uuid
|
|
856 | 850 |
client.DeleteInstanceTags(vm.backend_vm_id, [tag], |
857 | 851 |
dry_run=settings.TEST) |
858 | 852 |
|
859 | 853 |
return jobID |
860 | 854 |
|
861 | 855 |
|
862 |
def set_firewall_profile(vm, profile, index=0): |
|
856 |
def set_firewall_profile(vm, profile, nic): |
|
857 |
uuid = nic.backend_uuid |
|
863 | 858 |
try: |
864 |
tag = _firewall_tags[profile] % index
|
|
859 |
tag = _firewall_tags[profile] % uuid
|
|
865 | 860 |
except KeyError: |
866 | 861 |
raise ValueError("Unsopported Firewall Profile: %s" % profile) |
867 | 862 |
|
868 |
log.debug("Setting tag of VM %s, NIC index %d, to %s", vm, index, profile)
|
|
863 |
log.debug("Setting tag of VM %s, NIC %s, to %s", vm, nic, profile)
|
|
869 | 864 |
|
870 | 865 |
with pooled_rapi_client(vm) as client: |
871 | 866 |
# Delete previous firewall tags |
872 | 867 |
old_tags = client.GetInstanceTags(vm.backend_vm_id) |
873 |
delete_tags = [(t % index) for t in _firewall_tags.values()
|
|
874 |
if (t % index) in old_tags]
|
|
868 |
delete_tags = [(t % uuid) for t in _firewall_tags.values()
|
|
869 |
if (t % uuid) in old_tags]
|
|
875 | 870 |
if delete_tags: |
876 | 871 |
client.DeleteInstanceTags(vm.backend_vm_id, delete_tags, |
877 | 872 |
dry_run=settings.TEST) |
b/snf-cyclades-app/synnefo/logic/reconciliation.py | ||
---|---|---|
454 | 454 |
if len(t) != 4: |
455 | 455 |
logger.error("Malformed synefo tag %s", tag) |
456 | 456 |
continue |
457 |
try: |
|
458 |
index = int(t[2]) |
|
459 |
nics[index]['firewall'] = t[3] |
|
460 |
except ValueError: |
|
461 |
logger.error("Malformed synnefo tag %s", tag) |
|
462 |
except IndexError: |
|
463 |
logger.error("Found tag %s for non-existent NIC %d", |
|
464 |
tag, index) |
|
457 |
nic_name = t[2] |
|
458 |
firewall = t[3] |
|
459 |
[nic.setdefault("firewall", firewall) |
|
460 |
for nic in nics if nic["name"] == nic_name] |
|
465 | 461 |
return nics |
466 | 462 |
|
467 | 463 |
|
b/snf-cyclades-app/synnefo/logic/servers.py | ||
---|---|---|
337 | 337 |
|
338 | 338 |
|
339 | 339 |
@server_command("SET_FIREWALL_PROFILE") |
340 |
def set_firewall_profile(vm, profile, index=0):
|
|
341 |
log.info("Setting VM %s, NIC index %s, firewall %s", vm, index, profile)
|
|
340 |
def set_firewall_profile(vm, profile, nic):
|
|
341 |
log.info("Setting VM %s, NIC %s, firewall %s", vm, nic, profile)
|
|
342 | 342 |
|
343 | 343 |
if profile not in [x[0] for x in NetworkInterface.FIREWALL_PROFILES]: |
344 | 344 |
raise faults.BadRequest("Unsupported firewall profile") |
345 |
backend.set_firewall_profile(vm, profile=profile, index=index)
|
|
345 |
backend.set_firewall_profile(vm, profile=profile, nic=nic)
|
|
346 | 346 |
return None |
347 | 347 |
|
348 | 348 |
|
b/snf-cyclades-gtools/synnefo/ganeti/eventd.py | ||
---|---|---|
138 | 138 |
if len(t) != 4: |
139 | 139 |
logger.error("Malformed synefo tag %s", tag) |
140 | 140 |
continue |
141 |
try: |
|
142 |
index = int(t[2]) |
|
143 |
nics[index]['firewall'] = t[3] |
|
144 |
except ValueError: |
|
145 |
logger.error("Malformed synnefo tag %s", tag) |
|
146 |
except IndexError: |
|
147 |
logger.error("Found tag %s for non-existent NIC %d", |
|
148 |
tag, index) |
|
141 |
nic_name = t[2] |
|
142 |
firewall = t[3] |
|
143 |
[nic.setdefault("firewall", firewall) |
|
144 |
for nic in nics if nic["name"] == nic_name] |
|
149 | 145 |
return nics |
150 | 146 |
|
151 | 147 |
|
Also available in: Unified diff