def add_to_instance(context, instance, security_group_name): """Add security group to the instance.""" neutron = neutronapi.get_client(context) try: security_group_id = neutronv20.find_resourceid_by_name_or_id( neutron, 'security_group', security_group_name, context.project_id) except n_exc.NeutronClientNoUniqueMatch as e: raise exception.NoUniqueMatch(six.text_type(e)) except n_exc.NeutronClientException as e: if e.status_code == 404: msg = (_("Security group %(name)s is not found for " "project %(project)s") % {'name': security_group_name, 'project': context.project_id}) raise exception.SecurityGroupNotFound(msg) else: raise e params = {'device_id': instance.uuid} try: ports = neutron.list_ports(**params).get('ports') except n_exc.NeutronClientException: with excutils.save_and_reraise_exception(): LOG.exception("Neutron Error:") if not ports: msg = (_("instance_id %s could not be found as device id on" " any ports") % instance.uuid) raise exception.SecurityGroupNotFound(msg) for port in ports: if not _has_security_group_requirements(port): LOG.warning("Cannot add security group %(name)s to " "%(instance)s since the port %(port_id)s " "does not meet security requirements", {'name': security_group_name, 'instance': instance.uuid, 'port_id': port['id']}) raise exception.SecurityGroupCannotBeApplied() if 'security_groups' not in port: port['security_groups'] = [] port['security_groups'].append(security_group_id) updated_port = {'security_groups': port['security_groups']} try: LOG.info("Adding security group %(security_group_id)s to " "port %(port_id)s", {'security_group_id': security_group_id, 'port_id': port['id']}) neutron.update_port(port['id'], {'port': updated_port}) except n_exc.NeutronClientException as e: if e.status_code == 400: raise exception.SecurityGroupCannotBeApplied( six.text_type(e)) else: raise e except Exception: with excutils.save_and_reraise_exception(): LOG.exception("Neutron Error:")
def create_port(self, body): p = body.get('port') ret = {'status': 'ACTIVE', 'id': str(uuid.uuid4()), 'mac_address': p.get('mac_address', 'fa:16:3e:b8:f5:fb'), 'device_id': p.get('device_id', str(uuid.uuid4())), 'admin_state_up': p.get('admin_state_up', True), 'security_groups': p.get('security_groups', []), 'network_id': p.get('network_id')} network = self._fake_networks[p['network_id']] if 'port_security_enabled' in p: ret['port_security_enabled'] = p['port_security_enabled'] elif 'port_security_enabled' in network: ret['port_security_enabled'] = network['port_security_enabled'] port_security = ret.get('port_security_enabled', True) # port_security must be True if security groups are present if not port_security and ret['security_groups']: raise exception.SecurityGroupCannotBeApplied() if network['subnets']: ret['fixed_ips'] = [{'subnet_id': network['subnets'][0], 'ip_address': '10.0.0.1'}] if not ret['security_groups'] and (port_security is None or port_security is True): for security_group in self._fake_security_groups.values(): if security_group['name'] == 'default': ret['security_groups'] = [security_group['id']] break self._fake_ports[ret['id']] = ret return {'port': ret}
def allocate(self, context, instance_id, tenant_id, zone, **kwargs): neutron = neutronv2.get_client(context, admin=True) dhcp_opts = kwargs.get('dhcp_options', None) net_ids = [kwargs.get('network_id')] nets = self._get_available_networks(context, tenant_id, net_ids) if not nets: LOG.warn(_LW("No network configured!")) return network_model.NetworkInfo([]) security_groups = kwargs.get('security_groups', []) security_group_ids = [] if len(security_groups): search_opts = {'tenant_id': tenant_id} user_security_groups = neutron.list_security_groups( **search_opts).get('security_groups') for security_group in security_groups: name_match = None uuid_match = None for user_security_group in user_security_groups: if user_security_group['name'] == security_group: if name_match: raise exception.NoUniqueMatch( _("Multiple security groups found matching" " '%s'. Use an ID to be more specific.") % security_group) name_match = user_security_group['id'] if user_security_group['id'] == security_group: uuid_match = user_security_group['id'] # If a user names the security group the same as # another's security groups uuid, the name takes priority. if not name_match and not uuid_match: raise exception.SecurityGroupNotFound( security_group_id=security_group) elif name_match: security_group_ids.append(name_match) elif uuid_match: security_group_ids.append(uuid_match) for net in nets: if net['id'] == kwargs.get('network_id'): network = net break if (security_groups and not ( network['subnets'] and network.get('port_security_enabled', True))): raise exception.SecurityGroupCannotBeApplied() port_req_body = {'port': {'device_id': instance_id, 'device_owner': zone, 'binding:host_id': 'qjnode2.test.ibm.com'}} created_port = self._create_port( neutron, tenant_id, network['id'], port_req_body, None, security_group_ids, dhcp_opts) nw_info = self._build_network_info_model(context, instance_id, tenant_id, networks=[net], port_ids=[created_port]) return network_model.NetworkInfo([vif for vif in nw_info])
def add_to_instance(self, context, instance, security_group_name): """Add security group to the instance.""" neutron = neutronv2.get_client(context) try: security_group_id = neutronv20.find_resourceid_by_name_or_id( neutron, 'security_group', security_group_name) except n_exc.NeutronClientException as e: exc_info = sys.exc_info() if e.status_code == 404: msg = ("Security group %s is not found for project %s" % (security_group_name, context.project_id)) self.raise_not_found(msg) else: LOG.exception(_("Neutron Error:")) raise exc_info[0], exc_info[1], exc_info[2] params = {'device_id': instance['uuid']} try: ports = neutron.list_ports(**params).get('ports') except n_exc.NeutronClientException: with excutils.save_and_reraise_exception(): LOG.exception(_("Neutron Error:")) if not ports: msg = ("instance_id %s could not be found as device id on" " any ports" % instance['uuid']) self.raise_not_found(msg) for port in ports: if not self._has_security_group_requirements(port): LOG.warn( _("Cannot add security group %(name)s to %(instance)s" " since the port %(port_id)s does not meet security" " requirements"), { 'name': security_group_name, 'instance': instance['uuid'], 'port_id': port['id'] }) raise exception.SecurityGroupCannotBeApplied() if 'security_groups' not in port: port['security_groups'] = [] port['security_groups'].append(security_group_id) updated_port = {'security_groups': port['security_groups']} try: LOG.info( _("Adding security group %(security_group_id)s to " "port %(port_id)s"), { 'security_group_id': security_group_id, 'port_id': port['id'] }) neutron.update_port(port['id'], {'port': updated_port}) except Exception: with excutils.save_and_reraise_exception(): LOG.exception(_("Neutron Error:"))
def test_attach_interface_failed_securitygroup_cannot_be_applied( self, attach_mock, get_mock): fake_instance = objects.Instance(uuid=FAKE_UUID1, project_id=FAKE_UUID2) get_mock.return_value = fake_instance attach_mock.side_effect = ( exception.SecurityGroupCannotBeApplied()) self.assertRaises(exc.HTTPBadRequest, self.attachments.create, self.req, FAKE_UUID1, body={}) ctxt = self.req.environ['nova.context'] attach_mock.assert_called_once_with(ctxt, fake_instance, None, None, None) get_mock.assert_called_once_with(ctxt, FAKE_UUID1, expected_attrs=None)
def allocate_for_instance(self, context, instance, **kwargs): """Allocate network resources for the instance. :param requested_networks: optional value containing network_id, fixed_ip, and port_id :param security_groups: security groups to allocate for instance :param macs: None or a set of MAC addresses that the instance should use. macs is supplied by the hypervisor driver (contrast with requested_networks which is user supplied). NB: NeutronV2 currently assigns hypervisor supplied MAC addresses to arbitrary networks, which requires openflow switches to function correctly if more than one network is being used with the bare metal hypervisor (which is the only one known to limit MAC addresses). """ hypervisor_macs = kwargs.get('macs', None) available_macs = None if hypervisor_macs is not None: # Make a copy we can mutate: records macs that have not been used # to create a port on a network. If we find a mac with a # pre-allocated port we also remove it from this set. available_macs = set(hypervisor_macs) neutron = neutronv2.get_client(context) LOG.debug(_('allocate_for_instance() for %s'), instance['display_name']) if not instance['project_id']: msg = _('empty project id for instance %s') raise exception.InvalidInput( reason=msg % instance['display_name']) requested_networks = kwargs.get('requested_networks') ports = {} fixed_ips = {} net_ids = [] if requested_networks: for network_id, fixed_ip, port_id in requested_networks: if port_id: port = neutron.show_port(port_id)['port'] if hypervisor_macs is not None: if port['mac_address'] not in hypervisor_macs: raise exception.PortNotUsable(port_id=port_id, instance=instance['display_name']) else: # Don't try to use this MAC if we need to create a # port on the fly later. Identical MACs may be # configured by users into multiple ports so we # discard rather than popping. available_macs.discard(port['mac_address']) network_id = port['network_id'] ports[network_id] = port elif fixed_ip and network_id: fixed_ips[network_id] = fixed_ip if network_id: net_ids.append(network_id) nets = self._get_available_networks(context, instance['project_id'], net_ids) if not nets: LOG.warn(_("No network configured!"), instance=instance) return [] security_groups = kwargs.get('security_groups', []) security_group_ids = [] # TODO(arosen) Should optimize more to do direct query for security # group if len(security_groups) == 1 if len(security_groups): search_opts = {'tenant_id': instance['project_id']} user_security_groups = neutron.list_security_groups( **search_opts).get('security_groups') for security_group in security_groups: name_match = None uuid_match = None for user_security_group in user_security_groups: if user_security_group['name'] == security_group: if name_match: msg = (_("Multiple security groups found matching" " '%s'. Use an ID to be more specific."), security_group) raise exception.NoUniqueMatch(msg) name_match = user_security_group['id'] if user_security_group['id'] == security_group: uuid_match = user_security_group['id'] # If a user names the security group the same as # another's security groups uuid, the name takes priority. if not name_match and not uuid_match: raise exception.SecurityGroupNotFound( security_group_id=security_group) elif name_match: security_group_ids.append(name_match) elif uuid_match: security_group_ids.append(uuid_match) touched_port_ids = [] created_port_ids = [] for network in nets: # If security groups are requested on an instance then the # network must has a subnet associated with it. Some plugins # implement the port-security extension which requires # 'port_security_enabled' to be True for security groups. # That is why True is returned if 'port_security_enabled' # is not found. if (security_groups and not ( network['subnets'] and network.get('port_security_enabled', True))): raise exception.SecurityGroupCannotBeApplied() network_id = network['id'] zone = 'compute:%s' % instance['availability_zone'] port_req_body = {'port': {'device_id': instance['uuid'], 'device_owner': zone}} try: port = ports.get(network_id) self._populate_neutron_extension_values(instance, port_req_body) # Requires admin creds to set port bindings port_client = (neutron if not self._has_port_binding_extension() else neutronv2.get_client(context, admin=True)) if port: port_client.update_port(port['id'], port_req_body) touched_port_ids.append(port['id']) else: fixed_ip = fixed_ips.get(network_id) if fixed_ip: port_req_body['port']['fixed_ips'] = [{'ip_address': fixed_ip}] port_req_body['port']['network_id'] = network_id port_req_body['port']['admin_state_up'] = True port_req_body['port']['tenant_id'] = instance['project_id'] if security_group_ids: port_req_body['port']['security_groups'] = ( security_group_ids) if available_macs is not None: if not available_macs: raise exception.PortNotFree( instance=instance['display_name']) mac_address = available_macs.pop() port_req_body['port']['mac_address'] = mac_address created_port_ids.append( port_client.create_port(port_req_body)['port']['id']) except Exception: with excutils.save_and_reraise_exception(): for port_id in touched_port_ids: try: port_req_body = {'port': {'device_id': None}} # Requires admin creds to set port bindings if self._has_port_binding_extension(): port_req_body['port']['binding:host_id'] = None port_client = neutronv2.get_client( context, admin=True) else: port_client = neutron port_client.update_port(port_id, port_req_body) except Exception: msg = _("Failed to update port %s") LOG.exception(msg, port_id) for port_id in created_port_ids: try: neutron.delete_port(port_id) except Exception: msg = _("Failed to delete port %s") LOG.exception(msg, port_id) nw_info = self._get_instance_nw_info(context, instance, networks=nets) # NOTE(danms): Only return info about ports we created in this run. # In the initial allocation case, this will be everything we created, # and in later runs will only be what was created that time. Thus, # this only affects the attach case, not the original use for this # method. return network_model.NetworkInfo([port for port in nw_info if port['id'] in created_port_ids + touched_port_ids])
def allocate_for_instance(self, context, instance, **kwargs): """Allocate network resources for the instance. :param context: The request context. :param instance: nova.objects.instance.Instance object. :param requested_networks: optional value containing network_id, fixed_ip, and port_id :param security_groups: security groups to allocate for instance :param macs: None or a set of MAC addresses that the instance should use. macs is supplied by the hypervisor driver (contrast with requested_networks which is user supplied). NB: NeutronV2 currently assigns hypervisor supplied MAC addresses to arbitrary networks, which requires openflow switches to function correctly if more than one network is being used with the bare metal hypervisor (which is the only one known to limit MAC addresses). :param dhcp_options: None or a set of key/value pairs that should determine the DHCP BOOTP response, eg. for PXE booting an instance configured with the baremetal hypervisor. It is expected that these are already formatted for the neutron v2 api. See nova/virt/driver.py:dhcp_options_for_instance for an example. """ hypervisor_macs = kwargs.get('macs', None) available_macs = None if hypervisor_macs is not None: # Make a copy we can mutate: records macs that have not been used # to create a port on a network. If we find a mac with a # pre-allocated port we also remove it from this set. available_macs = set(hypervisor_macs) neutron = neutronv2.get_client(context) LOG.debug('allocate_for_instance()', instance=instance) if not instance.project_id: msg = _('empty project id for instance %s') raise exception.InvalidInput(reason=msg % instance.uuid) requested_networks = kwargs.get('requested_networks') dhcp_opts = kwargs.get('dhcp_options', None) ports = {} net_ids = [] ordered_networks = [] if requested_networks: for request in requested_networks: if request.port_id: try: port = neutron.show_port(request.port_id)['port'] except neutron_client_exc.PortNotFoundClient: raise exception.PortNotFound(port_id=request.port_id) if port['tenant_id'] != instance.project_id: raise exception.PortNotUsable(port_id=request.port_id, instance=instance.uuid) if (port.get('device_id') and port.get('device_id') != instance['uuid']): raise exception.PortInUse(port_id=request.port_id) if hypervisor_macs is not None: if port['mac_address'] not in hypervisor_macs: raise exception.PortNotUsable( port_id=request.port_id, instance=instance.uuid) else: # Don't try to use this MAC if we need to create a # port on the fly later. Identical MACs may be # configured by users into multiple ports so we # discard rather than popping. available_macs.discard(port['mac_address']) request.network_id = port['network_id'] ports[request.port_id] = port if request.network_id: net_ids.append(request.network_id) ordered_networks.append(request) nets = self._get_available_networks(context, instance.project_id, net_ids) if not nets: LOG.warn(_LW("No network configured!"), instance=instance) return network_model.NetworkInfo([]) # if this function is directly called without a requested_network param # or if it is indirectly called through allocate_port_for_instance() # with None params=(network_id=None, requested_ip=None, port_id=None, # pci_request_id=None): if (not requested_networks or requested_networks.is_single_unspecified): # bug/1267723 - if no network is requested and more # than one is available then raise NetworkAmbiguous Exception if len(nets) > 1: msg = _("Multiple possible networks found, use a Network " "ID to be more specific.") raise exception.NetworkAmbiguous(msg) ordered_networks.append( objects.NetworkRequest(network_id=nets[0]['id'])) db_req_networks = list() db_obj = huawei_instance_extra.HuaweiInstanceExtra( instance_uuid=instance.uuid) db_instance = db_obj.get_by_instance_uuid( context, instance_uuid=instance.uuid) if db_instance.request_network: db_req_networks = jsonutils.loads(db_instance.request_network) db_req_networks.append([nets[0]['id'], None, None]) db_obj.request_network = jsonutils.dumps(db_req_networks) db_obj.create(context) # NOTE(): check external net attach permission after the # check for ambiguity, there could be another # available net which is permitted bug/1364344 self._check_external_network_attach(context, nets) security_groups = kwargs.get('security_groups', []) security_group_ids = [] # TODO() Should optimize more to do direct query for security # group if len(security_groups) == 1 if len(security_groups): search_opts = {'tenant_id': instance.project_id} user_security_groups = neutron.list_security_groups( **search_opts).get('security_groups') for security_group in security_groups: name_match = None uuid_match = None for user_security_group in user_security_groups: if user_security_group['name'] == security_group: if name_match: raise exception.NoUniqueMatch( _("Multiple security groups found matching" " '%s'. Use an ID to be more specific.") % security_group) name_match = user_security_group['id'] if user_security_group['id'] == security_group: uuid_match = user_security_group['id'] # If a user names the security group the same as # another's security groups uuid, the name takes priority. if not name_match and not uuid_match: raise exception.SecurityGroupNotFound( security_group_id=security_group) elif name_match: security_group_ids.append(name_match) elif uuid_match: security_group_ids.append(uuid_match) touched_port_ids = [] created_port_ids = [] ports_in_requested_order = [] nets_in_requested_order = [] for request in ordered_networks: # Network lookup for available network_id network = None for net in nets: if net['id'] == request.network_id: network = net break # if network_id did not pass validate_networks() and not available # here then skip it safely not continuing with a None Network else: continue nets_in_requested_order.append(network) # If security groups are requested on an instance then the # network must has a subnet associated with it. Some plugins # implement the port-security extension which requires # 'port_security_enabled' to be True for security groups. # That is why True is returned if 'port_security_enabled' # is not found. if (security_groups and not (network['subnets'] and network.get('port_security_enabled', True))): # add for roll back self._delete_ports(neutron, instance, created_port_ids) raise exception.SecurityGroupCannotBeApplied() request.network_id = network['id'] zone = 'compute:%s' % instance.availability_zone port_req_body = { 'port': { 'device_id': instance.uuid, 'device_owner': zone } } try: self._populate_neutron_extension_values( context, instance, request.pci_request_id, port_req_body) # Requires admin creds to set port bindings port_client = (neutron if not self._has_port_binding_extension(context) else neutronv2.get_client(context, admin=True)) if request.port_id: port = ports[request.port_id] port_client.update_port(port['id'], port_req_body) touched_port_ids.append(port['id']) ports_in_requested_order.append(port['id']) else: created_port = self._create_port(port_client, instance, request.network_id, port_req_body, request.address, security_group_ids, available_macs, dhcp_opts) created_port_ids.append(created_port) ports_in_requested_order.append(created_port) except Exception: with excutils.save_and_reraise_exception(): for port_id in touched_port_ids: try: port_req_body = {'port': {'device_id': ''}} # Requires admin creds to set port bindings if self._has_port_binding_extension(context): port_req_body['port']['binding:host_id'] = None port_client = neutronv2.get_client(context, admin=True) else: port_client = neutron port_client.update_port(port_id, port_req_body) except Exception: msg = _LE("Failed to update port %s") LOG.exception(msg, port_id) self._delete_ports(neutron, instance, created_port_ids) pci_list = kwargs.get('pci_list', []) nw_info = self.get_instance_nw_info(context, instance, networks=nets_in_requested_order, port_ids=ports_in_requested_order, pci_list=pci_list) # NOTE(): Only return info about ports we created in this run. # In the initial allocation case, this will be everything we created, # and in later runs will only be what was created that time. Thus, # this only affects the attach case, not the original use for this # method. return network_model.NetworkInfo([ vif for vif in nw_info if vif['id'] in created_port_ids + touched_port_ids ])