def _build_rules(context, group_id, group_name, ip_permissions, direction):
if group_name is None and group_id is None:
raise exception.MissingParameter(param='group id or name')
if ip_permissions is None:
raise exception.MissingParameter(param='source group or cidr')
os_security_group_id = security_group_engine.get_group_os_id(context,
group_id,
group_name)
os_security_group_rule_bodies = []
if ip_permissions is None:
ip_permissions = []
for rule in ip_permissions:
os_security_group_rule_body = (
{'security_group_id': os_security_group_id,
'direction': direction,
'ethertype': 'IPv4'})
protocol = rule.get('ip_protocol', -1)
from_port = rule.get('from_port', -1)
to_port = rule.get('to_port', -1)
_validate_parameters(protocol, from_port, to_port)
if protocol != -1:
os_security_group_rule_body['protocol'] = rule['ip_protocol']
if from_port != -1:
os_security_group_rule_body['port_range_min'] = rule['from_port']
if to_port != -1:
os_security_group_rule_body['port_range_max'] = rule['to_port']
# TODO(Alex) AWS protocol claims support of multiple groups and cidrs,
# however, neutron doesn't support it at the moment.
# It's possible in the future to convert list values incoming from
# REST API into several neutron rules and squeeze them back into one
# for describing.
# For now only 1 value is supported for either.
if rule.get('groups'):
os_security_group_rule_body['remote_group_id'] = (
security_group_engine.get_group_os_id(
context,
rule['groups'][0].get('group_id'),
rule['groups'][0].get('group_name')))
elif rule.get('ip_ranges'):
os_security_group_rule_body['remote_ip_prefix'] = (
rule['ip_ranges'][0]['cidr_ip'])
validator.validate_cidr_with_ipv6(
os_security_group_rule_body['remote_ip_prefix'], 'cidr_ip')
else:
raise exception.MissingParameter(param='source group or cidr')
os_security_group_rule_bodies.append(os_security_group_rule_body)
return os_security_group_rule_bodies
def delete_security_group(context, group_name=None, group_id=None,
delete_default=False):
if group_name is None and group_id is None:
raise exception.MissingParameter(param='group id or name')
security_group_engine.delete_group(context, group_name, group_id,
delete_default)
return True
def disassociate_address(context, public_ip=None, association_id=None):
if not public_ip and not association_id:
msg = _('Either public IP or association id must be specified')
raise exception.MissingParameter(msg)
if public_ip and association_id:
msg = _('You may specify public IP or association id, '
'but not both in the same call')
raise exception.InvalidParameterCombination(msg)
address_engine.disassociate_address(context, public_ip, association_id)
return True
def delete_dhcp_options(context, dhcp_options_id):
if not dhcp_options_id:
raise exception.MissingParameter(
_('DHCP options ID must be specified'))
dhcp_options = ec2utils.get_db_item(context, dhcp_options_id)
vpcs = db_api.get_items(context, 'vpc')
for vpc in vpcs:
if dhcp_options['id'] == vpc.get('dhcp_options_id'):
raise exception.DependencyViolation(obj1_id=dhcp_options['id'],
obj2_id=vpc['id'])
db_api.delete_item(context, dhcp_options['id'])
return True
def associate_address(context, public_ip=None, instance_id=None,
allocation_id=None, network_interface_id=None,
private_ip_address=None, allow_reassociation=False):
if not public_ip and not allocation_id:
msg = _('Either public IP or allocation id must be specified')
raise exception.MissingParameter(msg)
if public_ip and allocation_id:
msg = _('You may specify public IP or allocation id, '
'but not both in the same call')
raise exception.InvalidParameterCombination(msg)
if not instance_id and not network_interface_id:
msg = _('Either instance ID or network interface id must be specified')
raise exception.MissingParameter(msg)
associationId = address_engine.associate_address(
context, public_ip, instance_id,
allocation_id, network_interface_id,
private_ip_address, allow_reassociation)
if associationId:
return {'return': True,
'associationId': associationId}
return {'return': True}
def disassociate_address(context, public_ip=None, association_id=None):
LOG.info('Disassociate address: %(public_ip)s. Association: %(association_id)s.',
{'public_ip': public_ip, 'association_id': association_id})
if not public_ip and not association_id:
msg = _('Either public IP or association id must be specified')
raise exception.MissingParameter(msg)
if public_ip and association_id:
msg = _('You may specify public IP or association id, '
'but not both in the same call')
raise exception.InvalidParameterCombination(msg)
disassociate = address_engine.disassociate_address(context, public_ip, association_id)
LOG.info('Disassociation is %s', disassociate)
return True
def import_key_pair(context, key_name, public_key_material):
_validate_name(key_name)
if not public_key_material:
raise exception.MissingParameter(
_('The request must contain the parameter PublicKeyMaterial'))
nova = clients.nova(context)
public_key = base64.b64decode(public_key_material).decode("utf-8")
try:
key_pair = nova.keypairs.create(key_name, public_key)
except nova_exception.OverLimit:
raise exception.ResourceLimitExceeded(resource='keypairs')
except nova_exception.Conflict:
raise exception.InvalidKeyPairDuplicate(key_name=key_name)
return _format_key_pair(key_pair)
def modify_network_interface_attribute(context,
network_interface_id,
description=None,
source_dest_check=None,
security_group_id=None,
attachment=None):
params_count = (int(description is not None) +
int(source_dest_check is not None) +
int(security_group_id is not None) +
int(attachment is not None))
if params_count != 1:
raise exception.InvalidParameterCombination(
'Multiple attributes specified')
network_interface = ec2utils.get_db_item(context, network_interface_id)
if description is not None:
network_interface['description'] = description
db_api.update_item(context, network_interface)
neutron = clients.neutron(context)
if security_group_id is not None:
os_groups = [
sg['os_id']
for sg in ec2utils.get_db_items(context, 'sg', security_group_id)
]
neutron.update_port(network_interface['os_id'],
{'port': {
'security_groups': os_groups
}})
if source_dest_check is not None:
allowed = [] if source_dest_check else [{'ip_address': '0.0.0.0/0'}]
neutron.update_port(network_interface['os_id'],
{'port': {
'allowed_address_pairs': allowed
}})
network_interface['source_dest_check'] = source_dest_check
db_api.update_item(context, network_interface)
if attachment:
attachment_id = attachment.get('attachment_id')
delete_on_termination = attachment.get('delete_on_termination')
if attachment_id is None or delete_on_termination is None:
raise exception.MissingParameter(
_('The request must contain the parameter attachment '
'deleteOnTermination'))
attachment_id_own = ec2utils.change_ec2_id_kind(
network_interface['id'], 'eni-attach')
if ('instance_id' not in network_interface
or attachment_id_own != attachment_id):
raise exception.InvalidAttachmentIDNotFound(id=attachment_id)
network_interface['delete_on_termination'] = delete_on_termination
db_api.update_item(context, network_interface)
return True
def modify_image_attribute(context,
image_id,
attribute=None,
user_group=None,
operation_type=None,
description=None,
launch_permission=None,
product_code=None,
user_id=None,
value=None):
os_image = ec2utils.get_os_image(context, image_id)
if not os_image:
# TODO(ft): figure out corresponding AWS error
raise exception.IncorrectState(
reason='Image is still being created or failed')
attributes = set()
# NOTE(andrey-mp): launchPermission structure is converted here
# to plain parameters: attribute, user_group, operation_type, user_id
if launch_permission is not None:
attributes.add('launchPermission')
user_group = list()
user_id = list()
if len(launch_permission) == 0:
msg = _('No operation specified for launchPermission attribute.')
raise exception.InvalidParameterCombination(msg)
if len(launch_permission) > 1:
msg = _('Only one operation can be specified.')
raise exception.InvalidParameterCombination(msg)
operation_type, permissions = launch_permission.popitem()
for index_key in permissions:
permission = permissions[index_key]
if 'group' in permission:
user_group.append(permission['group'])
if 'user_id' in permission:
user_id.append(permission['user_id'])
if attribute == 'launchPermission':
attributes.add('launchPermission')
if description is not None:
attributes.add('description')
value = description
if attribute == 'description':
attributes.add('description')
# check attributes
if len(attributes) == 0:
if product_code is not None:
attribute = 'productCodes'
if attribute in [
'kernel', 'ramdisk', 'productCodes', 'blockDeviceMapping'
]:
raise exception.InvalidParameter(
_('Parameter %s is invalid. '
'The attribute is not supported.') % attribute)
raise exception.InvalidParameterCombination('No attributes specified.')
if len(attributes) > 1:
raise exception.InvalidParameterCombination(
_('Fields for multiple attribute types specified: %s') %
str(attributes))
if 'launchPermission' in attributes:
if not user_group:
msg = _('No operation specified for launchPermission attribute.')
raise exception.InvalidParameterCombination(msg)
if len(user_group) != 1 and user_group[0] != 'all':
msg = _('only group "all" is supported')
raise exception.InvalidParameterValue(parameter='UserGroup',
value=user_group,
reason=msg)
if operation_type not in ['add', 'remove']:
msg = _('operation_type must be add or remove')
raise exception.InvalidParameterValue(parameter='OperationType',
value='operation_type',
reason=msg)
_check_owner(context, os_image)
os_image.update(is_public=(operation_type == 'add'))
return True
if 'description' in attributes:
if not value:
raise exception.MissingParameter(
'The request must contain the parameter description')
_check_owner(context, os_image)
image = ec2utils.get_db_item(context, image_id)
image['description'] = value
db_api.update_item(context, image)
return True
def register_image(context,
name=None,
image_location=None,
description=None,
architecture=None,
root_device_name=None,
block_device_mapping=None,
virtualization_type=None,
kernel_id=None,
ramdisk_id=None,
sriov_net_support=None):
if not image_location and not root_device_name:
# NOTE(ft): for backward compatibility with a hypothetical code
# which uses name as image_location
image_location = name
if not image_location and not root_device_name:
msg = _("Either imageLocation or rootDeviceName must be set.")
raise exception.InvalidParameterCombination(msg)
if not image_location and not name:
msg = _('The request must contain the parameter name')
raise exception.MissingParameter(msg)
# TODO(ft): check parameters
properties = {}
metadata = {'properties': properties}
if name:
# TODO(ft): check the name is unique (at least for EBS image case)
metadata['name'] = name
if image_location:
properties['image_location'] = image_location
if 'name' not in metadata:
# NOTE(ft): it's needed for backward compatibility
metadata['name'] = image_location
if root_device_name:
properties['root_device_name'] = root_device_name
cinder = clients.cinder(context)
if block_device_mapping:
mappings = instance_api._parse_block_device_mapping(
context, block_device_mapping)
# TODO(ft): merge with image manifets's virtual device mappings
short_root_device_name = (
ec2utils.block_device_strip_dev(root_device_name))
for bdm in mappings:
instance_api._populate_parsed_bdm_parameter(
bdm, short_root_device_name)
if 'volume_size' in bdm:
continue
try:
if bdm['source_type'] == 'snapshot':
snapshot = cinder.volume_snapshots.get(bdm['snapshot_id'])
bdm['volume_size'] = snapshot.size
elif bdm['source_type'] == 'volume':
volume = cinder.volumes.get(bdm['volume_id'])
bdm['volume_size'] = volume.size
except cinder_exception.NotFound:
pass
properties['bdm_v2'] = True
properties['block_device_mapping'] = json.dumps(mappings)
if architecture is not None:
properties['architecture'] = architecture
if kernel_id:
properties['kernel_id'] = ec2utils.get_os_image(context, kernel_id).id
if ramdisk_id:
properties['ramdisk_id'] = ec2utils.get_os_image(context,
ramdisk_id).id
with common.OnCrashCleaner() as cleaner:
if 'image_location' in properties:
os_image = _s3_create(context, metadata)
else:
metadata.update({'size': 0, 'is_public': False})
# TODO(ft): set default values of image properties
glance = clients.glance(context)
os_image = glance.images.create(**metadata)
cleaner.addCleanup(os_image.delete)
kind = _get_os_image_kind(os_image)
image = db_api.add_item(context, kind, {
'os_id': os_image.id,
'is_public': False,
'description': description
})
return {'imageId': image['id']}
def register_image(context,
name=None,
image_location=None,
description=None,
architecture=None,
root_device_name=None,
block_device_mapping=None,
virtualization_type=None,
kernel_id=None,
ramdisk_id=None,
sriov_net_support=None):
# Setup default flags
is_s3_import = False
is_url_import = False
# Process the input arguments
if not image_location and not root_device_name:
# NOTE(ft): for backward compatibility with a hypothetical code
# which uses name as image_location
image_location = name
if not image_location and not root_device_name:
msg = _("Either imageLocation or rootDeviceName must be set.")
raise exception.InvalidParameterCombination(msg)
if not image_location and not name:
msg = _('The request must contain the parameter name')
raise exception.MissingParameter(msg)
# TODO(ft): check parameters
metadata = {}
if name:
# TODO(ft): check the name is unique (at least for EBS image case)
metadata['name'] = name
if image_location:
# Resolve the import type
metadata['image_location'] = image_location
parsed_url = six.moves.urllib.parse.urlparse(image_location)
is_s3_import = (parsed_url.scheme == '') or (parsed_url.scheme == 's3')
is_url_import = not is_s3_import
# Check if the name is in the metadata
if 'name' not in metadata:
# NOTE(ft): it's needed for backward compatibility
metadata['name'] = image_location
if root_device_name:
metadata['root_device_name'] = root_device_name
cinder = clients.cinder(context)
if block_device_mapping:
mappings = instance_api._parse_block_device_mapping(
context, block_device_mapping)
# TODO(ft): merge with image manifets's virtual device mappings
short_root_device_name = (
ec2utils.block_device_strip_dev(root_device_name))
for bdm in mappings:
instance_api._populate_parsed_bdm_parameter(
bdm, short_root_device_name)
if 'volume_size' in bdm:
continue
try:
if bdm['source_type'] == 'snapshot':
snapshot = cinder.volume_snapshots.get(bdm['snapshot_id'])
bdm['volume_size'] = snapshot.size
elif bdm['source_type'] == 'volume':
volume = cinder.volumes.get(bdm['volume_id'])
bdm['volume_size'] = volume.size
except cinder_exception.NotFound:
pass
metadata['bdm_v2'] = 'True'
metadata['block_device_mapping'] = json.dumps(mappings)
if architecture is not None:
metadata['architecture'] = architecture
if kernel_id:
metadata['kernel_id'] = ec2utils.get_os_image(context, kernel_id).id
if ramdisk_id:
metadata['ramdisk_id'] = ec2utils.get_os_image(context, ramdisk_id).id
# Begin the import/registration process
with common.OnCrashCleaner() as cleaner:
# Setup the glance client
glance = clients.glance(context)
# Check if this is an S3 import
if is_s3_import:
os_image = _s3_create(context, metadata)
# Condition for all non-S3 imports
else:
# Create the image in glance
metadata.update({
'visibility': 'private',
'container_format': 'bare',
'disk_format': 'raw'
})
os_image = glance.images.create(**metadata)
# Kick-off the URL image import if from URL
if is_url_import:
glance.images.image_import(os_image.id,
method='web-download',
uri=metadata['image_location'])
# Otherwise, use the default method
else:
glance.images.upload(os_image.id, '', image_size=0)
# Add cleanups and complete the registration process
cleaner.addCleanup(glance.images.delete, os_image.id)
kind = _get_os_image_kind(os_image)
image = db_api.add_item(context, kind, {
'os_id': os_image.id,
'is_public': False,
'description': description
})
# Return the image ID for the registration process
return {'imageId': image['id']}
def _set_route(context, route_table_id, destination_cidr_block,
gateway_id, instance_id, network_interface_id,
vpc_peering_connection_id, do_replace):
route_table = ec2utils.get_db_item(context, route_table_id)
vpc = db_api.get_item_by_id(context, route_table['vpc_id'])
vpc_ipnet = netaddr.IPNetwork(vpc['cidr_block'])
route_ipnet = netaddr.IPNetwork(destination_cidr_block)
if route_ipnet in vpc_ipnet:
msg = _('Cannot create a more specific route for '
'%(destination_cidr_block)s than local route '
'%(vpc_cidr_block)s in route table %(rtb_id)s')
msg = msg % {'rtb_id': route_table_id,
'destination_cidr_block': destination_cidr_block,
'vpc_cidr_block': vpc['cidr_block']}
raise exception.InvalidParameterValue(msg)
obj_param_count = len([p for p in (gateway_id, network_interface_id,
instance_id, vpc_peering_connection_id)
if p is not None])
if obj_param_count != 1:
msg = _('The request must contain exactly one of gatewayId, '
'networkInterfaceId, vpcPeeringConnectionId or instanceId')
if obj_param_count == 0:
raise exception.MissingParameter(msg)
else:
raise exception.InvalidParameterCombination(msg)
rollabck_route_table_state = copy.deepcopy(route_table)
if do_replace:
route_index, old_route = next(
((i, r) for i, r in enumerate(route_table['routes'])
if r['destination_cidr_block'] == destination_cidr_block),
(None, None))
if route_index is None:
msg = _("There is no route defined for "
"'%(destination_cidr_block)s' in the route table. "
"Use CreateRoute instead.")
msg = msg % {'destination_cidr_block': destination_cidr_block}
raise exception.InvalidParameterValue(msg)
else:
del route_table['routes'][route_index]
if gateway_id:
gateway = ec2utils.get_db_item(context, gateway_id)
if gateway.get('vpc_id') != route_table['vpc_id']:
if ec2utils.get_ec2_id_kind(gateway_id) == 'vgw':
raise exception.InvalidGatewayIDNotFound(id=gateway['id'])
else: # igw
raise exception.InvalidParameterValue(
_('Route table %(rtb_id)s and network gateway %(igw_id)s '
'belong to different networks') %
{'rtb_id': route_table_id,
'igw_id': gateway_id})
route = {'gateway_id': gateway['id']}
elif network_interface_id:
network_interface = ec2utils.get_db_item(context, network_interface_id)
if network_interface['vpc_id'] != route_table['vpc_id']:
msg = _('Route table %(rtb_id)s and interface %(eni_id)s '
'belong to different networks')
msg = msg % {'rtb_id': route_table_id,
'eni_id': network_interface_id}
raise exception.InvalidParameterValue(msg)
route = {'network_interface_id': network_interface['id']}
elif instance_id:
# TODO(ft): implement search in DB layer
network_interfaces = [eni for eni in db_api.get_items(context, 'eni')
if eni.get('instance_id') == instance_id]
if len(network_interfaces) == 0:
msg = _("Invalid value '%(i_id)s' for instance ID. "
"Instance is not in a VPC.")
msg = msg % {'i_id': instance_id}
raise exception.InvalidParameterValue(msg)
elif len(network_interfaces) > 1:
raise exception.InvalidInstanceId(instance_id=instance_id)
network_interface = network_interfaces[0]
if network_interface['vpc_id'] != route_table['vpc_id']:
msg = _('Route table %(rtb_id)s and interface %(eni_id)s '
'belong to different networks')
msg = msg % {'rtb_id': route_table_id,
'eni_id': network_interface['id']}
raise exception.InvalidParameterValue(msg)
route = {'network_interface_id': network_interface['id']}
else:
raise exception.InvalidRequest('Parameter VpcPeeringConnectionId is '
'not supported by this implementation')
route['destination_cidr_block'] = destination_cidr_block
update_target = _get_route_target(route)
if do_replace:
idempotent_call = False
old_target = _get_route_target(old_route)
if old_target != update_target:
update_target = None
else:
old_route = next((r for r in route_table['routes']
if r['destination_cidr_block'] ==
destination_cidr_block), None)
idempotent_call = old_route == route
if old_route and not idempotent_call:
raise exception.RouteAlreadyExists(
destination_cidr_block=destination_cidr_block)
if not idempotent_call:
route_table['routes'].append(route)
with common.OnCrashCleaner() as cleaner:
db_api.update_item(context, route_table)
cleaner.addCleanup(db_api.update_item, context,
rollabck_route_table_state)
_update_routes_in_associated_subnets(context, cleaner, route_table,
update_target=update_target)
return True