Ejemplo n.º 1
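    def _provision_ext_sec_group(self, custom_ext_rules=None):
        """Create the '<name>-ext' security group when it does not exist yet.

        Each rule is a string of four whitespace-separated fields, in the
        order ``protocol from_port to_port cidr``. A non-empty
        ``custom_ext_rules`` replaces the ``ext-secgroup-rules`` list of the
        cluster config; without either, the group is created with no rules.

        A group that already exists is left untouched: its rules are not
        compared with, or updated from, the configured ones.

        Raises:
            ValueError: a rule does not consist of exactly four fields. All
                rules are parsed before the group is created, so a malformed
                rule cannot leave a partially configured group behind.
        """
        sg_name_ext = self.name + '-ext'
        try:
            oaw.check_secgroup_exists(self.nova_client, sg_name_ext)
        except RuntimeError:
            # RuntimeError is treated as "no such group".
            # NOTE(review): any other failure reported as RuntimeError would
            # also land here -- confirm against oaw.check_secgroup_exists.

            # Select the rule source first (custom rules override the
            # cluster config rules).
            ext_rules = []
            if custom_ext_rules:
                ext_rules = custom_ext_rules
            elif 'ext-secgroup-rules' in self.config['cluster']:
                ext_rules = self.config['cluster']['ext-secgroup-rules']

            # Parse every rule before touching the cloud API. The original
            # unpacked each rule only after the group had been created, so a
            # bad rule aborted midway and a rerun then skipped the remaining
            # rules because the group already existed.
            parsed_rules = []
            for rule in ext_rules:
                fields = rule.strip().split()
                if len(fields) != 4:
                    raise ValueError(
                        "invalid external security group rule %r: expected "
                        "'protocol from_port to_port cidr'" % (rule,))
                parsed_rules.append((rule, fields))

            print
            print '    Creating security group for external access'
            print '    NOTE: you can modify the rules afterwards through '
            print
            print '      nova secgroup-add-rule %s ...' % sg_name_ext
            print
            print '      or through the web interface'
            print
            sg = oaw.create_sec_group(
                self.nova_client, sg_name_ext,
                'Security group for %s external access' % self.name)
            self.__prov_log('create', 'sec-group', sg.id, sg.name)

            # The CIDR is passed through exactly as configured; a rule with
            # 0.0.0.0/0 opens the port range to every source address, so
            # these entries deserve a review before provisioning.
            for rule, (proto, from_port, to_port, cidr) in parsed_rules:
                print "    adding rule '%s'" % rule
                oaw.add_sec_group_rule(self.nova_client,
                                       sg.id,
                                       ip_protocol=proto,
                                       from_port=from_port,
                                       to_port=to_port,
                                       cidr=cidr)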
Ejemplo n.º 2
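    def _provision_ext_sec_group(self, custom_ext_rules=None):
        """Provision the "<name>-ext" security group if it is missing.

        Rules are strings of the form ``protocol from_port to_port cidr``
        (four whitespace-separated fields). ``custom_ext_rules``, when
        non-empty, takes precedence over the cluster config's
        ``ext-secgroup-rules`` entry.

        Nothing is done when the group already exists; in particular its
        current rules are not reconciled with the configured ones.

        Raises:
            ValueError: a rule does not split into exactly four fields. The
                check runs before the group is created, so a malformed rule
                no longer produces a group holding only some of its rules.
        """
        sg_name_ext = self.name + "-ext"
        try:
            oaw.check_secgroup_exists(self.nova_client, sg_name_ext)
        except RuntimeError:
            # The lookup signalled RuntimeError, which this method reads as
            # "group not found".
            # NOTE(review): confirm the helper raises RuntimeError only for
            # that case; otherwise an API failure triggers a create attempt.

            # add user configured rules (override the cluster config rules with custom_ext_rules if provided)
            ext_rules = []
            if custom_ext_rules:
                ext_rules = custom_ext_rules
            elif "ext-secgroup-rules" in self.config["cluster"]:
                ext_rules = self.config["cluster"]["ext-secgroup-rules"]

            # Validate up front: previously a rule with the wrong number of
            # fields failed on unpacking after the group existed, and later
            # runs skipped this branch, so the missing rules were never added.
            validated = []
            for rule in ext_rules:
                parts = rule.strip().split()
                if len(parts) != 4:
                    raise ValueError(
                        "invalid external security group rule %r: expected "
                        "'protocol from_port to_port cidr'" % (rule,)
                    )
                validated.append((rule, parts))

            print
            print "    Creating security group for external access"
            print "    NOTE: you can modify the rules afterwards through "
            print
            print "      nova secgroup-add-rule %s ..." % sg_name_ext
            print
            print "      or through the web interface"
            print
            sg = oaw.create_sec_group(
                self.nova_client, sg_name_ext, "Security group for %s external access" % self.name
            )
            self.__prov_log("create", "sec-group", sg.id, sg.name)

            # Protocol, ports and CIDR are forwarded as written in the rule.
            # A 0.0.0.0/0 CIDR exposes the port range to any source address;
            # review such rules in the config before provisioning.
            for rule, (proto, from_port, to_port, cidr) in validated:
                print "    adding rule '%s'" % rule
                oaw.add_sec_group_rule(
                    self.nova_client, sg.id, ip_protocol=proto, from_port=from_port, to_port=to_port, cidr=cidr
                )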
Ejemplo n.º 3
    def _provision_int_sec_group(self):
        """Create the "<name>-int" security group unless it already exists.

        A new group gets local access rules from itself (intra-cluster
        traffic) and from every group listed under the cluster config key
        ``allow-traffic-from-sec-groups``. An existing group is returned to
        the caller unchanged; its rules are not re-checked.
        """
        int_group_name = self.name + "-int"
        try:
            oaw.check_secgroup_exists(self.nova_client, int_group_name)
        except RuntimeError:
            # Read as "group not found": fall through and create it.
            pass
        else:
            return

        print
        print "    No security group for internal access exists, creating it"
        description = "Security group for %s internal access" % self.name
        created = oaw.create_sec_group(self.nova_client, int_group_name, description)
        self.__prov_log("create", "sec-group", created.id, created.name)

        # Members of the group may reach each other.
        oaw.create_local_access_rules(self.nova_client, int_group_name, int_group_name)

        # Every group named here gains access to the cluster's internal
        # group (usually 'bastion'), so the list is part of the trust
        # boundary and should stay short.
        if "allow-traffic-from-sec-groups" in self.config["cluster"]:
            trusted_groups = self.config["cluster"]["allow-traffic-from-sec-groups"]
            for source_group in trusted_groups:
                oaw.create_local_access_rules(self.nova_client, int_group_name, source_group)
Ejemplo n.º 4
    def _provision_int_sec_group(self):
        """Ensure the '<name>-int' security group exists.

        When the existence check raises RuntimeError the group is created,
        logged through the provisioning log, opened to its own members, and
        opened to each group listed in the cluster config under
        'allow-traffic-from-sec-groups'. When the check passes, nothing is
        changed and existing rules are not verified.
        """
        group_name = self.name + '-int'
        client = self.nova_client
        try:
            oaw.check_secgroup_exists(client, group_name)
        except RuntimeError:
            print
            print '    No security group for internal access exists, creating it'
            new_group = oaw.create_sec_group(
                client, group_name,
                'Security group for %s internal access' % self.name)
            self.__prov_log('create', 'sec-group', new_group.id,
                            new_group.name)

            # intra-cluster access: the group is its own traffic source
            oaw.create_local_access_rules(client, group_name, group_name)

            # access from other security groups (usually 'bastion'); each
            # listed group can reach the cluster's internal group, so review
            # this config entry like any other firewall rule
            cluster_cfg = self.config['cluster']
            if 'allow-traffic-from-sec-groups' in cluster_cfg:
                for peer in cluster_cfg['allow-traffic-from-sec-groups']:
                    oaw.create_local_access_rules(client, group_name, peer)