def _initial_secure_host(self, instance, ports=None):
    """
    Lock down the host in its default state.

    Creates an iptables chain named after the instance in both the IPv4
    and IPv6 ``filter`` tables and then applies the manager's rule set.
    No rules are added to those chains here, so nothing is filtered
    yet; ``ports`` is accepted but unused until the API passes a
    security context down (see the note below).
    """
    # TODO(tim.simpson) This hangs if the "lock_path" FLAG value refers to
    # a directory which can't be locked. It'd be nice if we could somehow
    # detect that and raise an error instead.
    #
    # Resolve the instance's fixed IP and its network. The network
    # lookup result is not used by the rules below yet.
    admin_ctxt = context.get_admin_context()
    fixed_ip = db.instance_get_fixed_address(admin_ctxt, instance["id"])
    db.fixed_ip_get_network(admin_ctxt, fixed_ip)

    # One chain per instance in each address family's filter table.
    chain_name = instance["name"]
    manager = linux_net.iptables_manager
    for table in (manager.ipv4["filter"], manager.ipv6["filter"]):
        table.add_chain(chain_name)

    # As of right now there is no API call to manage security so there
    # are no rules applied; this really is just a pass. The intent is to
    # accept a list of ports that should be globally open and lock down
    # the rest, but that cannot be implemented until the API passes a
    # security context object down to us.
    manager.apply()
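def _add_ip(self, instance, netif="eth0", if_file="etc/network/interfaces"):
    """
    Add the instance's fixed IP to the container's network config.

    Renders ``FLAGS.ovz_network_template`` with the fixed address,
    netmask and gateway looked up for ``instance`` and appends the
    result to ``if_file`` inside the container's private directory
    (``FLAGS.ovz_ve_private_dir/<instance id>``).

    :param instance: instance dict; ``instance["id"]`` selects both the
                     fixed IP and the container directory.
    :param netif: interface name written as the template's gateway device.
    :param if_file: interfaces file path relative to the container's
                    private directory.
    :raises exception.Error: on any failure; the underlying error is
                             logged first.
    """
    ctxt = context.get_admin_context()
    ip = db.instance_get_fixed_address(ctxt, instance["id"])
    network = db.fixed_ip_get_network(ctxt, ip)
    net_path = "%s/%s" % (FLAGS.ovz_ve_private_dir, instance["id"])
    if_file_path = net_path + "/" + if_file
    try:
        # NOTE: chdir is process-wide. It is kept because the template
        # path may be relative and resolved against the container dir.
        os.chdir(net_path)
        with open(FLAGS.ovz_network_template) as fh:
            network_file = fh.read() % {
                "gateway_dev": netif,
                "address": ip,
                "netmask": network["netmask"],
                "gateway": network["gateway"],
            }
        # TODO(imsplitbit): Find a way to write to this file without
        # mangling the perms.
        utils.execute("sudo", "chmod", "666", if_file_path)
        try:
            with open(if_file_path, "a") as out:
                out.write(network_file)
        finally:
            # Restore the mode even if the write fails so the file is
            # never left world-writable.
            utils.execute("sudo", "chmod", "644", if_file_path)
    except Exception as err:
        LOG.error(err)
        raise exception.Error("Error adding IP")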
def is_allocated_in_project(address, project_id):
    """Returns true if address is in specified project"""
    admin_ctxt = context.get_admin_context()
    project_net = db.project_get_network(admin_ctxt, project_id)
    network = db.fixed_ip_get_network(admin_ctxt, address)
    # The instance row is present until the address is released, so a
    # missing instance means the address is not allocated at all.
    instance = db.fixed_ip_get_instance(admin_ctxt, address)
    if instance is None:
        return False
    return network['id'] == project_net['id']
def allocate_fixed_ip(self, context, instance_id, *args, **kwargs):
    """Setup dhcp for this network."""
    parent = super(FlatDHCPManager, self)
    address = parent.allocate_fixed_ip(context, instance_id, *args, **kwargs)
    network_ref = db.fixed_ip_get_network(context, address)
    # Refresh the DHCP config for the address's network, unless
    # networking is faked.
    if not FLAGS.fake_network:
        self.driver.update_dhcp(context, network_ref['id'])
    return address
def _is_allocated_in_project(self, address, project_id):
    """Returns true if address is in specified project"""
    admin_ctxt = context.get_admin_context()
    # In flat mode every project shares the single flat bridge network.
    project_net = db.network_get_by_bridge(admin_ctxt,
                                           FLAGS.flat_network_bridge)
    network = db.fixed_ip_get_network(admin_ctxt, address)
    # The instance row is present until the address is released, so a
    # missing instance means the address is not allocated at all.
    instance = db.fixed_ip_get_instance(admin_ctxt, address)
    if instance is None:
        return False
    return network['id'] == project_net['id']
def release_ip(private_ip):
    """Run del command on dhcpbridge"""
    admin_ctxt = context.get_admin_context()
    network_ref = db.fixed_ip_get_network(admin_ctxt, private_ip)
    instance_ref = db.fixed_ip_get_instance(admin_ctxt, private_ip)
    # Invoke nova-dhcpbridge the way dnsmasq would on a lease release,
    # with the environment it expects.
    cmd = [
        binpath('nova-dhcpbridge'),
        'del',
        instance_ref['mac_address'],
        private_ip,
        'fake',
    ]
    env = {
        'DNSMASQ_INTERFACE': network_ref['bridge'],
        'TESTING': '1',
        'FLAGFILE': FLAGS.dhcpbridge_flagfile,
    }
    out, err = utils.execute(*cmd, addl_env=env)
    LOG.debug("RELEASE_IP: %s, %s ", out, err)
def _set_nameserver(self, instance):
    """
    Get the nameserver for the assigned network and set it using
    OpenVz's tools.

    :raises exception.Error: if running ``vzctl`` fails; the underlying
                             error is logged first.
    """
    ctxt = context.get_admin_context()
    fixed_ip = db.instance_get_fixed_address(ctxt, instance["id"])
    network = db.fixed_ip_get_network(ctxt, fixed_ip)
    try:
        _, stderr = utils.execute("sudo", "vzctl", "set", instance["id"],
                                  "--save", "--nameserver", network["dns"])
        # Anything on stderr is logged even when the command returned.
        if stderr:
            LOG.error(stderr)
    except Exception as err:
        LOG.error(err)
        raise exception.Error("Unable to set nameserver for %s" % instance["id"])