def _update_security_group_rules(self, load_balancer, sec_grp_id): rules = self.neutron_client.list_security_group_rules( security_group_id=sec_grp_id) updated_ports = [ listener.protocol_port for listener in load_balancer.listeners if listener.provisioning_status != constants.PENDING_DELETE and listener.provisioning_status != constants.DELETED] peer_ports = [ listener.peer_port for listener in load_balancer.listeners if listener.provisioning_status != constants.PENDING_DELETE and listener.provisioning_status != constants.DELETED] updated_ports.extend(peer_ports) # Just going to use port_range_max for now because we can assume that # port_range_max and min will be the same since this driver is # responsible for creating these rules old_ports = [rule.get('port_range_max') for rule in rules.get('security_group_rules', []) # Don't remove egress rules and don't # confuse other protocols with None ports # with the egress rules. VRRP uses protocol # 51 and 112 if rule.get('direction') != 'egress' and rule.get('protocol').lower() == 'tcp'] add_ports = set(updated_ports) - set(old_ports) del_ports = set(old_ports) - set(updated_ports) for rule in rules.get('security_group_rules', []): if rule.get('port_range_max') in del_ports: self.neutron_client.delete_security_group_rule(rule.get('id')) ethertype = self._get_ethertype_for_ip(load_balancer.vip.ip_address) for port in add_ports: self._create_security_group_rule(sec_grp_id, 'TCP', port_min=port, port_max=port, ethertype=ethertype) # Currently we are using the VIP network for VRRP # so we need to open up the protocols for it if (CONF.controller_worker.loadbalancer_topology == constants.TOPOLOGY_ACTIVE_STANDBY): try: self._create_security_group_rule( sec_grp_id, constants.VRRP_PROTOCOL_NUM, direction='ingress', ethertype=ethertype) except neutron_client_exceptions.Conflict: # It's ok if this rule already exists pass except Exception as e: raise base.PlugVIPException(str(e)) try: self._create_security_group_rule( sec_grp_id, constants.AUTH_HEADER_PROTOCOL_NUMBER, direction='ingress', ethertype=ethertype) except neutron_client_exceptions.Conflict: # It's ok if this rule already exists pass except Exception as e: raise base.PlugVIPException(str(e))
def _plug_amphora_vip(self, amphora, subnet): # We need a vip port owned by Octavia for Act/Stby and failover try: port = { constants.PORT: { constants.NAME: 'octavia-lb-vrrp-' + amphora.id, constants.NETWORK_ID: subnet.network_id, constants.FIXED_IPS: [{ 'subnet_id': subnet.id }], constants.ADMIN_STATE_UP: True, constants.DEVICE_OWNER: OCTAVIA_OWNER } } new_port = self.neutron_client.create_port(port) new_port = utils.convert_port_dict_to_model(new_port) LOG.debug('Created vip port: %(port_id)s for amphora: %(amp)s', { 'port_id': new_port.id, 'amp': amphora.id }) except Exception as e: message = _('Error creating the base (VRRP) port for the VIP with ' 'port details: {}').format(port) LOG.exception(message) raise base.PlugVIPException(message) from e try: interface = self.plug_port(amphora, new_port) except Exception as e: message = _('Error plugging amphora (compute_id: {compute_id}) ' 'into vip network {network_id}.').format( compute_id=amphora.compute_id, network_id=subnet.network_id) LOG.exception(message) try: if new_port: self.neutron_client.delete_port(new_port.id) LOG.debug( 'Deleted base (VRRP) port %s due to plug_port ' 'failure.', new_port.id) except Exception: LOG.exception( 'Failed to delete base (VRRP) port %s after ' 'plug_port failed. This resource is being ' 'abandoned and should be manually deleted when ' 'neutron is functional.', new_port.id) raise base.PlugVIPException(message) from e return interface
def _plug_amphora_vip(self, amphora, subnet): # We need a vip port owned by Octavia for Act/Stby and failover try: port = { 'port': { 'name': 'octavia-lb-vrrp-' + amphora.id, 'network_id': subnet.network_id, 'fixed_ips': [{ 'subnet_id': subnet.id }], 'admin_state_up': True, 'device_owner': OCTAVIA_OWNER } } new_port = self.neutron_client.create_port(port) new_port = utils.convert_port_dict_to_model(new_port) LOG.debug('Created vip port: %(port_id)s for amphora: %(amp)s', { 'port_id': new_port.id, 'amp': amphora.id }) interface = self.plug_port(amphora, new_port) except Exception: message = _('Error plugging amphora (compute_id: {compute_id}) ' 'into vip network {network_id}.').format( compute_id=amphora.compute_id, network_id=subnet.network_id) LOG.exception(message) raise base.PlugVIPException(message) return interface
def _add_vip_security_group_to_port(self, load_balancer_id, port_id): sec_grp = self._get_lb_security_group(load_balancer_id) try: self._add_security_group_to_port(sec_grp.get('id'), port_id) except base.PortNotFound as e: raise e except base.NetworkException as e: raise base.PlugVIPException(str(e))
def _plug_amphora_vip(self, compute_id, network_id): try: interface = self.plug_network(compute_id, network_id) except Exception: message = _LE('Error plugging amphora (compute_id: {compute_id}) ' 'into vip network {network_id}.').format( compute_id=compute_id, network_id=network_id) LOG.exception(message) raise base.PlugVIPException(message) return interface
def _add_vip_address_pair(self, port_id, vip_address): try: self._add_allowed_address_pair_to_port(port_id, vip_address) except neutron_client_exceptions.PortNotFoundClient as e: raise base.PortNotFound(str(e)) except Exception: message = _('Error adding allowed address pair {ip} ' 'to port {port_id}.').format(ip=vip_address, port_id=port_id) LOG.exception(message) raise base.PlugVIPException(message)
def _add_vip_security_group_to_port(self, load_balancer_id, port_id, sec_grp_id=None): sec_grp_id = (sec_grp_id or self._get_lb_security_group(load_balancer_id).get( constants.ID)) try: self._add_security_group_to_port(sec_grp_id, port_id) except base.PortNotFound: raise except base.NetworkException as e: raise base.PlugVIPException(str(e))
def _update_security_group_rules(self, load_balancer, sec_grp_id): rules = self.neutron_client.list_security_group_rules( security_group_id=sec_grp_id) updated_ports = [] for listener in load_balancer.listeners: if (listener.provisioning_status in [constants.PENDING_DELETE, constants.DELETED]): continue protocol = constants.PROTOCOL_TCP.lower() if listener.protocol == constants.PROTOCOL_UDP: protocol = constants.PROTOCOL_UDP.lower() elif listener.protocol == lib_consts.PROTOCOL_SCTP: protocol = lib_consts.PROTOCOL_SCTP.lower() if listener.allowed_cidrs: for ac in listener.allowed_cidrs: port = (listener.protocol_port, protocol, ac.cidr) updated_ports.append(port) else: port = (listener.protocol_port, protocol, None) updated_ports.append(port) # As the peer port will hold the tcp connection for keepalived and # haproxy session synchronization, so here the security group rule # should be just related with tcp protocol only. updated_ports.append( (listener.peer_port, constants.PROTOCOL_TCP.lower(), None)) # Just going to use port_range_max for now because we can assume that # port_range_max and min will be the same since this driver is # responsible for creating these rules old_ports = [] for rule in rules.get('security_group_rules', []): # Don't remove egress rules and don't confuse other protocols with # None ports with the egress rules. VRRP uses protocol 51 and 112 if (rule.get('direction') == 'egress' or rule.get('protocol').upper() not in [ constants.PROTOCOL_TCP, constants.PROTOCOL_UDP, lib_consts.PROTOCOL_SCTP ]): continue old_ports.append( (rule.get('port_range_max'), rule.get('protocol').lower(), rule.get('remote_ip_prefix'))) add_ports = set(updated_ports) - set(old_ports) del_ports = set(old_ports) - set(updated_ports) for rule in rules.get('security_group_rules', []): if (rule.get('protocol', '') and rule.get('protocol', '').lower() in ['tcp', 'udp'] and (rule.get('port_range_max'), rule.get('protocol'), rule.get('remote_ip_prefix')) in del_ports): rule_id = rule.get(constants.ID) try: self.neutron_client.delete_security_group_rule(rule_id) except neutron_client_exceptions.NotFound: LOG.info( "Security group rule %s not found, will assume " "it is already deleted.", rule_id) ethertype = self._get_ethertype_for_ip(load_balancer.vip.ip_address) for port_protocol in add_ports: self._create_security_group_rule(sec_grp_id, port_protocol[1], port_min=port_protocol[0], port_max=port_protocol[0], ethertype=ethertype, cidr=port_protocol[2]) # Currently we are using the VIP network for VRRP # so we need to open up the protocols for it if load_balancer.topology == constants.TOPOLOGY_ACTIVE_STANDBY: try: self._create_security_group_rule(sec_grp_id, constants.VRRP_PROTOCOL_NUM, direction='ingress', ethertype=ethertype) except neutron_client_exceptions.Conflict: # It's ok if this rule already exists pass except Exception as e: raise base.PlugVIPException(str(e)) try: self._create_security_group_rule( sec_grp_id, constants.AUTH_HEADER_PROTOCOL_NUMBER, direction='ingress', ethertype=ethertype) except neutron_client_exceptions.Conflict: # It's ok if this rule already exists pass except Exception as e: raise base.PlugVIPException(str(e))
def _update_security_group_rules(self, load_balancer, sec_grp_id): rules = self.neutron_client.list_security_group_rules( security_group_id=sec_grp_id) updated_ports = [ (listener.protocol_port, constants.PROTOCOL_TCP.lower() if listener.protocol != constants.PROTOCOL_UDP else constants.PROTOCOL_UDP.lower()) for listener in load_balancer.listeners if listener.provisioning_status != constants.PENDING_DELETE and listener.provisioning_status != constants.DELETED ] # As the peer port will hold the tcp connection for keepalived and # haproxy session synchronization, so here the security group rule # should be just related with tcp protocol only. peer_ports = [ (listener.peer_port, constants.PROTOCOL_TCP.lower()) for listener in load_balancer.listeners if listener.provisioning_status != constants.PENDING_DELETE and listener.provisioning_status != constants.DELETED ] updated_ports.extend(peer_ports) # Just going to use port_range_max for now because we can assume that # port_range_max and min will be the same since this driver is # responsible for creating these rules old_ports = [ (rule.get('port_range_max'), rule.get('protocol')) for rule in rules.get('security_group_rules', []) # Don't remove egress rules and don't # confuse other protocols with None ports # with the egress rules. VRRP uses protocol # 51 and 112 if rule.get('direction') != 'egress' and rule.get('protocol', '').lower() in ['tcp', 'udp'] ] add_ports = set(updated_ports) - set(old_ports) del_ports = set(old_ports) - set(updated_ports) for rule in rules.get('security_group_rules', []): if (rule.get('protocol', '') and rule.get('protocol', '').lower() in ['tcp', 'udp'] and (rule.get('port_range_max'), rule.get('protocol')) in del_ports): rule_id = rule.get('id') try: self.neutron_client.delete_security_group_rule(rule_id) except neutron_client_exceptions.NotFound: LOG.info( "Security group rule %s not found, will assume " "it is already deleted.", rule_id) ethertype = self._get_ethertype_for_ip(load_balancer.vip.ip_address) for port_protocol in add_ports: self._create_security_group_rule(sec_grp_id, port_protocol[1], port_min=port_protocol[0], port_max=port_protocol[0], ethertype=ethertype) # Currently we are using the VIP network for VRRP # so we need to open up the protocols for it if (CONF.controller_worker.loadbalancer_topology == constants.TOPOLOGY_ACTIVE_STANDBY): try: self._create_security_group_rule(sec_grp_id, constants.VRRP_PROTOCOL_NUM, direction='ingress', ethertype=ethertype) except neutron_client_exceptions.Conflict: # It's ok if this rule already exists pass except Exception as e: raise base.PlugVIPException(str(e)) try: self._create_security_group_rule( sec_grp_id, constants.AUTH_HEADER_PROTOCOL_NUMBER, direction='ingress', ethertype=ethertype) except neutron_client_exceptions.Conflict: # It's ok if this rule already exists pass except Exception as e: raise base.PlugVIPException(str(e))