    def setup_controllers(self, conf):
        """Attach this bridge to the locally hosted OpenFlow controller.

        Enables OpenFlow 1.3, registers one TCP controller endpoint built
        from ``conf.OVS.of_listen_address`` / ``of_listen_port`` (an IPv6
        literal is bracketed by ``valid_ipv6_url``), forces the
        "out-of-band" connection mode and applies the configured
        inactivity probe.

        :param conf: Agent configuration exposing the ``OVS`` section.
        """
        LOG.info('%s(): caller(): %s', log_utils.get_fname(1),
                 log_utils.get_fname(2))
        listen_endpoint = ipv6_utils.valid_ipv6_url(
            conf.OVS.of_listen_address, conf.OVS.of_listen_port)
        self.add_protocols(ovs_consts.OPENFLOW13)
        self.set_controller(["tcp:%s" % listen_endpoint])

        # NOTE(ivc): Force "out-of-band" controller connection mode (see
        # "In-Band Control" [1]).
        #
        # Open vSwitch defaults to "in-band" mode, which installs hidden
        # OpenFlow rules (visible only via ovs-appctl bridge/dump-flows <br>)
        # and causes a network loop on br-tun. The OF controller currently
        # runs next to OVS on the same host, so "out-of-band" is the right
        # fit. Should a remote OF controller ever be supported by the
        # openvswitch agent, "In-Band Control" [1] may be worth considering
        # for the physical bridge only; br-int and br-tun must stay in
        # "out-of-band" mode.
        #
        # [1] https://github.com/openvswitch/ovs/blob/master/DESIGN.md
        self.set_controllers_connection_mode("out-of-band")
        self.set_controllers_inactivity_probe(conf.OVS.of_inactivity_probe)
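    def _proxy_request(self, instance_id, tenant_id, req):
        """Forward a metadata request to the nova metadata service.

        Rebuilds the caller's request (method, path, query string, body)
        against the configured nova metadata endpoint, adds the
        X-Instance-ID / X-Tenant-ID headers plus the signature from
        ``self._sign_instance_id``, and maps the upstream status code onto
        the response returned to the caller.

        :param instance_id: Instance the incoming request was resolved to.
        :param tenant_id: Tenant that owns that instance.
        :param req: Incoming webob request being proxied.
        :returns: ``req.response`` on 200, otherwise a ``webob.exc`` error
            response for 400/403/404/409/500.
        :raises Exception: for any other upstream status code.
        """
        headers = self._proxy_request_headers(instance_id, tenant_id, req)
        url = self._nova_metadata_url(req)
        client_cert, verify_cert = self._nova_metadata_tls_options()

        # NOTE(review): no timeout is passed, so an unresponsive metadata
        # server keeps this worker blocked; a configurable timeout would
        # bound that.
        resp = requests.request(method=req.method,
                                url=url,
                                headers=headers,
                                data=req.body,
                                cert=client_cert,
                                verify=verify_cert)
        return self._translate_nova_response(req, resp)

    def _proxy_request_headers(self, instance_id, tenant_id, req):
        """Build the headers sent upstream.

        X-Instance-ID-Signature is what the remote side checks; a 403 from
        nova usually means the shared secret on the two sides differs.
        """
        return {
            'X-Forwarded-For': req.headers.get('X-Forwarded-For'),
            'X-Instance-ID': instance_id,
            'X-Tenant-ID': tenant_id,
            'X-Instance-ID-Signature': self._sign_instance_id(instance_id)
        }

    def _nova_metadata_url(self, req):
        """Upstream URL: configured scheme/host/port, caller's path/query.

        ``valid_ipv6_url`` brackets an IPv6 literal so the host:port pair
        splits correctly.
        """
        nova_host_port = ipv6_utils.valid_ipv6_url(
            self.conf.nova_metadata_host, self.conf.nova_metadata_port)
        return urllib.parse.urlunsplit(
            (self.conf.nova_metadata_protocol, nova_host_port, req.path_info,
             req.query_string, ''))

    def _nova_metadata_tls_options(self):
        """Return ``(cert, verify)`` for ``requests`` from the nova_* config.

        ``verify`` is the auth_ca_cert bundle path when one is configured,
        ``True`` (system trust store) otherwise, and ``False`` only when
        nova_metadata_insecure explicitly disables validation. ``cert`` is
        the client certificate/key pair when both are configured.
        """
        disable_ssl_certificate_validation = self.conf.nova_metadata_insecure
        if self.conf.auth_ca_cert and not disable_ssl_certificate_validation:
            verify_cert = self.conf.auth_ca_cert
        else:
            verify_cert = not disable_ssl_certificate_validation

        client_cert = None
        if self.conf.nova_client_cert and self.conf.nova_client_priv_key:
            client_cert = (self.conf.nova_client_cert,
                           self.conf.nova_client_priv_key)
        return client_cert, verify_cert

    def _translate_nova_response(self, req, resp):
        """Map the upstream status code onto the response handed back."""
        if resp.status_code == 200:
            req.response.content_type = resp.headers['content-type']
            req.response.body = resp.content
            LOG.debug(str(resp))
            return req.response
        elif resp.status_code == 403:
            LOG.warning(
                'The remote metadata server responded with Forbidden. This '
                'response usually occurs when shared secrets do not match.')
            return webob.exc.HTTPForbidden()
        elif resp.status_code == 400:
            return webob.exc.HTTPBadRequest()
        elif resp.status_code == 404:
            return webob.exc.HTTPNotFound()
        elif resp.status_code == 409:
            return webob.exc.HTTPConflict()
        elif resp.status_code == 500:
            msg = _(
                'Remote metadata server experienced an internal server error.')
            LOG.warning(msg)
            explanation = str(msg)
            return webob.exc.HTTPInternalServerError(explanation=explanation)
        else:
            raise Exception(
                _('Unexpected response code: %s') % resp.status_code)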
 def test_valid_hostname_url(self):
     """A plain hostname is joined with the port and left unbracketed."""
     self.assertEqual(
         "controller:443", ipv6_utils.valid_ipv6_url("controller", 443))
 def test_valid_ipv4_url(self):
     """An IPv4 literal is joined with the port and left unbracketed."""
     self.assertEqual(
         "192.168.1.2:443", ipv6_utils.valid_ipv6_url("192.168.1.2", 443))
 def test_invalid_ipv6_url(self):
     """An IPv6 literal is never emitted as the ambiguous '::1:443' form."""
     url = ipv6_utils.valid_ipv6_url("::1", 443)
     self.assertNotEqual("::1:443", url)
 def test_valid_ipv6_url(self):
     """An IPv6 literal is bracketed before the port is appended."""
     url = ipv6_utils.valid_ipv6_url("::1", 443)
     self.assertEqual("[::1]:443", url)
 def test_valid_hostname_url(self):
     """A plain hostname is joined with the port and left unbracketed."""
     self.assertEqual(
         "controller:443", ipv6_utils.valid_ipv6_url("controller", 443))
 def test_valid_ipv4_url(self):
     """An IPv4 literal is joined with the port and left unbracketed."""
     self.assertEqual(
         "192.168.1.2:443", ipv6_utils.valid_ipv6_url("192.168.1.2", 443))
 def test_invalid_ipv6_url(self):
     """An IPv6 literal is never emitted as the ambiguous '::1:443' form."""
     url = ipv6_utils.valid_ipv6_url("::1", 443)
     self.assertNotEqual("::1:443", url)
 def test_valid_ipv6_url(self):
     """An IPv6 literal is bracketed before the port is appended."""
     url = ipv6_utils.valid_ipv6_url("::1", 443)
     self.assertEqual("[::1]:443", url)
    def _proxy_request(self, instance_id, tenant_id, req):
        """Relay a metadata request to the nova metadata service.

        The caller's method, path, query string and body are replayed
        against the configured nova endpoint with X-Instance-ID,
        X-Tenant-ID and the X-Instance-ID-Signature produced by
        ``self._sign_instance_id``; the upstream status code is then mapped
        onto the response handed back.

        :param instance_id: Instance the incoming request was resolved to.
        :param tenant_id: Tenant that owns that instance.
        :param req: Incoming webob request being proxied.
        :returns: ``req.response`` on 200, otherwise a ``webob.exc`` error
            response for 400/403/404/409/500.
        :raises Exception: for any other upstream status code.
        """
        signed_headers = {
            'X-Forwarded-For': req.headers.get('X-Forwarded-For'),
            'X-Instance-ID': instance_id,
            'X-Tenant-ID': tenant_id,
            'X-Instance-ID-Signature': self._sign_instance_id(instance_id)
        }

        # valid_ipv6_url brackets an IPv6 literal so host and port split
        # unambiguously in the resulting URL.
        upstream_host = ipv6_utils.valid_ipv6_url(
            self.conf.nova_metadata_host,
            self.conf.nova_metadata_port)
        upstream_url = urllib.parse.urlunsplit((
            self.conf.nova_metadata_protocol,
            upstream_host,
            req.path_info,
            req.query_string,
            ''))

        # verify is the CA bundle path when configured, True for the system
        # trust store, and False only when nova_metadata_insecure is set.
        skip_verification = self.conf.nova_metadata_insecure
        if self.conf.auth_ca_cert and not skip_verification:
            verify = self.conf.auth_ca_cert
        else:
            verify = not skip_verification

        cert = None
        if self.conf.nova_client_cert and self.conf.nova_client_priv_key:
            cert = (self.conf.nova_client_cert,
                    self.conf.nova_client_priv_key)

        resp = requests.request(method=req.method, url=upstream_url,
                                headers=signed_headers,
                                data=req.body,
                                cert=cert,
                                verify=verify)

        status = resp.status_code
        if status == 200:
            req.response.content_type = resp.headers['content-type']
            req.response.body = resp.content
            LOG.debug(str(resp))
            return req.response
        if status == 403:
            LOG.warning(
                'The remote metadata server responded with Forbidden. This '
                'response usually occurs when shared secrets do not match.'
            )
            return webob.exc.HTTPForbidden()
        if status == 500:
            msg = _(
                'Remote metadata server experienced an internal server error.'
            )
            LOG.warning(msg)
            return webob.exc.HTTPInternalServerError(
                explanation=six.text_type(msg))

        # Codes relayed as-is, without logging or an explanation body.
        passthrough_errors = {
            400: webob.exc.HTTPBadRequest,
            404: webob.exc.HTTPNotFound,
            409: webob.exc.HTTPConflict,
        }
        if status in passthrough_errors:
            return passthrough_errors[status]()

        raise Exception(_('Unexpected response code: %s') % status)