Exemple #1
    def _get_security_groups(self, node_group):
        """Return the security groups to reference for *node_group*.

        Without an auto security group the configured value is returned
        unchanged (it may be ``None``).  Otherwise a copy of the configured
        groups is returned with a template ``Ref`` to the generated auto
        security group appended last.
        """
        if node_group.auto_security_group:
            groups = list(node_group.security_groups or [])
            auto_group_name = g.generate_auto_security_group_name(
                node_group.cluster.name, node_group.name)
            groups.append({"Ref": auto_group_name})
            return groups

        # Returned as-is, not copied: the caller gets the node group's own
        # object.
        return node_group.security_groups
Exemple #2
    def _serialize_auto_security_group(self, ng):
        """Build the Heat resource for the auto security group of *ng*.

        Returns an empty dict when the node group does not use an auto
        security group; otherwise a one-entry mapping from the generated
        group name to an ``OS::Neutron::SecurityGroup`` resource.
        """
        if not ng.auto_security_group:
            return {}

        def create_rule(ip_version, cidr, proto, from_port, to_port):
            # One Neutron rule entry; both port bounds are emitted as text.
            return {
                "ethertype": "IPv{}".format(ip_version),
                "remote_ip_prefix": cidr,
                "protocol": proto,
                "port_range_min": six.text_type(from_port),
                "port_range_max": six.text_type(to_port)}

        group_name = g.generate_auto_security_group_name(ng)
        description = self._asg_for_node_group_description(ng)
        # Which sources and ports are opened is decided by the rules helper,
        # not here; this method only supplies the per-rule format.
        rules = self._serialize_auto_security_group_rules(ng, create_rule)

        resource = {
            "type": "OS::Neutron::SecurityGroup",
            "properties": {"description": description, "rules": rules},
        }
        return {group_name: resource}
Exemple #3
    def _serialize_ng_group(self, ng, outputs):
        """Serialize node group *ng* as an ``OS::Heat::ResourceGroup``.

        Side effects: the node group's nested template is stored in
        ``self.files`` and a ``<name>-instances`` entry is added to
        *outputs*.
        """
        template_ref = "file://" + ng.name + ".yaml"
        self.files[template_ref] = self._serialize_ng_file(ng)

        outputs[ng.name + "-instances"] = {
            "value": {"get_attr": [ng.name, "instance"]}}

        member_props = {"instance_index": "%index%"}
        if ng.cluster.anti_affinity:
            member_props[SERVER_GROUP_PARAM_NAME] = {
                'get_resource': _get_aa_group_name(ng.cluster)}
        if ng.auto_security_group:
            # Point each instance at the generated auto security group
            # resource by name.
            member_props[AUTO_SECURITY_GROUP_PARAM_NAME] = {
                'get_resource': g.generate_auto_security_group_name(ng)}

        resource_def = {"type": template_ref, "properties": member_props}
        group = {
            "type": "OS::Heat::ResourceGroup",
            "properties": {
                "count": self.node_groups_extra[ng.id]['node_count'],
                "resource_def": resource_def,
            },
        }
        return {ng.name: group}
Exemple #4
    def _serialize_ng_group(self, ng, outputs):
        """Return the ``OS::Heat::ResourceGroup`` entry for node group *ng*.

        The nested per-instance template is registered in ``self.files``
        under ``file://<name>.yaml`` and *outputs* gains a
        ``<name>-instances`` attribute lookup; both are mutated in place.
        """
        group_name = ng.name
        ng_file_name = "file://" + group_name + ".yaml"
        self.files[ng_file_name] = self._serialize_ng_file(ng)
        outputs[group_name + "-instances"] = {
            "value": {"get_attr": [group_name, "instance"]}
        }

        # Optional per-instance parameters, present only when enabled.
        optional = {}
        if ng.cluster.anti_affinity:
            optional[SERVER_GROUP_PARAM_NAME] = {
                'get_resource': _get_aa_group_name(ng.cluster)
            }
        if ng.auto_security_group:
            optional[AUTO_SECURITY_GROUP_PARAM_NAME] = {
                'get_resource': g.generate_auto_security_group_name(ng)
            }

        properties = {"instance_index": "%index%"}
        properties.update(optional)

        return {
            group_name: {
                "type": "OS::Heat::ResourceGroup",
                "properties": {
                    "count": self.node_groups_extra[ng.id]['node_count'],
                    "resource_def": {
                        "type": ng_file_name,
                        "properties": properties
                    }
                }
            }
        }
Exemple #5
    def _delete_auto_security_group(self, node_group):
        """Delete the auto security group of *node_group*, best effort.

        Nothing happens unless the node group uses an auto security group
        and has at least one security group recorded.  The last recorded
        entry is looked up and deleted only if its name equals the generated
        auto group name, so a group that was not generated for this node
        group is never removed.  Any failure is logged as a warning and
        swallowed, which leaves the group in place.
        """
        has_candidate = (node_group.auto_security_group and
                         node_group.security_groups)
        if not has_candidate:
            # auto groups disabled, or no groups recorded: nothing to delete
            return

        # The last recorded entry is taken to be the auto group.
        name = node_group.security_groups[-1]

        try:
            groups_api = nova.client().security_groups
            found = groups_api.get(name)
            if found.name == g.generate_auto_security_group_name(node_group):
                groups_api.delete(name)
            else:
                LOG.warning(
                    _LW("Auto security group for node group {name} is "
                        "not found").format(name=node_group.name))
        except Exception:
            # NOTE(review): the exception itself is not logged here, only
            # the identifier that could not be deleted.
            LOG.warning(
                _LW("Failed to delete security group {name}").format(
                    name=name))
Exemple #6
    def _create_auto_security_group(self, node_group):
        """Create the auto security group for *node_group* and record its id.

        Ingress rules created here, in order:

        * TCP ``SSH_PORT`` from ``0.0.0.0/0``;
        * when ``CONF.use_neutron`` is set, TCP and UDP ports 1-65535 plus
          ICMP from every private network CIDR of the cluster;
        * every TCP port in ``node_group.open_ports`` from ``0.0.0.0/0``.

        Returns the node group's security group list with the new group's
        id appended; the same list is stored through the conductor.
        """
        group_name = g.generate_auto_security_group_name(node_group)
        nova_client = nova.client()
        description = (
            "Auto security group created by Sahara for Node Group '%s' "
            "of cluster '%s'." % (node_group.name, node_group.cluster.name))
        security_group = nova_client.security_groups.create(
            group_name, description)
        add_rule = nova_client.security_group_rules.create
        group_id = security_group.id

        # ssh remote needs ssh port, agents are not implemented yet
        # NOTE(review): this rule itself puts no limit on the SSH source
        # address; any narrowing has to come from outside this method.
        add_rule(group_id, 'tcp', SSH_PORT, SSH_PORT, "0.0.0.0/0")

        # open all traffic for private networks
        if CONF.use_neutron:
            private_rules = (('tcp', 1, 65535), ('udp', 1, 65535),
                             ('icmp', -1, -1))
            for cidr in neutron.get_private_network_cidrs(node_group.cluster):
                for protocol, from_port, to_port in private_rules:
                    add_rule(group_id, protocol, from_port, to_port, cidr)

        # enable ports returned by plugin (same any-source range as SSH)
        for port in node_group.open_ports:
            add_rule(group_id, 'tcp', port, port, "0.0.0.0/0")

        security_groups = list(node_group.security_groups or [])
        security_groups.append(group_id)
        conductor.node_group_update(context.ctx(), node_group,
                                    {"security_groups": security_groups})
        return security_groups
Exemple #7
    def _serialize_auto_security_group(self, ng):
        """Build the template resource for the auto security group of *ng*.

        With ``CONF.use_neutron`` the resource is an
        ``OS::Neutron::SecurityGroup``; otherwise an
        ``AWS::EC2::SecurityGroup``.  The two differ in property names and
        in the shape of each rule, which is why a rule builder is handed to
        the rules helper.
        """
        security_group_name = g.generate_auto_security_group_name(ng)
        security_group_description = self._asg_for_node_group_description(ng)

        def neutron_rule(ip_version, cidr, proto, from_port, to_port):
            return {
                "ethertype": "IPv{}".format(ip_version),
                "remote_ip_prefix": cidr,
                "protocol": proto,
                "port_range_min": six.text_type(from_port),
                "port_range_max": six.text_type(to_port)}

        def ec2_rule(_, cidr, proto, from_port, to_port):
            # The EC2-style rule has no field for the IP version, so the
            # first argument is ignored.
            return {
                "CidrIp": cidr,
                "IpProtocol": proto,
                "FromPort": six.text_type(from_port),
                "ToPort": six.text_type(to_port)}

        if CONF.use_neutron:
            res_type, desc_key, rules_key, create_rule = (
                "OS::Neutron::SecurityGroup", "description", "rules",
                neutron_rule)
        else:
            res_type, desc_key, rules_key, create_rule = (
                "AWS::EC2::SecurityGroup", "GroupDescription",
                "SecurityGroupIngress", ec2_rule)

        rules = self._serialize_auto_security_group_rules(ng, create_rule)

        group_properties = {
            desc_key: security_group_description,
            rules_key: rules,
        }
        return {
            security_group_name: {
                "type": res_type,
                "properties": group_properties,
            }
        }
Exemple #8
    def _serialize_auto_security_group(self, ng):
        """Return ``{group name: resource}`` for the auto security group.

        The resource type, its property names and the per-rule format all
        follow ``CONF.use_neutron``: Neutron naming when set, EC2-style
        naming otherwise.
        """
        group_name = g.generate_auto_security_group_name(ng)
        description = self._asg_for_node_group_description(ng)

        if CONF.use_neutron:
            res_type = "OS::Neutron::SecurityGroup"
            desc_key, rules_key = "description", "rules"

            def create_rule(ip_version, cidr, proto, from_port, to_port):
                return {
                    "ethertype": "IPv{}".format(ip_version),
                    "remote_ip_prefix": cidr,
                    "protocol": proto,
                    "port_range_min": six.text_type(from_port),
                    "port_range_max": six.text_type(to_port)}
        else:
            res_type = "AWS::EC2::SecurityGroup"
            desc_key, rules_key = "GroupDescription", "SecurityGroupIngress"

            def create_rule(_, cidr, proto, from_port, to_port):
                # IP version is accepted for a uniform signature but unused.
                return {
                    "CidrIp": cidr,
                    "IpProtocol": proto,
                    "FromPort": six.text_type(from_port),
                    "ToPort": six.text_type(to_port)}

        # The opened sources and ports come from the rules helper; only the
        # formatting of each rule is chosen above.
        rules = self._serialize_auto_security_group_rules(ng, create_rule)

        resource = {
            "type": res_type,
            "properties": {desc_key: description, rules_key: rules},
        }
        return {group_name: resource}
Exemple #9
    def _serialize_auto_security_group(self, ng):
        """Serialize the auto security group of *ng* as a Neutron resource.

        Node groups without an auto security group contribute nothing and
        get ``{}``.  Otherwise the result maps the generated group name to
        an ``OS::Neutron::SecurityGroup`` with a description and rules.
        """
        if ng.auto_security_group:
            def create_rule(ip_version, cidr, proto, from_port, to_port):
                # Port bounds are converted to text for the template.
                return {
                    "ethertype": "IPv{}".format(ip_version),
                    "remote_ip_prefix": cidr,
                    "protocol": proto,
                    "port_range_min": six.text_type(from_port),
                    "port_range_max": six.text_type(to_port)}

            security_group_name = g.generate_auto_security_group_name(ng)
            group_properties = {
                "description": self._asg_for_node_group_description(ng),
                "rules": self._serialize_auto_security_group_rules(
                    ng, create_rule),
            }
            return {
                security_group_name: {
                    "type": "OS::Neutron::SecurityGroup",
                    "properties": group_properties,
                }
            }

        return {}
    def _create_auto_security_group(self, node_group):
        """Create, populate and register the node group's auto security group.

        The group allows TCP ``SSH_PORT`` and each port from
        ``node_group.open_ports`` from ``0.0.0.0/0``.  With
        ``CONF.use_neutron`` it also allows all TCP and UDP ports and ICMP
        from the cluster's private network CIDRs.  The new group's id is
        appended to the node group's security groups, stored through the
        conductor, and the resulting list is returned.
        """
        name = g.generate_auto_security_group_name(node_group)
        nova_client = nova.client()
        security_group = nova_client.security_groups.create(
            name,
            "Auto security group created by Sahara for Node Group '%s' "
            "of cluster '%s'." % (node_group.name, node_group.cluster.name))

        def allow(protocol, from_port, to_port, cidr):
            # Single place where ingress rules are added to the new group.
            nova_client.security_group_rules.create(
                security_group.id, protocol, from_port, to_port, cidr)

        # ssh remote needs ssh port, agents are not implemented yet
        # NOTE(review): "0.0.0.0/0" matches every IPv4 source address.
        allow('tcp', SSH_PORT, SSH_PORT, "0.0.0.0/0")

        # open all traffic for private networks
        if CONF.use_neutron:
            for cidr in neutron.get_private_network_cidrs(node_group.cluster):
                allow('tcp', 1, 65535, cidr)
                allow('udp', 1, 65535, cidr)
                allow('icmp', -1, -1, cidr)

        # enable ports returned by plugin
        for port in node_group.open_ports:
            allow('tcp', port, port, "0.0.0.0/0")

        updated_groups = list(node_group.security_groups or [])
        updated_groups.append(security_group.id)
        conductor.node_group_update(context.ctx(), node_group,
                                    {"security_groups": updated_groups})
        return updated_groups
Exemple #11
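    def _serialize_ng_group(self, ng, outputs):
        """Serialize node group *ng* as an ``OS::Heat::ResourceGroup``.

        Side effects: the nested template is stored in ``self.files`` under
        ``file://<name>.yaml`` and a ``<name>-instances`` entry is added to
        *outputs*.  With anti-affinity enabled, a list of server group
        references is passed to each instance; with an auto security group,
        a reference to the generated group is passed as well.
        """
        ng_file_name = "file://" + ng.name + ".yaml"
        self.files[ng_file_name] = self._serialize_ng_file(ng)

        outputs[ng.name + "-instances"] = {
            "value": {"get_attr": [ng.name, "instance"]}}
        properties = {"instance_index": "%index%"}

        if ng.cluster.anti_affinity:
            ng_count = ng.count
            # assuming instance_index also start from index 0
            # NOTE(review): this range yields ng_count - 1 entries, one
            # fewer than the node count - confirm that is intended.
            for i in range(0, ng_count - 1):
                server_group_name = self._get_server_group_name()
                server_group_resource = {
                    "get_resource": server_group_name
                }
                # `properties` starts without this key, so the list has to
                # be created on first use; indexing it directly raised
                # KeyError on the first iteration.
                properties.setdefault(SERVER_GROUP_NAMES, []).insert(
                    i, server_group_resource)

        if ng.auto_security_group:
            properties[AUTO_SECURITY_GROUP_PARAM_NAME] = {
                'get_resource': g.generate_auto_security_group_name(ng)}

        return {
            ng.name: {
                "type": "OS::Heat::ResourceGroup",
                "properties": {
                    "count": self.node_groups_extra[ng.id]['node_count'],
                    "resource_def": {
                        "type": ng_file_name,
                        "properties": properties
                    }
                }
            }
        }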
Exemple #12
def check_auto_security_group(cluster_name, nodegroup):
    """Reject a node group whose auto security group name is already taken.

    Does nothing unless *nodegroup* asks for an auto security group.
    Otherwise the generated name is compared with the names of the security
    groups currently listed by Nova, and ``NameAlreadyExistsException`` is
    raised on a match.

    NOTE(review): this reflects only the groups visible when the check
    runs; a same-named group created afterwards is not detected here.
    """
    if not nodegroup.get('auto_security_group'):
        return

    name = g.generate_auto_security_group_name(
        cluster_name, nodegroup['name'])
    existing_names = [security_group.name for security_group in
                      nova.client().security_groups.list()]
    if name in existing_names:
        raise ex.NameAlreadyExistsException(
            _("Security group with name '%s' already exists") % name)
Exemple #13
    def _get_security_groups(self, node_group):
        """Return the security groups to reference for *node_group*.

        When the node group has an auto security group, the result is a new
        list: the configured groups followed by a ``Ref`` to the generated
        group.  Otherwise the configured value is handed back untouched and
        may be ``None``.
        """
        uses_auto_group = node_group.auto_security_group
        if not uses_auto_group:
            return node_group.security_groups

        configured = list(node_group.security_groups or [])
        auto_group_ref = {
            "Ref": g.generate_auto_security_group_name(node_group)
        }
        return configured + [auto_group_ref]
Exemple #14
 def _get_security_groups(self, node_group):
     """Return a new list of security groups for *node_group*.

     The list is always a copy of the configured groups (empty when none
     are set).  With an auto security group, a ``get_resource`` reference
     to the generated group is appended last.
     """
     groups = list(node_group.security_groups or [])
     if not node_group.auto_security_group:
         return groups

     auto_group_ref = {
         "get_resource": g.generate_auto_security_group_name(node_group)}
     groups.append(auto_group_ref)
     return groups
Exemple #15
 def _get_security_groups(self, node_group):
     """Return the configured security groups plus the auto group, if any.

     A fresh list is built on every call, so the node group's own list is
     never modified.  The auto security group is referenced through
     ``get_resource`` and always comes after the configured groups.
     """
     configured = node_group.security_groups or []
     auto_refs = []
     if node_group.auto_security_group:
         auto_refs.append({
             "get_resource": g.generate_auto_security_group_name(
                 node_group)})
     return list(configured) + auto_refs
Exemple #16
    def _serialize_auto_security_group(self, ng):
        """Yield the rendered security group template for node group *ng*.

        This is a generator: nothing is evaluated until it is iterated, and
        it produces exactly one item, the result of loading
        ``security_group.heat`` with the group's name, description and rules.
        """
        group_name = g.generate_auto_security_group_name(ng)
        description = (
            "Auto security group created by Sahara for Node Group "
            "'%s' of cluster '%s'." % (ng.name, ng.cluster.name))
        rules = self._serialize_auto_security_group_rules(ng)

        # NOTE(review): the node group and cluster names reach the template
        # through these fields; how _load_template quotes or escapes them
        # is not visible here - confirm.
        yield _load_template('security_group.heat', {
            'security_group_name': group_name,
            'security_group_description': description,
            'rules': rules})
Exemple #17
    def _serialize_auto_security_group(self, ng):
        """Generate the auto security group template for *ng*.

        Yields a single value: ``security_group.heat`` loaded with the
        generated group name, a description naming the node group and its
        cluster, and the serialized rules.  Being a generator, the body
        runs only once the caller starts iterating.
        """
        fields = dict(
            security_group_name=g.generate_auto_security_group_name(ng),
            security_group_description=(
                "Auto security group created by Sahara for Node Group "
                "'%s' of cluster '%s'." % (ng.name, ng.cluster.name)),
            rules=self._serialize_auto_security_group_rules(ng),
        )
        rendered = _load_template('security_group.heat', fields)
        yield rendered
Exemple #18
def check_auto_security_group(cluster_name, nodegroup):
    """Fail validation if the auto security group name is already in use.

    Only node groups with ``auto_security_group`` set are checked.  The
    name generated from *cluster_name* and the node group's name is looked
    up among the security groups Nova lists; a match raises
    ``NameAlreadyExistsException``.
    """
    wants_auto_group = nodegroup.get('auto_security_group')
    if wants_auto_group:
        name = g.generate_auto_security_group_name(cluster_name,
                                                   nodegroup['name'])
        taken_names = []
        for security_group in nova.client().security_groups.list():
            taken_names.append(security_group.name)

        # Refuse to continue with a name some existing group already holds.
        if name in taken_names:
            raise ex.NameAlreadyExistsException(
                _("Security group with name '%s' already exists") % name)
Exemple #19
    def test_delete_auto_security_group_other_groups(self, nova_client):
        """Only the auto group is deleted when other groups are attached.

        The node group carries two unrelated groups followed by the auto
        group; the engine must issue exactly one delete, for the auto group.
        """
        # presumably nova_client is injected by a patch decorator outside
        # this view - verify against the test class
        ng = mock.Mock(id="16fd2706-8baf-433b-82eb-8c7fada847da",
                       auto_security_group=True)
        # `name` is assigned after construction: Mock(name=...) would name
        # the mock itself instead of setting the attribute.
        ng.name = "ngname"
        ng.cluster.name = "cluster"
        auto_name = g.generate_auto_security_group_name(ng)
        # The auto group is placed last in the list.
        ng.security_groups = ['1', '2', auto_name]

        client = mock.Mock()
        nova_client.return_value = client

        # Every lookup returns a SecurityGroup built from the requested
        # identifier (helper defined outside this view).
        client.security_groups.get.side_effect = lambda x: SecurityGroup(x)

        self.engine._delete_auto_security_group(ng)

        # Groups '1' and '2' must not be deleted.
        client.security_groups.delete.assert_called_once_with(auto_name)
    def _serialize_auto_security_group(self, ng):
        """Return the ``AWS::EC2::SecurityGroup`` resource for *ng*.

        The result maps the generated auto security group name to a
        resource with a description naming the node group and its cluster
        and the ingress rules produced by the rules helper.
        """
        group_name = g.generate_auto_security_group_name(ng)
        description = (
            "Auto security group created by Sahara for Node Group "
            "'%s' of cluster '%s'." % (ng.name, ng.cluster.name))
        # The ingress rules, including their source ranges, come from the
        # helper and are passed through unchanged.
        ingress = self._serialize_auto_security_group_rules(ng)

        resource = {
            "type": "AWS::EC2::SecurityGroup",
            "properties": {
                "GroupDescription": description,
                "SecurityGroupIngress": ingress,
            },
        }
        return {group_name: resource}
Exemple #21
    def _serialize_auto_security_group(self, ng):
        """Build the auto security group resource with capitalized keys.

        Returns ``{generated name: resource}`` where the resource uses the
        ``Type`` / ``Properties`` key spelling and holds the group
        description and its ingress rules.
        """
        name = g.generate_auto_security_group_name(ng)
        group_properties = {
            "GroupDescription": (
                "Auto security group created by Sahara for Node Group "
                "'%s' of cluster '%s'." % (ng.name, ng.cluster.name)),
            "SecurityGroupIngress":
                self._serialize_auto_security_group_rules(ng),
        }
        return {
            name: {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": group_properties,
            }
        }
Exemple #22
    def test_delete_auto_security_group_other_groups(self, nova_client):
        """The engine deletes the auto group and nothing else.

        Setup: a node group with groups '1' and '2' plus the generated auto
        group as the last entry.  Expectation: one delete call, with the
        auto group's name.
        """
        # presumably nova_client comes from a patch decorator that is not
        # visible here - verify
        ng = mock.Mock(id="16fd2706-8baf-433b-82eb-8c7fada847da",
                       auto_security_group=True)
        # Set as attributes afterwards; passing name= to Mock() configures
        # the mock's own name rather than an attribute.
        ng.name = "ngname"
        ng.cluster.name = "cluster"
        auto_name = g.generate_auto_security_group_name(ng)
        ng.security_groups = ['1', '2', auto_name]

        client = mock.Mock()
        nova_client.return_value = client

        # Lookups echo the requested identifier into a SecurityGroup
        # (defined elsewhere in the test module).
        client.security_groups.get.side_effect = lambda x: SecurityGroup(x)

        self.engine._delete_auto_security_group(ng)

        # assert_called_once_with also fails if '1' or '2' were deleted.
        client.security_groups.delete.assert_called_once_with(auto_name)
Exemple #23
    def _serialize_ng_group(self, ng, outputs, instances_to_delete=None):
        """Serialize node group *ng* as an ``OS::Heat::ResourceGroup``.

        Side effects: the nested template is stored in ``self.files`` and a
        ``<name>-instances`` entry is added to *outputs*.  The
        *instances_to_delete* argument is not read; the instances to remove
        are taken from ``self.node_groups_extra``.
        """
        extra = self.node_groups_extra
        ng_file_name = "file://" + ng.name + ".yaml"
        self.files[ng_file_name] = self._serialize_ng_file(ng)

        outputs[ng.name + "-instances"] = {
            "value": {"get_attr": [ng.name, "instance"]}
        }
        properties = {"instance_index": "%index%"}

        if ng.cluster.anti_affinity:
            # assuming instance_index also start from index 0
            # One server group reference per node, in index order.
            for _index in range(extra[ng.id]['node_count']):
                reference = {"get_resource": self._get_server_group_name()}
                properties.setdefault(SERVER_GROUP_NAMES, []).append(
                    reference)

        if ng.auto_security_group:
            properties[AUTO_SECURITY_GROUP_PARAM_NAME] = {
                'get_resource': g.generate_auto_security_group_name(ng)
            }

        # Instances scheduled for deletion are named by their index.
        removal_policies = []
        doomed = extra[ng.id]['instances_to_delete']
        if doomed:
            removal_policies.append({
                'resource_list': [
                    _get_index_from_inst_name(name) for name in doomed]})

        return {
            ng.name: {
                "type": "OS::Heat::ResourceGroup",
                "properties": {
                    "count": extra[ng.id]['node_count'],
                    "removal_policies": removal_policies,
                    "resource_def": {
                        "type": ng_file_name,
                        "properties": properties
                    }
                }
            }
        }
Exemple #24
    def _serialize_ng_group(self, ng, outputs, instances_to_delete=None):
        """Return the ``OS::Heat::ResourceGroup`` entry for node group *ng*.

        Registers the nested template in ``self.files`` and the
        ``<name>-instances`` output in *outputs*.  Node count and the
        instances to remove are read from ``self.node_groups_extra``; the
        *instances_to_delete* argument itself is unused.
        """
        ng_extra = self.node_groups_extra[ng.id]
        template_ref = "file://" + ng.name + ".yaml"
        self.files[template_ref] = self._serialize_ng_file(ng)
        outputs[ng.name + "-instances"] = {
            "value": {"get_attr": [ng.name, "instance"]}}

        member_props = {"instance_index": "%index%"}

        if ng.cluster.anti_affinity:
            # assuming instance_index also start from index 0
            position = 0
            while position < ng_extra['node_count']:
                if SERVER_GROUP_NAMES not in member_props:
                    member_props[SERVER_GROUP_NAMES] = []
                member_props[SERVER_GROUP_NAMES].insert(
                    position, {"get_resource": self._get_server_group_name()})
                position += 1

        if ng.auto_security_group:
            member_props[AUTO_SECURITY_GROUP_PARAM_NAME] = {
                'get_resource': g.generate_auto_security_group_name(ng)}

        removal_policies = []
        if ng_extra['instances_to_delete']:
            indexes = [_get_index_from_inst_name(name)
                       for name in ng_extra['instances_to_delete']]
            removal_policies.append({'resource_list': indexes})

        group_properties = {
            "count": ng_extra['node_count'],
            "removal_policies": removal_policies,
            "resource_def": {
                "type": template_ref,
                "properties": member_props,
            },
        }
        return {
            ng.name: {
                "type": "OS::Heat::ResourceGroup",
                "properties": group_properties,
            }
        }
Exemple #25
    def _create_auto_security_group(self, node_group):
        """Create the auto security group for *node_group* and record its id.

        The group gets one TCP rule for ``SSH_PORT`` and one per port in
        ``node_group.open_ports``, each with source ``0.0.0.0/0``.  The new
        group's id is appended to the node group's security groups, stored
        through the conductor, and the resulting list is returned.
        """
        group_name = g.generate_auto_security_group_name(node_group)
        nova_client = nova.client()
        description = (
            "Auto security group created by Sahara for Node Group '%s' "
            "of cluster '%s'." % (node_group.name, node_group.cluster.name))
        security_group = nova_client.security_groups.create(
            group_name, description)
        add_rule = nova_client.security_group_rules.create

        # ssh remote needs ssh port, agents are not implemented yet
        # NOTE(review): every rule below accepts any IPv4 source address.
        add_rule(security_group.id, 'tcp', SSH_PORT, SSH_PORT, "0.0.0.0/0")

        # enable ports returned by plugin
        for port in node_group.open_ports:
            add_rule(security_group.id, 'tcp', port, port, "0.0.0.0/0")

        security_groups = list(node_group.security_groups or [])
        security_groups.append(security_group.id)
        conductor.node_group_update(context.ctx(), node_group,
                                    {"security_groups": security_groups})
        return security_groups
Exemple #26
    def _delete_auto_security_group(self, node_group):
        """Delete the node group's auto security group if it can be found.

        The last recorded security group is fetched and deleted only when
        its name equals the generated auto group name; a mismatch is logged
        as a warning and nothing is deleted.  Errors are logged with their
        traceback and not re-raised.
        """
        if not node_group.auto_security_group:
            return

        recorded_groups = node_group.security_groups
        if not recorded_groups:
            # node group has no security groups
            # nothing to delete
            return

        name = recorded_groups[-1]

        try:
            client = nova.client().security_groups
            security_group = client.get(name)
            # Guard: never delete a group that does not carry the generated
            # auto group name.
            is_auto_group = (security_group.name ==
                             g.generate_auto_security_group_name(node_group))
            if not is_auto_group:
                LOG.warn(_LW("Auto security group for node group %s is not "
                             "found"), node_group.name)
                return
            client.delete(name)
        except Exception:
            LOG.exception(_LE("Failed to delete security group %s"), name)
Exemple #27
    def _create_auto_security_group(self, node_group):
        """Create and register the auto security group of *node_group*.

        Ingress is opened for TCP ``SSH_PORT`` and for each port listed in
        ``node_group.open_ports``, in both cases from ``0.0.0.0/0``.
        Returns the updated security group list, which is also written to
        the node group through the conductor.
        """
        name = g.generate_auto_security_group_name(node_group)
        nova_client = nova.client()
        security_group = nova_client.security_groups.create(
            name,
            "Auto security group created by Sahara for Node Group '%s' "
            "of cluster '%s'." % (node_group.name, node_group.cluster.name))

        def open_tcp_port(port):
            # The source range is any IPv4 address for every port opened
            # by this method.
            nova_client.security_group_rules.create(
                security_group.id, 'tcp', port, port, "0.0.0.0/0")

        # ssh remote needs ssh port, agents are not implemented yet
        open_tcp_port(SSH_PORT)

        # enable ports returned by plugin
        for plugin_port in node_group.open_ports:
            open_tcp_port(plugin_port)

        updated_groups = list(node_group.security_groups or [])
        updated_groups.append(security_group.id)
        conductor.node_group_update(context.ctx(), node_group,
                                    {"security_groups": updated_groups})
        return updated_groups
Exemple #28
    def _delete_auto_security_group(self, node_group):
        """Delete the auto security group of *node_group*, with retries.

        Both the lookup and the delete go through
        ``b.execute_with_retries``.  The last recorded security group is
        deleted only if its name equals the generated auto group name.
        Failures are logged as warnings and swallowed, so the group may be
        left behind.
        """
        nothing_to_delete = (not node_group.auto_security_group or
                             not node_group.security_groups)
        if nothing_to_delete:
            # auto groups disabled, or the node group has no security groups
            return

        name = node_group.security_groups[-1]

        try:
            client = nova.client().security_groups
            fetched = b.execute_with_retries(client.get, name)
            if fetched.name == g.generate_auto_security_group_name(
                    node_group):
                b.execute_with_retries(client.delete, name)
            else:
                # The last entry is not the generated group: leave it alone.
                LOG.warning(_LW("Auto security group for node group {name} is "
                                "not found").format(name=node_group.name))
        except Exception:
            # NOTE(review): no exception detail is logged with this warning.
            LOG.warning(_LW("Failed to delete security group {name}").format(
                name=name))