def _create_default_security_group(self, proj_dict): proj_obj = vnc_api.Project.from_dict(**proj_dict) sgr_uuid = str(uuid.uuid4()) ingress_rule = PolicyRuleType( rule_uuid=sgr_uuid, direction='>', protocol='any', src_addresses=[ AddressType(security_group=proj_obj.get_fq_name_str() + ':' + 'default') ], src_ports=[PortType(0, 65535)], dst_addresses=[AddressType(security_group='local')], dst_ports=[PortType(0, 65535)]) sg_rules = PolicyEntriesType([ingress_rule]) sgr_uuid = str(uuid.uuid4()) egress_rule = PolicyRuleType( rule_uuid=sgr_uuid, direction='>', protocol='any', src_addresses=[AddressType(security_group='local')], src_ports=[PortType(0, 65535)], dst_addresses=[AddressType(subnet=SubnetType('0.0.0.0', 0))], dst_ports=[PortType(0, 65535)]) sg_rules.add_policy_rule(egress_rule) # create security group sg_obj = vnc_api.SecurityGroup(name='default', parent_obj=proj_obj, security_group_entries=sg_rules) self._vnc_lib.security_group_create(sg_obj)
def _create_vmi_obj(self, port_q, vn_obj): project_id = self._project_id_neutron_to_vnc(port_q['tenant_id']) try: proj_obj = self._project_read(proj_id=project_id) except vnc_exc.NoIdError: self._raise_contrail_exception( 'ProjectNotFound', projec_id=project_id, resource='port') id_perms = vnc_api.IdPermsType(enable=True) vmi_uuid = str(uuid.uuid4()) if port_q.get('name'): vmi_name = port_q['name'] else: vmi_name = vmi_uuid vmi_obj = vnc_api.VirtualMachineInterface(vmi_name, proj_obj, id_perms=id_perms) vmi_obj.uuid = vmi_uuid vmi_obj.set_virtual_network(vn_obj) vmi_obj.set_security_group_list([]) if ('security_groups' not in port_q or port_q['security_groups'].__class__ is object): sg_obj = vnc_api.SecurityGroup("default", proj_obj) uid = sg_handler.SecurityGroupHandler( self._vnc_lib)._ensure_default_security_group_exists( proj_obj.uuid) sg_obj.uuid = uid vmi_obj.add_security_group(sg_obj) return vmi_obj
def construct_security_group(project): security_group = vnc_api.SecurityGroup(name=VNC_VCENTER_DEFAULT_SG, parent_obj=project) security_group_entry = vnc_api.PolicyEntriesType() ingress_rule = vnc_api.PolicyRuleType( rule_uuid=str(uuid4()), direction='>', protocol='any', src_addresses=[vnc_api.AddressType( security_group=':'.join(VNC_VCENTER_DEFAULT_SG_FQN))], src_ports=[vnc_api.PortType(0, 65535)], dst_addresses=[vnc_api.AddressType(security_group='local')], dst_ports=[vnc_api.PortType(0, 65535)], ethertype='IPv4', ) egress_rule = vnc_api.PolicyRuleType( rule_uuid=str(uuid4()), direction='>', protocol='any', src_addresses=[vnc_api.AddressType(security_group='local')], src_ports=[vnc_api.PortType(0, 65535)], dst_addresses=[vnc_api.AddressType(subnet=vnc_api.SubnetType('0.0.0.0', 0))], dst_ports=[vnc_api.PortType(0, 65535)], ethertype='IPv4', ) security_group_entry.add_policy_rule(ingress_rule) security_group_entry.add_policy_rule(egress_rule) security_group.set_security_group_entries(security_group_entry) return security_group
def _create_default_security_group(vnc_lib, proj_obj): def _get_rule(ingress, sg, prefix, ethertype): sgr_uuid = str(uuid.uuid4()) if sg: addr = AddressType( security_group=proj_obj.get_fq_name_str() + ':' + sg) elif prefix: addr = AddressType(subnet=SubnetType(prefix, 0)) local_addr = AddressType(security_group='local') if ingress: src_addr = addr dst_addr = local_addr else: src_addr = local_addr dst_addr = addr rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>', protocol='any', src_addresses=[src_addr], src_ports=[PortType(0, 65535)], dst_addresses=[dst_addr], dst_ports=[PortType(0, 65535)], ethertype=ethertype) return rule rules = [_get_rule(True, 'default', None, 'IPv4'), _get_rule(True, 'default', None, 'IPv6'), _get_rule(False, None, '0.0.0.0', 'IPv4'), _get_rule(False, None, '::', 'IPv6')] sg_rules = PolicyEntriesType(rules) # create security group sg_obj = vnc_api.SecurityGroup(name='default', parent_obj=proj_obj, security_group_entries=sg_rules) vnc_lib.security_group_create(sg_obj)
def _create_security_group(self, sg_q): project_id = self._project_id_neutron_to_vnc(sg_q['tenant_id']) try: project_obj = self._project_read(proj_id=project_id) except vnc_exc.NoIdError: raise self._raise_contrail_exception('ProjectNotFound', project_id=project_id, resource='security_group') id_perms = vnc_api.IdPermsType(enable=True, description=sg_q.get('description')) sg_vnc = vnc_api.SecurityGroup(name=sg_q['name'], parent_obj=project_obj, id_perms=id_perms) return sg_vnc
def _create_no_rule_sg(self): domain_obj = vnc_api.Domain(SG_NO_RULE_FQ_NAME[0]) proj_obj = vnc_api.Project(SG_NO_RULE_FQ_NAME[1], domain_obj) sg_rules = vnc_api.PolicyEntriesType() id_perms = vnc_api.IdPermsType( enable=True, description="Security group with no rules", user_visible=False) sg_obj = vnc_api.SecurityGroup(name=SG_NO_RULE_NAME, parent_obj=proj_obj, security_group_entries=sg_rules, id_perms=id_perms) self._resource_create(sg_obj) return sg_obj
def _create_default_security_group(vnc_lib, proj_obj): def _get_rule(ingress, sg, prefix, ethertype): sgr_uuid = str(uuid.uuid4()) if sg: addr = AddressType(security_group=proj_obj.get_fq_name_str() + ':' + sg) elif prefix: addr = AddressType(subnet=SubnetType(prefix, 0)) local_addr = AddressType(security_group='local') if ingress: src_addr = addr dst_addr = local_addr else: src_addr = local_addr dst_addr = addr rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>', protocol='any', src_addresses=[src_addr], src_ports=[PortType(0, 65535)], dst_addresses=[dst_addr], dst_ports=[PortType(0, 65535)], ethertype=ethertype) return rule rules = [ _get_rule(True, 'default', None, 'IPv4'), _get_rule(True, 'default', None, 'IPv6'), _get_rule(False, None, '0.0.0.0', 'IPv4'), _get_rule(False, None, '::', 'IPv6') ] sg_rules = PolicyEntriesType(rules) # create security group id_perms = IdPermsType(enable=True, description=DEFAULT_SECGROUP_DESCRIPTION) sg_obj = vnc_api.SecurityGroup(name='default', parent_obj=proj_obj, id_perms=id_perms, security_group_entries=sg_rules) vnc_lib.security_group_create(sg_obj) # neutron doesn't propagate user token vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
def security_group(project): return vnc_api.SecurityGroup( name='security-group-name', parent_obj=project, )