def setup_controllers(self, conf):
    """Point this bridge at the locally hosted OpenFlow controller.

    The controller endpoint is built from ``conf.OVS.of_listen_address`` and
    ``conf.OVS.of_listen_port`` (an IPv6 literal is bracketed by
    ``ipv6_utils.valid_ipv6_url``), OpenFlow 1.3 is enabled, the single
    ``tcp:`` target is installed, and the bridge is forced into the
    "out-of-band" controller connection mode with the configured inactivity
    probe.

    :param conf: agent configuration object exposing the ``OVS`` section.
    """
    LOG.info('%s(): caller(): %s',
             log_utils.get_fname(1), log_utils.get_fname(2))

    listen_url = ipv6_utils.valid_ipv6_url(conf.OVS.of_listen_address,
                                           conf.OVS.of_listen_port)
    # NOTE(review): the target is plain "tcp:" (no "ssl:"), so the
    # listen address is assumed to be local to the host running OVS, as the
    # note below states -- confirm nothing exposes it on an external address.
    controller_targets = ["tcp:%s" % listen_url]

    self.add_protocols(ovs_consts.OPENFLOW13)
    self.set_controller(controller_targets)

    # NOTE(ivc): Force the "out-of-band" controller connection mode (see
    # "In-Band Control" [1]).
    #
    # Open vSwitch defaults to "in-band" mode, which installs hidden OpenFlow
    # rules (visible only via "ovs-appctl bridge/dump-flows <br>") and causes a
    # network loop on br-tun.  Today the OF controller runs locally alongside
    # OVS, so "out-of-band" is the right fit.  Should a remote controller ever
    # be supported by the agent, "In-Band Control" [1] would only be a
    # candidate for the physical bridge; br-int and br-tun must stay
    # "out-of-band".
    #
    # [1] https://github.com/openvswitch/ovs/blob/master/DESIGN.md
    self.set_controllers_connection_mode("out-of-band")
    self.set_controllers_inactivity_probe(conf.OVS.of_inactivity_probe)
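def _proxy_request(self, instance_id, tenant_id, req):
    """Forward a metadata request to the Nova metadata API and map its reply.

    The upstream request carries the resolved instance/tenant identity plus a
    signature over the instance id (``_sign_instance_id``) that Nova checks
    against a secret shared with this agent; a mismatch surfaces as 403 below.
    TLS verification and an optional client certificate are taken from
    ``self.conf``.

    :param instance_id: UUID of the instance the request was resolved to.
    :param tenant_id: project/tenant id owning that instance.
    :param req: the incoming webob request (method, path, query, body).
    :returns: a webob response (``req.response`` on 200, otherwise the
        matching ``webob.exc`` error response).
    :raises Exception: for any upstream status code not handled explicitly.
    """
    headers = {
        # NOTE(review): passed through verbatim from the incoming request, so
        # this trusts whatever put the header there (the namespace-side
        # proxy); requests drops the header if the value is None.
        'X-Forwarded-For': req.headers.get('X-Forwarded-For'),
        'X-Instance-ID': instance_id,
        'X-Tenant-ID': tenant_id,
        'X-Instance-ID-Signature': self._sign_instance_id(instance_id),
    }

    nova_host_port = ipv6_utils.valid_ipv6_url(
        self.conf.nova_metadata_host, self.conf.nova_metadata_port)
    url = urllib.parse.urlunsplit(
        (self.conf.nova_metadata_protocol, nova_host_port,
         req.path_info, req.query_string, ''))

    # nova_metadata_insecure switches certificate checking off entirely.
    # Otherwise verify against auth_ca_cert when configured, else against
    # the default CA bundle used by requests.
    disable_ssl_certificate_validation = self.conf.nova_metadata_insecure
    if self.conf.auth_ca_cert and not disable_ssl_certificate_validation:
        verify_cert = self.conf.auth_ca_cert
    else:
        verify_cert = not disable_ssl_certificate_validation

    # Optional client (mutual-TLS) identity; only used when both halves are
    # configured.
    client_cert = None
    if self.conf.nova_client_cert and self.conf.nova_client_priv_key:
        client_cert = (self.conf.nova_client_cert,
                       self.conf.nova_client_priv_key)

    # NOTE(review): no timeout is passed, so an unresponsive metadata host
    # can hold this worker indefinitely.  Not changed here because callers
    # may not expect requests' timeout exception -- consider plumbing a
    # configurable timeout through.
    resp = requests.request(method=req.method, url=url, headers=headers,
                            data=req.body, cert=client_cert,
                            verify=verify_cert)

    if resp.status_code == 200:
        # Nova is expected to send Content-Type; do not let a missing header
        # become a KeyError (and hence a 500 from this agent).
        content_type = resp.headers.get('content-type')
        if content_type:
            req.response.content_type = content_type
        req.response.body = resp.content
        LOG.debug(str(resp))
        return req.response
    elif resp.status_code == 403:
        LOG.warning(
            'The remote metadata server responded with Forbidden. This '
            'response usually occurs when shared secrets do not match.')
        return webob.exc.HTTPForbidden()
    elif resp.status_code == 400:
        return webob.exc.HTTPBadRequest()
    elif resp.status_code == 404:
        return webob.exc.HTTPNotFound()
    elif resp.status_code == 409:
        return webob.exc.HTTPConflict()
    elif resp.status_code == 500:
        msg = _(
            'Remote metadata server experienced an internal server error.')
        LOG.warning(msg)
        explanation = str(msg)
        return webob.exc.HTTPInternalServerError(explanation=explanation)
    else:
        # Anything else is unexpected; let the caller turn it into an error.
        raise Exception(
            _('Unexpected response code: %s') % resp.status_code)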
def test_valid_hostname_url(self):
    """A bare hostname is joined to the port with a colon, unbracketed."""
    self.assertEqual("controller:443",
                     ipv6_utils.valid_ipv6_url("controller", 443))
def test_valid_ipv4_url(self):
    """An IPv4 literal is not bracketed; only the port is appended."""
    self.assertEqual("192.168.1.2:443",
                     ipv6_utils.valid_ipv6_url("192.168.1.2", 443))
def test_invalid_ipv6_url(self):
    """An IPv6 literal must never be emitted in the ambiguous "::1:443" form."""
    ambiguous_form = "::1:443"
    self.assertNotEqual(ambiguous_form, ipv6_utils.valid_ipv6_url("::1", 443))
def test_valid_ipv6_url(self):
    """An IPv6 literal is wrapped in brackets before the port is appended."""
    self.assertEqual("[::1]:443", ipv6_utils.valid_ipv6_url("::1", 443))
def test_valid_hostname_url(self):
    """Hostnames are passed through untouched and suffixed with ':port'."""
    expected = "controller:443"
    actual = ipv6_utils.valid_ipv6_url("controller", 443)
    self.assertEqual(expected, actual)
def test_valid_ipv4_url(self):
    """A dotted-quad address is passed through untouched and suffixed with ':port'."""
    expected = "192.168.1.2:443"
    actual = ipv6_utils.valid_ipv6_url("192.168.1.2", 443)
    self.assertEqual(expected, actual)
def test_invalid_ipv6_url(self):
    """The unbracketed "::1:443" spelling is rejected as the output for ::1."""
    actual = ipv6_utils.valid_ipv6_url("::1", 443)
    self.assertNotEqual("::1:443", actual)
def test_valid_ipv6_url(self):
    """::1 with port 443 is rendered as the bracketed "[::1]:443"."""
    expected = "[::1]:443"
    actual = ipv6_utils.valid_ipv6_url("::1", 443)
    self.assertEqual(expected, actual)
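def _proxy_request(self, instance_id, tenant_id, req):
    """Forward a metadata request to the Nova metadata API and map its reply.

    The upstream request carries the resolved instance/tenant identity plus a
    signature over the instance id (``_sign_instance_id``) that Nova checks
    against a secret shared with this agent; a mismatch surfaces as 403 below.
    TLS verification and an optional client certificate are taken from
    ``self.conf``.

    :param instance_id: UUID of the instance the request was resolved to.
    :param tenant_id: project/tenant id owning that instance.
    :param req: the incoming webob request (method, path, query, body).
    :returns: a webob response (``req.response`` on 200, otherwise the
        matching ``webob.exc`` error response).
    :raises Exception: for any upstream status code not handled explicitly.
    """
    headers = {
        # NOTE(review): passed through verbatim from the incoming request, so
        # this trusts whatever put the header there (the namespace-side
        # proxy); requests drops the header if the value is None.
        'X-Forwarded-For': req.headers.get('X-Forwarded-For'),
        'X-Instance-ID': instance_id,
        'X-Tenant-ID': tenant_id,
        'X-Instance-ID-Signature': self._sign_instance_id(instance_id),
    }

    nova_host_port = ipv6_utils.valid_ipv6_url(
        self.conf.nova_metadata_host, self.conf.nova_metadata_port)
    url = urllib.parse.urlunsplit((
        self.conf.nova_metadata_protocol, nova_host_port,
        req.path_info, req.query_string, ''))

    # nova_metadata_insecure switches certificate checking off entirely.
    # Otherwise verify against auth_ca_cert when configured, else against
    # the default CA bundle used by requests.
    disable_ssl_certificate_validation = self.conf.nova_metadata_insecure
    if self.conf.auth_ca_cert and not disable_ssl_certificate_validation:
        verify_cert = self.conf.auth_ca_cert
    else:
        verify_cert = not disable_ssl_certificate_validation

    # Optional client (mutual-TLS) identity; only used when both halves are
    # configured.
    client_cert = None
    if self.conf.nova_client_cert and self.conf.nova_client_priv_key:
        client_cert = (self.conf.nova_client_cert,
                       self.conf.nova_client_priv_key)

    # NOTE(review): no timeout is passed, so an unresponsive metadata host
    # can hold this worker indefinitely.  Not changed here because callers
    # may not expect requests' timeout exception -- consider plumbing a
    # configurable timeout through.
    resp = requests.request(method=req.method, url=url, headers=headers,
                            data=req.body, cert=client_cert,
                            verify=verify_cert)

    if resp.status_code == 200:
        # Nova is expected to send Content-Type; do not let a missing header
        # become a KeyError (and hence a 500 from this agent).
        content_type = resp.headers.get('content-type')
        if content_type:
            req.response.content_type = content_type
        req.response.body = resp.content
        LOG.debug(str(resp))
        return req.response
    elif resp.status_code == 403:
        LOG.warning(
            'The remote metadata server responded with Forbidden. This '
            'response usually occurs when shared secrets do not match.'
        )
        return webob.exc.HTTPForbidden()
    elif resp.status_code == 400:
        return webob.exc.HTTPBadRequest()
    elif resp.status_code == 404:
        return webob.exc.HTTPNotFound()
    elif resp.status_code == 409:
        return webob.exc.HTTPConflict()
    elif resp.status_code == 500:
        msg = _(
            'Remote metadata server experienced an internal server error.'
        )
        LOG.warning(msg)
        explanation = six.text_type(msg)
        return webob.exc.HTTPInternalServerError(explanation=explanation)
    else:
        # Anything else is unexpected; let the caller turn it into an error.
        raise Exception(_('Unexpected response code: %s') % resp.status_code)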