def run(self, values):
    """Launch an encrypted GCE instance and print what ``launch`` returns.

    Builds the Metavisor user-data from *values* and this command's CLI
    config, optionally adds a ``startup-script`` metadata item, hands the
    metadata to ``launch_gce_image.launch`` and prints the returned
    (encrypted) instance id. Returns 0 as the process exit status.
    """
    svc = gce_service.GCEService(values.project, None, log)
    config = instance_config_from_values(
        values, mode=INSTANCE_METAVISOR_MODE, cli_config=self.config)

    # A user-supplied startup script travels as an extra metadata item
    # next to the Metavisor user-data; None means "no extra items".
    startup_items = None
    if values.startup_script:
        startup_items = [{'key': 'startup-script',
                          'value': values.startup_script}]
    userdata = config.make_userdata()
    metadata = gce_service.gce_metadata_from_userdata(
        userdata, extra_items=startup_items)

    # The Google API client logs a lot; quiet it unless --verbose was given.
    if not values.verbose:
        logging.getLogger('googleapiclient').setLevel(logging.ERROR)
    if values.instance_name:
        gce_service.validate_image_name(values.instance_name)

    instance_id = launch_gce_image.launch(
        log, svc, values.image, values.instance_name, values.zone,
        values.delete_boot, values.instance_type, values.network,
        values.subnetwork, metadata)
    print(instance_id)
    return 0
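def do_encryption(gce_svc, enc_svc_cls, zone, encryptor, encryptor_image,
                  instance_name, instance_config, encrypted_image_disk,
                  network, status_port=ENCRYPTOR_STATUS_PORT):
    """Run the encryptor instance and block until encryption has finished.

    Launches *encryptor_image* as instance *encryptor* in *zone* with the
    guest disk (*instance_name*) and the target encrypted disk
    (*encrypted_image_disk*) attached, then polls the encryptor's status
    service on *status_port* via *enc_svc_cls* until encryption completes.
    On success the encryptor instance is deleted, retrying on transient
    HTTP/socket errors. On failure the instance's serial console is written
    to a file for diagnosis and the exception is re-raised unchanged.

    Args:
        gce_svc: GCE service wrapper used for all API calls.
        enc_svc_cls: Class used to talk to the encryptor status service.
        zone: GCE zone the instance and disks live in.
        encryptor: Name for the encryptor instance.
        encryptor_image: Image to boot the encryptor from.
        instance_name: Name of the guest disk to encrypt.
        instance_config: Provides ``make_userdata()`` for the metadata.
        encrypted_image_disk: Name of the disk the encrypted image goes to.
        network: Network to launch the encryptor on.
        status_port: Port of the encryptor status service.

    Raises:
        Whatever ``wait_for_encryptor_up`` / ``wait_for_encryption`` raise
        (timeout or encryption error), propagated with its original traceback.
    """
    metadata = gce_metadata_from_userdata(instance_config.make_userdata())
    log.info('Launching encryptor instance')
    gce_svc.run_instance(
        zone=zone,
        name=encryptor,
        image=encryptor_image,
        network=network,
        disks=[
            gce_svc.get_disk(zone, instance_name),
            gce_svc.get_disk(zone, encrypted_image_disk),
        ],
        metadata=metadata)
    try:
        enc_svc = enc_svc_cls(
            [gce_svc.get_instance_ip(encryptor, zone)], port=status_port)
        wait_for_encryptor_up(enc_svc, Deadline(600))
        wait_for_encryption(enc_svc)
    except Exception:
        # Save the console before propagating so the failure can be
        # diagnosed. NOTE(review): the encryptor instance is not deleted on
        # this path (only on success) -- confirm that is intended.
        f = gce_svc.write_serial_console_file(zone, encryptor)
        if f:
            log.info('Encryption failed. Writing console to %s', f)
        # Bare ``raise`` preserves the original traceback; ``raise e``
        # replaced it with this frame under Python 2.
        raise
    retry(function=gce_svc.delete_instance,
          on=[httplib.BadStatusLine, socket.error, errors.HttpError])(
        zone, encryptor)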
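def do_encryption(gce_svc, enc_svc_cls, zone, encryptor, encryptor_image,
                  instance_name, instance_config, encrypted_image_disk,
                  network, status_port=ENCRYPTOR_STATUS_PORT):
    """Run the encryptor instance and block until encryption has finished.

    Launches *encryptor_image* as instance *encryptor* in *zone* with the
    guest disk (*instance_name*) and the target encrypted disk
    (*encrypted_image_disk*) attached, then polls the encryptor's status
    service on *status_port* via *enc_svc_cls* until encryption completes.
    On success the encryptor instance is deleted, retrying on transient
    HTTP/socket errors. On failure the instance's serial console is written
    to a file for diagnosis and the exception is re-raised unchanged.

    Args:
        gce_svc: GCE service wrapper used for all API calls.
        enc_svc_cls: Class used to talk to the encryptor status service.
        zone: GCE zone the instance and disks live in.
        encryptor: Name for the encryptor instance.
        encryptor_image: Image to boot the encryptor from.
        instance_name: Name of the guest disk to encrypt.
        instance_config: Provides ``make_userdata()`` for the metadata.
        encrypted_image_disk: Name of the disk the encrypted image goes to.
        network: Network to launch the encryptor on.
        status_port: Port of the encryptor status service.

    Raises:
        Whatever ``wait_for_encryptor_up`` / ``wait_for_encryption`` raise
        (timeout or encryption error), propagated with its original traceback.
    """
    metadata = gce_metadata_from_userdata(instance_config.make_userdata())
    log.info('Launching encryptor instance')
    gce_svc.run_instance(
        zone=zone,
        name=encryptor,
        image=encryptor_image,
        network=network,
        disks=[
            gce_svc.get_disk(zone, instance_name),
            gce_svc.get_disk(zone, encrypted_image_disk),
        ],
        metadata=metadata)
    try:
        enc_svc = enc_svc_cls(
            [gce_svc.get_instance_ip(encryptor, zone)], port=status_port)
        wait_for_encryptor_up(enc_svc, Deadline(600))
        wait_for_encryption(enc_svc)
    except Exception:
        # Save the console before propagating so the failure can be
        # diagnosed. NOTE(review): the encryptor instance is not deleted on
        # this path (only on success) -- confirm that is intended.
        f = gce_svc.write_serial_console_file(zone, encryptor)
        if f:
            log.info('Encryption failed. Writing console to %s', f)
        # Bare ``raise`` preserves the original traceback; ``raise e``
        # replaced it with this frame under Python 2.
        raise
    retry(function=gce_svc.delete_instance,
          on=[httplib.BadStatusLine, socket.error, errors.HttpError])(
        zone, encryptor)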
def command_launch_gce_image(values, log):
    """Launch an encrypted image on GCE from parsed CLI *values*.

    Derives the Bracket environment and Metavisor instance config from
    *values*, packs the user-data (plus an optional ``startup-script``
    item) into GCE metadata and calls ``launch_gce_image.launch``.
    Returns 0 as the command's exit status.
    """
    svc = gce_service.GCEService(values.project, None, log)
    env = brkt_cli.brkt_env_from_values(values)
    config = make_instance_config(values, env, mode=INSTANCE_METAVISOR_MODE)

    # Optional startup script rides along as an extra metadata item.
    script = values.startup_script
    startup_items = (
        [{'key': 'startup-script', 'value': script}] if script else None)
    metadata = gce_service.gce_metadata_from_userdata(
        config.make_userdata(), extra_items=startup_items)

    # Quiet the Google API client unless the user asked for verbose output.
    if not values.verbose:
        logging.getLogger('googleapiclient').setLevel(logging.ERROR)

    launch_gce_image.launch(
        log, svc, values.image, values.instance_name, values.zone,
        values.delete_boot, values.instance_type, metadata)
    return 0
def command_launch_gce_image(values, log):
    """Launch an encrypted image on GCE from parsed CLI *values*.

    Derives the Bracket environment and Metavisor instance config from
    *values*, packs the user-data (plus an optional ``startup-script``
    item) into GCE metadata and calls ``launch_gce_image.launch``.
    Returns 0 as the command's exit status.
    """
    svc = gce_service.GCEService(values.project, None, log)
    env = brkt_cli.brkt_env_from_values(values)
    config = make_instance_config(values, env, mode=INSTANCE_METAVISOR_MODE)

    # Optional startup script rides along as an extra metadata item.
    script = values.startup_script
    startup_items = (
        [{'key': 'startup-script', 'value': script}] if script else None)
    metadata = gce_service.gce_metadata_from_userdata(
        config.make_userdata(), extra_items=startup_items)

    # Quiet the Google API client unless the user asked for verbose output.
    if not values.verbose:
        logging.getLogger('googleapiclient').setLevel(logging.ERROR)

    launch_gce_image.launch(
        log, svc, values.image, values.instance_name, values.zone,
        values.delete_boot, values.instance_type, metadata)
    return 0
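def update_gce_image(gce_svc, enc_svc_cls, image_id, encryptor_image,
                     encrypted_image_name, zone, instance_config,
                     keep_encryptor=False, image_file=None, image_bucket=None,
                     network=None, status_port=ENCRYPTOR_STATUS_PORT):
    """Pair an encrypted guest image with a newer Metavisor (encryptor) image.

    Steps, in order:
      1. Resolve the encryptor image: fetch the latest from *image_bucket* /
         *image_file* unless *encryptor_image* was given, in which case it
         is used as-is and kept at cleanup.
      2. Create a disk from the encrypted guest snapshot *image_id* and
         snapshot it again under *encrypted_image_name*.
      3. Launch the encryptor with ``solo_mode`` set to ``'updater'`` and
         wait on its status service (*status_port*) until it reports done.
      4. Delete the updater instance, wait for its root disk to detach and
         build the new GCE image *encrypted_image_name* from it.

    Args:
        gce_svc: GCE service wrapper used for all API calls.
        enc_svc_cls: Class used to talk to the updater's status service.
        image_id: Name of the existing encrypted guest snapshot.
        encryptor_image: Encryptor image to use, or falsy to fetch the latest.
        encrypted_image_name: Name of both the new snapshot and the new image.
        zone: GCE zone to work in.
        instance_config: Instance config whose ``brkt_config`` is modified in
            place (``solo_mode`` = ``'updater'``) before user-data is built.
        keep_encryptor: Keep the encryptor image at cleanup; forced to True
            when *encryptor_image* is caller-supplied.
        image_file: Encryptor image file to look for in *image_bucket*.
        image_bucket: GCS bucket holding encryptor images.
        network: Network to launch the updater on.
        status_port: Port of the encryptor status service.

    Returns:
        ``encrypted_image_name``.

    Raises:
        Re-raises any failure after saving the updater's serial console
        (if the updater was launched), deleting the snapshot created in
        step 2 (if it was created) and running ``gce_svc.cleanup``.
    """
    snap_created = False
    # Bound before the try so the failure handler can tell whether the
    # updater was ever named; an early failure (e.g. while fetching the
    # encryptor image) used to hit UnboundLocalError here and mask the
    # real error.
    updater = None
    try:
        # create image from file in GCS bucket
        log.info('Retrieving encryptor image from GCS bucket')
        if not encryptor_image:
            encryptor_image = gce_svc.get_latest_encryptor_image(
                zone, image_bucket, image_file=image_file)
        else:
            # Keep user provided encryptor image
            keep_encryptor = True

        instance_name = 'brkt-updater-' + gce_svc.get_session_id()
        updater = instance_name + '-metavisor'
        encrypted_image_disk = instance_name + '-guest'

        # Create disk from encrypted guest snapshot. This disk
        # won't be altered. It will be re-snapshotted and paired
        # with the new encryptor image.
        gce_svc.disk_from_snapshot(zone, image_id, encrypted_image_disk)
        gce_svc.wait_for_disk(zone, encrypted_image_disk)
        log.info("Creating snapshot of encrypted image disk")
        gce_svc.create_snapshot(zone, encrypted_image_disk,
                                encrypted_image_name)
        snap_created = True

        log.info("Launching encrypted updater")
        # NOTE: mutates the caller's instance_config in place.
        instance_config.brkt_config['solo_mode'] = 'updater'
        user_data = gce_metadata_from_userdata(instance_config.make_userdata())
        gce_svc.run_instance(zone, updater, encryptor_image, network=network,
                             disks=[], metadata=user_data)
        enc_svc = enc_svc_cls([gce_svc.get_instance_ip(updater, zone)],
                              port=status_port)

        # wait for updater to finish and guest root disk
        wait_for_encryptor_up(enc_svc, Deadline(600))
        wait_for_encryption(enc_svc)

        # delete updater instance
        log.info('Deleting updater instance')
        gce_svc.delete_instance(zone, updater)
        # wait for updater root disk
        gce_svc.wait_for_detach(zone, updater)

        # create image from mv root disk and snapshot
        # encrypted guest root disk
        log.info("Creating updated metavisor image")
        gce_svc.create_gce_image_from_disk(zone, encrypted_image_name, updater)
        gce_svc.wait_image(encrypted_image_name)
        gce_svc.wait_snapshot(encrypted_image_name)
    except BaseException:
        # As broad as the original bare ``except`` so that an interrupt
        # also removes the half-built snapshot. NOTE(review): confirm
        # KeyboardInterrupt should take this path rather than ``Exception``.
        if updater is not None:
            f = gce_svc.write_serial_console_file(zone, updater)
            if f:
                log.info('Update failed. Writing console to %s', f)
        log.info("Update failed. Cleaning up")
        if snap_created:
            gce_svc.delete_snapshot(encrypted_image_name)
        # gce_svc.cleanup() runs exactly once, in ``finally`` below; the
        # extra call that used to be here ran it twice on every failure.
        raise
    finally:
        gce_svc.cleanup(zone, encryptor_image, keep_encryptor)
    return encrypted_image_name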
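def update_gce_image(gce_svc, enc_svc_cls, image_id, encryptor_image,
                     encrypted_image_name, zone, instance_config,
                     keep_encryptor=False, image_file=None, image_bucket=None,
                     network=None, status_port=ENCRYPTOR_STATUS_PORT):
    """Pair an encrypted guest image with a newer Metavisor (encryptor) image.

    Steps, in order:
      1. Resolve the encryptor image: fetch the latest from *image_bucket* /
         *image_file* unless *encryptor_image* was given, in which case it
         is used as-is and kept at cleanup.
      2. Create a disk from the encrypted guest snapshot *image_id* and
         snapshot it again under *encrypted_image_name*.
      3. Launch the encryptor with ``solo_mode`` set to ``'updater'`` and
         wait on its status service (*status_port*) until it reports done.
      4. Delete the updater instance, wait for its root disk to detach and
         build the new GCE image *encrypted_image_name* from it.

    Args:
        gce_svc: GCE service wrapper used for all API calls.
        enc_svc_cls: Class used to talk to the updater's status service.
        image_id: Name of the existing encrypted guest snapshot.
        encryptor_image: Encryptor image to use, or falsy to fetch the latest.
        encrypted_image_name: Name of both the new snapshot and the new image.
        zone: GCE zone to work in.
        instance_config: Instance config whose ``brkt_config`` is modified in
            place (``solo_mode`` = ``'updater'``) before user-data is built.
        keep_encryptor: Keep the encryptor image at cleanup; forced to True
            when *encryptor_image* is caller-supplied.
        image_file: Encryptor image file to look for in *image_bucket*.
        image_bucket: GCS bucket holding encryptor images.
        network: Network to launch the updater on.
        status_port: Port of the encryptor status service.

    Returns:
        ``encrypted_image_name``.

    Raises:
        Re-raises any failure after saving the updater's serial console
        (if the updater was launched), deleting the snapshot created in
        step 2 (if it was created) and running ``gce_svc.cleanup``.
    """
    snap_created = False
    # Bound before the try so the failure handler can tell whether the
    # updater was ever named; an early failure (e.g. while fetching the
    # encryptor image) used to hit UnboundLocalError here and mask the
    # real error.
    updater = None
    try:
        # create image from file in GCS bucket
        log.info('Retrieving encryptor image from GCS bucket')
        if not encryptor_image:
            encryptor_image = gce_svc.get_latest_encryptor_image(
                zone, image_bucket, image_file=image_file)
        else:
            # Keep user provided encryptor image
            keep_encryptor = True

        instance_name = 'brkt-updater-' + gce_svc.get_session_id()
        updater = instance_name + '-metavisor'
        encrypted_image_disk = instance_name + '-guest'

        # Create disk from encrypted guest snapshot. This disk
        # won't be altered. It will be re-snapshotted and paired
        # with the new encryptor image.
        gce_svc.disk_from_snapshot(zone, image_id, encrypted_image_disk)
        gce_svc.wait_for_disk(zone, encrypted_image_disk)
        log.info("Creating snapshot of encrypted image disk")
        gce_svc.create_snapshot(zone, encrypted_image_disk,
                                encrypted_image_name)
        snap_created = True

        log.info("Launching encrypted updater")
        # NOTE: mutates the caller's instance_config in place.
        instance_config.brkt_config['solo_mode'] = 'updater'
        user_data = gce_metadata_from_userdata(instance_config.make_userdata())
        gce_svc.run_instance(zone, updater, encryptor_image, network=network,
                             disks=[], metadata=user_data)
        enc_svc = enc_svc_cls([gce_svc.get_instance_ip(updater, zone)],
                              port=status_port)

        # wait for updater to finish and guest root disk
        wait_for_encryptor_up(enc_svc, Deadline(600))
        wait_for_encryption(enc_svc)

        # delete updater instance
        log.info('Deleting updater instance')
        gce_svc.delete_instance(zone, updater)
        # wait for updater root disk
        gce_svc.wait_for_detach(zone, updater)

        # create image from mv root disk and snapshot
        # encrypted guest root disk
        log.info("Creating updated metavisor image")
        gce_svc.create_gce_image_from_disk(zone, encrypted_image_name, updater)
        gce_svc.wait_image(encrypted_image_name)
        gce_svc.wait_snapshot(encrypted_image_name)
    except BaseException:
        # As broad as the original bare ``except`` so that an interrupt
        # also removes the half-built snapshot. NOTE(review): confirm
        # KeyboardInterrupt should take this path rather than ``Exception``.
        if updater is not None:
            f = gce_svc.write_serial_console_file(zone, updater)
            if f:
                log.info('Update failed. Writing console to %s', f)
        log.info("Update failed. Cleaning up")
        if snap_created:
            gce_svc.delete_snapshot(encrypted_image_name)
        # gce_svc.cleanup() runs exactly once, in ``finally`` below; the
        # extra call that used to be here ran it twice on every failure.
        raise
    finally:
        gce_svc.cleanup(zone, encryptor_image, keep_encryptor)
    return encrypted_image_name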