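def _set_machine_id(self, client_factory, instance):
    """Set the machine id of the VM for guest tools to pick up and change the IP.

    Looks the VM up by ``instance.name``, collects the instance's network
    settings (first MAC, first fixed IP, netmask, gateway, broadcast, dns1)
    from the database with an admin context, builds a reconfigure spec via
    ``vm_util.get_machine_id_change_spec`` and applies it through a
    ``ReconfigVM_Task``, waiting for the task to finish.

    :param client_factory: handed through to ``vm_util`` to build the spec
    :param instance: nova instance record; ``name``, ``id`` and
                     ``mac_addresses`` are read from it
    :raises exception.InstanceNotFound: if no VM named ``instance.name`` exists
    """
    admin_context = context.get_admin_context()

    vm_ref = self._get_vm_ref_from_the_name(instance.name)
    if vm_ref is None:
        raise exception.InstanceNotFound(instance_id=instance.id)

    # Reuse the admin context created above instead of building a second one.
    network = db.network_get_by_instance(admin_context, instance['id'])

    # Only the first MAC is handed to the guest; None when the instance has none.
    mac_address = None
    if instance['mac_addresses']:
        mac_address = instance['mac_addresses'][0]['address']

    net_mask = network["netmask"]
    gateway = network["gateway"]
    broadcast = network["broadcast"]
    # TODO(vish): add support for dns2
    dns = network["dns1"]

    # First fixed address, or None when nothing has been allocated yet
    # (presumably the spec builder tolerates None -- verify in vm_util).
    addresses = db.instance_get_fixed_addresses(admin_context, instance['id'])
    ip_addr = addresses[0] if addresses else None

    machine_id_change_spec = vm_util.get_machine_id_change_spec(
        client_factory, mac_address, ip_addr, net_mask, gateway, broadcast, dns)

    LOG.debug(_("Reconfiguring VM instance %(name)s to set the machine id "
                "with ip - %(ip_addr)s") % ({'name': instance.name,
                                             'ip_addr': ip_addr}))
    reconfig_task = self._session._call_method(self._session._get_vim(),
                                               "ReconfigVM_Task", vm_ref,
                                               spec=machine_id_change_spec)
    self._session._wait_for_task(instance.id, reconfig_task)
    LOG.debug(_("Reconfigured VM instance %(name)s to set the machine id "
                "with ip - %(ip_addr)s") % ({'name': instance.name,
                                             'ip_addr': ip_addr}))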
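def _set_machine_id(self, client_factory, instance):
    """Set the machine id of the VM for guest tools to pick up and change the IP.

    Resolves the VM from ``instance.name``, reads the instance's network
    record and fixed addresses from the database under an admin context,
    and pushes MAC / IP / netmask / gateway / broadcast / dns1 into the VM
    with a ``ReconfigVM_Task`` built by ``vm_util.get_machine_id_change_spec``.
    Blocks until the task completes.

    :param client_factory: passed to ``vm_util`` when building the spec
    :param instance: nova instance record (``name``, ``id``,
                     ``mac_addresses`` are used)
    :raises exception.InstanceNotFound: when no VM matches ``instance.name``
    """
    admin_context = nova_context.get_admin_context()

    vm_ref = self._get_vm_ref_from_the_name(instance.name)
    if vm_ref is None:
        raise exception.InstanceNotFound(instance_id=instance.id)

    # One admin context is enough; the original built a second one here.
    network = db.network_get_by_instance(admin_context, instance['id'])

    # The guest receives only the first MAC, or None if there are none.
    mac_address = None
    if instance['mac_addresses']:
        mac_address = instance['mac_addresses'][0]['address']

    net_mask = network["netmask"]
    gateway = network["gateway"]
    broadcast = network["broadcast"]
    # TODO(vish): add support for dns2
    dns = network["dns1"]

    # First fixed address; None when none is allocated yet
    # (NOTE(review): confirm vm_util accepts a None ip_addr).
    addresses = db.instance_get_fixed_addresses(admin_context, instance['id'])
    ip_addr = addresses[0] if addresses else None

    machine_id_change_spec = vm_util.get_machine_id_change_spec(
        client_factory, mac_address, ip_addr, net_mask, gateway, broadcast, dns)

    LOG.debug(_("Reconfiguring VM instance %(name)s to set the machine id "
                "with ip - %(ip_addr)s") % ({'name': instance.name,
                                             'ip_addr': ip_addr}))
    reconfig_task = self._session._call_method(self._session._get_vim(),
                                               "ReconfigVM_Task", vm_ref,
                                               spec=machine_id_change_spec)
    self._session._wait_for_task(instance.id, reconfig_task)
    LOG.debug(_("Reconfigured VM instance %(name)s to set the machine id "
                "with ip - %(ip_addr)s") % ({'name': instance.name,
                                             'ip_addr': ip_addr}))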
def get_address(self):
    """Return the instance's fixed addresses, fetching them from the DB once.

    The first call looks the addresses up with an admin context keyed on
    ``self.get_local_id()`` and stores the result in ``self.address``;
    later calls return the stored value without touching the database.
    """
    cached = self.address
    if cached is not None:
        return cached

    admin_ctxt = context.get_admin_context()
    self.address = db.instance_get_fixed_addresses(admin_ctxt,
                                                   self.get_local_id())
    return self.address
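def instance_rules(self, instance, network_info):
    """Build the iptables rule lists for one instance.

    Returns a ``(ipv4_rules, ipv6_rules)`` tuple of rule strings: a fixed
    prefix (drop INVALID, accept ESTABLISHED/RELATED, jump to the provider
    chain), DHCP and same-network allowances derived from ``network_info``,
    IPv6 router-advertisement/same-network allowances when
    ``FLAGS.use_ipv6`` is set, one ACCEPT per security-group rule attached
    to the instance, and a trailing jump to the ``sg-fallback`` chain.

    :param instance: instance record; only ``instance['id']`` is read
    :param network_info: iterable of ``(network, mapping)`` pairs; the
                         ``cidr``/``cidr_v6`` keys of ``network`` and the
                         ``dhcp_server``/``gateway6`` keys of ``mapping``
                         are used
    :returns: ``(ipv4_rules, ipv6_rules)`` lists of iptables argument strings
    """
    ctxt = context.get_admin_context()

    ipv4_rules = []
    ipv6_rules = []

    # Always drop invalid packets
    ipv4_rules += ['-m state --state INVALID -j DROP']
    ipv6_rules += ['-m state --state INVALID -j DROP']

    # Allow established connections
    ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
    ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']

    # Pass through provider-wide drops
    ipv4_rules += ['-j $provider']
    ipv6_rules += ['-j $provider']

    dhcp_servers = [info['dhcp_server'] for (_n, info) in network_info]
    for dhcp_server in dhcp_servers:
        ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 '
                          '-j ACCEPT' % (dhcp_server,))

    # Allow project network traffic
    if FLAGS.allow_same_net_traffic:
        cidrs = [network['cidr'] for (network, _m) in network_info]
        for cidr in cidrs:
            ipv4_rules.append('-s %s -j ACCEPT' % (cidr,))

    # We wrap these in FLAGS.use_ipv6 because they might cause
    # a DB lookup. The other ones are just list operations, so
    # they're not worth the clutter.
    if FLAGS.use_ipv6:
        # Allow RA responses
        gateways_v6 = [mapping['gateway6'] for (_n, mapping) in network_info]
        for gateway_v6 in gateways_v6:
            ipv6_rules.append('-s %s/128 -p icmpv6 -j ACCEPT' % (gateway_v6,))

        # Allow project network traffic
        if FLAGS.allow_same_net_traffic:
            cidrv6s = [network['cidr_v6'] for (network, _m) in network_info]
            for cidrv6 in cidrv6s:
                ipv6_rules.append('-s %s -j ACCEPT' % (cidrv6,))

    security_groups = db.security_group_get_by_instance(ctxt, instance['id'])

    # then, security group chains and rules
    for security_group in security_groups:
        rules = db.security_group_rule_get_by_security_group(
            ctxt, security_group['id'])

        for rule in rules:
            LOG.debug(_('Adding security group rule: %r'), rule)

            # A rule without a CIDR (grantee-group rule) is treated as IPv4.
            if not rule.cidr:
                version = 4
            else:
                version = netutils.get_ip_version(rule.cidr)

            # Alias of the list the rule lands in; += below mutates it in place.
            if version == 4:
                fw_rules = ipv4_rules
            else:
                fw_rules = ipv6_rules

            # Normalise case so that e.g. 'TCP' still gets its port
            # restriction below instead of falling through to a bare
            # '-p TCP -j ACCEPT' (same normalisation as the sibling
            # implementation of this method).
            protocol = rule.protocol.lower() if rule.protocol else None
            if version == 6 and protocol == 'icmp':
                protocol = 'icmpv6'

            args = ['-j ACCEPT']
            if protocol:
                args += ['-p', protocol]

            if protocol in ('udp', 'tcp'):
                if rule.from_port == rule.to_port:
                    args += ['--dport', '%s' % (rule.from_port,)]
                else:
                    args += ['-m', 'multiport', '--dports',
                             '%s:%s' % (rule.from_port, rule.to_port)]
            elif protocol in ('icmp', 'icmpv6'):
                # Matching 'icmpv6' as well is what makes the version == 6
                # branch below reachable: protocol has already been rewritten
                # to 'icmpv6' for IPv6 rules, so matching only 'icmp' silently
                # dropped the type/code restriction from every ICMPv6 rule.
                icmp_type = rule.from_port
                icmp_code = rule.to_port

                # from_port carries the ICMP type, to_port the code; -1 = any.
                if icmp_type == -1:
                    icmp_type_arg = None
                else:
                    icmp_type_arg = '%s' % icmp_type
                    if not icmp_code == -1:
                        icmp_type_arg += '/%s' % icmp_code

                if icmp_type_arg:
                    if version == 4:
                        args += ['-m', 'icmp', '--icmp-type', icmp_type_arg]
                    elif version == 6:
                        args += ['-m', 'icmp6', '--icmpv6-type', icmp_type_arg]

            if rule.cidr:
                # rule.cidr comes straight from the DB and is spliced verbatim
                # into the rule text; presumably validated when the rule was
                # created through the API -- confirm at that boundary.
                LOG.info('Using cidr %r', rule.cidr)
                args += ['-s', rule.cidr]
                fw_rules += [' '.join(args)]
            else:
                if rule['grantee_group']:
                    # 'member' rather than 'instance': the original loop
                    # variable shadowed this method's 'instance' parameter.
                    for member in rule['grantee_group']['instances']:
                        LOG.info('instance: %r', member)
                        ips = db.instance_get_fixed_addresses(ctxt, member['id'])
                        LOG.info('ips: %r', ips)
                        for ip in ips:
                            subrule = args + ['-s %s' % ip]
                            fw_rules += [' '.join(subrule)]

            LOG.info('Using fw_rules: %r', fw_rules)

    ipv4_rules += ['-j $sg-fallback']
    ipv6_rules += ['-j $sg-fallback']

    return ipv4_rules, ipv6_rules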
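def instance_rules(self, instance, network_info):
    """Build the iptables rule lists for one instance.

    Produces ``(ipv4_rules, ipv6_rules)``: a fixed prefix (drop INVALID,
    accept ESTABLISHED/RELATED, jump to the provider chain), DHCP and
    same-network allowances from ``network_info``, IPv6 RA / same-network
    allowances when ``FLAGS.use_ipv6`` is set, one ACCEPT per security-group
    rule attached to the instance (expanded per member address for
    grantee-group rules) and a final jump to the ``sg-fallback`` chain.

    :param instance: instance record; only ``instance['id']`` is read
    :param network_info: iterable of ``(network, mapping)`` pairs; reads
                         ``network['cidr']``/``['cidr_v6']`` and
                         ``mapping['dhcp_server']``/``['gateway6']``
    :returns: ``(ipv4_rules, ipv6_rules)`` lists of iptables argument strings
    """
    ctxt = context.get_admin_context()

    def _port_args(rule):
        # tcp/udp destination-port restriction: single --dport when the
        # range collapses to one port, otherwise a multiport range.
        if rule.from_port == rule.to_port:
            return ['--dport', '%s' % (rule.from_port,)]
        return ['-m', 'multiport', '--dports',
                '%s:%s' % (rule.from_port, rule.to_port)]

    def _icmp_args(rule, version):
        # ICMP type/code restriction: from_port carries the type and
        # to_port the code, -1 meaning "any". No type -> no match args.
        icmp_type = rule.from_port
        icmp_code = rule.to_port
        if icmp_type == -1:
            return []
        icmp_type_arg = '%s' % icmp_type
        if not icmp_code == -1:
            icmp_type_arg += '/%s' % icmp_code
        if version == 4:
            return ['-m', 'icmp', '--icmp-type', icmp_type_arg]
        if version == 6:
            return ['-m', 'icmp6', '--icmpv6-type', icmp_type_arg]
        return []

    ipv4_rules = []
    ipv6_rules = []

    # Always drop invalid packets
    ipv4_rules += ['-m state --state INVALID -j DROP']
    ipv6_rules += ['-m state --state INVALID -j DROP']

    # Allow established connections
    ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
    ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']

    # Pass through provider-wide drops
    ipv4_rules += ['-j $provider']
    ipv6_rules += ['-j $provider']

    dhcp_servers = [info['dhcp_server'] for (_n, info) in network_info]
    for dhcp_server in dhcp_servers:
        ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 '
                          '-j ACCEPT' % (dhcp_server,))

    # Allow project network traffic
    if FLAGS.allow_same_net_traffic:
        cidrs = [network['cidr'] for (network, _m) in network_info]
        for cidr in cidrs:
            ipv4_rules.append('-s %s -j ACCEPT' % (cidr,))

    # We wrap these in FLAGS.use_ipv6 because they might cause
    # a DB lookup. The other ones are just list operations, so
    # they're not worth the clutter.
    if FLAGS.use_ipv6:
        # Allow RA responses
        gateways_v6 = [mapping['gateway6'] for (_n, mapping) in network_info]
        for gateway_v6 in gateways_v6:
            ipv6_rules.append(
                '-s %s/128 -p icmpv6 -j ACCEPT' % (gateway_v6,))

        # Allow project network traffic
        if FLAGS.allow_same_net_traffic:
            cidrv6s = [network['cidr_v6'] for (network, _m) in network_info]
            for cidrv6 in cidrv6s:
                ipv6_rules.append('-s %s -j ACCEPT' % (cidrv6,))

    security_groups = db.security_group_get_by_instance(ctxt, instance['id'])

    # then, security group chains and rules
    for security_group in security_groups:
        rules = db.security_group_rule_get_by_security_group(
            ctxt, security_group['id'])

        for rule in rules:
            LOG.debug(_('Adding security group rule: %r'), rule)

            # Rules without a CIDR (grantee-group rules) are treated as IPv4.
            if not rule.cidr:
                version = 4
            else:
                version = netutils.get_ip_version(rule.cidr)

            # fw_rules aliases the list this rule belongs in.
            fw_rules = ipv4_rules if version == 4 else ipv6_rules

            protocol = rule.protocol.lower() if rule.protocol else None
            if version == 6 and protocol == 'icmp':
                protocol = 'icmpv6'

            args = ['-j ACCEPT']
            if protocol:
                args += ['-p', protocol]

            if protocol in ('udp', 'tcp'):
                args += _port_args(rule)
            elif protocol in ('icmp', 'icmpv6'):
                # 'icmpv6' must be matched here too: protocol was rewritten
                # for IPv6 rules just above, so matching only 'icmp' made the
                # icmp6 branch unreachable and emitted ICMPv6 rules with no
                # type/code restriction at all.
                args += _icmp_args(rule, version)

            if rule.cidr:
                # rule.cidr is a DB value spliced verbatim into the rule
                # text; presumably validated at API input time -- confirm.
                LOG.info('Using cidr %r', rule.cidr)
                args += ['-s', rule.cidr]
                fw_rules.append(' '.join(args))
            elif rule['grantee_group']:
                # Named 'member', not 'instance', to stop shadowing the
                # method's own 'instance' parameter.
                for member in rule['grantee_group']['instances']:
                    LOG.info('instance: %r', member)
                    ips = db.instance_get_fixed_addresses(ctxt, member['id'])
                    LOG.info('ips: %r', ips)
                    for ip in ips:
                        subrule = args + ['-s %s' % ip]
                        fw_rules.append(' '.join(subrule))

            LOG.info('Using fw_rules: %r', fw_rules)

    ipv4_rules += ['-j $sg-fallback']
    ipv6_rules += ['-j $sg-fallback']

    return ipv4_rules, ipv6_rules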