def _get_security_groups(self, node_group):
    """Return the security groups to attach to ``node_group``'s instances.

    Without ``auto_security_group`` the stored value is handed back
    untouched (it may be ``None``).  With it, a Heat ``Ref`` to the
    auto-generated group is appended to a *copy* of the stored list, so the
    node group object itself is never mutated.
    """
    if not node_group.auto_security_group:
        return node_group.security_groups

    auto_group_ref = {
        "Ref": g.generate_auto_security_group_name(
            node_group.cluster.name, node_group.name),
    }
    attached = list(node_group.security_groups or [])
    attached.append(auto_group_ref)
    return attached
def _serialize_auto_security_group(self, ng):
    """Serialize the Neutron auto security group resource for ``ng``.

    Returns ``{}`` when the node group does not request an auto security
    group.  Otherwise returns a one-entry mapping from the generated group
    name to an ``OS::Neutron::SecurityGroup`` resource whose rules are
    produced by ``_serialize_auto_security_group_rules`` through the
    Neutron-shaped rule factory defined here.
    """
    if not ng.auto_security_group:
        return {}

    group_name = g.generate_auto_security_group_name(ng)
    description = self._asg_for_node_group_description(ng)

    def build_rule(ip_version, cidr, proto, from_port, to_port):
        # Neutron rules carry an explicit ethertype and string port bounds.
        return {
            "ethertype": "IPv{}".format(ip_version),
            "remote_ip_prefix": cidr,
            "protocol": proto,
            "port_range_min": six.text_type(from_port),
            "port_range_max": six.text_type(to_port),
        }

    rules = self._serialize_auto_security_group_rules(ng, build_rule)
    return {
        group_name: {
            "type": "OS::Neutron::SecurityGroup",
            "properties": {
                "description": description,
                "rules": rules,
            },
        },
    }
def _serialize_ng_group(self, ng, outputs):
    """Serialize node group ``ng`` as an ``OS::Heat::ResourceGroup``.

    Side effects: the per-instance template is registered under
    ``self.files["file://<ng.name>.yaml"]`` and an ``<ng.name>-instances``
    output is recorded in ``outputs``.  The anti-affinity server group and
    the auto security group are passed to every instance as resource-def
    properties only when the cluster / node group enables them.

    :returns: mapping ``{ng.name: <resource group definition>}``.
    """
    # ng.name becomes a template file key; presumably node group names are
    # validated upstream (no path separators, unique per cluster) -- not
    # checked here.
    template_key = "file://" + ng.name + ".yaml"
    self.files[template_key] = self._serialize_ng_file(ng)

    outputs[ng.name + "-instances"] = {
        "value": {"get_attr": [ng.name, "instance"]},
    }

    instance_props = {"instance_index": "%index%"}
    if ng.cluster.anti_affinity:
        instance_props[SERVER_GROUP_PARAM_NAME] = {
            'get_resource': _get_aa_group_name(ng.cluster),
        }
    if ng.auto_security_group:
        instance_props[AUTO_SECURITY_GROUP_PARAM_NAME] = {
            'get_resource': g.generate_auto_security_group_name(ng),
        }

    resource_group = {
        "type": "OS::Heat::ResourceGroup",
        "properties": {
            "count": self.node_groups_extra[ng.id]['node_count'],
            "resource_def": {
                "type": template_key,
                "properties": instance_props,
            },
        },
    }
    return {ng.name: resource_group}
def _serialize_ng_group(self, ng, outputs):
    """Serialize node group ``ng`` as an ``OS::Heat::ResourceGroup``.

    Registers the per-instance template in ``self.files`` under
    ``file://<ng.name>.yaml`` and adds an ``<ng.name>-instances`` output to
    ``outputs``.  Optional per-instance properties (anti-affinity server
    group, auto security group) are added only when enabled on the cluster
    / node group.

    :returns: mapping ``{ng.name: <resource group definition>}``.
    """
    # ng.name is used verbatim as a template file key; presumably validated
    # upstream (no path separators, unique per cluster) -- not checked here.
    template_key = "file://" + ng.name + ".yaml"
    self.files[template_key] = self._serialize_ng_file(ng)

    outputs[ng.name + "-instances"] = {
        "value": {"get_attr": [ng.name, "instance"]},
    }

    instance_props = {"instance_index": "%index%"}
    if ng.cluster.anti_affinity:
        instance_props[SERVER_GROUP_PARAM_NAME] = {
            'get_resource': _get_aa_group_name(ng.cluster),
        }
    if ng.auto_security_group:
        instance_props[AUTO_SECURITY_GROUP_PARAM_NAME] = {
            'get_resource': g.generate_auto_security_group_name(ng),
        }

    return {
        ng.name: {
            "type": "OS::Heat::ResourceGroup",
            "properties": {
                "count": self.node_groups_extra[ng.id]['node_count'],
                "resource_def": {
                    "type": template_key,
                    "properties": instance_props,
                },
            },
        },
    }
def _delete_auto_security_group(self, node_group):
    """Best-effort removal of the auto security group of ``node_group``.

    The auto group is expected to be the *last* entry of
    ``node_group.security_groups`` (the creation path appends it).  Before
    deleting, the group's name is compared against the generated name so a
    user-supplied group is never removed by mistake.  Every failure is
    logged as a warning and swallowed so that cluster teardown continues.
    """
    if not node_group.auto_security_group:
        return
    if not node_group.security_groups:
        # Nothing was ever attached, so there is nothing to remove.
        return

    candidate = node_group.security_groups[-1]
    try:
        sg_api = nova.client().security_groups
        found = sg_api.get(candidate)
        expected_name = g.generate_auto_security_group_name(node_group)
        if found.name != expected_name:
            LOG.warning(
                _LW("Auto security group for node group {name} is "
                    "not found").format(name=node_group.name))
            return
        sg_api.delete(candidate)
    except Exception:
        # Deliberately best-effort: report and keep going.
        LOG.warning(
            _LW("Failed to delete security group {name}").format(
                name=candidate))
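def _create_auto_security_group(self, node_group):
    """Create the Nova auto security group for ``node_group`` and attach it.

    Rules opened, in order:
      * TCP ``SSH_PORT`` from ``0.0.0.0/0`` (remote SSH provisioning);
      * with Neutron, all TCP/UDP ports and ICMP from every private network
        CIDR of the cluster;
      * every plugin-reported port in ``node_group.open_ports`` as TCP from
        ``0.0.0.0/0``.
    NOTE(security): SSH and the plugin ports are world-reachable.  Tenants
    that need isolation must pair this group with a stricter user-supplied
    group or network-level filtering; this code does not restrict it.

    The new group id is appended to the node group's ``security_groups`` via
    the conductor so the deletion path can find it as the last entry.  If
    any rule or the conductor update fails, the half-built group is deleted
    again before the error propagates -- otherwise an unreferenced group
    with the generated name would be left behind, which the deletion path
    cannot find and which blocks re-creation under the same name.

    :returns: the updated list of security group ids.
    """
    name = g.generate_auto_security_group_name(node_group)
    nova_client = nova.client()
    security_group = nova_client.security_groups.create(
        name,
        "Auto security group created by Sahara for Node Group '%s' "
        "of cluster '%s'." % (node_group.name, node_group.cluster.name))

    committed = False
    try:
        # ssh remote needs ssh port, agents are not implemented yet
        nova_client.security_group_rules.create(
            security_group.id, 'tcp', SSH_PORT, SSH_PORT, "0.0.0.0/0")

        # open all traffic for private networks
        if CONF.use_neutron:
            for cidr in neutron.get_private_network_cidrs(node_group.cluster):
                for protocol in ['tcp', 'udp']:
                    nova_client.security_group_rules.create(
                        security_group.id, protocol, 1, 65535, cidr)
                nova_client.security_group_rules.create(
                    security_group.id, 'icmp', -1, -1, cidr)

        # enable ports returned by plugin
        for port in node_group.open_ports:
            nova_client.security_group_rules.create(
                security_group.id, 'tcp', port, port, "0.0.0.0/0")

        security_groups = list(node_group.security_groups or [])
        security_groups.append(security_group.id)
        conductor.node_group_update(context.ctx(), node_group,
                                    {"security_groups": security_groups})
        committed = True
    finally:
        if not committed:
            # Roll back the orphan.  The original exception is the one that
            # matters, so a failure of the cleanup itself is ignored; the
            # try/finally (rather than except/re-raise) keeps the original
            # traceback intact on both Python 2 and 3.
            try:
                nova_client.security_groups.delete(security_group.id)
            except Exception:
                pass
    return security_groups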
def _serialize_auto_security_group(self, ng):
    """Serialize the auto security group resource for ``ng``.

    Emits an ``OS::Neutron::SecurityGroup`` when Neutron is in use and an
    ``AWS::EC2::SecurityGroup`` (nova-network) otherwise.  The two resource
    types spell their description / rule keys and rule entries differently,
    so a backend-specific rule factory is handed to
    ``_serialize_auto_security_group_rules``.

    :returns: one-entry mapping from the generated group name to the resource.
    """
    group_name = g.generate_auto_security_group_name(ng)
    description = self._asg_for_node_group_description(ng)

    if CONF.use_neutron:
        resource_type = "OS::Neutron::SecurityGroup"
        description_key, rules_key = "description", "rules"

        def build_rule(ip_version, cidr, proto, from_port, to_port):
            return {
                "ethertype": "IPv{}".format(ip_version),
                "remote_ip_prefix": cidr,
                "protocol": proto,
                "port_range_min": six.text_type(from_port),
                "port_range_max": six.text_type(to_port),
            }
    else:
        resource_type = "AWS::EC2::SecurityGroup"
        description_key, rules_key = "GroupDescription", "SecurityGroupIngress"

        def build_rule(_ip_version, cidr, proto, from_port, to_port):
            # nova-network rules carry no ethertype.
            return {
                "CidrIp": cidr,
                "IpProtocol": proto,
                "FromPort": six.text_type(from_port),
                "ToPort": six.text_type(to_port),
            }

    rules = self._serialize_auto_security_group_rules(ng, build_rule)
    return {
        group_name: {
            "type": resource_type,
            "properties": {
                description_key: description,
                rules_key: rules,
            },
        },
    }
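def _create_auto_security_group(self, node_group):
    """Create the Nova auto security group for ``node_group`` and attach it.

    Opens, in order: TCP ``SSH_PORT`` from ``0.0.0.0/0``; with Neutron, all
    TCP/UDP ports plus ICMP from each private network CIDR of the cluster;
    and every plugin-reported ``node_group.open_ports`` entry as TCP from
    ``0.0.0.0/0``.
    NOTE(security): SSH and the plugin ports are world-reachable; this code
    applies no narrower source range, so isolation has to come from a
    user-supplied group or the network.

    The group id is appended to ``security_groups`` through the conductor so
    the deletion path can locate it as the last entry.  If a rule or the
    conductor update fails, the partially built group is deleted before the
    error propagates; otherwise an orphan carrying the generated name would
    remain that the deletion path cannot find and that blocks re-creation.

    :returns: the updated list of security group ids.
    """
    name = g.generate_auto_security_group_name(node_group)
    nova_client = nova.client()
    security_group = nova_client.security_groups.create(
        name,
        "Auto security group created by Sahara for Node Group '%s' "
        "of cluster '%s'." % (node_group.name, node_group.cluster.name))

    committed = False
    try:
        # ssh remote needs ssh port, agents are not implemented yet
        nova_client.security_group_rules.create(
            security_group.id, 'tcp', SSH_PORT, SSH_PORT, "0.0.0.0/0")

        # open all traffic for private networks
        if CONF.use_neutron:
            for cidr in neutron.get_private_network_cidrs(node_group.cluster):
                for protocol in ['tcp', 'udp']:
                    nova_client.security_group_rules.create(
                        security_group.id, protocol, 1, 65535, cidr)
                nova_client.security_group_rules.create(
                    security_group.id, 'icmp', -1, -1, cidr)

        # enable ports returned by plugin
        for port in node_group.open_ports:
            nova_client.security_group_rules.create(
                security_group.id, 'tcp', port, port, "0.0.0.0/0")

        security_groups = list(node_group.security_groups or [])
        security_groups.append(security_group.id)
        conductor.node_group_update(context.ctx(), node_group,
                                    {"security_groups": security_groups})
        committed = True
    finally:
        if not committed:
            # Roll back the orphan; the original exception is what matters,
            # so a cleanup failure is ignored.  try/finally preserves the
            # original traceback on both Python 2 and 3.
            try:
                nova_client.security_groups.delete(security_group.id)
            except Exception:
                pass
    return security_groups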
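def _serialize_ng_group(self, ng, outputs):
    """Serialize node group ``ng`` as an ``OS::Heat::ResourceGroup``.

    Registers the per-instance template in ``self.files`` under
    ``file://<ng.name>.yaml`` and adds an ``<ng.name>-instances`` output to
    ``outputs``.  With anti-affinity enabled, one server group resource per
    instance index is listed under ``SERVER_GROUP_NAMES``; with an auto
    security group, its resource is passed as well.

    Fixes two defects of the previous version: the ``SERVER_GROUP_NAMES``
    list was never created before ``insert`` (KeyError on the first
    anti-affinity node group), and ``range(0, count - 1)`` produced one
    entry fewer than there are instances, so the last instance index had no
    server group.  The list now has exactly as many entries as the
    ``count`` the resource group is built with.

    :returns: mapping ``{ng.name: <resource group definition>}``.
    """
    template_key = "file://" + ng.name + ".yaml"
    self.files[template_key] = self._serialize_ng_file(ng)

    outputs[ng.name + "-instances"] = {
        "value": {"get_attr": [ng.name, "instance"]}}

    node_count = self.node_groups_extra[ng.id]['node_count']
    instance_props = {"instance_index": "%index%"}
    if ng.cluster.anti_affinity:
        # instance_index runs 0..node_count-1, so build one entry per index,
        # taken from the same count the ResourceGroup below is sized with.
        instance_props[SERVER_GROUP_NAMES] = [
            {"get_resource": self._get_server_group_name()}
            for _ in range(node_count)]
    if ng.auto_security_group:
        instance_props[AUTO_SECURITY_GROUP_PARAM_NAME] = {
            'get_resource': g.generate_auto_security_group_name(ng)}

    return {
        ng.name: {
            "type": "OS::Heat::ResourceGroup",
            "properties": {
                "count": node_count,
                "resource_def": {
                    "type": template_key,
                    "properties": instance_props
                }
            }
        }
    }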
def check_auto_security_group(cluster_name, nodegroup):
    """Reject a node group whose auto security group name is already taken.

    Only node groups with ``auto_security_group`` set are checked.  The
    generated name is compared against every group the current Nova client
    lists; a match raises ``NameAlreadyExistsException``.
    NOTE(security): this is a check-then-act guard -- a group created
    between this check and the real creation is not caught, and the listing
    is limited to what the Nova client can see.
    """
    if not nodegroup.get('auto_security_group'):
        return

    wanted = g.generate_auto_security_group_name(cluster_name,
                                                 nodegroup['name'])
    taken = {sg.name for sg in nova.client().security_groups.list()}
    if wanted in taken:
        raise ex.NameAlreadyExistsException(
            _("Security group with name '%s' already exists") % wanted)
def _get_security_groups(self, node_group):
    """Return the security groups to attach to ``node_group``'s instances.

    Without ``auto_security_group`` the stored value is returned as-is (it
    may be ``None``).  With it, a Heat ``Ref`` to the generated auto group
    is appended to a copy of the stored list, leaving ``node_group`` itself
    untouched.
    """
    if not node_group.auto_security_group:
        return node_group.security_groups

    attached = list(node_group.security_groups or [])
    attached.append(
        {"Ref": g.generate_auto_security_group_name(node_group)})
    return attached
def _get_security_groups(self, node_group):
    """Return the security groups to attach to ``node_group``'s instances.

    Always returns a fresh list (``None`` stored on the node group becomes
    ``[]``).  When ``auto_security_group`` is set, a ``get_resource``
    reference to the generated auto group is appended last.
    """
    attached = list(node_group.security_groups or [])
    if not node_group.auto_security_group:
        return attached

    auto_ref = {
        "get_resource": g.generate_auto_security_group_name(node_group)
    }
    return attached + [auto_ref]
def _get_security_groups(self, node_group):
    """Return the security groups to attach to ``node_group``'s instances.

    The stored groups are copied into a new list (``None`` becomes ``[]``);
    when ``auto_security_group`` is set, a ``get_resource`` reference to the
    generated auto group is appended as the last element.
    """
    attached = list(node_group.security_groups or [])
    if node_group.auto_security_group:
        auto_name = g.generate_auto_security_group_name(node_group)
        attached.append({"get_resource": auto_name})
    return attached
def _serialize_auto_security_group(self, ng):
    """Yield the rendered ``security_group.heat`` template for ``ng``.

    The template fields are the generated group name, a fixed description
    naming the node group and cluster, and the rules produced by
    ``_serialize_auto_security_group_rules``.  This is a generator: nothing
    runs until the caller iterates it.
    """
    group_name = g.generate_auto_security_group_name(ng)
    description = (
        "Auto security group created by Sahara for Node Group "
        "'%s' of cluster '%s'." % (ng.name, ng.cluster.name))
    rules = self._serialize_auto_security_group_rules(ng)

    yield _load_template('security_group.heat', {
        'security_group_name': group_name,
        'security_group_description': description,
        'rules': rules,
    })
def check_auto_security_group(cluster_name, nodegroup):
    """Raise if the auto security group name for ``nodegroup`` already exists.

    Node groups without ``auto_security_group`` are accepted unconditionally.
    Otherwise the generated name is looked up among the groups returned by
    the Nova client and ``NameAlreadyExistsException`` is raised on a hit.
    NOTE(security): check-then-act -- a group created after this check but
    before the real creation slips through; the listing only covers what the
    Nova client is allowed to see.
    """
    if not nodegroup.get('auto_security_group'):
        return

    candidate = g.generate_auto_security_group_name(cluster_name,
                                                    nodegroup['name'])
    for existing in nova.client().security_groups.list():
        if existing.name == candidate:
            raise ex.NameAlreadyExistsException(
                _("Security group with name '%s' already exists") % candidate)
def test_delete_auto_security_group_other_groups(self, nova_client):
    """Only the trailing auto group is deleted when user groups precede it."""
    ng = mock.Mock(id="16fd2706-8baf-433b-82eb-8c7fada847da",
                   auto_security_group=True)
    # ``name`` is a Mock constructor argument, so it is assigned afterwards.
    ng.name = "ngname"
    ng.cluster.name = "cluster"
    auto_name = g.generate_auto_security_group_name(ng)
    ng.security_groups = ['1', '2', auto_name]

    sg_client = mock.Mock()
    sg_client.security_groups.get.side_effect = SecurityGroup
    nova_client.return_value = sg_client

    self.engine._delete_auto_security_group(ng)

    sg_client.security_groups.delete.assert_called_once_with(auto_name)
def _serialize_auto_security_group(self, ng):
    """Serialize the auto security group of ``ng`` as an AWS-style resource.

    Builds an ``AWS::EC2::SecurityGroup`` (lower-case ``type``/``properties``
    keys) whose ingress rules come from
    ``_serialize_auto_security_group_rules``.

    :returns: one-entry mapping from the generated group name to the resource.
    """
    group_name = g.generate_auto_security_group_name(ng)
    description = (
        "Auto security group created by Sahara for Node Group "
        "'%s' of cluster '%s'." % (ng.name, ng.cluster.name))
    ingress = self._serialize_auto_security_group_rules(ng)

    resource = {
        "type": "AWS::EC2::SecurityGroup",
        "properties": {
            "GroupDescription": description,
            "SecurityGroupIngress": ingress,
        },
    }
    return {group_name: resource}
def _serialize_auto_security_group(self, ng):
    """Serialize the auto security group of ``ng`` as an AWS-style resource.

    Builds an ``AWS::EC2::SecurityGroup`` using the capitalised
    ``Type``/``Properties`` keys of the CFN template format, with ingress
    rules from ``_serialize_auto_security_group_rules``.

    :returns: one-entry mapping from the generated group name to the resource.
    """
    group_name = g.generate_auto_security_group_name(ng)
    description = (
        "Auto security group created by Sahara for Node Group "
        "'%s' of cluster '%s'." % (ng.name, ng.cluster.name))
    ingress = self._serialize_auto_security_group_rules(ng)

    resource = {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": description,
            "SecurityGroupIngress": ingress,
        },
    }
    return {group_name: resource}
def _serialize_ng_group(self, ng, outputs, instances_to_delete=None):
    """Serialize node group ``ng`` as an ``OS::Heat::ResourceGroup``.

    Registers the per-instance template in ``self.files`` under
    ``file://<ng.name>.yaml`` and adds an ``<ng.name>-instances`` output to
    ``outputs``.  With anti-affinity, one server group resource per instance
    index is listed under ``SERVER_GROUP_NAMES``; with an auto security
    group its resource is passed too.  Instances scheduled for removal are
    read from ``self.node_groups_extra[ng.id]['instances_to_delete']`` and
    turned into a ``removal_policies`` resource list; the
    ``instances_to_delete`` parameter itself is not consulted.

    :returns: mapping ``{ng.name: <resource group definition>}``.
    """
    template_key = "file://" + ng.name + ".yaml"
    self.files[template_key] = self._serialize_ng_file(ng)

    outputs[ng.name + "-instances"] = {
        "value": {"get_attr": [ng.name, "instance"]},
    }

    extra = self.node_groups_extra[ng.id]
    instance_props = {"instance_index": "%index%"}

    if ng.cluster.anti_affinity:
        # One server group per instance index, 0..node_count-1.
        server_groups = []
        for _ in range(extra['node_count']):
            server_groups.append(
                {"get_resource": self._get_server_group_name()})
        instance_props[SERVER_GROUP_NAMES] = server_groups

    if ng.auto_security_group:
        instance_props[AUTO_SECURITY_GROUP_PARAM_NAME] = {
            'get_resource': g.generate_auto_security_group_name(ng),
        }

    removal_policies = []
    doomed = extra['instances_to_delete']
    if doomed:
        removal_policies.append({
            'resource_list': [_get_index_from_inst_name(n) for n in doomed],
        })

    return {
        ng.name: {
            "type": "OS::Heat::ResourceGroup",
            "properties": {
                "count": extra['node_count'],
                "removal_policies": removal_policies,
                "resource_def": {
                    "type": template_key,
                    "properties": instance_props,
                },
            },
        },
    }
def _serialize_ng_group(self, ng, outputs, instances_to_delete=None):
    """Serialize node group ``ng`` as an ``OS::Heat::ResourceGroup``.

    Side effects: the per-instance template is stored in ``self.files`` as
    ``file://<ng.name>.yaml`` and an ``<ng.name>-instances`` output is added
    to ``outputs``.  Anti-affinity yields one server group entry per
    instance index under ``SERVER_GROUP_NAMES``; an auto security group adds
    its resource reference.  ``removal_policies`` is derived from
    ``self.node_groups_extra[ng.id]['instances_to_delete']`` -- the
    ``instances_to_delete`` parameter is not used by this method.

    :returns: mapping ``{ng.name: <resource group definition>}``.
    """
    template_key = "file://" + ng.name + ".yaml"
    self.files[template_key] = self._serialize_ng_file(ng)
    outputs[ng.name + "-instances"] = {
        "value": {"get_attr": [ng.name, "instance"]}}

    extra = self.node_groups_extra[ng.id]
    instance_props = {"instance_index": "%index%"}

    if ng.cluster.anti_affinity:
        # instance_index is 0-based, so one server group per index.
        instance_props[SERVER_GROUP_NAMES] = [
            {"get_resource": self._get_server_group_name()}
            for _ in range(extra['node_count'])]

    if ng.auto_security_group:
        instance_props[AUTO_SECURITY_GROUP_PARAM_NAME] = {
            'get_resource': g.generate_auto_security_group_name(ng)}

    removal_policies = []
    if extra['instances_to_delete']:
        indices = [_get_index_from_inst_name(inst_name)
                   for inst_name in extra['instances_to_delete']]
        removal_policies.append({'resource_list': indices})

    resource_group = {
        "type": "OS::Heat::ResourceGroup",
        "properties": {
            "count": extra['node_count'],
            "removal_policies": removal_policies,
            "resource_def": {
                "type": template_key,
                "properties": instance_props,
            },
        },
    }
    return {ng.name: resource_group}
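def _create_auto_security_group(self, node_group):
    """Create the Nova auto security group for ``node_group`` and attach it.

    Opens TCP ``SSH_PORT`` and every plugin-reported port in
    ``node_group.open_ports`` from ``0.0.0.0/0``.
    NOTE(security): both are world-reachable; no narrower source range is
    applied here, so isolation must come from a user-supplied group or the
    network.

    The group id is appended to ``security_groups`` through the conductor so
    the deletion path can find it as the last entry.  Should a rule or the
    conductor update fail, the partially built group is deleted again before
    the error propagates; otherwise an orphan with the generated name would
    remain that the deletion path cannot locate and that blocks re-creation
    under the same name.

    :returns: the updated list of security group ids.
    """
    name = g.generate_auto_security_group_name(node_group)
    nova_client = nova.client()
    security_group = nova_client.security_groups.create(
        name,
        "Auto security group created by Sahara for Node Group '%s' "
        "of cluster '%s'." % (node_group.name, node_group.cluster.name))

    committed = False
    try:
        # ssh remote needs ssh port, agents are not implemented yet
        nova_client.security_group_rules.create(
            security_group.id, 'tcp', SSH_PORT, SSH_PORT, "0.0.0.0/0")

        # enable ports returned by plugin
        for port in node_group.open_ports:
            nova_client.security_group_rules.create(
                security_group.id, 'tcp', port, port, "0.0.0.0/0")

        security_groups = list(node_group.security_groups or [])
        security_groups.append(security_group.id)
        conductor.node_group_update(context.ctx(), node_group,
                                    {"security_groups": security_groups})
        committed = True
    finally:
        if not committed:
            # Roll back the orphan; the original exception is what matters,
            # so a cleanup failure is ignored.  try/finally keeps the
            # original traceback intact on both Python 2 and 3.
            try:
                nova_client.security_groups.delete(security_group.id)
            except Exception:
                pass
    return security_groups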
def _delete_auto_security_group(self, node_group):
    """Best-effort removal of the auto security group of ``node_group``.

    The auto group is taken to be the last entry of
    ``node_group.security_groups``.  Its name is verified against the
    generated name before deletion so that a user-supplied group is never
    removed by accident; a mismatch is logged as a warning.  Any other
    failure is logged with traceback and swallowed so teardown continues.
    """
    if not node_group.auto_security_group:
        return
    if not node_group.security_groups:
        # Nothing attached, nothing to remove.
        return

    candidate = node_group.security_groups[-1]
    try:
        sg_api = nova.client().security_groups
        found = sg_api.get(candidate)
        if found.name != g.generate_auto_security_group_name(node_group):
            LOG.warn(_LW("Auto security group for node group %s is not "
                         "found"), node_group.name)
            return
        sg_api.delete(candidate)
    except Exception:
        # Deliberately best-effort.
        LOG.exception(_LE("Failed to delete security group %s"), candidate)
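def _create_auto_security_group(self, node_group):
    """Create the Nova auto security group for ``node_group`` and attach it.

    Rules opened: TCP ``SSH_PORT`` from ``0.0.0.0/0`` and each plugin port
    in ``node_group.open_ports`` as TCP from ``0.0.0.0/0``.
    NOTE(security): these are world-reachable; this code does not narrow the
    source range, so isolation must be provided by a user-supplied group or
    network-level filtering.

    The new group id is appended to ``security_groups`` via the conductor so
    the deletion path can find it as the last entry.  If any rule or the
    conductor update fails, the half-built group is deleted before the error
    propagates -- an unreferenced group with the generated name would
    otherwise be left behind, invisible to the deletion path and blocking
    re-creation under the same name.

    :returns: the updated list of security group ids.
    """
    name = g.generate_auto_security_group_name(node_group)
    nova_client = nova.client()
    security_group = nova_client.security_groups.create(
        name,
        "Auto security group created by Sahara for Node Group '%s' "
        "of cluster '%s'." % (node_group.name, node_group.cluster.name))

    committed = False
    try:
        # ssh remote needs ssh port, agents are not implemented yet
        nova_client.security_group_rules.create(
            security_group.id, 'tcp', SSH_PORT, SSH_PORT, "0.0.0.0/0")

        # enable ports returned by plugin
        for port in node_group.open_ports:
            nova_client.security_group_rules.create(
                security_group.id, 'tcp', port, port, "0.0.0.0/0")

        security_groups = list(node_group.security_groups or [])
        security_groups.append(security_group.id)
        conductor.node_group_update(context.ctx(), node_group,
                                    {"security_groups": security_groups})
        committed = True
    finally:
        if not committed:
            # Roll back the orphan.  The original exception is the one that
            # matters, so a cleanup failure is ignored; try/finally keeps
            # its traceback intact on both Python 2 and 3.
            try:
                nova_client.security_groups.delete(security_group.id)
            except Exception:
                pass
    return security_groups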
def _delete_auto_security_group(self, node_group):
    """Best-effort removal of the auto security group of ``node_group``.

    The auto group is expected as the last entry of
    ``node_group.security_groups``.  Both the lookup and the delete go
    through ``b.execute_with_retries``.  The looked-up group's name is
    compared with the generated name first, so a user-supplied group is
    never deleted by mistake.  All failures are logged as warnings and
    swallowed so that cluster teardown continues.
    """
    if not node_group.auto_security_group:
        return
    if not node_group.security_groups:
        # Nothing attached, nothing to remove.
        return

    candidate = node_group.security_groups[-1]
    try:
        sg_api = nova.client().security_groups
        found = b.execute_with_retries(sg_api.get, candidate)
        expected_name = g.generate_auto_security_group_name(node_group)
        if found.name != expected_name:
            LOG.warning(_LW("Auto security group for node group {name} is "
                            "not found").format(name=node_group.name))
            return
        b.execute_with_retries(sg_api.delete, candidate)
    except Exception:
        # Deliberately best-effort.
        LOG.warning(_LW("Failed to delete security group {name}").format(
            name=candidate))