    def _initial_secure_host(self, instance, ports=None):
        """
        Lock down the host in its default state.

        Creates one chain named after the instance in both the IPv4 and
        the IPv6 filter table and applies the iptables manager.  No rules
        are added to those chains yet (see the note below), so ``ports``
        is accepted but currently unused.
        """

        # TODO(tim.simpson) This hangs if the "lock_path" FLAG value refers to
        #                   a directory which can't be locked.  It'd be nice
        #                   if we could somehow detect that and raise an error
        #                   instead.

        # Resolve the instance's fixed address and its network.  Neither
        # value is consumed below yet; they are fetched for the port-based
        # rules that are still to be written.
        ctxt = context.get_admin_context()
        ip = db.instance_get_fixed_address(ctxt, instance["id"])
        network = db.fixed_ip_get_network(ctxt, ip)

        # One per-instance chain in each address family's filter table.
        chain_name = instance["name"]
        manager = linux_net.iptables_manager
        for table in (manager.ipv4["filter"], manager.ipv6["filter"]):
            table.add_chain(chain_name)

        # As of right now there is no API call to manage security
        # so there are no rules applied, this really is just a pass.
        # The thought here is to allow us to pass a list of ports
        # that should be globally open and lock down the rest but
        # cannot implement this until the API passes a security
        # context object down to us.

        # Push the (still empty) chains to the kernel.
        manager.apply()
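    def _add_ip(self, instance, netif="eth0", if_file="etc/network/interfaces"):
        """
        Add an ip to the container.

        Renders FLAGS.ovz_network_template with the instance's fixed
        address, netmask and gateway and appends the result to the
        container's interfaces file, located at ``if_file`` relative to
        the container's private directory.

        :param instance: instance dict; ``instance["id"]`` selects the
                         fixed address and the private directory.
        :param netif: interface name substituted for ``gateway_dev``.
        :param if_file: interfaces file path, relative to the container's
                        private directory.
        :raises exception.Error: on any failure while rendering or writing;
                                 the underlying error is logged first.
        """
        ctxt = context.get_admin_context()
        ip = db.instance_get_fixed_address(ctxt, instance["id"])
        network = db.fixed_ip_get_network(ctxt, ip)
        net_path = "%s/%s" % (FLAGS.ovz_ve_private_dir, instance["id"])
        if_file_path = net_path + "/" + if_file

        # Every path used below is built from net_path, so the process-wide
        # os.chdir() the old code did is not needed and is not done here:
        # a service-wide cwd change would affect every other relative path
        # opened by this process.
        try:
            with open(FLAGS.ovz_network_template) as fh:
                network_file = fh.read() % {
                    "gateway_dev": netif,
                    "address": ip,
                    "netmask": network["netmask"],
                    "gateway": network["gateway"],
                }

            # TODO(imsplitbit): Find a way to write to this file without
            # mangling the perms.
            # The file is world-writable only for the duration of the
            # append; the finally block restores 0644 even when the write
            # fails, so a failed call cannot leave it writable to every
            # local user.
            utils.execute("sudo", "chmod", "666", if_file_path)
            try:
                with open(if_file_path, "a") as fh:
                    fh.write(network_file)
            finally:
                utils.execute("sudo", "chmod", "644", if_file_path)

        except Exception as err:
            LOG.error(err)
            raise exception.Error("Error adding IP")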
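def is_allocated_in_project(address, project_id):
    """Returns true if address is in specified project.

    ``address`` counts as allocated in ``project_id`` when it is still
    bound to an instance (the binding lasts until the address is released)
    and the network it belongs to is the project's network.
    """
    # A single admin context serves all three lookups.
    ctxt = context.get_admin_context()
    project_net = db.project_get_network(ctxt, project_id)
    network = db.fixed_ip_get_network(ctxt, address)
    instance = db.fixed_ip_get_instance(ctxt, address)
    # instance exists until release
    return instance is not None and network['id'] == project_net['id']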
 def allocate_fixed_ip(self, context, instance_id, *args, **kwargs):
     """Setup dhcp for this network.

     Lets the parent manager allocate the address, then asks the driver
     to refresh dhcp for that address's network unless
     FLAGS.fake_network is set.  Returns the allocated address.
     """
     parent = super(FlatDHCPManager, self)
     address = parent.allocate_fixed_ip(context, instance_id,
                                        *args, **kwargs)
     # The network lookup is done whether or not dhcp gets refreshed.
     network_ref = db.fixed_ip_get_network(context, address)
     if FLAGS.fake_network:
         return address
     self.driver.update_dhcp(context, network_ref['id'])
     return address
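 def _is_allocated_in_project(self, address, project_id):
     """Returns true if address is in specified project.

     The network is resolved from FLAGS.flat_network_bridge rather than
     from ``project_id``, which is accepted for interface compatibility
     but not consulted here.  The address counts as allocated when it is
     still bound to an instance and sits on that bridge's network.
     """
     # A single admin context serves all three lookups.
     ctxt = context.get_admin_context()
     project_net = db.network_get_by_bridge(ctxt, FLAGS.flat_network_bridge)
     network = db.fixed_ip_get_network(ctxt, address)
     instance = db.fixed_ip_get_instance(ctxt, address)
     # instance exists until release
     return instance is not None and network['id'] == project_net['id']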
 def allocate_fixed_ip(self, context, instance_id, *args, **kwargs):
     """Setup dhcp for this network.

     Allocation itself is delegated to the parent class; this override
     only refreshes dhcp on the driver for the network of the new
     address (skipped when FLAGS.fake_network is set) and hands the
     address back to the caller.
     """
     address = super(FlatDHCPManager, self).allocate_fixed_ip(
         context, instance_id, *args, **kwargs)
     network_ref = db.fixed_ip_get_network(context, address)
     refresh_dhcp = not FLAGS.fake_network
     if refresh_dhcp:
         self.driver.update_dhcp(context, network_ref['id'])
     return address
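def release_ip(private_ip):
    """Run del command on dhcpbridge.

    Looks up the network and the instance bound to ``private_ip`` and
    invokes ``nova-dhcpbridge del`` with that instance's mac address,
    setting DNSMASQ_INTERFACE to the network's bridge, TESTING=1 and
    FLAGFILE to FLAGS.dhcpbridge_flagfile.  The command's output is
    logged at debug level.
    """
    # A single admin context serves both lookups.
    ctxt = context.get_admin_context()
    network_ref = db.fixed_ip_get_network(ctxt, private_ip)
    instance_ref = db.fixed_ip_get_instance(ctxt, private_ip)
    # Passed as an argument tuple, not a shell string, so the address and
    # mac are handed to the program verbatim.
    cmd = (binpath('nova-dhcpbridge'), 'del',
           instance_ref['mac_address'],
           private_ip, 'fake')
    env = {'DNSMASQ_INTERFACE': network_ref['bridge'],
           'TESTING': '1',
           'FLAGFILE': FLAGS.dhcpbridge_flagfile}
    (out, err) = utils.execute(*cmd, addl_env=env)
    LOG.debug("RELEASE_IP: %s, %s ", out, err)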
    def _set_nameserver(self, instance):
        """
        Get the nameserver for the assigned network and set it using
        OpenVz's tools.

        The dns value of the instance's network is written into the
        container config via ``vzctl set --save --nameserver``.  Text on
        stderr is logged but does not count as failure; an exception from
        the command is logged and re-raised as exception.Error.
        """
        ctxt = context.get_admin_context()
        ip = db.instance_get_fixed_address(ctxt, instance["id"])
        network = db.fixed_ip_get_network(ctxt, ip)

        # Argument list form: nothing here goes through a shell.
        cmd = ("sudo", "vzctl", "set", instance["id"],
               "--save", "--nameserver", network["dns"])
        try:
            _, stderr_text = utils.execute(*cmd)
            if stderr_text:
                LOG.error(stderr_text)
        except Exception as err:
            LOG.error(err)
            raise exception.Error("Unable to set nameserver for %s" % instance["id"])