def _update_security_group_rules(self, load_balancer, sec_grp_id):
rules = self.neutron_client.list_security_group_rules(
security_group_id=sec_grp_id)
updated_ports = [
listener.protocol_port for listener in load_balancer.listeners
if listener.provisioning_status != constants.PENDING_DELETE and
listener.provisioning_status != constants.DELETED]
peer_ports = [
listener.peer_port for listener in load_balancer.listeners
if listener.provisioning_status != constants.PENDING_DELETE and
listener.provisioning_status != constants.DELETED]
updated_ports.extend(peer_ports)
# Just going to use port_range_max for now because we can assume that
# port_range_max and min will be the same since this driver is
# responsible for creating these rules
old_ports = [rule.get('port_range_max')
for rule in rules.get('security_group_rules', [])
# Don't remove egress rules and don't
# confuse other protocols with None ports
# with the egress rules. VRRP uses protocol
# 51 and 112
if rule.get('direction') != 'egress' and
rule.get('protocol').lower() == 'tcp']
add_ports = set(updated_ports) - set(old_ports)
del_ports = set(old_ports) - set(updated_ports)
for rule in rules.get('security_group_rules', []):
if rule.get('port_range_max') in del_ports:
self.neutron_client.delete_security_group_rule(rule.get('id'))
ethertype = self._get_ethertype_for_ip(load_balancer.vip.ip_address)
for port in add_ports:
self._create_security_group_rule(sec_grp_id, 'TCP', port_min=port,
port_max=port,
ethertype=ethertype)
# Currently we are using the VIP network for VRRP
# so we need to open up the protocols for it
if (CONF.controller_worker.loadbalancer_topology ==
constants.TOPOLOGY_ACTIVE_STANDBY):
try:
self._create_security_group_rule(
sec_grp_id,
constants.VRRP_PROTOCOL_NUM,
direction='ingress',
ethertype=ethertype)
except neutron_client_exceptions.Conflict:
# It's ok if this rule already exists
pass
except Exception as e:
raise base.PlugVIPException(str(e))
try:
self._create_security_group_rule(
sec_grp_id, constants.AUTH_HEADER_PROTOCOL_NUMBER,
direction='ingress', ethertype=ethertype)
except neutron_client_exceptions.Conflict:
# It's ok if this rule already exists
pass
except Exception as e:
raise base.PlugVIPException(str(e))
def _plug_amphora_vip(self, amphora, subnet):
# We need a vip port owned by Octavia for Act/Stby and failover
try:
port = {
constants.PORT: {
constants.NAME: 'octavia-lb-vrrp-' + amphora.id,
constants.NETWORK_ID: subnet.network_id,
constants.FIXED_IPS: [{
'subnet_id': subnet.id
}],
constants.ADMIN_STATE_UP: True,
constants.DEVICE_OWNER: OCTAVIA_OWNER
}
}
new_port = self.neutron_client.create_port(port)
new_port = utils.convert_port_dict_to_model(new_port)
LOG.debug('Created vip port: %(port_id)s for amphora: %(amp)s', {
'port_id': new_port.id,
'amp': amphora.id
})
except Exception as e:
message = _('Error creating the base (VRRP) port for the VIP with '
'port details: {}').format(port)
LOG.exception(message)
raise base.PlugVIPException(message) from e
try:
interface = self.plug_port(amphora, new_port)
except Exception as e:
message = _('Error plugging amphora (compute_id: {compute_id}) '
'into vip network {network_id}.').format(
compute_id=amphora.compute_id,
network_id=subnet.network_id)
LOG.exception(message)
try:
if new_port:
self.neutron_client.delete_port(new_port.id)
LOG.debug(
'Deleted base (VRRP) port %s due to plug_port '
'failure.', new_port.id)
except Exception:
LOG.exception(
'Failed to delete base (VRRP) port %s after '
'plug_port failed. This resource is being '
'abandoned and should be manually deleted when '
'neutron is functional.', new_port.id)
raise base.PlugVIPException(message) from e
return interface
def _plug_amphora_vip(self, amphora, subnet):
# We need a vip port owned by Octavia for Act/Stby and failover
try:
port = {
'port': {
'name': 'octavia-lb-vrrp-' + amphora.id,
'network_id': subnet.network_id,
'fixed_ips': [{
'subnet_id': subnet.id
}],
'admin_state_up': True,
'device_owner': OCTAVIA_OWNER
}
}
new_port = self.neutron_client.create_port(port)
new_port = utils.convert_port_dict_to_model(new_port)
LOG.debug('Created vip port: %(port_id)s for amphora: %(amp)s', {
'port_id': new_port.id,
'amp': amphora.id
})
interface = self.plug_port(amphora, new_port)
except Exception:
message = _('Error plugging amphora (compute_id: {compute_id}) '
'into vip network {network_id}.').format(
compute_id=amphora.compute_id,
network_id=subnet.network_id)
LOG.exception(message)
raise base.PlugVIPException(message)
return interface
def _add_vip_security_group_to_port(self, load_balancer_id, port_id):
sec_grp = self._get_lb_security_group(load_balancer_id)
try:
self._add_security_group_to_port(sec_grp.get('id'), port_id)
except base.PortNotFound as e:
raise e
except base.NetworkException as e:
raise base.PlugVIPException(str(e))
def _plug_amphora_vip(self, compute_id, network_id):
try:
interface = self.plug_network(compute_id, network_id)
except Exception:
message = _LE('Error plugging amphora (compute_id: {compute_id}) '
'into vip network {network_id}.').format(
compute_id=compute_id, network_id=network_id)
LOG.exception(message)
raise base.PlugVIPException(message)
return interface
def _add_vip_address_pair(self, port_id, vip_address):
try:
self._add_allowed_address_pair_to_port(port_id, vip_address)
except neutron_client_exceptions.PortNotFoundClient as e:
raise base.PortNotFound(str(e))
except Exception:
message = _('Error adding allowed address pair {ip} '
'to port {port_id}.').format(ip=vip_address,
port_id=port_id)
LOG.exception(message)
raise base.PlugVIPException(message)
def _add_vip_security_group_to_port(self,
load_balancer_id,
port_id,
sec_grp_id=None):
sec_grp_id = (sec_grp_id
or self._get_lb_security_group(load_balancer_id).get(
constants.ID))
try:
self._add_security_group_to_port(sec_grp_id, port_id)
except base.PortNotFound:
raise
except base.NetworkException as e:
raise base.PlugVIPException(str(e))
def _update_security_group_rules(self, load_balancer, sec_grp_id):
rules = self.neutron_client.list_security_group_rules(
security_group_id=sec_grp_id)
updated_ports = []
for listener in load_balancer.listeners:
if (listener.provisioning_status
in [constants.PENDING_DELETE, constants.DELETED]):
continue
protocol = constants.PROTOCOL_TCP.lower()
if listener.protocol == constants.PROTOCOL_UDP:
protocol = constants.PROTOCOL_UDP.lower()
elif listener.protocol == lib_consts.PROTOCOL_SCTP:
protocol = lib_consts.PROTOCOL_SCTP.lower()
if listener.allowed_cidrs:
for ac in listener.allowed_cidrs:
port = (listener.protocol_port, protocol, ac.cidr)
updated_ports.append(port)
else:
port = (listener.protocol_port, protocol, None)
updated_ports.append(port)
# As the peer port will hold the tcp connection for keepalived and
# haproxy session synchronization, so here the security group rule
# should be just related with tcp protocol only.
updated_ports.append(
(listener.peer_port, constants.PROTOCOL_TCP.lower(), None))
# Just going to use port_range_max for now because we can assume that
# port_range_max and min will be the same since this driver is
# responsible for creating these rules
old_ports = []
for rule in rules.get('security_group_rules', []):
# Don't remove egress rules and don't confuse other protocols with
# None ports with the egress rules. VRRP uses protocol 51 and 112
if (rule.get('direction') == 'egress'
or rule.get('protocol').upper() not in [
constants.PROTOCOL_TCP, constants.PROTOCOL_UDP,
lib_consts.PROTOCOL_SCTP
]):
continue
old_ports.append(
(rule.get('port_range_max'), rule.get('protocol').lower(),
rule.get('remote_ip_prefix')))
add_ports = set(updated_ports) - set(old_ports)
del_ports = set(old_ports) - set(updated_ports)
for rule in rules.get('security_group_rules', []):
if (rule.get('protocol', '')
and rule.get('protocol', '').lower() in ['tcp', 'udp']
and (rule.get('port_range_max'), rule.get('protocol'),
rule.get('remote_ip_prefix')) in del_ports):
rule_id = rule.get(constants.ID)
try:
self.neutron_client.delete_security_group_rule(rule_id)
except neutron_client_exceptions.NotFound:
LOG.info(
"Security group rule %s not found, will assume "
"it is already deleted.", rule_id)
ethertype = self._get_ethertype_for_ip(load_balancer.vip.ip_address)
for port_protocol in add_ports:
self._create_security_group_rule(sec_grp_id,
port_protocol[1],
port_min=port_protocol[0],
port_max=port_protocol[0],
ethertype=ethertype,
cidr=port_protocol[2])
# Currently we are using the VIP network for VRRP
# so we need to open up the protocols for it
if load_balancer.topology == constants.TOPOLOGY_ACTIVE_STANDBY:
try:
self._create_security_group_rule(sec_grp_id,
constants.VRRP_PROTOCOL_NUM,
direction='ingress',
ethertype=ethertype)
except neutron_client_exceptions.Conflict:
# It's ok if this rule already exists
pass
except Exception as e:
raise base.PlugVIPException(str(e))
try:
self._create_security_group_rule(
sec_grp_id,
constants.AUTH_HEADER_PROTOCOL_NUMBER,
direction='ingress',
ethertype=ethertype)
except neutron_client_exceptions.Conflict:
# It's ok if this rule already exists
pass
except Exception as e:
raise base.PlugVIPException(str(e))
def _update_security_group_rules(self, load_balancer, sec_grp_id):
rules = self.neutron_client.list_security_group_rules(
security_group_id=sec_grp_id)
updated_ports = [
(listener.protocol_port, constants.PROTOCOL_TCP.lower()
if listener.protocol != constants.PROTOCOL_UDP else
constants.PROTOCOL_UDP.lower())
for listener in load_balancer.listeners
if listener.provisioning_status != constants.PENDING_DELETE
and listener.provisioning_status != constants.DELETED
]
# As the peer port will hold the tcp connection for keepalived and
# haproxy session synchronization, so here the security group rule
# should be just related with tcp protocol only.
peer_ports = [
(listener.peer_port, constants.PROTOCOL_TCP.lower())
for listener in load_balancer.listeners
if listener.provisioning_status != constants.PENDING_DELETE
and listener.provisioning_status != constants.DELETED
]
updated_ports.extend(peer_ports)
# Just going to use port_range_max for now because we can assume that
# port_range_max and min will be the same since this driver is
# responsible for creating these rules
old_ports = [
(rule.get('port_range_max'), rule.get('protocol'))
for rule in rules.get('security_group_rules', [])
# Don't remove egress rules and don't
# confuse other protocols with None ports
# with the egress rules. VRRP uses protocol
# 51 and 112
if rule.get('direction') != 'egress'
and rule.get('protocol', '').lower() in ['tcp', 'udp']
]
add_ports = set(updated_ports) - set(old_ports)
del_ports = set(old_ports) - set(updated_ports)
for rule in rules.get('security_group_rules', []):
if (rule.get('protocol', '')
and rule.get('protocol', '').lower() in ['tcp', 'udp']
and (rule.get('port_range_max'), rule.get('protocol'))
in del_ports):
rule_id = rule.get('id')
try:
self.neutron_client.delete_security_group_rule(rule_id)
except neutron_client_exceptions.NotFound:
LOG.info(
"Security group rule %s not found, will assume "
"it is already deleted.", rule_id)
ethertype = self._get_ethertype_for_ip(load_balancer.vip.ip_address)
for port_protocol in add_ports:
self._create_security_group_rule(sec_grp_id,
port_protocol[1],
port_min=port_protocol[0],
port_max=port_protocol[0],
ethertype=ethertype)
# Currently we are using the VIP network for VRRP
# so we need to open up the protocols for it
if (CONF.controller_worker.loadbalancer_topology ==
constants.TOPOLOGY_ACTIVE_STANDBY):
try:
self._create_security_group_rule(sec_grp_id,
constants.VRRP_PROTOCOL_NUM,
direction='ingress',
ethertype=ethertype)
except neutron_client_exceptions.Conflict:
# It's ok if this rule already exists
pass
except Exception as e:
raise base.PlugVIPException(str(e))
try:
self._create_security_group_rule(
sec_grp_id,
constants.AUTH_HEADER_PROTOCOL_NUMBER,
direction='ingress',
ethertype=ethertype)
except neutron_client_exceptions.Conflict:
# It's ok if this rule already exists
pass
except Exception as e:
raise base.PlugVIPException(str(e))
