def _create_default_security_group(self, proj_dict):
proj_obj = vnc_api.Project.from_dict(**proj_dict)
sgr_uuid = str(uuid.uuid4())
ingress_rule = PolicyRuleType(
rule_uuid=sgr_uuid,
direction='>',
protocol='any',
src_addresses=[
AddressType(security_group=proj_obj.get_fq_name_str() + ':' +
'default')
],
src_ports=[PortType(0, 65535)],
dst_addresses=[AddressType(security_group='local')],
dst_ports=[PortType(0, 65535)])
sg_rules = PolicyEntriesType([ingress_rule])
sgr_uuid = str(uuid.uuid4())
egress_rule = PolicyRuleType(
rule_uuid=sgr_uuid,
direction='>',
protocol='any',
src_addresses=[AddressType(security_group='local')],
src_ports=[PortType(0, 65535)],
dst_addresses=[AddressType(subnet=SubnetType('0.0.0.0', 0))],
dst_ports=[PortType(0, 65535)])
sg_rules.add_policy_rule(egress_rule)
# create security group
sg_obj = vnc_api.SecurityGroup(name='default',
parent_obj=proj_obj,
security_group_entries=sg_rules)
self._vnc_lib.security_group_create(sg_obj)
def _create_vmi_obj(self, port_q, vn_obj):
project_id = self._project_id_neutron_to_vnc(port_q['tenant_id'])
try:
proj_obj = self._project_read(proj_id=project_id)
except vnc_exc.NoIdError:
self._raise_contrail_exception(
'ProjectNotFound',
projec_id=project_id, resource='port')
id_perms = vnc_api.IdPermsType(enable=True)
vmi_uuid = str(uuid.uuid4())
if port_q.get('name'):
vmi_name = port_q['name']
else:
vmi_name = vmi_uuid
vmi_obj = vnc_api.VirtualMachineInterface(vmi_name, proj_obj,
id_perms=id_perms)
vmi_obj.uuid = vmi_uuid
vmi_obj.set_virtual_network(vn_obj)
vmi_obj.set_security_group_list([])
if ('security_groups' not in port_q or
port_q['security_groups'].__class__ is object):
sg_obj = vnc_api.SecurityGroup("default", proj_obj)
uid = sg_handler.SecurityGroupHandler(
self._vnc_lib)._ensure_default_security_group_exists(
proj_obj.uuid)
sg_obj.uuid = uid
vmi_obj.add_security_group(sg_obj)
return vmi_obj
def construct_security_group(project):
security_group = vnc_api.SecurityGroup(name=VNC_VCENTER_DEFAULT_SG,
parent_obj=project)
security_group_entry = vnc_api.PolicyEntriesType()
ingress_rule = vnc_api.PolicyRuleType(
rule_uuid=str(uuid4()),
direction='>',
protocol='any',
src_addresses=[vnc_api.AddressType(
security_group=':'.join(VNC_VCENTER_DEFAULT_SG_FQN))],
src_ports=[vnc_api.PortType(0, 65535)],
dst_addresses=[vnc_api.AddressType(security_group='local')],
dst_ports=[vnc_api.PortType(0, 65535)],
ethertype='IPv4',
)
egress_rule = vnc_api.PolicyRuleType(
rule_uuid=str(uuid4()),
direction='>',
protocol='any',
src_addresses=[vnc_api.AddressType(security_group='local')],
src_ports=[vnc_api.PortType(0, 65535)],
dst_addresses=[vnc_api.AddressType(subnet=vnc_api.SubnetType('0.0.0.0', 0))],
dst_ports=[vnc_api.PortType(0, 65535)],
ethertype='IPv4',
)
security_group_entry.add_policy_rule(ingress_rule)
security_group_entry.add_policy_rule(egress_rule)
security_group.set_security_group_entries(security_group_entry)
return security_group
def _create_default_security_group(vnc_lib, proj_obj):
def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
addr = AddressType(
security_group=proj_obj.get_fq_name_str() + ':' + sg)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
rules = [_get_rule(True, 'default', None, 'IPv4'),
_get_rule(True, 'default', None, 'IPv6'),
_get_rule(False, None, '0.0.0.0', 'IPv4'),
_get_rule(False, None, '::', 'IPv6')]
sg_rules = PolicyEntriesType(rules)
# create security group
sg_obj = vnc_api.SecurityGroup(name='default', parent_obj=proj_obj,
security_group_entries=sg_rules)
vnc_lib.security_group_create(sg_obj)
def _create_security_group(self, sg_q):
project_id = self._project_id_neutron_to_vnc(sg_q['tenant_id'])
try:
project_obj = self._project_read(proj_id=project_id)
except vnc_exc.NoIdError:
raise self._raise_contrail_exception('ProjectNotFound',
project_id=project_id,
resource='security_group')
id_perms = vnc_api.IdPermsType(enable=True,
description=sg_q.get('description'))
sg_vnc = vnc_api.SecurityGroup(name=sg_q['name'],
parent_obj=project_obj,
id_perms=id_perms)
return sg_vnc
def _create_no_rule_sg(self):
domain_obj = vnc_api.Domain(SG_NO_RULE_FQ_NAME[0])
proj_obj = vnc_api.Project(SG_NO_RULE_FQ_NAME[1], domain_obj)
sg_rules = vnc_api.PolicyEntriesType()
id_perms = vnc_api.IdPermsType(
enable=True,
description="Security group with no rules",
user_visible=False)
sg_obj = vnc_api.SecurityGroup(name=SG_NO_RULE_NAME,
parent_obj=proj_obj,
security_group_entries=sg_rules,
id_perms=id_perms)
self._resource_create(sg_obj)
return sg_obj
def _create_default_security_group(vnc_lib, proj_obj):
def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
addr = AddressType(security_group=proj_obj.get_fq_name_str() +
':' + sg)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid,
direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
rules = [
_get_rule(True, 'default', None, 'IPv4'),
_get_rule(True, 'default', None, 'IPv6'),
_get_rule(False, None, '0.0.0.0', 'IPv4'),
_get_rule(False, None, '::', 'IPv6')
]
sg_rules = PolicyEntriesType(rules)
# create security group
id_perms = IdPermsType(enable=True,
description=DEFAULT_SECGROUP_DESCRIPTION)
sg_obj = vnc_api.SecurityGroup(name='default',
parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=sg_rules)
vnc_lib.security_group_create(sg_obj)
# neutron doesn't propagate user token
vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
def security_group(project):
return vnc_api.SecurityGroup(
name='security-group-name',
parent_obj=project,
)
