def prepare_instance_filter(self, instance, network_info): """Creates an NWFilter for the given instance. In the process, it makes sure the filters for the provider blocks, security groups, and base filter are all in place. """ self.refresh_provider_fw_rules() ctxt = context.get_admin_context() instance_secgroup_filter_name = \ '%s-secgroup' % (self._instance_filter_name(instance)) instance_secgroup_filter_children = [ 'engine-base-ipv4', 'engine-base-ipv6', 'engine-allow-dhcp-server' ] if FLAGS.use_ipv6: networks = [ network for (network, info) in network_info if info['gateway_v6'] ] if networks: instance_secgroup_filter_children.\ append('engine-allow-ra-server') for security_group in \ db.security_group_get_by_instance(ctxt, instance['id']): self.refresh_security_group_rules(security_group['id']) instance_secgroup_filter_children.append('engine-secgroup-%s' % security_group['id']) self._define_filter( self._filter_container(instance_secgroup_filter_name, instance_secgroup_filter_children)) network_filters = self.\ _create_network_filters(instance, network_info, instance_secgroup_filter_name) for (name, children) in network_filters: self._define_filters(name, children)
def prepare_instance_filter(self, instance, network_info): """Creates an NWFilter for the given instance. In the process, it makes sure the filters for the provider blocks, security groups, and base filter are all in place. """ self.refresh_provider_fw_rules() ctxt = context.get_admin_context() instance_secgroup_filter_name = \ '%s-secgroup' % (self._instance_filter_name(instance)) instance_secgroup_filter_children = ['engine-base-ipv4', 'engine-base-ipv6', 'engine-allow-dhcp-server'] if FLAGS.use_ipv6: networks = [network for (network, info) in network_info if info['gateway_v6']] if networks: instance_secgroup_filter_children.\ append('engine-allow-ra-server') for security_group in \ db.security_group_get_by_instance(ctxt, instance['id']): self.refresh_security_group_rules(security_group['id']) instance_secgroup_filter_children.append('engine-secgroup-%s' % security_group['id']) self._define_filter( self._filter_container(instance_secgroup_filter_name, instance_secgroup_filter_children)) network_filters = self.\ _create_network_filters(instance, network_info, instance_secgroup_filter_name) for (name, children) in network_filters: self._define_filters(name, children)
def instance_rules(instance, network_info): ctxt = context.get_admin_context() ipv4_rules = [] ipv6_rules = [] # Always drop invalid packets ipv4_rules += ['-m state --state ' 'INVALID -j DROP'] ipv6_rules += ['-m state --state ' 'INVALID -j DROP'] # Allow established connections ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT'] ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT'] # Pass through provider-wide drops ipv4_rules += ['-j $provider'] ipv6_rules += ['-j $provider'] dhcp_servers = [info['dhcp_server'] for (_n, info) in network_info] for dhcp_server in dhcp_servers: ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 ' '-j ACCEPT' % (dhcp_server, )) #Allow project network traffic if FLAGS.allow_same_net_traffic: cidrs = [network['cidr'] for (network, _m) in network_info] for cidr in cidrs: ipv4_rules.append('-s %s -j ACCEPT' % (cidr, )) # We wrap these in FLAGS.use_ipv6 because they might cause # a DB lookup. The other ones are just list operations, so # they're not worth the clutter. if FLAGS.use_ipv6: # Allow RA responses gateways_v6 = [ mapping['gateway_v6'] for (_n, mapping) in network_info ] for gateway_v6 in gateways_v6: ipv6_rules.append('-s %s/128 -p icmpv6 -j ACCEPT' % (gateway_v6, )) #Allow project network traffic if FLAGS.allow_same_net_traffic: cidrv6s = [ network['cidr_v6'] for (network, _m) in network_info ] for cidrv6 in cidrv6s: ipv6_rules.append('-s %s -j ACCEPT' % (cidrv6, )) security_groups = db.security_group_get_by_instance( ctxt, instance['id']) # then, security group chains and rules for security_group in security_groups: rules = db.security_group_rule_get_by_security_group( ctxt, security_group['id']) for rule in rules: LOG.debug(_('Adding security group rule: %r'), rule) if not rule.cidr: version = 4 else: version = netutils.get_ip_version(rule.cidr) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule.protocol if version == 6 and rule.protocol == 'icmp': protocol = 'icmpv6' args = ['-j ACCEPT'] if protocol: args += ['-p', protocol] if protocol in ['udp', 'tcp']: if rule.from_port == rule.to_port: args += ['--dport', '%s' % (rule.from_port, )] else: args += [ '-m', 'multiport', '--dports', '%s:%s' % (rule.from_port, rule.to_port) ] elif protocol == 'icmp': icmp_type = rule.from_port icmp_code = rule.to_port if icmp_type == -1: icmp_type_arg = None else: icmp_type_arg = '%s' % icmp_type if not icmp_code == -1: icmp_type_arg += '/%s' % icmp_code if icmp_type_arg: if version == 4: args += [ '-m', 'icmp', '--icmp-type', icmp_type_arg ] elif version == 6: args += [ '-m', 'icmp6', '--icmpv6-type', icmp_type_arg ] if rule.cidr: LOG.info('Using cidr %r', rule.cidr) args += ['-s', rule.cidr] fw_rules += [' '.join(args)] else: if rule['grantee_group']: for instance in rule['grantee_group']['instances']: LOG.info('instance: %r', instance) ips = db.instance_get_fixed_addresses( ctxt, instance['id']) LOG.info('ips: %r', ips) for ip in ips: subrule = args + ['-s %s' % ip] fw_rules += [' '.join(subrule)] LOG.info('Using fw_rules: %r', fw_rules) ipv4_rules += ['-j $sg-fallback'] ipv6_rules += ['-j $sg-fallback'] return ipv4_rules, ipv6_rules
def get_metadata(self, address): ctxt = context.get_admin_context() search_opts = {'fixed_ip': address, 'deleted': False} try: instance_ref = self.compute_api.get_all(ctxt, search_opts=search_opts) except exception.NotFound: instance_ref = None if not instance_ref: return None # This ensures that all attributes of the instance # are populated. instance_ref = db.instance_get(ctxt, instance_ref[0]['id']) mpi = self._get_mpi_data(ctxt, instance_ref['project_id']) hostname = "%s.%s" % (instance_ref['hostname'], FLAGS.dhcp_domain) host = instance_ref['host'] services = db.service_get_all_by_host(ctxt.elevated(), host) availability_zone = ec2utils.get_availability_zone_by_host( services, host) ip_info = ec2utils.get_ip_info_for_instance(ctxt, instance_ref) floating_ips = ip_info['floating_ips'] floating_ip = floating_ips and floating_ips[0] or '' ec2_id = ec2utils.id_to_ec2_id(instance_ref['id']) image_ec2_id = ec2utils.image_ec2_id(instance_ref['image_ref']) security_groups = db.security_group_get_by_instance( ctxt, instance_ref['id']) security_groups = [x['name'] for x in security_groups] mappings = self._format_instance_mapping(ctxt, instance_ref) data = { 'user-data': base64.b64decode(instance_ref['user_data']), 'meta-data': { 'ami-id': image_ec2_id, 'ami-launch-index': instance_ref['launch_index'], 'ami-manifest-path': 'FIXME', 'block-device-mapping': mappings, 'hostname': hostname, 'instance-action': 'none', 'instance-id': ec2_id, 'instance-type': instance_ref['instance_type']['name'], 'local-hostname': hostname, 'local-ipv4': address, 'placement': { 'availability-zone': availability_zone }, 'public-hostname': hostname, 'public-ipv4': floating_ip, 'reservation-id': instance_ref['reservation_id'], 'security-groups': security_groups, 'mpi': mpi } } # public-keys should be in meta-data only if user specified one if instance_ref['key_name']: data['meta-data']['public-keys'] = { '0': { '_name': instance_ref['key_name'], 'openssh-key': instance_ref['key_data'] } } for image_type in ['kernel', 'ramdisk']: if instance_ref.get('%s_id' % image_type): ec2_id = ec2utils.image_ec2_id( instance_ref['%s_id' % image_type], ec2utils.image_type(image_type)) data['meta-data']['%s-id' % image_type] = ec2_id if False: # TODO(vish): store ancestor ids data['ancestor-ami-ids'] = [] if False: # TODO(vish): store product codes data['product-codes'] = [] return data
def instance_rules(instance, network_info): ctxt = context.get_admin_context() ipv4_rules = [] ipv6_rules = [] # Always drop invalid packets ipv4_rules += ['-m state --state ' 'INVALID -j DROP'] ipv6_rules += ['-m state --state ' 'INVALID -j DROP'] # Allow established connections ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT'] ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT'] # Pass through provider-wide drops ipv4_rules += ['-j $provider'] ipv6_rules += ['-j $provider'] dhcp_servers = [info['dhcp_server'] for (_n, info) in network_info] for dhcp_server in dhcp_servers: ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 ' '-j ACCEPT' % (dhcp_server,)) #Allow project network traffic if FLAGS.allow_same_net_traffic: cidrs = [network['cidr'] for (network, _m) in network_info] for cidr in cidrs: ipv4_rules.append('-s %s -j ACCEPT' % (cidr,)) # We wrap these in FLAGS.use_ipv6 because they might cause # a DB lookup. The other ones are just list operations, so # they're not worth the clutter. if FLAGS.use_ipv6: # Allow RA responses gateways_v6 = [mapping['gateway_v6'] for (_n, mapping) in network_info] for gateway_v6 in gateways_v6: ipv6_rules.append( '-s %s/128 -p icmpv6 -j ACCEPT' % (gateway_v6,)) #Allow project network traffic if FLAGS.allow_same_net_traffic: cidrv6s = [network['cidr_v6'] for (network, _m) in network_info] for cidrv6 in cidrv6s: ipv6_rules.append('-s %s -j ACCEPT' % (cidrv6,)) security_groups = db.security_group_get_by_instance(ctxt, instance['id']) # then, security group chains and rules for security_group in security_groups: rules = db.security_group_rule_get_by_security_group(ctxt, security_group['id']) for rule in rules: LOG.debug(_('Adding security group rule: %r'), rule) if not rule.cidr: version = 4 else: version = netutils.get_ip_version(rule.cidr) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule.protocol if version == 6 and rule.protocol == 'icmp': protocol = 'icmpv6' args = ['-j ACCEPT'] if protocol: args += ['-p', protocol] if protocol in ['udp', 'tcp']: if rule.from_port == rule.to_port: args += ['--dport', '%s' % (rule.from_port,)] else: args += ['-m', 'multiport', '--dports', '%s:%s' % (rule.from_port, rule.to_port)] elif protocol == 'icmp': icmp_type = rule.from_port icmp_code = rule.to_port if icmp_type == -1: icmp_type_arg = None else: icmp_type_arg = '%s' % icmp_type if not icmp_code == -1: icmp_type_arg += '/%s' % icmp_code if icmp_type_arg: if version == 4: args += ['-m', 'icmp', '--icmp-type', icmp_type_arg] elif version == 6: args += ['-m', 'icmp6', '--icmpv6-type', icmp_type_arg] if rule.cidr: LOG.info('Using cidr %r', rule.cidr) args += ['-s', rule.cidr] fw_rules += [' '.join(args)] else: if rule['grantee_group']: for instance in rule['grantee_group']['instances']: LOG.info('instance: %r', instance) ips = db.instance_get_fixed_addresses(ctxt, instance['id']) LOG.info('ips: %r', ips) for ip in ips: subrule = args + ['-s %s' % ip] fw_rules += [' '.join(subrule)] LOG.info('Using fw_rules: %r', fw_rules) ipv4_rules += ['-j $sg-fallback'] ipv6_rules += ['-j $sg-fallback'] return ipv4_rules, ipv6_rules
def get_metadata(self, address): ctxt = context.get_admin_context() search_opts = {'fixed_ip': address, 'deleted': False} try: instance_ref = self.compute_api.get_all(ctxt, search_opts=search_opts) except exception.NotFound: instance_ref = None if not instance_ref: return None # This ensures that all attributes of the instance # are populated. instance_ref = db.instance_get(ctxt, instance_ref[0]['id']) mpi = self._get_mpi_data(ctxt, instance_ref['project_id']) hostname = "%s.%s" % (instance_ref['hostname'], FLAGS.dhcp_domain) host = instance_ref['host'] services = db.service_get_all_by_host(ctxt.elevated(), host) availability_zone = ec2utils.get_availability_zone_by_host(services, host) ip_info = ec2utils.get_ip_info_for_instance(ctxt, instance_ref) floating_ips = ip_info['floating_ips'] floating_ip = floating_ips and floating_ips[0] or '' ec2_id = ec2utils.id_to_ec2_id(instance_ref['id']) image_ec2_id = ec2utils.image_ec2_id(instance_ref['image_ref']) security_groups = db.security_group_get_by_instance(ctxt, instance_ref['id']) security_groups = [x['name'] for x in security_groups] mappings = self._format_instance_mapping(ctxt, instance_ref) data = { 'user-data': base64.b64decode(instance_ref['user_data']), 'meta-data': { 'ami-id': image_ec2_id, 'ami-launch-index': instance_ref['launch_index'], 'ami-manifest-path': 'FIXME', 'block-device-mapping': mappings, 'hostname': hostname, 'instance-action': 'none', 'instance-id': ec2_id, 'instance-type': instance_ref['instance_type']['name'], 'local-hostname': hostname, 'local-ipv4': address, 'placement': {'availability-zone': availability_zone}, 'public-hostname': hostname, 'public-ipv4': floating_ip, 'reservation-id': instance_ref['reservation_id'], 'security-groups': security_groups, 'mpi': mpi}} # public-keys should be in meta-data only if user specified one if instance_ref['key_name']: data['meta-data']['public-keys'] = { '0': {'_name': instance_ref['key_name'], 'openssh-key': instance_ref['key_data']}} for image_type in ['kernel', 'ramdisk']: if instance_ref.get('%s_id' % image_type): ec2_id = ec2utils.image_ec2_id( instance_ref['%s_id' % image_type], ec2utils.image_type(image_type)) data['meta-data']['%s-id' % image_type] = ec2_id if False: # TODO(vish): store ancestor ids data['ancestor-ami-ids'] = [] if False: # TODO(vish): store product codes data['product-codes'] = [] return data