def prepare_instance_filter(self, instance, network_info):
"""Creates an NWFilter for the given instance.
In the process, it makes sure the filters for the provider blocks,
security groups, and base filter are all in place.
"""
self.refresh_provider_fw_rules()
ctxt = context.get_admin_context()
instance_secgroup_filter_name = \
'%s-secgroup' % (self._instance_filter_name(instance))
instance_secgroup_filter_children = [
'engine-base-ipv4', 'engine-base-ipv6', 'engine-allow-dhcp-server'
]
if FLAGS.use_ipv6:
networks = [
network for (network, info) in network_info
if info['gateway_v6']
]
if networks:
instance_secgroup_filter_children.\
append('engine-allow-ra-server')
for security_group in \
db.security_group_get_by_instance(ctxt, instance['id']):
self.refresh_security_group_rules(security_group['id'])
instance_secgroup_filter_children.append('engine-secgroup-%s' %
security_group['id'])
self._define_filter(
self._filter_container(instance_secgroup_filter_name,
instance_secgroup_filter_children))
network_filters = self.\
_create_network_filters(instance, network_info,
instance_secgroup_filter_name)
for (name, children) in network_filters:
self._define_filters(name, children)
def prepare_instance_filter(self, instance, network_info):
"""Creates an NWFilter for the given instance.
In the process, it makes sure the filters for the provider blocks,
security groups, and base filter are all in place.
"""
self.refresh_provider_fw_rules()
ctxt = context.get_admin_context()
instance_secgroup_filter_name = \
'%s-secgroup' % (self._instance_filter_name(instance))
instance_secgroup_filter_children = ['engine-base-ipv4',
'engine-base-ipv6',
'engine-allow-dhcp-server']
if FLAGS.use_ipv6:
networks = [network for (network, info) in network_info if
info['gateway_v6']]
if networks:
instance_secgroup_filter_children.\
append('engine-allow-ra-server')
for security_group in \
db.security_group_get_by_instance(ctxt, instance['id']):
self.refresh_security_group_rules(security_group['id'])
instance_secgroup_filter_children.append('engine-secgroup-%s' %
security_group['id'])
self._define_filter(
self._filter_container(instance_secgroup_filter_name,
instance_secgroup_filter_children))
network_filters = self.\
_create_network_filters(instance, network_info,
instance_secgroup_filter_name)
for (name, children) in network_filters:
self._define_filters(name, children)
def instance_rules(instance, network_info):
ctxt = context.get_admin_context()
ipv4_rules = []
ipv6_rules = []
# Always drop invalid packets
ipv4_rules += ['-m state --state ' 'INVALID -j DROP']
ipv6_rules += ['-m state --state ' 'INVALID -j DROP']
# Allow established connections
ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
# Pass through provider-wide drops
ipv4_rules += ['-j $provider']
ipv6_rules += ['-j $provider']
dhcp_servers = [info['dhcp_server'] for (_n, info) in network_info]
for dhcp_server in dhcp_servers:
ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 '
'-j ACCEPT' % (dhcp_server, ))
#Allow project network traffic
if FLAGS.allow_same_net_traffic:
cidrs = [network['cidr'] for (network, _m) in network_info]
for cidr in cidrs:
ipv4_rules.append('-s %s -j ACCEPT' % (cidr, ))
# We wrap these in FLAGS.use_ipv6 because they might cause
# a DB lookup. The other ones are just list operations, so
# they're not worth the clutter.
if FLAGS.use_ipv6:
# Allow RA responses
gateways_v6 = [
mapping['gateway_v6'] for (_n, mapping) in network_info
]
for gateway_v6 in gateways_v6:
ipv6_rules.append('-s %s/128 -p icmpv6 -j ACCEPT' %
(gateway_v6, ))
#Allow project network traffic
if FLAGS.allow_same_net_traffic:
cidrv6s = [
network['cidr_v6'] for (network, _m) in network_info
]
for cidrv6 in cidrv6s:
ipv6_rules.append('-s %s -j ACCEPT' % (cidrv6, ))
security_groups = db.security_group_get_by_instance(
ctxt, instance['id'])
# then, security group chains and rules
for security_group in security_groups:
rules = db.security_group_rule_get_by_security_group(
ctxt, security_group['id'])
for rule in rules:
LOG.debug(_('Adding security group rule: %r'), rule)
if not rule.cidr:
version = 4
else:
version = netutils.get_ip_version(rule.cidr)
if version == 4:
fw_rules = ipv4_rules
else:
fw_rules = ipv6_rules
protocol = rule.protocol
if version == 6 and rule.protocol == 'icmp':
protocol = 'icmpv6'
args = ['-j ACCEPT']
if protocol:
args += ['-p', protocol]
if protocol in ['udp', 'tcp']:
if rule.from_port == rule.to_port:
args += ['--dport', '%s' % (rule.from_port, )]
else:
args += [
'-m', 'multiport', '--dports',
'%s:%s' % (rule.from_port, rule.to_port)
]
elif protocol == 'icmp':
icmp_type = rule.from_port
icmp_code = rule.to_port
if icmp_type == -1:
icmp_type_arg = None
else:
icmp_type_arg = '%s' % icmp_type
if not icmp_code == -1:
icmp_type_arg += '/%s' % icmp_code
if icmp_type_arg:
if version == 4:
args += [
'-m', 'icmp', '--icmp-type', icmp_type_arg
]
elif version == 6:
args += [
'-m', 'icmp6', '--icmpv6-type', icmp_type_arg
]
if rule.cidr:
LOG.info('Using cidr %r', rule.cidr)
args += ['-s', rule.cidr]
fw_rules += [' '.join(args)]
else:
if rule['grantee_group']:
for instance in rule['grantee_group']['instances']:
LOG.info('instance: %r', instance)
ips = db.instance_get_fixed_addresses(
ctxt, instance['id'])
LOG.info('ips: %r', ips)
for ip in ips:
subrule = args + ['-s %s' % ip]
fw_rules += [' '.join(subrule)]
LOG.info('Using fw_rules: %r', fw_rules)
ipv4_rules += ['-j $sg-fallback']
ipv6_rules += ['-j $sg-fallback']
return ipv4_rules, ipv6_rules
def get_metadata(self, address):
ctxt = context.get_admin_context()
search_opts = {'fixed_ip': address, 'deleted': False}
try:
instance_ref = self.compute_api.get_all(ctxt,
search_opts=search_opts)
except exception.NotFound:
instance_ref = None
if not instance_ref:
return None
# This ensures that all attributes of the instance
# are populated.
instance_ref = db.instance_get(ctxt, instance_ref[0]['id'])
mpi = self._get_mpi_data(ctxt, instance_ref['project_id'])
hostname = "%s.%s" % (instance_ref['hostname'], FLAGS.dhcp_domain)
host = instance_ref['host']
services = db.service_get_all_by_host(ctxt.elevated(), host)
availability_zone = ec2utils.get_availability_zone_by_host(
services, host)
ip_info = ec2utils.get_ip_info_for_instance(ctxt, instance_ref)
floating_ips = ip_info['floating_ips']
floating_ip = floating_ips and floating_ips[0] or ''
ec2_id = ec2utils.id_to_ec2_id(instance_ref['id'])
image_ec2_id = ec2utils.image_ec2_id(instance_ref['image_ref'])
security_groups = db.security_group_get_by_instance(
ctxt, instance_ref['id'])
security_groups = [x['name'] for x in security_groups]
mappings = self._format_instance_mapping(ctxt, instance_ref)
data = {
'user-data': base64.b64decode(instance_ref['user_data']),
'meta-data': {
'ami-id': image_ec2_id,
'ami-launch-index': instance_ref['launch_index'],
'ami-manifest-path': 'FIXME',
'block-device-mapping': mappings,
'hostname': hostname,
'instance-action': 'none',
'instance-id': ec2_id,
'instance-type': instance_ref['instance_type']['name'],
'local-hostname': hostname,
'local-ipv4': address,
'placement': {
'availability-zone': availability_zone
},
'public-hostname': hostname,
'public-ipv4': floating_ip,
'reservation-id': instance_ref['reservation_id'],
'security-groups': security_groups,
'mpi': mpi
}
}
# public-keys should be in meta-data only if user specified one
if instance_ref['key_name']:
data['meta-data']['public-keys'] = {
'0': {
'_name': instance_ref['key_name'],
'openssh-key': instance_ref['key_data']
}
}
for image_type in ['kernel', 'ramdisk']:
if instance_ref.get('%s_id' % image_type):
ec2_id = ec2utils.image_ec2_id(
instance_ref['%s_id' % image_type],
ec2utils.image_type(image_type))
data['meta-data']['%s-id' % image_type] = ec2_id
if False: # TODO(vish): store ancestor ids
data['ancestor-ami-ids'] = []
if False: # TODO(vish): store product codes
data['product-codes'] = []
return data
def instance_rules(instance, network_info):
ctxt = context.get_admin_context()
ipv4_rules = []
ipv6_rules = []
# Always drop invalid packets
ipv4_rules += ['-m state --state ' 'INVALID -j DROP']
ipv6_rules += ['-m state --state ' 'INVALID -j DROP']
# Allow established connections
ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
# Pass through provider-wide drops
ipv4_rules += ['-j $provider']
ipv6_rules += ['-j $provider']
dhcp_servers = [info['dhcp_server'] for (_n, info) in network_info]
for dhcp_server in dhcp_servers:
ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 '
'-j ACCEPT' % (dhcp_server,))
#Allow project network traffic
if FLAGS.allow_same_net_traffic:
cidrs = [network['cidr'] for (network, _m) in network_info]
for cidr in cidrs:
ipv4_rules.append('-s %s -j ACCEPT' % (cidr,))
# We wrap these in FLAGS.use_ipv6 because they might cause
# a DB lookup. The other ones are just list operations, so
# they're not worth the clutter.
if FLAGS.use_ipv6:
# Allow RA responses
gateways_v6 = [mapping['gateway_v6'] for (_n, mapping) in
network_info]
for gateway_v6 in gateways_v6:
ipv6_rules.append(
'-s %s/128 -p icmpv6 -j ACCEPT' % (gateway_v6,))
#Allow project network traffic
if FLAGS.allow_same_net_traffic:
cidrv6s = [network['cidr_v6'] for (network, _m) in
network_info]
for cidrv6 in cidrv6s:
ipv6_rules.append('-s %s -j ACCEPT' % (cidrv6,))
security_groups = db.security_group_get_by_instance(ctxt,
instance['id'])
# then, security group chains and rules
for security_group in security_groups:
rules = db.security_group_rule_get_by_security_group(ctxt,
security_group['id'])
for rule in rules:
LOG.debug(_('Adding security group rule: %r'), rule)
if not rule.cidr:
version = 4
else:
version = netutils.get_ip_version(rule.cidr)
if version == 4:
fw_rules = ipv4_rules
else:
fw_rules = ipv6_rules
protocol = rule.protocol
if version == 6 and rule.protocol == 'icmp':
protocol = 'icmpv6'
args = ['-j ACCEPT']
if protocol:
args += ['-p', protocol]
if protocol in ['udp', 'tcp']:
if rule.from_port == rule.to_port:
args += ['--dport', '%s' % (rule.from_port,)]
else:
args += ['-m', 'multiport',
'--dports', '%s:%s' % (rule.from_port,
rule.to_port)]
elif protocol == 'icmp':
icmp_type = rule.from_port
icmp_code = rule.to_port
if icmp_type == -1:
icmp_type_arg = None
else:
icmp_type_arg = '%s' % icmp_type
if not icmp_code == -1:
icmp_type_arg += '/%s' % icmp_code
if icmp_type_arg:
if version == 4:
args += ['-m', 'icmp', '--icmp-type',
icmp_type_arg]
elif version == 6:
args += ['-m', 'icmp6', '--icmpv6-type',
icmp_type_arg]
if rule.cidr:
LOG.info('Using cidr %r', rule.cidr)
args += ['-s', rule.cidr]
fw_rules += [' '.join(args)]
else:
if rule['grantee_group']:
for instance in rule['grantee_group']['instances']:
LOG.info('instance: %r', instance)
ips = db.instance_get_fixed_addresses(ctxt,
instance['id'])
LOG.info('ips: %r', ips)
for ip in ips:
subrule = args + ['-s %s' % ip]
fw_rules += [' '.join(subrule)]
LOG.info('Using fw_rules: %r', fw_rules)
ipv4_rules += ['-j $sg-fallback']
ipv6_rules += ['-j $sg-fallback']
return ipv4_rules, ipv6_rules
def get_metadata(self, address):
ctxt = context.get_admin_context()
search_opts = {'fixed_ip': address, 'deleted': False}
try:
instance_ref = self.compute_api.get_all(ctxt,
search_opts=search_opts)
except exception.NotFound:
instance_ref = None
if not instance_ref:
return None
# This ensures that all attributes of the instance
# are populated.
instance_ref = db.instance_get(ctxt, instance_ref[0]['id'])
mpi = self._get_mpi_data(ctxt, instance_ref['project_id'])
hostname = "%s.%s" % (instance_ref['hostname'], FLAGS.dhcp_domain)
host = instance_ref['host']
services = db.service_get_all_by_host(ctxt.elevated(), host)
availability_zone = ec2utils.get_availability_zone_by_host(services,
host)
ip_info = ec2utils.get_ip_info_for_instance(ctxt, instance_ref)
floating_ips = ip_info['floating_ips']
floating_ip = floating_ips and floating_ips[0] or ''
ec2_id = ec2utils.id_to_ec2_id(instance_ref['id'])
image_ec2_id = ec2utils.image_ec2_id(instance_ref['image_ref'])
security_groups = db.security_group_get_by_instance(ctxt,
instance_ref['id'])
security_groups = [x['name'] for x in security_groups]
mappings = self._format_instance_mapping(ctxt, instance_ref)
data = {
'user-data': base64.b64decode(instance_ref['user_data']),
'meta-data': {
'ami-id': image_ec2_id,
'ami-launch-index': instance_ref['launch_index'],
'ami-manifest-path': 'FIXME',
'block-device-mapping': mappings,
'hostname': hostname,
'instance-action': 'none',
'instance-id': ec2_id,
'instance-type': instance_ref['instance_type']['name'],
'local-hostname': hostname,
'local-ipv4': address,
'placement': {'availability-zone': availability_zone},
'public-hostname': hostname,
'public-ipv4': floating_ip,
'reservation-id': instance_ref['reservation_id'],
'security-groups': security_groups,
'mpi': mpi}}
# public-keys should be in meta-data only if user specified one
if instance_ref['key_name']:
data['meta-data']['public-keys'] = {
'0': {'_name': instance_ref['key_name'],
'openssh-key': instance_ref['key_data']}}
for image_type in ['kernel', 'ramdisk']:
if instance_ref.get('%s_id' % image_type):
ec2_id = ec2utils.image_ec2_id(
instance_ref['%s_id' % image_type],
ec2utils.image_type(image_type))
data['meta-data']['%s-id' % image_type] = ec2_id
if False: # TODO(vish): store ancestor ids
data['ancestor-ami-ids'] = []
if False: # TODO(vish): store product codes
data['product-codes'] = []
return data
