def resource_list(self, context, filters=None, fields=None):
ret_list = []
# collect phase
all_sgs = []
if filters and 'tenant_id' in filters:
project_ids = self._validate_project_ids(context,
filters['tenant_id'])
for p_id in project_ids:
project_sgs = sg_handler.SecurityGroupHandler(
self._vnc_lib).resource_list_by_project(p_id)
all_sgs.append(project_sgs)
else: # no filters
p_id = None
if context and not context['is_admin']:
p_id = self._project_id_neutron_to_vnc(context['tenant'])
project_sgs = sg_handler.SecurityGroupHandler(
self._vnc_lib).resource_list_by_project(p_id)
all_sgs.append(project_sgs)
# prune phase
for project_sgs in all_sgs:
for sg_obj in project_sgs:
# TODO() implement same for name specified in filter
sgr_info = self.security_group_rules_read(sg_obj,
fields=fields,
filters=filters)
if sgr_info:
ret_list.extend(sgr_info)
return ret_list
def _security_group_rule_delete(self, sg_obj, sg_rule):
rules = sg_obj.get_security_group_entries()
rules.get_policy_rule().remove(sg_rule)
sg_obj.set_security_group_entries(rules)
sg_handler.SecurityGroupHandler(
self._vnc_lib).resource_update_obj(sg_obj)
return
def _create_vmi_obj(self, port_q, vn_obj):
project_id = self._project_id_neutron_to_vnc(port_q['tenant_id'])
try:
proj_obj = self._project_read(proj_id=project_id)
except vnc_exc.NoIdError:
self._raise_contrail_exception('ProjectNotFound',
projec_id=project_id,
resource='port')
id_perms = vnc_api.IdPermsType(enable=True)
vmi_uuid = str(uuid.uuid4())
if port_q.get('name'):
vmi_name = port_q['name']
else:
vmi_name = vmi_uuid
vmi_obj = vnc_api.VirtualMachineInterface(vmi_name,
proj_obj,
id_perms=id_perms)
vmi_obj.uuid = vmi_uuid
vmi_obj.set_virtual_network(vn_obj)
vmi_obj.set_security_group_list([])
if ('security_groups' not in port_q
or port_q['security_groups'].__class__ is object):
sg_obj = vnc_api.SecurityGroup("default", proj_obj)
uid = sg_handler.SecurityGroupHandler(
self._vnc_lib)._ensure_default_security_group_exists(
proj_obj.uuid)
sg_obj.uuid = uid
vmi_obj.add_security_group(sg_obj)
return vmi_obj
def _prepare_res_handlers(self):
contrail_extension_enabled = cfg.CONF.APISERVER.contrail_extensions
apply_subnet_host_routes = cfg.CONF.APISERVER.apply_subnet_host_routes
kwargs = {
'contrail_extensions_enabled': contrail_extension_enabled,
'apply_subnet_host_routes': apply_subnet_host_routes
}
self._res_handlers['network'] = vn_handler.VNetworkHandler(
self._vnc_lib, **kwargs)
self._res_handlers['subnet'] = subnet_handler.SubnetHandler(
self._vnc_lib, **kwargs)
self._res_handlers['port'] = vmi_handler.VMInterfaceHandler(
self._vnc_lib, **kwargs)
self._res_handlers['router'] = rtr_handler.LogicalRouterHandler(
self._vnc_lib, **kwargs)
self._res_handlers['floatingip'] = fip_handler.FloatingIpHandler(
self._vnc_lib, **kwargs)
self._res_handlers['security_group'] = sg_handler.SecurityGroupHandler(
self._vnc_lib, **kwargs)
self._res_handlers['security_group_rule'] = (
sgrule_handler.SecurityGroupRuleHandler(self._vnc_lib, **kwargs))
self._res_handlers['ipam'] = ipam_handler.IPamHandler(
self._vnc_lib, **kwargs)
self._res_handlers['policy'] = policy_handler.PolicyHandler(
self._vnc_lib, **kwargs)
self._res_handlers['route_table'] = (
route_table_handler.RouteTableHandler(self._vnc_lib, **kwargs))
self._res_handlers['svc'] = svc_instance_handler.SvcInstanceHandler(
self._vnc_lib, **kwargs)
self._res_handlers['virtual_router'] = \
vrouter_handler.VirtualRouterHandler(self._vnc_lib, **kwargs)
def _security_group_rule_find(self, sgr_id, project_uuid=None):
dom_projects = []
if not project_uuid:
dom_projects = self._project_list_domain(None)
else:
dom_projects = [{'uuid': project_uuid}]
for project in dom_projects:
proj_id = project['uuid']
project_sgs = sg_handler.SecurityGroupHandler(
self._vnc_lib).resource_list_by_project(proj_id)
for sg_obj in project_sgs:
sgr_entries = sg_obj.get_security_group_entries()
if sgr_entries is None:
continue
for sg_rule in sgr_entries.get_policy_rule():
if sg_rule.get_rule_uuid() == sgr_id:
return sg_obj, sg_rule
return None, None
def _security_group_rule_create(self, sg_id, sg_rule, project_id):
sghandler = sg_handler.SecurityGroupHandler(self._vnc_lib)
try:
sg_vnc = sghandler.get_sg_obj(id=sg_id)
except vnc_exc.NoIdError:
self._raise_contrail_exception('SecurityGroupNotFound',
id=sg_id,
resource='security_group')
if project_id and sg_vnc.parent_uuid != self._project_id_neutron_to_vnc(
project_id):
self._raise_contrail_exception('NotFound')
rules = sg_vnc.get_security_group_entries()
if rules is None:
rules = vnc_api.PolicyEntriesType([sg_rule])
else:
rules.add_policy_rule(sg_rule)
sg_vnc.set_security_group_entries(rules)
try:
sghandler.resource_update_obj(sg_vnc)
except vnc_exc.PermissionDenied as e:
self._raise_contrail_exception('BadRequest',
resource='security_group_rule',
msg=str(e))
except vnc_exc.BadRequest as e:
self._raise_contrail_exception('BadRequest',
resource='security_group_rule',
msg=str(e.content))
except vnc_exc.RefsExistError as e:
try:
rule_uuid = str(e).split(':')[1].strip()
except IndexError:
rule_uuid = None
self._raise_contrail_exception('SecurityGroupRuleExists',
resource='security_group_rule',
id=rule_uuid)
return
def _security_group_rule_neutron_to_vnc(self, sgr_q):
# default port values
if sgr_q['protocol'] in (constants.PROTO_NAME_ICMP,
str(constants.PROTO_NUM_ICMP)):
port_min = None
port_max = None
else:
port_min = 0
port_max = 65535
if sgr_q['port_range_min'] is not None:
port_min = sgr_q['port_range_min']
if sgr_q['port_range_max'] is not None:
port_max = sgr_q['port_range_max']
if sgr_q['remote_ip_prefix'] and sgr_q['remote_group_id']:
self._raise_contrail_exception(
"BadRequest",
msg="Can't set remote_ip_prefix with remote_group_id",
resource="security_group_rule")
endpt = [vnc_api.AddressType(security_group='any')]
if sgr_q['remote_ip_prefix']:
cidr = sgr_q['remote_ip_prefix'].split('/')
pfx = cidr[0]
pfx_len = int(cidr[1])
endpt = [
vnc_api.AddressType(subnet=vnc_api.SubnetType(pfx, pfx_len))
]
elif sgr_q['remote_group_id']:
try:
sg_obj = sg_handler.SecurityGroupHandler(
self._vnc_lib).get_sg_obj(id=sgr_q['remote_group_id'])
except vnc_exc.NoIdError:
self._raise_contrail_exception('SecurityGroupNotFound',
id=sgr_q['remote_group_id'],
resource='security_group_rule')
if sgr_q.get('tenant_id') and (sg_obj.parent_uuid !=
self._project_id_neutron_to_vnc(
sgr_q['tenant_id'])):
self._raise_contrail_exception("NotFound")
endpt = [
vnc_api.AddressType(security_group=sg_obj.get_fq_name_str())
]
if sgr_q['direction'] == 'ingress':
_dir = '>'
local = endpt
remote = [vnc_api.AddressType(security_group='local')]
else:
_dir = '>'
remote = endpt
local = [vnc_api.AddressType(security_group='local')]
if not sgr_q['protocol']:
sgr_q['protocol'] = 'any'
if not sgr_q['remote_ip_prefix'] and not sgr_q['remote_group_id']:
if not sgr_q['ethertype']:
sgr_q['ethertype'] = 'IPv4'
sgr_uuid = str(uuid.uuid4()) if 'id' not in sgr_q else sgr_q['id']
rule = vnc_api.PolicyRuleType(
rule_uuid=sgr_uuid,
direction=_dir,
protocol=sgr_q['protocol'],
src_addresses=local,
src_ports=[vnc_api.PortType(0, 65535)],
dst_addresses=remote,
dst_ports=[vnc_api.PortType(port_min, port_max)],
ethertype=sgr_q['ethertype'])
return rule
def _security_group_rule_vnc_to_neutron(self,
sg_id,
sg_rule,
sg_obj=None,
fields=None):
sgr_q_dict = {}
if sg_id is None:
return sgr_q_dict
if not sg_obj:
try:
sg_obj = sg_handler.SecurityGroupHandler(
self._vnc_lib).get_sg_obj(id=sg_id)
except vnc_exc.NoIdError:
self._raise_contrail_exception('SecurityGroupNotFound',
id=sg_id,
resource='security_group_rule')
remote_cidr = None
remote_sg_uuid = None
saddr = sg_rule.get_src_addresses()[0]
daddr = sg_rule.get_dst_addresses()[0]
if saddr.get_security_group() == 'local':
direction = 'egress'
addr = daddr
elif daddr.get_security_group() == 'local':
direction = 'ingress'
addr = saddr
else:
self._raise_contrail_exception('SecurityGroupRuleNotFound',
id=sg_rule.get_rule_uuid(),
resource='security_group_rule')
if addr.get_subnet():
remote_cidr = '%s/%s' % (addr.get_subnet().get_ip_prefix(),
addr.get_subnet().get_ip_prefix_len())
elif addr.get_security_group():
if addr.get_security_group() != 'any' and (
addr.get_security_group() != 'local'):
remote_sg = addr.get_security_group()
if remote_sg != ':'.join(sg_obj.get_fq_name()):
try:
remote_sg_uuid = self._vnc_lib.fq_name_to_id(
'security-group', remote_sg.split(':'))
except vnc_exc.NoIdError:
# Filter rule out as the remote security group does not
# exist anymore
return sgr_q_dict
else:
remote_sg_uuid = sg_obj.uuid
sgr_q_dict['id'] = sg_rule.get_rule_uuid()
sgr_q_dict['tenant_id'] = self._project_id_vnc_to_neutron(
sg_obj.parent_uuid)
sgr_q_dict['security_group_id'] = sg_obj.uuid
if hasattr(sg_rule, 'get_ethertype'):
sgr_q_dict['ethertype'] = sg_rule.get_ethertype()
else:
sgr_q_dict['ethertype'] = 'IPv4'
sgr_q_dict['direction'] = direction
proto = sg_rule.get_protocol()
sgr_q_dict['protocol'] = None if proto == 'any' else proto
port_min = sg_rule.get_dst_ports()[0].get_start_port()
if sgr_q_dict['protocol'] in (constants.PROTO_NAME_ICMP,
str(constants.PROTO_NUM_ICMP)):
sgr_q_dict['port_range_min'] = port_min
else:
sgr_q_dict['port_range_min'] = None if port_min == 0 else port_min
port_max = (sg_rule.get_dst_ports()[0].get_end_port())
sgr_q_dict['port_range_max'] = None if port_max == 65535 else port_max
sgr_q_dict['remote_ip_prefix'] = remote_cidr
sgr_q_dict['remote_group_id'] = remote_sg_uuid
if fields:
sgr_q_dict = self._filter_res_dict(sgr_q_dict, fields)
return sgr_q_dict
def initialize(self):
logger.info("Initializing ConGl (Contrail Gluon) mechanism driver ...")
logger.warn("Cfg is %s %d" % (cfg.CONF.ml2_driver_contrail.controller,
cfg.CONF.ml2_driver_contrail.port))
cfg.CONF.register_opts(vnc_extra_opts, 'APISERVER')
admin_user = cfg.CONF.keystone_authtoken.admin_user
admin_password = cfg.CONF.keystone_authtoken.admin_password
admin_tenant_name = cfg.CONF.keystone_authtoken.admin_tenant_name
try:
api_srvr_ip = cfg.CONF.ml2_driver_contrail.controller
except cfg.NoSuchOptError:
logger.info("No controller address in config - using default")
api_srvr_ip = "127.0.0.1"
try:
api_srvr_port = cfg.CONF.ml2_driver_contrail.port
except cfg.NoSuchOptError:
logger.info("No controller port in config - using default")
api_srvr_port = 8082
try:
auth_host = cfg.CONF.keystone_authtoken.auth_host
except cfg.NoSuchOptError:
auth_host = "127.0.0.1"
try:
auth_protocol = cfg.CONF.keystone_authtoken.auth_protocol
except cfg.NoSuchOptError:
auth_protocol = "http"
try:
auth_port = cfg.CONF.keystone_authtoken.auth_port
except cfg.NoSuchOptError:
auth_port = "35357"
try:
auth_url = cfg.CONF.keystone_authtoken.auth_url
except cfg.NoSuchOptError:
auth_url = "/v2.0/tokens"
try:
auth_type = cfg.CONF.auth_strategy
except cfg.NoSuchOptError:
auth_type = "keystone"
try:
api_server_url = cfg.CONF.APISERVER.api_server_url
except cfg.NoSuchOptError:
api_server_url = "/"
logger.info("Connecting to Contrail server %s : %s" %
(api_srvr_ip, api_srvr_port))
connected = False
while not connected:
try:
self._vnc_lib = vnc_api.VncApi(admin_user,
admin_password,
admin_tenant_name,
api_srvr_ip,
api_srvr_port,
api_server_url,
auth_host=auth_host,
auth_port=auth_port,
auth_protocol=auth_protocol,
auth_url=auth_url,
auth_type=auth_type)
connected = True
except requests.exceptions.RequestException:
time.sleep(3)
self.handlers = {
Hndl.VirtualNetwork: vn_res_handler.VNetworkHandler(self._vnc_lib),
Hndl.Subnet: subnet_res_handler.SubnetHandler(self._vnc_lib),
Hndl.VMInterface:
vmi_res_handler.VMInterfaceHandler(self._vnc_lib),
Hndl.SecurityGroup:
sg_res_handler.SecurityGroupHandler(self._vnc_lib),
Hndl.SGRule: sgrule_handler.SecurityGroupRuleHandler(self._vnc_lib)
}
