Commit b35254cf authored by Christos Stavrakakis's avatar Christos Stavrakakis

cyclades: Set firewall profile per NIC

Set the firewall profile per NIC, because since Floating IPs an instance can
have more than one NIC in a public network. Extend the API call to take
the NIC index as an argument, and modify the Ganeti instance tags to be
formatted with the NIC index.
parent 754d0a2c
......@@ -49,7 +49,8 @@
#DEFAULT_MAC_FILTERED_BRIDGE = 'prv0'
#
#
## Firewalling
## Firewall tags should contain '%d' to be filled with the NIC
## index.
#GANETI_FIREWALL_ENABLED_TAG = 'synnefo:network:0:protected'
#GANETI_FIREWALL_DISABLED_TAG = 'synnefo:network:0:unprotected'
#GANETI_FIREWALL_PROTECTED_TAG = 'synnefo:network:0:limited'
......
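Review bot: The example tag values shown right under the newly added comment still read `'synnefo:network:0:protected'` (and the `unprotected`/`limited` variants), while the comment says the tags should contain `'%d'`; whether those three lines are unchanged context is not certain from this rendering, but as shown a deployer who uncomments them gets tags with no format specifier, and the `tag % index` formatting the backend now performs would then fail with TypeError instead of producing a per-NIC tag. Update the example to `#GANETI_FIREWALL_ENABLED_TAG = 'synnefo:network:%d:protected'` and likewise for the other two, so the documented example matches the live defaults changed elsewhere in this commit.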
......@@ -693,7 +693,8 @@ def set_firewall_profile(request, vm, args):
profile = args.get("profile")
if profile is None:
raise faults.BadRequest("Missing 'profile' attribute")
servers.set_firewall_profile(vm, profile=profile)
index = args.get("index", 0)
servers.set_firewall_profile(vm, profile=profile, index=index)
return HttpResponse(status=202)
......
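Review bot: `index = args.get("index", 0)` on the new line takes the NIC index straight from the request body with no type or range check, so a string, float, negative or oversized value reaches the backend where it is `%d`-formatted into a Ganeti tag; a non-integer fails there with TypeError (a 500 rather than a 400), and a negative or out-of-range integer yields a tag for a NIC the instance does not have. Validate at the API boundary, e.g. `if not isinstance(index, int) or index < 0: raise faults.BadRequest("Invalid 'index' attribute")`, before calling servers.set_firewall_profile. The same gap exists in the logic-layer hunk for servers.set_firewall_profile, which validates profile but passes index through unchecked. The enclosing set_firewall_profile view starts outside the hunk.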
......@@ -21,7 +21,7 @@ POLL_LIMIT = 3600
# network of this list. If the special network ID "SNF:ANY_PUBLIC" is used,
# Cyclades will automatically choose a public network and connect the server to
# it.
DEFAULT_INSTANCE_NETWORKS=["SNF:ANY_PUBLIC"]
DEFAULT_INSTANCE_NETWORKS = ["SNF:ANY_PUBLIC"]
# Maximum allowed network size for private networks.
MAX_CIDR_BLOCK = 22
......@@ -48,10 +48,11 @@ DEFAULT_ROUTING_TABLE = 'snf_public'
DEFAULT_MAC_FILTERED_BRIDGE = 'prv0'
# Firewalling
GANETI_FIREWALL_ENABLED_TAG = 'synnefo:network:0:protected'
GANETI_FIREWALL_DISABLED_TAG = 'synnefo:network:0:unprotected'
GANETI_FIREWALL_PROTECTED_TAG = 'synnefo:network:0:limited'
# Firewalling. Firewall tags should contain '%d' to be filled with the NIC
# index.
GANETI_FIREWALL_ENABLED_TAG = 'synnefo:network:%d:protected'
GANETI_FIREWALL_DISABLED_TAG = 'synnefo:network:%d:unprotected'
GANETI_FIREWALL_PROTECTED_TAG = 'synnefo:network:%d:limited'
# The default firewall profile that will be in effect if no tags are defined
DEFAULT_FIREWALL_PROFILE = 'DISABLED'
......
......@@ -761,18 +761,21 @@ def disconnect_from_network(vm, nic):
dry_run=settings.TEST)
def set_firewall_profile(vm, profile):
def set_firewall_profile(vm, profile, index=0):
try:
tag = _firewall_tags[profile]
tag = _firewall_tags[profile] % index
except KeyError:
raise ValueError("Unsopported Firewall Profile: %s" % profile)
log.debug("Setting tag of VM %s to %s", vm, profile)
log.debug("Setting tag of VM %s, NIC index %d, to %s", vm, index, profile)
with pooled_rapi_client(vm) as client:
# Delete all firewall tags
for t in _firewall_tags.values():
client.DeleteInstanceTags(vm.backend_vm_id, [t],
# Delete previous firewall tags
old_tags = client.GetInstanceTags(vm.backend_vm_id)
delete_tags = [(t % index) for t in _firewall_tags.values()
if (t % index) in old_tags]
if delete_tags:
client.DeleteInstanceTags(vm.backend_vm_id, delete_tags,
dry_run=settings.TEST)
client.AddInstanceTags(vm.backend_vm_id, [tag], dry_run=settings.TEST)
......
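Review bot: The try body at `tag = _firewall_tags[profile] % index` now covers the string formatting as well as the dict lookup, but the except handles only KeyError, so a tag value without a `%d` placeholder (a misconfigured GANETI_FIREWALL_*_TAG) or a non-integer index escapes as a bare TypeError from what reads as a profile-lookup guard. Keep `tag = _firewall_tags[profile]` alone in the try and apply `tag = tag % index` after the except so the two failure modes stay distinct. The get/delete/add sequence inside the `with` block is also not atomic: if AddInstanceTags fails after DeleteInstanceTags, the NIC is left with no firewall tag and falls back to DEFAULT_FIREWALL_PROFILE; this predates the commit, but a comment such as `# Not atomic: a failure after the delete leaves the NIC on DEFAULT_FIREWALL_PROFILE` would make the window visible. Whether set_firewall_profile ends at the AddInstanceTags call cannot be confirmed from the hunk.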
......@@ -332,12 +332,12 @@ def resize(vm, flavor):
@server_command("SET_FIREWALL_PROFILE")
def set_firewall_profile(vm, profile):
log.info("Setting VM %s firewall %s", vm, profile)
def set_firewall_profile(vm, profile, index=0):
log.info("Setting VM %s, NIC index %s, firewall %s", vm, index, profile)
if profile not in [x[0] for x in NetworkInterface.FIREWALL_PROFILES]:
raise faults.BadRequest("Unsupported firewall profile")
backend.set_firewall_profile(vm, profile)
backend.set_firewall_profile(vm, profile=profile, index=index)
return None
......
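Review bot: The new `index=0` parameter on set_firewall_profile is undocumented and the function has no docstring, so a caller cannot tell that `index` is the position of the NIC within the instance, that 0 keeps the previous single-public-NIC behaviour, or that the value is forwarded to backend.set_firewall_profile without validation. Add a docstring under the def line along the lines of `"""Set the firewall profile of the NIC at position `index` on `vm` (default 0, the previous single-NIC behaviour)."""`, and note in it that `profile` is validated here while `index` is not.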