deltacloud-core 1.0.4 → 1.0.5

data/lib/cimi/models/volume.rb

@@ -17,20 +17,22 @@ class CIMI::Model::Volume < CIMI::Model::Base
 
   acts_as_root_entity
 
-  struct :capacity do
-    scalar :quantity
-    scalar :units
-  end
+  text :state
+
+  text :type
+
+  text :capacity
+
   text :bootable
-  text :supports_snapshots
+
   array :snapshots do
     scalar :ref
   end
-  text :guest_interface
+
   array :meters do
     scalar :ref
   end
-  href :eventlog
+
   array :operations do
     scalar :rel, :href
   end
@@ -40,7 +42,7 @@ class CIMI::Model::Volume < CIMI::Model::Base
     opts = ( id == :all ) ? {} : { :id => id }
     volumes = context.driver.storage_volumes(context.credentials, opts)
     volumes.collect!{ |volume| from_storage_volume(volume, context) }
-    return volumes.first unless volumes.length > 1
+    return volumes.first unless volumes.length > 1 || volumes.length == 0
     return volumes
   end
 
@@ -68,14 +70,14 @@ class CIMI::Model::Volume < CIMI::Model::Base
 
   def self.find_to_attach_from_json(json_in, context)
     json = JSON.parse(json_in)
-    volumes = json["volumes"].map{|v| {:volume=>self.find(v["volume"]["href"].split("/volumes/").last, context),
-                                       :attachment_point=>v["attachmentPoint"]  }}
+    json["volumes"].map{|v| {:volume=>self.find(v["volume"]["href"].split("/volumes/").last, context),
+                             :attachment_point=>v["attachmentPoint"]  }}
   end
 
   def self.find_to_attach_from_xml(xml_in, context)
     xml = XmlSimple.xml_in(xml_in)
-    volumes = xml["volume"].map{|v| {:volume => self.find(v["href"].split("/volumes/").last, context),
-                                      :attachment_point=>v["attachmentPoint"] }}
+    xml["volume"].map{|v| {:volume => self.find(v["href"].split("/volumes/").last, context),
+                           :attachment_point=>v["attachmentPoint"] }}
   end
 
   private
@@ -90,14 +92,13 @@ class CIMI::Model::Volume < CIMI::Model::Base
   def self.from_storage_volume(volume, context)
     self.new( { :name => volume.id,
                 :description => volume.id,
-                :created => volume.created,
+                :created => Time.parse(volume.created).xmlschema,
                 :id => context.volume_url(volume.id),
                 :capacity => { :quantity=>volume.capacity, :units=>"gibibyte"  }, #FIXME... units will vary
                 :bootable => "false", #fixme ... will vary... ec2 doesn't expose this
-                :supports_snapshots => "true", #fixme, will vary (true for ec2)
                 :snapshots => [], #fixme...
-                :guest_interface => "",
-                :eventlog => {:href=> "http://eventlogs"},#FIXME
+                :type => 'http://schemas.dmtf.org/cimi/1/mapped',
+                :state => volume.state,
                 :meters => []
             } )
   end

data/lib/cimi/models/volume_configuration.rb

@@ -18,12 +18,9 @@ class CIMI::Model::VolumeConfiguration < CIMI::Model::Base
   acts_as_root_entity :as => "volumeConfigs"
 
   text :format
-  struct :capacity do
-    scalar :quantity
-    scalar :units
-  end
-  text :supports_snapshots
-  text :guest_interface
+
+  text :capacity
+
   array :operations do
     scalar :rel, :href
   end
@@ -50,10 +47,10 @@ class CIMI::Model::VolumeConfiguration < CIMI::Model::Base
   def self.create(size, context)
     self.new( {
                 :id => context.volume_configuration_url(size),
-                :name => size,
-                :description => "volume configuration with #{size} GiB",
-                :created => Time.now.to_s,
-                :capacity => {:quantity=>size, :units=>"gibibytes"},
+                :name => "volume-#{size}",
+                :description => "Volume configuration with #{size} kilobytes",
+                :created => Time.now.xmlschema,
+                :capacity => context.to_kibibyte(size, "MB"),
                 :supports_snapshots => "true"
                 # FIXME :guest_interface => "NFS"
             } )

data/lib/cimi/models/volume_image.rb

@@ -41,7 +41,7 @@ class CIMI::Model::VolumeImage < CIMI::Model::Base
     self.new( {
                :name => snapshot.id,
                :description => snapshot.id,
-               :created => snapshot.created,
+               :created => Time.parse(snapshot.created).xmlschema,
                :id => context.volume_image_url(snapshot.id),
                :image_location => {:href=>context.volume_url(snapshot.storage_volume_id)},
                :bootable => "false"  #FIXME

data/lib/deltacloud/collections/base.rb

@@ -43,7 +43,7 @@ module Deltacloud::Collections
       report_error
     end
 
-    error Deltacloud::ExceptionHandler::ValidationFailure do
+    error Deltacloud::Exceptions::ValidationFailure do
       report_error
     end
 

data/lib/deltacloud/collections/firewalls.rb

@@ -99,8 +99,8 @@ module Deltacloud::Collections
           params['addresses'] = addresses
           params['groups'] = groups
           if addresses.empty? && groups.empty?
-            raise Deltacloud::ExceptionHandler::ValidationFailure.new(
-              StandardError.new("No sources. Specify at least one source ip_address or group")
+            raise Deltacloud::Exceptions.exception_from_status(
+              400, 'No sources. Specify at least one source ip address or group.'
             )
           end
           driver.create_firewall_rule(credentials, params)

data/lib/deltacloud/collections/load_balancers.rb

@@ -23,7 +23,7 @@ module Deltacloud::Collections
     end
 
     collection :load_balancers do
-      description "Load balancers are used distribute workload across multiple instances"
+      description "Load balancers are used to distribute workload across multiple instances"
 
       standard_index_operation
 
@@ -32,7 +32,13 @@ module Deltacloud::Collections
         control do
           @load_balancer = driver.load_balancer(credentials, params)
           @registered_instances = @load_balancer.instances.collect{|i| {:id => i.id, :name=> i.name}}
-          @unregistered_instances = driver.instances(credentials).collect{|i| {:id => i.id, :name => i.name}} - @registered_instances
+          # if provider supports realm_filter and load balancer has only one realm (which is mostly the case), use optimization:
+          if @load_balancer.realms.size == 1 and driver.class.has_feature?(:instances, :realm_filter)
+            all_instances = driver.instances(credentials, :realm_id => @load_balancer.realms.first.id).collect{|i| {:id => i.id, :name => i.name}}
+          elsif
+            all_instances = driver.instances(credentials).collect{|i| {:id => i.id, :name => i.name} }
+          end
+          @unregistered_instances = all_instances - @registered_instances
           respond_to do |format|
             format.xml { haml :'load_balancers/show' }
             format.json { xml_to_json('load_balancers/show') }

data/lib/deltacloud/core_ext.rb

@@ -22,3 +22,4 @@ require_relative './core_ext/integer'
 require_relative './core_ext/ordered_hash'
 require_relative './core_ext/proc'
 require_relative './core_ext/string'
+require_relative './core_ext/base'

data/lib/deltacloud/core_ext/base.rb

@@ -0,0 +1,30 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.  The
+# ASF licenses this file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance with the
+# License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+def get_current_memory_usage
+  `ps -o rss= -p #{Process.pid}`.to_i
+end
+
+def profile_memory(&block)
+  before = get_current_memory_usage
+  file, line, _ = caller[0].split(':')
+  if block_given?
+    instance_eval(&block)
+    puts "[#{file}:#{line}: #{(get_current_memory_usage - before) / 1024} MB (consumed)]"
+  else
+    before = 0
+    puts "[#{file}:#{line}: #{(get_current_memory_usage - before) / 1024} MB (all)]"
+  end
+end

data/lib/deltacloud/drivers.rb

@@ -26,7 +26,7 @@ module Deltacloud
         Thread::current[:drivers] = {}
         top_srcdir = File.join(File.dirname(__FILE__), '..', '..')
         Dir[File.join(top_srcdir, 'config', 'drivers', '*.yaml')].each do |driver_file|
-          Thread::current[:drivers].merge!(YAML::load(File::read(driver_file)))
+          Thread::current[:drivers].merge!(YAML::load_file(driver_file))
         end
       end
       Thread::current[:drivers]

data/lib/deltacloud/drivers/base_driver.rb

@@ -23,7 +23,7 @@ module Deltacloud
 
   class BaseDriver
 
-    include ExceptionHandler
+    include Exceptions
 
     STATE_MACHINE_OPTS = {
       :all_states => [:start, :pending, :running, :stopping, :stopped, :finish],

data/lib/deltacloud/drivers/condor/condor_driver.rb

@@ -192,7 +192,7 @@ module Deltacloud
 
         def new_client(credentials)
           if ( credentials.user != 'condor' ) or ( credentials.password != 'deltacloud' )
-            raise Deltacloud::ExceptionHandler::AuthenticationFailure.new
+            raise Deltacloud::Exceptions::AuthenticationFailure.new
           end
           safely do
             yield CondorCloud::DefaultExecutor.new

data/lib/deltacloud/drivers/exceptions.rb

@@ -15,7 +15,7 @@
 #
 
 module Deltacloud
-  module ExceptionHandler
+  module Exceptions
 
     class DeltacloudException < StandardError
 
@@ -30,6 +30,13 @@ module Deltacloud
 
     end
 
+    class AcceptedButNotCompletedError < DeltacloudException
+      def initialize(e, message=nil)
+        message ||= e.message
+        super(202, e.class.name, message, e.backtrace)
+      end
+    end
+
     class AuthenticationFailure < DeltacloudException
       def initialize(e, message=nil)
         message ||= e.message
@@ -115,6 +122,7 @@ module Deltacloud
       def initialize(conditions, &block)
         @conditions = conditions
         instance_eval(&block) if block_given?
+        self
       end
 
       def status(code)
@@ -142,21 +150,26 @@ module Deltacloud
       def handler(e)
         return @handler if @handler
         case @status
-          when 401 then Deltacloud::ExceptionHandler::AuthenticationFailure.new(e, @message)
-          when 403 then Deltacloud::ExceptionHandler::ForbiddenError.new(e, @message)
-          when 404 then Deltacloud::ExceptionHandler::ObjectNotFound.new(e, @message)
-          when 406 then Deltacloud::ExceptionHandler::UnknownMediaTypeError.new(e, @message)
-          when 405 then Deltacloud::ExceptionHandler::MethodNotAllowed.new(e, @message)
-          when 400 then Deltacloud::ExceptionHandler::ValidationFailure.new(e, @message)
-          when 500 then Deltacloud::ExceptionHandler::BackendError.new(e, @message)
-          when 501 then Deltacloud::ExceptionHandler::NotImplemented.new(e, @message)
-          when 502 then Deltacloud::ExceptionHandler::ProviderError.new(e, @message)
-          when 504 then Deltacloud::ExceptionHandler::ProviderTimeout.new(e, @message)
+          when 202 then AcceptedButNotCompletedError.new(e, @message)
+          when 401 then AuthenticationFailure.new(e, @message)
+          when 403 then ForbiddenError.new(e, @message)
+          when 404 then ObjectNotFound.new(e, @message)
+          when 406 then UnknownMediaTypeError.new(e, @message)
+          when 405 then MethodNotAllowed.new(e, @message)
+          when 400 then ValidationFailure.new(e, @message)
+          when 500 then BackendError.new(e, @message)
+          when 501 then NotImplemented.new(e, @message)
+          when 502 then ProviderError.new(e, @message)
+          when 504 then ProviderTimeout.new(e, @message)
         end
       end
 
     end
 
+    def self.exception_from_status(code, message)
+      ExceptionDef.new(nil) { status code}.handler(StandardError.new(message))
+    end
+
     class Exceptions
       attr_reader :exception_definitions
 
@@ -198,17 +211,14 @@ module Deltacloud
       begin
         block.call
       rescue => e
-        log = ExceptionHandler.logger
         self.class.exceptions.each do |definitions|
           next unless definitions.any? e
           if (new_exception = definitions.handler(e)) and new_exception.message
             message = new_exception.message
           end
           message ||= e.message
-          log.error "#{[e.class.to_s, message].join(':')}\n#{e.backtrace[0..10].join("\n")}" unless ENV['RACK_ENV'] == 'test'
           raise definitions.handler(e) unless new_exception.nil?
         end
-        log.error "[NO HANDLED] #{[e.class.to_s, e.message].join(': ')}\n#{e.backtrace.join("\n")}" unless ENV['RACK_ENV'] == 'test'
         raise BackendError.new(e, "Unhandled exception or status code (#{e.message})")
       end
     end

data/lib/deltacloud/drivers/features.rb

@@ -135,14 +135,14 @@ module Deltacloud
       end
 
       feature :instance_count, :for => :instances do
-        description "Number of instances to be launch with at once"
+        description "Number of instances to launch at once"
         operation :create do
           param :instance_count,  :string,  :optional
         end
       end
 
       feature :attach_snapshot, :for => :instances do
-        description "Attach an snapshot to instance on create"
+        description "Attach a snapshot to instance on create"
         operation :create do
           param :snapshot_id,  :string,  :optional
           param :device_name,  :string,  :optional
@@ -150,7 +150,7 @@ module Deltacloud
       end
 
       feature :sandboxing, :for => :instances do
-        description "Allow lanuching sandbox images"
+        description "Allow launching sandbox images"
         operation :create do
           param :sandbox, :string,  :optional
         end

data/lib/deltacloud/drivers/fgcp/fgcp_driver.rb

@@ -29,6 +29,7 @@ class FgcpDriver < Deltacloud::BaseDriver
 
   feature :instances, :user_name
   feature :instances, :metrics
+  feature :instances, :realm_filter
   feature :images, :user_name
   feature :images, :user_description
 
@@ -168,19 +169,18 @@ class FgcpDriver < Deltacloud::BaseDriver
     realms = []
     safely do
       client = new_client(credentials)
-  # opts may include scope: system, network
-  # first retrieve list of VSYS ids (and add if scope is not only filtering for network)
+
       if opts and opts[:id]
 
-        # determine id belongs to vsys or network
+        # determine id belongs to system or network
         vsys_id = client.extract_vsys_id(opts[:id])
         vsys = client.get_vsys_attributes(vsys_id)['vsys'][0]
         realm_name = vsys['vsysName'][0]
-        limit = '[VSYS]'
+        limit = '[System]'
         if opts[:id] != vsys_id # network id specified
           opts[:id] =~ /^.*\b(\w+)$/
-          realm_name += ' [' + $1 + ']' # vsys name or vsys name + network [DMZ/SECURE1/SECURE2]
-          limit = '[Network segment]'
+          realm_name += ' [' + $1 + ']' # system name or system name + network [DMZ/SECURE1/SECURE2]
+          limit = '[Network]'
         end
         realms << Realm::new(
                     :id => opts[:id],
@@ -188,7 +188,6 @@ class FgcpDriver < Deltacloud::BaseDriver
                     #:limit => :unlimited,
                     :limit => limit,
                     :state => 'AVAILABLE' # map to state of FW/VSYS (reconfiguring = unavailable)?
-                   # :scope => 'system'
                   )
       elsif xml = client.list_vsys['vsyss']
 
@@ -197,11 +196,10 @@ class FgcpDriver < Deltacloud::BaseDriver
 
           realms << Realm::new(
                       :id => vsys['vsysId'][0], # vsysId or networkId
-                      :name => vsys['vsysName'][0], # vsys name or vsys name + network (DMZ/SECURE1/SECURE2)
+                      :name => vsys['vsysName'][0], # system name or system name + network (DMZ/SECURE1/SECURE2)
                       #:limit => :unlimited,
-                      :limit => '[VSYS]',
+                      :limit => '[System]',
                       :state => 'AVAILABLE' # map to state of FW/VSYS (reconfiguring = unavailable)?
-                     # :scope => 'system'
                     )
           # then retrieve and add list of network segments
           client.get_vsys_configuration(vsys['vsysId'][0])['vsys'][0]['vnets'][0]['vnet'].each do |vnet|
@@ -212,9 +210,8 @@ class FgcpDriver < Deltacloud::BaseDriver
                         :id => vnet['networkId'][0], # vsysId or networkId
                         :name => realm_name,
                         #:limit => :unlimited,
-                        :limit => '[Network segment]',
+                        :limit => '[Network]',
                         :state => 'AVAILABLE' # map to state of FW/VSYS (reconfiguring = unavailable)?
-                      #  :scope => 'network'
                       )
           end
         end
@@ -232,20 +229,25 @@ class FgcpDriver < Deltacloud::BaseDriver
     safely do
       client = new_client(credentials)
 
-      if opts and opts[:id]
-        vsys_id = client.extract_vsys_id(opts[:id])
+      if opts and opts[:id] or opts[:realm_id]
+        vsys_id = client.extract_vsys_id(opts[:id] || opts[:realm_id])
         vsys_config = client.get_vsys_configuration(vsys_id)
         vsys_config['vsys'][0]['vservers'][0]['vserver'].each do |vserver|
-          if vserver['vserverId'][0] == opts[:id]
+          network_id = vserver['vnics'][0]['vnic'][0]['networkId'][0]
+          # :realm_id can point to system or network
+          if vsys_id == opts[:realm_id] or vserver['vserverId'][0] == opts[:id] or network_id == opts[:realm_id]
 
-            # check state first as it may be filtered on
-            state_data = instance_state_data(vserver, client)
-            if opts[:state].nil? or opts[:state] == state_data[:state]
+            # skip firewall if filtering by realm
+            unless opts[:realm_id] and determine_server_type(vserver) == 'FW'
+              # check state first as it may be filtered on
+              state_data = instance_state_data(vserver, client)
+              if opts[:state].nil? or opts[:state] == state_data[:state]
 
-              instance = convert_to_instance(client, vserver, state_data)
-              add_instance_details(instance, client, vserver)
+                instance = convert_to_instance(client, vserver, state_data)
+                add_instance_details(instance, client, vserver)
 
-              instances << instance
+                instances << instance
+              end
             end
           end
         end
@@ -258,12 +260,16 @@ class FgcpDriver < Deltacloud::BaseDriver
           vsys_config = client.get_vsys_configuration(vsys['vsysId'][0])
           vsys_config['vsys'][0]['vservers'][0]['vserver'].each do |vserver|
 
-            # to keep the response time of this method acceptable, retrieve state
-            # only if required because state is filtered on
-            state_data = opts[:state] ? instance_state_data(vserver, client) : nil
-            # filter on state
-            if opts[:state].nil? or opts[:state] == state_data[:state]
-              instances << convert_to_instance(client, vserver, state_data)
+            # skip firewalls - they probably don't belong here and their new type ('firewall' instead of 
+            # 'economy') causes errors when trying to map to available profiles)
+            unless determine_server_type(vserver) == 'FW'
+              # to keep the response time of this method acceptable, retrieve state
+              # only if required because state is filtered on
+              state_data = opts[:state] ? instance_state_data(vserver, client) : nil
+              # filter on state
+              if opts[:state].nil? or opts[:state] == state_data[:state]
+                instances << convert_to_instance(client, vserver, state_data)
+              end
             end
           end
         end
@@ -343,6 +349,12 @@ class FgcpDriver < Deltacloud::BaseDriver
     network_id = opts[:realm_id]
     safely do
       client = new_client(credentials)
+      if not network_id
+        xml = client.list_vsys['vsyss']
+
+        # use first returned system's DMZ as realm
+        network_id = xml ? xml[0]['vsys'][0]['vsysId'][0] + '-N-DMZ' : nil
+      end
       xml = client.create_vserver(name, hwp, image_id, network_id)
       # returns vserver details
       instances(credentials, {:id => xml['vserverId'][0]}).first
@@ -404,7 +416,12 @@ class FgcpDriver < Deltacloud::BaseDriver
     safely do
       client = new_client(credentials)
       if opts and opts[:id]
-        vdisk = client.get_vdisk_attributes(opts[:id])['vdisk'][0]
+        begin
+          vdisk = client.get_vdisk_attributes(opts[:id])['vdisk'][0]
+        rescue Exception => ex
+          return [] if ex.message =~ /VALIDATION_ERROR.*t exist./
+          raise
+        end
         state = client.get_vdisk_status(opts[:id])['vdiskStatus'][0]
         actions = []
         if state == 'NORMAL'
@@ -474,7 +491,7 @@ class FgcpDriver < Deltacloud::BaseDriver
       elsif xml = client.list_vsys['vsyss']
 
         # use first vsys returned as realm
-        opts[:realm_id] = xml[0]['vsys'][0]['vsysId'][0]
+        opts[:realm_id] = xml[0]['vsys'][0]['vsysId'][0] if xml
       end
 
       vdisk_id = client.create_vdisk(opts[:realm_id], opts[:name], opts[:capacity])['vdiskId'][0]
@@ -528,18 +545,24 @@ class FgcpDriver < Deltacloud::BaseDriver
       if opts and opts[:id]
         vdisk_id, backup_id = split_snapshot_id(opts[:id])
 
-        if backups = client.list_vdisk_backup(vdisk_id)['backups']
+        begin
+          if backups = client.list_vdisk_backup(vdisk_id)['backups']
 
-          backups[0]['backup'].each do |backup|
+            backups[0]['backup'].each do |backup|
 
-            snapshots << StorageSnapshot.new(
-              :id => opts[:id],
-              #:state => ?,
-              :storage_volume_id => vdisk_id,
-              :created => backup['backupTime'][0]
-            ) if backup_id = backup['backupId'][0]
+              snapshots << StorageSnapshot.new(
+                :id => opts[:id],
+                #:state => ?,
+                :storage_volume_id => vdisk_id,
+                :created => backup['backupTime'][0]
+              ) if backup_id = backup['backupId'][0]
+            end
           end
+        rescue Exception => ex
+          return [] if ex.message =~ /RESOURCE_NOT_FOUND/
+          raise
         end
+
       elsif xml = client.list_vsys['vsyss']
 
         return [] if xml.nil?
@@ -683,8 +706,8 @@ class FgcpDriver < Deltacloud::BaseDriver
         opts[:realm_id] = client.extract_vsys_id(opts[:realm_id])
       else
         # get first vsys
-        xml = client.list_vsys
-        opts[:realm_id] = xml['vsyss'][0]['vsys'][0]['vsysId'][0] if xml['vsyss']
+        xml = client.list_vsys['vsyss']
+        opts[:realm_id] = xml[0]['vsys'][0]['vsysId'][0] if xml
       end
 
       client.allocate_public_ip(opts[:realm_id])
@@ -834,49 +857,56 @@ class FgcpDriver < Deltacloud::BaseDriver
 </Request>
 eofwpxml
 
-        fw = client.get_efm_configuration(opts[:id], 'FW_POLICY', configuration_xml)
+        begin
+          fw = client.get_efm_configuration(opts[:id], 'FW_POLICY', configuration_xml)
+        rescue Exception => ex
+          return [] if ex.message =~ /RESOURCE_NOT_FOUND/
+          raise
+        end
         fw_name = fw['efm'][0]['efmName'][0] # currently always 'Firewall'
         fw_owner_id = fw['efm'][0]['creator'][0]
         rule50000_log = true
 
-        fw['efm'][0]['firewall'][0]['directions'][0]['direction'].each do |direction|
+        if fw['efm'][0]['firewall'][0]['directions'] and fw['efm'][0]['firewall'][0]['directions'][0]['direction']
+          fw['efm'][0]['firewall'][0]['directions'][0]['direction'].each do |direction|
 
-          direction['policies'][0]['policy'].each do |policy|
+            direction['policies'][0]['policy'].each do |policy|
 
-            sources = []
-            ['src', 'dst'].each do |e|
+              sources = []
+              ['src', 'dst'].each do |e|
 
-              if policy[e] and policy[e][0] and not policy[e][0].empty?
+                if policy[e] and policy[e][0] and not policy[e][0].empty?
 
-                ip_address_type = policy["#{e}Type"][0]
-                address = policy[e][0]
-                address.sub!('any', '0.0.0.0/0') if ip_address_type == 'IP'
-                address += '/32' if ip_address_type == 'IP' and not address =~ /.*\/.*/
+                  ip_address_type = policy["#{e}Type"][0]
+                  address = policy[e][0]
+                  address.sub!('any', '0.0.0.0/0') if ip_address_type == 'IP'
+                  address += '/32' if ip_address_type == 'IP' and not address =~ /.*\/.*/
 
-                sources << {
-                  :type    => 'address',
-                  :family  => 'ipv4',
-                  :address => address.split('/').first,
-                  :prefix  => ip_address_type == 'IP' ? address.split('/').last : nil
-                }
+                  sources << {
+                    :type    => 'address',
+                    :family  => 'ipv4',
+                    :address => address.split('/').first,
+                    :prefix  => ip_address_type == 'IP' ? address.split('/').last : nil
+                  }
+                end
               end
-            end
 
-            # defining ingress as access going from Internet/Intranet -> DMZ -> SECURE1 -> SECURE2
-            ingress = policy['id'][0] =~ /[13].*/ ? 'ingress' : 'egress'
-
-            rules << FirewallRule.new({
-              :id             => policy['id'][0],
-              :rule_action    => policy['action'][0].downcase,
-              :log_rule       => policy['log'][0] == 'On',
-              :allow_protocol => policy['protocol'][0],
-              :port_from      => policy['srcPort'] ? policy['srcPort'][0] : nil, # not set for e.g. ICMP
-              :port_to        => policy['dstPort'] ? policy['dstPort'][0] : nil, # not set for e.g. ICMP
-              :direction      => ingress,
-              :sources        => sources
-            }) unless policy['id'][0] == '50000' # special case added later
-
-            rule50000_log = (policy['log'][0] == 'On') if policy['id'][0] == '50000'
+              # defining ingress as access going from Internet/Intranet -> DMZ -> SECURE1 -> SECURE2
+              ingress = policy['id'][0] =~ /[13].*/ ? 'ingress' : 'egress'
+
+              rules << FirewallRule.new({
+                :id             => policy['id'][0],
+                :rule_action    => policy['action'][0].downcase,
+                :log_rule       => policy['log'][0] == 'On',
+                :allow_protocol => policy['protocol'][0],
+                :port_from      => policy['srcPort'] ? policy['srcPort'][0] : nil, # not set for e.g. ICMP
+                :port_to        => policy['dstPort'] ? policy['dstPort'][0] : nil, # not set for e.g. ICMP
+                :direction      => ingress,
+                :sources        => sources
+              }) unless policy['id'][0] == '50000' # special case added later
+
+              rule50000_log = (policy['log'][0] == 'On') if policy['id'][0] == '50000'
+            end
           end
         end
 
@@ -947,7 +977,31 @@ eofwpxml
   def delete_firewall(credentials, opts={})
     safely do
       client = new_client(credentials)
-      client.destroy_vsys(client.extract_vsys_id(opts[:id]))
+      begin
+        # try to stop FW first
+        opts[:id] =~ /^(.*-S-)\d\d\d\d/
+        fw_id = $1 + '0001'
+        client.stop_efm(fw_id)
+      rescue Exception => ex
+        raise ex if not ex.message =~ /ALREADY_STOPPED.*/
+        client.destroy_vsys(client.extract_vsys_id(opts[:id]))
+        return
+      end
+
+      Thread.new {
+        attempts = 0
+        begin
+          sleep 30
+          # this may fail if the FW is still stopping
+          client.destroy_vsys(client.extract_vsys_id(opts[:id]))
+        rescue Exception => ex
+          raise unless attempts < 20 and ex.message =~ /SERVER_RUNNING.*/
+          # Stopping takes a few minutes, so keep trying for a while
+          attempts += 1
+          retry
+        end
+      }
+      raise 'Firewall will be deleted once it has stopped'
     end
   end
 
@@ -1050,7 +1104,7 @@ eofwopxml
             realm = Realm::new(
               :id => vserver['vnics'][0]['vnic'][0]['networkId'][0],
               :name => realm_name,
-              :limit => '[Network segment]',
+              :limit => '[Network]',
               :state => 'AVAILABLE' # map to state of FW/VSYS (reconfiguring = unavailable)?
             )
             balancer = LoadBalancer.new({
@@ -1085,7 +1139,7 @@ eofwopxml
           realm = Realm::new(
             :id => vserver['vnics'][0]['vnic'][0]['networkId'][0],
             :name => realm_name,
-            :limit => '[Network segment]',
+            :limit => '[Network]',
             :state => 'AVAILABLE' # map to state of FW/VSYS (reconfiguring = unavailable)?
           )
           balancer = LoadBalancer.new({
@@ -1143,6 +1197,12 @@ eofwopxml
       # if opts['realm_id'].nil? network id specified, pick first vsys' DMZ?
       # CreateEFM -vsysId vsysId -efmType SLB -efmName opts['name'] -networkId opts['realm_id']
       network_id = opts[:realm_id]
+      if not network_id
+        xml = client.list_vsys['vsyss']
+
+        # use first returned system's DMZ as realm
+        network_id = xml ? xml[0]['vsys'][0]['vsysId'][0] + '-N-DMZ' : nil
+      end
       efm = client.create_efm('SLB', opts[:name], network_id)
 #        [{:load_balancer_port => opts['listener_balancer_port'],
 #          :instance_port => opts['listener_instance_port'],
@@ -1214,7 +1274,12 @@ eofwopxml
   def metric(credentials, opts={})
     safely do
       client = new_client(credentials)
-      perf = client.get_performance_information(opts[:id], 'hour')
+      begin
+        perf = client.get_performance_information(opts[:id], 'hour')
+      rescue Exception => ex
+        return nil if ex.message =~ /RESOURCE_NOT_FOUND/
+        raise
+      end
 
       metric = Metric.new(
         :id         => opts[:id],
@@ -1273,47 +1338,47 @@ eofwopxml
 
   exceptions do
 
+    # FW will be deleted in async polling thread, so can't guarantee successful completion
+    on /Firewall will be deleted once it has stopped/ do
+      status 202 # Accepted
+    end
+
     on /ALREADY_STARTED/ do
-      status 405
+      status 405 # Method Not Allowed
     end
 
     # trying to start a running vserver, etc.
     on /ILLEGAL_STATE/ do
-      status 405
+      status 405 # Method Not Allowed
     end
 
     on /AuthFailure/ do
-      status 401
+      status 401 # Unauthorized
     end
 
     # User not found: using certificate with wrong region
     on /User not found in selectData./ do
-      status 401
+      status 401 # Unauthorized
     end
 
     # if user doesn't have privileges to view or operate a particular resource
     on /User doesn.t have the right of access./ do
-      status 400
-    end
-
-    # time out of sync with ntp
-    on /VALIDATION_ERROR.*synchronized.*API-Server time/ do
-      status 502
+      status 403 # Forbidden
     end
 
     # wrong vserverId, etc.
     on /VALIDATION_ERROR/ do
-      status 404
+      status 404 # Not Found
     end
 
     # wrong vdiskId, etc.
     on /RESOURCE_NOT_FOUND/ do
-      status 404
+      status 404 # Not Found
     end
 
     # wrong FW description (vsys descriptor)
     on /does not exist. Specify one of / do
-      status 404
+      status 404 # Not Found
     end
 
     # trying an operation that is not supported (yet) by the target region
@@ -1321,19 +1386,24 @@ eofwopxml
       status 501 # Not Implemented
     end
 
+    # time out of sync with ntp
+    on /VALIDATION_ERROR.*synchronized.*API-Server time/ do
+      status 502 # Bad Gateway
+    end
+
     # destroying a running SLB, etc.
     on /ALREADY_STARTED/ do
-      status 502 #?
+      status 502 # Bad Gateway?
     end
 
     # trying to start a running vserver, etc.
     on /ILLEGAL_STATE/ do
-      status 502
+      status 502 # Bad Gateway
     end
 
     # endpoint for country of certificate subject not found
     on /API endpoint not found/ do
-      status 502
+      status 502 # Bad Gateway
     end
 
     on /.*/ do
@@ -1406,7 +1476,8 @@ eofwopxml
         vsys_id = client.extract_vsys_id(instance.id)
         if slbs = client.list_efm(vsys_id, 'SLB')['efms']
           slbs[0]['efm'].find do |slb|
-            instance.private_addresses << InstanceAddress.new(slb['slbVip'][0], :type => :ipv4) if slb['efmId'][0] == instance.id
+            # note that slbVip may not be set yet (in just created SLBs)
+            instance.private_addresses << InstanceAddress.new(slb['slbVip'][0], :type => :ipv4) if slb['slbVip'] and slb['efmId'][0] == instance.id
           end
         end
       end