wakame-vdc-agents 11.06.0 → 11.12.0

data/lib/dcmgr/vnet/tasks/drop_mac_spoofing.rb

@@ -0,0 +1,33 @@
+# -*- coding: utf-8 -*-
+
+module Dcmgr
+  module VNet
+    module Tasks
+    
+      # Disables instances from spoofing another mac address
+      class DropMacSpoofing < Task
+        include Dcmgr::VNet::Netfilter
+        attr_accessor :mac
+        attr_accessor :enable_logging
+        attr_accessor :log_prefix
+        
+        def initialize(mac,enable_logging,log_prefix)
+        super()
+        self.mac = mac
+        self.enable_logging = enable_logging
+        self.log_prefix = log_prefix
+        
+        # Prevent spoofing to the outside world
+        self.rules << EbtablesRule.new(:filter,:forward,:arp,:outgoing,"--protocol arp --arp-mac-src ! #{self.mac} #{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
+        # Prevent spoofing to the host
+        self.rules << EbtablesRule.new(:filter,:input,:arp,:outgoing,"--protocol arp --arp-mac-src ! #{self.mac} #{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
+        # Prevent spoofing from the outside world
+        self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"--protocol arp --arp-mac-dst ! #{self.mac} #{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
+        # Prevent spoofing from the host
+        self.rules << EbtablesRule.new(:filter,:output,:arp,:incoming,"--protocol arp --arp-mac-dst ! #{self.mac} #{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
+        end
+      end
+    
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/exclude_from_nat.rb

@@ -0,0 +1,47 @@
+# -*- coding: utf-8 -*-
+
+module Dcmgr
+  module VNet
+    module Tasks
+    
+      # Contains specific rules for ip addresses to which connections should
+      # not be natted.
+      class ExcludeFromNat < Task
+        include Dcmgr::VNet::Netfilter
+        #An array of the ip addresses excluded from nat
+        attr_accessor :excluded_ips
+        
+        def initialize(ips,self_ip)
+          super()
+          raise ArgumentError, "ips Must be an array containing IP addresses" unless ips.is_a? Array
+          
+          ips.each { |ip|
+            if ip.is_a? String
+              exclude = IPAddress(ip)
+            elsif ip.is_a? IPAddress
+              exclude = ip
+            else
+              next
+            end
+            
+            #self.rules << IptablesRule.new(:nat,:prerouting,nil,:incoming,"-d #{self_ip} -s #{ip} -j ACCEPT")
+            self.rules << IptablesRule.new(:nat,:postrouting,nil,:outgoing,"-d #{ip} -s #{self_ip} -j ACCEPT")
+          }
+        end
+      end
+      
+      # Contains specific rules for ip addresses to which connections should
+      # not be natted. Depends on the netfilter IpSet module
+      class ExcludeFromNatIpSet < Task
+        include Dcmgr::VNet::Netfilter
+        attr_accessor :excluded_ips
+        
+        def initialize(ips,self_ip)
+          raise NotImplementedError
+        end
+        #TODO: Write this class!
+      end
+    
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/security_group.rb

@@ -0,0 +1,37 @@
+# -*- coding: utf-8 -*-
+
+module Dcmgr
+  module VNet
+    module Tasks
+    
+      class SecurityGroup < Task
+        include Dcmgr::VNet::Netfilter
+        def initialize(group_map)
+          super()
+          group_map[:rules].each { |rule|
+            case rule[:ip_protocol]
+            when 'tcp', 'udp'
+              if rule[:ip_fport] == rule[:ip_tport]
+                self.rules << IptablesRule.new(:filter,:forward,rule[:ip_protocol].to_sym,:incoming,"-p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --dport #{rule[:ip_fport]} -j ACCEPT")
+              else
+                self.rules << IptablesRule.new(:filter,:forward,rule[:ip_protocol].to_sym,:incoming,"-p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --dport #{rule[:ip_fport]}:#{rule[:ip_tport]} -j ACCEPT")
+              end
+            when 'icmp'
+              # icmp
+              #   This extension can be used if `--protocol icmp' is specified. It provides the following option:
+              #   [!] --icmp-type {type[/code]|typename}
+              #     This allows specification of the ICMP type, which can be a numeric ICMP type, type/code pair, or one of the ICMP type names shown by the command
+              #      iptables -p icmp -h
+              if rule[:icmp_type] == -1 && rule[:icmp_code] == -1
+                self.rules << IptablesRule.new(:filter,:forward,rule[:ip_protocol].to_sym,:incoming,"-p #{rule[:ip_protocol]} -s #{rule[:ip_source]} -j ACCEPT")
+              else
+                self.rules << IptablesRule.new(:filter,:forward,rule[:ip_protocol].to_sym,:incoming,"-p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --icmp-type #{rule[:icmp_type]}/#{rule[:icmp_code]} -j ACCEPT")
+              end
+            end
+          }
+        end
+      end
+
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/static_nat.rb

@@ -0,0 +1,54 @@
+# -*- coding: utf-8 -*-
+
+module Dcmgr
+  module VNet
+    module Tasks
+    
+      class StaticNatLog < Task
+        include Dcmgr::VNet::Netfilter
+        attr_accessor :inside_ip
+        attr_accessor :outside_ip
+        attr_accessor :snat_log_prefix
+        attr_accessor :dnat_log_prefix
+        
+        def initialize(inside_ip,outside_ip,snat_log_prefix = "",dnat_log_prefix = "")
+          super()
+          
+          self.inside_ip = inside_ip
+          self.outside_ip = outside_ip
+          self.snat_log_prefix = snat_log_prefix
+          self.dnat_log_prefix = dnat_log_prefix
+          
+          self.rules = []
+          self.rules << IptablesRule.new(:nat,:prerouting,nil,:incoming,"-d #{self.outside_ip} -j LOG --log-prefix '#{self.dnat_log_prefix}'")
+          self.rules << IptablesRule.new(:nat,:postrouting,nil,:outgoing,"-s #{self.inside_ip} -j LOG --log-prefix '#{self.snat_log_prefix}'")
+        end
+      end
+      
+      class StaticNat < Task
+        include Dcmgr::VNet::Netfilter
+        attr_accessor :inside_ip
+        attr_accessor :outside_ip
+        attr_accessor :mac_address
+        
+        def initialize(inside_ip, outside_ip, mac_address)
+          super()
+          
+          self.inside_ip = inside_ip
+          self.outside_ip = outside_ip
+          self.mac_address = mac_address
+          
+          self.rules = []
+          
+          # Reply ARP requests for the outside ip
+          self.rules << EbtablesRule.new(:nat,:prerouting,:arp,:incoming,"-p arp --arp-ip-dst #{self.outside_ip} --arp-opcode REQUEST -j arpreply --arpreply-mac #{self.mac_address}")
+          
+          # Translate the ip
+          self.rules << IptablesRule.new(:nat,:postrouting,nil,:outgoing,"-s #{self.inside_ip} -j SNAT --to #{self.outside_ip}")
+          self.rules << IptablesRule.new(:nat,:prerouting,nil,:incoming,"-d #{self.outside_ip} -j DNAT --to #{self.inside_ip}")
+        end
+      end
+    
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/translate_metadata_address.rb

@@ -0,0 +1,32 @@
+# -*- coding: utf-8 -*-
+
+module Dcmgr
+  module VNet
+    module Tasks
+    
+      class TranslateMetadataAddress < Task
+        include Dcmgr::VNet::Netfilter
+        #TODO: allow ARP traffic to metadata server
+        attr_reader :metadata_ip
+        attr_reader :metadata_port
+        attr_reader :metadata_fake_ip
+        attr_reader :metadata_fake_port
+        
+        def initialize(vnic_id,metadata_ip,metadata_port,metadata_fake_ip = "169.254.169.254",metadata_fake_port = "80")
+          super()
+          
+          @metadata_ip = metadata_ip
+          @metadata_port = metadata_port
+          @metadata_fake_ip = metadata_fake_ip
+          @metadata_fake_port = metadata_fake_port
+          
+          # Translate requests to the metadata server
+          self.rules << IptablesRule.new(:nat,:prerouting,:tcp,:outgoing,"-m physdev --physdev-in #{vnic_id} -d #{self.metadata_fake_ip} -p tcp --dport #{self.metadata_fake_port} -j DNAT --to-destination #{self.metadata_ip}:#{self.metadata_port}")
+          # Accept tcp traffic to the metadata server
+          self.rules << IptablesRule.new(:filter,:forward,:tcp,:outgoing,"-p tcp -d #{self.metadata_ip} --dport #{self.metadata_port} -j ACCEPT")
+        end
+      end
+    
+    end
+  end
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: wakame-vdc-agents
 version: !ruby/object:Gem::Version 
-  hash: 95
-  prerelease: false
+  hash: 119
+  prerelease: 
   segments: 
   - 11
-  - 6
+  - 12
   - 0
-  version: 11.06.0
+  version: 11.12.0
 platform: ruby
 authors: 
 - axsh Ltd.
@@ -15,28 +15,28 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-06-30 00:00:00 +09:00
-default_executable: 
+date: 2011-12-22 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
+  name: isono
   prerelease: false
-  version_requirements: &id001 !ruby/object:Gem::Requirement 
+  requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: 17
+        hash: 5
         segments: 
         - 0
         - 2
-        - 3
-        version: 0.2.3
-  requirement: *id001
+        - 9
+        version: 0.2.9
   type: :runtime
-  name: isono
+  version_requirements: *id001
 - !ruby/object:Gem::Dependency 
+  name: log4r
   prerelease: false
-  version_requirements: &id002 !ruby/object:Gem::Requirement 
+  requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -45,12 +45,12 @@ dependencies:
         segments: 
         - 0
         version: "0"
-  requirement: *id002
   type: :runtime
-  name: log4r
+  version_requirements: *id002
 - !ruby/object:Gem::Dependency 
+  name: extlib
   prerelease: false
-  version_requirements: &id003 !ruby/object:Gem::Requirement 
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - "="
@@ -61,12 +61,12 @@ dependencies:
         - 9
         - 15
         version: 0.9.15
-  requirement: *id003
   type: :runtime
-  name: extlib
+  version_requirements: *id003
 - !ruby/object:Gem::Dependency 
+  name: configuration
   prerelease: false
-  version_requirements: &id004 !ruby/object:Gem::Requirement 
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -75,28 +75,12 @@ dependencies:
         segments: 
         - 0
         version: "0"
-  requirement: *id004
-  type: :runtime
-  name: configuration
-- !ruby/object:Gem::Dependency 
-  prerelease: false
-  version_requirements: &id005 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - "="
-      - !ruby/object:Gem::Version 
-        hash: 17
-        segments: 
-        - 1
-        - 1
-        - 1
-        version: 1.1.1
-  requirement: *id005
   type: :runtime
-  name: statemachine
+  version_requirements: *id004
 - !ruby/object:Gem::Dependency 
+  name: ruby-hmac
   prerelease: false
-  version_requirements: &id006 !ruby/object:Gem::Requirement 
+  requirement: &id005 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -105,12 +89,12 @@ dependencies:
         segments: 
         - 0
         version: "0"
-  requirement: *id006
   type: :runtime
-  name: ruby-hmac
+  version_requirements: *id005
 - !ruby/object:Gem::Dependency 
+  name: ipaddress
   prerelease: false
-  version_requirements: &id007 !ruby/object:Gem::Requirement 
+  requirement: &id006 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - "="
@@ -121,12 +105,12 @@ dependencies:
         - 7
         - 0
         version: 0.7.0
-  requirement: *id007
   type: :runtime
-  name: ipaddress
+  version_requirements: *id006
 - !ruby/object:Gem::Dependency 
+  name: open4
   prerelease: false
-  version_requirements: &id008 !ruby/object:Gem::Requirement 
+  requirement: &id007 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -135,12 +119,12 @@ dependencies:
         segments: 
         - 0
         version: "0"
-  requirement: *id008
   type: :runtime
-  name: open4
+  version_requirements: *id007
 - !ruby/object:Gem::Dependency 
+  name: bacon
   prerelease: false
-  version_requirements: &id009 !ruby/object:Gem::Requirement 
+  requirement: &id008 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -149,12 +133,12 @@ dependencies:
         segments: 
         - 0
         version: "0"
-  requirement: *id009
   type: :development
-  name: bacon
+  version_requirements: *id008
 - !ruby/object:Gem::Dependency 
+  name: rake
   prerelease: false
-  version_requirements: &id010 !ruby/object:Gem::Requirement 
+  requirement: &id009 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -163,10 +147,9 @@ dependencies:
         segments: 
         - 0
         version: "0"
-  requirement: *id010
   type: :development
-  name: rake
-description: ""
+  version_requirements: *id009
+description: Datacenter Hypervisor
 email: 
 - dev@axsh.net
 executables: 
@@ -179,6 +162,7 @@ extra_rdoc_files: []
 
 files: 
 - config/path_resolver.rb
+- config/db/migrations/0001_v1110_origin.rb
 - config/initializers/passenger.rb
 - config/initializers/isono.rb
 - config/initializers/sequel.rb
@@ -192,38 +176,46 @@ files:
 - lib/sinatra/lazy_auth.rb
 - lib/dcmgr/rack/request_logger.rb
 - lib/dcmgr/rack/run_initializer.rb
-- lib/dcmgr/stm/snapshot_context.rb
-- lib/dcmgr/stm/volume_context.rb
-- lib/dcmgr/stm/instance.rb
 - lib/dcmgr/version.rb
-- lib/dcmgr/scheduler/find_random.rb
-- lib/dcmgr/scheduler/find_last.rb
+- lib/dcmgr/scheduler/host_node/least_usage.rb
+- lib/dcmgr/scheduler/host_node/per_instance.rb
+- lib/dcmgr/scheduler/host_node/specify_node.rb
+- lib/dcmgr/scheduler/host_node/exclude_same.rb
+- lib/dcmgr/scheduler/host_node/find_first.rb
+- lib/dcmgr/scheduler/network/per_instance.rb
+- lib/dcmgr/scheduler/network/vif_template.rb
+- lib/dcmgr/scheduler/network/flat_single.rb
+- lib/dcmgr/scheduler/network/nat_one_to_one.rb
+- lib/dcmgr/scheduler/storage_node/least_usage.rb
+- lib/dcmgr/scheduler/storage_node/find_first.rb
 - lib/dcmgr/scheduler.rb
 - lib/dcmgr/endpoints/metadata.rb
 - lib/dcmgr/endpoints/errors.rb
-- lib/dcmgr/endpoints/core_api_mock.rb
 - lib/dcmgr/endpoints/core_api.rb
 - lib/dcmgr/tags.rb
+- lib/dcmgr/vnet.rb
 - lib/dcmgr/models/ip_lease.rb
-- lib/dcmgr/models/instance_netfilter_group.rb
 - lib/dcmgr/models/volume_snapshot.rb
-- lib/dcmgr/models/storage_pool.rb
-- lib/dcmgr/models/netfilter_rule.rb
 - lib/dcmgr/models/tag_mapping.rb
 - lib/dcmgr/models/instance_spec.rb
-- lib/dcmgr/models/host_pool.rb
 - lib/dcmgr/models/instance_nic.rb
 - lib/dcmgr/models/mac_lease.rb
 - lib/dcmgr/models/vlan_lease.rb
+- lib/dcmgr/models/host_node.rb
+- lib/dcmgr/models/security_group_rule.rb
 - lib/dcmgr/models/base_new.rb
+- lib/dcmgr/models/instance_security_group.rb
 - lib/dcmgr/models/account.rb
+- lib/dcmgr/models/dhcp_range.rb
+- lib/dcmgr/models/security_group.rb
 - lib/dcmgr/models/frontend_system.rb
 - lib/dcmgr/models/image.rb
 - lib/dcmgr/models/instance.rb
 - lib/dcmgr/models/volume.rb
-- lib/dcmgr/models/netfilter_group.rb
 - lib/dcmgr/models/tag.rb
 - lib/dcmgr/models/account_resource.rb
+- lib/dcmgr/models/physical_network.rb
+- lib/dcmgr/models/storage_node.rb
 - lib/dcmgr/models/hostname_lease.rb
 - lib/dcmgr/models/network.rb
 - lib/dcmgr/models/request_log.rb
@@ -232,27 +224,74 @@ files:
 - lib/dcmgr/models/history.rb
 - lib/dcmgr/models/ssh_key_pair.rb
 - lib/dcmgr/logger.rb
+- lib/dcmgr/drivers/iscsi_target.rb
 - lib/dcmgr/drivers/lxc.rb
+- lib/dcmgr/drivers/comstar.rb
+- lib/dcmgr/drivers/linux_iscsi.rb
 - lib/dcmgr/drivers/iijgio_storage.rb
+- lib/dcmgr/drivers/raw.rb
+- lib/dcmgr/drivers/backing_store.rb
 - lib/dcmgr/drivers/s3_storage.rb
+- lib/dcmgr/drivers/storage_initiator.rb
+- lib/dcmgr/drivers/zfs.rb
 - lib/dcmgr/drivers/snapshot_storage.rb
 - lib/dcmgr/drivers/hypervisor.rb
 - lib/dcmgr/drivers/kvm.rb
+- lib/dcmgr/drivers/local_storage.rb
+- lib/dcmgr/drivers/sun_iscsi.rb
 - lib/dcmgr/rubygems.rb
 - lib/dcmgr/storage_service.rb
+- lib/dcmgr/rpc/sta_handler.rb
 - lib/dcmgr/rpc/hva_handler.rb
 - lib/dcmgr/messaging_client.rb
+- lib/dcmgr/helpers/ec2_metadata_helper.rb
 - lib/dcmgr/helpers/nic_helper.rb
 - lib/dcmgr/helpers/cli_helper.rb
+- lib/dcmgr/helpers/snapshot_storage_helper.rb
+- lib/dcmgr/node_modules/openflow_controller.rb
 - lib/dcmgr/node_modules/hva_collector.rb
 - lib/dcmgr/node_modules/instance_ha.rb
+- lib/dcmgr/node_modules/scheduler.rb
+- lib/dcmgr/node_modules/sta_tgt_initializer.rb
 - lib/dcmgr/node_modules/sta_collector.rb
+- lib/dcmgr/node_modules/service_openflow.rb
 - lib/dcmgr/node_modules/instance_monitor.rb
 - lib/dcmgr/node_modules/service_netfilter.rb
+- lib/dcmgr/vnet/netfilter/chain.rb
+- lib/dcmgr/vnet/netfilter/controller.rb
+- lib/dcmgr/vnet/netfilter/task_manager.rb
+- lib/dcmgr/vnet/netfilter/ebtables_rule.rb
+- lib/dcmgr/vnet/netfilter/iptables_rule.rb
+- lib/dcmgr/vnet/netfilter/cache.rb
+- lib/dcmgr/vnet/factories.rb
+- lib/dcmgr/vnet/tasks/drop_ip_from_anywhere.rb
+- lib/dcmgr/vnet/tasks/accept_related_established.rb
+- lib/dcmgr/vnet/tasks/accept_wakame_dns_only.rb
+- lib/dcmgr/vnet/tasks/drop_arp_to_host.rb
+- lib/dcmgr/vnet/tasks/static_nat.rb
+- lib/dcmgr/vnet/tasks/drop_arp_forwarding.rb
+- lib/dcmgr/vnet/tasks/accept_arp_to_host.rb
+- lib/dcmgr/vnet/tasks/accept_ip_from_gateway.rb
+- lib/dcmgr/vnet/tasks/accept_arp_from_friends.rb
+- lib/dcmgr/vnet/tasks/security_group.rb
+- lib/dcmgr/vnet/tasks/accept_wakame_dhcp_only.rb
+- lib/dcmgr/vnet/tasks/accept_arp_broadcast.rb
+- lib/dcmgr/vnet/tasks/accept_ip_from_friends.rb
+- lib/dcmgr/vnet/tasks/translate_metadata_address.rb
+- lib/dcmgr/vnet/tasks/accept_all_dns.rb
+- lib/dcmgr/vnet/tasks/drop_ip_spoofing.rb
+- lib/dcmgr/vnet/tasks/drop_mac_spoofing.rb
+- lib/dcmgr/vnet/tasks/accept_arp_from_gateway.rb
+- lib/dcmgr/vnet/tasks/debug_iptables.rb
+- lib/dcmgr/vnet/tasks/exclude_from_nat.rb
+- lib/dcmgr/vnet/tasks/accept_ip_to_anywhere.rb
+- lib/dcmgr/vnet/isolators/by_securitygroup.rb
+- lib/dcmgr/vnet/isolators/dummy.rb
 - lib/dcmgr/cli/vlan.rb
 - lib/dcmgr/cli/storage.rb
 - lib/dcmgr/cli/spec.rb
 - lib/dcmgr/cli/errors.rb
+- lib/dcmgr/cli/security_group.rb
 - lib/dcmgr/cli/host.rb
 - lib/dcmgr/cli/image.rb
 - lib/dcmgr/cli/tag.rb
@@ -260,7 +299,6 @@ files:
 - lib/dcmgr/cli/network.rb
 - lib/dcmgr/cli/base.rb
 - lib/dcmgr/cli/quota.rb
-- lib/dcmgr/cli/group.rb
 - lib/ext/time.rb
 - Rakefile
 - LICENSE
@@ -270,7 +308,6 @@ files:
 - bin/hva
 - bin/sta
 - bin/nsa
-has_rdoc: true
 homepage: http://wakame.jp/
 licenses: []
 
@@ -302,9 +339,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.7
+rubygems_version: 1.8.6
 signing_key: 
 specification_version: 3
-summary: "Datacenter management toolkit for IaaS Cloud: agent modules"
+summary: "Wakame-VDC: Agent modules"
 test_files: []