wakame-vdc-agents 10.11.0

data/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/NOTICE

@@ -0,0 +1 @@
+Copyright (c) 2009-2010 axsh Ltd.

data/Rakefile

@@ -0,0 +1,142 @@
+# -*- coding: utf-8 -*-
+
+begin
+  require 'rubygems'
+  require 'bundler/setup'
+rescue LoadError
+end
+$:.unshift 'lib'
+
+require 'rake/clean'
+require 'dcmgr'
+
+task :environment do
+  Dcmgr.configure 'dcmgr.conf'
+  Dcmgr.run_initializers
+end
+
+namespace :db do
+  desc 'Create all database tables'
+  task :init => [ :environment ] do
+    ::Kernel.load(File.expand_path('../conf/initializers/sequel.rb', __FILE__))
+    require 'isono'
+    
+    Dcmgr::Models::CREATE_TABLE_CLASSES.each { |c|
+      Dcmgr::Models.const_get(c).create_table!
+    }
+    Isono::Models::NodeState.create_table!
+    Isono::Models::JobState.create_table!
+
+    Dcmgr::Models::CREATE_TABLE_CLASSES.each { |c|
+      Dcmgr::Models.const_get(c).install_data
+    }
+  end
+
+  desc 'Drop all database tables'
+  task :drop => [ :environment ] do
+    require 'sequel'
+    require 'isono'
+    
+    Dcmgr::Models::CREATE_TABLE_CLASSES.each { |c|
+      Dcmgr::Models.const_get(c).drop_table
+    }
+    Isono::Models::NodeState.drop_table
+    Isono::Models::JobState.drop_table
+  end
+end
+
+desc 'run bundle command to install vendored gems.'
+task :bundle do
+  sh <<_ENDCMD
+mkdir .bundle
+cat <<END_ > .bundle/config
+---
+BUNDLE_DISABLE_SHARED_GEMS: "1"
+BUNDLE_PATH: vendor/bundle
+END_
+_ENDCMD
+  sh "bundle install"
+end
+
+desc 'build gem packages'
+task :gem do
+  require 'rubygems'
+  require 'rake/gempackagetask'
+
+  spec = Gem::Specification.new do |s|
+    s.platform = Gem::Platform::RUBY
+    s.version = Dcmgr::VERSION
+    s.authors = ['axsh Ltd.']
+    s.email = ['dev@axsh.net']
+    s.homepage = 'http://wakame.jp/'
+    s.name = 'wakame-vdc-dcmgr'
+    s.summary = "Datacenter management toolkit for IaaS Cloud: datacenter manager and support modules"
+    s.description = ''
+    s.require_path = 'lib'
+    s.required_ruby_version = '>= 1.8.7'
+
+    s.files = Dir['config/**/*.rb', 'lib/**/*.rb', 'web/api/public/**/*.*',
+                  'web/metadata/public/**/*.*'] + 
+      %w(Rakefile LICENSE NOTICE 
+         web/api/config.ru web/metadata/config.ru config/dcmgr.conf.example)
+
+    s.bindir='bin'
+    s.executables = %w(collector)
+
+    s.add_dependency "isono", ">= 0.1.0", "< 0.2"
+    s.add_dependency "eventmachine", "0.12.10"
+    s.add_dependency "log4r"
+    s.add_dependency "extlib", '0.9.15'
+    s.add_dependency "configuration"
+    s.add_dependency "statemachine", '1.1.1'
+    s.add_dependency "ruby-hmac"
+    s.add_dependency "ipaddress", '0.7.0'
+    s.add_dependency "rack", ">= 1.2.1"
+    s.add_dependency "sinatra", "1.0"
+    s.add_dependency "json", ">= 1.2.0"
+    s.add_dependency "sequel", "3.16.0"
+    s.add_dependency "mysql", ">= 2.8.1"
+
+    s.add_development_dependency 'bacon'
+    s.add_development_dependency 'rake'
+  end
+
+  File.open("#{spec.name}.gemspec", 'w'){|f| f.write(spec.to_ruby) }
+  sh "gem build #{spec.name}.gemspec"
+
+  spec = Gem::Specification.new do |s|
+    s.platform = Gem::Platform::RUBY
+    s.version = Dcmgr::VERSION
+    s.authors = ['axsh Ltd.']
+    s.email = ['dev@axsh.net']
+    s.homepage = 'http://wakame.jp/'
+    s.name = 'wakame-vdc-agents'
+    s.summary = "Datacenter management toolkit for IaaS Cloud: agent modules"
+    s.description = ''
+    s.require_path = 'lib'
+    s.required_ruby_version = '>= 1.8.7'
+
+    s.files = Dir['config/**/*.rb', 'lib/**/*.rb'] +
+      %w(Rakefile LICENSE NOTICE
+         config/hva.conf.example config/nsa.conf.example)
+
+    s.bindir='bin'
+    s.executables = %w(hva sta nsa)
+
+    s.add_dependency "isono", ">= 0.1.0", "< 0.2"
+    s.add_dependency "eventmachine", "0.12.10"
+    s.add_dependency "log4r"
+    s.add_dependency "extlib", '0.9.15'
+    s.add_dependency "configuration"
+    s.add_dependency "statemachine", '1.1.1'
+    s.add_dependency "ruby-hmac"
+    s.add_dependency "ipaddress", '0.7.0'
+    s.add_dependency "open4"
+
+    s.add_development_dependency 'bacon'
+    s.add_development_dependency 'rake'
+  end
+  
+  File.open("#{spec.name}.gemspec", 'w'){|f| f.write(spec.to_ruby) }
+  sh "gem build #{spec.name}.gemspec"
+end

data/bin/hva

@@ -0,0 +1,972 @@
+#!/usr/bin/env ruby
+# -*- coding: utf-8 -*-
+
+begin
+  require 'rubygems'
+  require 'bundler'
+  Bundler.setup(:default)
+rescue Exception 
+end
+
+require File.expand_path('../../config/path_resolver', __FILE__)
+
+include Isono::Runner::RpcServer
+require 'fileutils'
+
+class ServiceNetfilter < Isono::NodeModules::Base
+  include Dcmgr::Logger
+
+  initialize_hook do
+    @worker_thread = Isono::ThreadPool.new(1)
+
+    @worker_thread.pass {
+      myinstance.init_netfilter
+    }
+
+    event = Isono::NodeModules::EventChannel.new(node)
+
+    event.subscribe('hva/instance_started', '#') do |args|
+      @worker_thread.pass {
+        logger.info("refresh on instance_started: #{args.inspect}")
+        inst_id = args[0]
+        logger.info("refresh_netfilter_by_friend_instance_id: #{inst_id}")
+        myinstance.refresh_netfilter_by_friend_instance_id(inst_id)
+      }
+    end
+
+    event.subscribe('hva/instance_terminated', '#') do |args|
+      @worker_thread.pass {
+        logger.info("refresh on instance_terminated: #{args.inspect}")
+        inst_id = args[0]
+        logger.info("refresh_netfilter_by_friend_instance_id: #{inst_id}")
+        myinstance.refresh_netfilter_by_friend_instance_id(inst_id)
+      }
+    end
+
+    event.subscribe('hva/netfilter_updated', '#') do |args|
+      @worker_thread.pass {
+        logger.info("refresh on netfilter_updated: #{args.inspect}")
+        netfilter_group_id = args[0]
+        myinstance.refresh_netfilter_by_joined_netfilter_group_id(netfilter_group_id)
+      }
+    end
+  end
+
+  def init_netfilter
+    begin
+      inst_maps = rpc.request('hva-collector', 'get_alive_instances', node.node_id)
+
+      init_ebtables(inst_maps) if @node.manifest.config.enable_ebtables
+      init_iptables(inst_maps) if @node.manifest.config.enable_iptables
+      logger.info("initialize netfilter")
+    rescue Exception => e
+      p e
+    end
+  end
+
+  # from event_subscriber
+  def refresh_netfilter_by_friend_instance_id(inst_id)
+    raise "UnknownInstanceID" if inst_id.nil?
+
+    begin
+      inst_map = rpc.request('hva-collector', 'get_instance', inst_id)
+      ng = rpc.request('hva-collector', 'get_netfilter_groups_of_instance', inst_map[:uuid])
+
+      inst_maps = ng.map { |g|
+        rpc.request('hva-collector', 'get_instances_of_netfilter_group', g[:id])
+      }
+
+      if inst_maps.size > 0
+        inst_maps.flatten.uniq.each { |inst_map|
+          unless inst_map.nil?
+            refresh_ebtables(inst_map) if @node.manifest.config.enable_ebtables
+            refresh_iptables(inst_map) if @node.manifest.config.enable_iptables
+          end
+        }
+      end
+    rescue Exception => e
+      p e
+    end
+  end
+
+  # from event_subscriber
+  def refresh_netfilter_by_joined_netfilter_group_id(netfilter_group_id)
+    raise "UnknownNetfilterGroupID" if netfilter_group_id.nil?
+
+    begin
+      inst_maps = rpc.request('hva-collector', 'get_instances_of_netfilter_group', netfilter_group_id)
+      inst_maps.each { |inst_map|
+        unless inst_map.nil?
+          refresh_ebtables(inst_map) if @node.manifest.config.enable_ebtables
+          refresh_iptables(inst_map) if @node.manifest.config.enable_iptables
+        end
+      }
+    rescue Exception => e
+      p e
+    end
+  end
+
+  def init_ebtables(inst_maps = [])
+    cmd = "sudo ebtables --init-table"
+    puts cmd
+    system(cmd)
+
+    inst_maps.each { |inst_map|
+      refresh_ebtables(inst_map)
+    }
+  end
+
+  def init_iptables(inst_maps = [])
+    [ 'nat', 'filter' ].each { |table|
+      [ 'F', 'Z', 'X' ].each { |xcmd|
+        cmd = "sudo iptables -t #{table} -#{xcmd}"
+        puts cmd
+        system(cmd)
+      }
+    }
+
+    inst_maps.each { |inst_map|
+      refresh_iptables(inst_map)
+    }
+  end
+
+  def valid_vif?(vif)
+    cmd = "ifconfig #{vif} >/dev/null 2>&1"
+    system(cmd)
+
+    if $?.exitstatus == 0
+      true
+    else
+      logger.warn("#{vif}: error fetching interface information: Device not found")
+      false
+    end
+  end
+
+  def refresh_ebtables(inst_map = {})
+    logger.debug("refresh_ebtables: #{inst_map[:uuid]} ...")
+
+    # Does the hva have instance?
+    unless inst_map[:host_pool][:node_id] == node.node_id
+      logger.warn("no match for the instance: #{inst_map[:uuid]}")
+      return
+    end
+
+    network_map = rpc.request('hva-collector', 'get_network', inst_map[:host_pool][:network_id])
+    raise "UnknownNetworkId" if network_map.nil?
+
+    vif     = inst_map[:instance_nics].first[:vif]
+    vif_mac = inst_map[:instance_nics].first[:mac_addr].unpack('A2'*6).join(':')
+
+    flush_ebtables(inst_map)
+
+    # Does host have vif?
+    unless valid_vif?(vif)
+      return
+    end
+
+    # group node IPv4 addresses.
+    ipv4s = rpc.request('hva-collector', 'get_group_instance_ipv4s', inst_map[:uuid])
+
+    # xtables commands
+    cmds = []
+
+    # support IP protocol
+    protocol_maps = {
+      'ip4'  => 'ip4',
+      'arp'  => 'arp',
+      #ip6'  => 'ip6',
+      #rarp' => '0x8035',
+    }
+
+    # make chain names.
+    chains = []
+    chains << "s_#{vif}"
+    chains << "d_#{vif}"
+    chains << "s_#{vif}_d_host"
+    protocol_maps.each { |k,v|
+      chains << "s_#{vif}_#{k}"
+      chains << "d_#{vif}_#{k}"
+      chains << "s_#{vif}_d_host_#{k}"
+    }
+
+    # create user defined chains.
+    [ 'N' ].each { |xcmd|
+      chains.each { |chain|
+        cmds << "sudo ebtables -#{xcmd} #{chain}"
+      }
+    }
+
+    # jumt to user defined chains
+    cmds << "sudo ebtables -A FORWARD -i #{vif} -j s_#{vif}"
+    cmds << "sudo ebtables -A FORWARD -o #{vif} -j d_#{vif}"
+    cmds << "sudo ebtables -A INPUT   -i #{vif} -j s_#{vif}_d_host"
+
+    # IP protocol routing
+    protocol_maps.each { |k,v|
+      cmds << "sudo ebtables -A s_#{vif}        -p #{v} -j s_#{vif}_#{k}"
+      cmds << "sudo ebtables -A d_#{vif}        -p #{v} -j d_#{vif}_#{k}"
+      cmds << "sudo ebtables -A s_#{vif}_d_host -p #{v} -j s_#{vif}_d_host_#{k}"
+    }
+
+    # default drop
+    cmds << "sudo ebtables -A s_#{vif}        --log-level warning --log-ip --log-arp --log-prefix 's_#{vif} DROP:'        -j CONTINUE"
+    cmds << "sudo ebtables -A s_#{vif}_d_host --log-level warning --log-ip --log-arp --log-prefix 's_#{vif}_d_host DROP:' -j CONTINUE"
+    cmds << "sudo ebtables -A s_#{vif}        -j DROP"
+    cmds << "sudo ebtables -A s_#{vif}_d_host -j DROP"
+
+    # anti spoof
+    #cmds << "sudo ebtables -A s_#{vif}_arp --protocol arp --arp-mac-src ! #{vif_mac} -j DROP"
+    #cmds << "sudo ebtables -A d_#{vif}_arp --protocol arp --arp-mac-dst ! #{vif_mac} -j DROP"
+
+    # group nodes.
+    ipv4s << network_map[:ipv4_gw]
+    ipv4s << network_map[:dns_server]
+    ipv4s << network_map[:dhcp_server]
+    ipv4s.uniq.each do |ipv4|
+      cmds << "sudo ebtables -A d_#{vif}_arp --protocol arp --arp-ip-src #{ipv4} -j ACCEPT"
+    end
+
+    # deny,allow
+    cmds << "sudo ebtables -A d_#{vif}_arp        --log-level warning --log-ip --log-arp --log-prefix 's_#{vif}_arp DROP:'        -j CONTINUE"
+    cmds << "sudo ebtables -A s_#{vif}_d_host_arp --log-level warning --log-ip --log-arp --log-prefix 's_#{vif}_d_host_arp DROP:' -j CONTINUE"
+    cmds << "sudo ebtables -A d_#{vif}_arp        -j DROP"
+    cmds << "sudo ebtables -A s_#{vif}_d_host_arp -j DROP"
+
+    cmds.uniq! if cmds.size > 0
+    cmds.compact.each { |cmd|
+      puts cmd
+      system(cmd)
+    }
+
+    logger.debug("refresh_ebtables: #{inst_map[:uuid]} done.")
+  end
+
+  def refresh_iptables(inst_map = {})
+    logger.debug("refresh_iptables: #{inst_map[:uuid]} ...")
+
+    # Does the hva have instance?
+    unless inst_map[:host_pool][:node_id] == node.node_id
+      logger.warn "no match for the instance: #{inst_map[:uuid]}"
+      return
+    end
+
+    network_map = rpc.request('hva-collector', 'get_network', inst_map[:host_pool][:network_id])
+    raise "UnknownNetworkId" if network_map.nil?
+
+    vif     = inst_map[:instance_nics].first[:vif]
+    vif_mac = inst_map[:instance_nics].first[:mac_addr].unpack('A2'*6).join(':')
+
+    flush_iptables(inst_map)
+
+    # Does host have vif?
+    unless valid_vif?(vif)
+      return
+    end
+
+    # group node IPv4 addresses.
+    ipv4s = rpc.request('hva-collector', 'get_group_instance_ipv4s', inst_map[:uuid])
+
+    ng = rpc.request('hva-collector', 'get_netfilter_groups_of_instance', inst_map[:uuid])
+    rules = ng.map { |g|
+      g[:rules].map { |rule| rule[:permission] }
+    }
+    rules.flatten! if rules.size > 0
+
+    # xtables commands
+    cmds = []
+
+    # support IP protocol
+    protocol_maps = {
+      'tcp'  => 'tcp',
+      'udp'  => 'udp',
+      'icmp' => 'icmp',
+    }
+
+    # make chain names.
+    chains = []
+    protocol_maps.each { |k,v|
+      chains << "s_#{vif}_#{k}"
+      chains << "d_#{vif}_#{k}"
+    }
+    chains << "s_#{vif}"
+    chains << "d_#{vif}"
+
+    # metadata-server
+    [ 'A' ].each { |xcmd|
+      system("sudo iptables -t nat -#{xcmd} PREROUTING -m physdev --physdev-is-bridged --physdev-in #{vif} -s 0.0.0.0 -d 169.254.169.254 -p tcp --dport 80 -j DNAT --to-destination #{network_map[:metadata_server]}:80")
+    }
+
+    # create user defined chains.
+    [ 'N' ].each { |xcmd|
+      chains.each { |chain|
+        cmds << "sudo iptables -#{xcmd} #{chain}"
+
+        # logger & drop
+        cmds << "sudo iptables -N #{chain}_drop"
+        cmds << "sudo iptables -A #{chain}_drop -j LOG --log-level 4 --log-prefix '#{chain} DROP:'"
+        cmds << "sudo iptables -A #{chain}_drop -j DROP"
+      }
+    }
+
+    # group nodes
+    ipv4s << network_map[:ipv4_gw]
+    ipv4s.each { |addr|
+      cmds << "sudo iptables -A d_#{vif} -s #{addr} -j ACCEPT"
+    }
+
+    # IP protocol routing
+    [ 's', 'd' ].each do |bound|
+      protocol_maps.each { |k,v|
+        cmds << "sudo iptables -N #{bound}_#{vif}_#{k}"
+
+        case k
+        when 'tcp'
+          case bound
+          when 's'
+            cmds << "sudo iptables -A #{bound}_#{vif} -m state --state NEW,ESTABLISHED -p #{k} -j #{bound}_#{vif}_#{k}"
+          when 'd'
+            #cmds << "sudo iptables -A #{bound}_#{vif} -m state --state     ESTABLISHED -p #{k} -j #{bound}_#{vif}_#{k}"
+            cmds << "sudo iptables -A #{bound}_#{vif} -m state --state RELATED,ESTABLISHED -p #{k} -j ACCEPT"
+            cmds << "sudo iptables -A #{bound}_#{vif} -p #{k} -j #{bound}_#{vif}_#{k}"
+          end
+        when 'udp'
+          case bound
+          when 's'
+            cmds << "sudo iptables -A #{bound}_#{vif} -m state --state NEW,ESTABLISHED -p #{k} -j #{bound}_#{vif}_#{k}"
+          when 'd'
+            #cmds << "sudo iptables -A #{bound}_#{vif} -m state --state     ESTABLISHED -p #{k} -j #{bound}_#{vif}_#{k}"
+            cmds << "sudo iptables -A #{bound}_#{vif} -m state --state ESTABLISHED -p #{k} -j ACCEPT"
+            cmds << "sudo iptables -A #{bound}_#{vif} -p #{k} -j #{bound}_#{vif}_#{k}"
+          end
+        when 'icmp'
+          case bound
+          when 's'
+            cmds << "sudo iptables -A #{bound}_#{vif} -m state --state NEW,ESTABLISHED,RELATED -p #{k} -j #{bound}_#{vif}_#{k}"
+          when 'd'
+            #cmds << "sudo iptables -A #{bound}_#{vif} -m state --state NEW,ESTABLISHED,RELATED -p #{k} -j #{bound}_#{vif}_#{k}"
+            cmds << "sudo iptables -A #{bound}_#{vif} -m state --state ESTABLISHED,RELATED -p #{k} -j ACCEPT"
+            cmds << "sudo iptables -A #{bound}_#{vif} -p #{k} -j #{bound}_#{vif}_#{k}"
+          end
+        end
+      }
+    end
+
+    cmds << "sudo iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in  #{vif} -j s_#{vif}"
+    cmds << "sudo iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out #{vif} -j d_#{vif}"
+
+    ##
+    ## ACCEPT
+    ##
+    # DHCP Server
+    cmds << "sudo iptables -A d_#{vif}_udp -p udp -s #{network_map[:dhcp_server]} --sport 67 -j ACCEPT"
+    #cmds << "sudo iptables -A d_#{vif}_udp -p udp --sport 67 -j d_#{vif}_udp_drop"
+    # DNS Server
+    cmds << "sudo iptables -A s_#{vif}_udp -p udp -d #{network_map[:dns_server]} --dport 53 -j ACCEPT"
+
+    ##
+    ## DROP
+    ##
+    protocol_maps.each { |k,v|
+      # DHCP
+      cmds << "sudo iptables -A s_#{vif} -d #{network_map[:dhcp_server]} -p #{k} -j s_#{vif}_#{k}_drop"
+      # DNS
+      cmds << "sudo iptables -A s_#{vif} -d #{network_map[:dns_server]} -p #{k} -j s_#{vif}_#{k}_drop"
+    }
+
+    # security group
+    # rules
+    build_rule(rules).each do |rule|
+      case rule[:ip_protocol]
+      when 'tcp', 'udp'
+        cmds << "sudo iptables -A d_#{vif}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --dport #{rule[:ip_dport]} -j ACCEPT"
+      when 'icmp'
+        # ToDo: implement
+        # - icmp_type : -1...
+        # - icmp_code : -1...
+        # cmds << "sudo iptables -A d_#{vif}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --icmp-type #{rule[:icmp_type]}/#{rule[:icmp_code]} -j ACCEPT"
+        cmds << "sudo iptables -A d_#{vif}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} -j ACCEPT"
+      end
+    end
+
+    # drop other routings
+    protocol_maps.each { |k,v|
+      cmds << "sudo iptables -A d_#{vif}_#{k} -p #{k} -j d_#{vif}_#{k}_drop"
+    }
+
+    # IP protocol routing
+    [ 'd' ].each do |bound|
+      protocol_maps.each { |k,v|
+        cmds << "sudo iptables -A #{bound}_#{vif}_#{k} -j #{bound}_#{vif}_#{k}_drop"
+      }
+    end
+
+    cmds.uniq! if cmds.size > 0
+    cmds.compact.each { |cmd|
+      puts cmd
+      system(cmd)
+    }
+
+    logger.debug("refresh_iptables: #{inst_map[:uuid]} done.")
+  end
+
+  def flush_ebtables(inst_map = {})
+    logger.debug("flush_ebtables: #{inst_map[:uuid]} ...")
+
+    # Does the hva have instance?
+    unless inst_map[:host_pool][:node_id] == node.node_id
+      logger.warn "no match for the instance: #{inst_map[:uuid]}"
+      return
+    end
+
+    network_map = rpc.request('hva-collector', 'get_network', inst_map[:host_pool][:network_id])
+    raise "UnknownNetworkId" if network_map.nil?
+
+    vif     = inst_map[:instance_nics].first[:vif]
+
+    # support IP protocol
+    protocol_maps = {
+      'ip4'  => 'ip4',
+      'arp'  => 'arp',
+      #ip6'  => 'ip6',
+      #rarp' => '0x8035',
+    }
+
+    # make chain names.
+    chains = []
+    chains << "s_#{vif}"
+    chains << "d_#{vif}"
+    chains << "s_#{vif}_d_host"
+    protocol_maps.each { |k,v|
+      chains << "s_#{vif}_#{k}"
+      chains << "d_#{vif}_#{k}"
+      chains << "s_#{vif}_d_host_#{k}"
+    }
+
+    # clear rules if exists.
+    system("sudo ebtables -L s_#{vif} >/dev/null 2>&1")
+    if $?.exitstatus == 0
+      cmd = "sudo ebtables -D FORWARD -i #{vif} -j s_#{vif}"
+      puts cmd
+      system(cmd)
+    end
+
+    system("sudo ebtables -L d_#{vif} >/dev/null 2>&1")
+    if $?.exitstatus == 0
+      cmd = "sudo ebtables -D FORWARD -o #{vif} -j d_#{vif}"
+      puts cmd
+      system(cmd)
+    end
+
+    system("sudo ebtables -L s_#{vif}_d_host >/dev/null 2>&1")
+    if $?.exitstatus == 0
+      cmd = "sudo ebtables -D INPUT -i #{vif} -j s_#{vif}_d_host"
+      puts cmd
+      system(cmd)
+    end
+
+    [ 'F', 'Z', 'X' ].each { |xcmd|
+      chains.each { |chain|
+        system("sudo ebtables -L #{chain} >/dev/null 2>&1")
+        if $?.exitstatus == 0
+          cmd = "sudo ebtables -#{xcmd} #{chain}"
+          puts cmd
+          system(cmd)
+        end
+      }
+    }
+
+    logger.debug("flush_ebtables: #{inst_map[:uuid]} #{vif} done.")
+  end
+
+  def flush_iptables(inst_map = {})
+    logger.debug("flush_iptables: #{inst_map[:uuid]} ...")
+
+    # Does the hva have instance?
+    unless inst_map[:host_pool][:node_id] == node.node_id
+      logger.warn "no match for the instance: #{inst_map[:uuid]}"
+      return
+    end
+
+    network_map = rpc.request('hva-collector', 'get_network', inst_map[:host_pool][:network_id])
+    raise "UnknownNetworkId" if network_map.nil?
+
+    vif     = inst_map[:instance_nics].first[:vif]
+
+    # support IP protocol
+    protocol_maps = {
+      'tcp'  => 'tcp',
+      'udp'  => 'udp',
+      'icmp' => 'icmp',
+    }
+
+    # make chain names.
+    chains = []
+    protocol_maps.each { |k,v|
+      chains << "s_#{vif}_#{k}"
+      chains << "d_#{vif}_#{k}"
+      chains << "s_#{vif}_#{k}_drop"
+      chains << "d_#{vif}_#{k}_drop"
+    }
+    chains << "s_#{vif}"
+    chains << "d_#{vif}"
+    chains << "s_#{vif}_drop"
+    chains << "d_#{vif}_drop"
+
+    # metadata-server
+    [ 'D' ].each { |xcmd|
+      system("sudo iptables -t nat -#{xcmd} PREROUTING -m physdev --physdev-is-bridged --physdev-in #{vif} -s 0.0.0.0 -d 169.254.169.254 -p tcp --dport 80 -j DNAT --to-destination #{network_map[:metadata_server]}:80 >/dev/null 2>&1")
+    }
+
+    # clean rules if exists.
+    system("sudo iptables -nL s_#{vif} >/dev/null 2>&1")
+    if $?.exitstatus == 0
+      system("sudo iptables -D FORWARD -m physdev --physdev-is-bridged --physdev-in #{vif} -j s_#{vif}")
+    end
+
+    system("sudo iptables -nL d_#{vif} >/dev/null 2>&1")
+    if $?.exitstatus == 0
+      system("sudo iptables -D FORWARD -m physdev --physdev-is-bridged --physdev-out #{vif} -j d_#{vif}")
+    end
+
+    [ 'F', 'Z', 'X' ].each { |xcmd|
+      chains.each { |chain|
+        system("sudo iptables -nL #{chain} >/dev/null 2>&1")
+        if $?.exitstatus == 0
+          system("sudo iptables -#{xcmd} #{chain}")
+        end
+      }
+    }
+
+    logger.debug("flush_iptables: #{inst_map[:uuid]} #{vif} done.")
+  end
+
+  def build_rule(rules = [])
+    require 'ipaddress'
+
+    rule_maps = []
+
+    rules.each do |rule|
+      # ex.
+      # "tcp:22,22,ip4:0.0.0.0"
+      # "udp:53,53,ip4:0.0.0.0"
+      # "icmp:-1,-1,ip4:0.0.0.0"
+
+      # 1st phase
+      # ip_dport    : tcp,udp? 1 - 16bit, icmp: -1
+      # id_port has been separeted in first phase.
+      from_pair, ip_dport, source_pair = rule.split(',')
+
+      # 2nd phase
+      # ip_protocol : [ tcp | udp | icmp ]
+      # ip_sport    : tcp,udp? 1 - 16bit, icmp: -1
+      ip_protocol, ip_sport = from_pair.split(':')
+
+      # protocol    : [ ip4 | ip6 ]
+      # ip_source   : ip4? xxx.xxx.xxx.xxx./[0-32], ip6?: not yet supprted.
+      protocol, ip_source = source_pair.split(':')
+
+      # validate
+      next unless protocol == 'ip4'
+      # next unless IPAddress.valid?(ip_source)
+
+      # IPAddress does't support prefix '0'.
+      ip_addr, prefix = ip_source.split('/', 2)
+      if prefix.to_i == 0
+        ip_source = ip_addr
+      end
+
+      begin
+        ip = IPAddress(ip_source)
+        ip_source = case ip.u32
+                    when 0
+                      "#{ip.address}/0"
+                    else
+                      "#{ip.address}/#{ip.prefix}"
+                    end
+
+      rescue Exception => e
+        p e
+        next
+      end
+
+      case ip_protocol
+      when 'tcp', 'udp'
+        rule_maps << {
+          :ip_protocol => ip_protocol,
+          :ip_sport    => ip_sport.to_i,
+          :ip_dport    => ip_dport.to_i,
+          :protocol    => protocol,
+          :ip_source   => ip_source,
+        }
+      when 'icmp'
+        # via http://docs.amazonwebservices.com/AWSEC2/latest/CommandLineReference/
+        #
+        # For the ICMP protocol, the ICMP type and code must be specified.
+        # This must be specified in the format type:code where both are integers.
+        # Type, code, or both can be specified as -1, which is a wildcard.
+
+        rule_maps << {
+          :ip_protocol => ip_protocol,
+          :icmp_type   => -1, # ip_dport.to_i, # -1 or 0,       3,    5,       8,        11, 12, 13, 14, 15, 16, 17, 18
+          :icmp_code   => -1, # ip_sport.to_i, # -1 or 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
+          :protocol    => protocol,
+          :ip_source   => ip_source,
+        }
+      end
+    end
+
+    rule_maps
+  end
+
+  def rpc
+    @rpc ||= Isono::NodeModules::RpcChannel.new(@node)
+  end
+
+  def event
+    @event ||= Isono::NodeModules::EventChannel.new(@node)
+  end
+
+end
+
+require 'shellwords'
+raise "Shellword is old version." unless Shellwords.respond_to?(:shellescape)
+require 'open4'
+
+module CliHelper
+  class TimeoutError < RuntimeError; end
+  
+  def tryagain(opts={:timeout=>60, :retry=>3}, &blk)
+    timedout = false
+    curthread = Thread.current
+
+    timersig = EventMachine.add_timer(opts[:timeout]) {
+      timedout = true
+      if curthread
+        curthread.raise(TimeoutError.new("timeout"))
+        curthread.pass
+      end
+    }
+
+    begin
+      count = 0
+      begin
+        break if blk.call
+      end while !timedout && ((count += 1) < opts[:retry])
+    rescue TimeoutError => e
+      raise e
+    ensure
+      curthread = nil
+      EventMachine.cancel_timer(timersig) rescue nil
+    end
+  end
+
+  class CommandError < StandardError
+    attr_reader :stderr, :stdout
+    def initialize(msg, stdout, stderr)
+      super(msg)
+      @stdout = stdout
+      @stderr = stderr
+    end
+  end
+  
+  def sh(cmd, args=[], opts={})
+    opts = opts.merge({:expect_exitcode=>0})
+    cmd = sprintf(cmd, *args.map {|a| Shellwords.shellescape(a.to_s) })
+
+    outbuf = errbuf = ''
+    blk = proc {|pid, stdin, stdout, stderr|
+      stdin.close
+      outbuf = stdout
+      errbuf = stderr
+    }
+    stat = Open4::popen4(cmd, &blk)
+    if self.respond_to? :logger
+      logger.debug("Exec command (pid=#{stat.pid}): #{cmd}")
+      logger.debug("STDOUT:\n#{outbuf}\nSTDERR:\n#{errbuf}")
+    end
+    if stat.exitstatus != opts[:expect_exitcode]
+      raise CommandError, "Unexpected exit code=#{stat.extstatus} (expected=#{opts{:expect_exitcode}})",
+         outbuf, errbuf
+    end
+    true
+  end
+end
+
+require 'net/telnet'
+
+module KvmHelper
+  # Establish telnet connection to KVM monitor console
+  def connect_monitor(port, &blk)
+    begin
+      telnet = ::Net::Telnet.new("Host" => "localhost",
+                                 "Port"=>port.to_s,
+                                 "Prompt" => /\n\(qemu\) /,
+                                 "Timeout" => 60,
+                                 "Waittime" => 0.2)
+
+      blk.call(telnet)
+    rescue => e
+      logger.error(e) if self.respond_to?(:logger)
+    ensure
+      telnet.close
+    end
+  end
+end
+
+class KvmHandler < EndpointBuilder
+  include Dcmgr::Logger
+  include CliHelper
+  include KvmHelper
+
+  job :run_local_store do
+    #hva = rpc.delegate('hva-collector')
+    inst_id = request.args[0]
+    logger.info("Booting #{inst_id}")
+    #inst = hva.get_instance(inst_id)
+
+    inst = rpc.request('hva-collector', 'get_instance',  inst_id)
+    raise "Invalid instance state: #{inst[:state]}" unless inst[:state].to_s == 'init'
+
+    # setup vm data folder
+    inst_data_dir = File.expand_path("#{inst_id}", @node.manifest.config.vm_data_dir)
+    FileUtils.mkdir(inst_data_dir)
+    # copy image file
+    img_src = inst[:image][:source]
+    case img_src[:type].to_sym
+    when :http
+      img_path = File.expand_path("#{inst_id}/#{inst[:uuid]}", @node.manifest.config.vm_data_dir)
+      sh("curl --silent -o '#{img_path}' #{img_src[:uri]}")
+    else
+      raise "Unknown image source type: #{img_src[:type]}"
+    end
+
+    # boot virtual machine
+    cmd = "kvm -m %d -smp %d -name vdc-%s -vnc :%d -drive file=%s -pidfile %s -daemonize -monitor telnet::%d,server,nowait"
+    args = [
+            inst[:instance_spec][:memory_size],
+            inst[:instance_spec][:cpu_cores],
+            inst_id,
+            inst[:runtime_config][:vnc_port],
+            img_path,
+            File.expand_path('kvm.pid', inst_data_dir),
+            inst[:runtime_config][:telnet_port]
+           ]
+    sh(cmd, args)
+    
+    rpc.request('hva-collector', 'update_instance',  inst_id, {:state=>:running})
+    event.publish('hva/instance_started', :args=>[inst_id])
+  end
+
+  job :run_vol_store do
+    inst_id = request.args[0]
+    vol_id = request.args[1]
+    
+    inst = rpc.request('hva-collector', 'get_instance', inst_id)
+    vol = rpc.request('sta-collector', 'get_volume', vol_id)
+    logger.info("Booting #{inst_id}")
+    raise "Invalid instance state: #{inst[:state]}" unless inst[:state].to_s == 'init'
+
+    # setup vm data folder
+    inst_data_dir = File.expand_path("#{inst_id}", @node.manifest.config.vm_data_dir)
+    FileUtils.mkdir(inst_data_dir)
+    
+    # create volume from snapshot
+    jobreq.run("zfs-handle.#{vol[:storage_pool][:node_id]}", "create_volume", vol_id)
+    
+    logger.debug("volume created on #{vol[:storage_pool][:node_id]}: #{vol_id}")
+    # reload volume info
+    vol = rpc.request('sta-collector', 'get_volume', vol_id)
+
+    # check under until the dev file is created.
+    # /dev/disk/by-path/ip-192.168.1.21:3260-iscsi-iqn.1986-03.com.sun:02:a1024afa-775b-65cf-b5b0-aa17f3476bfc-lun-0
+    linux_dev_path = "/dev/disk/by-path/ip-%s-iscsi-%s-lun-%d" % ["#{vol[:storage_pool][:ipaddr]}:3260",
+                                                                  vol[:transport_information][:iqn],
+                                                                  vol[:transport_information][:lun]]
+    
+    # attach disk
+    tryagain do
+      sh("iscsiadm -m discovery -t sendtargets -p #{vol[:storage_pool][:ipaddr]}")
+      sh("iscsiadm -m node -l -T '#{vol[:transport_information][:iqn]}' --portal '#{vol[:storage_pool][:ipaddr]}:3260'")
+      sleep 1
+      File.exist?(linux_dev_path)
+    end
+    
+    # run vm
+    cmd = "kvm -m %d -smp %d -name vdc-%s -vnc :%d -drive file=%s -pidfile %s -daemonize -monitor telnet::%d,server,nowait"
+    args=[inst[:instance_spec][:memory_size],
+          inst[:instance_spec][:cpu_cores],
+          inst_id,
+          inst[:runtime_config][:vnc_port],
+          linux_dev_path,
+          File.expand_path('kvm.pid', inst_data_dir),
+          inst[:runtime_config][:telnet_port]
+          ]
+    if vnic = inst[:instance_nics].first
+      cmd += " -net nic,macaddr=%s -net tap,ifname=%s"
+      args << vnic[:mac_addr].unpack('A2'*6).join(':')
+      args << vnic[:vif]
+    end
+    sh(cmd, args)
+    
+    rpc.request('hva-collector', 'update_instance',  inst_id, {:state=>:running})
+    event.publish('hva/instance_started', :args=>[inst_id])
+  end
+  
+  job :terminate do
+    inst_id = request.args[0]
+
+    inst = rpc.request('hva-collector', 'get_instance', inst_id)
+    raise "Invalid instance state: #{inst[:state]}" unless inst[:state].to_s == 'running'
+
+    rpc.request('hva-collector', 'update_instance',  inst_id, {:state=>:shuttingdown})
+    
+    kvm_pid=`pgrep -u root -f vdc-#{inst_id}`
+    unless $?.exitstatus == 0 && kvm_pid.to_s =~ /^\d+$/
+      raise "No such VM process: kvm -name vdc-#{inst_id}"
+    end
+    
+    sh("/bin/kill #{kvm_pid}")
+
+    unless inst[:volume].nil?
+      inst[:volume].each { |volid, v|
+        sh("iscsiadm -m node -T '#{v[:transport_information][:iqn]}' --logout")
+      }
+    end
+
+    # cleanup vm data folder
+    FileUtils.rm_r(File.expand_path("#{inst_id}", @node.manifest.config.vm_data_dir))
+    
+    rpc.request('hva-collector', 'update_instance',  inst_id, {:state=>:terminated})
+    event.publish('hva/instance_terminated', :args=>[inst_id])
+  end
+
+  job :attach do
+    inst_id = request.args[0]
+    vol_id = request.args[1]
+
+    job = Dcmgr::Stm::VolumeContext.new(vol_id)
+    inst = rpc.request('hva-collector', 'get_instance', inst_id)
+    vol = rpc.request('sta-collector', 'get_volume', vol_id)
+    logger.info("Attaching #{vol_id}")
+    job.stm.state = vol[:state].to_sym
+    raise "Invalid volume state: #{vol[:state]}" unless vol[:state].to_s == 'available'
+
+    job.stm.on_attach
+    # check under until the dev file is created.
+    # /dev/disk/by-path/ip-192.168.1.21:3260-iscsi-iqn.1986-03.com.sun:02:a1024afa-775b-65cf-b5b0-aa17f3476bfc-lun-0
+    linux_dev_path = "/dev/disk/by-path/ip-%s-iscsi-%s-lun-%d" % ["#{vol[:storage_pool][:ipaddr]}:3260",
+                                                                  vol[:transport_information][:iqn],
+                                                                  vol[:transport_information][:lun]]
+
+    # attach disk on host os
+    tryagain do
+      sh("iscsiadm -m discovery -t sendtargets -p #{vol[:storage_pool][:ipaddr]}")
+      sh("iscsiadm -m node -l -T '#{vol[:transport_information][:iqn]}' --portal '#{vol[:storage_pool][:ipaddr]}:3260'")
+      sleep 1
+      File.exist?(linux_dev_path)
+    end
+
+    rpc.request('sta-collector', 'update_volume', job.to_hash(:host_device_name => linux_dev_path))
+    logger.info("Attaching #{vol_id} on #{inst_id}")
+    job.stm.on_attach
+    job.on_attach
+
+    # attach disk on guest os
+    require 'net/telnet'
+    slot_number = nil
+    pci = nil
+
+    slink = `ls -la #{linux_dev_path}`.scan(/.+\s..\/..\/([a-z]+)/)
+    raise "volume has not attached host os" if slink.nil?
+
+    begin
+      telnet = ::Net::Telnet.new("Host" => "localhost", "Port"=>"#{inst[:runtime_config][:telnet_port]}", "Prompt" => /\n\(qemu\) /, "Timeout" => 60, "Waittime" => 0.2)
+      telnet.cmd({"String" => "pci_add auto storage file=/dev/#{slink},if=scsi", "Match" => /.+slot\s[0-9]+.+/}){|c|
+        pci_add = c.scan(/.+slot\s([0-9]+).+/)
+        slot_number = pci_add unless pci_add.empty?
+      }
+      telnet.cmd("info pci"){|c|
+        pci = c.scan(/^(.+[a-zA-z]+.+[0-9],.+device.+#{slot_number},.+:)/)
+      }
+    rescue => e
+      logger.error(e)
+    ensure
+      telnet.close
+    end
+    raise "volume has not attached" if pci.nil?
+    rpc.request('sta-collector', 'update_volume', job.to_hash(:guest_device_name=>slot_number))
+    logger.info("Attached #{vol_id} on #{inst_id}")
+  end
+
+  job :detach do
+    inst_id = request.args[0]
+    vol_id = request.args[1]
+
+    job = Dcmgr::Stm::VolumeContext.new(vol_id)
+    inst = rpc.request('hva-collector', 'get_instance', inst_id)
+    vol = rpc.request('sta-collector', 'get_volume', vol_id)
+    logger.info("Detaching #{vol_id} on #{inst_id}")
+    job.stm.state = vol[:state].to_sym
+    raise "Invalid volume state: #{vol[:state]}" unless vol[:state].to_s == 'attached'
+
+    job.stm.on_detach
+    # detach disk on guest os
+    require 'net/telnet'
+    pci = nil
+
+    begin
+      telnet = ::Net::Telnet.new("Host" => "localhost", "Port"=>"#{inst[:runtime_config][:telnet_port]}", "Prompt" => /\n\(qemu\) /, "Timeout" => 60, "Waittime" => 0.2)
+      telnet.cmd("pci_del #{vol[:guest_device_name]}")
+      telnet.cmd("info pci"){|c|
+        pci = c.scan(/^(.+[a-zA-z]+.+[0-9],.+device.+#{vol[:guest_device_name]},.+:)/)
+      }
+    rescue => e
+      logger.error(e)
+    ensure
+      telnet.close
+    end
+    raise "volume has not detached" unless pci.empty?
+    rpc.request('sta-collector', 'update_volume', job.to_hash)
+
+    # iscsi logout
+    job.stm.on_detach
+    job.on_detach
+    logger.info("iscsi logout #{vol_id}: #{vol[:transport_information][:iqn]}")
+    initiator = `sudo iscsiadm -m node -T '#{vol[:transport_information][:iqn]}' --logout`
+    rpc.request('sta-collector', 'update_volume', job.to_hash)
+  end
+
+  def rpc
+    @rpc ||= Isono::NodeModules::RpcChannel.new(@node)
+  end
+
+  def jobreq
+    @jobreq ||= Isono::NodeModules::JobChannel.new(@node)
+  end
+
+  def event
+    @event ||= Isono::NodeModules::EventChannel.new(@node)
+  end
+end
+
+
+manifest = DEFAULT_MANIFEST.dup
+manifest.instance_eval do
+  node_name 'hva'
+  node_instance_id "#{Isono::Util.default_gw_ipaddr}"
+  load_module Isono::NodeModules::NodeHeartbeat
+  load_module ServiceNetfilter
+
+  config do |c|
+    c.vm_data_dir = '/var/lib/vm'
+    c.enable_ebtables = true
+    c.enable_iptables = true
+  end
+
+  config_path File.expand_path('config/hva.conf', app_root)
+  load_config
+end
+
+start(manifest) do
+  endpoint "kvm-handle.#{@node.node_id}", KvmHandler
+end