wakame-vdc-dcmgr 11.06.0 → 11.12.0

data/lib/dcmgr/vnet/isolators/by_securitygroup.rb

@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+
+module Dcmgr
+  module VNet
+    module Isolators
+    
+      # Isolates instances based on security groups
+      # Access to instances in another security group is blocked
+      class BySecurityGroup < Isolator
+        def determine_friends(me,others)
+          #TODO: make sure that me and others are vnic maps
+          others.dup.delete_if { |other|
+            # Delete if we are not in the same security group
+            me[:security_groups].find {|my_group| other[:security_groups].member?(my_group) }.nil?
+          }
+        end
+      end
+    
+    end
+  end
+end

data/lib/dcmgr/vnet/isolators/dummy.rb

@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+
+module Dcmgr
+  module VNet
+    module Isolators
+    
+      # This isolator just returns an empty array as friends
+      # This means all instances will be isolated from each other
+      class DummyIsolator < Isolator
+        def determine_friends(me,others)
+          []
+        end
+      end
+    
+    end
+  end
+end

data/lib/dcmgr/vnet/netfilter/cache.rb

@@ -0,0 +1,51 @@
+# -*- coding: utf-8 -*-
+
+module Dcmgr
+  module VNet
+    module Netfilter
+    
+      class NetfilterCache < Cache
+        include Dcmgr::Logger
+        
+        def initialize(node)
+          # Initialize the values needed to do rpc requests
+          @node = node
+          @rpc ||= Isono::NodeModules::RpcChannel.new(@node)
+        end
+
+        # Makes a call to the database and updates the Cache
+        def update
+          logger.info "updating cache from database"
+          @cache = @rpc.request('hva-collector', 'get_netfilter_data', @node.node_id)
+        end
+        
+        # Returns the cache
+        # if _force_update_ is set to true, the cache will be updated from the database
+        def get(force_update = false)
+          self.update if @cache.nil? || force_update
+          
+          # Always return a duplicate of the cache. We don't want any external program messing with the original contents.
+          #TODO: Do this in a faster way than marshall
+          Marshal.load( Marshal.dump(@cache) )
+        end
+        
+        # Adds a newly started instance to the existing cache
+        def add_instance(inst_map)
+          if @cache.is_a? Hash
+            logger.info "adding instance '#{inst_map[:uuid]} to cache'"
+            @cache << inst_map
+          else
+          
+          end
+        end
+        
+        # Removes a terminated instance from the existing cache
+        def remove_instance(inst_id)
+          logger.info "removing Instance '#{inst_id}' from cache"
+          @cache[:instances].delete_if {|inst_map| inst_map[:uuid] == inst_id }
+        end
+      end
+    
+    end
+  end
+end

data/lib/dcmgr/vnet/netfilter/chain.rb

@@ -0,0 +1,66 @@
+# -*- coding: utf-8 -*-
+
+module Dcmgr
+  module VNet
+    module Netfilter
+    
+      class Chain
+        attr_reader :name
+        attr_reader :table
+        
+        def initialize(table,name)
+          @table = table
+          @name = name
+        end
+      end
+      
+      #IptablesPreMadeChains = {
+          #:filter => [:input,:output,:forward],
+          #:nat => [:prerouting,:postrouting,:output],
+          #:mangle => [:prerouting,:output,:input,:postrouting],
+          #:raw => [:prerouting, :output]
+      #}
+      
+      class IptablesChain < Chain
+        def initialize(table,name)
+          raise ArgumentError, "table #{table} doesn't exist. Existing tables are '#{self.class.pre_made.keys.join(",")}'." unless self.class.pre_made.keys.member?(table)
+          raise ArgumentError, "name can not be any of the following: '#{self.class.pre_made[table].join(",")}'." if self.class.pre_made[table].member?(name)
+          
+          super
+        end
+        
+        def self.pre_made
+          {
+            :filter => [:input,:output,:forward],
+            :nat => [:prerouting,:postrouting,:output],
+            :mangle => [:prerouting,:output,:input,:postrouting],
+            :raw => [:prerouting, :output]
+          }
+        end
+      end
+      
+      #EbtablesPreMadeChains = {
+          #:filter => [:input,:output,:forward],
+          #:nat => [:prerouting,:postrouting,:output],
+          #:broute => [:brouting]
+      #}
+      
+      class EbtablesChain < Chain
+        def initialize(table,name)
+          raise ArgumentError, "table #{table} doesn't exist. Existing tables are '#{self.class.pre_made.keys.join(",")}'." unless self.class.pre_made.keys.member?(table)
+          raise ArgumentError, "name can not be any of the following: '#{self.class.pre_made[table].join(",")}'." if self.class.pre_made[table].member?(name)
+          
+          super
+        end
+        
+        def self.pre_made
+          {
+            :filter => [:input,:output,:forward],
+            :nat => [:prerouting,:postrouting,:output],
+            :broute => [:brouting]
+          }
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/netfilter/controller.rb

@@ -0,0 +1,193 @@
+# -*- coding: utf-8 -*-
+
+module Dcmgr
+  module VNet
+    module Netfilter
+    
+      class NetfilterController < Controller
+        include Dcmgr::Logger
+        attr_accessor :task_manager
+        attr_reader :node
+        
+        # This controller should use a cache
+        
+        def initialize(node)
+          logger.info "initializing controller"
+          super()
+          @node = node
+          
+          @cache = NetfilterCache.new(@node)
+          
+          @isolator = IsolatorFactory.create_isolator
+          
+          self.task_manager = TaskManagerFactory.create_task_manager(node)
+          raise "#{self.task_manager} must be a NetfilterTaskManager" unless self.task_manager.is_a?(NetfilterTaskManager)
+          
+          # Initialize Netfilter configuration
+          cmds = []
+          cmds << init_iptables if node.manifest.config.enable_iptables
+          cmds << init_ebtables if node.manifest.config.enable_ebtables
+          cmds.flatten! 
+            
+          puts cmds.join("\n") if node.manifest.config.verbose_netfilter
+          system(cmds.join("\n"))
+          
+          self.task_manager.apply_tasks([DebugIptables.new]) if node.manifest.config.debug_iptables
+          
+          # Apply the current instances if there are any
+          @cache.get[:instances].each { |inst_map|
+            logger.info "initializing instance '#{inst_map[:uuid]}'"
+            self.init_instance(inst_map)
+          }
+        end
+        
+        def apply_instance(instance)
+          if instance.is_a? String
+            # We got a uuid. Find it in the cache.
+            inst_map = @cache.get[:instances].find { |inst| inst[:uuid] == instance}
+
+            # If we couldn't find this instance's uuid in the cache, we update the cache and try again
+            if inst_map.nil?
+              @cache.update
+              inst_map = @cache.get[:instances].find { |inst| inst[:uuid] == instance}
+            end
+          elsif instance.is_a? Hash
+            inst_map = instance
+          else
+            raise ArgumentError, "instance must be either a uuid or an instance's hash map" unless instance.is_a? Hash
+          end
+          
+          logger.info "applying instance '#{inst_map[:uuid]}'"
+          
+          # Create all the rules for this instance
+          init_instance(inst_map)
+          
+          # Apply isolation tasks for this new instance to its friends
+          inst_map[:vif].each { |vnic|
+            other_vnics = get_other_vnics(vnic,@cache)
+            # Determine which vnics need to be isolated from this one
+            friends = @isolator.determine_friends(vnic, other_vnics)
+            
+            friends.each { |friend|
+              # Remove the drop rules so the isolation rules don't ger applied after them
+              #self.task_manager.remove_vnic_tasks(friend,TaskFactory.create_drop_tasks_for_vnic(friend,self.node))
+              
+              # Put in the new isolation rules
+              self.task_manager.apply_vnic_tasks(friend,TaskFactory.create_tasks_for_isolation(friend,[vnic],self.node))
+              # Put the drop rules back
+              #self.task_manager.apply_vnic_tasks(friend,TaskFactory.create_drop_tasks_for_vnic(friend,self.node))
+            }
+          }
+        end
+        
+        def get_other_vnics(vnic,cache)
+          cache.get[:instances].map { |inst_map|
+              inst_map[:vif].delete_if { |other_vnic|
+                other_vnic == vnic
+            }
+          }.flatten
+        end
+        
+        def init_instance(inst_map)
+          # Call the factory to create all tasks for each vnic. Then apply them
+          inst_map[:vif].each { |vnic|
+            # Get a list of all other vnics in this host
+            other_vnics = get_other_vnics(vnic,@cache)
+            
+            # Determine which vnics need to be isolated from this one
+            friends = @isolator.determine_friends(vnic, other_vnics)
+            
+            # Determine the security group rules for this vnic
+            security_groups = @cache.get[:security_groups].delete_if { |group|
+              not vnic[:security_groups].member? group[:uuid]
+            }
+          
+            self.task_manager.apply_vnic_chains(vnic)
+            self.task_manager.apply_vnic_tasks(vnic,TaskFactory.create_tasks_for_vnic(vnic,friends,security_groups,node))
+          }
+        end
+        
+        def remove_instance(inst_id)
+          logger.info "removing instance '#{inst_id}'"
+          # Find the instance in the cache
+          inst_map = @cache.get[:instances].find { |inst| inst[:uuid] == inst_id}
+          
+          #Clean up the isolation tasks in friends' chains
+          inst_map[:vif].each { |vnic|
+            other_vnics = get_other_vnics(vnic,@cache)
+            friends = @isolator.determine_friends(vnic, other_vnics)
+            
+            friends.each { |friend|
+              self.task_manager.remove_vnic_tasks(friend,TaskFactory.create_tasks_for_isolation(friend,[vnic],self.node))
+            }
+          }
+          
+          inst_map[:vif].each { |vnic|
+            # Removing the nat tasks separately because they include an arp reply
+            # that isn't put in a separate chain
+            other_vnics = get_other_vnics(vnic,@cache)
+            # Determine which vnics need to be isolated from this one
+            friends = @isolator.determine_friends(vnic, other_vnics)
+            
+            self.task_manager.remove_vnic_tasks(vnic, TaskFactory.create_nat_tasks_for_vnic(vnic,self.node) )
+            self.task_manager.remove_vnic_chains(vnic)
+          }
+          
+          # Remove the terminated instance from the cache
+          @cache.remove_instance(inst_id)
+        end
+        
+        def update_security_group(group)
+          logger.info "updating security group '#{group}'"
+          # Get the old security group info from the cache
+          old_cache = @cache.get
+          
+          # Get a list of vnics that are in this security group
+          vnics = old_cache[:instances].map {|inst_map| inst_map[:vif].delete_if { |vnic| not vnic[:security_groups].member?(group) } }.flatten
+          unless vnics.empty?
+            # Get the rules for this security group
+            old_group = old_cache[:security_groups].find {|sg| sg[:uuid] == group}
+          
+            # Get the new info from the cache
+            new_cache = @cache.get(true)
+            new_group = new_cache[:security_groups].find {|sg| sg[:uuid] == group}
+            
+            vnics.each { |vnic_map|
+              # Remove the old security group tasks
+              self.task_manager.remove_vnic_tasks(vnic_map, TaskFactory.create_tasks_for_secgroup(old_group))
+              
+              # Remove the drop tasks so the new group's tasks don't get applied behind it
+              #self.task_manager.remove_vnic_tasks(vnic_map, TaskFactory.create_drop_tasks_for_vnic(vnic_map,self.node))
+              # Add the new security group tasks
+              self.task_manager.apply_vnic_tasks(vnic_map, TaskFactory.create_tasks_for_secgroup(new_group))
+              # Put the drop tasks back in place
+              #self.task_manager.apply_vnic_tasks(vnic_map, TaskFactory.create_drop_tasks_for_vnic(vnic_map,self.node))
+            }
+          end
+        end
+        
+        private
+        def init_iptables
+          [
+            "iptables -t nat -F",
+            "iptables -t nat -X",
+            "iptables -t nat -Z",
+            "iptables -t filter -F",
+            "iptables -t filter -X",
+            "iptables -t filter -Z",
+            #"iptables -t filter -P FORWARD  DROP"
+          ]
+        end
+        
+        def init_ebtables
+          [
+              "ebtables -t nat --init-table",
+              "ebtables -t filter --init-table",
+              #"ebtables -t filter -P FORWARD DROP"
+          ]
+        end
+      end
+    
+    end
+  end
+end

data/lib/dcmgr/vnet/netfilter/ebtables_rule.rb

@@ -0,0 +1,53 @@
+# -*- coding: utf-8 -*-
+
+module Dcmgr
+  module VNet
+    module Netfilter
+    
+      class EbtablesRule < Rule
+        attr_accessor :table
+        attr_accessor :chain
+        attr_accessor :rule
+        # Should be either :incoming or :outgoing
+        attr_accessor :bound
+        attr_accessor :protocol
+        
+        def initialize(table = nil, chain = nil,  protocol = nil, bound = nil, rule = nil)
+          super()
+          raise ArgumentError, "table does not exist: #{table}" unless EbtablesChain.pre_made.keys.member?(table)
+          self.table = table
+          self.chain = chain
+          self.protocol = protocol
+          self.bound = bound
+          self.rule = rule
+        end
+        
+        # Override the chain getter to allow us to handle premade chains
+        # with symbols instead of all caps strings. ie, :forward instead of "FORWARD"
+        def chain
+          if EbtablesChain.pre_made[self.table].member?(@chain)
+            @chain.to_s.upcase 
+          else
+            @chain
+          end
+        end
+        
+        # Little static method that returns the part of an ebtables rule required for logging arp
+        def self.log_arp(prefix)
+          "--log-ip --log-arp --log-prefix '#{prefix}'"
+        end
+        
+        # Getter for a hashmap of ebtables protocols
+        def self.protocols
+          {
+            'ip4'  => 'ip4',
+            'arp'  => 'arp',
+            #'ip6'  => 'ip6',
+            #'rarp' => '0x8035',
+          }
+        end
+      end
+    
+    end
+  end
+end

data/lib/dcmgr/vnet/netfilter/iptables_rule.rb

@@ -0,0 +1,45 @@
+# -*- coding: utf-8 -*-
+
+module Dcmgr
+  module VNet
+    module Netfilter
+    
+      class IptablesRule < Rule
+        attr_accessor :table
+        attr_accessor :chain
+        attr_accessor :rule
+        # Should be either :incoming or :outgoing
+        attr_accessor :bound
+        attr_accessor :protocol
+        
+        def initialize(table = nil, chain = nil, protocol = nil, bound = nil, rule = nil)
+          super()
+          raise ArgumentError, "table does not exist: #{table}" unless IptablesChain.pre_made.keys.member?(table)
+          self.table = table
+          self.chain = chain
+          self.protocol = protocol
+          self.bound = bound
+          self.rule = rule
+        end
+        
+        def chain
+          if IptablesChain.pre_made[self.table].member?(@chain)
+            @chain.to_s.upcase 
+          else
+            @chain
+          end
+        end
+        
+        # Getter for the protocols iptables supports
+        def self.protocols
+          {
+            'tcp'  => 'tcp',
+            'udp'  => 'udp',
+            'icmp' => 'icmp',
+          }
+        end
+      end
+    
+    end
+  end
+end