diff --git a/src/vnm_mad/remotes/802.1Q/clean b/src/vnm_mad/remotes/802.1Q/clean index 6a454dda31..ea753aa57d 100755 --- a/src/vnm_mad/remotes/802.1Q/clean +++ b/src/vnm_mad/remotes/802.1Q/clean @@ -20,15 +20,14 @@ $: << File.dirname(__FILE__) $: << File.join(File.dirname(__FILE__), "..") require 'OpenNebulaNetwork' -require 'SecurityGroups' -require 'Firewall' template64 = ARGV[0] -if OpenNebulaNetwork.has_fw_attrs?(template64) - fw = OpenNebulaFirewall.from_base64(template64) - fw.deactivate -else - sg = OpenNebulaSG.from_base64(template64) - sg.deactivate +begin + filter_driver = OpenNebulaNetwork.filter_driver(template64) + filter_driver.deactivate +rescue Exception => e + OpenNebula.log_error(e.message) + OpenNebula.log_error(e.backtrace) + exit 1 end diff --git a/src/vnm_mad/remotes/802.1Q/post b/src/vnm_mad/remotes/802.1Q/post index 8fae58c232..76ec74671c 100755 --- a/src/vnm_mad/remotes/802.1Q/post +++ b/src/vnm_mad/remotes/802.1Q/post 
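Review bot: The new `rescue Exception => e` in 802.1Q/clean is wider than this script needs, because it also catches `SystemExit`, `Interrupt` and other non-`StandardError` exceptions, so a signal delivered during `filter_driver.deactivate` is logged as a driver error instead of terminating normally. `rescue StandardError => e` would cover the failures this block is meant to report. `e.backtrace` is an Array; if `OpenNebula.log_error` expects a string (its definition is not visible here), pass `e.backtrace.join("\n")`. The same block is added in 802.1Q/post, ebtables/post, fw/clean and fw/post.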
@@ -20,38 +20,15 @@ $: << File.dirname(__FILE__) $: << File.join(File.dirname(__FILE__), "..") require 'OpenNebulaNetwork' -require 'SecurityGroups' -require 'Firewall' template64 = ARGV[0] deploy_id = ARGV[1] -if OpenNebulaNetwork.has_fw_attrs?(template64) - fw = OpenNebulaFirewall.from_base64(template64, deploy_id) - fw.activate -else - sg = OpenNebulaSG.from_base64(template64, deploy_id) - begin - sg.activate - rescue OpenNebulaSGError => e - error = e.error - stage = e.stage - - OpenNebula.log_error(error.message) - OpenNebula.log_error(error.backtrace) - - case stage - when :bootstrap, :security_groups - OpenNebula.log_info("Deactivating security groups for #{deploy_id}.") - - sg.deactivate - when :deactivate - OpenNebula.log_error("Error deactivating security group rules for #{deploy_id}. Please verify manually.") - end - exit 1 - rescue Exception => error - OpenNebula.log_error(error.message) - OpenNebula.log_error(error.backtrace) - exit 1 - end +begin + filter_driver = OpenNebulaNetwork.filter_driver(template64, deploy_id) + filter_driver.activate +rescue Exception => e + OpenNebula.log_error(e.message) + OpenNebula.log_error(e.backtrace) + exit 1 end diff --git a/src/vnm_mad/remotes/Firewall.rb b/src/vnm_mad/remotes/Firewall.rb index 3d91363fb4..9440eb474b 100644 --- a/src/vnm_mad/remotes/Firewall.rb +++ b/src/vnm_mad/remotes/Firewall.rb @@ -17,7 +17,8 @@ class OpenNebulaFirewall < OpenNebulaNetwork DRIVER = "fw" - XPATH_FILTER = OpenNebulaNetwork::FW_ATTRS + XPATH_FILTER = "TEMPLATE/NIC[ICMP|WHITE_PORTS_TCP|WHITE_PORTS_UDP|" << + "BLACK_PORTS_TCP|BLACK_PORTS_UDP]" def initialize(vm, deploy_id = nil, hypervisor = nil) super(vm,XPATH_FILTER,deploy_id,hypervisor) diff --git a/src/vnm_mad/remotes/OpenNebulaNetwork.rb b/src/vnm_mad/remotes/OpenNebulaNetwork.rb index fa6441dc9d..fdff12df33 100644 --- a/src/vnm_mad/remotes/OpenNebulaNetwork.rb +++ b/src/vnm_mad/remotes/OpenNebulaNetwork.rb 
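Review bot: A failure in `filter_driver.activate` is now only logged before `exit 1`, so 802.1Q/post no longer calls `deactivate` itself or emits the "Please verify manually" message, and rollback depends entirely on the driver. The SecurityGroups.rb hunk adds a `deactivate` to the rescue around `sg.run!`, but this diff does not show whether the former `:bootstrap` stage or `OpenNebulaFirewall#activate` roll back on failure. If they do not, a failed post can leave partially applied filter rules on the host with no log line telling the operator to check. Either confirm both drivers clean up after themselves and record it with a comment such as `# activate rolls back its own rules on failure`, or keep an explicit `filter_driver.deactivate` in the rescue. The same applies to ebtables/post and fw/post.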
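Review bot: `XPATH_FILTER` in Firewall.rb is built with `<<` and left unfrozen, and after this commit it is also the expression `OpenNebulaNetwork.has_fw_attrs?` uses to choose between the firewall and security-group drivers. An in-place mutation anywhere would silently change that routing, so the constant should be frozen, for example by ending the definition with `.freeze` on the parenthesised string. A one-line comment such as `# Also used by OpenNebulaNetwork.has_fw_attrs? to select the filter driver` would make the cross-file dependency visible.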
@@ -18,10 +18,11 @@ $: << File.dirname(__FILE__) $: << File.join(File.dirname(__FILE__), '..') require 'rexml/document' -require 'OpenNebulaNic' require 'base64' require 'yaml' +require 'OpenNebulaNic' + require 'scripts_common' include OpenNebula @@ -134,14 +135,21 @@ end class OpenNebulaNetwork attr_reader :hypervisor, :vm - FW_ATTRS = "TEMPLATE/NIC[ICMP|WHITE_PORTS_TCP|WHITE_PORTS_UDP|" << - "BLACK_PORTS_TCP|BLACK_PORTS_UDP]" - def self.from_base64(vm_64, deploy_id = nil, hypervisor = nil) vm_xml = Base64::decode64(vm_64) self.new(vm_xml, deploy_id, hypervisor) end + def self.filter_driver(vm_64, deploy_id = nil, hypervisor = nil) + vm_xml = Base64::decode64(vm_64) + + if self.has_fw_attrs?(vm_xml) + OpenNebulaFirewall.new(vm_xml, deploy_id, hypervisor) + else + OpenNebulaSG.new(vm_xml, deploy_id, hypervisor) + end + end + def initialize(vm_tpl, xpath_filter, deploy_id = nil, hypervisor = nil) @locking = false @@ -206,6 +214,24 @@ class OpenNebulaNetwork bridges end +end + +# Dynamic factory method for the filter class +require 'Firewall' +require 'SecurityGroups' +class OpenNebulaNetwork + # Returns a filter object based on the contents of the template + # + # @return OpenNebulaFirewall or OpenNebulaSG object + def self.filter_driver(vm_64, deploy_id = nil, hypervisor = nil) + vm_xml = Base64::decode64(vm_64) + + if self.has_fw_attrs?(vm_xml) + OpenNebulaFirewall.new(vm_xml, deploy_id, hypervisor) + else + OpenNebulaSG.new(vm_xml, deploy_id, hypervisor) + end + end # Returns true if the template contains the deprecated firewall attributes: # - ICMP @@ -215,9 +241,8 @@ class OpenNebulaNetwork # - BLACK_PORTS_UDP # # @return Boolean - def self.has_fw_attrs?(vm_64) - vm_xml = Base64::decode64(vm_64) + def self.has_fw_attrs?(vm_xml) vm_root = REXML::Document.new(vm_xml).root - !vm_root.elements[FW_ATTRS].nil? + !vm_root.elements[OpenNebulaFirewall::XPATH_FILTER].nil? end end 
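Review bot: `self.filter_driver` is defined twice in OpenNebulaNetwork.rb, once in this hunk next to `from_base64` and again with an identical body in the reopened `class OpenNebulaNetwork` added by the `@@ -206,6 +214,24 @@` hunk. Ruby silently keeps the later definition, so the first copy is dead code that can drift from the real one; remove the definition added here and keep the documented one at the bottom. The reopened class would also benefit from a comment saying why the requires sit there, e.g. `# Firewall and SecurityGroups subclass OpenNebulaNetwork, so they are required after the class body`.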
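Review bot: `has_fw_attrs?` now takes decoded XML instead of Base64 and dereferences `vm_root.elements` without checking that the document has a root element. `Base64::decode64` is lenient, so a missing or malformed argument produces a string for which `REXML::Document.new(vm_xml).root` is `nil`, and the driver choice then fails with a `NoMethodError` rather than a clear message. Any caller outside this diff that still passes the Base64 template would hit the same path. A guard such as `raise ArgumentError, "VM template has no root element" if vm_root.nil?` and a doc line `# @param vm_xml [String] decoded VM template XML (not Base64)` would make the new contract explicit.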
diff --git a/src/vnm_mad/remotes/SecurityGroups.rb b/src/vnm_mad/remotes/SecurityGroups.rb index a43479a534..c79edeb4a8 100644 --- a/src/vnm_mad/remotes/SecurityGroups.rb +++ b/src/vnm_mad/remotes/SecurityGroups.rb @@ -514,14 +514,6 @@ end # OpenNebula Firewall with Security Groups Based on IPTables (KVM and Xen) ################################################################################ -class OpenNebulaSGError < StandardError - attr_reader :stage, :error - def initialize(stage, error = nil) - @stage = stage - @error = error - end -end - class OpenNebulaSG < OpenNebulaNetwork DRIVER = "sg" XPATH_FILTER = "TEMPLATE/NIC" @@ -578,7 +570,8 @@ class OpenNebulaSG < OpenNebulaNetwork sg.run! rescue Exception => e unlock - raise OpenNebulaSGError.new(:security_groups, e) + deactivate + raise e end end @@ -596,7 +589,7 @@ class OpenNebulaSG < OpenNebulaNetwork SECURITY_GROUP_CLASS.nic_deactivate(@vm, nic) end rescue Exception => e - raise OpenNebulaSGError.new(:deactivate, e) + raise e ensure unlock end diff --git a/src/vnm_mad/remotes/ebtables/clean b/src/vnm_mad/remotes/ebtables/clean index 37e5a7694a..2e462e6d94 100755 --- a/src/vnm_mad/remotes/ebtables/clean +++ b/src/vnm_mad/remotes/ebtables/clean @@ -21,18 +21,11 @@ $: << File.join(File.dirname(__FILE__), "..") require 'OpenNebulaNetwork' require 'Ebtables' -require 'Firewall' -require 'SecurityGroups' template64 = ARGV[0] onevlan = EbtablesVLAN.from_base64(template64) onevlan.deactivate -if OpenNebulaNetwork.has_fw_attrs?(template64) - fw = OpenNebulaFirewall.from_base64(template64) - fw.deactivate -else - sg = OpenNebulaSG.from_base64(template64) - sg.deactivate -end +filter_driver = OpenNebulaNetwork.filter_driver(template64) +filter_driver.deactivate diff --git a/src/vnm_mad/remotes/ebtables/post b/src/vnm_mad/remotes/ebtables/post index d25e88358d..88cada3ec7 100755 --- a/src/vnm_mad/remotes/ebtables/post +++ b/src/vnm_mad/remotes/ebtables/post 
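Review bot: In the rescue around `sg.run!`, an exception raised by the newly added `deactivate` replaces the original activation error, because `raise e` is never reached. The caller then logs only the rollback failure, and the old "Error deactivating security group rules … Please verify manually" hint is gone, so an operator cannot tell that rules may still be installed on the host. Wrapping the rollback in its own rescue keeps the root cause and reports the failed cleanup separately. The enclosing method starts outside this hunk, and the log call assumes `OpenNebula.log_error` is reachable from this file as it is in the scripts.
```ruby
# … unchanged: rule setup and sg.run! …
rescue Exception => e
  unlock
  begin
    deactivate
  rescue StandardError => rollback_error
    # Report the failed rollback, but re-raise the activation error below.
    OpenNebula.log_error("Error deactivating security group rules after a failed activation. Please verify manually.")
    OpenNebula.log_error(rollback_error.message)
  end
  raise e
```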
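Review bot: The `rescue Exception => e` followed by `raise e` in the deactivate path is now a no-op, since the `ensure unlock` clause already runs when an exception propagates. Dropping the rescue clause leaves the same behaviour with less code and removes another `rescue Exception`. The method's beginning is outside this hunk.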
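Review bot: ebtables/clean calls `OpenNebulaNetwork.filter_driver(template64)` and `filter_driver.deactivate` with no `begin`/`rescue`, unlike 802.1Q/clean and fw/clean in this same commit. A failure while removing filter rules therefore ends the script with an uncaught exception instead of going through `OpenNebula.log_error` and an explicit `exit 1`. Wrap the two lines in the same rescue block the other clean scripts use, so a failed rule cleanup is reported consistently across drivers.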
@@ -21,8 +21,6 @@ $: << File.join(File.dirname(__FILE__), "..") require 'OpenNebulaNetwork' require 'Ebtables' -require 'SecurityGroups' -require 'Firewall' template64 = ARGV[0] deploy_id = ARGV[1] @@ -30,33 +28,11 @@ deploy_id = ARGV[1] onevlan = EbtablesVLAN.from_base64(template64, deploy_id) onevlan.activate -if OpenNebulaNetwork.has_fw_attrs?(template64) - fw = OpenNebulaFirewall.from_base64(template64, deploy_id) - fw.activate -else - sg = OpenNebulaSG.from_base64(template64, deploy_id) - begin - sg.activate - rescue OpenNebulaSGError => e - error = e.error - stage = e.stage - - OpenNebula.log_error(error.message) - OpenNebula.log_error(error.backtrace) - - case stage - when :bootstrap, :security_groups - OpenNebula.log_info("Deactivating security groups for #{deploy_id}.") - - sg.deactivate - when :deactivate - OpenNebula.log_error("Error deactivating security group rules for #{deploy_id}. Please verify manually.") - end - exit 1 - rescue Exception => error - OpenNebula.log_error(error.message) - OpenNebula.log_error(error.backtrace) - exit 1 - end +begin + filter_driver = OpenNebulaNetwork.filter_driver(template64, deploy_id) + filter_driver.activate +rescue Exception => e + OpenNebula.log_error(e.message) + OpenNebula.log_error(e.backtrace) + exit 1 end - diff --git a/src/vnm_mad/remotes/fw/clean b/src/vnm_mad/remotes/fw/clean index 6a454dda31..95d3481aec 100755 --- a/src/vnm_mad/remotes/fw/clean +++ b/src/vnm_mad/remotes/fw/clean @@ -25,10 +25,11 @@ require 'Firewall' template64 = ARGV[0] -if OpenNebulaNetwork.has_fw_attrs?(template64) - fw = OpenNebulaFirewall.from_base64(template64) - fw.deactivate -else - sg = OpenNebulaSG.from_base64(template64) - sg.deactivate +begin + filter_driver = OpenNebulaNetwork.filter_driver(template64) + filter_driver.deactivate +rescue Exception => e + OpenNebula.log_error(e.message) + OpenNebula.log_error(e.backtrace) + exit 1 end 
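Review bot: fw/clean appears to keep its `require 'SecurityGroups'` and `require 'Firewall'` lines, while every other script in this commit drops them. The hunk header context still shows `require 'Firewall'`, and the hunk starts at line 25, below the require block. OpenNebulaNetwork.rb now requires both files itself, so the leftovers are harmless but inconsistent. Removing them here would keep all hook scripts loading the filter drivers through the single `OpenNebulaNetwork.filter_driver` entry point.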
diff --git a/src/vnm_mad/remotes/fw/post b/src/vnm_mad/remotes/fw/post index 8fae58c232..76ec74671c 100755 --- a/src/vnm_mad/remotes/fw/post +++ b/src/vnm_mad/remotes/fw/post @@ -20,38 +20,15 @@ $: << File.dirname(__FILE__) $: << File.join(File.dirname(__FILE__), "..") require 'OpenNebulaNetwork' -require 'SecurityGroups' -require 'Firewall' template64 = ARGV[0] deploy_id = ARGV[1] -if OpenNebulaNetwork.has_fw_attrs?(template64) - fw = OpenNebulaFirewall.from_base64(template64, deploy_id) - fw.activate -else - sg = OpenNebulaSG.from_base64(template64, deploy_id) - begin - sg.activate - rescue OpenNebulaSGError => e - error = e.error - stage = e.stage - - OpenNebula.log_error(error.message) - OpenNebula.log_error(error.backtrace) - - case stage - when :bootstrap, :security_groups - OpenNebula.log_info("Deactivating security groups for #{deploy_id}.") - - sg.deactivate - when :deactivate - OpenNebula.log_error("Error deactivating security group rules for #{deploy_id}. Please verify manually.") - end - exit 1 - rescue Exception => error - OpenNebula.log_error(error.message) - OpenNebula.log_error(error.backtrace) - exit 1 - end +begin + filter_driver = OpenNebulaNetwork.filter_driver(template64, deploy_id) + filter_driver.activate +rescue Exception => e + OpenNebula.log_error(e.message) + OpenNebula.log_error(e.backtrace) + exit 1 end