M #-: Enable SG for elastic driver

install.sh

@@ -1734,9 +1734,12 @@ NETWORK_VCENTER_FILES="src/vnm_mad/remotes/vcenter/pre \
 
 NETWORK_ELASTIC_FILES="src/vnm_mad/remotes/elastic/elastic.rb \
                        src/vnm_mad/remotes/elastic/clean \
+                       src/vnm_mad/remotes/elastic/remote_clean \
                        src/vnm_mad/remotes/elastic/post \
+                       src/vnm_mad/remotes/elastic/remote_post \
                        src/vnm_mad/remotes/elastic/pre \
-                       src/vnm_mad/remotes/elastic/update_sg "
+                       src/vnm_mad/remotes/elastic/update_sg \
+                       src/vnm_mad/remotes/elastic/remote_update_sg "
 
 #-------------------------------------------------------------------------------
 # Virtual Network Manager drivers configuration to be installed under $REMOTES_LOCATION/etc/vnm

src/vnm_mad/remotes/elastic/clean

@@ -48,11 +48,17 @@ require 'CommandManager'
 template64 = STDIN.read
 hostname   = ARGV[0]
 
+remote_clean ="/var/tmp/one/vnm/elastic/remote_clean #{hostname}"
+
 begin
     drv = ElasticDriver.from_base64(template64, hostname)
 
     drv.unassign
 
+    rc = SSHCommand.run(remote_clean, hostname, nil, template64)
+
+    raise rc.stderr unless rc.code == 0
+
     drv.run_hooks_remote(ARGV, template64) if drv.deactivate == 0
 rescue StandardError => e
     OpenNebula.log_error(e.message)

src/vnm_mad/remotes/elastic/post

@@ -49,12 +49,18 @@ template64 = STDIN.read
 deploy_id = ARGV[0]
 hostname  = ARGV[1]
 
+remote_post ="/var/tmp/one/vnm/elastic/remote_post #{deploy_id} #{hostname}"
+
 begin
     drv = ElasticDriver.from_base64(template64, hostname, deploy_id)
 
     exit 1 if drv.assign
 
     begin
+        rc = SSHCommand.run(remote_post, hostname, nil, template64)
+
+        raise StandardError.new rc.stderr unless rc.code == 0
+
         drv.run_hooks(ARGV, template64) if drv.activate == 0
     rescue StandardError => e
         drv.unassign # rollback assign

src/vnm_mad/remotes/elastic/remote_clean

@@ -0,0 +1,38 @@
+#!/usr/bin/env ruby
+
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2021, OpenNebula Project, OpenNebula Systems                #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+$: << File.dirname(__FILE__)
+$: << File.join(File.dirname(__FILE__), "..")
+
+require 'vnmmad'
+
+template64   = STDIN.read
+deploy_id    = nil
+xpath_filter = "TEMPLATE/NIC[VN_MAD='elastic']"
+
+begin
+    filter_driver = VNMMAD::VNMDriver.filter_driver(template64,
+                                                    xpath_filter,
+                                                    deploy_id,
+                                                    false)
+    filter_driver.deactivate
+rescue Exception => e
+    OpenNebula.log_error(e.message)
+    OpenNebula.log_error(e.backtrace)
+    exit 1
+end

src/vnm_mad/remotes/elastic/remote_post

@@ -0,0 +1,38 @@
+#!/usr/bin/env ruby
+
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2021, OpenNebula Project, OpenNebula Systems                #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+$: << File.dirname(__FILE__)
+$: << File.join(File.dirname(__FILE__), "..")
+
+require 'vnmmad'
+
+template64   = STDIN.read
+deploy_id    = ARGV[0]
+xpath_filter = "TEMPLATE/NIC[VN_MAD='elastic']"
+
+begin
+    filter_driver = VNMMAD::VNMDriver.filter_driver(template64,
+                                                    xpath_filter,
+                                                    deploy_id,
+                                                    false)
+    filter_driver.activate
+rescue Exception => e
+    OpenNebula.log_error(e.message)
+    OpenNebula.log_error(e.backtrace)
+    exit 1
+end

src/vnm_mad/remotes/elastic/remote_update_sg

@@ -0,0 +1,38 @@
+#!/usr/bin/env ruby
+
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2021, OpenNebula Project, OpenNebula Systems                #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+$: << File.dirname(__FILE__)
+$: << File.join(File.dirname(__FILE__), "..")
+
+require 'vnmmad'
+
+template64   = STDIN.read
+deploy_id    = ARGV[0]
+xpath_filter = "TEMPLATE/NIC[VN_MAD='elastic']"
+
+begin
+    filter_driver = VNMMAD::VNMDriver.filter_driver(template64,
+                                                    xpath_filter,
+                                                    deploy_id,
+                                                    false)
+    filter_driver.activate(true)
+rescue Exception => e
+    OpenNebula.log_error(e.message)
+    OpenNebula.log_error(e.backtrace)
+    exit 1
+end

src/vnm_mad/remotes/elastic/update_sg

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env ruby
 
 # -------------------------------------------------------------------------- #
 # Copyright 2002-2021, OpenNebula Project, OpenNebula Systems                #
@@ -16,4 +16,25 @@
 # limitations under the License.                                             #
 #--------------------------------------------------------------------------- #
 
-exit 0
+$LOAD_PATH << File.dirname(__FILE__)
+$LOAD_PATH << File.join(File.dirname(__FILE__), '..')
+
+require 'vnmmad'
+
+template64 = STDIN.read
+
+deploy_id = ARGV[0]
+hostname  = ARGV[1]
+
+update_sg ="/var/tmp/one/vnm/elastic/remote_update_sg #{deploy_id} #{hostname}"
+
+begin
+    rc = SSHCommand.run(update_sg, hostname, nil, template64)
+
+    raise rc.stderr unless rc.code == 0
+
+rescue StandardError => e
+    OpenNebula.log_error(e.message)
+    OpenNebula.log_error(e.backtrace)
+    exit 1
+end

src/vnm_mad/remotes/lib/security_groups_iptables.rb

@@ -287,22 +287,27 @@ module SGIPTables
     #   1.- Creates the GLOBAL_CHAIN chain
     #   2.- Forwards the bridge traffic to the GLOBAL_CHAIN
     #   3.- By default ACCEPT all traffic
-    def self.global_bootstrap
+    #
+    # If inbound packets are routed (not bridged) by the hypervisor OpenNebula 
+    # process all forwarding traffic.
+    def self.global_bootstrap(bridged)
         info = SGIPTables.info
 
         commands = VNMNetwork::Commands.new
 
+        rrule  = '-A FORWARD'
+        rrule << ' -m physdev --physdev-is-bridged' if bridged
+        rrule << " -j #{GLOBAL_CHAIN}"
+
         if !info[:iptables_s].split("\n").include?("-N #{GLOBAL_CHAIN}")
             commands.add :iptables, "-N #{GLOBAL_CHAIN}"
-            commands.add :iptables, "-A FORWARD -m physdev "\
-                "--physdev-is-bridged -j #{GLOBAL_CHAIN}"
+            commands.add :iptables, rrule
             commands.add :iptables, "-A #{GLOBAL_CHAIN} -j ACCEPT"
         end
 
         if !info[:ip6tables_s].split("\n").include?("-N #{GLOBAL_CHAIN}")
             commands.add :ip6tables, "-N #{GLOBAL_CHAIN}"
-            commands.add :ip6tables, "-A FORWARD -m physdev "\
-                "--physdev-is-bridged -j #{GLOBAL_CHAIN}"
+            commands.add :ip6tables, rrule
             commands.add :ip6tables, "-A #{GLOBAL_CHAIN} -j ACCEPT"
         end
 
@@ -343,6 +348,9 @@ module SGIPTables
     #
     #  This method also sets mac_spoofing, and ip_spoofing rules
     #
+    #  If incoming traffic is routed to the VM (not bridged) SG is apply by
+    #  dst IP. Note that outbound traffic is always bridged. Only IPv4 traffic
+    #
     #  Example, for VM 3 and NIC 0
     #   iptables -N one-3-0-i
     #   iptables -N one-3-0-o
@@ -358,7 +366,7 @@ module SGIPTables
     #
     #   IP spoofing
     #   iptables -A one-3-0-o ! --source 10.0.0.1 -j DROP
-    def self.nic_pre(vm, nic)
+    def self.nic_pre(bridged, vm, nic)
         commands = VNMNetwork::Commands.new
 
         vars = SGIPTables.vars(vm, nic)
@@ -373,15 +381,22 @@ module SGIPTables
         commands.add :ip6tables, "-N #{chain_out}" # outbound
 
         # Send traffic to the NIC chains
-        commands.add :iptables, "-I #{GLOBAL_CHAIN} -m physdev "\
-            "--physdev-out #{nic[:tap]} --physdev-is-bridged -j #{chain_in}"
-        commands.add :iptables, "-I #{GLOBAL_CHAIN} -m physdev "\
-            "--physdev-in  #{nic[:tap]} --physdev-is-bridged -j #{chain_out}"
 
-        commands.add :ip6tables, "-I #{GLOBAL_CHAIN} -m physdev "\
-            "--physdev-out #{nic[:tap]} --physdev-is-bridged -j #{chain_in}"
-        commands.add :ip6tables, "-I #{GLOBAL_CHAIN} -m physdev "\
-            "--physdev-in  #{nic[:tap]} --physdev-is-bridged -j #{chain_out}"
+        base_br = "-I #{GLOBAL_CHAIN} -m physdev --physdev-is-bridged "
+        nro     = "#{base_br} --physdev-in #{nic[:tap]} -j #{chain_out}"
+
+        if bridged
+            nri = "#{base_br} --physdev-out #{nic[:tap]} -j #{chain_in}"
+        else
+            nri = "-I #{GLOBAL_CHAIN} -d #{nic[:ip]} -j #{chain_in}"
+        end
+
+        #TODO routed traffic is only filtered for IPv4 addressing
+        commands.add :iptables, nri
+        commands.add :iptables, nro
+
+        commands.add :ip6tables, nri if bridged
+        commands.add :ip6tables, nro
 
         # ICMPv6 Neighbor Discovery Protocol (ARP replacement for IPv6)
         ## Allow routers to send router advertisements

src/vnm_mad/remotes/lib/sg_driver.rb

@@ -41,9 +41,11 @@ module VNMMAD
         # @param [String] hypervisor ID for the VM
         # @param [String] hypervisor (e.g. 'kvm' ...)
         # @param [String] Xpath for the NICs using the SG driver
-        def initialize(vm_64, xpath_filter = nil, deploy_id = nil)
+        def initialize(vm_64, xpath_filter = nil, deploy_id = nil, bridged=true)
             @locking = true
 
+            @bridged = bridged
+
             vm = Base64::decode64(vm_64)
 
             xpath_filter ||= XPATH_FILTER
@@ -76,7 +78,7 @@ module VNMMAD
             lock
 
             # Global Bootstrap
-            SGIPTables.global_bootstrap
+            SGIPTables.global_bootstrap(@bridged)
 
             attach_nic_id = @vm['TEMPLATE/NIC[ATTACH="YES"]/NIC_ID'] if !do_all
 
@@ -89,7 +91,7 @@ module VNMMAD
                     @security_group_rules = EMPTY_RULES
                 end
 
-                SGIPTables.nic_pre(@vm, nic)
+                SGIPTables.nic_pre(@bridged, @vm, nic)
 
                 sg_ids = nic[:security_groups].split(",")
 

src/vnm_mad/remotes/lib/vnm_driver.rb

@@ -258,8 +258,8 @@ module VNMMAD
         # Returns a filter object based on the contents of the template
         #
         # @return SGDriver object
-        def self.filter_driver(vm_64, xpath_filter, deploy_id)
-            SGDriver.new(vm_64, xpath_filter, deploy_id)
+        def self.filter_driver(vm_64, xpath_filter, deploy_id, bridged = true)
+            SGDriver.new(vm_64, xpath_filter, deploy_id, bridged)
         end
 
         # Returns the associated command including sudo and other configuration