Posted to commits@cloudstack.apache.org by bh...@apache.org on 2015/04/21 21:18:05 UTC
git commit: updated refs/heads/CLOUDSTACK-8395 to ce930e5
Repository: cloudstack
Updated Branches:
refs/heads/CLOUDSTACK-8395 c11080a99 -> ce930e5cf (forced update)
CLOUDSTACK-8395: vmops plugin should work on both XS 6.5 and 6.2 :fist:
This fixes the issue of Security Groups not working in case of XenServer 6.5;
- Uses nethash ipset data-structure to store CIDRs (more efficient than iphash and
avoids overflow errors in case users add /8 /4 ingress/egress cidrs)
- Support for ipset versions both on 6.2 and 6.5, both have different outputs. This
fixes the issue of destroy_network_rules_for_vm failing
- Implements defensive filtering of list, instead of popping last item without
checking if it's None or empty
- Greps using names that are 'quoted' to avoid bash errors
- Before setting up new network rule, tries to clean and remove old ipset entry
- Idents, whitespace and naming fixes
PS. This is my 1000th commit to the :monkey_face: project :)
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/ce930e5c
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/ce930e5c
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/ce930e5c
Branch: refs/heads/CLOUDSTACK-8395
Commit: ce930e5cfd54564e37028300c16d09e37ac80cf2
Parents: 64ab355
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Tue Apr 21 17:35:36 2015 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Tue Apr 21 21:15:57 2015 +0200
----------------------------------------------------------------------
scripts/vm/hypervisor/xenserver/vmops | 109 +++++++++++++++--------------
1 file changed, 55 insertions(+), 54 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ce930e5c/scripts/vm/hypervisor/xenserver/vmops
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
index 8abddff..571e49c 100755
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -368,17 +368,17 @@ def allow_egress_traffic(session):
return 'true'
-def ipset(ipsetname, proto, start, end, ips):
+def ipset(ipsetname, proto, start, end, cidrs):
try:
- util.pread2(['ipset', '-N', ipsetname, 'iphash'])
+ util.pread2(['ipset', '-N', ipsetname, 'nethash'])
except:
- logging.debug("ipset chain already exists" + ipsetname)
+ logging.debug("ipset chain already exists: " + ipsetname)
result = True
ipsettmp = ''.join(''.join(ipsetname.split('-')).split('_')) + str(int(time.time()) % 1000)
try:
- util.pread2(['ipset', '-N', ipsettmp, 'iphash'])
+ util.pread2(['ipset', '-N', ipsettmp, 'nethash'])
except:
logging.debug("Failed to create temp ipset, reusing old name= " + ipsettmp)
try:
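Review bot: The bare `except:` after `ipset -N ipsetname nethash` treats every failure as "already exists", so an ipset binary that rejects the set type, a permission error, or a missing binary is logged as a pre-existing set and the function continues as if the set were usable. Mirror the pattern the next hunk already uses for `-A`: `except CommandException, cex:` followed by `if '<already-exists wording — placeholder>' not in cex.reason: raise`, where the exact message text should be confirmed on both the 6.2 and 6.5 ipset builds the commit targets. The temp-set creation just below deliberately falls back to reusing the name, so it can keep its broad handler, but a one-line comment saying that is intentional would stop a reader from "fixing" it. The rest of ipset() continues in the next hunk.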
@@ -388,10 +388,11 @@ def ipset(ipsetname, proto, start, end, ips):
return False
try:
- for ip in ips:
+ for cidr in cidrs:
try:
- util.pread2(['ipset', '-A', ipsettmp, ip])
+ util.pread2(['ipset', '-A', ipsettmp, cidr])
except CommandException, cex:
+ logging.debug("ipset cidr add failed due to: " + str(cex.reason))
if cex.reason.rfind('already in set') == -1:
raise
except:
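Review bot: The duplicate-entry check `cex.reason.rfind('already in set') == -1` depends on one exact ipset message, yet the commit's stated reason for the `grep -e '^-N' -e '^create'` changes elsewhere is that the 6.2 and 6.5 ipset builds print differently; if the 6.5 wording for a duplicate add differs, a repeated CIDR raises here and aborts the whole set instead of being skipped. I have not verified the 6.5 text — if it differs, accept both, e.g. `if not any(s in cex.reason for s in ('already in set', '<6.5 wording — placeholder>')): raise`. The added debug line is a welcome aid when diagnosing this; it could be written `logging.debug("ipset cidr add failed due to: %s", cex.reason)` so the string is only built when debug logging is enabled. The outer `except:` on the last line of this hunk has its body outside the hunk.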
@@ -428,7 +429,7 @@ def destroy_network_rules_for_vm(session, args):
util.pread2(['iptables', '-F', vmchain_default])
util.pread2(['iptables', '-X', vmchain_default])
except:
- logging.debug("Ignoring failure to delete chain " + vmchain_default)
+ logging.debug("Ignoring failure to delete chain " + vmchain_default)
destroy_ebtables_rules(vmchain)
destroy_arptables_rules(vmchain)
@@ -451,51 +452,43 @@ def destroy_network_rules_for_vm(session, args):
if 1 in [ vm_name.startswith(c) for c in ['r-', 's-', 'v-', 'l-'] ]:
return 'true'
-
+
try:
- setscmd = "ipset --save | grep " + vmchain + " | grep '^-N' | awk '{print $2}'"
- setsforvm = util.pread2(['/bin/bash', '-c', setscmd]).split('\n')
- for set in setsforvm:
- if set != '':
- util.pread2(['ipset', '-F', set])
- util.pread2(['ipset', '-X', set])
+ setscmd = "ipset --save | grep '%s' | grep -e '^-N' -e '^create' | awk '{print $2}'" % vmchain
+ ipset_names = filter(None, util.pread2(['/bin/bash', '-c', setscmd]).split('\n'))
+ for ipset_name in ipset_names:
+ if ipset_name != '':
+ util.pread2(['ipset', '-F', ipset_name])
+ util.pread2(['ipset', '-X', ipset_name])
except:
logging.debug("Failed to destroy ipsets for %" % vm_name)
-
-
+
return 'true'
@echo
def destroy_ebtables_rules(vm_chain):
-
- delcmd = "ebtables-save | grep " + vm_chain + " | sed 's/-A/-D/'"
+ delcmd = "ebtables-save | grep '%s' | sed 's/-A/-D/'" % vm_chain
delcmds = util.pread2(['/bin/bash', '-c', delcmd]).split('\n')
- delcmds.pop()
- for cmd in delcmds:
+ for cmd in filter(None, delcmds):
try:
- dc = cmd.split(' ')
- dc.insert(0, 'ebtables')
- util.pread2(dc)
+ dc = 'ebtables ' + cmd
+ util.pread2(filter(None, dc.split(' ')))
except:
logging.debug("Ignoring failure to delete ebtables rules for vm " + vm_chain)
try:
util.pread2(['ebtables', '-F', vm_chain])
util.pread2(['ebtables', '-X', vm_chain])
except:
- logging.debug("Ignoring failure to delete ebtables chain for vm " + vm_chain)
+ logging.debug("Ignoring failure to delete ebtables chain for vm " + vm_chain)
@echo
def destroy_arptables_rules(vm_chain):
- delcmd = "arptables -vL FORWARD | grep " + vm_chain + " | sed 's/-i any//' | sed 's/-o any//' | awk '{print $1,$2,$3,$4}' "
+ delcmd = "arptables -vL FORWARD | grep '%s' | sed 's/-i any//' | sed 's/-o any//' | awk '{print $1,$2,$3,$4}' " % vm_chain
delcmds = util.pread2(['/bin/bash', '-c', delcmd]).split('\n')
- delcmds.pop()
- for cmd in delcmds:
+ for cmd in filter(None, delcmds):
try:
- dc = cmd.split(' ')
- dc.insert(0, 'arptables')
- dc.insert(1, '-D')
- dc.insert(2, 'FORWARD')
- util.pread2(dc)
+ dc = 'arptables -D FORWARD ' + cmd
+ util.pread2(filter(None, dc.split(' ')))
except:
logging.debug("Ignoring failure to delete arptables rules for vm " + vm_chain)
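Review bot: Wrapping `%s` in single quotes inside the `bash -c` string handles whitespace but not a quote character in the chain name, which still terminates the quoted grep pattern; since `vmchain`/`vm_chain` is interpolated into a shell command line, quote it with `pipes.quote(vmchain)` (Python 2 stdlib) or avoid the shell altogether by capturing `ipset --save` through `util.pread2` and filtering the lines in Python. The same interpolation recurs in destroy_ebtables_rules and destroy_arptables_rules below and in delete_rules_for_vm_in_bridge_firewall_chain in the next hunk, so one helper that builds the quoted pattern would cover all four. Because grep treats the pattern as a regex, `grep -F` (fixed string) would also make the match literal. Separately, `if ipset_name != ''` is redundant once `ipset_names` has gone through `filter(None, ...)`, and `util.pread2(filter(None, dc.split(' ')))` is the long way to write `util.pread2(['ebtables'] + cmd.split())` (likewise for arptables and iptables).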
@@ -880,16 +873,13 @@ def check_domid_changed(session, vmName):
def delete_rules_for_vm_in_bridge_firewall_chain(vmName):
vm_name = vmName
vmchain = chain_name_def(vm_name)
-
- delcmd = "iptables-save | grep '\-A BRIDGE-FIREWALL' | grep " + vmchain + " | sed 's/-A/-D/'"
+
+ delcmd = "iptables-save | grep '\-A BRIDGE-FIREWALL' | grep '%s' | sed 's/-A/-D/'" % vmchain
delcmds = util.pread2(['/bin/bash', '-c', delcmd]).split('\n')
- delcmds.pop()
- for cmd in delcmds:
+ for cmd in filter(None, delcmds):
try:
- dc = cmd.split(' ')
- dc.insert(0, 'iptables')
- dc.pop()
- util.pread2(filter(None, dc))
+ dc = 'iptables ' + cmd
+ util.pread2(filter(None, dc.split(' ')))
except:
logging.debug("Ignoring failure to delete rules for vm " + vmName)
@@ -1390,23 +1380,35 @@ def network_rules(session, args):
logging.debug("Programming network rules for vm %s seqno=%s numrules=%s signature=%s guestIp=%s,"\
" update iptables, reason=%s" % (vm_name, seqno, len(lines), signature, vm_ip, reason))
-
+
+ try:
+ setscmd = "ipset --save | grep -e '%s_' -e '%s_' | grep -e '^-N' -e '^create' | awk '{print $2}'" % (egress_chain_name(vm_name), chain_name(vm_name))
+ ipset_names = filter(None, util.pread2(['/bin/bash', '-c', setscmd]).split('\n'))
+ for ipset_name in ipset_names:
+ if ipset_name != '':
+ util.pread2(['ipset', '-F', ipset_name])
+ try:
+ util.pread2(['ipset', '-X', ipset_name])
+ except:
+ pass
+ except:
+ logging.debug("Failed to cleanup old ipset entries for %" % vm_name)
+
cmds = []
egressrules = 0
for line in lines:
tokens = line.split(':')
if len(tokens) != 5:
continue
- type = tokens[0]
+ token_type = tokens[0]
protocol = tokens[1]
start = tokens[2]
end = tokens[3]
- cidrs = tokens.pop();
- ips = cidrs.split(",")
- ips.pop()
+ cidrs = tokens.pop().split(",")
+ cidrs.pop()
allow_any = False
- if type == 'E':
+ if token_type == 'E':
vmchain = egress_chain_name(vm_name)
action = "RETURN"
direction = "dst"
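Review bot: The debug call in the new cleanup's `except:` handler uses a malformed format string — `"Failed to cleanup old ipset entries for %" % vm_name` raises `ValueError: incomplete format` in Python 2 — so any failure in the ipset cleanup escapes the handler as an unrelated exception instead of being logged; it should read `logging.debug("Failed to cleanup old ipset entries for %s" % vm_name)`. The unchanged handler in destroy_network_rules_for_vm carries the same `%` without a conversion and needs the same fix. The `if ipset_name != ''` test inside the loop is redundant once the names have gone through `filter(None, ...)`. Flushing the matched sets before the new rules are programmed presumably leaves any existing rule that references them matching nothing until `ipset()` rebuilds the set — if that short window is intended to be fail-closed, a one-line comment saying so would help the next reader. network_rules starts and ends outside this hunk.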
@@ -1415,17 +1417,17 @@ def network_rules(session, args):
vmchain = chain_name(vm_name)
action = "ACCEPT"
direction = "src"
- if '0.0.0.0/0' in ips:
- i = ips.index('0.0.0.0/0')
- del ips[i]
+ if '0.0.0.0/0' in cidrs:
+ i = cidrs.index('0.0.0.0/0')
+ del cidrs[i]
allow_any = True
range = start + ":" + end
- if ips:
+ if cidrs:
ipsetname = vmchain + "_" + protocol + "_" + start + "_" + end
if start == "-1":
ipsetname = vmchain + "_" + protocol + "_any"
- if ipset(ipsetname, protocol, start, end, ips) == False:
+ if ipset(ipsetname, protocol, start, end, cidrs) == False:
logging.debug(" failed to create ipset for rule " + str(tokens))
if protocol == 'all':
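Review bot: When `ipset(...)` returns False the loop only logs and then falls through to assembling the iptables rules that reference `ipsetname` (the `-m set keyword ipsetname` form visible in the next hunk), so a rule can be queued for a set that was never created and the failure surfaces later, detached from its cause; consider `continue` after the log, or recording the failure so the caller can report it, rather than relying on the later iptables command to fail. Comparing with `== False` is un-Pythonic; `if not ipset(ipsetname, protocol, start, end, cidrs):` reads better. Since the hunk renames `type` to `token_type` to stop shadowing a builtin, `range = start + ":" + end` on the context line shadows `range` the same way and could be renamed in the same spirit. The rest of network_rules lies outside this hunk.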
@@ -1437,10 +1439,9 @@ def network_rules(session, args):
if start == "-1":
range = "any"
iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', keyword, ipsetname, direction, '-j', action]
-
cmds.append(iptables)
logging.debug(iptables)
-
+
if allow_any and protocol != 'all':
if protocol != 'icmp':
iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-j', action]
@@ -1451,7 +1452,7 @@ def network_rules(session, args):
iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-j', action]
cmds.append(iptables)
logging.debug(iptables)
-
+
vmchain = chain_name(vm_name)
try:
util.pread2(['iptables', '-F', vmchain])