Posted to commits@cloudstack.apache.org by bh...@apache.org on 2015/04/22 18:18:33 UTC
git commit: updated refs/heads/CLOUDSTACK-8395 to c63d79b
Repository: cloudstack
Updated Branches:
refs/heads/CLOUDSTACK-8395 ce930e5cf -> c63d79bec (forced update)
CLOUDSTACK-8395: vmops plugin should work on both XS 6.5 and 6.2 :fist:
This fixes the issue of Security Groups not working in case of XenServer 6.5;
- Uses nethash ipset data-structure to store CIDRs (more efficient than iphash and
avoids overflow errors in case users add /8 /4 ingress/egress cidrs)
- Support for ipset versions both on 6.2 and 6.5, both have different outputs. This
fixes the issue of destroy_network_rules_for_vm failing
- Implements defensive filtering of list, instead of popping last item without
checking if it's None or empty
- Greps using names that are 'quoted' to avoid bash errors
- Before setting up new network rule, tries to clean and remove old ipset entry
- Idents, whitespace and naming fixes
PS. This is my 1000th commit to the :monkey_face: project :)
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/c63d79be
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/c63d79be
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/c63d79be
Branch: refs/heads/CLOUDSTACK-8395
Commit: c63d79bec2af57d4e7f5995ce45b3e42dff4b8d2
Parents: 64ab355
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Tue Apr 21 17:35:36 2015 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Wed Apr 22 18:18:12 2015 +0200
----------------------------------------------------------------------
scripts/vm/hypervisor/xenserver/vmops | 146 ++++++++++++++---------------
1 file changed, 70 insertions(+), 76 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c63d79be/scripts/vm/hypervisor/xenserver/vmops
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
index 8abddff..80c61c4 100755
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -368,17 +368,17 @@ def allow_egress_traffic(session):
return 'true'
-def ipset(ipsetname, proto, start, end, ips):
+def ipset(ipsetname, proto, start, end, cidrs):
try:
- util.pread2(['ipset', '-N', ipsetname, 'iphash'])
+ util.pread2(['ipset', '-N', ipsetname, 'nethash'])
except:
- logging.debug("ipset chain already exists" + ipsetname)
+ logging.debug("ipset chain already exists: " + ipsetname)
result = True
ipsettmp = ''.join(''.join(ipsetname.split('-')).split('_')) + str(int(time.time()) % 1000)
try:
- util.pread2(['ipset', '-N', ipsettmp, 'iphash'])
+ util.pread2(['ipset', '-N', ipsettmp, 'nethash'])
except:
logging.debug("Failed to create temp ipset, reusing old name= " + ipsettmp)
try:
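Review bot: The bare `except:` around `ipset -N ipsetname nethash` treats any failure as "set already exists", but after this commit the set may exist with the old iphash type or the command may have failed for an unrelated reason, and the message hides which case occurred. Catching `except CommandException, cex:` and logging `cex.reason`, as the add loop in the following hunk now does, would make the later swap failure diagnosable from the log. A bare except also swallows SystemExit and KeyboardInterrupt; `except Exception:` is the narrowest form that keeps the current behaviour. The body of ipset() continues into the following hunks.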
@@ -386,12 +386,12 @@ def ipset(ipsetname, proto, start, end, ips):
except:
logging.debug("Failed to clear old temp ipset name=" + ipsettmp)
return False
-
try:
- for ip in ips:
+ for cidr in cidrs:
try:
- util.pread2(['ipset', '-A', ipsettmp, ip])
+ util.pread2(['ipset', '-A', ipsettmp, cidr])
except CommandException, cex:
+ logging.debug("ipset cidr add failed due to: " + str(cex.reason))
if cex.reason.rfind('already in set') == -1:
raise
except:
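Review bot: The new debug line reports every failed `ipset -A` before the `'already in set'` test runs, so a benign duplicate CIDR is logged as a failed add. Either move the log under the `if cex.reason.rfind('already in set') == -1:` branch or word it neutrally, e.g. `logging.debug("ipset add of %s returned: %s" % (cidr, cex.reason))`, so the log reflects what is actually treated as an error. Note that the loop still aborts the whole set on the first non-duplicate error, which the outer handler turns into `return False`; this is existing behaviour, but with multi-CIDR rules one malformed entry discards all the others. The function continues outside this hunk.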
@@ -400,11 +400,19 @@ def ipset(ipsetname, proto, start, end, ips):
util.pread2(['ipset', '-X', ipsettmp])
return False
- try:
- util.pread2(['ipset', '-W', ipsettmp, ipsetname])
+ try:
+ util.pread2(['ipset', '-W', ipsettmp, ipsetname])
except:
- logging.debug("Failed to swap ipset " + ipsetname)
- result = False
+ logging.debug("Failed to swap ipset, trying to delete and swap ipset: " + ipsetname)
+ # the old ipset entry could be of iphash type, try to delete and recreate
+ try:
+ util.pread2(['ipset', '-X', ipsetname])
+ util.pread2(['ipset', '-N', ipsetname, 'nethash'])
+ util.pread2(['ipset', '-W', ipsettmp, ipsetname])
+ except:
+ logging.debug("Failed to swap ipset " + ipsetname)
+ result = False
+ logging.debug("Succeeded in re-initializing and swapping ipset")
try:
util.pread2(['ipset', '-F', ipsettmp])
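Review bot: `logging.debug("Succeeded in re-initializing and swapping ipset")` appears to follow the inner try/except rather than sit inside it (indentation is lost in this rendering), so it is emitted even when the `-X`/`-N`/`-W` sequence failed and `result` was set to False; it belongs as the last statement of the inner `try` body, after the `-W` call. Also worth noting for the fallback path: `ipset -X ipsetname` is expected to fail while iptables rules still reference the set (the flush moved to the top of network_rules mitigates that), and if `-X` succeeds but the following `-N` or `-W` fails the VM is left with no set at all while the caller only sees `result = False`. The function continues past this hunk.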
@@ -428,7 +436,7 @@ def destroy_network_rules_for_vm(session, args):
util.pread2(['iptables', '-F', vmchain_default])
util.pread2(['iptables', '-X', vmchain_default])
except:
- logging.debug("Ignoring failure to delete chain " + vmchain_default)
+ logging.debug("Ignoring failure to delete chain " + vmchain_default)
destroy_ebtables_rules(vmchain)
destroy_arptables_rules(vmchain)
@@ -451,51 +459,44 @@ def destroy_network_rules_for_vm(session, args):
if 1 in [ vm_name.startswith(c) for c in ['r-', 's-', 'v-', 'l-'] ]:
return 'true'
-
+
try:
- setscmd = "ipset --save | grep " + vmchain + " | grep '^-N' | awk '{print $2}'"
- setsforvm = util.pread2(['/bin/bash', '-c', setscmd]).split('\n')
- for set in setsforvm:
- if set != '':
- util.pread2(['ipset', '-F', set])
- util.pread2(['ipset', '-X', set])
+ setscmd = "ipset --save | grep '%s' | grep -e '^-N' -e '^create' | awk '{print $2}'" % vmchain
+ ipset_names = filter(None, util.pread2(['/bin/bash', '-c', setscmd]).split('\n'))
+ for ipset_name in ipset_names:
+ if not ipset_name:
+ continue
+ util.pread2(['ipset', '-F', ipset_name])
+ util.pread2(['ipset', '-X', ipset_name])
except:
logging.debug("Failed to destroy ipsets for %" % vm_name)
-
-
+
return 'true'
@echo
def destroy_ebtables_rules(vm_chain):
-
- delcmd = "ebtables-save | grep " + vm_chain + " | sed 's/-A/-D/'"
+ delcmd = "ebtables-save | grep '%s' | sed 's/-A/-D/'" % vm_chain
delcmds = util.pread2(['/bin/bash', '-c', delcmd]).split('\n')
- delcmds.pop()
- for cmd in delcmds:
+ for cmd in filter(None, delcmds):
try:
- dc = cmd.split(' ')
- dc.insert(0, 'ebtables')
- util.pread2(dc)
+ dc = 'ebtables ' + cmd
+ util.pread2(filter(None, dc.split(' ')))
except:
logging.debug("Ignoring failure to delete ebtables rules for vm " + vm_chain)
try:
util.pread2(['ebtables', '-F', vm_chain])
util.pread2(['ebtables', '-X', vm_chain])
except:
- logging.debug("Ignoring failure to delete ebtables chain for vm " + vm_chain)
+ logging.debug("Ignoring failure to delete ebtables chain for vm " + vm_chain)
@echo
def destroy_arptables_rules(vm_chain):
- delcmd = "arptables -vL FORWARD | grep " + vm_chain + " | sed 's/-i any//' | sed 's/-o any//' | awk '{print $1,$2,$3,$4}' "
+ delcmd = "arptables -vL FORWARD | grep '%s' | sed 's/-i any//' | sed 's/-o any//' | awk '{print $1,$2,$3,$4}' " % vm_chain
delcmds = util.pread2(['/bin/bash', '-c', delcmd]).split('\n')
- delcmds.pop()
- for cmd in delcmds:
+ for cmd in filter(None, delcmds):
try:
- dc = cmd.split(' ')
- dc.insert(0, 'arptables')
- dc.insert(1, '-D')
- dc.insert(2, 'FORWARD')
- util.pread2(dc)
+ dc = 'arptables -D FORWARD ' + cmd
+ util.pread2(filter(None, dc.split(' ')))
except:
logging.debug("Ignoring failure to delete arptables rules for vm " + vm_chain)
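Review bot: `vmchain` is still interpolated directly into a `/bin/bash -c` string in the `setscmd` line, and likewise in the `delcmd` lines of destroy_ebtables_rules and destroy_arptables_rules here and of delete_rules_for_vm_in_bridge_firewall_chain in a later hunk; the single quotes avoid bash errors on ordinary names but do not neutralise a value that itself contains a quote, so the value should go through `pipes.quote(vmchain)` (or be validated against the expected chain-name charset) before being placed in the command. The `if not ipset_name: continue` check is redundant after `filter(None, ...)` has already removed empty entries. The handler `logging.debug("Failed to destroy ipsets for %" % vm_name)` is an incomplete format string and raises ValueError whenever it runs, turning a swallowed ipset failure into an exception escaping destroy_network_rules_for_vm; it should read `logging.debug("Failed to destroy ipsets for %s" % vm_name)`.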
@@ -770,7 +771,6 @@ def default_network_rules(session, args):
vmchain_default = chain_name_def(vm_name)
destroy_ebtables_rules(vmchain)
-
try:
util.pread2(['iptables', '-N', vmchain])
@@ -880,20 +880,16 @@ def check_domid_changed(session, vmName):
def delete_rules_for_vm_in_bridge_firewall_chain(vmName):
vm_name = vmName
vmchain = chain_name_def(vm_name)
-
- delcmd = "iptables-save | grep '\-A BRIDGE-FIREWALL' | grep " + vmchain + " | sed 's/-A/-D/'"
+
+ delcmd = "iptables-save | grep '\-A BRIDGE-FIREWALL' | grep '%s' | sed 's/-A/-D/'" % vmchain
delcmds = util.pread2(['/bin/bash', '-c', delcmd]).split('\n')
- delcmds.pop()
- for cmd in delcmds:
+ for cmd in filter(None, delcmds):
try:
- dc = cmd.split(' ')
- dc.insert(0, 'iptables')
- dc.pop()
- util.pread2(filter(None, dc))
+ dc = 'iptables ' + cmd
+ util.pread2(filter(None, dc.split(' ')))
except:
logging.debug("Ignoring failure to delete rules for vm " + vmName)
-
@echo
def network_rules_for_rebooted_vm(session, vmName):
vm_name = vmName
@@ -1390,23 +1386,37 @@ def network_rules(session, args):
logging.debug("Programming network rules for vm %s seqno=%s numrules=%s signature=%s guestIp=%s,"\
" update iptables, reason=%s" % (vm_name, seqno, len(lines), signature, vm_ip, reason))
-
+
+ # Flush iptables rules to clear ipset references and before re-applying iptable rules
+ vmchain = chain_name(vm_name)
+ try:
+ util.pread2(['iptables', '-F', vmchain])
+ except:
+ logging.debug("Ignoring failure to delete chain " + vmchain)
+ util.pread2(['iptables', '-N', vmchain])
+
+ egress_vmchain = egress_chain_name(vm_name)
+ try:
+ util.pread2(['iptables', '-F', egress_vmchain])
+ except:
+ logging.debug("Ignoring failure to delete chain " + egress_vmchain)
+ util.pread2(['iptables', '-N', egress_vmchain])
+
cmds = []
egressrules = 0
for line in lines:
tokens = line.split(':')
if len(tokens) != 5:
continue
- type = tokens[0]
+ token_type = tokens[0]
protocol = tokens[1]
start = tokens[2]
end = tokens[3]
- cidrs = tokens.pop();
- ips = cidrs.split(",")
- ips.pop()
+ cidrs = tokens.pop().split(",")
+ cidrs.pop()
allow_any = False
- if type == 'E':
+ if token_type == 'E':
vmchain = egress_chain_name(vm_name)
action = "RETURN"
direction = "dst"
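Review bot: `cidrs.pop()` after `tokens.pop().split(",")` still drops the last element unconditionally, so a rule line without a trailing comma silently loses its final CIDR, which is at odds with the defensive filtering the rest of the commit adopts; `cidrs = filter(None, tokens.pop().split(","))` handles both forms. Moving the flush and `-N` of vmchain and egress_vmchain to the top of the function means both chains stay empty from here until the `cmds` loop at the end of the function runs, a window that now spans every ipset call; whether the VM's traffic is dropped or passed meanwhile depends on what follows the jump into these chains, which is outside this hunk, so it is worth confirming the window fails closed. The network_rules body continues beyond this hunk.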
@@ -1415,17 +1425,17 @@ def network_rules(session, args):
vmchain = chain_name(vm_name)
action = "ACCEPT"
direction = "src"
- if '0.0.0.0/0' in ips:
- i = ips.index('0.0.0.0/0')
- del ips[i]
+ if '0.0.0.0/0' in cidrs:
+ i = cidrs.index('0.0.0.0/0')
+ del cidrs[i]
allow_any = True
range = start + ":" + end
- if ips:
+ if cidrs:
ipsetname = vmchain + "_" + protocol + "_" + start + "_" + end
if start == "-1":
ipsetname = vmchain + "_" + protocol + "_any"
- if ipset(ipsetname, protocol, start, end, ips) == False:
+ if ipset(ipsetname, protocol, start, end, cidrs) == False:
logging.debug(" failed to create ipset for rule " + str(tokens))
if protocol == 'all':
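Review bot: When `ipset(...)` returns False the failure is only logged at debug level and rule programming continues, so the `-m set ... ipsetname` rule built further down is still queued against a set that was not updated: after a failed swap the old set keeps its previous CIDRs, leaving stale entries authorised, and after a failed recreate the set no longer exists and the later `iptables` call will fail. Consider skipping the rule for that set (e.g. `continue`) or propagating the failure so the caller can retry, and write the test as `if not ipset(ipsetname, protocol, start, end, cidrs):` rather than `== False`. The enclosing network_rules body continues past this hunk.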
@@ -1437,10 +1447,9 @@ def network_rules(session, args):
if start == "-1":
range = "any"
iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', keyword, ipsetname, direction, '-j', action]
-
cmds.append(iptables)
logging.debug(iptables)
-
+
if allow_any and protocol != 'all':
if protocol != 'icmp':
iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-j', action]
@@ -1451,25 +1460,10 @@ def network_rules(session, args):
iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-j', action]
cmds.append(iptables)
logging.debug(iptables)
-
- vmchain = chain_name(vm_name)
- try:
- util.pread2(['iptables', '-F', vmchain])
- except:
- logging.debug("Ignoring failure to delete chain " + vmchain)
- util.pread2(['iptables', '-N', vmchain])
- egress_vmchain = egress_chain_name(vm_name)
- try:
- util.pread2(['iptables', '-F', egress_vmchain])
- except:
- logging.debug("Ignoring failure to delete chain " + egress_vmchain)
- util.pread2(['iptables', '-N', egress_vmchain])
-
-
for cmd in cmds:
util.pread2(cmd)
-
+
if egressrules == 0 :
util.pread2(['iptables', '-A', egress_vmchain, '-j', 'RETURN'])
else: