Class: Dcmgr::VNet::Netfilter::NetfilterController

Inherits:
Controller
  • Object
show all
Includes:
Logger
Defined in:
lib/dcmgr/vnet/netfilter/controller.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods included from Logger

create, default_logdev, included

Methods inherited from Controller

#join_security_group, #leave_security_group

Constructor Details

#initialize(node) ⇒ NetfilterController

This controller should use a cache



14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
 
# File 'lib/dcmgr/vnet/netfilter/controller.rb', line 14

def initialize(node)
  logger.info "initializing controller"
  super()
  @node = node
  
  @cache = NetfilterCache.new(@node)
  
  @isolator = IsolatorFactory.create_isolator
  
  self.task_manager = TaskManagerFactory.create_task_manager(node)
  raise "#{self.task_manager} must be a NetfilterTaskManager" unless self.task_manager.is_a?(NetfilterTaskManager)
  
  # Initialize Netfilter configuration
  cmds = []
  cmds << init_iptables if node.manifest.config.enable_iptables
  cmds << init_ebtables if node.manifest.config.enable_ebtables
  cmds.flatten! 
    
  puts cmds.join("\n") if node.manifest.config.verbose_netfilter
  system(cmds.join("\n"))
  
  self.task_manager.apply_tasks([DebugIptables.new]) if node.manifest.config.debug_iptables
  
  # Apply the current instances if there are any
  @cache.get[:instances].each { |inst_map|
    logger.info "initializing instance '#{inst_map[:uuid]}'"
    self.init_instance(inst_map)
  }
end

Instance Attribute Details

#nodeObject (readonly)

Returns the value of attribute node.



10
11
12
 
# File 'lib/dcmgr/vnet/netfilter/controller.rb', line 10

def node
  @node
end

#task_managerObject

Returns the value of attribute task_manager.



9
10
11
 
# File 'lib/dcmgr/vnet/netfilter/controller.rb', line 9

def task_manager
  @task_manager
end

Instance Method Details

#apply_instance(instance) ⇒ Object 



44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
 
# File 'lib/dcmgr/vnet/netfilter/controller.rb', line 44

def apply_instance(instance)
  if instance.is_a? String
    # We got a uuid. Find it in the cache.
    inst_map = @cache.get[:instances].find { |inst| inst[:uuid] == instance}

    # If we couldn't find this instance's uuid in the cache, we update the cache and try again
    if inst_map.nil?
      @cache.update
      inst_map = @cache.get[:instances].find { |inst| inst[:uuid] == instance}
    end
  elsif instance.is_a? Hash
    inst_map = instance
  else
    raise ArgumentError, "instance must be either a uuid or an instance's hash map" unless instance.is_a? Hash
  end
  
  logger.info "applying instance '#{inst_map[:uuid]}'"
  
  # Create all the rules for this instance
  init_instance(inst_map)
  
  # Apply isolation tasks for this new instance to its friends
  inst_map[:vif].each { |vnic|
    other_vnics = get_other_vnics(vnic,@cache)
    # Determine which vnics need to be isolated from this one
    friends = @isolator.determine_friends(vnic, other_vnics)
    
    friends.each { |friend|
      # Remove the drop rules so the isolation rules don't ger applied after them
      #self.task_manager.remove_vnic_tasks(friend,TaskFactory.create_drop_tasks_for_vnic(friend,self.node))
      
      # Put in the new isolation rules
      self.task_manager.apply_vnic_tasks(friend,TaskFactory.create_tasks_for_isolation(friend,[vnic],self.node))
      # Put the drop rules back
      #self.task_manager.apply_vnic_tasks(friend,TaskFactory.create_drop_tasks_for_vnic(friend,self.node))
    }
  }
end

#get_other_vnics(vnic, cache) ⇒ Object 



83
84
85
86
87
88
89
 
# File 'lib/dcmgr/vnet/netfilter/controller.rb', line 83

def get_other_vnics(vnic,cache)
  cache.get[:instances].map { |inst_map|
      inst_map[:vif].delete_if { |other_vnic|
        other_vnic == vnic
    }
  }.flatten
end

#init_instance(inst_map) ⇒ Object 



91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
 
# File 'lib/dcmgr/vnet/netfilter/controller.rb', line 91

def init_instance(inst_map)
  # Call the factory to create all tasks for each vnic. Then apply them
  inst_map[:vif].each { |vnic|
    # Get a list of all other vnics in this host
    other_vnics = get_other_vnics(vnic,@cache)
    
    # Determine which vnics need to be isolated from this one
    friends = @isolator.determine_friends(vnic, other_vnics)
    
    # Determine the security group rules for this vnic
    security_groups = @cache.get[:security_groups].delete_if { |group|
      not vnic[:security_groups].member? group[:uuid]
    }
  
    self.task_manager.apply_vnic_chains(vnic)
    self.task_manager.apply_vnic_tasks(vnic,TaskFactory.create_tasks_for_vnic(vnic,friends,security_groups,node))
  }
end

#remove_instance(inst_id) ⇒ Object 



110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
 
# File 'lib/dcmgr/vnet/netfilter/controller.rb', line 110

def remove_instance(inst_id)
  logger.info "removing instance '#{inst_id}'"
  # Find the instance in the cache
  inst_map = @cache.get[:instances].find { |inst| inst[:uuid] == inst_id}
  
  #Clean up the isolation tasks in friends' chains
  inst_map[:vif].each { |vnic|
    other_vnics = get_other_vnics(vnic,@cache)
    friends = @isolator.determine_friends(vnic, other_vnics)
    
    friends.each { |friend|
      self.task_manager.remove_vnic_tasks(friend,TaskFactory.create_tasks_for_isolation(friend,[vnic],self.node))
    }
  }
  
  inst_map[:vif].each { |vnic|
    # Removing the nat tasks separately because they include an arp reply
    # that isn't put in a separate chain
    other_vnics = get_other_vnics(vnic,@cache)
    # Determine which vnics need to be isolated from this one
    friends = @isolator.determine_friends(vnic, other_vnics)
    
    self.task_manager.remove_vnic_tasks(vnic, TaskFactory.create_nat_tasks_for_vnic(vnic,self.node) )
    self.task_manager.remove_vnic_chains(vnic)
  }
  
  # Remove the terminated instance from the cache
  @cache.remove_instance(inst_id)
end

#update_security_group(group) ⇒ Object 



140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
 
# File 'lib/dcmgr/vnet/netfilter/controller.rb', line 140

def update_security_group(group)
  logger.info "updating security group '#{group}'"
  # Get the old security group info from the cache
  old_cache = @cache.get
  
  # Get a list of vnics that are in this security group
  vnics = old_cache[:instances].map {|inst_map| inst_map[:vif].delete_if { |vnic| not vnic[:security_groups].member?(group) } }.flatten
  unless vnics.empty?
    # Get the rules for this security group
    old_group = old_cache[:security_groups].find {|sg| sg[:uuid] == group}
  
    # Get the new info from the cache
    new_cache = @cache.get(true)
    new_group = new_cache[:security_groups].find {|sg| sg[:uuid] == group}
    
    vnics.each { |vnic_map|
      # Remove the old security group tasks
      self.task_manager.remove_vnic_tasks(vnic_map, TaskFactory.create_tasks_for_secgroup(old_group))
      
      # Remove the drop tasks so the new group's tasks don't get applied behind it
      #self.task_manager.remove_vnic_tasks(vnic_map, TaskFactory.create_drop_tasks_for_vnic(vnic_map,self.node))
      # Add the new security group tasks
      self.task_manager.apply_vnic_tasks(vnic_map, TaskFactory.create_tasks_for_secgroup(new_group))
      # Put the drop tasks back in place
      #self.task_manager.apply_vnic_tasks(vnic_map, TaskFactory.create_drop_tasks_for_vnic(vnic_map,self.node))
    }
  end
end