Class: NSXDriver::DistributedFirewall

Inherits:
NSXComponent show all
Includes:
NSXRule
Defined in:
lib/distributed_firewall.rb

Overview

Class DistributedFirewall Naming convention for rules names: “<sg_id>-<sg_name>-<vm_id>-<vm_deploy_id>-<nic_id>” <sg_id> : Security Group ID <sg_name> : Security Group name <vm_id> : Virtual Machine ID <vm_deploy_id> : Vmware virtual machine reference ( vm-XXX ) <nic_id> : NIC ID in the virtual machine

Direct Known Subclasses

NSXTdfw, NSXVdfw

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Methods included from NSXRule

#extract_rule_data, #extract_vnet_data, #parse_ports, #rule_spec, #to_nets

Methods included from NSXRule::NSXVRule

#nsxv_rule_spec

Methods included from NSXRule::NSXTRule

#nsxt_rule_spec

Methods inherited from NSXComponent

#initialize

Constructor Details

This class inherits a constructor from NSXDriver::NSXComponent

Instance Attribute Details

#one_section_nameObject (readonly)

ATTRIBUTES



58
59
60
 
# File 'lib/distributed_firewall.rb', line 58

def one_section_name
  @one_section_name
end

Class Method Details

.new_child(nsx_client) ⇒ Object 



60
61
62
63
64
65
66
67
68
69
70
71
 
# File 'lib/distributed_firewall.rb', line 60

def self.new_child(nsx_client)
    case nsx_client
    when NSXTClient
        NSXTdfw.new(nsx_client)
    when NSXVClient
        NSXVdfw.new(nsx_client)
    else
        error_msg = "Unknown object type: #{nsx_client}"
        error = NSXError::UnknownObject.new(error_msg)
        raise error
    end
end

Instance Method Details

#clear_all_rules(template) ⇒ Object 



232
233
234
235
236
237
238
239
240
241
 
# File 'lib/distributed_firewall.rb', line 232

def clear_all_rules(template)
    template_xml = Nokogiri::XML(template)
    vm_id = template_xml.xpath('/VM/ID').text
    vm_deploy_id = template_xml.xpath('/VM/DEPLOY_ID').text
    regex = "-#{vm_id}-#{vm_deploy_id}-"
    rules = rules_by_regex(regex, @one_section_id)
    rules.each do |rule|
        delete_rule(rule['id'], @one_section_id) if rule
    end
end

#clear_rules(template, only_detached) ⇒ Object

Remove OpenNebula created fw rules for an instance (given a template)



244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
 
# File 'lib/distributed_firewall.rb', line 244

def clear_rules(template, only_detached)
    template_xml = Nokogiri::XML(template)
    # OpenNebula Instance IDs
    vm_id = template_xml.xpath('/VM/ID').text
    vm_deploy_id = template_xml.xpath('/VM/DEPLOY_ID').text

    # First try to search only new attached NSX Nics
    nsx_nics = NSXDriver::LogicalSwitch.nsx_nics(template_xml,
                                                 only_detached)

    # If there is no NSX Nics
    return if nsx_nics.empty?

    nsx_nics.each do |nic|
        nic_id = nic.xpath('NIC_ID').text
        # network_id = nic.xpath('NETWORK_ID').text
        sec_groups = nic.xpath('SECURITY_GROUPS').text.split(',')
        sec_groups.each do |sec_group|
            # Get Security Group ID and NAME
            xp = "//SECURITY_GROUP_RULE[SECURITY_GROUP_ID=#{sec_group}]"
            sg_id = template_xml.xpath(xp)[0]
                                .xpath('SECURITY_GROUP_ID').text
            sg_name = template_xml.xpath(xp)[0]
                                  .xpath('SECURITY_GROUP_NAME').text
            rule_name =  "#{sg_id}-#{sg_name}-#{vm_id}"
            rule_name << "-#{vm_deploy_id}-#{nic_id}"
            rules = rules_by_name(rule_name, @one_section_id)
            rules.each do |rule|
                delete_rule(rule['id'], @one_section_id) if rule
            end
        end
    end
end

#create_ruleObject

Create new rule



105
 
# File 'lib/distributed_firewall.rb', line 105

def create_rule; end

#create_rules(deploy_id, template, only_attached) ⇒ Object

Create OpenNebula fw rules for an instance (given a template)



167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
 
# File 'lib/distributed_firewall.rb', line 167

def create_rules(deploy_id, template, only_attached)
    template_xml = Nokogiri::XML(template)

    # OpenNebula host
    host_name = template_xml
                .xpath('//HISTORY_RECORDS/HISTORY[last()]/HOSTNAME')
                .text
    one_host = VCenterDriver::VIHelper
               .find_by_name(OpenNebula::HostPool, host_name)
    rc = one_host.info
    if OpenNebula.is_error?(rc)
        err_msg = rc.message
        raise err_msg
    end
    host_id = one_host['ID']

    # OpenNebula VM
    one_vm = VCenterDriver::VIHelper
             .one_item(OpenNebula::VirtualMachine, deploy_id)

    vm_data = {
        :id => template_xml.xpath('/VM/ID').text,
        :deploy_id => deploy_id
    }

    # vCenter VirtualMachine
    vi_client = VCenterDriver::VIClient.new_from_host(host_id)
    vm = VCenterDriver::VirtualMachine
         .new_one(vi_client, deploy_id, one_vm)

    # Search NSX Nics
    # First try to search only new attached NSX Nics
    nsx_nics = NSXDriver::LogicalSwitch.nsx_nics(template_xml,
                                                 only_attached)
    # If there is no NSX Nics
    return if nsx_nics.empty?

    # Create rules for each NSX Nic
    nsx_nics.each do |nic|
        # Extract NIC data
        nic_data = extract_nic_data(nic, @nsx_client, vm)
        # Get all Security Groups belonging to each NIC.
        sec_groups = nic.xpath('SECURITY_GROUPS').text.split(',')
        sec_groups.each do |sec_group|
            sg_rules_array = []
            # Get all rules belonging to this Security Group.
            xp = "//SECURITY_GROUP_RULE[SECURITY_GROUP_ID=#{sec_group}]"
            sg_rules = template_xml.xpath(xp)
            sg_rules.each do |sg_rule|
                # Create rules spec
                rule_data = extract_rule_data(sg_rule)
                rule_spec = rule_spec(rule_data,
                                      vm_data,
                                      nic_data,
                                      @nsx_client)
                sg_rules_array.push(rule_spec)
            end
            # Create NSX rules
            sg_rules_array.each do |sg_spec|
                create_rule(sg_spec)
            end
        end
    end
end

#create_section(section_name) ⇒ Object

Create new section



89
 
# File 'lib/distributed_firewall.rb', line 89

def create_section(section_name); end

#delete_ruleObject

Delete rule



111
 
# File 'lib/distributed_firewall.rb', line 111

def delete_rule; end

#delete_section(section_id) ⇒ Object

Delete section



92
 
# File 'lib/distributed_firewall.rb', line 92

def delete_section(section_id); end

#extract_nic_data(nic, nsx_client, vm) ⇒ Object 



113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
 
# File 'lib/distributed_firewall.rb', line 113

def extract_nic_data(nic, nsx_client, vm)
    # Network attributes
    nic_id = nic.xpath('NIC_ID').text
    nic_name = nil
    nic_lp = nil
    network_id = nic.xpath('NETWORK_ID').text
    network_name = nic.xpath('NETWORK').text
    network_vcref = nic.xpath('VCENTER_NET_REF').text
    network_pgtype = nic.xpath('VCENTER_PORTGROUP_TYPE').text
    network_mac = nic.xpath('MAC').text

    # Virtual Machine devices
    vm_devices = vm.item.config.hardware.device
    vm_devices.each do |device|
        next unless VCenterDriver::Network.nic?(device)

        next if device.macAddress != network_mac

        device_label = device.deviceInfo.label
        nic_name = "#{vm.item.name}-#{nic_id}-#{device_label}"

        case network_pgtype
        when NSXConstants::NSXT_LS_TYPE
            lpid = device.externalId
            nic_lp = LogicalPort.new_child(nsx_client, lpid)
            raise "Logical port id: #{lpid} not found" unless nic_lp
        when NSXConstants::NSXV_LS_TYPE
            # lpid is vm instanceUuid.sufix
            # sufix is device number but removing first number
            suffix = device.key.to_s[1..-1]
            lpid = "#{vm.item.config.instanceUuid}.#{suffix}"
            nic_lp = lpid
        else
            error_msg = "Network type is: #{network_pgtype} \
                            and should be \
                            #{NSXConstants::NSXT_LS_TYPE} \
                            or #{NSXConstants::NSXV_LS_TYPE}"
            error = NSXError::UnknownObject.new(error_msg)
            raise error
        end
        break
    end

    {
        :id => nic_id,
        :name => nic_name,
        :network_name => network_name,
        :network_id => network_id,
        :network_vcref => network_vcref,
        :lp => nic_lp
    }
end

#init_sectionObject

Sections Creates OpenNebula section if not exists and returns its section_id. Returns its section_id if OpenNebula section already exists



77
 
# File 'lib/distributed_firewall.rb', line 77

def init_section; end

#rule_by_idObject

Get rule by id



99
 
# File 'lib/distributed_firewall.rb', line 99

def rule_by_id; end

#rulesObject

Rules Get all rules



96
 
# File 'lib/distributed_firewall.rb', line 96

def rules; end

#rules_by_nameObject

Get rule by name



102
 
# File 'lib/distributed_firewall.rb', line 102

def rules_by_name; end

#section_by_id(section_id) ⇒ Object

Get section by id



83
 
# File 'lib/distributed_firewall.rb', line 83

def section_by_id(section_id); end

#section_by_name(section_name) ⇒ Object

Get section by name



86
 
# File 'lib/distributed_firewall.rb', line 86

def section_by_name(section_name); end

#sectionsObject

Get all sections



80
 
# File 'lib/distributed_firewall.rb', line 80

def sections; end

#update_ruleObject

Update rule



108
 
# File 'lib/distributed_firewall.rb', line 108

def update_rule; end