Class: NSXDriver::DistributedFirewall

Inherits:
NSXComponent show all
Includes:
NSXRule
Defined in:
lib/distributed_firewall.rb

Overview

Class DistributedFirewall Naming convention for rules names: “<sg_id>-<sg_name>-<vm_id>-<vm_deploy_id>-<nic_id>” <sg_id> : Security Group ID <sg_name> : Security Group name <vm_id> : Virtual Machine ID <vm_deploy_id> : Vmware virtual machine reference ( vm-XXX ) <nic_id> : NIC ID in the virtual machine

Direct Known Subclasses

NSXTdfw, NSXVdfw

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Methods included from NSXRule

#extract_rule_data, #extract_vnet_data, #parse_ports, #rule_spec, #to_nets

Methods included from NSXRule::NSXVRule

#nsxv_rule_spec

Methods included from NSXRule::NSXTRule

#nsxt_rule_spec

Methods inherited from NSXComponent

#initialize

Constructor Details

This class inherits a constructor from NSXDriver::NSXComponent

Instance Attribute Details

#one_section_nameObject (readonly)

ATTRIBUTES



71
72
73
 
# File 'lib/distributed_firewall.rb', line 71

def one_section_name
  @one_section_name
end

Class Method Details

.new_child(nsx_client) ⇒ Object 



73
74
75
76
77
78
79
80
81
82
83
84
 
# File 'lib/distributed_firewall.rb', line 73

def self.new_child(nsx_client)
    case nsx_client
    when NSXTClient
        NSXTdfw.new(nsx_client)
    when NSXVClient
        NSXVdfw.new(nsx_client)
    else
        error_msg = "Unknown object type: #{nsx_client}"
        error = NSXError::UnknownObject.new(error_msg)
        raise error
    end
end

Instance Method Details

#clear_all_rules(template) ⇒ Object 



245
246
247
248
249
250
251
252
253
254
 
# File 'lib/distributed_firewall.rb', line 245

def clear_all_rules(template)
    template_xml = Nokogiri::XML(template)
    vm_id = template_xml.xpath('/VM/ID').text
    vm_deploy_id = template_xml.xpath('/VM/DEPLOY_ID').text
    regex = "-#{vm_id}-#{vm_deploy_id}-"
    rules = rules_by_regex(regex, @one_section_id)
    rules.each do |rule|
        delete_rule(rule['id'], @one_section_id) if rule
    end
end

#clear_rules(template, only_detached) ⇒ Object

Remove OpenNebula created fw rules for an instance (given a template)



257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
 
# File 'lib/distributed_firewall.rb', line 257

def clear_rules(template, only_detached)
    template_xml = Nokogiri::XML(template)
    # OpenNebula Instance IDs
    vm_id = template_xml.xpath('/VM/ID').text
    vm_deploy_id = template_xml.xpath('/VM/DEPLOY_ID').text

    # First try to search only new attached NSX Nics
    nsx_nics = NSXDriver::LogicalSwitch.nsx_nics(template_xml,
                                                 only_detached)

    # If there is no NSX Nics
    return if nsx_nics.empty?

    nsx_nics.each do |nic|
        nic_id = nic.xpath('NIC_ID').text
        # network_id = nic.xpath('NETWORK_ID').text
        sec_groups = nic.xpath('SECURITY_GROUPS').text.split(',')
        sec_groups.each do |sec_group|
            # Get Security Group ID and NAME
            xp = "//SECURITY_GROUP_RULE[SECURITY_GROUP_ID=#{sec_group}]"
            sg_id = template_xml.xpath(xp)[0]
                                .xpath('SECURITY_GROUP_ID').text
            sg_name = template_xml.xpath(xp)[0]
                                  .xpath('SECURITY_GROUP_NAME').text
            rule_name =  "#{sg_id}-#{sg_name}-#{vm_id}"
            rule_name << "-#{vm_deploy_id}-#{nic_id}"
            rules = rules_by_name(rule_name, @one_section_id)
            rules.each do |rule|
                delete_rule(rule['id'], @one_section_id) if rule
            end
        end
    end
end

#create_ruleObject

Create new rule



118
 
# File 'lib/distributed_firewall.rb', line 118

def create_rule; end

#create_rules(deploy_id, template, only_attached) ⇒ Object

Create OpenNebula fw rules for an instance (given a template)



180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
 
# File 'lib/distributed_firewall.rb', line 180

def create_rules(deploy_id, template, only_attached)
    template_xml = Nokogiri::XML(template)

    # OpenNebula host
    host_name = template_xml
                .xpath('//HISTORY_RECORDS/HISTORY[last()]/HOSTNAME')
                .text
    one_host = VCenterDriver::VIHelper
               .find_by_name(OpenNebula::HostPool, host_name)
    rc = one_host.info
    if OpenNebula.is_error?(rc)
        err_msg = rc.message
        raise err_msg
    end
    host_id = one_host['ID']

    # OpenNebula VM
    one_vm = VCenterDriver::VIHelper
             .one_item(OpenNebula::VirtualMachine, deploy_id)

    vm_data = {
        :id => template_xml.xpath('/VM/ID').text,
        :deploy_id => deploy_id
    }

    # vCenter VirtualMachine
    vi_client = VCenterDriver::VIClient.new_from_host(host_id)
    vm = VCenterDriver::VirtualMachine
         .new_one(vi_client, deploy_id, one_vm)

    # Search NSX Nics
    # First try to search only new attached NSX Nics
    nsx_nics = NSXDriver::LogicalSwitch.nsx_nics(template_xml,
                                                 only_attached)
    # If there is no NSX Nics
    return if nsx_nics.empty?

    # Create rules for each NSX Nic
    nsx_nics.each do |nic|
        # Extract NIC data
        nic_data = extract_nic_data(nic, @nsx_client, vm)
        # Get all Security Groups belonging to each NIC.
        sec_groups = nic.xpath('SECURITY_GROUPS').text.split(',')
        sec_groups.each do |sec_group|
            sg_rules_array = []
            # Get all rules belonging to this Security Group.
            xp = "//SECURITY_GROUP_RULE[SECURITY_GROUP_ID=#{sec_group}]"
            sg_rules = template_xml.xpath(xp)
            sg_rules.each do |sg_rule|
                # Create rules spec
                rule_data = extract_rule_data(sg_rule)
                rule_spec = rule_spec(rule_data,
                                      vm_data,
                                      nic_data,
                                      @nsx_client)
                sg_rules_array.push(rule_spec)
            end
            # Create NSX rules
            sg_rules_array.each do |sg_spec|
                create_rule(sg_spec)
            end
        end
    end
end

#create_section(section_name) ⇒ Object

Create new section



102
 
# File 'lib/distributed_firewall.rb', line 102

def create_section(section_name); end

#delete_ruleObject

Delete rule



124
 
# File 'lib/distributed_firewall.rb', line 124

def delete_rule; end

#delete_section(section_id) ⇒ Object

Delete section



105
 
# File 'lib/distributed_firewall.rb', line 105

def delete_section(section_id); end

#extract_nic_data(nic, nsx_client, vm) ⇒ Object 



126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
 
# File 'lib/distributed_firewall.rb', line 126

def extract_nic_data(nic, nsx_client, vm)
    # Network attributes
    nic_id = nic.xpath('NIC_ID').text
    nic_name = nil
    nic_lp = nil
    network_id = nic.xpath('NETWORK_ID').text
    network_name = nic.xpath('NETWORK').text
    network_vcref = nic.xpath('VCENTER_NET_REF').text
    network_pgtype = nic.xpath('VCENTER_PORTGROUP_TYPE').text
    network_mac = nic.xpath('MAC').text

    # Virtual Machine devices
    vm_devices = vm.item.config.hardware.device
    vm_devices.each do |device|
        next unless VCenterDriver::Network.nic?(device)

        next if device.macAddress != network_mac

        device_label = device.deviceInfo.label
        nic_name = "#{vm.item.name}-#{nic_id}-#{device_label}"

        case network_pgtype
        when NSXConstants::NSXT_LS_TYPE
            lpid = device.externalId
            nic_lp = LogicalPort.new_child(nsx_client, lpid)
            raise "Logical port id: #{lpid} not found" unless nic_lp
        when NSXConstants::NSXV_LS_TYPE
            # lpid is vm instanceUuid.sufix
            # sufix is device number but removing first number
            suffix = device.key.to_s[1..-1]
            lpid = "#{vm.item.config.instanceUuid}.#{suffix}"
            nic_lp = lpid
        else
            error_msg = "Network type is: #{network_pgtype} \
                            and should be \
                            #{NSXConstants::NSXT_LS_TYPE} \
                            or #{NSXConstants::NSXV_LS_TYPE}"
            error = NSXError::UnknownObject.new(error_msg)
            raise error
        end
        break
    end

    {
        :id => nic_id,
        :name => nic_name,
        :network_name => network_name,
        :network_id => network_id,
        :network_vcref => network_vcref,
        :lp => nic_lp
    }
end

#init_sectionObject

Sections Creates OpenNebula section if not exists and returns its section_id. Returns its section_id if OpenNebula section already exists



90
 
# File 'lib/distributed_firewall.rb', line 90

def init_section; end

#rule_by_idObject

Get rule by id



112
 
# File 'lib/distributed_firewall.rb', line 112

def rule_by_id; end

#rulesObject

Rules Get all rules



109
 
# File 'lib/distributed_firewall.rb', line 109

def rules; end

#rules_by_nameObject

Get rule by name



115
 
# File 'lib/distributed_firewall.rb', line 115

def rules_by_name; end

#section_by_id(section_id) ⇒ Object

Get section by id



96
 
# File 'lib/distributed_firewall.rb', line 96

def section_by_id(section_id); end

#section_by_name(section_name) ⇒ Object

Get section by name



99
 
# File 'lib/distributed_firewall.rb', line 99

def section_by_name(section_name); end

#sectionsObject

Get all sections



93
 
# File 'lib/distributed_firewall.rb', line 93

def sections; end

#update_ruleObject

Update rule



121
 
# File 'lib/distributed_firewall.rb', line 121

def update_rule; end