diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
index 750b8b84682..d95bd6a067c 100755
--- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -1523,13 +1523,11 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
 // check if zone has necessary trafficTypes before enabling
 try {
 PhysicalNetwork mgmtPhyNetwork;
- if (NetworkType.Advanced == zone.getNetworkType()) {
- // zone should have a physical network with public and management traffiType
+ // zone should have a physical network with management traffiType
+ mgmtPhyNetwork = _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Management);
+ if (NetworkType.Advanced == zone.getNetworkType() && ! zone.isSecurityGroupEnabled() ) {
+ // advanced zone without SG should have a physical network with public Thpe
 _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Public);
- mgmtPhyNetwork = _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Management);
- } else {
- // zone should have a physical network with management traffiType
- mgmtPhyNetwork = _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Management);
 }
 try {
diff --git a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
index 168ac0e43cb..f1a26a347af 100755
--- a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
+++ b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
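Review bot: The Public-traffic lookup that is now the only statement inside the new `if (NetworkType.Advanced == ... && ! zone.isSecurityGroupEnabled() )` block discards its return value, so the validation relies entirely on `getDefaultPhysicalNetworkByZoneAndTrafficType` throwing when no such network exists — presumably that is what the enclosing `try` (which starts and ends outside the hunk) is there to catch, but nothing in the hunk says so. I would make that intent explicit in the new comment, which also carries a typo: `// advanced zone without SG must have a physical network carrying Public traffic; the lookup throws if none exists`. The management lookup above it is now unconditional, which matches its comment; `! zone.isSecurityGroupEnabled() ` would read better as `!zone.isSecurityGroupEnabled()` to match the surrounding style.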
@@ -756,19 +756,28 @@ public class ConsoleProxyManagerImpl extends ManagerBase implements ConsoleProxy
 DataCenterDeployment plan = new DataCenterDeployment(dataCenterId);
- TrafficType defaultTrafficType = TrafficType.Public;
- if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) {
- defaultTrafficType = TrafficType.Guest;
+ NetworkVO defaultNetwork = null;
+ if (dc.getNetworkType() == NetworkType.Advanced && dc.isSecurityGroupEnabled()) {
+ List networks = _networkDao.listByZoneSecurityGroup(dataCenterId);
+ if (networks == null || networks.size() == 0) {
+ throw new CloudRuntimeException("Can not found security enabled network in SG Zone " + dc);
+ }
+ defaultNetwork = networks.get(0);
+ } else {
+ TrafficType defaultTrafficType = TrafficType.Public;
+ if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) {
+ defaultTrafficType = TrafficType.Guest;
+ }
+ List defaultNetworks = _networkDao.listByZoneAndTrafficType(dataCenterId, defaultTrafficType);
+
+ // api should never allow this situation to happen
+ if (defaultNetworks.size() != 1) {
+ throw new CloudRuntimeException("Found " + defaultNetworks.size() + " networks of type "
+ + defaultTrafficType + " when expect to find 1");
+ }
+ defaultNetwork = defaultNetworks.get(0);
 }
- List defaultNetworks = _networkDao.listByZoneAndTrafficType(dataCenterId, defaultTrafficType);
-
- if (defaultNetworks.size() != 1) {
- throw new CloudRuntimeException("Found " + defaultNetworks.size() + " networks of type " + defaultTrafficType + " when expect to find 1");
- }
-
- NetworkVO defaultNetwork = defaultNetworks.get(0);
-
 List offerings = _networkModel.getSystemAccountNetworkOfferings(NetworkOffering.SystemControlNetwork, NetworkOffering.SystemManagementNetwork);
 List> networks = new ArrayList>(offerings.size() + 1);
 NicProfile defaultNic = new NicProfile();
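Review bot: The new security-group branch takes whichever network `listByZoneSecurityGroup` happens to return first (`defaultNetwork = networks.get(0)`), whereas the else branch still insists on exactly one candidate and the NetworkManagerImpl change in this same commit permits several Shared SG-enabled networks per zone, so the console proxy's default NIC can end up on a guest network chosen by DAO ordering rather than by policy. If exactly one such network is expected, mirror the else branch with `if (networks == null || networks.size() != 1)`; if several are legitimate, say which one wins, e.g. `// several SG-enabled shared networks may exist in the zone; the first one returned is used for the system VM's default NIC`. The same block is duplicated verbatim in SecondaryStorageManagerImpl (the hunk at -540,19 below), so a shared helper on the network model would keep both copies in step. Minor: `networks.size() == 0` is `networks.isEmpty()`, and "Can not found" in the message should read "Cannot find".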
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
index f24623ef577..07128204b02 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -1859,11 +1859,14 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
 }
 // Only Account specific Isolated network with sourceNat service disabled are allowed in security group
 // enabled zone
- boolean allowCreation = (ntwkOff.getGuestType() == GuestType.Isolated
- && !_networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat));
- if (!allowCreation) {
- throw new InvalidParameterValueException("Only Account specific Isolated network with sourceNat " +
- "service disabled are allowed in security group enabled zone");
+ if ( ntwkOff.getGuestType() != GuestType.Shared ){
+ throw new InvalidParameterValueException("Only shared guest network can be created in security group enabled zone");
+ }
+ if ( _networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat)) {
+ throw new InvalidParameterValueException("Service SourceNat is not allowed in security group enabled zone");
+ }
+ if ( ! _networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SecurityGroup)) {
+ throw new InvalidParameterValueException("network must have SecurityGroup provider in security group enabled zone");
 }
 }
diff --git a/server/src/com/cloud/resource/ResourceManagerImpl.java b/server/src/com/cloud/resource/ResourceManagerImpl.java
index 82013d4380d..55e377d7906 100755
--- a/server/src/com/cloud/resource/ResourceManagerImpl.java
+++ b/server/src/com/cloud/resource/ResourceManagerImpl.java
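Review bot: The two-line context comment directly above the new checks (`// Only Account specific Isolated network with sourceNat service disabled are allowed in security group enabled zone`) now contradicts the code, which rejects every offering except a Shared guest type and additionally requires the SecurityGroup service. Update it to match, e.g. `// In a security group enabled zone only Shared guest networks whose offering provides SecurityGroup and not SourceNat may be created`. The three rejection messages use different capitalisation and phrasing ("Only shared guest network ...", "Service SourceNat ...", "network must have ..."); a consistent form makes them easier to find in logs. `if ( ntwkOff.getGuestType() != GuestType.Shared ){` should be written `if (ntwkOff.getGuestType() != GuestType.Shared) {` like the rest of the file. The enclosing method continues outside the hunk.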
@@ -427,6 +427,12 @@ public class ResourceManagerImpl extends ManagerBase implements ResourceManager,
 + cmd.getHypervisor() + " to a supported ");
 }
+ if (zone.isSecurityGroupEnabled()) {
+ if( hypervisorType != HypervisorType.KVM && hypervisorType != HypervisorType.XenServer ) {
+ throw new InvalidParameterValueException("Don't support hypervisor type " + hypervisorType + " in advanced security enabled zone");
+ }
+ }
+
 Cluster.ClusterType clusterType = null;
 if (cmd.getClusterType() != null && !cmd.getClusterType().isEmpty()) {
 clusterType = Cluster.ClusterType.valueOf(cmd.getClusterType());
diff --git a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
index fca89dcb1cb..bb17ae0b123 100755
--- a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
+++ b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
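Review bot: The new guard keys only on `zone.isSecurityGroupEnabled()`, yet its message speaks of an "advanced security enabled zone"; if the flag can also be set on a Basic zone (the other hunks in this commit test `NetworkType.Basic || isSecurityGroupEnabled()` as distinct conditions, which suggests it can), Basic zones would silently be limited to KVM and XenServer as well, which neither the message nor a comment says. Either qualify the check, `if (zone.isSecurityGroupEnabled() && zone.getNetworkType() == NetworkType.Advanced && hypervisorType != HypervisorType.KVM && hypervisorType != HypervisorType.XenServer) {`, or reword the message so it covers every SG-enabled zone. The nested `if` collapses into that single condition either way, and `if( ... )` should follow the surrounding `if (...)` spacing. `hypervisorType`, `zone` and the enclosing method are defined outside the hunk.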
@@ -540,19 +540,27 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
 DataCenterDeployment plan = new DataCenterDeployment(dataCenterId);
 DataCenter dc = _dcDao.findById(plan.getDataCenterId());
- TrafficType defaultTrafficType = TrafficType.Public;
- if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) {
- defaultTrafficType = TrafficType.Guest;
+ NetworkVO defaultNetwork = null;
+ if (dc.getNetworkType() == NetworkType.Advanced && dc.isSecurityGroupEnabled()) {
+ List networks = _networkDao.listByZoneSecurityGroup(dataCenterId);
+ if (networks == null || networks.size() == 0) {
+ throw new CloudRuntimeException("Can not found security enabled network in SG Zone " + dc);
+ }
+ defaultNetwork = networks.get(0);
+ } else {
+ TrafficType defaultTrafficType = TrafficType.Public;
+
+ if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) {
+ defaultTrafficType = TrafficType.Guest;
+ }
+ List defaultNetworks = _networkDao.listByZoneAndTrafficType(dataCenterId, defaultTrafficType);
+ // api should never allow this situation to happen
+ if (defaultNetworks.size() != 1) {
+ throw new CloudRuntimeException("Found " + defaultNetworks.size() + " networks of type "
+ + defaultTrafficType + " when expect to find 1");
+ }
+ defaultNetwork = defaultNetworks.get(0);
 }
-
- List defaultNetworks = _networkDao.listByZoneAndTrafficType(dataCenterId, defaultTrafficType);
-
- //api should never allow this situation to happen
- if (defaultNetworks.size() != 1) {
- throw new CloudRuntimeException("Found " + defaultNetworks.size() + " networks of type " + defaultTrafficType + " when expect to find 1");
- }
-
- NetworkVO defaultNetwork = defaultNetworks.get(0);
 List offerings = _networkModel.getSystemAccountNetworkOfferings(NetworkOfferingVO.SystemControlNetwork, NetworkOfferingVO.SystemManagementNetwork, NetworkOfferingVO.SystemStorageNetwork);
 List> networks = new ArrayList>(offerings.size() + 1);
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index 662dab39bf9..7dd726c825e 100644
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -2867,94 +2867,47 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Use Account caller = UserContext.current().getCaller(); List networkList = new ArrayList(); - boolean isSecurityGroupEnabledNetworkUsed = false; boolean isVmWare = (template.getHypervisorType() == HypervisorType.VMware || (hypervisor != null && hypervisor == HypervisorType.VMware)); + if (isVmWare) { + throw new InvalidParameterValueException("Security group feature is not supported for vmWare hypervisor"); + } // Verify that caller can perform actions in behalf of vm owner _accountMgr.checkAccess(caller, null, true, owner); - - // If no network is specified, find system security group enabled - // network if (networkIdList == null || networkIdList.isEmpty()) { - Network networkWithSecurityGroup = _networkModel.getNetworkWithSecurityGroupEnabled(zone.getId()); - if (networkWithSecurityGroup == null) { - throw new InvalidParameterValueException( - "No network with security enabled is found in zone id=" - + zone.getId()); - } - - networkList.add(_networkDao.findById(networkWithSecurityGroup.getId())); - isSecurityGroupEnabledNetworkUsed = true; - - } else if (securityGroupIdList != null - && !securityGroupIdList.isEmpty()) { - if (isVmWare) { - throw new InvalidParameterValueException( - "Security group feature is not supported for vmWare hypervisor"); - } - // Only one network can be specified, and it should be security - // group enabled - if (networkIdList.size() > 1) { - throw new InvalidParameterValueException( - "Only support one network per VM if security group enabled"); - } - - NetworkVO network = _networkDao.findById(networkIdList.get(0) - .longValue()); - + throw new InvalidParameterValueException("need to specify networkIDs"); + } + if (networkIdList.size() > 1 ) { + throw new InvalidParameterValueException("VM can only be on one network in Zone with Security group enabled zone"); + } + // Verify that all the networks are Shared/Guest; can't create 
combination of SG enabled and disabled networks + for (Long networkId : networkIdList) { + NetworkVO network = _networkDao.findById(networkId); if (network == null) { throw new InvalidParameterValueException( "Unable to find network by id " + networkIdList.get(0).longValue()); } - if (!_networkModel.isSecurityGroupSupportedInNetwork(network)) { - throw new InvalidParameterValueException("Network is not security group enabled: " + network.getId()); - } + boolean isSecurityGroupEnabled = _networkModel.isSecurityGroupSupportedInNetwork(network); + if ( ! isSecurityGroupEnabled) { + throw new InvalidParameterValueException("Only support Security Group enabled networks in Security enabled zone, network " + network.getUuid() + " doesn't support security group "); + } - networkList.add(network); - isSecurityGroupEnabledNetworkUsed = true; - - } else { - // Verify that all the networks are Shared/Guest; can't create combination of SG enabled and disabled networks - for (Long networkId : networkIdList) { - NetworkVO network = _networkDao.findById(networkId); - - if (network == null) { - throw new InvalidParameterValueException( - "Unable to find network by id " - + networkIdList.get(0).longValue()); - } - - boolean isSecurityGroupEnabled = _networkModel.isSecurityGroupSupportedInNetwork(network); - if (isSecurityGroupEnabled) { - if (networkIdList.size() > 1) { - throw new InvalidParameterValueException("Can't create a vm with multiple networks one of" + - " which is Security Group enabled"); - } - - isSecurityGroupEnabledNetworkUsed = true; - } - - if (!(network.getTrafficType() == TrafficType.Guest && network.getGuestType() == Network.GuestType.Shared)) { - throw new InvalidParameterValueException("Can specify only Shared Guest networks when" + + if (!(network.getTrafficType() == TrafficType.Guest && network.getGuestType() == Network.GuestType.Shared)) { + throw new InvalidParameterValueException("Can specify only Shared Guest networks when" + " deploy vm in Advance 
Security Group enabled zone"); - } - - // Perform account permission check - if (network.getAclType() == ACLType.Account) { - _accountMgr.checkAccess(caller, AccessType.UseNetwork, false, network); - } - networkList.add(network); } - } + // Perform account permission check + if (network.getAclType() == ACLType.Account) { + _accountMgr.checkAccess(caller, AccessType.UseNetwork, false, network); + } + networkList.add(network); + } // if network is security group enabled, and no security group is specified, then add the default security group automatically - if (isSecurityGroupEnabledNetworkUsed && !isVmWare && _networkModel.canAddDefaultSecurityGroup()) { - - // add the default securityGroup only if no security group is - // specified - if (securityGroupIdList == null || securityGroupIdList.isEmpty()) { + if ( _networkModel.canAddDefaultSecurityGroup()) { + if(securityGroupIdList == null || securityGroupIdList.isEmpty()){ if (securityGroupIdList == null) { securityGroupIdList = new ArrayList(); } @@ -2978,7 +2931,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Use } } } - return createVirtualMachine(zone, serviceOffering, template, hostName, displayName, owner, diskOfferingId, diskSize, networkList, securityGroupIdList, group, userData, sshKeyPair, hypervisor, caller, requestedIps, defaultIps, keyboard); } diff --git a/ui/scripts/zoneWizard.js b/ui/scripts/zoneWizard.js index 26838a173c3..141cd6dd24a 100755 --- a/ui/scripts/zoneWizard.js +++ b/ui/scripts/zoneWizard.js @@ -373,7 +373,6 @@ var nonSupportedHypervisors = {}; if(args.context.zones[0]['network-model'] == "Advanced" && args.context.zones[0]['zone-advanced-sg-enabled'] == "on") { firstOption = "KVM"; - nonSupportedHypervisors["XenServer"] = 1; //to developers: comment this line if you need to test Advanced SG-enabled zone with XenServer hypervisor nonSupportedHypervisors["VMware"] = 1; nonSupportedHypervisors["BareMetal"] = 1; nonSupportedHypervisors["Ovm"] = 1;
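Review bot: Inside the new `for (Long networkId : networkIdList)` loop the retained not-found message still reports `networkIdList.get(0).longValue()` rather than the id that was actually looked up, and since the new size check above the loop guarantees it runs at most once, the loop is the wrong shape for what the code now does. Either drop the loop and read `networkIdList.get(0)` once, or at least report the right value with `"Unable to find network by id " + networkId`. The new early `if (isVmWare)` rejection now fires before `_accountMgr.checkAccess(caller, null, true, owner)`, so a caller without rights on the owner sees the hypervisor error first; probably harmless, but the ownership check used to come first and the reordering is not mentioned. The per-network `ACLType.Account` check on the new side is the property that matters here and is preserved. The enclosing method starts and ends outside the hunk.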