From 95aef332cc851f91bafb9af7bf5f0f682bb566ce Mon Sep 17 00:00:00 2001 From: anthony Date: Wed, 23 Jan 2013 11:08:24 -0800 Subject: [PATCH 1/4] CLOUDSTACK-737, allow to add security group enabled networks in security group enabled zone --- .../ConfigurationManagerImpl.java | 10 +++--- .../consoleproxy/ConsoleProxyManagerImpl.java | 31 +++++++++++------- .../SecondaryStorageManagerImpl.java | 32 ++++++++++++------- 3 files changed, 44 insertions(+), 29 deletions(-) diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java index df6642af9ca..f976fd204dc 100755 --- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java +++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java @@ -1526,13 +1526,11 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura // check if zone has necessary trafficTypes before enabling try { PhysicalNetwork mgmtPhyNetwork; - if (NetworkType.Advanced == zone.getNetworkType()) { - // zone should have a physical network with public and management traffiType + // zone should have a physical network with management traffiType + mgmtPhyNetwork = _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Management); + if (NetworkType.Advanced == zone.getNetworkType() && ! zone.isSecurityGroupEnabled() ) { + // advanced zone without SG should have a physical network with public Thpe _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Public); - mgmtPhyNetwork = _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Management); - } else { - // zone should have a physical network with management traffiType - mgmtPhyNetwork = _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Management); } try { diff --git a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java index 6b2d8ad8e42..2d104978223 100755 --- a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java +++ b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java @@ -756,19 +756,28 @@ public class ConsoleProxyManagerImpl implements ConsoleProxyManager, ConsoleProx DataCenterDeployment plan = new DataCenterDeployment(dataCenterId); - TrafficType defaultTrafficType = TrafficType.Public; - if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) { - defaultTrafficType = TrafficType.Guest; + NetworkVO defaultNetwork = null; + if (dc.getNetworkType() == NetworkType.Advanced && dc.isSecurityGroupEnabled()) { + List networks = _networkDao.listByZoneSecurityGroup(dataCenterId); + if (networks == null || networks.size() == 0) { + throw new CloudRuntimeException("Can not found security enabled network in SG Zone " + dc); + } + defaultNetwork = networks.get(0); + } else { + TrafficType defaultTrafficType = TrafficType.Public; + if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) { + defaultTrafficType = TrafficType.Guest; + } + List defaultNetworks = _networkDao.listByZoneAndTrafficType(dataCenterId, defaultTrafficType); + + // api should never allow this situation to happen + if (defaultNetworks.size() != 1) { + throw new CloudRuntimeException("Found " + defaultNetworks.size() + " networks of type " + + defaultTrafficType + " when expect to find 1"); + } + defaultNetwork = defaultNetworks.get(0); } - List defaultNetworks = _networkDao.listByZoneAndTrafficType(dataCenterId, defaultTrafficType); - - if (defaultNetworks.size() != 1) { - throw new CloudRuntimeException("Found " + defaultNetworks.size() + " networks of type " + defaultTrafficType + " when expect to find 1"); - } - - NetworkVO defaultNetwork = defaultNetworks.get(0); - List offerings = _networkModel.getSystemAccountNetworkOfferings(NetworkOffering.SystemControlNetwork, NetworkOffering.SystemManagementNetwork); List> networks = new ArrayList>(offerings.size() + 1); NicProfile defaultNic = new NicProfile(); diff --git a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java index e4208811f23..b53ecd3293d 100755 --- a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java +++ b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java @@ -537,19 +537,27 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V DataCenterDeployment plan = new DataCenterDeployment(dataCenterId); DataCenter dc = _dcDao.findById(plan.getDataCenterId()); - TrafficType defaultTrafficType = TrafficType.Public; - if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) { - defaultTrafficType = TrafficType.Guest; + NetworkVO defaultNetwork = null; + if (dc.getNetworkType() == NetworkType.Advanced && dc.isSecurityGroupEnabled()) { + List networks = _networkDao.listByZoneSecurityGroup(dataCenterId); + if (networks == null || networks.size() == 0) { + throw new CloudRuntimeException("Can not found security enabled network in SG Zone " + dc); + } + defaultNetwork = networks.get(0); + } else { + TrafficType defaultTrafficType = TrafficType.Public; + + if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) { + defaultTrafficType = TrafficType.Guest; + } + List defaultNetworks = _networkDao.listByZoneAndTrafficType(dataCenterId, defaultTrafficType); + // api should never allow this situation to happen + if (defaultNetworks.size() != 1) { + throw new CloudRuntimeException("Found " + defaultNetworks.size() + " networks of type " + + defaultTrafficType + " when expect to find 1"); + } + defaultNetwork = defaultNetworks.get(0); } - - List defaultNetworks = _networkDao.listByZoneAndTrafficType(dataCenterId, defaultTrafficType); - - //api should never allow this situation to happen - if (defaultNetworks.size() != 1) { - throw new CloudRuntimeException("Found " + defaultNetworks.size() + " networks of type " + defaultTrafficType + " when expect to find 1"); - } - - NetworkVO defaultNetwork = defaultNetworks.get(0); List offerings = _networkModel.getSystemAccountNetworkOfferings(NetworkOfferingVO.SystemControlNetwork, NetworkOfferingVO.SystemManagementNetwork, NetworkOfferingVO.SystemStorageNetwork); List> networks = new ArrayList>(offerings.size() + 1); From d7201dfe1f49fb75054e1f0b6922ed21446ad130 Mon Sep 17 00:00:00 2001 From: anthony Date: Thu, 24 Jan 2013 17:26:51 -0800 Subject: [PATCH 2/4] CLOUDSTACK-737 add xenserver support in UI only XenServer and KVM clusters are allowed in security enabled zone. only shared security enabled networks are allowed in security enabled zone. --- .../src/com/cloud/network/NetworkManagerImpl.java | 15 +++++++++------ .../com/cloud/resource/ResourceManagerImpl.java | 6 ++++++ ui/scripts/zoneWizard.js | 1 - 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java index bb60dcfcdc8..b3273919002 100755 --- a/server/src/com/cloud/network/NetworkManagerImpl.java +++ b/server/src/com/cloud/network/NetworkManagerImpl.java @@ -1870,13 +1870,16 @@ public class NetworkManagerImpl implements NetworkManager, Manager, Listener { } else if (zone.getNetworkType() == NetworkType.Advanced) { if (zone.isSecurityGroupEnabled()) { - // Only Account specific Isolated network with sourceNat service disabled are allowed in security group + // Only shared network with sourceNat service disabled are allowed in security group // enabled zone - boolean allowCreation = (ntwkOff.getGuestType() == GuestType.Isolated - && !_networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat)); - if (!allowCreation) { - throw new InvalidParameterValueException("Only Account specific Isolated network with sourceNat " + - "service disabled are allowed in security group enabled zone"); + if ( ntwkOff.getGuestType() != GuestType.Shared ){ + throw new InvalidParameterValueException("Only shared guest network can be created in security group enabled zone"); + } + if ( _networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat)) { + throw new InvalidParameterValueException("Service SourceNat is not allowed in security group enabled zone"); + } + if ( _networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SecurityGroup)) { + throw new InvalidParameterValueException("network must have SecurityGroup provider in security group enabled zone"); } } diff --git a/server/src/com/cloud/resource/ResourceManagerImpl.java b/server/src/com/cloud/resource/ResourceManagerImpl.java index f82424a10c2..5817d4d827e 100755 --- a/server/src/com/cloud/resource/ResourceManagerImpl.java +++ b/server/src/com/cloud/resource/ResourceManagerImpl.java @@ -388,6 +388,12 @@ public class ResourceManagerImpl implements ResourceManager, ResourceService, Ma throw new InvalidParameterValueException("Unable to resolve " + cmd.getHypervisor() + " to a supported "); } + if (zone.isSecurityGroupEnabled()) { + if( hypervisorType != HypervisorType.KVM && hypervisorType != HypervisorType.XenServer ) { + throw new InvalidParameterValueException("Don't support hypervisor type " + hypervisorType + " in advanced security enabled zone"); + } + } + Cluster.ClusterType clusterType = null; if (cmd.getClusterType() != null && !cmd.getClusterType().isEmpty()) { clusterType = Cluster.ClusterType.valueOf(cmd.getClusterType()); diff --git a/ui/scripts/zoneWizard.js b/ui/scripts/zoneWizard.js index 26838a173c3..141cd6dd24a 100755 --- a/ui/scripts/zoneWizard.js +++ b/ui/scripts/zoneWizard.js @@ -373,7 +373,6 @@ var nonSupportedHypervisors = {}; if(args.context.zones[0]['network-model'] == "Advanced" && args.context.zones[0]['zone-advanced-sg-enabled'] == "on") { firstOption = "KVM"; - nonSupportedHypervisors["XenServer"] = 1; //to developers: comment this line if you need to test Advanced SG-enabled zone with XenServer hypervisor nonSupportedHypervisors["VMware"] = 1; nonSupportedHypervisors["BareMetal"] = 1; nonSupportedHypervisors["Ovm"] = 1; From 65210f4e7ee62b237ccdd8d853553e7c990f19c8 Mon Sep 17 00:00:00 2001 From: Anthony Xu Date: Thu, 31 Jan 2013 15:45:52 -0800 Subject: [PATCH 3/4] CLOUDSTACK-737 support multiple NICs in Security group in java side --- .../com/cloud/network/NetworkManagerImpl.java | 2 +- .../src/com/cloud/vm/UserVmManagerImpl.java | 82 +++++-------------- 2 files changed, 22 insertions(+), 62 deletions(-) diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java index b3273919002..da0a560938b 100755 --- a/server/src/com/cloud/network/NetworkManagerImpl.java +++ b/server/src/com/cloud/network/NetworkManagerImpl.java @@ -1878,7 +1878,7 @@ public class NetworkManagerImpl implements NetworkManager, Manager, Listener { if ( _networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat)) { throw new InvalidParameterValueException("Service SourceNat is not allowed in security group enabled zone"); } - if ( _networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SecurityGroup)) { + if ( ! _networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SecurityGroup)) { throw new InvalidParameterValueException("network must have SecurityGroup provider in security group enabled zone"); } } diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java index 58910562beb..8ceee383028 100644 --- a/server/src/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/com/cloud/vm/UserVmManagerImpl.java @@ -2048,80 +2048,41 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager Account caller = UserContext.current().getCaller(); List networkList = new ArrayList(); - boolean isSecurityGroupEnabledNetworkUsed = false; boolean isVmWare = (template.getHypervisorType() == HypervisorType.VMware || (hypervisor != null && hypervisor == HypervisorType.VMware)); + if (isVmWare) { + throw new InvalidParameterValueException("Security group feature is not supported for vmWare hypervisor"); + } //Verify that caller can perform actions in behalf of vm owner _accountMgr.checkAccess(caller, null, true, owner); - - // If no network is specified, find system security group enabled network if (networkIdList == null || networkIdList.isEmpty()) { - Network networkWithSecurityGroup = _networkModel.getNetworkWithSecurityGroupEnabled(zone.getId()); - if (networkWithSecurityGroup == null) { - throw new InvalidParameterValueException("No network with security enabled is found in zone id=" + zone.getId()); - } - - networkList.add(_networkDao.findById(networkWithSecurityGroup.getId())); - isSecurityGroupEnabledNetworkUsed = true; - - } else if (securityGroupIdList != null && !securityGroupIdList.isEmpty()) { - if (isVmWare) { - throw new InvalidParameterValueException("Security group feature is not supported for vmWare hypervisor"); - } - // Only one network can be specified, and it should be security group enabled - if (networkIdList.size() > 1) { - throw new InvalidParameterValueException("Only support one network per VM if security group enabled"); - } - - NetworkVO network = _networkDao.findById(networkIdList.get(0).longValue()); - + throw new InvalidParameterValueException("need to specify networkIDs"); + } + // Verify that all the networks are Shared/Guest; can't create combination of SG enabled and disabled networks + for (Long networkId : networkIdList) { + NetworkVO network = _networkDao.findById(networkId); if (network == null) { throw new InvalidParameterValueException("Unable to find network by id " + networkIdList.get(0).longValue()); } - if (!_networkModel.isSecurityGroupSupportedInNetwork(network)) { - throw new InvalidParameterValueException("Network is not security group enabled: " + network.getId()); - } + boolean isSecurityGroupEnabled = _networkModel.isSecurityGroupSupportedInNetwork(network); + if ( ! isSecurityGroupEnabled) { + throw new InvalidParameterValueException("Only support Security Group enabled networks in Security enabled zone, network " + network.getUuid() + " doesn't support security group "); + } - networkList.add(network); - isSecurityGroupEnabledNetworkUsed = true; - - } else { - // Verify that all the networks are Shared/Guest; can't create combination of SG enabled and disabled networks - for (Long networkId : networkIdList) { - NetworkVO network = _networkDao.findById(networkId); - - if (network == null) { - throw new InvalidParameterValueException("Unable to find network by id " + networkIdList.get(0).longValue()); - } - - boolean isSecurityGroupEnabled = _networkModel.isSecurityGroupSupportedInNetwork(network); - if (isSecurityGroupEnabled) { - if (networkIdList.size() > 1) { - throw new InvalidParameterValueException("Can't create a vm with multiple networks one of" + - " which is Security Group enabled"); - } - - isSecurityGroupEnabledNetworkUsed = true; - } - - if (!(network.getTrafficType() == TrafficType.Guest && network.getGuestType() == Network.GuestType.Shared)) { - throw new InvalidParameterValueException("Can specify only Shared Guest networks when" + + if (!(network.getTrafficType() == TrafficType.Guest && network.getGuestType() == Network.GuestType.Shared)) { + throw new InvalidParameterValueException("Can specify only Shared Guest networks when" + " deploy vm in Advance Security Group enabled zone"); - } - - // Perform account permission check - if (network.getAclType() == ACLType.Account) { - _accountMgr.checkAccess(caller, AccessType.UseNetwork, false, network); - } - networkList.add(network); } - } + // Perform account permission check + if (network.getAclType() == ACLType.Account) { + _accountMgr.checkAccess(caller, AccessType.UseNetwork, false, network); + } + networkList.add(network); + } // if network is security group enabled, and no security group is specified, then add the default security group automatically - if (isSecurityGroupEnabledNetworkUsed && !isVmWare && _networkModel.canAddDefaultSecurityGroup()) { - - //add the default securityGroup only if no security group is specified + if ( _networkModel.canAddDefaultSecurityGroup()) { if(securityGroupIdList == null || securityGroupIdList.isEmpty()){ if (securityGroupIdList == null) { securityGroupIdList = new ArrayList(); @@ -2140,7 +2101,6 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager } } } - return createVirtualMachine(zone, serviceOffering, template, hostName, displayName, owner, diskOfferingId, diskSize, networkList, securityGroupIdList, group, userData, sshKeyPair, hypervisor, caller, requestedIps, defaultIp, keyboard); } From 8a86d08fe307719e50d28d61d8e9025e56ab27da Mon Sep 17 00:00:00 2001 From: Anthony Xu Date: Mon, 4 Feb 2013 17:09:06 -0800 Subject: [PATCH 4/4] CLOUDSTACK-737 Security Group script assume there is only one nic per VM, it is a big task to support multiple NICs, may seperate that as another project --- server/src/com/cloud/vm/UserVmManagerImpl.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java index 8ceee383028..7a139f418a8 100644 --- a/server/src/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/com/cloud/vm/UserVmManagerImpl.java @@ -2058,6 +2058,9 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager if (networkIdList == null || networkIdList.isEmpty()) { throw new InvalidParameterValueException("need to specify networkIDs"); } + if (networkIdList.size() > 1 ) { + throw new InvalidParameterValueException("VM can only be on one network in Zone with Security group enabled zone"); + } // Verify that all the networks are Shared/Guest; can't create combination of SG enabled and disabled networks for (Long networkId : networkIdList) { NetworkVO network = _networkDao.findById(networkId);