Merge lp:~soren/nova/nwfilter into lp:~hudson-openstack/nova/trunk

Proposed by Soren Hansen
Status: Rejected
Rejected by: Soren Hansen
Proposed branch: lp:~soren/nova/nwfilter
Merge into: lp:~hudson-openstack/nova/trunk
Diff against target: 178 lines (+64/-24)
6 files modified
nova/db/sqlalchemy/models.py (+3/-0)
nova/tests/virt_unittest.py (+43/-21)
nova/virt/libvirt.qemu.xml.template (+3/-0)
nova/virt/libvirt.uml.xml.template (+3/-0)
nova/virt/libvirt_conn.py (+11/-3)
run_tests.py (+1/-0)
To merge this branch: bzr merge lp:~soren/nova/nwfilter
Reviewer Review Type Date Requested Status
Devin Carlen (community) Approve
Review via email: mp+35521@code.launchpad.net

Description of the change

Prevent libvirt guests from doing MAC, ARP, and/or IP spoofing using libvirt's nwfilter mechanism.

Devin Carlen (devcamcar) wrote :

lgtm

review: Approve
Soren Hansen (soren) wrote :

This needs adjustment after we merged orm_deux.

Soren Hansen (soren) wrote :

Ignore this. It's superseded by the ec2-security-groups branch.

Unmerged revisions

272. By Soren Hansen

Merge trunk

271. By Soren Hansen

Make virt unittests run at run_tests.py time.

270. By Soren Hansen

Make unit tests use ElementTree instead of string parsing. *shudder*

269. By Soren Hansen

Get ip_address out of the data model, fix up the templates and revive the unit tests.

268. By Soren Hansen

Merge trunk.

267. By Soren Hansen

Merge trunk.

Preview Diff

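--- a/nova/db/sqlalchemy/models.py
+++ b/nova/db/sqlalchemy/models.py
@@ -112,6 +112,9 @@
 def __getitem__(self, key):
 return getattr(self, key)
 
+ def __contains__(self, key):
+ return hasattr(self, key)
+
 def __iter__(self):
 self._i = iter(object_mapper(self).columns)
 return self
 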
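Review bot: `__contains__` answers with `hasattr(self, key)`, which is much wider than the column set that `__iter__` walks via `object_mapper(self).columns` — any attribute name, including methods and the `_i` iterator state, now satisfies `key in model`, so membership and iteration disagree. This matters because `to_xml` in this branch uses `'ip_address' not in instance` to decide whether to look the address up: a model that still carries an `ip_address` attribute, even one set to None, would skip the lookup and the value would flow into the template unchanged. If column membership is what is meant, `return key in object_mapper(self).columns` keeps `in` consistent with `__iter__`, assuming that collection accepts string keys as it does for the `__getitem__` path. The enclosing class starts and ends outside the hunk.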
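--- a/nova/tests/virt_unittest.py
+++ b/nova/tests/virt_unittest.py
@@ -14,36 +14,50 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from xml.etree.ElementTree import fromstring as parseXml
+
 from nova import flags
 from nova import test
 from nova.virt import libvirt_conn
 
 FLAGS = flags.FLAGS
 
-
 class LibvirtConnTestCase(test.TrialTestCase):
 def test_get_uri_and_template(self):
- class MockDataModel(object):
- def __init__(self):
- self.datamodel = { 'name' : 'i-cafebabe',
- 'memory_kb' : '1024000',
- 'basepath' : '/some/path',
- 'bridge_name' : 'br100',
- 'mac_address' : '02:12:34:46:56:67',
- 'vcpus' : 2 }
+ instance = { 'name' : 'i-cafebabe',
+ 'id' : 'i-cafebabe',
+ 'memory_kb' : '1024000',
+ 'basepath' : '/some/path',
+ 'bridge_name' : 'br100',
+ 'mac_address' : '02:12:34:46:56:67',
+ 'vcpus' : 2,
+ 'project_id' : 'fake',
+ 'ip_address' : '10.11.12.13',
+ 'bridge' : 'br101',
+ 'instance_type' : 'm1.small'}
+ FLAGS.instances_path = ''
 
 type_uri_map = { 'qemu' : ('qemu:///system',
- [lambda s: '<domain type=\'qemu\'>' in s,
- lambda s: 'type>hvm</type' in s,
- lambda s: 'emulator>/usr/bin/kvm' not in s]),
+ [(lambda t: t.find('.').tag, 'domain'),
+ (lambda t: t.find('.').get('type'), 'qemu'),
+ (lambda t: t.find('./os/type').text, 'hvm'),
+ (lambda t: t.find('./devices/emulator'), None)]),
 'kvm' : ('qemu:///system',
- [lambda s: '<domain type=\'kvm\'>' in s,
- lambda s: 'type>hvm</type' in s,
- lambda s: 'emulator>/usr/bin/qemu<' not in s]),
+ [(lambda t: t.find('.').tag, 'domain'),
+ (lambda t: t.find('.').get('type'), 'kvm'),
+ (lambda t: t.find('./os/type').text, 'hvm'),
+ (lambda t: t.find('./devices/emulator'), None)]),
 'uml' : ('uml:///system',
- [lambda s: '<domain type=\'uml\'>' in s,
- lambda s: 'type>uml</type' in s]),
- }
+ [(lambda t: t.find('.').tag, 'domain'),
+ (lambda t: t.find('.').get('type'), 'uml'),
+ (lambda t: t.find('./os/type').text, 'uml')]),
+ }
+ common_checks = [(lambda t: \
+ t.find('./devices/interface/filterref/parameter') \
+ .get('name'), 'IP'),
+ (lambda t: \
+ t.find('./devices/interface/filterref/parameter') \
+ .get('value'), '10.11.12.13')]
 
 for (libvirt_type,(expected_uri, checks)) in type_uri_map.iteritems():
 FLAGS.libvirt_type = libvirt_type
@@ -52,9 +66,17 @@
 uri, template = conn.get_uri_and_template()
 self.assertEquals(uri, expected_uri)
 
- for i, check in enumerate(checks):
- xml = conn.toXml(MockDataModel())
- self.assertTrue(check(xml), '%s failed check %d' % (xml, i))
+ xml = conn.to_xml(instance)
+ tree = parseXml(xml)
+ for i, (check, expected_result) in enumerate(checks):
+ self.assertEqual(check(tree),
+ expected_result,
+ '%s failed check %d' % (xml, i))
+
+ for i, (check, expected_result) in enumerate(common_checks):
+ self.assertEqual(check(tree),
+ expected_result,
+ '%s failed common check %d' % (xml, i))
 
 # Deliberately not just assigning this string to FLAGS.libvirt_uri and
 # checking against that later on. This way we make sure the
 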
39- 'mac_address' : '02:12:34:46:56:67',
40- 'vcpus' : 2 }
41+ instance = { 'name' : 'i-cafebabe',
42+ 'id' : 'i-cafebabe',
43+ 'memory_kb' : '1024000',
44+ 'basepath' : '/some/path',
45+ 'bridge_name' : 'br100',
46+ 'mac_address' : '02:12:34:46:56:67',
47+ 'vcpus' : 2,
48+ 'project_id' : 'fake',
49+ 'ip_address' : '10.11.12.13',
50+ 'bridge' : 'br101',
51+ 'instance_type' : 'm1.small'}
52+ FLAGS.instances_path = ''
53
54 type_uri_map = { 'qemu' : ('qemu:///system',
55- [lambda s: '<domain type=\'qemu\'>' in s,
56- lambda s: 'type>hvm</type' in s,
57- lambda s: 'emulator>/usr/bin/kvm' not in s]),
58+ [(lambda t: t.find('.').tag, 'domain'),
59+ (lambda t: t.find('.').get('type'), 'qemu'),
60+ (lambda t: t.find('./os/type').text, 'hvm'),
61+ (lambda t: t.find('./devices/emulator'), None)]),
62 'kvm' : ('qemu:///system',
63- [lambda s: '<domain type=\'kvm\'>' in s,
64- lambda s: 'type>hvm</type' in s,
65- lambda s: 'emulator>/usr/bin/qemu<' not in s]),
66+ [(lambda t: t.find('.').tag, 'domain'),
67+ (lambda t: t.find('.').get('type'), 'kvm'),
68+ (lambda t: t.find('./os/type').text, 'hvm'),
69+ (lambda t: t.find('./devices/emulator'), None)]),
70 'uml' : ('uml:///system',
71- [lambda s: '<domain type=\'uml\'>' in s,
72- lambda s: 'type>uml</type' in s]),
73- }
74+ [(lambda t: t.find('.').tag, 'domain'),
75+ (lambda t: t.find('.').get('type'), 'uml'),
76+ (lambda t: t.find('./os/type').text, 'uml')]),
77+ }
78+ common_checks = [(lambda t: \
79+ t.find('./devices/interface/filterref/parameter') \
80+ .get('name'), 'IP'),
81+ (lambda t: \
82+ t.find('./devices/interface/filterref/parameter') \
83+ .get('value'), '10.11.12.13')]
84
85 for (libvirt_type,(expected_uri, checks)) in type_uri_map.iteritems():
86 FLAGS.libvirt_type = libvirt_type
87@@ -52,9 +66,17 @@
88 uri, template = conn.get_uri_and_template()
89 self.assertEquals(uri, expected_uri)
90
91- for i, check in enumerate(checks):
92- xml = conn.toXml(MockDataModel())
93- self.assertTrue(check(xml), '%s failed check %d' % (xml, i))
94+ xml = conn.to_xml(instance)
95+ tree = parseXml(xml)
96+ for i, (check, expected_result) in enumerate(checks):
97+ self.assertEqual(check(tree),
98+ expected_result,
99+ '%s failed check %d' % (xml, i))
100+
101+ for i, (check, expected_result) in enumerate(common_checks):
102+ self.assertEqual(check(tree),
103+ expected_result,
104+ '%s failed common check %d' % (xml, i))
105
106 # Deliberately not just assigning this string to FLAGS.libvirt_uri and
107 # checking against that later on. This way we make sure the
108
109=== modified file 'nova/virt/libvirt.qemu.xml.template'
110--- nova/virt/libvirt.qemu.xml.template 2010-09-07 12:34:37 +0000
111+++ nova/virt/libvirt.qemu.xml.template 2010-09-24 11:28:47 +0000
112@@ -20,6 +20,9 @@
113 <source bridge='%(bridge_name)s'/>
114 <mac address='%(mac_address)s'/>
115 <!-- <model type='virtio'/> CANT RUN virtio network right now -->
116+ <filterref filter="clean-traffic">
117+ <parameter name="IP" value="%(ip_address)s" />
118+ </filterref>
119 </interface>
120 <serial type="file">
121 <source path='%(basepath)s/console.log'/>
122
123=== modified file 'nova/virt/libvirt.uml.xml.template'
124--- nova/virt/libvirt.uml.xml.template 2010-09-07 12:34:37 +0000
125+++ nova/virt/libvirt.uml.xml.template 2010-09-24 11:28:47 +0000
126@@ -14,6 +14,9 @@
127 <interface type='bridge'>
128 <source bridge='%(bridge_name)s'/>
129 <mac address='%(mac_address)s'/>
130+ <filterref filter="clean-traffic">
131+ <parameter name="IP" value="%(ip_address)s" />
132+ </filterref>
133 </interface>
134 <console type="file">
135 <source path='%(basepath)s/console.log'/>
136
137=== modified file 'nova/virt/libvirt_conn.py'
138--- nova/virt/libvirt_conn.py 2010-09-09 15:55:09 +0000
139+++ nova/virt/libvirt_conn.py 2010-09-24 11:28:47 +0000
140@@ -314,17 +314,25 @@
141 def to_xml(self, instance):
142 # TODO(termie): cache?
143 logging.debug('instance %s: starting toXML method', instance['name'])
144- network = db.project_get_network(None, instance['project_id'])
145 # FIXME(vish): stick this in db
146 instance_type = instance_types.INSTANCE_TYPES[instance['instance_type']]
147+
148+ # Fill in the blanks
149+ if 'ip_address' not in instance:
150+ instance['ip_address'] = db.instance_get_fixed_address({}, instance['id'])
151+
152+ if 'bridge' not in instance:
153+ instance['bridge'] = db.project_get_network(None, instance['project_id'])['bridge']
154+
155 xml_info = {'type': FLAGS.libvirt_type,
156 'name': instance['name'],
157 'basepath': os.path.join(FLAGS.instances_path,
158 instance['name']),
159 'memory_kb': instance_type['memory_mb'] * 1024,
160 'vcpus': instance_type['vcpus'],
161- 'bridge_name': network['bridge'],
162- 'mac_address': instance['mac_address']}
163+ 'bridge_name': instance['bridge'],
164+ 'mac_address': instance['mac_address'],
165+ 'ip_address': instance['ip_address'] }
166 libvirt_xml = self.libvirt_xml % xml_info
167 logging.debug('instance %s: finished toXML method', instance['name'])
168
169
170=== modified file 'run_tests.py'
171--- run_tests.py 2010-09-21 20:58:08 +0000
172+++ run_tests.py 2010-09-24 11:28:47 +0000
173@@ -63,6 +63,7 @@
174 from nova.tests.scheduler_unittest import *
175 from nova.tests.service_unittest import *
176 from nova.tests.validator_unittest import *
177+from nova.tests.virt_unittest import *
178 from nova.tests.volume_unittest import *
179
180