1:55 p.m.
Appologies for previous email with the huge subject line - i try again:
These patches implement a second version of firewalling for the terremark driver.
This is still a prototype - we will try and see if this model 'fits' for ec2
before
committing to using this (terremark and ec2 are the only clouds that require
management of firewall rules in order to gain access to a given instance).
Currently a firewall_rule consists of:
public_ip, public_port, protocol, private_ip, private_port (think NAT).
--marios
1:55 p.m.
New subject: ['PATCH core'] Firewalling - v2 (with prototype for terremark - ec2 next) These patches implement a second version of firewalling for the terremark driver. This is still a prototype - we will try and see if this model 'fits' for ec2 before committing to using this (terremark and ec2 are the only clouds that require management of firewall rules in order to gain access to a given instance). Currently a firewall_rule consists of: public_ip, public_port, protocol, private_ip, private_port (t
From: marios <marios(a)redhat.com>
Current operations are list (index), create and delete a firewall rule. Also these patches
contain only the html haml (not yet xml - want to decide if this is the model before doing
this).
---
server/deltacloud.rb | 1 +
server/lib/deltacloud/base_driver/base_driver.rb | 16 +++
.../drivers/terremark/terremark_driver.rb | 100 +++++++++++++++++++-
server/lib/deltacloud/models/firewall_rule.rb | 9 ++
server/server.rb | 88 ++++++++++++++++--
server/views/firewall_rules/index.html.haml | 37 +++++++
server/views/firewall_rules/new.html.haml | 22 +++++
server/views/firewall_rules/show.html.haml | 21 ++++
8 files changed, 285 insertions(+), 9 deletions(-)
create mode 100644 server/lib/deltacloud/models/firewall_rule.rb
create mode 100644 server/views/firewall_rules/index.html.haml
create mode 100644 server/views/firewall_rules/new.html.haml
create mode 100644 server/views/firewall_rules/show.html.haml
diff --git a/server/deltacloud.rb b/server/deltacloud.rb
index 1c19a5d..561fdfb 100644
--- a/server/deltacloud.rb
+++ b/server/deltacloud.rb
@@ -12,3 +12,4 @@ require 'deltacloud/models/instance'
require 'deltacloud/models/instance_profile'
require 'deltacloud/models/storage_snapshot'
require 'deltacloud/models/storage_volume'
+require 'deltacloud/models/firewall_rule'
diff --git a/server/lib/deltacloud/base_driver/base_driver.rb
b/server/lib/deltacloud/base_driver/base_driver.rb
index a2b3bbe..b334db1 100644
--- a/server/lib/deltacloud/base_driver/base_driver.rb
+++ b/server/lib/deltacloud/base_driver/base_driver.rb
@@ -154,6 +154,22 @@ module Deltacloud
def reboot_instance(credentials, id)
end
+ def firewall_rules(credentials, opts)
+ []
+ end
+
+ def firewall_rule(credentials, opts)
+ rules = firewall_rules(credentials, opts)
+ return rules.first unless rules.empty?
+ nil
+ end
+
+ def create_firewall_rule(credentials, opts)
+ end
+ def delete_firewall_rule(credentials, opts)
+ end
+
+
def storage_volume(credentials, opts)
volumes = storage_volumes(credentials, opts)
return volumes.first unless volumes.empty?
diff --git a/server/lib/deltacloud/drivers/terremark/terremark_driver.rb
b/server/lib/deltacloud/drivers/terremark/terremark_driver.rb
index ae3c554..d464052 100644
--- a/server/lib/deltacloud/drivers/terremark/terremark_driver.rb
+++ b/server/lib/deltacloud/drivers/terremark/terremark_driver.rb
@@ -32,7 +32,7 @@ module Deltacloud
class TerremarkDriver < Deltacloud::BaseDriver
- feature :instances, :user_name
+# feature :instances, :user_name
#--
# Vapp State Map... for use with convert_instance (get an integer back from terremark)
@@ -50,6 +50,89 @@ VAPP_STATE_MAP = { "0" => "PENDING",
"1" => "PENDING", "2" => "STOPPED",
"4"
#storage_disks [1..15]
#--
+# FIREWALL RULES
+#--
+ def firewall_rules(credentials, opts=nil)
+ firewall_rules = []
+ terremark_client = new_client(credentials)
+ services =
terremark_client.get_internet_services(terremark_client.default_vdc_id).body['InternetServices'].each
do |service|
+ s_id = service['Id'].to_s
+ public_ip = service['PublicIpAddress']['Name']
+ public_port = service['Port']
+ protocol = service['Protocol']
+ nodes = terremark_client.get_node_services(s_id).body['NodeServices']
+ unless nodes.empty?
+ nodes.each do |node|
+ #puts "Id is #{node['Id']}, public_ip is #{public_ip}, public_port
is #{public_port}, Private IP is #{node['IpAddress']}, private port is
#{node['Port']} and protocol is #{protocol}"
+ firewall_rules << FirewallRule.new({ :id => s_id,
+ :public_address => public_ip,
+ :public_port => public_port,
+ :private_address =>
node['IpAddress'],
+ :private_port =>
node['Port'],
+ :protocol => protocol
+ })
+ end #nodes.each do
+ end #unless nodes empty
+ end #services.each do
+ firewall_rules = filter_on( firewall_rules, :id, opts )
+ firewall_rules
+ end
+
+#--
+# DELETE FIREWALL RULE
+#--can expect that the service ID is passed in the opts...
+ def delete_firewall_rule(credentials, opts=nil)
+ service_id = opts[:id].to_s
+ terremark_client = new_client(credentials)
+ nodes = terremark_client.get_node_services(service_id).body['NodeServices']
+ unless nodes.empty?
+ nodes.each do |node|
+ terremark_client.delete_node_service(node['Id'])
+ end
+ end
+ terremark_client.delete_internet_service(service_id)
+ end
+
+#--
+# CREATE NEW FIREWALL RULE
+#--expected input: private and public ip address, private and public ports, protocol
+#--opts['public_address']
+#--pts['service_protocol']
+#--opts['public_port']
+#--opts['private_port']
+#--opts['private_address']
+#--opts['service_name'] - OPTIONAL
+#--opts['node_name'] - OPTIONAL
+ def create_firewall_rule(credentials, opts=nil)
+ terremark_client = new_client(credentials)
+ public_address = opts['public_address']
+ public_port = opts['public_port']
+ protocol = opts['service_protocol']
+ #check if internet service exists or creating a new one
+ service_id = internet_service_exists(terremark_client, public_address, public_port,
protocol)
+ unless service_id
+ ip_id = nil
+ #need to deduce the ip id to create a new internet service
+ ips =
terremark_client.get_public_ips(terremark_client.default_vdc_id).body['PublicIpAddresses']
+ ips.each do |ip|
+ if (ip['name'] == public_address)
+ ip_id = ip['id'].to_s
+ break
+ end
+ end #end ips.each
+ service_name ||= opts['service_name']
+ service_name ||= "svc" + (rand(1000)*Time.now.to_i).to_s.slice(0,7)
+ service_id = terremark_client.add_internet_service(ip_id, service_name, protocol,
public_port).body['Id'].to_s
+ end
+ #it adds the node service to the internet service...
+ node_name ||= opts['node_name']
+ node_name ||= "nod" + (rand(1000)*Time.now.to_i).to_s.slice(0,7)
+ private_address = opts['private_address']
+ private_port = opts['private_port']
+ terremark_client.add_node_service(service_id, private_address, node_name,
private_port)
+ end
+
+#--
# IMAGES
#--
#aka "vapp_templates"
@@ -183,6 +266,21 @@ end
private
#--
+# INTERNET_SERVICE_EXISTS
+#-- helper to check if a given public IP/Port combination are defined as an existing
internet service
+#-- used by the create_firewall_rule method
+def internet_service_exists(terremark_client, public_address, public_port, protocol)
+ services = terremark_client.get_internet_services(terremark_client.default_vdc_id)
+ services.body['InternetServices'].each do |current_service|
+ if ( (current_service['PublicIpAddress']['Name'] == public_address)
&& (current_service['Port'].to_s == public_port) &&
+ (current_service['Protocol'].upcase == protocol.upcase) )
+ return current_service['Id']
+ end
+ end
+ nil
+end
+
+#--
# CONVERT IMAGE
#--
#gets a vapp_template from a catalog and makes it a Image
diff --git a/server/lib/deltacloud/models/firewall_rule.rb
b/server/lib/deltacloud/models/firewall_rule.rb
new file mode 100644
index 0000000..390ede3
--- /dev/null
+++ b/server/lib/deltacloud/models/firewall_rule.rb
@@ -0,0 +1,9 @@
+class FirewallRule < BaseModel
+
+ attr_accessor :public_address
+ attr_accessor :public_port
+ attr_accessor :private_address
+ attr_accessor :private_port
+ attr_accessor :protocol
+
+end
\ No newline at end of file
diff --git a/server/server.rb b/server/server.rb
index b5bdfac..cb15bdf 100644
--- a/server/server.rb
+++ b/server/server.rb
@@ -65,6 +65,8 @@ def show(model)
end
+
+
#
# Error handlers
#
@@ -108,7 +110,60 @@ get '/api\/?' do
end
end
+get '/api/firewall_rules/:id/destroy' do
+ method = "delete_firewall_rule"
+ not_found unless driver.respond_to?(method)
+ opts = {}
+ opts[:id] = params[:id]
+ driver.send(method, credentials, opts)
+ redirect firewall_rules_url
+end
+
+get '/api/firewall_rules/new' do
+ respond_to do |format|
+ format.html { haml :"firewall_rules/new" }
+ end
+end
+
+
+def delete_firewall_rule(service_id)
+ driver.send(delete_firewall_rule, credentials, {:id => params[:id]})
+end
+
# Rabbit DSL
+collection :firewall_rules do
+
+ description "Allow user to expose a public IP address/port and map these onto an
internal IP address/port. eg expose ssh access [port 22, tcp]."
+ operation :index do
+ description 'Show all available network services'
+ control { filter_all(:firewall_rules) }
+ end
+
+ operation :show do
+ description 'Show a firewall rule identified by its id'
+ param :id, :string, :required
+ control { show(:firewall_rule) }
+ end
+
+ operation :create do
+ description 'Create a new firewall rule'
+ param :public_address, :string, :required
+ param :public_port, :string, :required
+ param :private_address, :string, :required
+ param :private_port, :string, :required
+ param :service_protocol, :string, :required
+ control do
+ driver.create_firewall_rule(credentials, params )
+ filter_all(:firewall_rules)
+ end
+ end
+
+ operation :destroy, :method => :post do
+ description 'destroy given firewall rule'
+ param :id, :string, :required
+ control { delete_firewall_rule(:id) }
+ end
+end
collection :realms do
description "Within a cloud provider a realm represents a boundary containing
resources. The exact definition of a realm is left to the cloud provider. In some cases, a
realm may represent different datacenters, different continents, or different pools of
resources within a single datacenter. A cloud provider may insist that resources must all
exist within a single realm in order to cooperate. For instance, storage volumes may only
be allowed to be mounted to instances within the same realm."
@@ -186,6 +241,22 @@ collection :instance_states do
end
end
+# Special instance get operations that we only allow for HTML
+get "/api/instances/:id/:action" do
+ meth = :"#{params[:action]}_instance"
+ not_found unless driver.respond_to?(meth)
+ respond_to do |format|
+ format.html do
+ driver.send(meth, credentials, params[:id])
+ if ( (params[:action] == 'destroy') or (params[:action] == 'stop') )
+ redirect instances_url
+ else
+ redirect instance_url(params[:id])
+ end
+ end
+ end
+end
+
get "/api/instances/new" do
@instance = Instance.new( { :id=>params[:id], :image_id=>params[:image_id] } )
@image = driver.image( credentials, :id => params[:image_id] )
@@ -197,14 +268,15 @@ get "/api/instances/new" do
end
def instance_action(name)
- @instance = driver.send(:"#{name}_instance", credentials,
params["id"])
-
- return redirect(instances_url) if name.eql?(:destroy) or @instance.class!=Instance
-
- respond_to do |format|
- format.html { haml :"instances/show" }
- format.xml { haml :"instances/show" }
- format.json {convert_to_json(:instance, @instance) }
+ @instance = driver.send(:"#{name}_instance", credentials, params[:id])
+ if name==:destroy
+ redirect instances_url
+ else
+ respond_to do |format|
+ format.html { haml :"instances/show" }
+ format.xml { haml :"instances/show" }
+ format.json {convert_to_json(:instance, @instance) }
+ end
end
end
diff --git a/server/views/firewall_rules/index.html.haml
b/server/views/firewall_rules/index.html.haml
new file mode 100644
index 0000000..47990b0
--- /dev/null
+++ b/server/views/firewall_rules/index.html.haml
@@ -0,0 +1,37 @@
+%h1
+ Firewall Rules
+%h3
+ = link_to("Create new firewall rule", firewall_rules_url() +
"/new")
+%table.display
+ %thead
+ %tr
+ %th
+ ID
+ %th
+ Public Address
+ %th
+ Public Port
+ %th
+ Private Address
+ %th
+ Private Port
+ %th
+ Protocol
+ %tbody
+ - if @firewall_rules
+ - for rule in @firewall_rules
+ %tr
+ %td
+ = link_to rule.id, firewall_rules_url()+"/#{rule.id}"
+ %td
+ = rule.public_address
+ %td
+ = rule.public_port
+ %td
+ = rule.private_address
+ %td
+ = rule.private_port
+ %td
+ = rule.protocol
+ %td
+ = link_to("destroy",
firewall_rules_url()+"/#{rule.id}/destroy", {:method => :post})
\ No newline at end of file
diff --git a/server/views/firewall_rules/new.html.haml
b/server/views/firewall_rules/new.html.haml
new file mode 100644
index 0000000..9c6f0a0
--- /dev/null
+++ b/server/views/firewall_rules/new.html.haml
@@ -0,0 +1,22 @@
+%h1 New Firewall Rule
+
+%form{ :action => firewall_rules_url, :method => :post }
+ %p
+ %label
+ Public Address:
+ %input{ :name => 'public_address', :size => 16 }
+ %label
+ Public Port:
+ %input{ :name => 'public_port', :size => 6}
+ %label
+ Protocol:
+ %input{ :name => 'service_protocol', :size => 5}
+ %p
+ %label
+ Private Address:
+ %input{ :name => 'private_address', :size => 16 }
+ %label
+ Private Port:
+ %input{ :name => 'private_port', :size => 6}
+ %p
+ %input{ :type => :submit, :name => 'commit', :value =>
"create" }
\ No newline at end of file
diff --git a/server/views/firewall_rules/show.html.haml
b/server/views/firewall_rules/show.html.haml
new file mode 100644
index 0000000..8ec81c2
--- /dev/null
+++ b/server/views/firewall_rules/show.html.haml
@@ -0,0 +1,21 @@
+%h1 Firewall Rule
+%h2
+ = @firewall_rule.id
+
+%dl
+ %di
+ %dt Public IP
+ %dd
+ = @firewall_rule.public_address
+ %dt Public Port
+ %dd
+ = @firewall_rule.public_port
+ %dt Private IP
+ %dd
+ = @firewall_rule.private_address
+ %dt Private Port
+ %dd
+ = @firewall_rule.private_port
+ %dt Protocol
+ %dd
+ = @firewall_rule.protocol
\ No newline at end of file
--
1.6.6.1
7:30 a.m.
New subject: ['PATCH core'] Firewalling - v2
On 02/06/10 19:55 +0100, mandreou(a)redhat.com wrote:
Some comments inline:
+get '/api/firewall_rules/new' do
+ respond_to do |format|
+ format.html { haml :"firewall_rules/new" }
+ end
+end
+
+
+def delete_firewall_rule(service_id)
+ driver.send(delete_firewall_rule, credentials, {:id => params[:id]})
+end
+
# Rabbit DSL
+collection :firewall_rules do
+
+ description "Allow user to expose a public IP address/port and map these onto an
internal IP address/port. eg expose ssh access [port 22, tcp]."
Please use:
description <<END
Allow user to expose a public IP address/port and map these onto an
internal IP address/port. eg expose ssh access [port 22, tcp]
END
here to keep code 'clean' ;-) I recently updated all description here to
use this syntax.
+ operation :index do
+ description 'Show all available network services'
+ control { filter_all(:firewall_rules) }
+ end
+
+ operation :show do
+ description 'Show a firewall rule identified by its id'
+ param :id, :string, :required
+ control { show(:firewall_rule) }
+ end
+
+ operation :create do
+ description 'Create a new firewall rule'
+ param :public_address, :string, :required
+ param :public_port, :string, :required
+ param :private_address, :string, :required
+ param :private_port, :string, :required
+ param :service_protocol, :string, :required
+ control do
+ driver.create_firewall_rule(credentials, params )
+ filter_all(:firewall_rules)
+ end
+ end
+
+ operation :destroy, :method => :post do
Actually, there is no need to specify a 'method'. Method for ':destroy'
action is already defined in rabbit.rb (DELETE).
+ description 'destroy given firewall rule'
+ param :id, :string, :required
+ control { delete_firewall_rule(:id) }
+ end
+end
collection :realms do
description "Within a cloud provider a realm represents a boundary containing
resources. The exact definition of a realm is left to the cloud provider. In some cases, a
realm may represent different datacenters, different continents, or different pools of
resources within a single datacenter. A cloud provider may insist that resources must all
exist within a single realm in order to cooperate. For instance, storage volumes may only
be allowed to be mounted to instances within the same realm."
@@ -186,6 +241,22 @@ collection :instance_states do
end
end
+# Special instance get operations that we only allow for HTML
+get "/api/instances/:id/:action" do
+ meth = :"#{params[:action]}_instance"
+ not_found unless driver.respond_to?(meth)
+ respond_to do |format|
+ format.html do
+ driver.send(meth, credentials, params[:id])
+ if ( (params[:action] == 'destroy') or (params[:action] == 'stop') )
+ redirect instances_url
+ else
+ redirect instance_url(params[:id])
+ end
+ end
+ end
+end
+
Also this method is no longer needed. Please pull/rebase your patch.
Actions which require POST/DELETE HTTP methods are now called using
Javascript from HTML UI.
get "/api/instances/new" do
@instance = Instance.new( { :id=>params[:id], :image_id=>params[:image_id] } )
@image = driver.image( credentials, :id => params[:image_id] )
@@ -197,14 +268,15 @@ get "/api/instances/new" do
end
def instance_action(name)
- @instance = driver.send(:"#{name}_instance", credentials,
params["id"])
-
- return redirect(instances_url) if name.eql?(:destroy) or @instance.class!=Instance
-
- respond_to do |format|
- format.html { haml :"instances/show" }
- format.xml { haml :"instances/show" }
- format.json {convert_to_json(:instance, @instance) }
+ @instance = driver.send(:"#{name}_instance", credentials, params[:id])
+ if name==:destroy
+ redirect instances_url
+ else
+ respond_to do |format|
+ format.html { haml :"instances/show" }
+ format.xml { haml :"instances/show" }
+ format.json {convert_to_json(:instance, @instance) }
+ end
end
end
diff --git a/server/views/firewall_rules/index.html.haml
b/server/views/firewall_rules/index.html.haml
new file mode 100644
index 0000000..47990b0
--- /dev/null
+++ b/server/views/firewall_rules/index.html.haml
@@ -0,0 +1,37 @@
+%h1
+ Firewall Rules
+%h3
+ = link_to("Create new firewall rule", firewall_rules_url() +
"/new")
+%table.display
+ %thead
+ %tr
+ %th
+ ID
+ %th
+ Public Address
+ %th
+ Public Port
+ %th
+ Private Address
+ %th
+ Private Port
+ %th
+ Protocol
+ %tbody
+ - if @firewall_rules
+ - for rule in @firewall_rules
+ %tr
+ %td
+ = link_to rule.id, firewall_rules_url()+"/#{rule.id}"
+ %td
+ = rule.public_address
+ %td
+ = rule.public_port
+ %td
+ = rule.private_address
+ %td
+ = rule.private_port
+ %td
+ = rule.protocol
+ %td
+ = link_to("destroy",
firewall_rules_url()+"/#{rule.id}/destroy", {:method => :post})
There should be a 'destroy_firewall_rule(rule.id)' helper (once you declare
operation in firewall_rules collection, you will get helper for free ;-))
\ No newline at end of file
diff --git a/server/views/firewall_rules/new.html.haml
b/server/views/firewall_rules/new.html.haml
new file mode 100644
index 0000000..9c6f0a0
--- /dev/null
+++ b/server/views/firewall_rules/new.html.haml
@@ -0,0 +1,22 @@
+%h1 New Firewall Rule
+
+%form{ :action => firewall_rules_url, :method => :post }
+ %p
+ %label
+ Public Address:
+ %input{ :name => 'public_address', :size => 16 }
Hmm I spot :size here and it will be a good idea to move size validation to
Rabbit. Right now we have just 'type' and 'required/optional' validation.
/me taking a note ;-)
+ %label
+ Public Port:
+ %input{ :name => 'public_port', :size => 6}
+ %label
+ Protocol:
+ %input{ :name => 'service_protocol', :size => 5}
+ %p
+ %label
+ Private Address:
+ %input{ :name => 'private_address', :size => 16 }
+ %label
+ Private Port:
+ %input{ :name => 'private_port', :size => 6}
+ %p
+ %input{ :type => :submit, :name => 'commit', :value =>
"create" }
\ No newline at end of file
diff --git a/server/views/firewall_rules/show.html.haml
b/server/views/firewall_rules/show.html.haml
new file mode 100644
index 0000000..8ec81c2
--- /dev/null
+++ b/server/views/firewall_rules/show.html.haml
@@ -0,0 +1,21 @@
+%h1 Firewall Rule
+%h2
+ = @firewall_rule.id
+
+%dl
+ %di
+ %dt Public IP
+ %dd
+ = @firewall_rule.public_address
+ %dt Public Port
+ %dd
+ = @firewall_rule.public_port
+ %dt Private IP
+ %dd
+ = @firewall_rule.private_address
+ %dt Private Port
+ %dd
+ = @firewall_rule.private_port
+ %dt Protocol
+ %dd
+ = @firewall_rule.protocol
\ No newline at end of file
Actually this patch looks great and I looking forward for EC2 version.
Good job!
-- Michal
--
--------------------------------------------------------
Michal Fojtik, mfojtik(a)redhat.com, +420 532 294 4307
Ruby / Ruby On Rails Developer
Deltacloud API: http://deltacloud.org
--------------------------------------------------------
5111
days inactive
5113
days old
deltacloud-devel@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
marios@redhat.com -
Michal Fojtik