
Commit 951cba9

committed
Merge branch 'sg-in-advanced-zone'
Conflicts: server/src/com/cloud/network/NetworkManagerImpl.java server/src/com/cloud/vm/UserVmManagerImpl.java
2 parents 3dea9a7 + 8a86d08 commit 951cba9

7 files changed

Lines changed: 81 additions & 106 deletions


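--- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -1523,13 +1523,11 @@ public DataCenter editZone(UpdateZoneCmd cmd) {
 // check if zone has necessary trafficTypes before enabling
 try {
 PhysicalNetwork mgmtPhyNetwork;
-if (NetworkType.Advanced == zone.getNetworkType()) {
-// zone should have a physical network with public and management traffiType
+// zone should have a physical network with management traffiType
+mgmtPhyNetwork = _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Management);
+if (NetworkType.Advanced == zone.getNetworkType() && ! zone.isSecurityGroupEnabled() ) {
+// advanced zone without SG should have a physical network with public Thpe
 _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Public);
-mgmtPhyNetwork = _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Management);
-} else {
-// zone should have a physical network with management traffiType
-mgmtPhyNetwork = _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Management);
 }
 
 try {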
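Review bot: The new comment on the Public-traffic check (new line 1529) reads `// advanced zone without SG should have a physical network with public Thpe`, and the management-network comment on new line 1526 carries `traffiType`; since this block documents which physical networks a zone must have before it can be enabled, the wording should be exact, e.g. `// an advanced zone without security groups must also have a physical network carrying Public traffic`. The Public lookup on line 1530 discards its return value, so the check presumably relies on getDefaultPhysicalNetworkByZoneAndTrafficType throwing when no such network exists; if that is the contract it is worth saying so in the comment, otherwise the lookup is a no-op. editZone continues outside the hunk.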

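--- a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
+++ b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
@@ -756,19 +756,28 @@ protected Map<String, Object> createProxyInstance(long dataCenterId, HypervisorT
 
 DataCenterDeployment plan = new DataCenterDeployment(dataCenterId);
 
-TrafficType defaultTrafficType = TrafficType.Public;
-if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) {
-defaultTrafficType = TrafficType.Guest;
-}
-
-List<NetworkVO> defaultNetworks = _networkDao.listByZoneAndTrafficType(dataCenterId, defaultTrafficType);
+NetworkVO defaultNetwork = null;
+if (dc.getNetworkType() == NetworkType.Advanced && dc.isSecurityGroupEnabled()) {
+List<NetworkVO> networks = _networkDao.listByZoneSecurityGroup(dataCenterId);
+if (networks == null || networks.size() == 0) {
+throw new CloudRuntimeException("Can not found security enabled network in SG Zone " + dc);
+}
+defaultNetwork = networks.get(0);
+} else {
+TrafficType defaultTrafficType = TrafficType.Public;
+if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) {
+defaultTrafficType = TrafficType.Guest;
+}
+List<NetworkVO> defaultNetworks = _networkDao.listByZoneAndTrafficType(dataCenterId, defaultTrafficType);
 
-if (defaultNetworks.size() != 1) {
-throw new CloudRuntimeException("Found " + defaultNetworks.size() + " networks of type " + defaultTrafficType + " when expect to find 1");
+// api should never allow this situation to happen
+if (defaultNetworks.size() != 1) {
+throw new CloudRuntimeException("Found " + defaultNetworks.size() + " networks of type "
++ defaultTrafficType + " when expect to find 1");
+}
+defaultNetwork = defaultNetworks.get(0);
 }
 
-NetworkVO defaultNetwork = defaultNetworks.get(0);
-
 List<? extends NetworkOffering> offerings = _networkModel.getSystemAccountNetworkOfferings(NetworkOffering.SystemControlNetwork, NetworkOffering.SystemManagementNetwork);
 List<Pair<NetworkVO, NicProfile>> networks = new ArrayList<Pair<NetworkVO, NicProfile>>(offerings.size() + 1);
 NicProfile defaultNic = new NicProfile();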
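Review bot: In the new Advanced+SG branch (new lines 761-765) `defaultNetwork = networks.get(0)` takes the first security-group-enabled network without checking how many came back, whereas the else branch still insists on exactly one; if listByZoneSecurityGroup can return several networks, the proxy's default NIC lands on whichever the DAO happens to list first, which is non-deterministic and hard to audit. If exactly one is the invariant, mirror the other branch with `if (networks == null || networks.size() != 1)` and an error that reports the count; if several are legitimate, state the selection rule in a comment. The same block, with the same `networks.get(0)`, is duplicated in SecondaryStorageManagerImpl.createSecStorageVmInstance in this commit; a shared helper on the network model would keep the two system-VM paths from drifting. The message `"Can not found security enabled network in SG Zone "` should read `"Cannot find a security group enabled network in zone "`. createProxyInstance continues outside the hunk.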

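--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -1859,11 +1859,14 @@ public Network createGuestNetwork(long networkOfferingId, String name, String di
 }
 // Only Account specific Isolated network with sourceNat service disabled are allowed in security group
 // enabled zone
-boolean allowCreation = (ntwkOff.getGuestType() == GuestType.Isolated
-&& !_networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat));
-if (!allowCreation) {
-throw new InvalidParameterValueException("Only Account specific Isolated network with sourceNat " +
-"service disabled are allowed in security group enabled zone");
+if ( ntwkOff.getGuestType() != GuestType.Shared ){
+throw new InvalidParameterValueException("Only shared guest network can be created in security group enabled zone");
+}
+if ( _networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat)) {
+throw new InvalidParameterValueException("Service SourceNat is not allowed in security group enabled zone");
+}
+if ( ! _networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SecurityGroup)) {
+throw new InvalidParameterValueException("network must have SecurityGroup provider in security group enabled zone");
 }
 }
 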
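Review bot: The context comment on lines 1860-1861, `// Only Account specific Isolated network with sourceNat service disabled are allowed in security group enabled zone`, now states the opposite of what the new checks enforce (new lines 1862-1869 reject anything but GuestType.Shared and additionally require the SecurityGroup service); it should be rewritten to `// Only Shared guest networks without SourceNat and backed by a SecurityGroup provider are allowed in a security group enabled zone`. Leaving the old sentence in place invites someone to "fix" the code back towards Isolated. The condition that gates this whole block starts before the hunk, and createGuestNetwork continues after it.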

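--- a/server/src/com/cloud/resource/ResourceManagerImpl.java
+++ b/server/src/com/cloud/resource/ResourceManagerImpl.java
@@ -427,6 +427,12 @@ public List<? extends Cluster> discoverCluster(AddClusterCmd cmd)
 + cmd.getHypervisor() + " to a supported ");
 }
 
+if (zone.isSecurityGroupEnabled()) {
+if( hypervisorType != HypervisorType.KVM && hypervisorType != HypervisorType.XenServer ) {
+throw new InvalidParameterValueException("Don't support hypervisor type " + hypervisorType + " in advanced security enabled zone");
+}
+}
+
 Cluster.ClusterType clusterType = null;
 if (cmd.getClusterType() != null && !cmd.getClusterType().isEmpty()) {
 clusterType = Cluster.ClusterType.valueOf(cmd.getClusterType());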
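Review bot: The new guard at lines 430-434 keys only on `zone.isSecurityGroupEnabled()` while its message says "advanced security enabled zone", and the sibling changes in this commit (ConsoleProxyManagerImpl, SecondaryStorageManagerImpl) spell the SG-advanced case as `NetworkType.Advanced && isSecurityGroupEnabled()`; if a Basic zone can also report security groups enabled, which this hunk does not show, adding a cluster of any hypervisor other than KVM or XenServer to such a zone would now be refused. Suggest `if (zone.getNetworkType() == NetworkType.Advanced && zone.isSecurityGroupEnabled()) {` so the check matches both its message and the other call sites, plus a one-line comment stating why only KVM and XenServer are accepted. hypervisorType and zone are assigned before the hunk, and discoverCluster continues after it.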

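--- a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
+++ b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
@@ -540,19 +540,27 @@ protected Map<String, Object> createSecStorageVmInstance(long dataCenterId, Seco
 DataCenterDeployment plan = new DataCenterDeployment(dataCenterId);
 DataCenter dc = _dcDao.findById(plan.getDataCenterId());
 
-TrafficType defaultTrafficType = TrafficType.Public;
-if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) {
-defaultTrafficType = TrafficType.Guest;
-}
-
-List<NetworkVO> defaultNetworks = _networkDao.listByZoneAndTrafficType(dataCenterId, defaultTrafficType);
-
-//api should never allow this situation to happen
-if (defaultNetworks.size() != 1) {
-throw new CloudRuntimeException("Found " + defaultNetworks.size() + " networks of type " + defaultTrafficType + " when expect to find 1");
+NetworkVO defaultNetwork = null;
+if (dc.getNetworkType() == NetworkType.Advanced && dc.isSecurityGroupEnabled()) {
+List<NetworkVO> networks = _networkDao.listByZoneSecurityGroup(dataCenterId);
+if (networks == null || networks.size() == 0) {
+throw new CloudRuntimeException("Can not found security enabled network in SG Zone " + dc);
+}
+defaultNetwork = networks.get(0);
+} else {
+TrafficType defaultTrafficType = TrafficType.Public;
+
+if (dc.getNetworkType() == NetworkType.Basic || dc.isSecurityGroupEnabled()) {
+defaultTrafficType = TrafficType.Guest;
+}
+List<NetworkVO> defaultNetworks = _networkDao.listByZoneAndTrafficType(dataCenterId, defaultTrafficType);
+// api should never allow this situation to happen
+if (defaultNetworks.size() != 1) {
+throw new CloudRuntimeException("Found " + defaultNetworks.size() + " networks of type "
++ defaultTrafficType + " when expect to find 1");
+}
+defaultNetwork = defaultNetworks.get(0);
 }
-
-NetworkVO defaultNetwork = defaultNetworks.get(0);
 
 List<? extends NetworkOffering> offerings = _networkModel.getSystemAccountNetworkOfferings(NetworkOfferingVO.SystemControlNetwork, NetworkOfferingVO.SystemManagementNetwork, NetworkOfferingVO.SystemStorageNetwork);
 List<Pair<NetworkVO, NicProfile>> networks = new ArrayList<Pair<NetworkVO, NicProfile>>(offerings.size() + 1);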

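--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -2867,94 +2867,47 @@ public UserVm createAdvancedSecurityGroupVirtualMachine(DataCenter zone, Service
 
 Account caller = UserContext.current().getCaller();
 List<NetworkVO> networkList = new ArrayList<NetworkVO>();
-boolean isSecurityGroupEnabledNetworkUsed = false;
 boolean isVmWare = (template.getHypervisorType() == HypervisorType.VMware || (hypervisor != null && hypervisor == HypervisorType.VMware));
+if (isVmWare) {
+throw new InvalidParameterValueException("Security group feature is not supported for vmWare hypervisor");
+}
 
 // Verify that caller can perform actions in behalf of vm owner
 _accountMgr.checkAccess(caller, null, true, owner);
-
-// If no network is specified, find system security group enabled
-// network
 if (networkIdList == null || networkIdList.isEmpty()) {
-Network networkWithSecurityGroup = _networkModel.getNetworkWithSecurityGroupEnabled(zone.getId());
-if (networkWithSecurityGroup == null) {
-throw new InvalidParameterValueException(
-"No network with security enabled is found in zone id="
-+ zone.getId());
-}
-
-networkList.add(_networkDao.findById(networkWithSecurityGroup.getId()));
-isSecurityGroupEnabledNetworkUsed = true;
-
-} else if (securityGroupIdList != null
-&& !securityGroupIdList.isEmpty()) {
-if (isVmWare) {
-throw new InvalidParameterValueException(
-"Security group feature is not supported for vmWare hypervisor");
-}
-// Only one network can be specified, and it should be security
-// group enabled
-if (networkIdList.size() > 1) {
-throw new InvalidParameterValueException(
-"Only support one network per VM if security group enabled");
-}
-
-NetworkVO network = _networkDao.findById(networkIdList.get(0)
-.longValue());
-
+throw new InvalidParameterValueException("need to specify networkIDs");
+}
+if (networkIdList.size() > 1 ) {
+throw new InvalidParameterValueException("VM can only be on one network in Zone with Security group enabled zone");
+}
+// Verify that all the networks are Shared/Guest; can't create combination of SG enabled and disabled networks
+for (Long networkId : networkIdList) {
+NetworkVO network = _networkDao.findById(networkId);
 if (network == null) {
 throw new InvalidParameterValueException(
 "Unable to find network by id "
 + networkIdList.get(0).longValue());
 }
 
-if (!_networkModel.isSecurityGroupSupportedInNetwork(network)) {
-throw new InvalidParameterValueException("Network is not security group enabled: " + network.getId());
-}
-
-networkList.add(network);
-isSecurityGroupEnabledNetworkUsed = true;
-
-} else {
-// Verify that all the networks are Shared/Guest; can't create combination of SG enabled and disabled networks
-for (Long networkId : networkIdList) {
-NetworkVO network = _networkDao.findById(networkId);
-
-if (network == null) {
-throw new InvalidParameterValueException(
-"Unable to find network by id "
-+ networkIdList.get(0).longValue());
-}
-
-boolean isSecurityGroupEnabled = _networkModel.isSecurityGroupSupportedInNetwork(network);
-if (isSecurityGroupEnabled) {
-if (networkIdList.size() > 1) {
-throw new InvalidParameterValueException("Can't create a vm with multiple networks one of" +
-" which is Security Group enabled");
-}
-
-isSecurityGroupEnabledNetworkUsed = true;
-}
+boolean isSecurityGroupEnabled = _networkModel.isSecurityGroupSupportedInNetwork(network);
+if ( ! isSecurityGroupEnabled) {
+throw new InvalidParameterValueException("Only support Security Group enabled networks in Security enabled zone, network " + network.getUuid() + " doesn't support security group ");
+}
 
-if (!(network.getTrafficType() == TrafficType.Guest && network.getGuestType() == Network.GuestType.Shared)) {
-throw new InvalidParameterValueException("Can specify only Shared Guest networks when" +
+if (!(network.getTrafficType() == TrafficType.Guest && network.getGuestType() == Network.GuestType.Shared)) {
+throw new InvalidParameterValueException("Can specify only Shared Guest networks when" +
 " deploy vm in Advance Security Group enabled zone");
-}
+}
 
-// Perform account permission check
-if (network.getAclType() == ACLType.Account) {
-_accountMgr.checkAccess(caller, AccessType.UseNetwork, false, network);
-}
-networkList.add(network);
+// Perform account permission check
+if (network.getAclType() == ACLType.Account) {
+_accountMgr.checkAccess(caller, AccessType.UseNetwork, false, network);
 }
+networkList.add(network);
 }
-
 // if network is security group enabled, and no security group is specified, then add the default security group automatically
-if (isSecurityGroupEnabledNetworkUsed && !isVmWare && _networkModel.canAddDefaultSecurityGroup()) {
-
-// add the default securityGroup only if no security group is
-// specified
-if (securityGroupIdList == null || securityGroupIdList.isEmpty()) {
+if ( _networkModel.canAddDefaultSecurityGroup()) {
+if(securityGroupIdList == null || securityGroupIdList.isEmpty()){
 if (securityGroupIdList == null) {
 securityGroupIdList = new ArrayList<Long>();
 }
@@ -2978,7 +2931,6 @@ public UserVm createAdvancedSecurityGroupVirtualMachine(DataCenter zone, Service
 }
 }
 }
-
 return createVirtualMachine(zone, serviceOffering, template, hostName, displayName, owner, diskOfferingId,
 diskSize, networkList, securityGroupIdList, group, userData, sshKeyPair, hypervisor, caller, requestedIps, defaultIps, keyboard);
 }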
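Review bot: The rewritten validation (new lines 2878-2907) rejects more than one network at line 2880 and then iterates `for (Long networkId : networkIdList)`, but the not-found message kept on context line 2889 still reports `networkIdList.get(0).longValue()` rather than the loop variable, and the comment on new line 2883 still speaks of a "combination of SG enabled and disabled networks" that can no longer occur; `+ networkId` and `// The single network must be a Shared guest network with security groups enabled` would match what the code now does. The message on new line 2881, `"VM can only be on one network in Zone with Security group enabled zone"`, should read `"VM can only be on one network in a security group enabled zone"`. The account permission check at new lines 2902-2904 runs only for ACLType.Account networks; that is carried over from the old else branch, but now that every SG-zone deployment goes through this loop it deserves a comment saying that Domain-ACL shared networks are deliberately not access-checked here, or a confirmation that this is intended. createAdvancedSecurityGroupVirtualMachine's body spans both hunks and the portion between them is not shown.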

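--- a/ui/scripts/zoneWizard.js
+++ b/ui/scripts/zoneWizard.js
@@ -373,7 +373,6 @@
 var nonSupportedHypervisors = {};
 if(args.context.zones[0]['network-model'] == "Advanced" && args.context.zones[0]['zone-advanced-sg-enabled'] == "on") {
 firstOption = "KVM";
-nonSupportedHypervisors["XenServer"] = 1; //to developers: comment this line if you need to test Advanced SG-enabled zone with XenServer hypervisor
 nonSupportedHypervisors["VMware"] = 1;
 nonSupportedHypervisors["BareMetal"] = 1;
 nonSupportedHypervisors["Ovm"] = 1;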
