Moti Asayag has uploaded a new change for review. Change subject: BZ#811807 Define network filter on libvirt ......................................................................
BZ#811807 Define network filter on libvirt The patch defines custom network filter on libvirt in order to control the VM traffic. The custom filter is being set when VDSM service is being started. Change-Id: I9f1708385dec6a87bc404e4ab25c4da8ab8a8acc Signed-off-by: Moti Asayag <[email protected]> --- M vdsm.spec.in M vdsm/Makefile.am A vdsm/nwfilter.py M vdsm/vdsmd.init.in 4 files changed, 120 insertions(+), 1 deletion(-) git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/54/7354/1 diff --git a/vdsm.spec.in b/vdsm.spec.in index 892eee3..6af8a14 100644 --- a/vdsm.spec.in +++ b/vdsm.spec.in @@ -577,6 +577,7 @@ %{_datadir}/%{vdsm_name}/vdsm-store-net-config %{_datadir}/%{vdsm_name}/vm.py* %{_datadir}/%{vdsm_name}/write-net-config +%attr (755,vdsm,kvm) %{_datadir}/%{vdsm_name}/nwfilter.py* %config(noreplace) %{_sysconfdir}/%{vdsm_name}/logger.conf %config(noreplace) %{_sysconfdir}/%{vdsm_name}/mom.conf %config(noreplace) %{_sysconfdir}/%{vdsm_name}/mom.policy diff --git a/vdsm/Makefile.am b/vdsm/Makefile.am index 5992cfa..1a6d446 100644 --- a/vdsm/Makefile.am +++ b/vdsm/Makefile.am @@ -52,7 +52,8 @@ tc.py \ vdsmDebugPlugin.py \ vmChannels.py \ - vm.py + vm.py \ + nwfilter.py dist_vdsmpylib_PYTHON = \ __init__.py \ diff --git a/vdsm/nwfilter.py b/vdsm/nwfilter.py new file mode 100755 index 0000000..0be7568 --- /dev/null +++ b/vdsm/nwfilter.py 
@@ -0,0 +1,101 @@ +#! /usr/bin/python +# Copyright 2012 IBM, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# +# Refer to the README and COPYING files for full details of the license +# + +import libvirt +import logging +from vdsm import libvirtconnection + + +def main(): + """ + Defines network filters on libvirt + """ + conn = libvirtconnection.get() + defineNwFilter(conn, NoMacSpoofingFilter()) + try: + conn.close() + except: + pass + +def defineNwFilter(conn, nwFilter): + """ + define vdsm network filter on libvirt to control VM traffic + """ + + filter = None + filterName = nwFilter.filterName + filterXml = nwFilter.buildFilterXml() + + try: + filter = conn.nwfilterLookupByName(filterName) + except libvirt.libvirtError: + logging.debug("No such filter: %s" % (filterName)) + + if filter: + logging.debug("Undefine filter %s" % (filter.name())) + try: + filter.undefine() + except libvirt.libvirtError: + # Ignore failure if filter already exists. 
Failure might occur when + # attempting to remove a filter which is being used by running VMs + pass + try: + nwFilter = conn.nwfilterDefineXML(filterXml) + except libvirt.libvirtError: + logging.error("Failed to define filter %s" % (filterName)) + raise + else: + logging.debug("Filter %s was defined" % (nwFilter.name())) + + +class VdsmNwFilter(object): + """ + Base class for custom network filters + """ + + def __init__(self, name): + self.filterName = name + + def getFilterXml(self): + raise NotImplementedError("Should have implemented this") + + def buildFilterXml(self): + return self.getFilterXml() % self.filterName + + +class NoMacSpoofingFilter(VdsmNwFilter): + """ + Class defines the vdsm-no-mac-spoofing filter which is comprised of + two libvirt OOB filters: no-mac-spoofing and no-arp-mac-spoofing + """ + + def __init__(self): + VdsmNwFilter.__init__(self, 'vdsm-no-mac-spoofing') + + def getFilterXml(self): + return '''<filter name='%s' chain='root'> + <!-- preventing MAC spoofing --> + <filterref filter='no-mac-spoofing'/> + <!-- preventing ARP MAC spoofing --> + <filterref filter='no-arp-mac-spoofing'/> + </filter> ''' + +if __name__ == '__main__': + main() diff --git a/vdsm/vdsmd.init.in b/vdsm/vdsmd.init.in index d34b48d..70d4cd9 100755 --- a/vdsm/vdsmd.init.in +++ b/vdsm/vdsmd.init.in @@ -440,6 +440,20 @@ startout=`/sbin/initctl start libvirtd 2>&1` if [[ "$?" -eq 0 || "$startout" =~ .*already\ running.* ]]; then + + # Begin workaround + # Libvirt reports its service status as responsive despite its socket + # is not yet ready. Once issue fixed on libvirt, this WA shouls be removed. + for i in {1..20} + do + if pgrep libvirtd > /dev/null 2>&1; + then + return 0 + fi + sleep 1 + done + # End workaround + return 0 else echo "$startout" >&2 
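Review bot: The bare `except: pass` around `conn.close()` in main() swallows every exception, including KeyboardInterrupt and SystemExit, and hides any libvirt close error from the log; narrow it to `except libvirt.libvirtError: logging.debug("Failed to close libvirt connection")`. In defineNwFilter the sequence undefine-then-define leaves the host with no vdsm-no-mac-spoofing filter at all if `nwfilterDefineXML` raises after a successful `undefine`, which is a worse state than leaving the old definition in place; if libvirt accepts redefining an existing filter by name (worth confirming), the undefine step and its swallowed failure can be dropped, otherwise keep the old filter object until the new define succeeds. The local `filter` shadows the builtin; `existing` reads better. Prefer the lazy-argument form for the log calls, e.g. `logging.debug("No such filter: %s", filterName)`, so formatting only happens when the level is enabled.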
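Review bot: The workaround loop does not test what its comment says it waits for: `pgrep libvirtd` only proves the daemon process exists, which is already the case once initctl reported it started, so the loop returns on its first iteration and the socket-not-ready race the comment describes is left open. A readiness probe has to touch the libvirt socket (or make a trivial libvirt connection) rather than check the process table. Both exit paths `return 0`, so a timeout is indistinguishable from success; at minimum log it, e.g. `echo "libvirtd did not become ready" >&2` before the final return. The comment typo on the new line should read `this WA should be removed`. The enclosing function starts and ends outside the hunk.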
@@ -469,6 +483,8 @@ return $ret_val fi + @VDSMDIR@/nwfilter.py + @VDSMDIR@/vdsm-restore-net-config load_needed_modules mk_data_center -- To view, visit http://gerrit.ovirt.org/7354 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I9f1708385dec6a87bc404e4ab25c4da8ab8a8acc Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Moti Asayag <[email protected]> _______________________________________________ vdsm-patches mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches
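Review bot: The exit status of `@VDSMDIR@/nwfilter.py` is ignored, so when defining the filter fails (nwfilter.py re-raises libvirtError in that case) vdsmd starts anyway with no vdsm-no-mac-spoofing filter defined and nothing in the service log to show it. At least report it: `@VDSMDIR@/nwfilter.py || echo "Failed to define libvirt network filter" >&2`; whether startup should abort instead depends on whether VMs are expected to reference the filter, which this change does not show. The enclosing function starts outside the hunk.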
