Multiple networks support for vms in advanced zone with security group (and kvm support)

core/src/main/java/com/cloud/agent/api/RebootCommand.java

@@ -19,8 +19,11 @@
 
 package com.cloud.agent.api;
 
+import com.cloud.agent.api.to.VirtualMachineTO;
+
 public class RebootCommand extends Command {
     String vmName;
+    VirtualMachineTO vm;
     protected boolean executeInSequence = false;
 
     protected RebootCommand() {
@@ -35,6 +38,14 @@ public String getVmName() {
         return this.vmName;
     }
 
+    public void setVirtualMachine(VirtualMachineTO vm) {
+        this.vm = vm;
+    }
+
+    public VirtualMachineTO getVirtualMachine() {
+        return vm;
+    }
+
     @Override
     public boolean executeInSequence() {
         return this.executeInSequence;

core/src/main/java/com/cloud/agent/api/SecurityGroupRulesCmd.java

@@ -30,12 +30,13 @@
 import org.apache.log4j.Logger;
 
 import com.cloud.agent.api.LogLevel.Log4jLevel;
+import com.cloud.agent.api.to.VirtualMachineTO;
 import com.cloud.utils.net.NetUtils;
 
 public class SecurityGroupRulesCmd extends Command {
     private static final String CIDR_LENGTH_SEPARATOR = "/";
-    private static final char RULE_TARGET_SEPARATOR = ',';
-    private static final char RULE_COMMAND_SEPARATOR = ';';
+    public static final char RULE_TARGET_SEPARATOR = ',';
+    public static final char RULE_COMMAND_SEPARATOR = ';';
     protected static final String EGRESS_RULE = "E:";
     protected static final String INGRESS_RULE = "I:";
     private static final Logger LOGGER = Logger.getLogger(SecurityGroupRulesCmd.class);
@@ -51,6 +52,7 @@ public class SecurityGroupRulesCmd extends Command {
     private List<IpPortAndProto> ingressRuleSet;
     private List<IpPortAndProto> egressRuleSet;
     private final List<String> secIps;
+    private VirtualMachineTO vmTO;
 
     public static class IpPortAndProto {
         private final String proto;
@@ -252,6 +254,14 @@ public Long getVmId() {
         return vmId;
     }
 
+    public void setVmTO(VirtualMachineTO vmTO) {
+        this.vmTO = vmTO;
+    }
+
+    public VirtualMachineTO getVmTO() {
+        return vmTO;
+    }
+
     /**
      * used for logging
      * @return the number of Cidrs in the in and egress rule sets for this security group rules command.

server/src/main/java/com/cloud/network/security/SecurityGroupManager.java → engine/components-api/src/main/java/com/cloud/network/security/SecurityGroupManager.java

@@ -53,4 +53,6 @@ public interface SecurityGroupManager {
     SecurityGroup getSecurityGroup(String name, long accountId);
 
     boolean isVmMappedToDefaultSecurityGroup(long vmId);
+
+    void scheduleRulesetUpdateToHosts(List<Long> affectedVms, boolean updateSeqno, Long delayMs);
 }

engine/orchestration/src/main/java/com/cloud/vm/VirtualMachineManagerImpl.java

@@ -24,6 +24,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.Comparator;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
@@ -166,6 +167,7 @@
 import com.cloud.network.dao.NetworkDao;
 import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.router.VirtualRouter;
+import com.cloud.network.security.SecurityGroupManager;
 import com.cloud.offering.DiskOffering;
 import com.cloud.offering.DiskOfferingInfo;
 import com.cloud.offering.NetworkOffering;
@@ -333,6 +335,8 @@ public class VirtualMachineManagerImpl extends ManagerBase implements VirtualMac
     private NetworkOfferingDetailsDao networkOfferingDetailsDao;
     @Inject
     private NetworkDetailsDao networkDetailsDao;
+    @Inject
+    private SecurityGroupManager _securityGroupManager;
 
     VmWorkJobHandlerProxy _jobHandlerProxy = new VmWorkJobHandlerProxy(this);
 
@@ -3140,11 +3144,18 @@ private void orchestrateReboot(final String vmUuid, final Map<VirtualMachineProf
         try {
 
             final Commands cmds = new Commands(Command.OnError.Stop);
-            cmds.addCommand(new RebootCommand(vm.getInstanceName(), getExecuteInSequence(vm.getHypervisorType())));
+            RebootCommand rebootCmd = new RebootCommand(vm.getInstanceName(), getExecuteInSequence(vm.getHypervisorType()));
+            rebootCmd.setVirtualMachine(getVmTO(vm.getId()));
+            cmds.addCommand(rebootCmd);
             _agentMgr.send(host.getId(), cmds);
 
             final Answer rebootAnswer = cmds.getAnswer(RebootAnswer.class);
             if (rebootAnswer != null && rebootAnswer.getResult()) {
+                if (dc.isSecurityGroupEnabled() && vm.getType() == VirtualMachine.Type.User) {
+                    List<Long> affectedVms = new ArrayList<Long>();
+                    affectedVms.add(vm.getId());
+                    _securityGroupManager.scheduleRulesetUpdateToHosts(affectedVms, true, null);
+                }
                 return;
             }
             s_logger.info("Unable to reboot VM " + vm + " on " + dest.getHost() + " due to " + (rebootAnswer == null ? " no reboot answer" : rebootAnswer.getDetails()));
@@ -3154,6 +3165,29 @@ private void orchestrateReboot(final String vmUuid, final Map<VirtualMachineProf
         }
     }
 
+    protected VirtualMachineTO getVmTO(Long vmId) {
+        final VMInstanceVO vm = _vmDao.findById(vmId);
+        final VirtualMachineProfile profile = new VirtualMachineProfileImpl(vm);
+        final List<NicVO> nics = _nicsDao.listByVmId(profile.getId());
+        Collections.sort(nics, new Comparator<NicVO>() {
+            @Override
+            public int compare(NicVO nic1, NicVO nic2) {
+                Long nicId1 = Long.valueOf(nic1.getDeviceId());
+                Long nicId2 = Long.valueOf(nic2.getDeviceId());
+                return nicId1.compareTo(nicId2);
+            }
+        });
+        for (final NicVO nic : nics) {
+            final Network network = _networkModel.getNetwork(nic.getNetworkId());
+            final NicProfile nicProfile =
+                    new NicProfile(nic, network, nic.getBroadcastUri(), nic.getIsolationUri(), null, _networkModel.isSecurityGroupSupportedInNetwork(network),
+                            _networkModel.getNetworkTag(profile.getHypervisorType(), network));
+            profile.addNic(nicProfile);
+        }
+        final VirtualMachineTO to = toVmTO(profile);
+        return to;
+    }
+
     public Command cleanup(final VirtualMachine vm, Map<String, DpdkTO> dpdkInterfaceMapping) {
         StopCommand cmd = new StopCommand(vm, getExecuteInSequence(vm.getHypervisorType()), false);
         cmd.setControlIp(getControlNicIpForVM(vm));
@@ -3670,7 +3704,7 @@ private boolean orchestrateRemoveNicFromVm(final VirtualMachine vm, final Nic ni
 
         //3) Remove the nic
         _networkMgr.removeNic(vmProfile, nic);
-        _nicsDao.expunge(nic.getId());
+        _nicsDao.remove(nic.getId());
         return true;
     }
 

engine/schema/src/main/java/com/cloud/vm/dao/NicDao.java

@@ -50,6 +50,8 @@ public interface NicDao extends GenericDao<NicVO, Long> {
 
     NicVO findDefaultNicForVM(long instanceId);
 
+    NicVO findFirstNicForVM(long instanceId);
+
     /**
      * @param networkId
      * @param instanceId

engine/schema/src/main/java/com/cloud/vm/dao/NicDaoImpl.java

@@ -69,6 +69,7 @@ protected void init() {
         AllFieldsSearch.and("strategy", AllFieldsSearch.entity().getReservationStrategy(), Op.EQ);
         AllFieldsSearch.and("reserverName",AllFieldsSearch.entity().getReserver(),Op.EQ);
         AllFieldsSearch.and("macAddress", AllFieldsSearch.entity().getMacAddress(), Op.EQ);
+        AllFieldsSearch.and("deviceid", AllFieldsSearch.entity().getDeviceId(), Op.EQ);
         AllFieldsSearch.done();
 
         IpSearch = createSearchBuilder(String.class);
@@ -222,6 +223,14 @@ public NicVO findDefaultNicForVM(long instanceId) {
         return findOneBy(sc);
     }
 
+    @Override
+    public NicVO findFirstNicForVM(long instanceId) {
+        SearchCriteria<NicVO> sc = AllFieldsSearch.create();
+        sc.setParameters("instance", instanceId);
+        sc.setParameters("deviceid", 0);
+        return findOneBy(sc);
+    }
+
     @Override
     public NicVO getControlNicForVM(long vmId){
         SearchCriteria<NicVO> sc = AllFieldsSearch.create();

plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java

@@ -106,6 +106,7 @@
 import com.cloud.agent.resource.virtualnetwork.VRScripts;
 import com.cloud.agent.resource.virtualnetwork.VirtualRouterDeployer;
 import com.cloud.agent.resource.virtualnetwork.VirtualRoutingResource;
+import com.cloud.agent.api.SecurityGroupRulesCmd;
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InternalErrorException;
 import com.cloud.host.Host.Type;
@@ -146,6 +147,7 @@
 import com.cloud.hypervisor.kvm.storage.KVMStoragePoolManager;
 import com.cloud.hypervisor.kvm.storage.KVMStorageProcessor;
 import com.cloud.network.Networks.BroadcastDomainType;
+import com.cloud.network.Networks.IsolationType;
 import com.cloud.network.Networks.RouterPrivateIpStrategy;
 import com.cloud.network.Networks.TrafficType;
 import com.cloud.resource.RequestWrapper;
@@ -3548,7 +3550,117 @@ public boolean destroyNetworkRulesForVM(final Connect conn, final String vmName)
         return true;
     }
 
-    public boolean defaultNetworkRules(final Connect conn, final String vmName, final NicTO nic, final Long vmId, final String secIpStr) {
+    /**
+     * Function to destroy the security group rules applied to the nic's
+     * @param conn
+     * @param vmName
+     * @param nic
+     * @return
+     *      true   : If success
+     *      false  : If failure
+     */
+    public boolean destroyNetworkRulesForNic(final Connect conn, final String vmName, final NicTO nic) {
+        if (!_canBridgeFirewall) {
+            return false;
+        }
+        final List<String> nicSecIps = nic.getNicSecIps();
+        String secIpsStr;
+        final StringBuilder sb = new StringBuilder();
+        if (nicSecIps != null) {
+            for (final String ip : nicSecIps) {
+                sb.append(ip).append(SecurityGroupRulesCmd.RULE_COMMAND_SEPARATOR);
+            }
+            secIpsStr = sb.toString();
+        } else {
+            secIpsStr = "0" + SecurityGroupRulesCmd.RULE_COMMAND_SEPARATOR;
+        }
+        final List<InterfaceDef> intfs = getInterfaces(conn, vmName);
+        if (intfs.size() == 0 || intfs.size() < nic.getDeviceId()) {
+            return false;
+        }
+
+        final InterfaceDef intf = intfs.get(nic.getDeviceId());
+        final String brname = intf.getBrName();
+        final String vif = intf.getDevName();
+
+        final Script cmd = new Script(_securityGroupPath, _timeout, s_logger);
+        cmd.add("destroy_network_rules_for_vm");
+        cmd.add("--vmname", vmName);
+        if (nic.getIp() != null) {
+            cmd.add("--vmip", nic.getIp());
+        }
+        cmd.add("--vmmac", nic.getMac());
+        cmd.add("--vif", vif);
+        cmd.add("--nicsecips", secIpsStr);
+
+        final String result = cmd.execute();
+        if (result != null) {
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * Function to apply default network rules for a VM
+     * @param conn
+     * @param vm
+     * @param checkBeforeApply
+     * @return
+     */
+    public boolean applyDefaultNetworkRules(final Connect conn, final VirtualMachineTO vm, final boolean checkBeforeApply) {
+        NicTO[] nicTOs = new NicTO[] {};
+        if (vm != null && vm.getNics() != null) {
+            s_logger.debug("Checking default network rules for vm " + vm.getName());
+            nicTOs = vm.getNics();
+        }
+        for (NicTO nic : nicTOs) {
+            if (vm.getType() != VirtualMachine.Type.User) {
+                nic.setPxeDisable(true);
+            }
+        }
+        boolean isFirstNic = true;
+        for (final NicTO nic : nicTOs) {
+            if (nic.isSecurityGroupEnabled() || nic.getIsolationUri() != null && nic.getIsolationUri().getScheme().equalsIgnoreCase(IsolationType.Ec2.toString())) {
+                if (vm.getType() != VirtualMachine.Type.User) {
+                    configureDefaultNetworkRulesForSystemVm(conn, vm.getName());
+                    break;
+                }
+                if (!applyDefaultNetworkRulesOnNic(conn, vm.getName(), vm.getId(), nic, isFirstNic, checkBeforeApply)) {
+                    s_logger.error("Unable to apply default network rule for nic " + nic.getName() + " for VM " + vm.getName());
+                    return false;
+                }
+                isFirstNic = false;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Function to apply default network rules for a NIC
+     * @param conn
+     * @param vmName
+     * @param vmId
+     * @param nic
+     * @param isFirstNic
+     * @param checkBeforeApply
+     * @return
+     */
+    public boolean applyDefaultNetworkRulesOnNic(final Connect conn, final String vmName, final Long vmId, final NicTO nic, boolean isFirstNic, boolean checkBeforeApply) {
+        final List<String> nicSecIps = nic.getNicSecIps();
+        String secIpsStr;
+        final StringBuilder sb = new StringBuilder();
+        if (nicSecIps != null) {
+            for (final String ip : nicSecIps) {
+                sb.append(ip).append(SecurityGroupRulesCmd.RULE_COMMAND_SEPARATOR);
+            }
+            secIpsStr = sb.toString();
+        } else {
+            secIpsStr = "0" + SecurityGroupRulesCmd.RULE_COMMAND_SEPARATOR;
+        }
+        return defaultNetworkRules(conn, vmName, nic, vmId, secIpsStr, isFirstNic, checkBeforeApply);
+    }
+
+    public boolean defaultNetworkRules(final Connect conn, final String vmName, final NicTO nic, final Long vmId, final String secIpStr, final boolean isFirstNic, final boolean checkBeforeApply) {
         if (!_canBridgeFirewall) {
             return false;
         }
@@ -3576,6 +3688,12 @@ public boolean defaultNetworkRules(final Connect conn, final String vmName, fina
         cmd.add("--vif", vif);
         cmd.add("--brname", brname);
         cmd.add("--nicsecips", secIpStr);
+        if (isFirstNic) {
+            cmd.add("--isFirstNic");
+        }
+        if (checkBeforeApply) {
+            cmd.add("--check");
+        }
         final String result = cmd.execute();
         if (result != null) {
             return false;
@@ -3665,7 +3783,7 @@ public boolean addNetworkRules(final String vmName, final String vmId, final Str
         return true;
     }
 
-    public boolean configureNetworkRulesVMSecondaryIP(final Connect conn, final String vmName, final String secIp, final String action) {
+    public boolean configureNetworkRulesVMSecondaryIP(final Connect conn, final String vmName, final String vmMac, final String secIp, final String action) {
 
         if (!_canBridgeFirewall) {
             return false;
@@ -3674,6 +3792,7 @@ public boolean configureNetworkRulesVMSecondaryIP(final Connect conn, final Stri
         final Script cmd = new Script(_securityGroupPath, _timeout, s_logger);
         cmd.add("network_rules_vmSecondaryIp");
         cmd.add("--vmname", vmName);
+        cmd.add("--vmmac", vmMac);
         cmd.add("--nicsecips", secIp);
         cmd.add("--action=" + action);
 

plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtNetworkRulesVmSecondaryIpCommandWrapper.java

@@ -41,11 +41,11 @@ public Answer execute(final NetworkRulesVmSecondaryIpCommand command, final Libv
             final LibvirtUtilitiesHelper libvirtUtilitiesHelper = libvirtComputingResource.getLibvirtUtilitiesHelper();
 
             final Connect conn = libvirtUtilitiesHelper.getConnectionByVmName(command.getVmName());
-            result = libvirtComputingResource.configureNetworkRulesVMSecondaryIP(conn, command.getVmName(), command.getVmSecIp(), command.getAction());
+            result = libvirtComputingResource.configureNetworkRulesVMSecondaryIP(conn, command.getVmName(), command.getVmMac(), command.getVmSecIp(), command.getAction());
         } catch (final LibvirtException e) {
             s_logger.debug("Could not configure VM secondary IP! => " + e.getLocalizedMessage());
         }
 
         return new Answer(command, result, "");
     }
-}
+}