vmware-nsx/quantum/db/l3_db.py
Hisaharu Ishii 3240d7a456 check subnet overlapping when adding interface to router
Fixes bug 1046061

Add logic in _check_for_dup_router_subnet to check subnets are not overlapped.
Add testcase test_router_add_interface_overlapped_cidr.

Change-Id: I71b6cce07273686cc5e4636ce640b7201ce00b32
2012-09-07 21:18:04 -07:00

654 lines
29 KiB
Python

"""
# vim: tabstop=4 shiftwidth=4 softtabstop=4
#
# Copyright 2012 Nicira Networks, Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# @author: Dan Wendlandt, Nicira, Inc
#
"""
import logging
import netaddr
import sqlalchemy as sa
from sqlalchemy import orm
from sqlalchemy.orm import exc
import webob.exc as w_exc
from quantum.api.v2 import attributes
from quantum.common import exceptions as q_exc
from quantum.common import utils
from quantum.db import model_base
from quantum.db import models_v2
from quantum.extensions import l3
from quantum.openstack.common import cfg
from quantum import policy
LOG = logging.getLogger(__name__)
l3_opts = [
cfg.StrOpt('metadata_ip_address', default='127.0.0.1'),
cfg.IntOpt('metadata_port', default=8775)
]
# Register the configuration options
cfg.CONF.register_opts(l3_opts)
DEVICE_OWNER_ROUTER_INTF = "network:router_interface"
DEVICE_OWNER_ROUTER_GW = "network:router_gateway"
DEVICE_OWNER_FLOATINGIP = "network:floatingip"
class Router(model_base.BASEV2, models_v2.HasId, models_v2.HasTenant):
"""Represents a v2 quantum router."""
name = sa.Column(sa.String(255))
status = sa.Column(sa.String(16))
admin_state_up = sa.Column(sa.Boolean)
gw_port_id = sa.Column(sa.String(36), sa.ForeignKey('ports.id',
ondelete="CASCADE"))
gw_port = orm.relationship(models_v2.Port)
class ExternalNetwork(model_base.BASEV2):
network_id = sa.Column(sa.String(36),
sa.ForeignKey('networks.id', ondelete="CASCADE"),
primary_key=True)
class FloatingIP(model_base.BASEV2, models_v2.HasId, models_v2.HasTenant):
"""Represents a floating IP, which may or many not be
allocated to a tenant, and may or may not be associated with
an internal port/ip address/router.
"""
floating_ip_address = sa.Column(sa.String(64), nullable=False)
floating_network_id = sa.Column(sa.String(36), nullable=False)
floating_port_id = sa.Column(sa.String(36), sa.ForeignKey('ports.id'),
nullable=False)
fixed_port_id = sa.Column(sa.String(36), sa.ForeignKey('ports.id'))
fixed_ip_address = sa.Column(sa.String(64))
router_id = sa.Column(sa.String(36), sa.ForeignKey('routers.id'))
class L3_NAT_db_mixin(l3.RouterPluginBase):
"""Mixin class to add L3/NAT router methods to db_plugin_base_v2"""
def _get_router(self, context, id):
try:
router = self._get_by_id(context, Router, id)
except exc.NoResultFound:
raise l3.RouterNotFound(router_id=id)
except exc.MultipleResultsFound:
LOG.error('Multiple routers match for %s' % id)
raise l3.RouterNotFound(router_id=id)
return router
def _make_router_dict(self, router, fields=None):
res = {'id': router['id'],
'name': router['name'],
'tenant_id': router['tenant_id'],
'admin_state_up': router['admin_state_up'],
'status': router['status'],
'external_gateway_info': None}
if router['gw_port_id']:
nw_id = router.gw_port['network_id']
res['external_gateway_info'] = {'network_id': nw_id}
return self._fields(res, fields)
def create_router(self, context, router):
r = router['router']
has_gw_info = False
if 'external_gateway_info' in r:
has_gw_info = True
gw_info = r['external_gateway_info']
del r['external_gateway_info']
tenant_id = self._get_tenant_id_for_create(context, r)
with context.session.begin(subtransactions=True):
# pre-generate id so it will be available when
# configuring external gw port
router_db = Router(id=utils.str_uuid(),
tenant_id=tenant_id,
name=r['name'],
admin_state_up=r['admin_state_up'],
status="ACTIVE")
context.session.add(router_db)
if has_gw_info:
self._update_router_gw_info(context, router_db['id'], gw_info)
return self._make_router_dict(router_db)
def update_router(self, context, id, router):
r = router['router']
has_gw_info = False
if 'external_gateway_info' in r:
has_gw_info = True
gw_info = r['external_gateway_info']
del r['external_gateway_info']
with context.session.begin(subtransactions=True):
if has_gw_info:
self._update_router_gw_info(context, id, gw_info)
router_db = self._get_router(context, id)
# Ensure we actually have something to update
if r.keys():
router_db.update(r)
return self._make_router_dict(router_db)
def _update_router_gw_info(self, context, router_id, info):
# TODO(salvatore-orlando): guarantee atomic behavior also across
# operations that span beyond the model classes handled by this
# class (e.g.: delete_port)
router = self._get_router(context, router_id)
gw_port = router.gw_port
network_id = info.get('network_id', None) if info else None
if network_id:
self._get_network(context, network_id)
if not self._network_is_external(context, network_id):
msg = "Network %s is not a valid external network" % network_id
raise q_exc.BadRequest(resource='router', msg=msg)
# figure out if we need to delete existing port
if gw_port and gw_port['network_id'] != network_id:
with context.session.begin(subtransactions=True):
router.update({'gw_port_id': None})
context.session.add(router)
self.delete_port(context, gw_port['id'], l3_port_check=False)
if network_id is not None and (gw_port is None or
gw_port['network_id'] != network_id):
# Port has no 'tenant-id', as it is hidden from user
gw_port = self.create_port(context, {
'port':
{'network_id': network_id,
'mac_address': attributes.ATTR_NOT_SPECIFIED,
'fixed_ips': attributes.ATTR_NOT_SPECIFIED,
'device_id': router_id,
'device_owner': DEVICE_OWNER_ROUTER_GW,
'admin_state_up': True,
'name': ''}})
if not len(gw_port['fixed_ips']):
self.delete_port(context, gw_port['id'], l3_port_check=False)
msg = ('No IPs available for external network %s' %
network_id)
raise q_exc.BadRequest(resource='router', msg=msg)
with context.session.begin(subtransactions=True):
router.update({'gw_port_id': gw_port['id']})
context.session.add(router)
def delete_router(self, context, id):
with context.session.begin(subtransactions=True):
router = self._get_router(context, id)
device_filter = {'device_id': [id],
'device_owner': [DEVICE_OWNER_ROUTER_INTF]}
ports = self.get_ports(context, filters=device_filter)
if ports:
raise l3.RouterInUse(router_id=id)
# NOTE(salvatore-orlando): gw port will be automatically deleted
# thanks to cascading on the ORM relationship
context.session.delete(router)
def get_router(self, context, id, fields=None):
router = self._get_router(context, id)
return self._make_router_dict(router, fields)
def get_routers(self, context, filters=None, fields=None):
return self._get_collection(context, Router,
self._make_router_dict,
filters=filters, fields=fields)
def _check_for_dup_router_subnet(self, context, router_id,
network_id, subnet_id):
try:
rport_qry = context.session.query(models_v2.Port)
rports = rport_qry.filter_by(
device_id=router_id,
device_owner=DEVICE_OWNER_ROUTER_INTF,).all()
# its possible these ports on on the same network, but
# different subnet
new_cidr = self._get_subnet(context, subnet_id)['cidr']
new_ipnet = netaddr.IPNetwork(new_cidr)
for p in rports:
for ip in p['fixed_ips']:
if ip['subnet_id'] == subnet_id:
msg = ("Router already has a port on subnet %s"
% subnet_id)
raise q_exc.BadRequest(resource='router', msg=msg)
cidr = self._get_subnet(context, ip['subnet_id'])['cidr']
ipnet = netaddr.IPNetwork(cidr)
match1 = netaddr.all_matching_cidrs(new_ipnet, [cidr])
match2 = netaddr.all_matching_cidrs(ipnet, [new_cidr])
if match1 or match2:
msg = (("Cidr %s of subnet %s is overlapped "
+ "with cidr %s of subnet %s")
% (new_cidr, subnet_id, cidr, ip['subnet_id']))
raise q_exc.BadRequest(resource='router', msg=msg)
except exc.NoResultFound:
pass
def add_router_interface(self, context, router_id, interface_info):
# make sure router exists - will raise if not
self._get_router(context, router_id)
if not interface_info:
msg = "Either subnet_id or port_id must be specified"
raise q_exc.BadRequest(resource='router', msg=msg)
if 'port_id' in interface_info:
if 'subnet_id' in interface_info:
msg = "cannot specify both subnet-id and port-id"
raise q_exc.BadRequest(resource='router', msg=msg)
port = self._get_port(context, interface_info['port_id'])
if port['device_id']:
raise q_exc.PortInUse(net_id=port['network_id'],
port_id=port['id'],
device_id=port['device_id'])
fixed_ips = [ip for ip in port['fixed_ips']]
if len(fixed_ips) != 1:
msg = 'Router port must have exactly one fixed IP'
raise q_exc.BadRequest(resource='router', msg=msg)
self._check_for_dup_router_subnet(context, router_id,
port['network_id'],
fixed_ips[0]['subnet_id'])
with context.session.begin(subtransactions=True):
port.update({'device_id': router_id,
'device_owner': DEVICE_OWNER_ROUTER_INTF})
elif 'subnet_id' in interface_info:
subnet_id = interface_info['subnet_id']
subnet = self._get_subnet(context, subnet_id)
# Ensure the subnet has a gateway
if not subnet['gateway_ip']:
msg = 'Subnet for router interface must have a gateway IP'
raise q_exc.BadRequest(resource='router', msg=msg)
self._check_for_dup_router_subnet(context, router_id,
subnet['network_id'], subnet_id)
fixed_ip = {'ip_address': subnet['gateway_ip'],
'subnet_id': subnet['id']}
port = self.create_port(context, {
'port':
{'network_id': subnet['network_id'],
'fixed_ips': [fixed_ip],
'mac_address': attributes.ATTR_NOT_SPECIFIED,
'admin_state_up': True,
'device_id': router_id,
'device_owner': DEVICE_OWNER_ROUTER_INTF,
'name': ''}})
return {'port_id': port['id'],
'subnet_id': port['fixed_ips'][0]['subnet_id']}
def remove_router_interface(self, context, router_id, interface_info):
# make sure router exists
router = self._get_router(context, router_id)
if not interface_info:
msg = "Either subnet_id or port_id must be specified"
raise q_exc.BadRequest(resource='router', msg=msg)
if 'port_id' in interface_info:
port_id = interface_info['port_id']
port_db = self._get_port(context, port_id)
if not (port_db['device_owner'] == DEVICE_OWNER_ROUTER_INTF and
port_db['device_id'] == router_id):
raise w_exc.HTTPNotFound("Router %(router_id)s does not have "
" an interface with id %(port_id)s"
% locals())
if 'subnet_id' in interface_info:
port_subnet_id = port_db['fixed_ips'][0]['subnet_id']
if port_subnet_id != interface_info['subnet_id']:
raise w_exc.HTTPConflict("subnet_id %s on port does not "
"match requested one (%s)"
% (port_subnet_id,
interface_info['subnet_id']))
if port_db['device_id'] != router_id:
raise w_exc.HTTPConflict("port_id %s not used by router" %
port_db['id'])
self.delete_port(context, port_db['id'], l3_port_check=False)
elif 'subnet_id' in interface_info:
subnet_id = interface_info['subnet_id']
subnet = self._get_subnet(context, subnet_id)
found = False
try:
rport_qry = context.session.query(models_v2.Port)
ports = rport_qry.filter_by(
device_id=router_id,
device_owner=DEVICE_OWNER_ROUTER_INTF,
network_id=subnet['network_id']).all()
for p in ports:
if p['fixed_ips'][0]['subnet_id'] == subnet_id:
self.delete_port(context, p['id'], l3_port_check=False)
found = True
break
except exc.NoResultFound:
pass
if not found:
raise w_exc.HTTPNotFound("Router %(router_id)s has no "
"interface on subnet %(subnet_id)s"
% locals())
def _get_floatingip(self, context, id):
try:
floatingip = self._get_by_id(context, FloatingIP, id)
except exc.NoResultFound:
raise l3.FloatingIPNotFound(floatingip_id=id)
except exc.MultipleResultsFound:
LOG.error('Multiple floating ips match for %s' % id)
raise l3.FloatingIPNotFound(floatingip_id=id)
return floatingip
def _make_floatingip_dict(self, floatingip, fields=None):
res = {'id': floatingip['id'],
'tenant_id': floatingip['tenant_id'],
'floating_ip_address': floatingip['floating_ip_address'],
'floating_network_id': floatingip['floating_network_id'],
'router_id': floatingip['router_id'],
'port_id': floatingip['fixed_port_id'],
'fixed_ip_address': floatingip['fixed_ip_address']}
return self._fields(res, fields)
def _get_router_for_internal_subnet(self, context, internal_port,
internal_subnet_id):
subnet_db = self._get_subnet(context, internal_subnet_id)
if not subnet_db['gateway_ip']:
msg = ('Cannot add floating IP to port on subnet %s '
'which has no gateway_ip' % internal_subnet_id)
raise q_exc.BadRequest(resource='floatingip', msg=msg)
#FIXME(danwent): can do join, but cannot use standard F-K syntax?
# just do it inefficiently for now
port_qry = context.session.query(models_v2.Port)
ports = port_qry.filter_by(network_id=internal_port['network_id'])
for p in ports:
ips = [ip['ip_address'] for ip in p['fixed_ips']]
if len(ips) != 1:
continue
fixed = p['fixed_ips'][0]
if (fixed['ip_address'] == subnet_db['gateway_ip'] and
fixed['subnet_id'] == internal_subnet_id):
router_qry = context.session.query(Router)
try:
router = router_qry.filter_by(id=p['device_id']).one()
return router['id']
except exc.NoResultFound:
pass
raise l3.ExternalGatewayForFloatingIPNotFound(
subnet_id=internal_subnet_id,
port_id=internal_port['id'])
def get_assoc_data(self, context, fip, floating_network_id):
"""When a floating IP is associated with an internal port,
we need to extract/determine some data associated with the
internal port, including the internal_ip_address, and router_id.
We also need to confirm that this internal port is owned by the
tenant who owns the floating IP.
"""
internal_port = self._get_port(context, fip['port_id'])
if not internal_port['tenant_id'] == fip['tenant_id']:
msg = ('Port %s is associated with a different tenant'
'and therefore cannot be found to floating IP %s'
% (fip['port_id'], fip['id']))
raise q_exc.BadRequest(resource='floating', msg=msg)
internal_subnet_id = None
if 'fixed_ip_address' in fip and fip['fixed_ip_address']:
internal_ip_address = fip['fixed_ip_address']
for ip in internal_port['fixed_ips']:
if ip['ip_address'] == internal_ip_address:
internal_subnet_id = ip['subnet_id']
if not internal_subnet_id:
msg = ('Port %s does not have fixed ip %s' %
(internal_port['id'], internal_ip_address))
raise q_exc.BadRequest(resource='floatingip', msg=msg)
else:
ips = [ip['ip_address'] for ip in internal_port['fixed_ips']]
if len(ips) == 0:
msg = ('Cannot add floating IP to port %s that has'
'no fixed IP addresses' % internal_port['id'])
raise q_exc.BadRequest(resource='floatingip', msg=msg)
if len(ips) > 1:
msg = ('Port %s has multiple fixed IPs. Must provide'
' a specific IP when assigning a floating IP' %
internal_port['id'])
raise q_exc.BadRequest(resource='floatingip', msg=msg)
internal_ip_address = internal_port['fixed_ips'][0]['ip_address']
internal_subnet_id = internal_port['fixed_ips'][0]['subnet_id']
router_id = self._get_router_for_internal_subnet(context,
internal_port,
internal_subnet_id)
# confirm that this router has a floating
# ip enabled gateway with support for this floating IP network
try:
port_qry = context.session.query(models_v2.Port)
ports = port_qry.filter_by(
network_id=floating_network_id,
device_id=router_id,
device_owner=DEVICE_OWNER_ROUTER_GW).one()
except exc.NoResultFound:
raise l3.ExternalGatewayForFloatingIPNotFound(
subnet_id=internal_subnet_id,
port_id=internal_port['id'])
return (fip['port_id'], internal_ip_address, router_id)
def _update_fip_assoc(self, context, fip, floatingip_db, external_port):
port_id = internal_ip_address = router_id = None
if 'port_id' in fip and fip['port_id']:
port_qry = context.session.query(FloatingIP)
try:
port_qry.filter_by(fixed_port_id=fip['port_id']).one()
raise l3.FloatingIPPortAlreadyAssociated(
port_id=fip['port_id'])
except exc.NoResultFound:
pass
port_id, internal_ip_address, router_id = self.get_assoc_data(
context,
fip,
floatingip_db['floating_network_id'])
floatingip_db.update({'fixed_ip_address': internal_ip_address,
'fixed_port_id': port_id,
'router_id': router_id})
def create_floatingip(self, context, floatingip):
fip = floatingip['floatingip']
tenant_id = self._get_tenant_id_for_create(context, fip)
fip_id = utils.str_uuid()
f_net_id = fip['floating_network_id']
if not self._network_is_external(context, f_net_id):
msg = "Network %s is not a valid external network" % f_net_id
raise q_exc.BadRequest(resource='floatingip', msg=msg)
# This external port is never exposed to the tenant.
# it is used purely for internal system and admin use when
# managing floating IPs.
external_port = self.create_port(context, {
'port':
{'network_id': f_net_id,
'mac_address': attributes.ATTR_NOT_SPECIFIED,
'fixed_ips': attributes.ATTR_NOT_SPECIFIED,
'admin_state_up': True,
'device_id': fip_id,
'device_owner': DEVICE_OWNER_FLOATINGIP,
'name': ''}})
# Ensure IP addresses are allocated on external port
if not external_port['fixed_ips']:
msg = "Unable to find any IP address on external network"
# remove the external port
self.delete_port(context, external_port['id'], l3_port_check=False)
raise q_exc.BadRequest(resource='floatingip', msg=msg)
floating_ip_address = external_port['fixed_ips'][0]['ip_address']
try:
with context.session.begin(subtransactions=True):
floatingip_db = FloatingIP(
id=fip_id,
tenant_id=tenant_id,
floating_network_id=fip['floating_network_id'],
floating_ip_address=floating_ip_address,
floating_port_id=external_port['id'])
fip['tenant_id'] = tenant_id
# Update association with internal port
# and define external IP address
self._update_fip_assoc(context, fip,
floatingip_db, external_port)
context.session.add(floatingip_db)
# TODO(salvatore-orlando): Avoid broad catch
# Maybe by introducing base class for L3 exceptions
except Exception:
LOG.exception("Floating IP association failed")
# Remove the port created for internal purposes
self.delete_port(context, external_port['id'], l3_port_check=False)
raise
return self._make_floatingip_dict(floatingip_db)
def update_floatingip(self, context, id, floatingip):
fip = floatingip['floatingip']
with context.session.begin(subtransactions=True):
floatingip_db = self._get_floatingip(context, id)
fip['tenant_id'] = floatingip_db['tenant_id']
fip['id'] = id
fip_port_id = floatingip_db['floating_port_id']
self._update_fip_assoc(context, fip, floatingip_db,
self.get_port(context, fip_port_id))
return self._make_floatingip_dict(floatingip_db)
def delete_floatingip(self, context, id):
floatingip = self._get_floatingip(context, id)
with context.session.begin(subtransactions=True):
context.session.delete(floatingip)
self.delete_port(context, floatingip['floating_port_id'],
l3_port_check=False)
def get_floatingip(self, context, id, fields=None):
floatingip = self._get_floatingip(context, id)
return self._make_floatingip_dict(floatingip, fields)
def get_floatingips(self, context, filters=None, fields=None):
return self._get_collection(context, FloatingIP,
self._make_floatingip_dict,
filters=filters, fields=fields)
def prevent_l3_port_deletion(self, context, port_id):
""" Checks to make sure a port is allowed to be deleted, raising
an exception if this is not the case. This should be called by
any plugin when the API requests the deletion of a port, since
some ports for L3 are not intended to be deleted directly via a
DELETE to /ports, but rather via other API calls that perform the
proper deletion checks.
"""
port_db = self._get_port(context, port_id)
if port_db['device_owner'] in [DEVICE_OWNER_ROUTER_INTF,
DEVICE_OWNER_ROUTER_GW,
DEVICE_OWNER_FLOATINGIP]:
raise l3.L3PortInUse(port_id=port_id,
device_owner=port_db['device_owner'])
def disassociate_floatingips(self, context, port_id):
with context.session.begin(subtransactions=True):
try:
fip_qry = context.session.query(FloatingIP)
floating_ip = fip_qry.filter_by(fixed_port_id=port_id).one()
floating_ip.update({'fixed_port_id': None,
'fixed_ip_address': None,
'router_id': None})
except exc.NoResultFound:
return
except exc.MultipleResultsFound:
# should never happen
raise Exception('Multiple floating IPs found for port %s'
% port_id)
def _check_l3_view_auth(self, context, network):
return policy.check(context,
"extension:router:view",
network)
def _enforce_l3_set_auth(self, context, network):
return policy.enforce(context,
"extension:router:set",
network)
def _network_is_external(self, context, net_id):
try:
context.session.query(ExternalNetwork).filter_by(
network_id=net_id).one()
return True
except exc.NoResultFound:
return False
def _extend_network_dict_l3(self, context, network):
if self._check_l3_view_auth(context, network):
network['router:external'] = self._network_is_external(
context, network['id'])
def _process_l3_create(self, context, net_data, net_id):
external = net_data.get('router:external')
external_set = attributes.is_attr_set(external)
if not external_set:
return
self._enforce_l3_set_auth(context, net_data)
if external:
# expects to be called within a plugin's session
context.session.add(ExternalNetwork(network_id=net_id))
def _process_l3_update(self, context, net_data, net_id):
new_value = net_data.get('router:external')
if not attributes.is_attr_set(new_value):
return
self._enforce_l3_set_auth(context, net_data)
existing_value = self._network_is_external(context, net_id)
if existing_value == new_value:
return
if new_value:
context.session.add(ExternalNetwork(network_id=net_id))
else:
# must make sure we do not have any external gateway ports
# (and thus, possible floating IPs) on this network before
# allow it to be update to external=False
try:
context.session.query(models_v2.Port).filter_by(
device_owner=DEVICE_OWNER_ROUTER_GW,
network_id=net_id).first()
raise ExternalNetworkInUse(net_id=net_id)
except exc.NoResultFound:
pass # expected
context.session.query(ExternalNetwork).filter_by(
network_id=net_id).delete()
def _filter_nets_l3(self, context, nets, filters):
vals = filters.get('router:external', [])
if not vals:
return nets
ext_nets = set([en['network_id'] for en in
context.session.query(ExternalNetwork).all()])
if vals[0]:
return [n for n in nets if n['id'] in ext_nets]
else:
return [n for n in nets if n['id'] not in ext_nets]