From df2ea2e3acdede21b40d47b7adbeac04213d031b Mon Sep 17 00:00:00 2001
From: John Garbutt <john.garbutt@rackspace.com>
Date: Thu, 12 Sep 2013 18:11:49 +0100
Subject: [PATCH] xenapi: enforce filters after live-migration

Currently any network filters, including security groups, are
lost after a server has been live-migrated.

This partially fixes the issue by ensuring that security groups are
re-applied to the VM once it has reached the destination and been started.

This leaves a small amount of time during the live-migrate where the VM
is not protected. There is a further bug raised to close the rest of
this hole, but this helps keep the VM protected for the majority of the
time.

Fixes bug 1202266

(Cherry picked from commit: 5cced7a6dd32d231c606e25dbf762d199bf9cca7)

Change-Id: I66bc7af1c6da74e18dce47180af0cb6020ba2c1a
---
 nova/tests/test_xenapi.py  | 22 +++++++++++++++++++++-
 nova/virt/xenapi/driver.py |  4 ++--
 nova/virt/xenapi/vmops.py  | 18 ++++++++++++++++++
 3 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py
index f7fb81d..d4c19a4 100644
--- a/nova/tests/test_xenapi.py
+++ b/nova/tests/test_xenapi.py
@@ -2723,7 +2723,27 @@ def test_post_live_migration_at_destination(self):
         # ensure method is present
         stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
         self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False)
-        self.conn.post_live_migration_at_destination(None, None, None, None)
+
+        fake_instance = "instance"
+        fake_network_info = "network_info"
+
+        def fake_fw(instance, network_info):
+            self.assertEquals(instance, fake_instance)
+            self.assertEquals(network_info, fake_network_info)
+            fake_fw.called += 1
+
+        fake_fw.called = 0
+        _vmops = self.conn._vmops
+        self.stubs.Set(_vmops.firewall_driver,
+                       'setup_basic_filtering', fake_fw)
+        self.stubs.Set(_vmops.firewall_driver,
+                       'prepare_instance_filter', fake_fw)
+        self.stubs.Set(_vmops.firewall_driver,
+                       'apply_instance_filter', fake_fw)
+
+        self.conn.post_live_migration_at_destination(None, fake_instance,
+                                                     fake_network_info, None)
+        self.assertEqual(fake_fw.called, 3)
 
     def test_check_can_live_migrate_destination_with_block_migration(self):
         stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
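Review bot: The final `self.assertEqual(fake_fw.called, 3)` only counts calls to one shared stub, so the test would still pass if a single firewall method ran three times or the three ran in the wrong order. The sequence setup_basic_filtering, prepare_instance_filter, apply_instance_filter is what restores the security group rules, so consider recording the method name in each stub and asserting the list, e.g. `self.assertEqual(calls, ['setup_basic_filtering', 'prepare_instance_filter', 'apply_instance_filter'])`. The call also passes `None` as the fourth argument and gives no block_device_info, so it cannot notice the driver forwarding an argument in the wrong position. The stub uses `assertEquals` while the last line uses `assertEqual`; pick one spelling. The test method starts above the hunk.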
diff --git a/nova/virt/xenapi/driver.py b/nova/virt/xenapi/driver.py
index 128f67f..564c587 100755
--- a/nova/virt/xenapi/driver.py
+++ b/nova/virt/xenapi/driver.py
@@ -1,4 +1,3 @@
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
 
 # Copyright (c) 2010 Citrix Systems, Inc.
 # Copyright 2010 OpenStack Foundation
@@ -514,7 +513,8 @@ def post_live_migration_at_destination(self, ctxt, instance_ref,
         :params : block_migration: if true, post operation of block_migraiton.
         """
         # TODO(JohnGarbutt) look at moving/downloading ramdisk and kernel
-        pass
+        self._vmops.post_live_migration_at_destination(ctxt, instance_ref,
+                network_info, block_device_info, block_device_info)
 
     def unfilter_instance(self, instance_ref, network_info):
         """Removes security groups configured for an instance."""
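Review bot: The new call forwards `block_device_info` twice, so the `block_migration` parameter of the vmops method receives block_device_info instead of the migration flag; the second line should read `network_info, block_migration, block_device_info)`. The docstring context line names a block_migration parameter, but the signature is cut off above the hunk, so confirm that name is in scope. Nothing in the new vmops method reads either value yet, which is why the tests do not notice, but any later logic keyed on block_migration would silently receive the wrong object.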
diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py
index eccf3e0..ae5c697 100644
--- a/nova/virt/xenapi/vmops.py
+++ b/nova/virt/xenapi/vmops.py
@@ -1737,6 +1737,24 @@ def live_migrate(self, context, instance, destination_hostname,
                 recover_method(context, instance, destination_hostname,
                                block_migration)
 
+    def post_live_migration_at_destination(self, context, instance,
+                                           network_info, block_migration,
+                                           block_device_info):
+        # FIXME(johngarbutt): we should block all traffic until we have
+        # applied security groups, however this requires changes to XenServer
+        try:
+            self.firewall_driver.setup_basic_filtering(
+                    instance, network_info)
+        except NotImplementedError:
+            # NOTE(salvatore-orlando): setup_basic_filtering might be
+            # empty or not implemented at all, as basic filter could
+            # be implemented with VIF rules created by xapi plugin
+            pass
+
+        self.firewall_driver.prepare_instance_filter(instance,
+                                                     network_info)
+        self.firewall_driver.apply_instance_filter(instance, network_info)
+
     def get_per_instance_usage(self):
         """Get usage info about each active instance."""
         usage = {}
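Review bot: post_live_migration_at_destination has no docstring, and its security-relevant contract is only implied by the FIXME: filters are applied after the instance is already running on the destination, and an exception from `prepare_instance_filter` or `apply_instance_filter` propagates with the instance left without security group rules. I would add a docstring such as `"""Re-apply basic filtering and security group rules to an instance that has just been live-migrated to this host."""` and state there that block_migration and block_device_info are currently unused. Whether the caller reacts to a failure here by stopping or flagging the instance is not visible in this hunk, so a log entry naming the instance before the exception leaves this method would make an unprotected VM easier to find.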
-- 
1.8.4