func TestAddRuleICMPZero(t *testing.T) {
th.SetupHTTP()
defer th.TeardownHTTP()
mockAddRuleResponseICMPZero(t)
opts := secgroups.CreateRuleOpts{
ParentGroupID: groupID,
FromPort: 0,
ToPort: 0,
IPProtocol: "ICMP",
CIDR: "0.0.0.0/0",
}
rule, err := secgroups.CreateRule(client.ServiceClient(), opts).Extract()
th.AssertNoErr(t, err)
expected := &secgroups.Rule{
FromPort: 0,
ToPort: 0,
Group: secgroups.Group{},
IPProtocol: "ICMP",
ParentGroupID: groupID,
IPRange: secgroups.IPRange{CIDR: "0.0.0.0/0"},
ID: ruleID,
}
th.AssertDeepEquals(t, expected, rule)
}
func resourceComputeSecGroupV2Update(d *schema.ResourceData, meta interface{}) error {
config := meta.(*Config)
computeClient, err := config.computeV2Client(GetRegion(d))
if err != nil {
return fmt.Errorf("Error creating OpenStack compute client: %s", err)
}
updateOpts := secgroups.UpdateOpts{
Name: d.Get("name").(string),
Description: d.Get("description").(string),
}
log.Printf("[DEBUG] Updating Security Group (%s) with options: %+v", d.Id(), updateOpts)
_, err = secgroups.Update(computeClient, d.Id(), updateOpts).Extract()
if err != nil {
return fmt.Errorf("Error updating OpenStack security group (%s): %s", d.Id(), err)
}
if d.HasChange("rule") {
oldSGRaw, newSGRaw := d.GetChange("rule")
oldSGRSet, newSGRSet := oldSGRaw.(*schema.Set), newSGRaw.(*schema.Set)
secgrouprulesToAdd := newSGRSet.Difference(oldSGRSet)
secgrouprulesToRemove := oldSGRSet.Difference(newSGRSet)
log.Printf("[DEBUG] Security group rules to add: %v", secgrouprulesToAdd)
log.Printf("[DEBUG] Security groups rules to remove: %v", secgrouprulesToRemove)
for _, rawRule := range secgrouprulesToAdd.List() {
createRuleOpts := resourceSecGroupRuleCreateOptsV2(d, rawRule)
rule, err := secgroups.CreateRule(computeClient, createRuleOpts).Extract()
if err != nil {
return fmt.Errorf("Error adding rule to OpenStack security group (%s): %s", d.Id(), err)
}
log.Printf("[DEBUG] Added rule (%s) to OpenStack security group (%s) ", rule.ID, d.Id())
}
for _, r := range secgrouprulesToRemove.List() {
rule := resourceSecGroupRuleV2(d, r)
err := secgroups.DeleteRule(computeClient, rule.ID).ExtractErr()
if err != nil {
if _, ok := err.(gophercloud.ErrDefault404); ok {
continue
}
return fmt.Errorf("Error removing rule (%s) from OpenStack security group (%s)", rule.ID, d.Id())
} else {
log.Printf("[DEBUG] Removed rule (%s) from OpenStack security group (%s): %s", rule.ID, d.Id(), err)
}
}
}
return resourceComputeSecGroupV2Read(d, meta)
}
// CreateSecurityGroupRule will create a security group rule with a random name
// and a random TCP port range between port 80 and 99. An error will be
// returned if the rule failed to be created.
func CreateSecurityGroupRule(t *testing.T, client *gophercloud.ServiceClient, securityGroupID string) (secgroups.Rule, error) {
createOpts := secgroups.CreateRuleOpts{
ParentGroupID: securityGroupID,
FromPort: tools.RandomInt(80, 89),
ToPort: tools.RandomInt(90, 99),
IPProtocol: "TCP",
CIDR: "0.0.0.0/0",
}
rule, err := secgroups.CreateRule(client, createOpts).Extract()
if err != nil {
return *rule, err
}
t.Logf("Created security group rule: %s", rule.ID)
return *rule, nil
}
func resourceComputeSecGroupV2Create(d *schema.ResourceData, meta interface{}) error {
config := meta.(*Config)
computeClient, err := config.computeV2Client(GetRegion(d))
if err != nil {
return fmt.Errorf("Error creating OpenStack compute client: %s", err)
}
// Before creating the security group, make sure all rules are valid.
if err := checkSecGroupV2RulesForErrors(d); err != nil {
return err
}
// If all rules are valid, proceed with creating the security gruop.
createOpts := secgroups.CreateOpts{
Name: d.Get("name").(string),
Description: d.Get("description").(string),
}
log.Printf("[DEBUG] Create Options: %#v", createOpts)
sg, err := secgroups.Create(computeClient, createOpts).Extract()
if err != nil {
return fmt.Errorf("Error creating OpenStack security group: %s", err)
}
d.SetId(sg.ID)
// Now that the security group has been created, iterate through each rule and create it
createRuleOptsList := resourceSecGroupRulesV2(d)
for _, createRuleOpts := range createRuleOptsList {
_, err := secgroups.CreateRule(computeClient, createRuleOpts).Extract()
if err != nil {
return fmt.Errorf("Error creating OpenStack security group rule: %s", err)
}
}
return resourceComputeSecGroupV2Read(d, meta)
}
// deploy achieves the aims of Deploy().
func (p *openstackp) deploy(resources *Resources, requiredPorts []int) (err error) {
// the resource name can only contain letters, numbers, underscores,
// spaces and hyphens
if !openstackValidResourceNameRegexp.MatchString(resources.ResourceName) {
err = Error{"openstack", "deploy", ErrBadResourceName}
return
}
// get/create key pair
kp, err := keypairs.Get(p.computeClient, resources.ResourceName).Extract()
if err != nil {
if _, notfound := err.(gophercloud.ErrDefault404); notfound {
// create a new keypair; we can't just let Openstack create one for
// us because in latest versions it does not return a DER encoded
// key, which is what GO built-in library supports.
privateKey, errk := rsa.GenerateKey(rand.Reader, 1024)
if errk != nil {
err = errk
return
}
privateKeyPEM := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}
privateKeyPEMBytes := pem.EncodeToMemory(privateKeyPEM)
pub, errk := ssh.NewPublicKey(&privateKey.PublicKey)
if errk != nil {
err = errk
return err
}
publicKeyStr := ssh.MarshalAuthorizedKey(pub)
kp, err = keypairs.Create(p.computeClient, keypairs.CreateOpts{Name: resources.ResourceName, PublicKey: string(publicKeyStr)}).Extract()
if err != nil {
return
}
resources.PrivateKey = string(privateKeyPEMBytes)
} else {
return
}
}
resources.Details["keypair"] = kp.Name
// based on hostname, see if we're currently running on an openstack server,
// in which case we'll use this server's security group and network.
hostname, err := os.Hostname()
inCloud := false
if err == nil {
pager := servers.List(p.computeClient, servers.ListOpts{})
err = pager.EachPage(func(page pagination.Page) (bool, error) {
serverList, err := servers.ExtractServers(page)
if err != nil {
return false, err
}
for _, server := range serverList {
if server.Name == hostname {
p.ownName = hostname
// get the first networkUUID we come across *** not sure
// what the other possibilities are and what else we can do
// instead
for networkName := range server.Addresses {
networkUUID, _ := networks.IDFromName(p.networkClient, networkName)
if networkUUID != "" {
p.networkName = networkName
p.networkUUID = networkUUID
break
}
}
// get the first security group *** again, not sure how to
// pick the "best" if more than one
for _, smap := range server.SecurityGroups {
if value, found := smap["name"]; found && value.(string) != "" {
p.securityGroup = value.(string)
break
}
}
if p.networkUUID != "" && p.securityGroup != "" {
inCloud = true
return false, nil
}
}
}
return true, nil
})
}
//*** actually, if in cloud, we should create a security group that allows
// the given ports, only accessible by things in the current security group
// don't create any more resources if we're already running in OpenStack
if inCloud {
return
}
// get/create security group
pager := secgroups.List(p.computeClient)
var group *secgroups.SecurityGroup
foundGroup := false
err = pager.EachPage(func(page pagination.Page) (bool, error) {
groupList, err := secgroups.ExtractSecurityGroups(page)
if err != nil {
return false, err
}
for _, g := range groupList {
if g.Name == resources.ResourceName {
group = &g
foundGroup = true
return false, nil
}
}
return true, nil
})
if err != nil {
return
}
if !foundGroup {
// create a new security group with rules allowing the desired ports
group, err = secgroups.Create(p.computeClient, secgroups.CreateOpts{Name: resources.ResourceName, Description: "access amongst wr-spawned nodes"}).Extract()
if err != nil {
return
}
//*** check if the rules are already there, in case we previously died
// between previous line and this one
for _, port := range requiredPorts {
_, err = secgroups.CreateRule(p.computeClient, secgroups.CreateRuleOpts{
ParentGroupID: group.ID,
FromPort: port,
ToPort: port,
IPProtocol: "TCP",
CIDR: "0.0.0.0/0", // FromGroupID: group.ID if we were creating a head node and then wanted a rule for all worker nodes...
}).Extract()
if err != nil {
return
}
}
// ICMP may help networking work as expected
_, err = secgroups.CreateRule(p.computeClient, secgroups.CreateRuleOpts{
ParentGroupID: group.ID,
FromPort: 0,
ToPort: 0, // *** results in a port of '0', which is not the same as "ALL ICMP" which then says "Any" in the web interface
IPProtocol: "ICMP",
CIDR: "0.0.0.0/0",
}).Extract()
if err != nil {
return
}
}
resources.Details["secgroup"] = group.ID
p.securityGroup = resources.ResourceName
// get/create network
var network *networks.Network
networkID, err := networks.IDFromName(p.networkClient, resources.ResourceName)
if err != nil {
if _, notfound := err.(gophercloud.ErrResourceNotFound); notfound {
// create a network for ourselves
network, err = networks.Create(p.networkClient, networks.CreateOpts{Name: resources.ResourceName, AdminStateUp: gophercloud.Enabled}).Extract()
if err != nil {
return
}
networkID = network.ID
} else {
return
}
} else {
network, err = networks.Get(p.networkClient, networkID).Extract()
if err != nil {
return
}
}
resources.Details["network"] = networkID
p.networkName = resources.ResourceName
p.networkUUID = networkID
// get/create subnet
var subnetID string
if len(network.Subnets) == 1 {
subnetID = network.Subnets[0]
// *** check it's valid? could we end up with more than 1 subnet?
} else {
// add a big enough subnet
var gip = new(string)
*gip = "192.168.0.1"
var subnet *subnets.Subnet
subnet, err = subnets.Create(p.networkClient, subnets.CreateOpts{
NetworkID: networkID,
CIDR: "192.168.0.0/16",
GatewayIP: gip,
DNSNameservers: dnsNameServers[:], // this is critical, or servers on new networks can't be ssh'd to for many minutes
IPVersion: 4,
Name: resources.ResourceName,
}).Extract()
if err != nil {
return
}
subnetID = subnet.ID
}
resources.Details["subnet"] = subnetID
// get/create router
var routerID string
pager = routers.List(p.networkClient, routers.ListOpts{Name: resources.ResourceName})
err = pager.EachPage(func(page pagination.Page) (bool, error) {
routerList, err := routers.ExtractRouters(page)
if err != nil {
return false, err
}
routerID = routerList[0].ID
// *** check it's valid? could we end up with more than 1 router?
return false, nil
})
if err != nil {
return
}
if routerID == "" {
var router *routers.Router
router, err = routers.Create(p.networkClient, routers.CreateOpts{
Name: resources.ResourceName,
GatewayInfo: &routers.GatewayInfo{NetworkID: p.externalNetworkID},
AdminStateUp: gophercloud.Enabled,
}).Extract()
if err != nil {
return
}
routerID = router.ID
// add our subnet
_, err = routers.AddInterface(p.networkClient, routerID, routers.AddInterfaceOpts{SubnetID: subnetID}).Extract()
if err != nil {
// if this fails, we'd be stuck with a useless router, so we try and
// delete it
routers.Delete(p.networkClient, router.ID)
return
}
}
resources.Details["router"] = routerID
return
}