#!/usr/bin/python2.7
# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import ConfigParser
import os
import re
from subprocess import CalledProcessError, Popen, PIPE, check_call
import sys
from openstack_common import kill_contract
import smf_include
from neutron.agent.solaris import packetfilter
from neutron_vpnaas.services.vpn.device_drivers.solaris_ipsec import \
get_vpn_interfaces, shutdown_vpn
def set_hostmodel(value):
cmd = ["/usr/sbin/ipadm", "show-prop", "-p", "hostmodel",
"-co", "current", "ipv4"]
p = Popen(cmd, stdout=PIPE, stderr=PIPE)
output, error = p.communicate()
if p.returncode != 0:
print "failed to retrieve hostmodel ipadm property"
return False
if output.strip() == value:
return True
cmd = ["/usr/bin/pfexec", "/usr/sbin/ipadm", "set-prop", "-t", "-p",
"hostmodel=%s" % value, "ipv4"]
p = Popen(cmd, stdout=PIPE, stderr=PIPE)
output, error = p.communicate()
if p.returncode != 0:
print "failed to set ipadm hostmodel property to %s" % value
return False
return True
def cleanup_l3_agent_datalinks():
cmd = ["/usr/sbin/dladm", "show-link", "-p", "-o", "link"]
p = Popen(cmd, stdout=PIPE, stderr=PIPE)
output, error = p.communicate()
if p.returncode != 0:
print "failed to retrieve datalink names"
return smf_include.SMF_EXIT_ERR_FATAL
dlnames = output.splitlines()
# L3 agent datalinks are always 15 characters in length. They start
# with either 'l3i' or 'l3e', end with '_0', and in between they are
# hexadecimal digits.
prog = re.compile('l3[ie][0-9A-Fa-f\_]{10}_0')
retcode = smf_include.SMF_EXIT_OK
for dlname in dlnames:
if prog.search(dlname) is None:
continue
try:
# first remove the IP
check_call(["/usr/bin/pfexec", "/usr/sbin/ipadm", "delete-ip",
dlname])
except:
# It is possible that the IP was already deleted but not the
# datalink. So we continue and try and delete the datalink.
pass
try:
# next remove the VNIC
check_call(["/usr/bin/pfexec", "/usr/sbin/dladm", "delete-vnic",
dlname])
# remove the OVS Port
ovs_bridge = get_ovs_bridge(dlname)
if ovs_bridge:
check_call(["/usr/bin/pfexec", "/usr/sbin/ovs-vsctl", "--",
"--if-exists", "del-port", ovs_bridge, dlname])
except CalledProcessError as err:
print "failed to remove datalink '%s' used by L3 agent: %s" % \
(dlname, err)
retcode = smf_include.SMF_EXIT_ERR_FATAL
return retcode
def start():
# verify paths are valid
for f in sys.argv[2:6]:
if not os.path.exists(f) or not os.access(f, os.R_OK):
print '%s does not exist or is not readable' % f
return smf_include.SMF_EXIT_ERR_CONFIG
# We need to remove VNICs associated with L3 agent if any were left over.
# Before that, we need to first remove the PF rules added under
# _auto/neutron:l3:agent anchor and then remove the IP interfaces on which
# the rules were applied.
pf = packetfilter.PacketFilter('_auto/neutron:l3:agent')
pf.remove_anchor_recursively()
ret_code = cleanup_l3_agent_datalinks()
if ret_code != smf_include.SMF_EXIT_OK:
return ret_code
# System-wide forwarding (either ipv4 or ipv6 or both) must be enabled
# before neutron-l3-agent can be started.
cmd = ["/usr/sbin/ipadm", "show-prop", "-c", "-p", "forwarding",
"-o", "current", "ipv4"]
p = Popen(cmd, stdout=PIPE, stderr=PIPE)
output, error = p.communicate()
if p.returncode != 0:
print "failed to determine if IPv4 forwarding is enabled or not"
return smf_include.SMF_EXIT_ERR_FATAL
v4fwding = "on" in output
cmd = ["/usr/sbin/ipadm", "show-prop", "-c", "-p", "forwarding",
"-o", "current", "ipv6"]
p = Popen(cmd, stdout=PIPE, stderr=PIPE)
output, error = p.communicate()
if p.returncode != 0:
print "failed to determine if IPv6 forwarding is enabled or not"
return smf_include.SMF_EXIT_ERR_FATAL
v6fwding = "on" in output
if not any((v4fwding, v6fwding)):
print "System-wide IPv4 or IPv6 (or both) forwarding must be " \
"enabled before enabling neutron-l3-agent"
return smf_include.SMF_EXIT_ERR_CONFIG
cmd = "/usr/bin/pfexec /usr/lib/neutron/neutron-l3-agent " \
"--config-file %s --config-file %s --config-file %s " \
"--config-file %s" % tuple(sys.argv[2:6])
# The VPNaaS shutdown should unplumb all IP tunnels it created. But
# be paranoid and check for lingering tunnels created by OpenStack
# that may have been left behind if the OpenStack device driver exits
# unexpectedly. OpenStack VPN configuration is created when the service
# starts. Errors will occur if old IP tunnels still exist.
vpn_ifs = get_vpn_interfaces()
if vpn_ifs:
print "Error: Found existing IP tunnel interface(s)."
print "Use ipadm(1M) and dladm(1M) to remove it/them."
print "Then use svcadm(1M) to clear the service."
print "Use the following commands to remove:"
for ifn in vpn_ifs:
print "\t# ipadm delete-ip %s; dladm delete-iptun %s" % (ifn, ifn)
return smf_include.SMF_EXIT_ERR_CONFIG
# set the hostmodel property if necessary
if not set_hostmodel("src-priority"):
return smf_include.SMF_EXIT_ERR_FATAL
return smf_include.smf_subprocess(cmd)
def get_ovs_bridge(dlname):
# retrieve the right OVS bridge based on the interface name
if dlname.startswith('l3i'):
config_file = '/etc/neutron/plugins/ml2/openvswitch_agent.ini'
section = "ovs"
option = "integration_bridge"
else:
config_file = '/etc/neutron/l3_agent.ini'
section = "DEFAULT"
option = "external_network_bridge"
parser = ConfigParser.ConfigParser()
parser.read(config_file)
try:
ovs_bridge = parser.get(section, option)
except ConfigParser.NoOptionError:
ovs_bridge = None
return ovs_bridge
def stop():
shutdown_vpn()
# Keep issuing SIGTERM until the contract is empty. This way we will catch
# any child processes missed because they were getting forked.
# 50 attempts will be made at intervals of 2 seconds. Typically, we
# will only need 0 or 1 additional attempt before the contract is empty but
# we chose to err on the side of caution. In the worst case, we will use
# 100 seconds in the below loop which will leave 500 seconds (timeout is
# 600s) for the other cleanup tasks, after which the service will be put to
# maintenance state if the contract was not killed successfully.
if not kill_contract(50, 2, sys.argv[2]):
return smf_include.SMF_EXIT_ERR_FATAL
# We need to first remove the PF rules added under _auto/neutron:l3:agent
# anchor and then remove the IP interfaces on which the rules were applied.
pf = packetfilter.PacketFilter('_auto/neutron:l3:agent')
pf.remove_anchor_recursively()
# remove VNICs associated with L3 agent
ret_code = cleanup_l3_agent_datalinks()
# finally reset the hostmodel property
if not set_hostmodel("weak") or ret_code != smf_include.SMF_EXIT_OK:
return smf_include.SMF_EXIT_ERR_FATAL
return smf_include.SMF_EXIT_OK
if __name__ == "__main__":
os.putenv("LC_ALL", "C")
smf_include.smf_main()