Cross Reference: /solaris-userland/components/openstack/neutron/files/neutron-l3-agent

	neutron-l3-agent revision 2944
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#!/usr/bin/python2.6
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#    Licensed under the Apache License, Version 2.0 (the "License"); you may
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#    not use this file except in compliance with the License. You may obtain
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#    a copy of the License at
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#         http://www.apache.org/licenses/LICENSE-2.0
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#    Unless required by applicable law or agreed to in writing, software
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#    License for the specific language governing permissions and limitations
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#    under the License.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcanoimport os
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcanoimport re
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcanoimport sys
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcanoimport netaddr
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcanoimport smf_include
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcanofrom subprocess import CalledProcessError, Popen, PIPE, check_call
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normanddef start():
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand    # verify paths are valid
10fba81b9d0221b8e47aa1e0b43236413b7d28dfMichel Normand    for f in sys.argv[2:4]:
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand        if not os.path.exists(f) or not os.access(f, os.R_OK):
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand            print '%s does not exist or is not readable' % f
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            return smf_include.SMF_EXIT_ERR_CONFIG
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    # System-wide forwarding (either ipv4 or ipv6 or both) must be enabled
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    # before neutron-l3-agent can be started.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    cmd = ["/usr/sbin/ipadm", "show-prop", "-c", "-p", "forwarding",
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano           "-o", "current", "ipv4"]
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    p = Popen(cmd, stdout=PIPE, stderr=PIPE)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    output, error = p.communicate()
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    if p.returncode != 0:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        print "failed to determine if IPv4 forwarding is enabled or not"
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        return smf_include.SMF_EXIT_ERR_FATAL
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    v4fwding = "on" in output
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    cmd = ["/usr/sbin/ipadm", "show-prop", "-c", "-p", "forwarding",
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano           "-o", "current", "ipv6"]
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    p = Popen(cmd, stdout=PIPE, stderr=PIPE)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    output, error = p.communicate()
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    if p.returncode != 0:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        print "failed to determine if IPv6 forwarding is enabled or not"
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        return smf_include.SMF_EXIT_ERR_FATAL
b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen    v6fwding = "on" in output
b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen
b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen    if not any((v4fwding, v6fwding)):
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        print "System-wide IPv4 or IPv6 (or both) forwarding must be " \
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano              "enabled before enabling neutron-l3-agent"
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        return smf_include.SMF_EXIT_ERR_CONFIG
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    cmd = "/usr/lib/neutron/neutron-l3-agent --config-file %s " \
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        "--config-file %s" % tuple(sys.argv[2:4])
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    smf_include.smf_subprocess(cmd)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcanodef remove_ipfilter_rules(version):
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    # remove IP Filter rules added by neutron-l3-agent
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    cmd = ["/usr/bin/pfexec", "/usr/sbin/ipfstat", "-io"]
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    if version == 6:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        cmd.insert(2, "-6")
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    p = Popen(cmd, stdout=PIPE, stderr=PIPE)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    output, error = p.communicate()
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    if p.returncode != 0:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        print "failed to retrieve IP Filter rules"
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        return smf_include.SMF_EXIT_ERR_FATAL
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    ipfilters = output.splitlines()
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    # L3 agent IP Filter rules are of the form
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    # block in quick on l3i64cbb496_a_0 from ... to pool/15417332
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    prog = re.compile('on l3i[0-9A-Fa-f\_]{10}_0')
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    ippool_names = []
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    for ipf in ipfilters:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        if not prog.search(ipf):
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            continue
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        # capture the IP pool name
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        ippool_names.append(ipf.split('pool/')[1])
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
10fba81b9d0221b8e47aa1e0b43236413b7d28dfMichel Normand        try:
10fba81b9d0221b8e47aa1e0b43236413b7d28dfMichel Normand            # remove the IP Filter rule
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            p = Popen(["echo", ipf], stdout=PIPE)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            cmd = ["/usr/bin/pfexec", "/usr/sbin/ipf", "-r", "-f", "-"]
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            if version == 6:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano                cmd.insert(2, "-6")
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            check_call(cmd, stdin=p.stdout)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        except CalledProcessError as err:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            print "failed to remove IP Filter rule %s: %s" % (ipf, err)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            return smf_include.SMF_EXIT_ERR_FATAL
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    # remove IP Pools added by neutron-l3-agent
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    for ippool_name in ippool_names:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        try:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            check_call(["/usr/bin/pfexec", "/usr/sbin/ippool", "-R",
10fba81b9d0221b8e47aa1e0b43236413b7d28dfMichel Normand                        "-m", ippool_name, "-t", "tree"])
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        except CalledProcessError as err:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            print "failed to remove IP Pool %s: %s" % (ippool_name, err)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            return smf_include.SMF_EXIT_ERR_FATAL
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    return smf_include.SMF_EXIT_OK
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcanodef stop():
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    try:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        # first kill the SMF contract
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        check_call(["/usr/bin/pkill", "-c", sys.argv[2]])
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    except CalledProcessError as err:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        print "failed to kill the SMF contract: %s" % (err)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        return smf_include.SMF_EXIT_ERR_FATAL
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    # remove VNICs associated with L3 agent
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    cmd = ["/usr/sbin/ipadm", "show-if", "-p", "-o", "ifname"]
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    p = Popen(cmd, stdout=PIPE, stderr=PIPE)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    output, error = p.communicate()
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    if p.returncode != 0:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        print "failed to retrieve IP interface names"
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        return smf_include.SMF_EXIT_ERR_CONFIG
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    ifnames = output.splitlines()
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    # L3 agent datalinks are always 15 characters in length. They start
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    # with either 'l3i' or 'l3e', end with '_0', and in between they are
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    # hexadecimal digits.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    prog = re.compile('l3[ie][0-9A-Fa-f\_]{10}_0')
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    for ifname in ifnames:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        if not prog.search(ifname):
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            continue
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        try:
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand            # first remove the IP
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            check_call(["/usr/bin/pfexec", "/usr/sbin/ipadm", "delete-ip",
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano                        ifname])
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            # next remove the VNIC
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            check_call(["/usr/bin/pfexec", "/usr/sbin/dladm", "delete-vnic",
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano                        ifname])
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        except CalledProcessError as err:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            print "failed to remove datalinks used by L3 agent: %s" % (err)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano            return smf_include.SMF_EXIT_ERR_FATAL
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    # remove IPv4 Filter rules added by neutron-l3-agent
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    rv = remove_ipfilter_rules(4)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    if rv != smf_include.SMF_EXIT_OK:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        return rv
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    # remove IPv6 Filter rules added by neutron-l3-agent
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    rv = remove_ipfilter_rules(6)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    if rv != smf_include.SMF_EXIT_OK:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano        return rv
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    # remove IP NAT rules added by neutron-l3-agent
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    cmd = ["/usr/bin/pfexec", "/usr/sbin/ipnat", "-lR"]
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    p = Popen(cmd, stdout=PIPE, stderr=PIPE)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    output, error = p.communicate()
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano    if p.returncode != 0:
        print "failed to retrieve IP NAT rules"
        return smf_include.SMF_EXIT_ERR_FATAL

    ipnat_rules = output.splitlines()
    # L3 agent IP NAT rules are of the form
    # bimap l3e64ccc496_a_0 192.168.1.3/32 -> 172.16.10.3/32
    prog = re.compile('l3e[0-9A-Fa-f\_]{10}_0')
    for ipnat_rule in ipnat_rules:
        if not prog.search(ipnat_rule):
            continue
        # remove the IP NAT rule
        try:
            p = Popen(["echo", ipnat_rule], stdout=PIPE)
            check_call(["/usr/bin/pfexec", "/usr/sbin/ipnat", "-r", "-f", "-"],
                       stdin=p.stdout)
        except CalledProcessError as err:
            print "failed to remove IP NAT rule %s: %s" % (ipnat_rule, err)
            return smf_include.SMF_EXIT_ERR_FATAL

    return smf_include.SMF_EXIT_OK

if __name__ == "__main__":
    os.putenv("LC_ALL", "C")
    smf_include.smf_main()