neutron-l3-agent revision 5403
4049N/A#!/usr/bin/python2.7
2521N/A
5403N/A# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
2521N/A#
2521N/A# Licensed under the Apache License, Version 2.0 (the "License"); you may
2521N/A# not use this file except in compliance with the License. You may obtain
2521N/A# a copy of the License at
2521N/A#
2521N/A# http://www.apache.org/licenses/LICENSE-2.0
2521N/A#
2521N/A# Unless required by applicable law or agreed to in writing, software
2521N/A# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
2521N/A# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
2521N/A# License for the specific language governing permissions and limitations
2521N/A# under the License.
2521N/A
2521N/Aimport os
2892N/Aimport re
2521N/Aimport sys
2521N/A
2892N/Aimport netaddr
2521N/Aimport smf_include
2521N/A
2892N/Afrom subprocess import CalledProcessError, Popen, PIPE, check_call
5403N/Afrom neutron_vpnaas.services.vpn.device_drivers.solaris_ipsec import \
5403N/A get_vpn_interfaces
5403N/Afrom neutron_vpnaas.services.vpn.device_drivers.solaris_ipsec import \
5403N/A shutdown_vpn
2583N/A
2521N/A
3998N/Adef set_hostmodel(value):
3998N/A cmd = ["/usr/sbin/ipadm", "show-prop", "-p", "hostmodel",
3998N/A "-co", "current", "ipv4"]
3998N/A p = Popen(cmd, stdout=PIPE, stderr=PIPE)
3998N/A output, error = p.communicate()
3998N/A if p.returncode != 0:
3998N/A print "failed to retrieve hostmodel ipadm property"
3998N/A return False
3998N/A if output.strip() == value:
3998N/A return True
3998N/A cmd = ["/usr/sbin/ipadm", "set-prop", "-t", "-p", "hostmodel=%s" % value,
3998N/A "ipv4"]
3998N/A p = Popen(cmd, stdout=PIPE, stderr=PIPE)
3998N/A output, error = p.communicate()
3998N/A if p.returncode != 0:
3998N/A print "failed to set ipadm hostmodel property to %s" % value
3998N/A return False
3998N/A return True
3998N/A
3998N/A
2521N/Adef start():
2521N/A # verify paths are valid
5403N/A for f in sys.argv[2:5]:
2521N/A if not os.path.exists(f) or not os.access(f, os.R_OK):
2521N/A print '%s does not exist or is not readable' % f
2521N/A return smf_include.SMF_EXIT_ERR_CONFIG
2521N/A
2583N/A # System-wide forwarding (either ipv4 or ipv6 or both) must be enabled
2583N/A # before neutron-l3-agent can be started.
2583N/A cmd = ["/usr/sbin/ipadm", "show-prop", "-c", "-p", "forwarding",
2583N/A "-o", "current", "ipv4"]
2583N/A p = Popen(cmd, stdout=PIPE, stderr=PIPE)
2583N/A output, error = p.communicate()
2583N/A if p.returncode != 0:
2583N/A print "failed to determine if IPv4 forwarding is enabled or not"
2583N/A return smf_include.SMF_EXIT_ERR_FATAL
2583N/A v4fwding = "on" in output
2583N/A
2583N/A cmd = ["/usr/sbin/ipadm", "show-prop", "-c", "-p", "forwarding",
2583N/A "-o", "current", "ipv6"]
2583N/A p = Popen(cmd, stdout=PIPE, stderr=PIPE)
2583N/A output, error = p.communicate()
2583N/A if p.returncode != 0:
2583N/A print "failed to determine if IPv6 forwarding is enabled or not"
2583N/A return smf_include.SMF_EXIT_ERR_FATAL
2583N/A v6fwding = "on" in output
2583N/A
2583N/A if not any((v4fwding, v6fwding)):
2892N/A print "System-wide IPv4 or IPv6 (or both) forwarding must be " \
2892N/A "enabled before enabling neutron-l3-agent"
2583N/A return smf_include.SMF_EXIT_ERR_CONFIG
2583N/A
5403N/A cmd = "/usr/lib/neutron/neutron-l3-agent --config-file %s " \
5403N/A "--config-file %s --config-file %s" % tuple(sys.argv[2:5])
5403N/A
5403N/A # The VPNaaS shutdown should unplumb all IP tunnels it created. But
5403N/A # be paranoid and check for lingering tunnels created by OpenStack
5403N/A # that may have been left behind if the OpenStack device driver exits
5403N/A # unexpectedly. OpenStack VPN configuration is created when the service
5403N/A # starts. Errors will occur if old IP tunnels still exist.
5403N/A
5403N/A vpn_ifs = get_vpn_interfaces()
5403N/A if vpn_ifs:
5403N/A print "Error: Found existing IP tunnel interface(s)."
5403N/A print "Use ipadm(1M) and dladm(1M) to remove it/them."
5403N/A print "Then use svcadm(1M) to clear the service."
5403N/A print "Use the following commands to remove:"
5403N/A for interface in vpn_ifs:
5403N/A ifn = interface.group(0)
5403N/A print "\t# ipadm delete-ip %s; dladm delete-iptun %s" % (ifn, ifn)
5403N/A
5403N/A return smf_include.SMF_EXIT_ERR_CONFIG
5403N/A
3998N/A # set the hostmodel property if necessary
3998N/A if not set_hostmodel("src-priority"):
3998N/A return smf_include.SMF_EXIT_ERR_FATAL
3998N/A
5403N/A return smf_include.smf_subprocess(cmd)
2521N/A
2892N/A
2944N/Adef remove_ipfilter_rules(version):
2944N/A # remove IP Filter rules added by neutron-l3-agent
2944N/A cmd = ["/usr/bin/pfexec", "/usr/sbin/ipfstat", "-io"]
2944N/A if version == 6:
2944N/A cmd.insert(2, "-6")
2944N/A p = Popen(cmd, stdout=PIPE, stderr=PIPE)
2944N/A output, error = p.communicate()
2944N/A if p.returncode != 0:
2944N/A print "failed to retrieve IP Filter rules"
2944N/A return smf_include.SMF_EXIT_ERR_FATAL
2944N/A
2944N/A ipfilters = output.splitlines()
2944N/A # L3 agent IP Filter rules are of the form
2944N/A # block in quick on l3i64cbb496_a_0 from ... to pool/15417332
2944N/A prog = re.compile('on l3i[0-9A-Fa-f\_]{10}_0')
2944N/A ippool_names = []
2944N/A for ipf in ipfilters:
2944N/A if not prog.search(ipf):
2944N/A continue
2944N/A # capture the IP pool name
3162N/A if 'pool/' in ipf:
3162N/A ippool_names.append(ipf.split('pool/')[1])
2944N/A
2944N/A try:
2944N/A # remove the IP Filter rule
2944N/A p = Popen(["echo", ipf], stdout=PIPE)
2944N/A cmd = ["/usr/bin/pfexec", "/usr/sbin/ipf", "-r", "-f", "-"]
2944N/A if version == 6:
2944N/A cmd.insert(2, "-6")
2944N/A check_call(cmd, stdin=p.stdout)
2944N/A except CalledProcessError as err:
2944N/A print "failed to remove IP Filter rule %s: %s" % (ipf, err)
2944N/A return smf_include.SMF_EXIT_ERR_FATAL
2944N/A
2944N/A # remove IP Pools added by neutron-l3-agent
2944N/A for ippool_name in ippool_names:
2944N/A try:
2944N/A check_call(["/usr/bin/pfexec", "/usr/sbin/ippool", "-R",
2944N/A "-m", ippool_name, "-t", "tree"])
2944N/A except CalledProcessError as err:
2944N/A print "failed to remove IP Pool %s: %s" % (ippool_name, err)
2944N/A return smf_include.SMF_EXIT_ERR_FATAL
2944N/A return smf_include.SMF_EXIT_OK
2944N/A
2944N/A
2892N/Adef stop():
5403N/A shutdown_vpn()
2892N/A try:
2892N/A # first kill the SMF contract
2892N/A check_call(["/usr/bin/pkill", "-c", sys.argv[2]])
2892N/A except CalledProcessError as err:
2892N/A print "failed to kill the SMF contract: %s" % (err)
2892N/A
3162N/A # We need to first remove the IP filter rules and then remove
3162N/A # the IP interfaces on which the rules were applied.
2892N/A
2944N/A # remove IPv4 Filter rules added by neutron-l3-agent
2944N/A rv = remove_ipfilter_rules(4)
2944N/A if rv != smf_include.SMF_EXIT_OK:
2944N/A return rv
2892N/A
2944N/A # remove IPv6 Filter rules added by neutron-l3-agent
2944N/A rv = remove_ipfilter_rules(6)
2944N/A if rv != smf_include.SMF_EXIT_OK:
2944N/A return rv
2892N/A
2892N/A # remove IP NAT rules added by neutron-l3-agent
2892N/A cmd = ["/usr/bin/pfexec", "/usr/sbin/ipnat", "-lR"]
2892N/A p = Popen(cmd, stdout=PIPE, stderr=PIPE)
2892N/A output, error = p.communicate()
2892N/A if p.returncode != 0:
2892N/A print "failed to retrieve IP NAT rules"
2892N/A return smf_include.SMF_EXIT_ERR_FATAL
2892N/A
2892N/A ipnat_rules = output.splitlines()
2892N/A # L3 agent IP NAT rules are of the form
3998N/A # bimap l3e64ccc496_a_0 .... OR
3998N/A # rdr l3iedf345cc96_a_0 ....
3998N/A prog = re.compile('l3[ie][0-9A-Fa-f\_]{10}_0')
2892N/A for ipnat_rule in ipnat_rules:
2892N/A if not prog.search(ipnat_rule):
2892N/A continue
2892N/A # remove the IP NAT rule
2892N/A try:
2892N/A p = Popen(["echo", ipnat_rule], stdout=PIPE)
2892N/A check_call(["/usr/bin/pfexec", "/usr/sbin/ipnat", "-r", "-f", "-"],
2892N/A stdin=p.stdout)
2892N/A except CalledProcessError as err:
2892N/A print "failed to remove IP NAT rule %s: %s" % (ipnat_rule, err)
2892N/A return smf_include.SMF_EXIT_ERR_FATAL
2892N/A
3162N/A # remove VNICs associated with L3 agent
3162N/A cmd = ["/usr/sbin/ipadm", "show-if", "-p", "-o", "ifname"]
3162N/A p = Popen(cmd, stdout=PIPE, stderr=PIPE)
3162N/A output, error = p.communicate()
3162N/A if p.returncode != 0:
3162N/A print "failed to retrieve IP interface names"
3162N/A return smf_include.SMF_EXIT_ERR_CONFIG
3162N/A
3162N/A ifnames = output.splitlines()
3162N/A # L3 agent datalinks are always 15 characters in length. They start
3162N/A # with either 'l3i' or 'l3e', end with '_0', and in between they are
3162N/A # hexadecimal digits.
3162N/A prog = re.compile('l3[ie][0-9A-Fa-f\_]{10}_0')
3162N/A for ifname in ifnames:
3162N/A if not prog.search(ifname):
3162N/A continue
3162N/A try:
3162N/A # first remove the IP
3162N/A check_call(["/usr/bin/pfexec", "/usr/sbin/ipadm", "delete-ip",
3162N/A ifname])
3162N/A # next remove the VNIC
3162N/A check_call(["/usr/bin/pfexec", "/usr/sbin/dladm", "delete-vnic",
3162N/A ifname])
3162N/A except CalledProcessError as err:
3162N/A print "failed to remove datalinks used by L3 agent: %s" % (err)
3162N/A return smf_include.SMF_EXIT_ERR_FATAL
3162N/A
3998N/A # finally reset the hostmodel property
3998N/A if not set_hostmodel("weak"):
3998N/A return smf_include.SMF_EXIT_ERR_FATAL
2892N/A return smf_include.SMF_EXIT_OK
2892N/A
2521N/Aif __name__ == "__main__":
2521N/A os.putenv("LC_ALL", "C")
2521N/A smf_include.smf_main()