server/src/main/java/com/cloud/network/security/SecurityGroupListener.java - cloudstack - Git at Google

 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //   http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing,
 // software distributed under the License is distributed on an
 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.
 package com.cloud.network.security;

 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import java.util.Random;
 import java.util.concurrent.ConcurrentHashMap;

 import org.apache.log4j.Logger;

 import com.cloud.agent.AgentManager;
 import com.cloud.agent.Listener;
 import com.cloud.agent.api.AgentControlAnswer;
 import com.cloud.agent.api.AgentControlCommand;
 import com.cloud.agent.api.Answer;
 import com.cloud.agent.api.CleanupNetworkRulesCmd;
 import com.cloud.agent.api.Command;
 import com.cloud.agent.api.PingRoutingWithNwGroupsCommand;
 import com.cloud.agent.api.SecurityGroupRuleAnswer;
 import com.cloud.agent.api.SecurityGroupRuleAnswer.FailureReason;
 import com.cloud.agent.api.StartupCommand;
 import com.cloud.agent.api.StartupRoutingCommand;
 import com.cloud.agent.manager.Commands;
 import com.cloud.exception.AgentUnavailableException;
 import com.cloud.host.Host;
 import com.cloud.host.Status;
 import com.cloud.network.security.SecurityGroupWork.Step;
 import com.cloud.network.security.dao.SecurityGroupWorkDao;

 /**
  * Listens for answers to ingress rules modification commands
  *
  */
 public class SecurityGroupListener implements Listener {
     public static final Logger s_logger = Logger.getLogger(SecurityGroupListener.class.getName());

     private static final int MAX_RETRIES_ON_FAILURE = 3;
     private static final int MIN_TIME_BETWEEN_CLEANUPS = 30 * 60;//30 minutes
     private final Random _cleanupRandom = new Random();

     SecurityGroupManagerImpl _securityGroupManager;
     AgentManager _agentMgr;
     SecurityGroupWorkDao _workDao;
     Map<Long, Integer> _vmFailureCounts = new ConcurrentHashMap<Long, Integer>();

     private SecurityGroupWorkTracker _workTracker;

     public SecurityGroupListener(SecurityGroupManagerImpl securityGroupManager, AgentManager agentMgr, SecurityGroupWorkDao workDao) {
         super();
         _securityGroupManager = securityGroupManager;
         _agentMgr = agentMgr;
         _workDao = workDao;
     }

     @Override
     public int getTimeout() {
         return -1;
     }

     @Override
     public boolean isRecurring() {
         return true;
     }

     @Override
     public boolean processAnswers(long agentId, long seq, Answer[] answers) {
         List<Long> affectedVms = new ArrayList<Long>();

         for (Answer ans : answers) {
             if (ans instanceof SecurityGroupRuleAnswer) {
                 SecurityGroupRuleAnswer ruleAnswer = (SecurityGroupRuleAnswer)ans;
                 if (ans.getResult()) {
                     s_logger.debug("Successfully programmed rule " + ruleAnswer.toString() + " into host " + agentId);
                     _workDao.updateStep(ruleAnswer.getVmId(), ruleAnswer.getLogSequenceNumber(), Step.Done);
                     recordSuccess(ruleAnswer.getVmId());
                 } else {
                     _workDao.updateStep(ruleAnswer.getVmId(), ruleAnswer.getLogSequenceNumber(), Step.Error);
                     ;
                     s_logger.debug("Failed to program rule " + ruleAnswer.toString() + " into host " + agentId + " due to " + ruleAnswer.getDetails() +
                         " and updated  jobs");
                     if (ruleAnswer.getReason() == FailureReason.CANNOT_BRIDGE_FIREWALL) {
                         s_logger.debug("Not retrying security group rules for vm " + ruleAnswer.getVmId() + " on failure since host " + agentId +
                             " cannot do bridge firewalling");
                     } else if (ruleAnswer.getReason() == FailureReason.PROGRAMMING_FAILED) {
                         if (checkShouldRetryOnFailure(ruleAnswer.getVmId())) {
                             s_logger.debug("Retrying security group rules on failure for vm " + ruleAnswer.getVmId());
                             affectedVms.add(ruleAnswer.getVmId());
                         } else {
                             s_logger.debug("Not retrying security group rules for vm " + ruleAnswer.getVmId() + " on failure: too many retries");
                         }
                     }
                 }

                 if (_workTracker != null)
                     _workTracker.processAnswers(agentId, seq, answers);
             }
         }

         if (affectedVms.size() > 0) {
             _securityGroupManager.scheduleRulesetUpdateToHosts(affectedVms, false, new Long(10 * 1000l));
         }

         return true;
     }

     protected boolean checkShouldRetryOnFailure(long vmId) {
         Integer currCount = _vmFailureCounts.get(vmId);
         if (currCount == null)
             currCount = 0;

         if (currCount.intValue() < MAX_RETRIES_ON_FAILURE) {
             _vmFailureCounts.put(vmId, ++currCount);
             return true;
         }

         return false;
     }

     protected void recordSuccess(long vmId) {
         _vmFailureCounts.remove(vmId);
     }

     @Override
     public boolean processCommands(long agentId, long seq, Command[] commands) {
         boolean processed = false;
         for (Command cmd : commands) {
             if (cmd instanceof PingRoutingWithNwGroupsCommand) {
                 PingRoutingWithNwGroupsCommand ping = (PingRoutingWithNwGroupsCommand)cmd;
                 if (ping.getNewGroupStates().size() > 0) {
                     _securityGroupManager.fullSync(agentId, ping.getNewGroupStates());
                 }
                 processed = true;
             }
         }
         return processed;
     }

     @Override
     public void processHostAdded(long hostId) {
     }

     @Override
     public void processConnect(Host host, StartupCommand cmd, boolean forRebalance) {
         if (s_logger.isInfoEnabled())
             s_logger.info("Received a host startup notification");

         if (cmd instanceof StartupRoutingCommand) {
             //if (Boolean.toString(true).equals(host.getDetail("can_bridge_firewall"))) {
             try {
                 int interval = MIN_TIME_BETWEEN_CLEANUPS + _cleanupRandom.nextInt(MIN_TIME_BETWEEN_CLEANUPS / 2);
                 CleanupNetworkRulesCmd cleanupCmd = new CleanupNetworkRulesCmd(interval);
                 Commands c = new Commands(cleanupCmd);
                 _agentMgr.send(host.getId(), c, this);
                 if (s_logger.isInfoEnabled())
                     s_logger.info("Scheduled network rules cleanup, interval=" + cleanupCmd.getInterval());
             } catch (AgentUnavailableException e) {
                 //usually hypervisors that do not understand sec group rules.
                 s_logger.debug("Unable to schedule network rules cleanup for host " + host.getId(), e);
             }
             if (_workTracker != null) {
                 _workTracker.processConnect(host.getId());
             }
         }
     }

     @Override
     public AgentControlAnswer processControlCommand(long agentId, AgentControlCommand cmd) {
         return null;
     }

     @Override
     public boolean processDisconnect(long agentId, Status state) {
         if (_workTracker != null) {
             _workTracker.processDisconnect(agentId);
         }
         return true;
     }

     @Override
     public void processHostAboutToBeRemoved(long hostId) {
     }

     @Override
     public void processHostRemoved(long hostId, long clusterId) {
     }

     @Override
     public boolean processTimeout(long agentId, long seq) {
         if (_workTracker != null) {
             _workTracker.processTimeout(agentId, seq);
         }
         return true;
     }

     public void setWorkDispatcher(SecurityGroupWorkTracker workDispatcher) {
         this._workTracker = workDispatcher;
     }
 }
	// Licensed to the Apache Software Foundation (ASF) under one
	// or more contributor license agreements. See the NOTICE file
	// distributed with this work for additional information
	// regarding copyright ownership. The ASF licenses this file
	// to you under the Apache License, Version 2.0 (the
	// "License"); you may not use this file except in compliance
	// with the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing,
	// software distributed under the License is distributed on an
	// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	// KIND, either express or implied. See the License for the
	// specific language governing permissions and limitations
	// under the License.
	package com.cloud.network.security;

	import java.util.ArrayList;
	import java.util.List;
	import java.util.Map;
	import java.util.Random;
	import java.util.concurrent.ConcurrentHashMap;

	import org.apache.log4j.Logger;

	import com.cloud.agent.AgentManager;
	import com.cloud.agent.Listener;
	import com.cloud.agent.api.AgentControlAnswer;
	import com.cloud.agent.api.AgentControlCommand;
	import com.cloud.agent.api.Answer;
	import com.cloud.agent.api.CleanupNetworkRulesCmd;
	import com.cloud.agent.api.Command;
	import com.cloud.agent.api.PingRoutingWithNwGroupsCommand;
	import com.cloud.agent.api.SecurityGroupRuleAnswer;
	import com.cloud.agent.api.SecurityGroupRuleAnswer.FailureReason;
	import com.cloud.agent.api.StartupCommand;
	import com.cloud.agent.api.StartupRoutingCommand;
	import com.cloud.agent.manager.Commands;
	import com.cloud.exception.AgentUnavailableException;
	import com.cloud.host.Host;
	import com.cloud.host.Status;
	import com.cloud.network.security.SecurityGroupWork.Step;
	import com.cloud.network.security.dao.SecurityGroupWorkDao;

	/**
	* Listens for answers to ingress rules modification commands
	*
	*/
	public class SecurityGroupListener implements Listener {
	public static final Logger s_logger = Logger.getLogger(SecurityGroupListener.class.getName());

	private static final int MAX_RETRIES_ON_FAILURE = 3;
	private static final int MIN_TIME_BETWEEN_CLEANUPS = 30 * 60;//30 minutes
	private final Random _cleanupRandom = new Random();

	SecurityGroupManagerImpl _securityGroupManager;
	AgentManager _agentMgr;
	SecurityGroupWorkDao _workDao;
	Map<Long, Integer> _vmFailureCounts = new ConcurrentHashMap<Long, Integer>();

	private SecurityGroupWorkTracker _workTracker;

	public SecurityGroupListener(SecurityGroupManagerImpl securityGroupManager, AgentManager agentMgr, SecurityGroupWorkDao workDao) {
	super();
	_securityGroupManager = securityGroupManager;
	_agentMgr = agentMgr;
	_workDao = workDao;
	}

	@Override
	public int getTimeout() {
	return -1;
	}

	@Override
	public boolean isRecurring() {
	return true;
	}

	@Override
	public boolean processAnswers(long agentId, long seq, Answer[] answers) {
	List<Long> affectedVms = new ArrayList<Long>();

	for (Answer ans : answers) {
	if (ans instanceof SecurityGroupRuleAnswer) {
	SecurityGroupRuleAnswer ruleAnswer = (SecurityGroupRuleAnswer)ans;
	if (ans.getResult()) {
	s_logger.debug("Successfully programmed rule " + ruleAnswer.toString() + " into host " + agentId);
	_workDao.updateStep(ruleAnswer.getVmId(), ruleAnswer.getLogSequenceNumber(), Step.Done);
	recordSuccess(ruleAnswer.getVmId());
	} else {
	_workDao.updateStep(ruleAnswer.getVmId(), ruleAnswer.getLogSequenceNumber(), Step.Error);
	;
	s_logger.debug("Failed to program rule " + ruleAnswer.toString() + " into host " + agentId + " due to " + ruleAnswer.getDetails() +
	" and updated jobs");
	if (ruleAnswer.getReason() == FailureReason.CANNOT_BRIDGE_FIREWALL) {
	s_logger.debug("Not retrying security group rules for vm " + ruleAnswer.getVmId() + " on failure since host " + agentId +
	" cannot do bridge firewalling");
	} else if (ruleAnswer.getReason() == FailureReason.PROGRAMMING_FAILED) {
	if (checkShouldRetryOnFailure(ruleAnswer.getVmId())) {
	s_logger.debug("Retrying security group rules on failure for vm " + ruleAnswer.getVmId());
	affectedVms.add(ruleAnswer.getVmId());
	} else {
	s_logger.debug("Not retrying security group rules for vm " + ruleAnswer.getVmId() + " on failure: too many retries");
	}
	}
	}

	if (_workTracker != null)
	_workTracker.processAnswers(agentId, seq, answers);
	}
	}

	if (affectedVms.size() > 0) {
	_securityGroupManager.scheduleRulesetUpdateToHosts(affectedVms, false, new Long(10 * 1000l));
	}

	return true;
	}

	protected boolean checkShouldRetryOnFailure(long vmId) {
	Integer currCount = _vmFailureCounts.get(vmId);
	if (currCount == null)
	currCount = 0;

	if (currCount.intValue() < MAX_RETRIES_ON_FAILURE) {
	_vmFailureCounts.put(vmId, ++currCount);
	return true;
	}

	return false;
	}

	protected void recordSuccess(long vmId) {
	_vmFailureCounts.remove(vmId);
	}

	@Override
	public boolean processCommands(long agentId, long seq, Command[] commands) {
	boolean processed = false;
	for (Command cmd : commands) {
	if (cmd instanceof PingRoutingWithNwGroupsCommand) {
	PingRoutingWithNwGroupsCommand ping = (PingRoutingWithNwGroupsCommand)cmd;
	if (ping.getNewGroupStates().size() > 0) {
	_securityGroupManager.fullSync(agentId, ping.getNewGroupStates());
	}
	processed = true;
	}
	}
	return processed;
	}

	@Override
	public void processHostAdded(long hostId) {
	}

	@Override
	public void processConnect(Host host, StartupCommand cmd, boolean forRebalance) {
	if (s_logger.isInfoEnabled())
	s_logger.info("Received a host startup notification");

	if (cmd instanceof StartupRoutingCommand) {
	//if (Boolean.toString(true).equals(host.getDetail("can_bridge_firewall"))) {
	try {
	int interval = MIN_TIME_BETWEEN_CLEANUPS + _cleanupRandom.nextInt(MIN_TIME_BETWEEN_CLEANUPS / 2);
	CleanupNetworkRulesCmd cleanupCmd = new CleanupNetworkRulesCmd(interval);
	Commands c = new Commands(cleanupCmd);
	_agentMgr.send(host.getId(), c, this);
	if (s_logger.isInfoEnabled())
	s_logger.info("Scheduled network rules cleanup, interval=" + cleanupCmd.getInterval());
	} catch (AgentUnavailableException e) {
	//usually hypervisors that do not understand sec group rules.
	s_logger.debug("Unable to schedule network rules cleanup for host " + host.getId(), e);
	}
	if (_workTracker != null) {
	_workTracker.processConnect(host.getId());
	}
	}
	}

	@Override
	public AgentControlAnswer processControlCommand(long agentId, AgentControlCommand cmd) {
	return null;
	}

	@Override
	public boolean processDisconnect(long agentId, Status state) {
	if (_workTracker != null) {
	_workTracker.processDisconnect(agentId);
	}
	return true;
	}

	@Override
	public void processHostAboutToBeRemoved(long hostId) {
	}

	@Override
	public void processHostRemoved(long hostId, long clusterId) {
	}

	@Override
	public boolean processTimeout(long agentId, long seq) {
	if (_workTracker != null) {
	_workTracker.processTimeout(agentId, seq);
	}
	return true;
	}

	public void setWorkDispatcher(SecurityGroupWorkTracker workDispatcher) {
	this._workTracker = workDispatcher;
	}
	}