// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.security;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.log4j.Logger;
import com.cloud.agent.AgentManager;
import com.cloud.agent.Listener;
import com.cloud.agent.api.AgentControlAnswer;
import com.cloud.agent.api.AgentControlCommand;
import com.cloud.agent.api.Answer;
import com.cloud.agent.api.CleanupNetworkRulesCmd;
import com.cloud.agent.api.Command;
import com.cloud.agent.api.PingRoutingWithNwGroupsCommand;
import com.cloud.agent.api.SecurityGroupRuleAnswer;
import com.cloud.agent.api.SecurityGroupRuleAnswer.FailureReason;
import com.cloud.agent.api.StartupCommand;
import com.cloud.agent.api.StartupRoutingCommand;
import com.cloud.agent.manager.Commands;
import com.cloud.exception.AgentUnavailableException;
import com.cloud.host.Host;
import com.cloud.host.Status;
import com.cloud.network.security.SecurityGroupWork.Step;
import com.cloud.network.security.dao.SecurityGroupWorkDao;
/**
* Listens for answers to ingress rules modification commands
*
*/
public class SecurityGroupListener implements Listener {
public static final Logger s_logger = Logger.getLogger(SecurityGroupListener.class.getName());
private static final int MAX_RETRIES_ON_FAILURE = 3;
private static final int MIN_TIME_BETWEEN_CLEANUPS = 30 * 60;//30 minutes
private final Random _cleanupRandom = new Random();
SecurityGroupManagerImpl _securityGroupManager;
AgentManager _agentMgr;
SecurityGroupWorkDao _workDao;
Map<Long, Integer> _vmFailureCounts = new ConcurrentHashMap<Long, Integer>();
private SecurityGroupWorkTracker _workTracker;
public SecurityGroupListener(SecurityGroupManagerImpl securityGroupManager, AgentManager agentMgr, SecurityGroupWorkDao workDao) {
super();
_securityGroupManager = securityGroupManager;
_agentMgr = agentMgr;
_workDao = workDao;
}
@Override
public int getTimeout() {
return -1;
}
@Override
public boolean isRecurring() {
return true;
}
@Override
public boolean processAnswers(long agentId, long seq, Answer[] answers) {
List<Long> affectedVms = new ArrayList<Long>();
for (Answer ans : answers) {
if (ans instanceof SecurityGroupRuleAnswer) {
SecurityGroupRuleAnswer ruleAnswer = (SecurityGroupRuleAnswer)ans;
if (ans.getResult()) {
s_logger.debug("Successfully programmed rule " + ruleAnswer.toString() + " into host " + agentId);
_workDao.updateStep(ruleAnswer.getVmId(), ruleAnswer.getLogSequenceNumber(), Step.Done);
recordSuccess(ruleAnswer.getVmId());
} else {
_workDao.updateStep(ruleAnswer.getVmId(), ruleAnswer.getLogSequenceNumber(), Step.Error);
;
s_logger.debug("Failed to program rule " + ruleAnswer.toString() + " into host " + agentId + " due to " + ruleAnswer.getDetails() +
" and updated jobs");
if (ruleAnswer.getReason() == FailureReason.CANNOT_BRIDGE_FIREWALL) {
s_logger.debug("Not retrying security group rules for vm " + ruleAnswer.getVmId() + " on failure since host " + agentId +
" cannot do bridge firewalling");
} else if (ruleAnswer.getReason() == FailureReason.PROGRAMMING_FAILED) {
if (checkShouldRetryOnFailure(ruleAnswer.getVmId())) {
s_logger.debug("Retrying security group rules on failure for vm " + ruleAnswer.getVmId());
affectedVms.add(ruleAnswer.getVmId());
} else {
s_logger.debug("Not retrying security group rules for vm " + ruleAnswer.getVmId() + " on failure: too many retries");
}
}
}
if (_workTracker != null)
_workTracker.processAnswers(agentId, seq, answers);
}
}
if (affectedVms.size() > 0) {
_securityGroupManager.scheduleRulesetUpdateToHosts(affectedVms, false, new Long(10 * 1000l));
}
return true;
}
protected boolean checkShouldRetryOnFailure(long vmId) {
Integer currCount = _vmFailureCounts.get(vmId);
if (currCount == null)
currCount = 0;
if (currCount.intValue() < MAX_RETRIES_ON_FAILURE) {
_vmFailureCounts.put(vmId, ++currCount);
return true;
}
return false;
}
protected void recordSuccess(long vmId) {
_vmFailureCounts.remove(vmId);
}
@Override
public boolean processCommands(long agentId, long seq, Command[] commands) {
boolean processed = false;
for (Command cmd : commands) {
if (cmd instanceof PingRoutingWithNwGroupsCommand) {
PingRoutingWithNwGroupsCommand ping = (PingRoutingWithNwGroupsCommand)cmd;
if (ping.getNewGroupStates().size() > 0) {
_securityGroupManager.fullSync(agentId, ping.getNewGroupStates());
}
processed = true;
}
}
return processed;
}
@Override
public void processHostAdded(long hostId) {
}
@Override
public void processConnect(Host host, StartupCommand cmd, boolean forRebalance) {
if (s_logger.isInfoEnabled())
s_logger.info("Received a host startup notification");
if (cmd instanceof StartupRoutingCommand) {
//if (Boolean.toString(true).equals(host.getDetail("can_bridge_firewall"))) {
try {
int interval = MIN_TIME_BETWEEN_CLEANUPS + _cleanupRandom.nextInt(MIN_TIME_BETWEEN_CLEANUPS / 2);
CleanupNetworkRulesCmd cleanupCmd = new CleanupNetworkRulesCmd(interval);
Commands c = new Commands(cleanupCmd);
_agentMgr.send(host.getId(), c, this);
if (s_logger.isInfoEnabled())
s_logger.info("Scheduled network rules cleanup, interval=" + cleanupCmd.getInterval());
} catch (AgentUnavailableException e) {
//usually hypervisors that do not understand sec group rules.
s_logger.debug("Unable to schedule network rules cleanup for host " + host.getId(), e);
}
if (_workTracker != null) {
_workTracker.processConnect(host.getId());
}
}
}
@Override
public AgentControlAnswer processControlCommand(long agentId, AgentControlCommand cmd) {
return null;
}
@Override
public boolean processDisconnect(long agentId, Status state) {
if (_workTracker != null) {
_workTracker.processDisconnect(agentId);
}
return true;
}
@Override
public void processHostAboutToBeRemoved(long hostId) {
}
@Override
public void processHostRemoved(long hostId, long clusterId) {
}
@Override
public boolean processTimeout(long agentId, long seq) {
if (_workTracker != null) {
_workTracker.processTimeout(agentId, seq);
}
return true;
}
public void setWorkDispatcher(SecurityGroupWorkTracker workDispatcher) {
this._workTracker = workDispatcher;
}
}