nova鎖定雲主機的hack

時間 2020-01-15

標籤 nova 鎖定主機 hack 简体版

原文原文鏈接

nova有個有意思的功能，《鎖定雲主機》，從某種程度上來講算是對虛擬機的一種保護機制吧。node

社區nova lock server bp （nova api那端） https://review.openstack.org/#/c/58267/python

nova compute端實現的lock instance修飾器，這個修飾器直接加在snapshot、attach/detach interface等虛擬機操做函數前面，就起到鎖定雲主機的效果。git

nova/compute/api.py
def check_instance_lock(function):
    @functools.wraps(function)
    def inner(self, context, instance, *args, **kwargs):
        if instance.locked and not context.is_admin:        # 這裏鎖定雲主機對admin role的用戶無效，這裏能夠hack下，讓管理員也沒法操做鎖定的雲主機
            raise exception.InstanceIsLocked(instance_uuid=instance.uuid)
        return function(self, context, instance, *args, **kwargs)
    return inner

L版nova已經有查詢虛擬機是否被lock的api了，不過要求api version大於2.9github

https://github.com/openstack/nova/commit/49a572a043f27623a15af5f1b8e54c3a560b805cvim

下面是個人修改過程（rdo源裝出來的OpenStack）：api

[root@node_172_16_214_226 nova(keystone_admin)]# vim /usr/lib/python2.7/site-packages/nova-4.0-py2.7.egg-info/entry_points.txt
extended_status = nova.api.openstack.compute.extended_status:ExtendedStatus
extended_volumes = nova.api.openstack.compute.extended_volumes:ExtendedVolumes
extension_info = nova.api.openstack.compute.extension_info:ExtensionInfo
extended_lock_status = nova.api.openstack.compute.extended_lock_status:Extended_lock_status  # 這個是新加的

須要擴展下nova apipython2.7

[root@node_172_16_214_226 nova(keystone_admin)]# cat /usr/lib/python2.7/site-packages/nova/api/openstack/compute/extended_lock_status.py
from nova.api.openstack import extensions
from nova.api.openstack import wsgi
ALIAS = "os-extended-lock-status"
authorize = extensions.os_compute_soft_authorizer(ALIAS)
PREFIX = "OS-EXT-LS"

class ExtendedLockStatusController(wsgi.Controller):
    def _extend_server(self, server, instance):
        key = "%s:%s" % (PREFIX, 'locked_by')
        server[key] = instance['locked_by']
        
    @wsgi.extends
    def show(self, req, resp_obj, id):
        context = req.environ['nova.context']
        if authorize(context):
            server = resp_obj.obj['server']
            # server['id'] is guaranteed to be in the cache due to
            # the core API adding it in its 'show' method.
            db_instance = req.get_db_instance(server['id'])
            self._extend_server(server, db_instance)
            
    @wsgi.extends
    def detail(self, req, resp_obj):
        context = req.environ['nova.context']
        if authorize(context):
            servers = list(resp_obj.obj['servers'])
            for server in servers:
                # server['id'] is guaranteed to be in the cache due to
                # the core API adding it in its 'detail' method.
                db_instance = req.get_db_instance(server['id'])
                self._extend_server(server, db_instance)
                
                
class Extended_lock_status(extensions.V21APIExtensionBase):
    """Extended lock Status support."""
    name = "ExtendedLockStatus"
    alias = ALIAS
    version = 1
    def get_controller_extensions(self):
        controller = ExtendedLockStatusController()
        extension = extensions.ControllerExtension(self, 'servers', controller)
        return [extension]
        
    def get_resources(self):
        return []

經過nova show看效果ide

[root@node_172_16_214_226 nova(keystone_admin)]# nova show test 函數

+--------------------------------------+----------------------------------------------------------+ui

| Property | Value |

+--------------------------------------+----------------------------------------------------------+

| OS-DCF:diskConfig | MANUAL |

| OS-EXT-AZ:availability_zone | nova |

| OS-EXT-LS:locked_by | - | # 這個是新添加的屬性

| OS-EXT-SRV-ATTR:host | node_172_16_214_226 |

| OS-EXT-SRV-ATTR:hostname | test |

| OS-EXT-SRV-ATTR:hypervisor_hostname | node_172_16_214_226 |

| OS-EXT-SRV-ATTR:instance_name | instance-00000046 |