nova锁定云主机的hack

时间 2020-01-15

标签 nova 锁定主机 hack 繁體版

原文原文链接

nova有个有意思的功能，《锁定云主机》，从某种程度上来讲算是对虚拟机的一种保护机制吧。node

社区nova lock server bp （nova api那端） https://review.openstack.org/#/c/58267/python

nova compute端实现的lock instance修饰器，这个修饰器直接加在snapshot、attach/detach interface等虚拟机操做函数前面，就起到锁定云主机的效果。git

nova/compute/api.py
def check_instance_lock(function):
    @functools.wraps(function)
    def inner(self, context, instance, *args, **kwargs):
        if instance.locked and not context.is_admin:        # 这里锁定云主机对admin role的用户无效，这里能够hack下，让管理员也没法操做锁定的云主机
            raise exception.InstanceIsLocked(instance_uuid=instance.uuid)
        return function(self, context, instance, *args, **kwargs)
    return inner

L版nova已经有查询虚拟机是否被lock的api了，不过要求api version大于2.9github

https://github.com/openstack/nova/commit/49a572a043f27623a15af5f1b8e54c3a560b805cvim

下面是个人修改过程（rdo源装出来的OpenStack）：api

[root@node_172_16_214_226 nova(keystone_admin)]# vim /usr/lib/python2.7/site-packages/nova-4.0-py2.7.egg-info/entry_points.txt
extended_status = nova.api.openstack.compute.extended_status:ExtendedStatus
extended_volumes = nova.api.openstack.compute.extended_volumes:ExtendedVolumes
extension_info = nova.api.openstack.compute.extension_info:ExtensionInfo
extended_lock_status = nova.api.openstack.compute.extended_lock_status:Extended_lock_status  # 这个是新加的

须要扩展下nova apipython2.7

[root@node_172_16_214_226 nova(keystone_admin)]# cat /usr/lib/python2.7/site-packages/nova/api/openstack/compute/extended_lock_status.py
from nova.api.openstack import extensions
from nova.api.openstack import wsgi
ALIAS = "os-extended-lock-status"
authorize = extensions.os_compute_soft_authorizer(ALIAS)
PREFIX = "OS-EXT-LS"

class ExtendedLockStatusController(wsgi.Controller):
    def _extend_server(self, server, instance):
        key = "%s:%s" % (PREFIX, 'locked_by')
        server[key] = instance['locked_by']
        
    @wsgi.extends
    def show(self, req, resp_obj, id):
        context = req.environ['nova.context']
        if authorize(context):
            server = resp_obj.obj['server']
            # server['id'] is guaranteed to be in the cache due to
            # the core API adding it in its 'show' method.
            db_instance = req.get_db_instance(server['id'])
            self._extend_server(server, db_instance)
            
    @wsgi.extends
    def detail(self, req, resp_obj):
        context = req.environ['nova.context']
        if authorize(context):
            servers = list(resp_obj.obj['servers'])
            for server in servers:
                # server['id'] is guaranteed to be in the cache due to
                # the core API adding it in its 'detail' method.
                db_instance = req.get_db_instance(server['id'])
                self._extend_server(server, db_instance)
                
                
class Extended_lock_status(extensions.V21APIExtensionBase):
    """Extended lock Status support."""
    name = "ExtendedLockStatus"
    alias = ALIAS
    version = 1
    def get_controller_extensions(self):
        controller = ExtendedLockStatusController()
        extension = extensions.ControllerExtension(self, 'servers', controller)
        return [extension]
        
    def get_resources(self):
        return []

经过nova show看效果ide

[root@node_172_16_214_226 nova(keystone_admin)]# nova show test 函数

+--------------------------------------+----------------------------------------------------------+ui

| Property | Value |

+--------------------------------------+----------------------------------------------------------+

| OS-DCF:diskConfig | MANUAL |

| OS-EXT-AZ:availability_zone | nova |

| OS-EXT-LS:locked_by | - | # 这个是新添加的属性

| OS-EXT-SRV-ATTR:host | node_172_16_214_226 |

| OS-EXT-SRV-ATTR:hostname | test |

| OS-EXT-SRV-ATTR:hypervisor_hostname | node_172_16_214_226 |

| OS-EXT-SRV-ATTR:instance_name | instance-00000046 |

| OS-EXT-SRV-ATTR:kernel_id | |

| OS-EXT-SRV-ATTR:launch_index | 0 |

| OS-EXT-SRV-ATTR:ramdisk_id | |

| OS-EXT-SRV-ATTR:reservation_id | r-kbdl0t6k |

| OS-EXT-SRV-ATTR:root_device_name | /dev/vda |

| OS-EXT-SRV-ATTR:user_data | - |

| OS-EXT-STS:power_state | 1 |

| OS-EXT-STS:task_state | - |

| OS-EXT-STS:vm_state | active |

| OS-SRV-USG:launched_at | 2016-11-22T13:21:58.000000 |

| OS-SRV-USG:terminated_at | - |

| accessIPv4 | |

| accessIPv6 | |

| config_drive | |

| created | 2016-11-22T13:21:52Z |

| flavor | m1.tiny (1) |

| hostId | 29b91781dbeba4710be0f1016c579eac24e8699c1835d19b0ad0ece7 |

| id | c55bebc9-a12c-41f9-aa94-81139dd7214a |

| p_w_picpath | cirros (9799a9f9-2e4b-4151-badc-ab0aba64fef1) |

| key_name | test |

| metadata | {} |

| name | test |

| os-extended-volumes:volumes_attached | [] |

| progress | 0 |

| security_groups | default |

| status | ACTIVE |

| tenant_id | 7d58dea58dd448d4b095da27986176f2 |

| test network | 172.15.7.70 |

| updated | 2016-11-23T03:36:07Z |

| user_id | 97130e6be7b04c61bf59cd13e9ba3b33 |

+--------------------------------------+----------------------------------------------------------+

参考连接

http://int32bit.me/2016/11/09/Openstack%E8%99%9A%E6%8B%9F%E6%9C%BA%E9%98%B2%E6%AD%A2%E8%AF%AF%E5%88%A0%E9%99%A4%E6%93%8D%E4%BD%9C%E7%9A%84%E5%87%A0%E7%A7%8D%E5%AE%9E%E7%8E%B0%E6%96%B9%E6%B3%95/