Add network egress rules for Diego

Michael Fraenkel · Michael Fraenkel · commit b0e4288d4f36 · 2015-01-19T17:13:12.000-08:00
- flow network egress rules for staging and desiring

[#79330234]

Signed-off-by: Hristo Iliev &lt;hsiliev@gmail.com&gt;
Signed-off-by: Atul Kshirsagar &lt;atul.kshirsagar@gmail.com&gt;
diff --git a/lib/cloud_controller/diego/common/protocol.rb b/lib/cloud_controller/diego/common/protocol.rb
@@ -6,6 +6,15 @@ def stop_index_request(app, index)
           ['diego.stop.index', stop_index_message(app, index).to_json]
         end
 
+        def staging_egress_rules
+          staging_security_groups = SecurityGroup.where(staging_default: true).all
+          EgressNetworkRulesPresenter.new(staging_security_groups).to_array.collect { |sg| transform_rule(sg) }.flatten
+        end
+
+        def running_egress_rules(app)
+          EgressNetworkRulesPresenter.new(app.space.security_groups).to_array.collect { |sg| transform_rule(sg) }.flatten
+        end
+
         private
 
         def stop_index_message(app, index)
@@ -14,6 +23,30 @@ def stop_index_message(app, index)
             'index' => index,
           }
         end
+
+        def transform_rule(rule)
+          protocol = rule['protocol']
+          template = {
+            'protocol' => protocol,
+            'destination' => rule['destination'],
+          }
+
+          case protocol
+          when 'icmp'
+            template['icmp_info'] = { 'type' => rule['type'], 'code' => rule['code'] }
+          when 'tcp', 'udp'
+            range = rule['ports'].split('-')
+            if range.size == 1
+              template['ports'] = range[0].split(',').collect(&:to_i)
+            else
+              template['port_range'] = { 'start' => range[0].to_i, 'end' => range[1].to_i }
+            end
+          end
+
+          template['log'] = rule['log'] if rule['log']
+
+          template
+        end
       end
     end
   end
diff --git a/lib/cloud_controller/diego/docker/protocol.rb b/lib/cloud_controller/diego/docker/protocol.rb
@@ -22,6 +22,7 @@ def stage_app_message(app, staging_timeout)
             'file_descriptors' => app.file_descriptors,
             'stack' => app.stack.name,
             'docker_image' => app.docker_image,
+            'egress_rules' => @common_protocol.staging_egress_rules,
             'timeout' => staging_timeout,
           }
         end
@@ -49,6 +50,7 @@ def desire_app_message(app)
             'log_guid' => app.guid,
             'docker_image' => app.docker_image,
             'health_check_type' => app.health_check_type,
+            'egress_rules' => @common_protocol.running_egress_rules(app),
             'etag' => app.updated_at.to_f.to_s
           }
 
diff --git a/lib/cloud_controller/diego/traditional/protocol.rb b/lib/cloud_controller/diego/traditional/protocol.rb
@@ -38,6 +38,7 @@ def stage_app_message(app, staging_timeout)
             'droplet_upload_uri' => @blobstore_url_generator.droplet_upload_url(app),
             'build_artifacts_cache_download_uri' => @blobstore_url_generator.buildpack_cache_download_url(app),
             'build_artifacts_cache_upload_uri' => @blobstore_url_generator.buildpack_cache_upload_url(app),
+            'egress_rules' => @common_protocol.staging_egress_rules,
             'timeout' => staging_timeout,
           }
         end
@@ -57,6 +58,7 @@ def desire_app_message(app)
             'routes' => app.uris,
             'log_guid' => app.guid,
             'health_check_type' => app.health_check_type,
+            'egress_rules' => @common_protocol.running_egress_rules(app),
             'etag' => app.updated_at.to_f.to_s
           }
 
diff --git a/spec/unit/lib/cloud_controller/diego/common/protocol_spec.rb b/spec/unit/lib/cloud_controller/diego/common/protocol_spec.rb
@@ -18,6 +18,46 @@ module Common
             expect(request.last).to match_json({ 'process_guid' => 'guid-versioned', 'index' => 33 })
           end
         end
+
+        describe 'staging_egress_rules' do
+          before do
+            SecurityGroup.make(rules: [{ 'protocol' => 'udp', 'ports' => '8080-9090', 'destination' => '198.41.191.47/1' }], staging_default: true)
+            SecurityGroup.make(rules: [{ 'protocol' => 'tcp', 'ports' => '8080,9090', 'destination' => '198.41.191.48/1', 'log' => true }], staging_default: true)
+            SecurityGroup.make(rules: [{ 'protocol' => 'tcp', 'ports' => '443', 'destination' => '198.41.191.49/1' }], staging_default: true)
+            SecurityGroup.make(rules: [{ 'protocol' => 'icmp', 'destination' => '0.0.0.0/0', 'type' => 0, 'code' => 1 }], staging_default: true)
+            SecurityGroup.make(rules: [{ 'protocol' => 'tcp', 'ports' => '80', 'destination' => '0.0.0.0/0' }], staging_default: false)
+          end
+
+          it 'includes egress security group staging information by aggregating all sg with staging_default=true' do
+            expect(protocol.staging_egress_rules).to match_array([
+              { 'protocol' => 'udp', 'port_range' => { 'start' => 8080, 'end' => 9090 }, 'destination' => '198.41.191.47/1' },
+              { 'protocol' => 'tcp', 'ports' => [8080, 9090], 'destination' => '198.41.191.48/1', 'log' => true },
+              { 'protocol' => 'tcp', 'ports' => [443], 'destination' => '198.41.191.49/1' },
+              { 'protocol' => 'icmp', 'icmp_info' => { 'type' => 0, 'code' => 1 }, 'destination' => '0.0.0.0/0' },
+            ])
+          end
+        end
+
+        describe 'running_egress_rules' do
+          let(:app) { AppFactory.make }
+          let(:sg_default_rules_1) { [{ 'protocol' => 'udp', 'ports' => '8080', 'destination' => '198.41.191.47/1' }] }
+          let(:sg_default_rules_2) { [{ 'protocol' => 'tcp', 'ports' => '9090-9095', 'destination' => '198.41.191.48/1', 'log' => true }] }
+          let(:sg_for_space_rules) { [{ 'protocol' => 'udp', 'ports' => '1010,2020', 'destination' => '198.41.191.49/1' }] }
+
+          before do
+            SecurityGroup.make(rules: sg_default_rules_1, running_default: true)
+            SecurityGroup.make(rules: sg_default_rules_2, running_default: true)
+            app.space.add_security_group(SecurityGroup.make(rules: sg_for_space_rules))
+          end
+
+          it 'should provide the egress rules in the start message' do
+            expect(protocol.running_egress_rules(app)).to match_array([
+              { 'protocol' => 'udp', 'ports' => [8080], 'destination' => '198.41.191.47/1' },
+              { 'protocol' => 'tcp', 'port_range' => { 'start' => 9090, 'end' => 9095 }, 'destination' => '198.41.191.48/1', 'log' => true },
+              { 'protocol' => 'udp', 'ports' => [1010, 2020], 'destination' => '198.41.191.49/1' },
+            ])
+          end
+        end
       end
     end
   end
diff --git a/spec/unit/lib/cloud_controller/diego/docker/protocol_spec.rb b/spec/unit/lib/cloud_controller/diego/docker/protocol_spec.rb
@@ -21,6 +21,11 @@ module Docker
           Protocol.new(common_protocol)
         end
 
+        before do
+          allow(common_protocol).to receive(:staging_egress_rules).and_return(['staging_egress_rule'])
+          allow(common_protocol).to receive(:running_egress_rules).with(app).and_return(['running_egress_rule'])
+        end
+
         describe '#stage_app_request' do
           subject(:request) do
             protocol.stage_app_request(app, 900)
@@ -47,6 +52,7 @@ module Docker
               'file_descriptors' => app.file_descriptors,
               'stack' => app.stack.name,
               'docker_image' => app.docker_image,
+              'egress_rules' => ['staging_egress_rule'],
               'timeout' => 900,
             })
           end
@@ -84,6 +90,7 @@ module Docker
               'log_guid' => app.guid,
               'docker_image' => app.docker_image,
               'health_check_type' => app.health_check_type,
+              'egress_rules' => ['running_egress_rule'],
               'etag' => app.updated_at.to_f.to_s,
             })
           end
diff --git a/spec/unit/lib/cloud_controller/diego/messenger_spec.rb b/spec/unit/lib/cloud_controller/diego/messenger_spec.rb
@@ -50,6 +50,7 @@ module Diego
             'app_bits_download_uri' => 'http://app-package.com',
             'buildpacks' => Traditional::BuildpackEntryGenerator.new(blobstore_url_generator).buildpack_entries(app),
             'droplet_upload_uri' => 'http://droplet-upload-uri',
+            'egress_rules' => [],
             'timeout' => 90,
           }
 
@@ -77,6 +78,7 @@ module Diego
             'health_check_type' => app.health_check_type,
             'health_check_timeout_in_seconds' => 120,
             'log_guid' => app.guid,
+            'egress_rules' => [],
             'etag' => app.updated_at.to_f.to_s,
           }
         end
diff --git a/spec/unit/lib/cloud_controller/diego/traditional/protocol_spec.rb b/spec/unit/lib/cloud_controller/diego/traditional/protocol_spec.rb
@@ -16,18 +16,21 @@ module Traditional
 
         let(:common_protocol) { double(:common_protocol) }
 
+        let(:app) do
+          AppFactory.make
+        end
+
         subject(:protocol) do
           Protocol.new(blobstore_url_generator, common_protocol)
         end
 
-        describe '#stage_app_request' do
-          let(:app) do
-            AppFactory.make
-          end
+        before do
+          allow(common_protocol).to receive(:staging_egress_rules).and_return(['staging_egress_rule'])
+          allow(common_protocol).to receive(:running_egress_rules).with(app).and_return(['running_egress_rule'])
+        end
 
-          subject(:request) do
-            protocol.stage_app_request(app, 900)
-          end
+        describe '#stage_app_request' do
+          let(:request) { protocol.stage_app_request(app, 900) }
 
           it 'returns arguments intended for CfMessageBus::MessageBus#publish' do
             expect(request.size).to eq(2)
@@ -37,37 +40,36 @@ module Traditional
         end
 
         describe '#stage_app_message' do
-          let(:staging_app) { AppFactory.make }
-          subject(:message) { protocol.stage_app_message(staging_app, 900) }
+          let(:message) { protocol.stage_app_message(app, 900) }
 
           before do
-            staging_app.update(staging_task_id: 'fake-staging-task-id') # Mimic Diego::Messenger#send_stage_request
+            app.update(staging_task_id: 'fake-staging-task-id') # Mimic Diego::Messenger#send_stage_request
           end
 
           it 'is a nats message with the appropriate staging subject and payload' do
             buildpack_entry_generator = BuildpackEntryGenerator.new(blobstore_url_generator)
 
             expect(message).to eq(
-              'app_id' => staging_app.guid,
+              'app_id' => app.guid,
               'task_id' => 'fake-staging-task-id',
-              'memory_mb' => staging_app.memory,
-              'disk_mb' => staging_app.disk_quota,
-              'file_descriptors' => staging_app.file_descriptors,
-              'environment' => Environment.new(staging_app).as_json,
-              'stack' => staging_app.stack.name,
+              'memory_mb' => app.memory,
+              'disk_mb' => app.disk_quota,
+              'file_descriptors' => app.file_descriptors,
+              'environment' => Environment.new(app).as_json,
+              'stack' => app.stack.name,
               'build_artifacts_cache_download_uri' => 'http://buildpack-artifacts-cache.com',
               'build_artifacts_cache_upload_uri' => 'http://buildpack-artifacts-cache.up.com',
               'app_bits_download_uri' => 'http://app-package.com',
-              'buildpacks' => buildpack_entry_generator.buildpack_entries(staging_app),
+              'buildpacks' => buildpack_entry_generator.buildpack_entries(app),
               'droplet_upload_uri' => 'http://droplet-upload-uri',
+              'egress_rules' => ['staging_egress_rule'],
               'timeout' => 900,
             )
           end
         end
 
         describe '#desire_app_request' do
-          let(:app) { AppFactory.make }
-          subject(:request) { protocol.desire_app_request(app) }
+          let(:request) { protocol.desire_app_request(app) }
 
           it 'returns arguments intended for CfMessageBus::MessageBus#publish' do
             expect(request.size).to eq(2)
@@ -95,15 +97,13 @@ module Traditional
             )
           end
 
+          let(:message) { protocol.desire_app_message(app) }
+
           before do
             environment = instance_double(Environment, as_json: [{ 'name' => 'fake', 'value' => 'environment' }])
             allow(Environment).to receive(:new).with(app).and_return(environment)
           end
 
-          subject(:message) do
-            protocol.desire_app_message(app)
-          end
-
           it 'is a messsage with the information nsync needs to desire the app' do
             expect(message).to eq(
               'disk_mb' => 222,
@@ -120,6 +120,7 @@ module Traditional
               'start_command' => 'the-custom-command',
               'execution_metadata' => 'staging-metadata',
               'routes' => ['fake-uris'],
+              'egress_rules' => ['running_egress_rule'],
               'etag' => '12345.6789'
             )
           end
@@ -136,14 +137,8 @@ module Traditional
         end
 
         describe '#stop_staging_app_request' do
-          let(:app) do
-            AppFactory.make
-          end
           let(:task_id) { 'staging_task_id' }
-
-          subject(:request) do
-            protocol.stop_staging_app_request(app, task_id)
-          end
+          let(:request) { protocol.stop_staging_app_request(app, task_id) }
 
           it 'returns an array of arguments including the subject and message' do
             expect(request.size).to eq(2)
@@ -153,20 +148,18 @@ module Traditional
         end
 
         describe '#stop_staging_message' do
-          let(:staging_app) { AppFactory.make }
           let(:task_id) { 'staging_task_id' }
-          subject(:message) { protocol.stop_staging_message(staging_app, task_id) }
+          let(:message) { protocol.stop_staging_message(app, task_id) }
 
           it 'is a nats message with the appropriate staging subject and payload' do
             expect(message).to eq(
-              'app_id' => staging_app.guid,
+              'app_id' => app.guid,
               'task_id' => task_id,
             )
           end
         end
 
         describe '#stop_index_request' do
-          let(:app) { AppFactory.make }
           before { allow(common_protocol).to receive(:stop_index_request) }
 
           it 'delegates to the common protocol' do

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ def stage_app_message(app, staging_timeout)`
`22`	`22`	`'file_descriptors' => app.file_descriptors,`
`23`	`23`	`'stack' => app.stack.name,`
`24`	`24`	`'docker_image' => app.docker_image,`
	`25`	`+ 'egress_rules' => @common_protocol.staging_egress_rules,`
`25`	`26`	`'timeout' => staging_timeout,`
`26`	`27`	`}`
`27`	`28`	`end`
`@@ -49,6 +50,7 @@ def desire_app_message(app)`
`49`	`50`	`'log_guid' => app.guid,`
`50`	`51`	`'docker_image' => app.docker_image,`
`51`	`52`	`'health_check_type' => app.health_check_type,`
	`53`	`+ 'egress_rules' => @common_protocol.running_egress_rules(app),`
`52`	`54`	`'etag' => app.updated_at.to_f.to_s`
`53`	`55`	`}`
`54`	`56`
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,7 @@ def stage_app_message(app, staging_timeout)`
`38`	`38`	`'droplet_upload_uri' => @blobstore_url_generator.droplet_upload_url(app),`
`39`	`39`	`'build_artifacts_cache_download_uri' => @blobstore_url_generator.buildpack_cache_download_url(app),`
`40`	`40`	`'build_artifacts_cache_upload_uri' => @blobstore_url_generator.buildpack_cache_upload_url(app),`
	`41`	`+ 'egress_rules' => @common_protocol.staging_egress_rules,`
`41`	`42`	`'timeout' => staging_timeout,`
`42`	`43`	`}`
`43`	`44`	`end`
`@@ -57,6 +58,7 @@ def desire_app_message(app)`
`57`	`58`	`'routes' => app.uris,`
`58`	`59`	`'log_guid' => app.guid,`
`59`	`60`	`'health_check_type' => app.health_check_type,`
	`61`	`+ 'egress_rules' => @common_protocol.running_egress_rules(app),`
`60`	`62`	`'etag' => app.updated_at.to_f.to_s`
`61`	`63`	`}`
`62`	`64`
Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,7 @@ module Diego`
`50`	`50`	`'app_bits_download_uri' => 'http://app-package.com',`
`51`	`51`	`'buildpacks' => Traditional::BuildpackEntryGenerator.new(blobstore_url_generator).buildpack_entries(app),`
`52`	`52`	`'droplet_upload_uri' => 'http://droplet-upload-uri',`
	`53`	`+ 'egress_rules' => [],`
`53`	`54`	`'timeout' => 90,`
`54`	`55`	`}`
`55`	`56`
`@@ -77,6 +78,7 @@ module Diego`
`77`	`78`	`'health_check_type' => app.health_check_type,`
`78`	`79`	`'health_check_timeout_in_seconds' => 120,`
`79`	`80`	`'log_guid' => app.guid,`
	`81`	`+ 'egress_rules' => [],`
`80`	`82`	`'etag' => app.updated_at.to_f.to_s,`
`81`	`83`	`}`
`82`	`84`	`end`