1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
|
#
# An abstractions in front of Fog, which is an abstraction in front of
# the AWS api. Oh my!
#
# A Cloud object binds a particular node with particular Fog
# authentication credentials.
#
# NOTE: Possible AWS options for creating instances:
#
# options = {
# 'BlockDeviceMapping' => block_device_mapping,
# 'NetworkInterfaces' => network_interfaces,
# 'ClientToken' => client_token,
# 'DisableApiTermination' => disable_api_termination,
# 'EbsOptimized' => ebs_optimized,
# 'IamInstanceProfile.Arn' => @iam_instance_profile_arn,
# 'IamInstanceProfile.Name' => @iam_instance_profile_name,
# 'InstanceInitiatedShutdownBehavior' => instance_initiated_shutdown_behavior,
# 'InstanceType' => flavor_id,
# 'KernelId' => kernel_id,
# 'KeyName' => key_name,
# 'Monitoring.Enabled' => monitoring,
# 'Placement.AvailabilityZone' => availability_zone,
# 'Placement.GroupName' => placement_group,
# 'Placement.Tenancy' => tenancy,
# 'PrivateIpAddress' => private_ip_address,
# 'RamdiskId' => ramdisk_id,
# 'SecurityGroup' => groups,
# 'SecurityGroupId' => security_group_ids,
# 'SubnetId' => subnet_id,
# 'UserData' => user_data,
# }
#
module LeapCli
class Cloud
LEAP_SG_NAME = 'leap_default'
LEAP_SG_DESC = 'Default security group for LEAP nodes'
include LeapCli::LogCommand
attr_reader :compute # Fog::Compute object
attr_reader :node # Config::Node, if any
attr_reader :options # options for the VMs, if any
attr_reader :image # which vm image to use, if any
attr_reader :name # name of which entry in cloud.json to use
def initialize(name, conf, node=nil)
@node = node
@name = name
@conf = conf
@compute = nil
@options = nil
@image = nil
raise ArgumentError, 'name missing' unless @name
raise ArgumentError, 'config missing' unless @conf
raise ArgumentError, 'config auth missing' unless @conf["auth"]
raise ArgumentError, 'config auth missing' unless @conf["vendor"]
credentials = @conf["auth"].symbolize_keys
credentials[:provider] = @conf["vendor"]
@compute = Fog::Compute.new(credentials)
@options = @conf['default_options'] || {}
@image = @conf['default_image'] || Cloud.aws_image(credentials[:region])
if @node
@options = node.vm.options if node['vm.options']
@image = node.vm.image if node['vm.image']
end
end
#
# fetches or creates a server for this cloud object.
#
def fetch_or_create_server(options)
fetch_server_for_node || create_new_vm_instance(choose_ssh_key: options[:choose_ssh_key])
end
#
# fetches the server for a particular node.
#
# return nil if this cloud object has no node, or there is no corresponding
# server.
#
def fetch_server_for_node(bail_on_failure=false)
server = nil
return nil unless @node
# does an instance exist that matches the node's vm.id?
if @node.vm_id?
instance_id = @node.vm.id
server = @compute.servers.get(instance_id)
end
# does an instance exist that is tagged with this node name?
if server.nil?
response = @compute.describe_instances({"tag:node_name" => @node.name})
# puts JSON.pretty_generate(response.body)
if !response.body["reservationSet"].empty?
instances = response.body["reservationSet"].first["instancesSet"]
if instances.size > 1
bail! "There are multiple VMs with the same node name tag! Manually remove one before continuing."
elsif instances.size == 1
instance_id = instances.first["instanceId"]
server = @compute.servers.get(instance_id)
end
end
end
if server.nil? && bail_on_failure
bail! :error, "A virtual machine could not be found for node `#{@node.name}`. Things to try:" do
log "check the output of `leap vm status`"
log "check the value of `vm.id` in #{@node.name}.json"
log "run `leap vm add #{@node.name}` to create a corresponding virtual machine"
end
end
return server
end
#
# associates a node with a vm
#
def bind_server_to_node(server)
unless @node
raise ArgumentError, 'no node'
end
if server.public_ip_address.nil?
bail! do
log 'The virtual machine `%s` must have an IP address in order to bind it to the configuration `%s`.' % [
server.id, Path.relative_path(Path.named_path([:node_config, @node.name]))]
log 'To fix, run `leap vm start %s`' % server.id
end
end
# assign tag
@compute.create_tags(server.id, {'node_name' => @node.name})
log :created, "association between node '%s' and vm '%s'" % [@node.name, server.id]
# update node json
@node.update_json({
"ip_address" => server.public_ip_address,
"vm"=> {"id"=>server.id}
})
log "done", :color => :green, :style => :bold
end
#
# disassociates a node from a vm
#
def unbind_server_from_node(server)
raise ArgumentError, 'no node' unless @node
# assign tag
@compute.delete_tags(server.id, {'node_name' => @node.name})
log :removed, "association between node '%s' and vm '%s'" % [@node.name, server.id]
# update node json
@node.update_json({
"ip_address" => '0.0.0.0',
"vm"=> {"id" => ""}
})
end
#
# return an AWS KeyPair object, potentially uploading it to the server
# if necessary.
#
# this is used when initially creating the vm. After the first `node init`, then
# all sysadmins should have access to the server.
#
# NOTE: ssh and aws use different types of fingerprint
#
def find_or_create_key_pair(pick_ssh_key_method)
require 'leap_cli/ssh'
key_pair, local_key = match_ssh_key(:user_only => true)
if key_pair
log :using, "SSH key #{local_key.filename}" do
log 'AWS MD5 fingerprint: ' + local_key.fingerprint(:digest => :md5, :type => :der, :encoding => :hex)
log 'SSH MD5 fingerprint: ' + local_key.fingerprint(:digest => :md5, :type => :ssh, :encoding => :hex)
log 'SSH SHA256 fingerprint: ' + local_key.fingerprint(:digest => :sha256, :type => :ssh, :encoding => :base64)
end
elsif key_pair.nil?
username, key = pick_ssh_key_method.call(self)
key_pair = upload_ssh_key(username, key)
end
return key_pair
end
#
# checks if there is a match between a local key and a registered key_pair
#
# options:
# :key_pair -- limit comparisons to this key_pair object.
# :user_only -- limit comparisons to the user's ~/.ssh directory only
#
# returns:
#
# key_pair -- an AWS KeyPair
# local_key -- a LeapCLi::SSH::Key
#
def match_ssh_key(options={})
key_pair = options[:key_pair]
local_keys_to_check = LeapCli::SSH::Key.my_public_keys
unless options[:user_only]
local_keys_to_check += LeapCli::SSH::Key.provider_public_keys
end
fingerprints = Hash[local_keys_to_check.map {|k|
[k.fingerprint(:digest => :md5, :type => :der, :encoding => :hex), k]
}]
key_pair ||= @compute.key_pairs.select {|key_pair|
fingerprints.include?(key_pair.fingerprint)
}.first
if key_pair
local_key = fingerprints[key_pair.fingerprint]
return key_pair, local_key
else
return nil, nil
end
end
private
#
# Every AWS instance requires a security group, which is just a simple firewall.
# In the future, we could create a separate security group for each node,
# and set the rules to match what the rules should be for that node.
#
# However, for now, we just use a security group 'leap_default' that opens
# all the ports.
#
# The default behavior for AWS security groups is:
# all ingress traffic is blocked and all egress traffic is allowed.
#
def find_or_create_security_group
group = @compute.security_groups.get(LEAP_SG_NAME)
if group.nil?
group = @compute.security_groups.create(
:name => LEAP_SG_NAME,
:description => LEAP_SG_DESC
)
group.authorize_port_range(0..65535,
:ip_protocol => 'tcp',
:cidr_ip => '0.0.0.0/0',
)
group.authorize_port_range(0..65535,
:ip_protocol => 'udp',
:cidr_ip => '0.0.0.0/0',
)
end
return group
end
#
# key - a LeapCli::SSH::Key object
# returns -- AWS KeyPair
#
def upload_ssh_key(username, key)
key_name = 'leap_' + username
key_pair = @compute.key_pairs.create(
:name => key_name,
:public_key => key.public_key.to_s
)
log :registered, "public key" do
log 'cloud provider: ' + @name
log 'name: ' + key_name
log 'AWS MD5 fingerprint: ' + key.fingerprint(:digest => :md5, :type => :der, :encoding => :hex)
log 'SSH MD5 fingerprint: ' + key.fingerprint(:digest => :md5, :type => :ssh, :encoding => :hex)
log 'SSH SHA256 fingerprint: ' + key.fingerprint(:digest => :sha256, :type => :ssh, :encoding => :base64)
end
return key_pair
end
def create_new_vm_instance(choose_ssh_key: nil)
log :creating, "new vm instance..."
assert! @image, "No image found. Specify `default_image` in cloud.json or `vm.image` in node's config."
if Fog.mock?
options = @options
else
key_pair = find_or_create_key_pair(choose_ssh_key)
security_group = find_or_create_security_group
options = @options.merge({
'KeyName' => key_pair.name,
'SecurityGroup' => security_group.name
})
end
response = @compute.run_instances(
@image,
1, # min count
1, # max count
options
)
instance_id = response.body["instancesSet"].first["instanceId"]
log :created, "vm with instance id #{instance_id}."
server = @compute.servers.get(instance_id)
if server.nil?
bail! :error, "could not query instance '#{instance_id}'."
end
unless Fog.mock?
tries = 0
server.wait_for {
if tries > 0
LeapCli.log :waiting, "for IP address to be assigned..."
end
tries += 1
!public_ip_address.nil?
}
if options[:wait]
log :waiting, "for vm #{instance_id} to start..."
server.wait_for { ready? }
log :started, "#{instance_id} with #{server.public_ip_address}"
end
end
return server
end
end
end
|