@Override
public void allocate(Allocation allocInfo) throws Exception {
try {
final VmInstanceLifecycleHelper helper = VmInstanceLifecycleHelpers.get();
final PrepareNetworkResourcesType request = new PrepareNetworkResourcesType();
request.setAvailabilityZone(allocInfo.getPartition().getName());
request.setVpc(
allocInfo.getSubnet() == null
? null
: CloudMetadatas.toDisplayName().apply(allocInfo.getSubnet().getVpc()));
request.setSubnet(CloudMetadatas.toDisplayName().apply(allocInfo.getSubnet()));
request.setFeatures(Lists.<NetworkFeature>newArrayList(new DnsHostNamesFeature()));
helper.prepareNetworkAllocation(allocInfo, request);
final PrepareNetworkResourcesResultType result = Networking.getInstance().prepare(request);
for (final ResourceToken token : allocInfo.getAllocationTokens()) {
for (final NetworkResource networkResource : result.getResources()) {
if (token.getInstanceId().equals(networkResource.getOwnerId())) {
token
.getAttribute(NetworkResourceVmInstanceLifecycleHelper.NetworkResourcesKey)
.add(networkResource);
}
}
}
} catch (Exception e) {
throw Objects.firstNonNull(Exceptions.findCause(e, NotEnoughResourcesException.class), e);
}
}
@Override
public boolean apply(Allocation allocInfo) throws MetadataException {
Context ctx = allocInfo.getContext();
NetworkGroups.lookup(
ctx.getUserFullName().asAccountFullName(), NetworkGroups.defaultNetworkName());
Set<String> networkNames = Sets.newHashSet(allocInfo.getRequest().getGroupSet());
if (networkNames.isEmpty()) {
networkNames.add(NetworkGroups.defaultNetworkName());
}
Map<String, NetworkGroup> networkRuleGroups = Maps.newHashMap();
for (String groupName : networkNames) {
NetworkGroup group =
NetworkGroups.lookup(ctx.getUserFullName().asAccountFullName(), groupName);
if (!ctx.hasAdministrativePrivileges()
&& !RestrictedTypes.filterPrivileged().apply(group)) {
throw new IllegalMetadataAccessException(
"Not authorized to use network group "
+ groupName
+ " for "
+ ctx.getUser().getName());
}
networkRuleGroups.put(groupName, group);
}
Set<String> missingNets = Sets.difference(networkNames, networkRuleGroups.keySet());
if (!missingNets.isEmpty()) {
throw new NoSuchMetadataException("Failed to find security group info for: " + missingNets);
} else {
allocInfo.setNetworkRules(networkRuleGroups);
}
return true;
}
@SuppressWarnings("unchecked")
@Override
public void allocate(Allocation allocInfo) throws Exception {
RestrictedTypes.allocateNamedUnitlessResources(
allocInfo.getAllocationTokens().size(),
allocInfo.getVmType().allocator(),
(Predicate) Predicates.alwaysTrue());
}
@Override
public boolean apply(Allocation allocInfo)
throws MetadataException, AuthException, VerificationException {
RunInstancesType msg = allocInfo.getRequest();
String imageId = msg.getImageId();
VmType vmType = allocInfo.getVmType();
try {
BootableSet bootSet = Emis.newBootableSet(imageId);
allocInfo.setBootableSet(bootSet);
// Add (1024L * 1024L * 10) to handle NTFS min requirements.
if (!bootSet.isBlockStorage()) {
if (Platform.windows.equals(bootSet.getMachine().getPlatform())
&& bootSet.getMachine().getImageSizeBytes()
> ((1024L * 1024L * 1024L * vmType.getDisk()) + (1024L * 1024L * 10))) {
throw new ImageInstanceTypeVerificationException(
"Unable to run instance "
+ bootSet.getMachine().getDisplayName()
+ " in which the size "
+ bootSet.getMachine().getImageSizeBytes()
+ " bytes of the instance is greater than the vmType "
+ vmType.getDisplayName()
+ " size "
+ vmType.getDisk()
+ " GB.");
} else if (bootSet.getMachine().getImageSizeBytes()
> ((1024L * 1024L * 1024L * vmType.getDisk()))) {
throw new ImageInstanceTypeVerificationException(
"Unable to run instance "
+ bootSet.getMachine().getDisplayName()
+ " in which the size "
+ bootSet.getMachine().getImageSizeBytes()
+ " bytes of the instance is greater than the vmType "
+ vmType.getDisplayName()
+ " size "
+ vmType.getDisk()
+ " GB.");
}
}
} catch (VerificationException e) {
throw e;
} catch (MetadataException ex) {
LOG.error(ex);
throw ex;
} catch (RuntimeException ex) {
LOG.error(ex);
throw new VerificationException(
"Failed to verify references for request: "
+ msg.toSimpleString()
+ " because of: "
+ ex.getMessage(),
ex);
}
return true;
}
@Override
public boolean apply(Allocation allocInfo) throws MetadataException {
Context ctx = allocInfo.getContext();
User user = ctx.getUser();
String instanceType = allocInfo.getRequest().getInstanceType();
VmType vmType = VmTypes.lookup(instanceType);
if (!ctx.hasAdministrativePrivileges() && !RestrictedTypes.filterPrivileged().apply(vmType)) {
throw new IllegalMetadataAccessException(
"Not authorized to allocate vm type " + instanceType + " for " + ctx.getUserFullName());
}
allocInfo.setVmType(vmType);
return true;
}
@Override
public boolean apply(Allocation allocInfo) throws MetadataException {
if (allocInfo.getRequest().getKeyName() == null
|| "".equals(allocInfo.getRequest().getKeyName())) {
if (ImageMetadata.Platform.windows.equals(
allocInfo.getBootSet().getMachine().getPlatform())) {
throw new InvalidMetadataException(
"You must specify a keypair when running a windows vm: "
+ allocInfo.getRequest().getImageId());
} else {
allocInfo.setSshKeyPair(KeyPairs.noKey());
return true;
}
}
Context ctx = allocInfo.getContext();
RunInstancesType request = allocInfo.getRequest();
String keyName = request.getKeyName();
SshKeyPair key = KeyPairs.lookup(ctx.getUserFullName().asAccountFullName(), keyName);
if (!ctx.hasAdministrativePrivileges() && !RestrictedTypes.filterPrivileged().apply(key)) {
throw new IllegalMetadataAccessException(
"Not authorized to use keypair " + keyName + " by " + ctx.getUser().getName());
}
allocInfo.setSshKeyPair(key);
return true;
}
@Override
public boolean apply(Allocation allocInfo) throws MetadataException {
String instanceType = allocInfo.getRequest().getInstanceType();
VmType vmType = VmTypes.lookup(instanceType);
if (!RestrictedTypes.filterPrivileged().apply(vmType)) {
throw new IllegalMetadataAccessException(
"Not authorized to allocate vm type "
+ instanceType
+ " for "
+ allocInfo.getOwnerFullName());
}
allocInfo.setVmType(vmType);
return true;
}
@Override
public boolean apply(Allocation allocInfo) throws MetadataException {
byte[] userData = allocInfo.getUserData();
if (userData != null
&& userData.length > Integer.parseInt(VmInstances.USER_DATA_MAX_SIZE_KB) * 1024) {
throw new InvalidMetadataException(
"User data may not exceed " + VmInstances.USER_DATA_MAX_SIZE_KB + " KB");
}
return true;
}
@Override
public boolean apply(Allocation allocInfo) throws MetadataException {
RunInstancesType request = allocInfo.getRequest();
String zoneName = request.getAvailabilityZone();
if (Clusters.getInstance().listValues().isEmpty()) {
LOG.debug("enabled values: " + Joiner.on("\n").join(Clusters.getInstance().listValues()));
LOG.debug("disabled values: " + Joiner.on("\n").join(Clusters.getInstance().listValues()));
throw new VerificationException(
"Not enough resources: no cluster controller is currently available to run instances.");
} else if (Partitions.exists(zoneName)) {
Partition partition = Partitions.lookupByName(zoneName);
allocInfo.setPartition(partition);
} else if (Partition.DEFAULT_NAME.equals(zoneName)) {
Partition partition = Partition.DEFAULT;
allocInfo.setPartition(partition);
} else {
throw new VerificationException(
"Not enough resources: no cluster controller is currently available to run instances.");
}
return true;
}
@Override
public boolean apply(Allocation allocInfo) throws MetadataException {
if (allocInfo.getRequest().getKeyName() == null
|| "".equals(allocInfo.getRequest().getKeyName())) {
allocInfo.setSshKeyPair(KeyPairs.noKey());
return true;
}
UserFullName ownerFullName = allocInfo.getOwnerFullName();
RunInstancesType request = allocInfo.getRequest();
String keyName = request.getKeyName();
SshKeyPair key = KeyPairs.lookup(ownerFullName.asAccountFullName(), keyName);
if (!RestrictedTypes.filterPrivileged().apply(key)) {
throw new IllegalMetadataAccessException(
"Not authorized to use keypair " + keyName + " by " + ownerFullName.getUserName());
}
allocInfo.setSshKeyPair(key);
return true;
}
@Override
public void fail(Allocation allocInfo, Throwable t) {
allocInfo.abort();
}
@Override
public void allocate(Allocation allocInfo) throws Exception {
Partition reqPartition = allocInfo.getPartition();
String zoneName = reqPartition.getName();
String vmTypeName = allocInfo.getVmType().getName();
/* Validate min and max amount */
final int minAmount = allocInfo.getMinCount();
final int maxAmount = allocInfo.getMaxCount();
if (minAmount > maxAmount)
throw new RuntimeException(
"Maximum instance count must not be smaller than minimum instance count");
/* Retrieve our context and list of clusters associated with this zone */
List<Cluster> authorizedClusters = this.doPrivilegedLookup(zoneName, vmTypeName);
int remaining = maxAmount;
int allocated = 0;
int available;
LOG.info(
"Found authorized clusters: "
+ Iterables.transform(authorizedClusters, HasName.GET_NAME));
/* Do we have any VM available throughout our clusters? */
if ((available = checkAvailability(vmTypeName, authorizedClusters)) < minAmount) {
throw new NotEnoughResourcesException(
"Not enough resources ("
+ available
+ " in "
+ zoneName
+ " < "
+ minAmount
+ "): vm instances.");
} else {
for (Cluster cluster : authorizedClusters) {
if (remaining <= 0) {
break;
} else {
ResourceState state = cluster.getNodeState();
Partition partition = cluster.getConfiguration().lookupPartition();
/* Has a partition been set if the AZ was not specified? */
if (allocInfo.getPartition().equals(Partition.DEFAULT)) {
/*
* Ok, do we have enough slots in this partition to support our request? We should have at least
* the minimum. The list is sorted in order of resource availability from the cluster with the most
* available to the cluster with the least amount available. This is why we don't check against the
* maxAmount value since its a best effort at this point. If we select the partition here and we
* can't fit maxAmount, based on the sorting order, the next partition will not fit maxAmount anyway.
*/
int zoneAvailable = checkZoneAvailability(vmTypeName, partition, authorizedClusters);
if (zoneAvailable < minAmount) continue;
/* Lets use this partition */
allocInfo.setPartition(partition);
} else if (!allocInfo.getPartition().equals(partition)) {
/* We should only pick clusters that are part of the selected AZ */
continue;
}
if (allocInfo.getBootSet().getMachine() instanceof BlockStorageImageInfo) {
try {
Topology.lookup(Storage.class, partition);
} catch (Exception ex) {
allocInfo.abort();
allocInfo.setPartition(reqPartition);
throw new NotEnoughResourcesException(
"Not enough resources: Cannot run EBS instances in partition w/o a storage controller: "
+ ex.getMessage(),
ex);
}
}
try {
int tryAmount =
(remaining > state.getAvailability(vmTypeName).getAvailable())
? state.getAvailability(vmTypeName).getAvailable()
: remaining;
List<ResourceToken> tokens =
this.requestResourceToken(allocInfo, tryAmount, maxAmount);
remaining -= tokens.size();
allocated += tokens.size();
} catch (Exception t) {
LOG.error(t);
Logs.extreme().error(t, t);
allocInfo.abort();
allocInfo.setPartition(reqPartition);
/* if we still have some allocation remaining AND no more resources are available */
if (((available = checkZoneAvailability(vmTypeName, partition, authorizedClusters))
< remaining)
&& (remaining > 0)) {
throw new NotEnoughResourcesException(
"Not enough resources ("
+ available
+ " in "
+ zoneName
+ " < "
+ minAmount
+ "): vm instances.",
t);
} else {
throw new NotEnoughResourcesException(t.getMessage(), t);
}
}
}
}
/* Were we able to meet our minimum requirements? */
if ((allocated < minAmount) && (remaining > 0)) {
allocInfo.abort();
allocInfo.setPartition(reqPartition);
if (reqPartition.equals(Partition.DEFAULT)) {
throw new NotEnoughResourcesException(
"Not enough resources available in all zone for " + minAmount + "): vm instances.");
} else {
available = checkZoneAvailability(vmTypeName, reqPartition, authorizedClusters);
throw new NotEnoughResourcesException(
"Not enough resources ("
+ available
+ " in "
+ zoneName
+ " < "
+ minAmount
+ "): vm instances.");
}
}
}
}
private List<ResourceToken> requestResourceToken(
final Allocation allocInfo, final int tryAmount, final int maxAmount) throws Exception {
ServiceConfiguration config =
Topology.lookup(ClusterController.class, allocInfo.getPartition());
Cluster cluster = Clusters.lookup(config);
/**
* TODO:GRZE: this is the call path which needs to trigger gating.
* It shouldn't be handled directly here, but instead be handled in {@link ResourceState#requestResourceAllocation().
*
*/
if (cluster.getGateLock().readLock().tryLock(60, TimeUnit.SECONDS)) {
try {
final ResourceState state = cluster.getNodeState();
/**
* NOTE: If the defined instance type has an ordering conflict w/ some other type then it
* isn't safe to service TWO requests which use differing types during the same resource
* refresh duty cycle. This determines whether or not an asynchronous allocation is safe
* to do for the request instance type or whether a synchronous resource availability
* refresh is needed.
*/
boolean unorderedType = VmTypes.isUnorderedType(allocInfo.getVmType());
boolean forceResourceRefresh = state.hasUnorderedTokens() || unorderedType;
/**
* GRZE: if the vm type is not "nicely" ordered then we force a refresh of the actual
* cluster state. Note: we already hold the cluster gating lock here so this update will
* be mutual exclusive wrt both resource allocations and cluster state updates.
*/
if (forceResourceRefresh) {
cluster.refreshResources();
}
final List<ResourceToken> tokens =
state.requestResourceAllocation(allocInfo, tryAmount, maxAmount);
final Iterator<ResourceToken> tokenIterator = tokens.iterator();
try {
final Supplier<ResourceToken> allocator =
new Supplier<ResourceToken>() {
@Override
public ResourceToken get() {
final ResourceToken ret = tokenIterator.next();
allocInfo.getAllocationTokens().add(ret);
return ret;
}
};
RestrictedTypes.allocateUnitlessResources(tokens.size(), allocator);
} finally {
// release any tokens that were not allocated
Iterators.all(
tokenIterator,
new Predicate<ResourceToken>() {
@Override
public boolean apply(final ResourceToken resourceToken) {
state.releaseToken(resourceToken);
return true;
}
});
}
return allocInfo.getAllocationTokens();
} finally {
cluster.getGateLock().readLock().unlock();
}
} else {
throw new ServiceStateException(
"Failed to allocate resources in the zone "
+ cluster.getPartition()
+ ", it is currently locked for maintenance.");
}
}
@Override
public boolean apply(Allocation allocInfo) throws MetadataException {
BootableImageInfo imageInfo = allocInfo.getBootSet().getMachine();
final ArrayList<BlockDeviceMappingItemType> instanceMappings =
allocInfo.getRequest().getBlockDeviceMapping() != null
? allocInfo.getRequest().getBlockDeviceMapping()
: new ArrayList<BlockDeviceMappingItemType>();
List<DeviceMapping> imageMappings =
new ArrayList<DeviceMapping>(((ImageInfo) imageInfo).getDeviceMappings());
// Figure out the final set of mappings for this instance and add it to the request before
// verifying the mappings.
// for ( DeviceMapping imageMapping : imageMappings ) {
// if( !Iterables.any( instanceMappings, Images.findBlockDeviceMappingItempType(
// imageMapping.getDeviceName() ) ) ) {
// instanceMappings.add(Images.DeviceMappingDetails.INSTANCE.apply(imageMapping));
// }
// }
// Is this an overkill?? Should I rather go with the above logic. Damn complexity seems
// same...
// probably m * n where m is the number of image mappings and n is the number of instance
// mappings
instanceMappings.addAll(
Lists.transform(
Lists.newArrayList(
Iterables.filter(
imageMappings,
new Predicate<DeviceMapping>() {
@Override
public boolean apply(DeviceMapping arg0) {
return !Iterables.any(
instanceMappings,
Images.findBlockDeviceMappingItempType(arg0.getDeviceName()));
}
})),
Images.DeviceMappingDetails.INSTANCE));
if (imageInfo instanceof BlockStorageImageInfo) { // bfebs image
if (!instanceMappings.isEmpty()) {
// Verify all block device mappings. Dont fuss if both snapshot id and volume size are
// left blank
Images.isDeviceMappingListValid(instanceMappings, Boolean.TRUE, Boolean.TRUE);
BlockStorageImageInfo bfebsImage = (BlockStorageImageInfo) imageInfo;
Integer imageSizeGB = (int) (bfebsImage.getImageSizeBytes() / BYTES_PER_GB);
Integer userRequestedSizeGB = null;
// Find the root block device mapping in the run instance request. Validate it
BlockDeviceMappingItemType rootBlockDevice =
Iterables.find(
instanceMappings,
Images.findEbsRootOptionalSnapshot(bfebsImage.getRootDeviceName()),
null);
if (rootBlockDevice != null) {
// Ensure that root device is not mapped to a different snapshot, logical device or
// suppressed.
// Verify that the root device size is not smaller than the image size
if (StringUtils.isNotBlank(rootBlockDevice.getEbs().getSnapshotId())
&& !StringUtils.equals(
rootBlockDevice.getEbs().getSnapshotId(), bfebsImage.getSnapshotId())) {
throw new InvalidMetadataException(
"Snapshot ID cannot be modified for the root device. "
+ "Source snapshot from the image registration will be used for creating the root device");
} else if (StringUtils.isNotBlank(rootBlockDevice.getVirtualName())) {
throw new InvalidMetadataException(
"Logical type cannot be modified for the root device. "
+ "Source snapshot from the image registration will be used for creating the root device");
} else if (rootBlockDevice.getNoDevice() != null && rootBlockDevice.getNoDevice()) {
throw new InvalidMetadataException(
"Root device cannot be suppressed. "
+ "Source snapshot from the image registration will be used for creating the root device");
} else if ((userRequestedSizeGB = rootBlockDevice.getEbs().getVolumeSize()) != null
&& userRequestedSizeGB < imageSizeGB) {
throw new InvalidMetadataException(
"Root device volume cannot be smaller than the image size");
}
// Gather all the information for the root device mapping and populate it in the run
// instance request
if (rootBlockDevice.getEbs().getSnapshotId() == null) {
rootBlockDevice.getEbs().setSnapshotId(bfebsImage.getSnapshotId());
}
if (rootBlockDevice.getEbs().getVolumeSize() == null) {
rootBlockDevice.getEbs().setVolumeSize(imageSizeGB);
}
if (rootBlockDevice.getEbs().getDeleteOnTermination() == null) {
rootBlockDevice.getEbs().setDeleteOnTermination(bfebsImage.getDeleteOnTerminate());
}
} else {
// This should never happen. Root device mapping will always exist in the block storage
// image and or run instance request
throw new InvalidMetadataException("Root block device mapping not found\n");
}
}
} else { // Instance store image
// Verify all block device mappings. EBS mappings must be considered invalid since AWS
// doesn't support it
Images.isDeviceMappingListValid(instanceMappings, Boolean.TRUE, Boolean.FALSE);
}
// Set the final list of block device mappings in the run instance request (necessary if the
// instance mappings were null). Checked with grze that its okay
allocInfo.getRequest().setBlockDeviceMapping(instanceMappings);
return true;
}
@Override
public boolean apply(final Allocation allocInfo) throws MetadataException {
final UserFullName ownerFullName = allocInfo.getOwnerFullName();
final String instanceProfileArn = allocInfo.getRequest().getIamInstanceProfileArn();
final String instanceProfileName = allocInfo.getRequest().getIamInstanceProfileName();
if (!Strings.isNullOrEmpty(instanceProfileArn)
|| !Strings.isNullOrEmpty(instanceProfileName)) {
final String profileAccount;
final String profileName;
if (!Strings.isNullOrEmpty(instanceProfileArn))
try {
final Ern name = Ern.parse(instanceProfileArn);
if (!(name instanceof EuareResourceName)) {
throw new InvalidInstanceProfileMetadataException(
"Invalid IAM instance profile ARN: " + instanceProfileArn);
}
profileAccount = name.getAccount();
profileName = ((EuareResourceName) name).getName();
} catch (JSONException e) {
throw new InvalidInstanceProfileMetadataException(
"Invalid IAM instance profile ARN: " + instanceProfileArn, e);
}
else {
profileAccount = ownerFullName.getAccountNumber();
profileName = instanceProfileName;
}
final InstanceProfile profile;
try {
profile = Accounts.lookupInstanceProfileByName(profileAccount, profileName);
} catch (AuthException e) {
throw new InvalidInstanceProfileMetadataException(
"Invalid IAM instance profile: " + profileAccount + "/" + profileName, e);
}
if (!Strings.isNullOrEmpty(instanceProfileName)
&& !instanceProfileName.equals(profile.getName())) {
throw new InvalidInstanceProfileMetadataException(
String.format(
"Invalid IAM instance profile name '%s' for ARN: %s",
profileName, instanceProfileArn));
}
try {
final AuthContextSupplier user = allocInfo.getAuthContext();
if (!Permissions.isAuthorized(
PolicySpec.VENDOR_IAM,
PolicySpec.IAM_RESOURCE_INSTANCE_PROFILE,
Accounts.getInstanceProfileFullName(profile),
AccountFullName.getInstance(profile.getAccountNumber()),
PolicySpec.IAM_LISTINSTANCEPROFILES,
user)) {
throw new IllegalMetadataAccessException(
String.format(
"Not authorized to access instance profile with ARN %s for %s",
profile.getInstanceProfileArn(), ownerFullName));
}
final Role role = profile.getRole();
if (role != null
&& !Permissions.isAuthorized(
PolicySpec.VENDOR_IAM,
PolicySpec.IAM_RESOURCE_ROLE,
Accounts.getRoleFullName(role),
AccountFullName.getInstance(role.getAccountNumber()),
PolicySpec.IAM_PASSROLE,
user)) {
throw new IllegalMetadataAccessException(
String.format(
"Not authorized to pass role with ARN %s for %s",
role.getRoleArn(), ownerFullName));
}
if (role != null) {
allocInfo.setInstanceProfileArn(profile.getInstanceProfileArn());
allocInfo.setIamInstanceProfileId(profile.getInstanceProfileId());
allocInfo.setIamRoleArn(role.getRoleArn());
} else {
throw new InvalidInstanceProfileMetadataException(
"Role not found for IAM instance profile ARN: " + profile.getInstanceProfileArn());
}
} catch (AuthException e) {
throw new MetadataException("IAM instance profile error", e);
}
}
return true;
}
