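/**
 * Builds the list of OpenStack security group names to attach to a server.
 *
 * Candidates are collected from governance (when it defines a group list) and,
 * unless governance forbids additional groups, from the farm role setting or
 * the legacy defaults. A candidate that looks like an ID (UUID or integer) is
 * translated to the group's name via the list returned by the OpenStack
 * client. The "scalr-rb-system" group and the group named by the
 * `scalr.aws.security_group_name` config key are created when missing.
 *
 * @param DBServer               $DBServer   Server whose platform, farm role id and farm role are read.
 * @param OpenStack              $osClient   Client used to list and create security groups and rules.
 * @param \Scalr_Governance|null $governance Optional governance policy source.
 *
 * @return array Security group names, in the order the candidates were collected.
 *
 * @throws \Exception When listing or creating a group fails, or a requested group does not exist.
 */
private function GetServerSecurityGroupsList(DBServer $DBServer, OpenStack $osClient, \Scalr_Governance $governance = null)
{
    $retval = $sgroups = $sgroupIds = $checkGroups = [];
    $sgGovernance = false;
    $allowAdditionalSgs = true;

    if ($governance) {
        $sgs = $governance->getValue($DBServer->platform, \Scalr_Governance::OPENSTACK_SECURITY_GROUPS);
        if ($sgs !== null) {
            // Only a scalar can be a comma-separated list; anything else yields no groups
            // (the original suppressed the explode() warning with "@" to the same effect).
            $governanceSecurityGroups = is_scalar($sgs) ? explode(',', (string) $sgs) : [];
            foreach ($governanceSecurityGroups as $sg) {
                // Trim before the emptiness check so a whitespace-only entry is
                // skipped instead of becoming an empty group name.
                $sg = trim($sg);
                if ($sg !== '') {
                    $checkGroups[] = $sg;
                }
            }

            $sgGovernance = !empty($checkGroups);
            $allowAdditionalSgs = $governance->getValue(
                $DBServer->platform,
                \Scalr_Governance::OPENSTACK_SECURITY_GROUPS,
                'allow_additional_sec_groups'
            );
        }
    }

    if (!$sgGovernance || $allowAdditionalSgs) {
        if ($DBServer->farmRoleId != 0) {
            $dbFarmRole = $DBServer->GetFarmRoleObject();
            $sgList = $dbFarmRole->GetSetting(Entity\FarmRoleSetting::OPENSTACK_SECURITY_GROUPS_LIST);
            if ($sgList !== null) {
                // New SG management: the setting holds a JSON-encoded list.
                $sgs = json_decode($sgList);
                // Iterate only over containers; a decoded scalar is not a group list.
                if (!empty($sgs) && (is_array($sgs) || is_object($sgs))) {
                    foreach ($sgs as $sg) {
                        $checkGroups[] = $sg;
                    }
                }
            } else {
                // Old SG management
                $checkGroups[] = 'default';
                $checkGroups[] = \Scalr::config('scalr.aws.security_group_name');
            }
        } else {
            $checkGroups[] = 'scalr-rb-system';
        }
    }

    try {
        // Index every existing group by lower-cased name and by lower-cased id,
        // following pagination when the client returns a paginated result.
        $list = $osClient->listSecurityGroups();
        do {
            foreach ($list as $sg) {
                $sgroups[strtolower($sg->name)] = $sg;
                $sgroupIds[strtolower($sg->id)] = $sg;
            }
            $list = ($list instanceof PaginationInterface) ? $list->getNextPage() : false;
        } while ($list !== false);
        unset($list);
    } catch (\Exception $e) {
        // Keep the original exception as "previous" so the root cause is not lost.
        throw new \Exception("GetServerSecurityGroupsList failed: {$e->getMessage()}", 0, $e);
    }

    foreach ($checkGroups as $groupName) {
        // A candidate may be an ID instead of a name: UUID, or a plain integer
        // (in OpenStack IceHouse the SG ID is an integer and not a UUID).
        $looksLikeId = preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $groupName)
            || preg_match('/^\\d+$/', $groupName);

        if ($looksLikeId) {
            // The index is keyed by lower-cased id, so the lookup must use the
            // same key as the isset() check. The original read the entry with
            // the raw value, which missed for an upper-case UUID and left the
            // group name null for the branches below.
            $idKey = strtolower($groupName);
            if (!isset($sgroupIds[$idKey])) {
                throw new \Exception(sprintf(_("Security group '%s' is not found (1)"), $groupName));
            }
            $groupName = $sgroupIds[$idKey]->name;
        }

        if ($groupName == 'default') {
            // Check default SG
            $retval[] = $groupName;
        } elseif ($groupName == 'scalr-rb-system' || $groupName == \Scalr::config('scalr.aws.security_group_name')) {
            // Check Roles builder SG
            if (!isset($sgroups[strtolower($groupName)])) {
                try {
                    $group = $osClient->createSecurityGroup($groupName, _("Scalr system security group"));
                    $groupId = $group->id;
                } catch (\Exception $e) {
                    throw new \Exception("GetServerSecurityGroupsList failed on scalr.ip-pool: {$e->getMessage()}", 0, $e);
                }

                // NOTE(security): the rules below admit every TCP and UDP port
                // (1-65535) from 0.0.0.0/0, so the auto-created system group is
                // reachable from any IPv4 source. Behaviour is kept as-is for
                // compatibility; consider narrowing the port range and source
                // prefix, and audit groups created through this path.
                foreach (['tcp', 'udp'] as $protocol) {
                    $r = new CreateSecurityGroupRule($groupId);
                    $r->direction = 'ingress';
                    $r->protocol = $protocol;
                    $r->port_range_min = 1;
                    $r->port_range_max = 65535;
                    $r->remote_ip_prefix = "0.0.0.0/0";
                    $osClient->createSecurityGroupRule($r);
                }

                // Remember the new group so a repeated candidate does not
                // trigger a second create call.
                $sgroups[strtolower($groupName)] = $group;
            }
            $retval[] = $groupName;
        } else {
            if (!isset($sgroups[strtolower($groupName)])) {
                throw new \Exception(sprintf(_("Security group '%s' is not found (2)"), $groupName));
            }
            $retval[] = $groupName;
        }
    }

    return $retval;
}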