OpenStack Compute (nova)

Merge lp:~soren/nova/iptables-security-groups into lp:~hudson-openstack/nova/trunk

  1. iptables-security-groups
  2. Merge into trunk
Proposed by Soren Hansen
Status: Merged
Approved by: Vish Ishaya
Approved revision: 460
Merged at revision: 561
Proposed branch: lp:~soren/nova/iptables-security-groups
Merge into: lp:~hudson-openstack/nova/trunk
Diff against target: 118 lines (+32/-12)
1 file modified
nova/virt/libvirt_conn.py (+32/-12)
To merge this branch: bzr merge lp:~soren/nova/iptables-security-groups
Reviewer Review Type Date Requested Status
Vish Ishaya (community) Approve
Eric Day (community) Approve
Thierry Carrez (community) Needs Fixing
Review via email: mp+46134@code.launchpad.net

Description of the change

Add a new method to firewall drivers to tell them to stop filtering a particular instance. Call it when an instance has been destroyed.

Use dict()s (keyed off id's) instead of set()s for keeping track of instances and security groups in the iptables firewall driver. __eq__ for objects from sqlalchemy fetched in different sessions doesn't work as expected, so I needed to explicitly filter on ID.

To post a comment you must log in.
Revision history for this message
Thierry Carrez (ttx) wrote :

Fixes the bug alright.

Why the changes in version.py, though ?

L79: Attempted to untiler --> you mean unfilter ?

review: Needs Fixing
Revision history for this message
Soren Hansen (soren) wrote :

Gah, they werent' supposed to be included in the patch. I just did it locally because the million char wide log lines p'ed me off.

lp:~soren/nova/iptables-security-groups updated
459. By Soren Hansen

Revert changes to version.py

Revision history for this message
Thierry Carrez (ttx) wrote :

You missed this remark:
L79: Attempted to untiler --> you mean unfilter ?

lp:~soren/nova/iptables-security-groups updated
460. By Soren Hansen

Spelling is hard. Typing even moreso.

Revision history for this message
Eric Day (eday) wrote :

lgtm

review: Approve
Revision history for this message
Vish Ishaya (vishvananda) wrote :

lgtm

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'nova/virt/libvirt_conn.py'
--- nova/virt/libvirt_conn.py 2011-01-13 01:25:08 +0000
+++ nova/virt/libvirt_conn.py 2011-01-13 17:11:31 +0000
@@ -214,6 +214,8 @@
214 power_state.SHUTDOWN)214 power_state.SHUTDOWN)
215 break215 break
216216
217 self.firewall_driver.unfilter_instance(instance)
218
217 if cleanup:219 if cleanup:
218 self._cleanup(instance)220 self._cleanup(instance)
219221
@@ -774,6 +776,10 @@
774 At this point, the instance isn't running yet."""776 At this point, the instance isn't running yet."""
775 raise NotImplementedError()777 raise NotImplementedError()
776778
779 def unfilter_instance(self, instance):
780 """Stop filtering instance"""
781 raise NotImplementedError()
782
777 def apply_instance_filter(self, instance):783 def apply_instance_filter(self, instance):
778 """Apply instance filter.784 """Apply instance filter.
779785
@@ -964,6 +970,10 @@
964 # execute in a native thread and block current greenthread until done970 # execute in a native thread and block current greenthread until done
965 tpool.execute(self._conn.nwfilterDefineXML, xml)971 tpool.execute(self._conn.nwfilterDefineXML, xml)
966972
973 def unfilter_instance(self, instance):
974 # Nothing to do
975 pass
976
967 def prepare_instance_filter(self, instance):977 def prepare_instance_filter(self, instance):
968 """978 """
969 Creates an NWFilter for the given instance. In the process,979 Creates an NWFilter for the given instance. In the process,
@@ -1045,17 +1055,25 @@
1045class IptablesFirewallDriver(FirewallDriver):1055class IptablesFirewallDriver(FirewallDriver):
1046 def __init__(self, execute=None):1056 def __init__(self, execute=None):
1047 self.execute = execute or utils.execute1057 self.execute = execute or utils.execute
1048 self.instances = set()1058 self.instances = {}
10491059
1050 def apply_instance_filter(self, instance):1060 def apply_instance_filter(self, instance):
1051 """No-op. Everything is done in prepare_instance_filter"""1061 """No-op. Everything is done in prepare_instance_filter"""
1052 pass1062 pass
10531063
1054 def remove_instance(self, instance):1064 def remove_instance(self, instance):
1055 self.instances.remove(instance)1065 if instance['id'] in self.instances:
1066 del self.instances[instance['id']]
1067 else:
1068 LOG.info(_('Attempted to unfilter instance %s which is not '
1069 'filtered'), instance['id'])
10561070
1057 def add_instance(self, instance):1071 def add_instance(self, instance):
1058 self.instances.add(instance)1072 self.instances[instance['id']] = instance
1073
1074 def unfilter_instance(self, instance):
1075 self.remove_instance(instance)
1076 self.apply_ruleset()
10591077
1060 def prepare_instance_filter(self, instance):1078 def prepare_instance_filter(self, instance):
1061 self.add_instance(instance)1079 self.add_instance(instance)
@@ -1088,10 +1106,11 @@
1088 our_chains += [':nova-local - [0:0]']1106 our_chains += [':nova-local - [0:0]']
1089 our_rules += ['-A FORWARD -j nova-local']1107 our_rules += ['-A FORWARD -j nova-local']
10901108
1091 security_groups = set()1109 security_groups = {}
1092 # Add our chains1110 # Add our chains
1093 # First, we add instance chains and rules1111 # First, we add instance chains and rules
1094 for instance in self.instances:1112 for instance_id in self.instances:
1113 instance = self.instances[instance_id]
1095 chain_name = self._instance_chain_name(instance)1114 chain_name = self._instance_chain_name(instance)
1096 ip_address = self._ip_for_instance(instance)1115 ip_address = self._ip_for_instance(instance)
10971116
@@ -1113,9 +1132,10 @@
1113 for security_group in \1132 for security_group in \
1114 db.security_group_get_by_instance(ctxt,1133 db.security_group_get_by_instance(ctxt,
1115 instance['id']):1134 instance['id']):
1116 security_groups.add(security_group)1135 security_groups[security_group['id']] = security_group
11171136
1118 sg_chain_name = self._security_group_chain_name(security_group)1137 sg_chain_name = self._security_group_chain_name(
1138 security_group['id'])
11191139
1120 our_rules += ['-A %s -j %s' % (chain_name, sg_chain_name)]1140 our_rules += ['-A %s -j %s' % (chain_name, sg_chain_name)]
11211141
@@ -1128,13 +1148,13 @@
1128 our_rules += ['-A %s -j nova-ipv4-fallback' % (chain_name,)]1148 our_rules += ['-A %s -j nova-ipv4-fallback' % (chain_name,)]
11291149
1130 # then, security group chains and rules1150 # then, security group chains and rules
1131 for security_group in security_groups:1151 for security_group_id in security_groups:
1132 chain_name = self._security_group_chain_name(security_group)1152 chain_name = self._security_group_chain_name(security_group_id)
1133 our_chains += [':%s - [0:0]' % chain_name]1153 our_chains += [':%s - [0:0]' % chain_name]
11341154
1135 rules = \1155 rules = \
1136 db.security_group_rule_get_by_security_group(ctxt,1156 db.security_group_rule_get_by_security_group(ctxt,
1137 security_group['id'])1157 security_group_id)
11381158
1139 for rule in rules:1159 for rule in rules:
1140 logging.info('%r', rule)1160 logging.info('%r', rule)
@@ -1182,8 +1202,8 @@
1182 def refresh_security_group_rules(self, security_group):1202 def refresh_security_group_rules(self, security_group):
1183 self.apply_ruleset()1203 self.apply_ruleset()
11841204
1185 def _security_group_chain_name(self, security_group):1205 def _security_group_chain_name(self, security_group_id):
1186 return 'nova-sg-%s' % (security_group['id'],)1206 return 'nova-sg-%s' % (security_group_id,)
11871207
1188 def _instance_chain_name(self, instance):1208 def _instance_chain_name(self, instance):
1189 return 'nova-inst-%s' % (instance['id'],)1209 return 'nova-inst-%s' % (instance['id'],)