Merge lp:~openstack-gd/nova/libvirt-multinic-nova into lp:~hudson-openstack/nova/trunk

Proposed by Ilya Alekseyev
Status: Superseded
Proposed branch: lp:~openstack-gd/nova/libvirt-multinic-nova
Merge into: lp:~hudson-openstack/nova/trunk
Diff against target: 499 lines (+206/-100)
3 files modified
nova/virt/interfaces.template (+13/-12)
nova/virt/libvirt.xml.template (+12/-9)
nova/virt/libvirt_conn.py (+181/-79)
To merge this branch: bzr merge lp:~openstack-gd/nova/libvirt-multinic-nova
Reviewer Review Type Date Requested Status
Sandy Walsh (community) Needs Fixing
Joshua McKenty Pending
Trey Morris Pending
Review via email: mp+53871@code.launchpad.net

This proposal has been superseded by a proposal from 2011-03-23.

Description of the change

libvirt driver multi_nic support. In this phase libvirt can work with and without multi_nic support, as in multi_nic support for xenapi: https://code.launchpad.net/~tr3buchet/nova/xs_multi_nic/+merge/53458

813. By Eldar Nugaev

merge with trunk

814. By Eldar Nugaev

merge with trunk

815. By Eldar Nugaev

merge with trunk

Sandy Walsh (sandy-walsh) wrote :

149 if not network_info:

180 if _m is unused, you can just use _

182 if network_ref['injected']:
if 'injected' in network_ref: might be safer (no KeyError if missing)

or better
if not 'injected' in network_ref:
    continue

and pull the indent in for the rest

183 do we need to make the context inside the loop? can this be done outside?

186-188 can be replaced with ra_server = network_ref.get('ra_server', "fd00::")

The 'eth##' will be incremented each time ... even if injected, is that what you wanted?

253 if not ...

263 commented out code?

264 seems to overwrite 262?

351 353 commented out code?

354 if ra_servers:

398 should be like 416

450, 459, 482 use append()?

review: Needs Fixing
816. By Ilya Alekseyev

review comments fixed

817. By Ilya Alekseyev

trunk merged

818. By Ilya Alekseyev

pep8 fixed

819. By Ilya Alekseyev

xml template fixed

820. By Ilya Alekseyev

one more minor fix

Ilya Alekseyev (ilyaalekseyev) wrote :

Sandy, thank you very much for the good review. Please look at my only comment below.

> The 'eth##' will be incremented each time ... even if injected, is that what
> you wanted?
>
yes

821. By Eldar Nugaev

migration gateway_v6 to network_info

822. By Eldar Nugaev

small fix

823. By Ilya Alekseyev

couple of bugs fixed

824. By Eldar Nugaev

pep8 clearing

825. By Ilya Alekseyev

trunk merged. conflicts resolved

826. By Ilya Alekseyev

style and spacing fixed

Unmerged revisions

Preview Diff

=== modified file 'nova/virt/interfaces.template'
--- nova/virt/interfaces.template 2011-03-02 01:12:47 +0000
+++ nova/virt/interfaces.template 2011-03-23 19:11:11 +0000
@@ -5,19 +5,20 @@
5auto lo5auto lo
6iface lo inet loopback6iface lo inet loopback
77
8# The primary network interface8#for $ifc in $interfaces
9auto eth09auto ${ifc.name}
10iface eth0 inet static10iface ${ifc.name} inet static
11 address ${address}11 address ${ifc.address}
12 netmask ${netmask}12 netmask ${ifc.netmask}
13 broadcast ${broadcast}13 broadcast ${ifc.broadcast}
14 gateway ${gateway}14 gateway ${ifc.gateway}
15 dns-nameservers ${dns}15 dns-nameservers ${ifc.dns}
1616
17#if $use_ipv617#if $use_ipv6
18iface eth0 inet6 static18iface ${ifc.name} inet6 static
19 address ${address_v6}19 address ${ifc.address_v6}
20 netmask ${netmask_v6}20 netmask ${ifc.netmask_v6}
21 gateway ${gateway_v6}21 gateway ${ifc.gateway_v6}
22#end if22#end if
2323
24#end for
2425
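Review bot: `#if $use_ipv6` inside the new `#for` loop still looks up a top-level `use_ipv6`, but `_create_image` now renders this template with `searchList=[{'interfaces': nets}]` and puts `use_ipv6` inside each per-interface dict. With only `interfaces` at the top level the lookup has nothing to resolve against, so the condition should read `#if $ifc.use_ipv6`, or `use_ipv6` should be passed alongside `interfaces`. The `gateway` line is also emitted for every interface now, which asks a multi-NIC guest to install one default route per NIC; consider emitting it for the first interface only.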
=== modified file 'nova/virt/libvirt.xml.template'
--- nova/virt/libvirt.xml.template 2011-03-02 01:12:47 +0000
+++ nova/virt/libvirt.xml.template 2011-03-23 19:11:11 +0000
@@ -69,21 +69,24 @@
69 </disk>69 </disk>
70 #end if70 #end if
71#end if71#end if
72
73#for $nic in $nics
72 <interface type='bridge'>74 <interface type='bridge'>
73 <source bridge='${bridge_name}'/>75 <source bridge='${nic.bridge_name}'/>
74 <mac address='${mac_address}'/>76 <mac address='${nic.mac_address}'/>
75 <!-- <model type='virtio'/> CANT RUN virtio network right now -->77 <!-- <model type='virtio'/> CANT RUN virtio network right now -->
76 <filterref filter="nova-instance-${name}">78 <filterref filter="nova-instance-${name}-${nic.id}">
77 <parameter name="IP" value="${ip_address}" />79 <parameter name="IP" value="${nic.ip_address}" />
78 <parameter name="DHCPSERVER" value="${dhcp_server}" /> 80 <parameter name="DHCPSERVER" value="${nic.dhcp_server}" />
79#if $getVar('extra_params', False)81#if $getVar('nic.extra_params', False)
80 ${extra_params}82 ${nic.extra_params}
81#end if83#end if
82#if $getVar('gateway_v6', False)84#if $getVar('nic.gateway_v6', False)
83 <parameter name="RASERVER" value="${gateway_v6}" />85 <parameter name="RASERVER" value="${nic.gateway_v6}" />
84#end if86#end if
85 </filterref>87 </filterref>
86 </interface>88 </interface>
89#end for
8790
88 <!-- The order is significant here. File must be defined first -->91 <!-- The order is significant here. File must be defined first -->
89 <serial type="file">92 <serial type="file">
9093
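Review bot: `$getVar('nic.extra_params', False)` and `$getVar('nic.gateway_v6', False)` ask the search list for a name that only exists as the `#for $nic in $nics` loop variable, so both guards are likely to fall back to `False` on every iteration, and the `extra_params` block and the `RASERVER` parameter would never be rendered. These values feed the nwfilter parameters, so test the loop variable directly, for example `#if $nic.get('gateway_v6')` given that `_get_nic_for_xml` returns a plain dict, and drop the guard on `extra_params`, which is always set.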
=== modified file 'nova/virt/libvirt_conn.py'
--- nova/virt/libvirt_conn.py 2011-03-23 05:29:32 +0000
+++ nova/virt/libvirt_conn.py 2011-03-23 19:11:11 +0000
@@ -153,6 +153,49 @@
153 return int(net.version())153 return int(net.version())
154154
155155
156def _get_network_info(instance):
157 #TODO(ilyaalekseyev) If we will keep this function
158 # we should cache network_info
159 admin_context = context.get_admin_context()
160
161 ip_addresses = db.fixed_ip_get_all_by_instance(admin_context,
162 instance['id'])
163
164 networks = db.network_get_all_by_instance(admin_context,
165 instance['id'])
166 network_info = []
167
168 def ip_dict(ip):
169 return {
170 "ip": ip.address,
171 "netmask": network["netmask"],
172 "enabled": "1"}
173
174 def ip6_dict(ip6):
175 prefix = ip6.network.cidr_v6
176 mac = instance.mac_address
177 return {
178 "ip": utils.to_global_ipv6(prefix, mac),
179 "netmask": ip6.network.netmask_v6,
180 "gateway": ip6.network.gateway_v6,
181 "enabled": "1"}
182
183 for network in networks:
184 network_ips = [ip for ip in ip_addresses
185 if ip.network_id == network.id]
186
187 mapping = {
188 'label': network['label'],
189 'gateway': network['gateway'],
190 'mac': instance.mac_address,
191 'dns': [network['dns']],
192 'ips': [ip_dict(ip) for ip in network_ips],
193 'ip6s': [ip6_dict(ip) for ip in network_ips]}
194
195 network_info.append((network, mapping))
196 return network_info
197
198
156class LibvirtConnection(object):199class LibvirtConnection(object):
157200
158 def __init__(self, read_only):201 def __init__(self, read_only):
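Review bot: `'mac': instance.mac_address` is the same value for every network in the loop, so an instance attached to two networks gets two `<interface>` elements with one MAC, and the `mac_id` that `_get_nic_for_xml` derives from it for `nova-instance-${name}-${nic.id}` is no longer unique per NIC. The mapping needs a per-network MAC or another per-NIC key. Separately, `ip_dict` reads `network` from the enclosing `for` loop instead of taking it as an argument, and `ip6s` is built even when `FLAGS.use_ipv6` is off, which calls `utils.to_global_ipv6` with whatever `cidr_v6` holds; pass `network` explicitly and build the v6 list only when the flag is set.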
@@ -416,16 +459,18 @@
416 # the normal xml file, we can just call reboot here459 # the normal xml file, we can just call reboot here
417 self.reboot(instance)460 self.reboot(instance)
418461
462 # NOTE(ilyaalekseyev): Implementation like in multinics
463 # for xenapi(tr3buchet)
419 @exception.wrap_exception464 @exception.wrap_exception
420 def spawn(self, instance):465 def spawn(self, instance, network_info=None):
421 xml = self.to_xml(instance)466 xml = self.to_xml(instance, network_info)
422 db.instance_set_state(context.get_admin_context(),467 db.instance_set_state(context.get_admin_context(),
423 instance['id'],468 instance['id'],
424 power_state.NOSTATE,469 power_state.NOSTATE,
425 'launching')470 'launching')
426 self.firewall_driver.setup_basic_filtering(instance)471 self.firewall_driver.setup_basic_filtering(instance, network_info)
427 self.firewall_driver.prepare_instance_filter(instance)472 self.firewall_driver.prepare_instance_filter(instance, network_info)
428 self._create_image(instance, xml)473 self._create_image(instance, xml, network_info)
429 self._conn.createXML(xml, 0)474 self._conn.createXML(xml, 0)
430 LOG.debug(_("instance %s: is running"), instance['name'])475 LOG.debug(_("instance %s: is running"), instance['name'])
431 self.firewall_driver.apply_instance_filter(instance)476 self.firewall_driver.apply_instance_filter(instance)
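Review bot: `self.to_xml(instance, network_info)` and `self._create_image(instance, xml, network_info)` pass `network_info` positionally, but the new signatures are `to_xml(self, instance, rescue=False, network_info=None)` and `_create_image(self, inst, libvirt_xml, suffix='', disk_images=None, network_info=None)`. A caller-supplied `network_info` therefore lands in `rescue` and in `suffix`, and both methods then fall back to `_get_network_info()`. Pass it by keyword in both calls: `network_info=network_info`.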
@@ -582,7 +627,11 @@
582 utils.execute('truncate', target, '-s', "%dG" % local_gb)627 utils.execute('truncate', target, '-s', "%dG" % local_gb)
583 # TODO(vish): should we format disk by default?628 # TODO(vish): should we format disk by default?
584629
585 def _create_image(self, inst, libvirt_xml, suffix='', disk_images=None):630 def _create_image(self, inst, libvirt_xml, suffix='', disk_images=None,
631 network_info=None):
632 if not network_info:
633 network_info = _get_network_info(inst)
634
586 # syntactic nicety635 # syntactic nicety
587 def basepath(fname='', suffix=suffix):636 def basepath(fname='', suffix=suffix):
588 return os.path.join(FLAGS.instances_path,637 return os.path.join(FLAGS.instances_path,
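Review bot: `if not network_info:` also matches an empty list, so a caller that passes `[]` on purpose gets the admin-context lookup in `_get_network_info(inst)` instead of an instance with no networks; `if network_info is None:` keeps the two cases apart. The same guard is repeated in `to_xml`, `prepare_instance_filter`, `add_filters_for_instance` and `instance_rules`, and none of them documents the argument; a docstring stating that `network_info` is a list of `(network, mapping)` tuples would cover all of them.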
@@ -658,28 +707,35 @@
658707
659 key = str(inst['key_data'])708 key = str(inst['key_data'])
660 net = None709 net = None
661 network_ref = db.network_get_by_instance(context.get_admin_context(),710
662 inst['id'])711 nets = []
663 if network_ref['injected']:712 ifc_template = open(FLAGS.injected_network_template).read()
664 admin_context = context.get_admin_context()713 ifc_num = -1
665 address = db.instance_get_fixed_address(admin_context, inst['id'])714 admin_context = context.get_admin_context()
715 for (network_ref, mapping) in network_info:
716 ifc_num += 1
717
718 if not 'injected' in network_ref:
719 continue
720
721 address = mapping['ips'][0]['ip']
666 address_v6 = None722 address_v6 = None
667 if FLAGS.use_ipv6:723 if FLAGS.use_ipv6:
668 address_v6 = db.instance_get_fixed_address_v6(admin_context,724 address_v6 = mapping['ip6s'][0]['ip']
669 inst['id'])725 net_info = {'name': 'eth%d' % ifc_num,
670726 'address': address,
671 interfaces_info = {'address': address,727 'netmask': network_ref['netmask'],
672 'netmask': network_ref['netmask'],728 'gateway': network_ref['gateway'],
673 'gateway': network_ref['gateway'],729 'broadcast': network_ref['broadcast'],
674 'broadcast': network_ref['broadcast'],730 'dns': network_ref['dns'],
675 'dns': network_ref['dns'],731 'address_v6': address_v6,
676 'address_v6': address_v6,732 'gateway_v6': network_ref['gateway_v6'],
677 'gateway_v6': network_ref['gateway_v6'],733 'netmask_v6': network_ref['netmask_v6'],
678 'netmask_v6': network_ref['netmask_v6'],734 'use_ipv6': FLAGS.use_ipv6}
679 'use_ipv6': FLAGS.use_ipv6}735 nets.append(net_info)
680736
681 net = str(Template(self.interfaces_xml,737 net = str(Template(ifc_template, searchList=[{'interfaces': nets}]))
682 searchList=[interfaces_info]))738
683 if key or net:739 if key or net:
684 inst_name = inst['name']740 inst_name = inst['name']
685 img_id = inst.image_id741 img_id = inst.image_id
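Review bot: `if not 'injected' in network_ref: continue` tests whether the key exists, where the removed code tested its value with `if network_ref['injected']:`. A network whose `injected` field is false now still gets an interfaces stanza written into the guest image; keep the value test, `if not network_ref['injected']: continue`. `net` is also rendered unconditionally after the loop, and the template carries static `lo` lines, so `if key or net:` is true even when `nets` is empty; render `net` only when `nets` has entries. `mapping['ips'][0]` and `mapping['ip6s'][0]` raise `IndexError` for a network without a fixed IP.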
@@ -701,20 +757,11 @@
701 if FLAGS.libvirt_type == 'uml':757 if FLAGS.libvirt_type == 'uml':
702 utils.execute('sudo', 'chown', 'root', basepath('disk'))758 utils.execute('sudo', 'chown', 'root', basepath('disk'))
703759
704 def to_xml(self, instance, rescue=False):760 def _get_nic_for_xml(self, instance_id, network, mapping):
705 # TODO(termie): cache?
706 LOG.debug(_('instance %s: starting toXML method'), instance['name'])
707 network = db.network_get_by_instance(context.get_admin_context(),
708 instance['id'])
709 # FIXME(vish): stick this in db
710 instance_type = instance['instance_type']
711 # instance_type = test.INSTANCE_TYPES[instance_type]
712 instance_type = instance_types.get_instance_type(instance_type)
713 ip_address = db.instance_get_fixed_address(context.get_admin_context(),
714 instance['id'])
715 # Assume that the gateway also acts as the dhcp server.761 # Assume that the gateway also acts as the dhcp server.
716 dhcp_server = network['gateway']762 dhcp_server = network['gateway']
717 gateway_v6 = network['gateway_v6']763 gateway_v6 = network['gateway_v6']
764 mac_id = mapping['mac'].replace(':', '')
718765
719 if FLAGS.allow_project_net_traffic:766 if FLAGS.allow_project_net_traffic:
720 if FLAGS.use_ipv6:767 if FLAGS.use_ipv6:
@@ -739,6 +786,41 @@
739 (net, mask)786 (net, mask)
740 else:787 else:
741 extra_params = "\n"788 extra_params = "\n"
789
790 result = {
791 'id': mac_id,
792 'bridge_name': network['bridge'],
793 'mac_address': mapping['mac'],
794 'ip_address': mapping['ips'][0]['ip'],
795 'dhcp_server': dhcp_server,
796 'extra_params': extra_params,
797 }
798
799 if gateway_v6:
800 result['gateway_v6'] = gateway_v6 + "/128"
801
802 return result
803
804 def to_xml(self, instance, rescue=False, network_info=None):
805 admin_context = context.get_admin_context()
806
807 # TODO(termie): cache?
808 LOG.debug(_('instance %s: starting toXML method'), instance['name'])
809
810 #TODO(ilyaalekseyev) remove network_info creation code
811 # when multinics will be completed
812 if not network_info:
813 network_info = _get_network_info(instance)
814
815 nics = []
816 for (network, mapping) in network_info:
817 nics.append(self._get_nic_for_xml(instance['id'],
818 network,
819 mapping))
820 # FIXME(vish): stick this in db
821 instance_type_name = instance['instance_type']
822 instance_type = instance_types.get_instance_type(instance_type_name)
823
742 if FLAGS.use_cow_images:824 if FLAGS.use_cow_images:
743 driver_type = 'qcow2'825 driver_type = 'qcow2'
744 else:826 else:
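Review bot: `'ip_address': mapping['ips'][0]['ip']` hands only the first address to the `IP` parameter of the `filterref`, while `add_filters_for_instance` builds iptables rules for every entry in `mapping['ips']`, so the two filtering layers disagree as soon as a NIC has a second address. The index also raises `IndexError` for a network without a fixed IP. Either state in a comment that one IPv4 address per NIC is assumed, or check the list before indexing.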
@@ -750,17 +832,11 @@
750 instance['name']),832 instance['name']),
751 'memory_kb': instance_type['memory_mb'] * 1024,833 'memory_kb': instance_type['memory_mb'] * 1024,
752 'vcpus': instance_type['vcpus'],834 'vcpus': instance_type['vcpus'],
753 'bridge_name': network['bridge'],
754 'mac_address': instance['mac_address'],
755 'ip_address': ip_address,
756 'dhcp_server': dhcp_server,
757 'extra_params': extra_params,
758 'rescue': rescue,835 'rescue': rescue,
759 'local': instance_type['local_gb'],836 'local': instance_type['local_gb'],
760 'driver_type': driver_type}837 'driver_type': driver_type,
838 'nics': nics}
761839
762 if gateway_v6:
763 xml_info['gateway_v6'] = gateway_v6 + "/128"
764 if not rescue:840 if not rescue:
765 if instance['kernel_id']:841 if instance['kernel_id']:
766 xml_info['kernel'] = xml_info['basepath'] + "/kernel"842 xml_info['kernel'] = xml_info['basepath'] + "/kernel"
@@ -773,7 +849,6 @@
773 xml = str(Template(self.libvirt_xml, searchList=[xml_info]))849 xml = str(Template(self.libvirt_xml, searchList=[xml_info]))
774 LOG.debug(_('instance %s: finished toXML method'),850 LOG.debug(_('instance %s: finished toXML method'),
775 instance['name'])851 instance['name'])
776
777 return xml852 return xml
778853
779 def get_info(self, instance_name):854 def get_info(self, instance_name):
@@ -1274,7 +1349,7 @@
12741349
12751350
1276class FirewallDriver(object):1351class FirewallDriver(object):
1277 def prepare_instance_filter(self, instance):1352 def prepare_instance_filter(self, instance, network_info=None):
1278 """Prepare filters for the instance.1353 """Prepare filters for the instance.
12791354
1280 At this point, the instance isn't running yet."""1355 At this point, the instance isn't running yet."""
@@ -1308,7 +1383,7 @@
1308 the security group."""1383 the security group."""
1309 raise NotImplementedError()1384 raise NotImplementedError()
13101385
1311 def setup_basic_filtering(self, instance):1386 def setup_basic_filtering(self, instance, network_info=None):
1312 """Create rules to block spoofing and allow dhcp.1387 """Create rules to block spoofing and allow dhcp.
13131388
1314 This gets called when spawning an instance, before1389 This gets called when spawning an instance, before
@@ -1322,6 +1397,11 @@
1322 instance['id'])1397 instance['id'])
1323 return network['gateway_v6']1398 return network['gateway_v6']
13241399
1400 def _all_gateway_v6_for_instance(self, instance):
1401 networks = db.network_get_all_by_instance(context.get_admin_context(),
1402 instance['id'])
1403 return [network['gateway_v6'] for network in networks]
1404
13251405
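Review bot: `[network['gateway_v6'] for network in networks]` keeps an entry for networks that have no IPv6 gateway, so the result can be `[None]`. That makes `if gateways_v6:` in `prepare_instance_filter` true for any instance with a network, and the loop in `instance_rules` would format `-s None/128 -p icmpv6 -j ACCEPT`. Filter the empty values out here: `[n['gateway_v6'] for n in networks if n['gateway_v6']]`. This helper also goes back to the database although its callers already hold `network_info`.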
1326class NWFilterFirewall(FirewallDriver):1406class NWFilterFirewall(FirewallDriver):
1327 """1407 """
@@ -1413,7 +1493,7 @@
1413 </rule>1493 </rule>
1414 </filter>'''1494 </filter>'''
14151495
1416 def setup_basic_filtering(self, instance):1496 def setup_basic_filtering(self, instance, network_info=None):
1417 """Set up basic filtering (MAC, IP, and ARP spoofing protection)"""1497 """Set up basic filtering (MAC, IP, and ARP spoofing protection)"""
1418 logging.info('called setup_basic_filtering in nwfilter')1498 logging.info('called setup_basic_filtering in nwfilter')
14191499
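Review bot: `network_info` is accepted here but nothing else in this hunk changes, so in the lines shown the argument is unused, while `libvirt.xml.template` now references a per-NIC filter, `nova-instance-${name}-${nic.id}`. If this method still defines a single filter per instance, the domain XML will point at filter names that were never defined. Define one filter per `(network, mapping)` entry using the same naming scheme as the template, and describe the parameter in the docstring.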
@@ -1518,7 +1598,7 @@
1518 # Nothing to do1598 # Nothing to do
1519 pass1599 pass
15201600
1521 def prepare_instance_filter(self, instance):1601 def prepare_instance_filter(self, instance, network_info=None):
1522 """1602 """
1523 Creates an NWFilter for the given instance. In the process,1603 Creates an NWFilter for the given instance. In the process,
1524 it makes sure the filters for the security groups as well as1604 it makes sure the filters for the security groups as well as
@@ -1536,8 +1616,8 @@
1536 'nova-base-ipv6',1616 'nova-base-ipv6',
1537 'nova-allow-dhcp-server']1617 'nova-allow-dhcp-server']
1538 if FLAGS.use_ipv6:1618 if FLAGS.use_ipv6:
1539 gateway_v6 = self._gateway_v6_for_instance(instance)1619 gateways_v6 = self._all_gateway_v6_for_instance(instance)
1540 if gateway_v6:1620 if gateways_v6:
1541 instance_secgroup_filter_children += ['nova-allow-ra-server']1621 instance_secgroup_filter_children += ['nova-allow-ra-server']
15421622
1543 ctxt = context.get_admin_context()1623 ctxt = context.get_admin_context()
@@ -1623,9 +1703,11 @@
1623 self.iptables.ipv6['filter'].add_chain('sg-fallback')1703 self.iptables.ipv6['filter'].add_chain('sg-fallback')
1624 self.iptables.ipv6['filter'].add_rule('sg-fallback', '-j DROP')1704 self.iptables.ipv6['filter'].add_rule('sg-fallback', '-j DROP')
16251705
1626 def setup_basic_filtering(self, instance):1706 def setup_basic_filtering(self, instance, network_info=None):
1627 """Use NWFilter from libvirt for this."""1707 """Use NWFilter from libvirt for this."""
1628 return self.nwfilter.setup_basic_filtering(instance)1708 if not network_info:
1709 network_info = _get_network_info(instance)
1710 return self.nwfilter.setup_basic_filtering(instance, network_info)
16291711
1630 def apply_instance_filter(self, instance):1712 def apply_instance_filter(self, instance):
1631 """No-op. Everything is done in prepare_instance_filter"""1713 """No-op. Everything is done in prepare_instance_filter"""
@@ -1639,29 +1721,40 @@
1639 LOG.info(_('Attempted to unfilter instance %s which is not '1721 LOG.info(_('Attempted to unfilter instance %s which is not '
1640 'filtered'), instance['id'])1722 'filtered'), instance['id'])
16411723
1642 def prepare_instance_filter(self, instance):1724 def prepare_instance_filter(self, instance, network_info=None):
1725 if not network_info:
1726 network_info = _get_network_info(instance)
1643 self.instances[instance['id']] = instance1727 self.instances[instance['id']] = instance
1644 self.add_filters_for_instance(instance)1728 self.add_filters_for_instance(instance, network_info)
1645 self.iptables.apply()1729 self.iptables.apply()
16461730
1647 def add_filters_for_instance(self, instance):1731 def add_filters_for_instance(self, instance, network_info=None):
1732 if not network_info:
1733 network_info = _get_network_info(instance)
1648 chain_name = self._instance_chain_name(instance)1734 chain_name = self._instance_chain_name(instance)
16491735
1650 self.iptables.ipv4['filter'].add_chain(chain_name)1736 self.iptables.ipv4['filter'].add_chain(chain_name)
1651 ipv4_address = self._ip_for_instance(instance)1737
1652 self.iptables.ipv4['filter'].add_rule('local',1738 ips_v4 = [ip['ip'] for (_, mapping) in network_info
1653 '-d %s -j $%s' %1739 for ip in mapping['ips']]
1654 (ipv4_address, chain_name))1740
1741 for ipv4_address in ips_v4:
1742 self.iptables.ipv4['filter'].add_rule('local',
1743 '-d %s -j $%s' %
1744 (ipv4_address, chain_name))
16551745
1656 if FLAGS.use_ipv6:1746 if FLAGS.use_ipv6:
1657 self.iptables.ipv6['filter'].add_chain(chain_name)1747 self.iptables.ipv6['filter'].add_chain(chain_name)
1658 ipv6_address = self._ip_for_instance_v6(instance)1748 ips_v6 = [ip['ip'] for (_, mapping) in network_info
1659 self.iptables.ipv6['filter'].add_rule('local',1749 for ip in mapping['ip6s']]
1660 '-d %s -j $%s' %1750
1661 (ipv6_address,1751 for ipv6_address in ips_v6:
1662 chain_name))1752 self.iptables.ipv6['filter'].add_rule('local',
16631753 '-d %s -j $%s' %
1664 ipv4_rules, ipv6_rules = self.instance_rules(instance)1754 (ipv6_address,
1755 chain_name))
1756
1757 ipv4_rules, ipv6_rules = self.instance_rules(instance, network_info)
16651758
1666 for rule in ipv4_rules:1759 for rule in ipv4_rules:
1667 self.iptables.ipv4['filter'].add_rule(chain_name, rule)1760 self.iptables.ipv4['filter'].add_rule(chain_name, rule)
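Review bot: the comprehensions `for (_, mapping) in network_info` bind `_`, which this module uses as the translation function (see the `LOG.info(_('Attempted to unfilter instance %s which is not '` context line at the top of this hunk). Under Python 2 the comprehension variable leaks into the function scope, so any later `_('...')` call in `add_filters_for_instance` would reach a network object instead of gettext. `instance_rules` already uses `_m` for the same purpose; use that here too. The `if not network_info:` fallback is also duplicated between `prepare_instance_filter` and `add_filters_for_instance`, which the former always calls with a value.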
@@ -1677,7 +1770,9 @@
1677 if FLAGS.use_ipv6:1770 if FLAGS.use_ipv6:
1678 self.iptables.ipv6['filter'].remove_chain(chain_name)1771 self.iptables.ipv6['filter'].remove_chain(chain_name)
16791772
1680 def instance_rules(self, instance):1773 def instance_rules(self, instance, network_info=None):
1774 if not network_info:
1775 network_info = _get_network_info(instance)
1681 ctxt = context.get_admin_context()1776 ctxt = context.get_admin_context()
16821777
1683 ipv4_rules = []1778 ipv4_rules = []
@@ -1691,28 +1786,35 @@
1691 ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']1786 ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
1692 ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']1787 ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
16931788
1694 dhcp_server = self._dhcp_server_for_instance(instance)1789 dhcp_servers = [network['gateway'] for (network, _m) in network_info]
1695 ipv4_rules += ['-s %s -p udp --sport 67 --dport 68 '1790
1696 '-j ACCEPT' % (dhcp_server,)]1791 for dhcp_server in dhcp_servers:
1792 ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 '
1793 '-j ACCEPT' % (dhcp_server,))
16971794
1698 #Allow project network traffic1795 #Allow project network traffic
1699 if FLAGS.allow_project_net_traffic:1796 if FLAGS.allow_project_net_traffic:
1700 cidr = self._project_cidr_for_instance(instance)1797 cidrs = [network['cidr'] for (network, _m) in network_info]
1701 ipv4_rules += ['-s %s -j ACCEPT' % (cidr,)]1798 for cidr in cidrs:
1799 ipv4_rules.append('-s %s -j ACCEPT' % (cidr,))
17021800
1703 # We wrap these in FLAGS.use_ipv6 because they might cause1801 # We wrap these in FLAGS.use_ipv6 because they might cause
1704 # a DB lookup. The other ones are just list operations, so1802 # a DB lookup. The other ones are just list operations, so
1705 # they're not worth the clutter.1803 # they're not worth the clutter.
1706 if FLAGS.use_ipv6:1804 if FLAGS.use_ipv6:
1707 # Allow RA responses1805 # Allow RA responses
1708 gateway_v6 = self._gateway_v6_for_instance(instance)1806 gateways_v6 = self._all_gateway_v6_for_instance(instance)
1709 if gateway_v6:1807 for gateway_v6 in gateways_v6:
1710 ipv6_rules += ['-s %s/128 -p icmpv6 -j ACCEPT' % (gateway_v6,)]1808 ipv6_rules.append(
1809 '-s %s/128 -p icmpv6 -j ACCEPT' % (gateway_v6,))
17111810
1712 #Allow project network traffic1811 #Allow project network traffic
1713 if FLAGS.allow_project_net_traffic:1812 if FLAGS.allow_project_net_traffic:
1714 cidrv6 = self._project_cidrv6_for_instance(instance)1813 cidrv6s = [network['cidr_v6'] for (network, _m)
1715 ipv6_rules += ['-s %s -j ACCEPT' % (cidrv6,)]1814 in network_info]
1815
1816 for cidrv6 in cidrv6s:
1817 ipv6_rules.append('-s %s -j ACCEPT' % (cidrv6,))
17161818
1717 security_groups = db.security_group_get_by_instance(ctxt,1819 security_groups = db.security_group_get_by_instance(ctxt,
1718 instance['id'])1820 instance['id'])
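Review bot: `gateways_v6 = self._all_gateway_v6_for_instance(instance)` goes back to the database while every other rule in this method is built from `network_info`, so the RA rules can describe different networks than the DHCP and CIDR rules when a caller passes its own `network_info`. Take the gateways from `network_info` and skip empty values. The same check is needed for `network['cidr_v6']`, which would otherwise be formatted into `-s None -j ACCEPT` for a network without an IPv6 range.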