OpenStack Compute (nova)

Merge lp:~soren/nova/iptables-security-groups into lp:~hudson-openstack/nova/trunk

  1. iptables-security-groups
  2. Merge into trunk
Proposed by Soren Hansen
Status: Merged
Approved by: Vish Ishaya
Approved revision: 460
Merged at revision: 561
Proposed branch: lp:~soren/nova/iptables-security-groups
Merge into: lp:~hudson-openstack/nova/trunk
Diff against target: 118 lines (+32/-12)
1 file modified
nova/virt/libvirt_conn.py (+32/-12)
To merge this branch: bzr merge lp:~soren/nova/iptables-security-groups
Reviewer Review Type Date Requested Status
Vish Ishaya (community) Approve
Eric Day (community) Approve
Thierry Carrez (community) Needs Fixing
Review via email: mp+46134@code.launchpad.net

Description of the change

Add a new method to firewall drivers to tell them to stop filtering a particular instance. Call it when an instance has been destroyed.

Use dict()s (keyed off id's) instead of set()s for keeping track of instances and security groups in the iptables firewall driver. __eq__ for objects from sqlalchemy fetched in different sessions doesn't work as expected, so I needed to explicitly filter on ID.

To post a comment you must log in.
Revision history for this message
Thierry Carrez (ttx) wrote :

Fixes the bug alright.

Why the changes in version.py, though ?

L79: Attempted to untiler --> you mean unfilter ?

review: Needs Fixing
Revision history for this message
Soren Hansen (soren) wrote :

Gah, they werent' supposed to be included in the patch. I just did it locally because the million char wide log lines p'ed me off.

lp:~soren/nova/iptables-security-groups updated
459. By Soren Hansen

Revert changes to version.py

Revision history for this message
Thierry Carrez (ttx) wrote :

You missed this remark:
L79: Attempted to untiler --> you mean unfilter ?

lp:~soren/nova/iptables-security-groups updated
460. By Soren Hansen

Spelling is hard. Typing even moreso.

Revision history for this message
Eric Day (eday) wrote :

lgtm

review: Approve
Revision history for this message
Vish Ishaya (vishvananda) wrote :

lgtm

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'nova/virt/libvirt_conn.py'
2--- nova/virt/libvirt_conn.py 2011-01-13 01:25:08 +0000
3+++ nova/virt/libvirt_conn.py 2011-01-13 17:11:31 +0000
4@@ -214,6 +214,8 @@
5 power_state.SHUTDOWN)
6 break
7
8+ self.firewall_driver.unfilter_instance(instance)
9+
10 if cleanup:
11 self._cleanup(instance)
12
13@@ -774,6 +776,10 @@
14 At this point, the instance isn't running yet."""
15 raise NotImplementedError()
16
17+ def unfilter_instance(self, instance):
18+ """Stop filtering instance"""
19+ raise NotImplementedError()
20+
21 def apply_instance_filter(self, instance):
22 """Apply instance filter.
23
24@@ -964,6 +970,10 @@
25 # execute in a native thread and block current greenthread until done
26 tpool.execute(self._conn.nwfilterDefineXML, xml)
27
28+ def unfilter_instance(self, instance):
29+ # Nothing to do
30+ pass
31+
32 def prepare_instance_filter(self, instance):
33 """
34 Creates an NWFilter for the given instance. In the process,
35@@ -1045,17 +1055,25 @@
36 class IptablesFirewallDriver(FirewallDriver):
37 def __init__(self, execute=None):
38 self.execute = execute or utils.execute
39- self.instances = set()
40+ self.instances = {}
41
42 def apply_instance_filter(self, instance):
43 """No-op. Everything is done in prepare_instance_filter"""
44 pass
45
46 def remove_instance(self, instance):
47- self.instances.remove(instance)
48+ if instance['id'] in self.instances:
49+ del self.instances[instance['id']]
50+ else:
51+ LOG.info(_('Attempted to unfilter instance %s which is not '
52+ 'filtered'), instance['id'])
53
54 def add_instance(self, instance):
55- self.instances.add(instance)
56+ self.instances[instance['id']] = instance
57+
58+ def unfilter_instance(self, instance):
59+ self.remove_instance(instance)
60+ self.apply_ruleset()
61
62 def prepare_instance_filter(self, instance):
63 self.add_instance(instance)
64@@ -1088,10 +1106,11 @@
65 our_chains += [':nova-local - [0:0]']
66 our_rules += ['-A FORWARD -j nova-local']
67
68- security_groups = set()
69+ security_groups = {}
70 # Add our chains
71 # First, we add instance chains and rules
72- for instance in self.instances:
73+ for instance_id in self.instances:
74+ instance = self.instances[instance_id]
75 chain_name = self._instance_chain_name(instance)
76 ip_address = self._ip_for_instance(instance)
77
78@@ -1113,9 +1132,10 @@
79 for security_group in \
80 db.security_group_get_by_instance(ctxt,
81 instance['id']):
82- security_groups.add(security_group)
83+ security_groups[security_group['id']] = security_group
84
85- sg_chain_name = self._security_group_chain_name(security_group)
86+ sg_chain_name = self._security_group_chain_name(
87+ security_group['id'])
88
89 our_rules += ['-A %s -j %s' % (chain_name, sg_chain_name)]
90
91@@ -1128,13 +1148,13 @@
92 our_rules += ['-A %s -j nova-ipv4-fallback' % (chain_name,)]
93
94 # then, security group chains and rules
95- for security_group in security_groups:
96- chain_name = self._security_group_chain_name(security_group)
97+ for security_group_id in security_groups:
98+ chain_name = self._security_group_chain_name(security_group_id)
99 our_chains += [':%s - [0:0]' % chain_name]
100
101 rules = \
102 db.security_group_rule_get_by_security_group(ctxt,
103- security_group['id'])
104+ security_group_id)
105
106 for rule in rules:
107 logging.info('%r', rule)
108@@ -1182,8 +1202,8 @@
109 def refresh_security_group_rules(self, security_group):
110 self.apply_ruleset()
111
112- def _security_group_chain_name(self, security_group):
113- return 'nova-sg-%s' % (security_group['id'],)
114+ def _security_group_chain_name(self, security_group_id):
115+ return 'nova-sg-%s' % (security_group_id,)
116
117 def _instance_chain_name(self, instance):
118 return 'nova-inst-%s' % (instance['id'],)