OpenStack Compute (nova)

Merge lp:~soren/nova/lp704351 into lp:~hudson-openstack/nova/trunk

  1. lp704351
  2. Merge into trunk
Proposed by Soren Hansen
Status: Merged
Approved by: Soren Hansen
Approved revision: 578
Merged at revision: 583
Proposed branch: lp:~soren/nova/lp704351
Merge into: lp:~hudson-openstack/nova/trunk
Diff against target: 128 lines (+39/-17)
2 files modified
nova/tests/test_virt.py (+35/-17)
nova/virt/libvirt_conn.py (+4/-0)
To merge this branch: bzr merge lp:~soren/nova/lp704351
Reviewer Review Type Date Requested Status
Vish Ishaya (community) Approve
Devin Carlen (community) Approve
Review via email: mp+46714@code.launchpad.net

Description of the change

Add an apply_instance_filter method to NWFilter driver.

Adjust unit tests for both firewall drivers to actually exercise these
code paths.

To post a comment you must log in.
Revision history for this message
Devin Carlen (devcamcar) wrote :

lgtm

review: Approve
Revision history for this message
Vish Ishaya (vishvananda) wrote :

lgtm

review: Approve
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

The attempt to merge lp:~soren/nova/lp704351 into lp:nova failed. Below is the output from the failed tests.

nova/tests/test_virt.py:356:80: E501 line too long (80 characters)
                        ' 8 -j ACCEPT' % security_group_chain in self.out_rules,
                                                                               ^
    Limit all lines to a maximum of 79 characters.

    There are still many devices around that are limited to 80 character
    lines; plus, limiting windows to 80 characters makes it possible to have
    several windows side-by-side. The default wrapping on such devices looks
    ugly. Therefore, please limit all lines to a maximum of 79 characters.
    For flowing long blocks of text (docstrings or comments), limiting the
    length to 72 characters is recommended.
nova/tests/test_virt.py:499:1: W391 blank line at end of file

^
    JCR: Trailing blank lines are superfluous.

    Okay: spam(1)
    W391: spam(1)\n

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

The attempt to merge lp:~soren/nova/lp704351 into lp:nova failed. Below is the output from the failed tests.

nova/tests/test_virt.py:356:80: E501 line too long (80 characters)
                        ' 8 -j ACCEPT' % security_group_chain in self.out_rules,
                                                                               ^
    Limit all lines to a maximum of 79 characters.

    There are still many devices around that are limited to 80 character
    lines; plus, limiting windows to 80 characters makes it possible to have
    several windows side-by-side. The default wrapping on such devices looks
    ugly. Therefore, please limit all lines to a maximum of 79 characters.
    For flowing long blocks of text (docstrings or comments), limiting the
    length to 72 characters is recommended.
nova/tests/test_virt.py:499:1: W391 blank line at end of file

^
    JCR: Trailing blank lines are superfluous.

    Okay: spam(1)
    W391: spam(1)\n

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'nova/tests/test_virt.py'
2--- nova/tests/test_virt.py 2011-01-18 20:42:20 +0000
3+++ nova/tests/test_virt.py 2011-01-19 09:28:10 +0000
4@@ -228,12 +228,6 @@
5 self.manager.delete_user(self.user)
6 super(IptablesFirewallTestCase, self).tearDown()
7
8- def _p(self, *args, **kwargs):
9- if 'iptables-restore' in args:
10- print ' '.join(args), kwargs['stdin']
11- if 'iptables-save' in args:
12- return
13-
14 in_rules = [
15 '# Generated by iptables-save v1.4.4 on Mon Dec 6 11:54:13 2010',
16 '*filter',
17@@ -255,11 +249,21 @@
18 '# Completed on Mon Dec 6 11:54:13 2010',
19 ]
20
21+ in6_rules = [
22+ '# Generated by ip6tables-save v1.4.4 on Tue Jan 18 23:47:56 2011',
23+ '*filter',
24+ ':INPUT ACCEPT [349155:75810423]',
25+ ':FORWARD ACCEPT [0:0]',
26+ ':OUTPUT ACCEPT [349256:75777230]',
27+ 'COMMIT',
28+ '# Completed on Tue Jan 18 23:47:56 2011'
29+ ]
30+
31 def test_static_filters(self):
32- self.fw.execute = self._p
33 instance_ref = db.instance_create(self.context,
34 {'user_id': 'fake',
35- 'project_id': 'fake'})
36+ 'project_id': 'fake',
37+ 'mac_address': '56:12:12:12:12:12'})
38 ip = '10.11.12.13'
39
40 network_ref = db.project_get_network(self.context,
41@@ -304,18 +308,31 @@
42 secgroup['id'])
43 instance_ref = db.instance_get(admin_ctxt, instance_ref['id'])
44
45- self.fw.add_instance(instance_ref)
46+# self.fw.add_instance(instance_ref)
47+ def fake_iptables_execute(cmd, process_input=None):
48+ if cmd == 'sudo ip6tables-save -t filter':
49+ return '\n'.join(self.in6_rules), None
50+ if cmd == 'sudo iptables-save -t filter':
51+ return '\n'.join(self.in_rules), None
52+ if cmd == 'sudo iptables-restore':
53+ self.out_rules = process_input.split('\n')
54+ return '', ''
55+ if cmd == 'sudo ip6tables-restore':
56+ self.out6_rules = process_input.split('\n')
57+ return '', ''
58+ self.fw.execute = fake_iptables_execute
59
60- out_rules = self.fw.modify_rules(self.in_rules)
61+ self.fw.prepare_instance_filter(instance_ref)
62+ self.fw.apply_instance_filter(instance_ref)
63
64 in_rules = filter(lambda l: not l.startswith('#'), self.in_rules)
65 for rule in in_rules:
66 if not 'nova' in rule:
67- self.assertTrue(rule in out_rules,
68+ self.assertTrue(rule in self.out_rules,
69 'Rule went missing: %s' % rule)
70
71 instance_chain = None
72- for rule in out_rules:
73+ for rule in self.out_rules:
74 # This is pretty crude, but it'll do for now
75 if '-d 10.11.12.13 -j' in rule:
76 instance_chain = rule.split(' ')[-1]
77@@ -323,7 +340,7 @@
78 self.assertTrue(instance_chain, "The instance chain wasn't added")
79
80 security_group_chain = None
81- for rule in out_rules:
82+ for rule in self.out_rules:
83 # This is pretty crude, but it'll do for now
84 if '-A %s -j' % instance_chain in rule:
85 security_group_chain = rule.split(' ')[-1]
86@@ -332,16 +349,16 @@
87 "The security group chain wasn't added")
88
89 self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -j ACCEPT' % \
90- security_group_chain in out_rules,
91+ security_group_chain in self.out_rules,
92 "ICMP acceptance rule wasn't added")
93
94- self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type'
95- ' 8 -j ACCEPT' % security_group_chain in out_rules,
96+ self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type '
97+ '8 -j ACCEPT' % security_group_chain in self.out_rules,
98 "ICMP Echo Request acceptance rule wasn't added")
99
100 self.assertTrue('-A %s -p tcp -s 192.168.10.0/24 -m multiport '
101 '--dports 80:81 -j ACCEPT' % security_group_chain \
102- in out_rules,
103+ in self.out_rules,
104 "TCP port 80/81 acceptance rule wasn't added")
105
106
107@@ -476,5 +493,6 @@
108
109 self.fw.setup_basic_filtering(instance)
110 self.fw.prepare_instance_filter(instance)
111+ self.fw.apply_instance_filter(instance)
112 _ensure_all_called()
113 self.teardown_security_group()
114
115=== modified file 'nova/virt/libvirt_conn.py'
116--- nova/virt/libvirt_conn.py 2011-01-18 22:55:03 +0000
117+++ nova/virt/libvirt_conn.py 2011-01-19 09:28:10 +0000
118@@ -1121,6 +1121,10 @@
119
120 return
121
122+ def apply_instance_filter(self, instance):
123+ """No-op. Everything is done in prepare_instance_filter"""
124+ pass
125+
126 def refresh_security_group_rules(self, security_group_id):
127 return self._define_filter(
128 self.security_group_to_nwfilter_xml(security_group_id))