Merge lp:~vishvananda/nova/fix-network-info into lp:~hudson-openstack/nova/trunk

Proposed by Vish Ishaya
Status: Merged
Approved by: Devin Carlen
Approved revision: 1423
Merged at revision: 1435
Proposed branch: lp:~vishvananda/nova/fix-network-info
Merge into: lp:~hudson-openstack/nova/trunk
Diff against target: 850 lines (+116/-192)
10 files modified
nova/compute/manager.py (+4/-2)
nova/tests/test_compute.py (+2/-2)
nova/tests/test_libvirt.py (+49/-39)
nova/virt/driver.py (+1/-1)
nova/virt/fake.py (+2/-2)
nova/virt/libvirt/connection.py (+21/-24)
nova/virt/libvirt/firewall.py (+35/-53)
nova/virt/libvirt/netutils.py (+0/-67)
nova/virt/libvirt/vif.py (+1/-1)
nova/virt/xenapi_conn.py (+1/-1)
To merge this branch: bzr merge lp:~vishvananda/nova/fix-network-info
Reviewer Review Type Date Requested Status
Devin Carlen (community) Approve
Matt Dietz (community) Approve
Jason Kölker (community) Approve
Review via email: mp+71441@code.launchpad.net

Description of the change

Libvirt has some autogenerated network info that is breaking ha network.

 * passes network info from manager wherever it is needed
 * fixes libvirt tests
 * renames allow_project_net_traffic to allow_same_net_traffic
 * makes firewall driver use dhcp_server instead of gateway for dhcp exception.

Jason Kölker (jason-koelker) wrote :

Sweet! Too slow tr3buchet!

Just FYI, there are a couple of pep8 issues.

review: Approve
Trey Morris (tr3buchet) wrote :

203 + network_info = _create_network_info

looks wrong, what's going on here?

Vish Ishaya (vishvananda) wrote :

ah nice one. I forgot some of the libvirt tests are silently skipped if libvirt isn't installed. Let me rerun on a linux system.

Vish Ishaya (vishvananda) wrote :

Trey, fixed that issue.

OpenStack Infra (hudson-openstack) wrote :

There are additional revisions which have not been approved in review. Please seek review and approval of these new revisions.

Matt Dietz (cerberus) wrote :

Looks good

review: Approve
Devin Carlen (devcamcar) wrote :

lgtm

review: Approve

Preview Diff

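--- a/nova/compute/manager.py
+++ b/nova/compute/manager.py
@@ -170,7 +170,9 @@
 elif drv_state == power_state.RUNNING:
 # Hyper-V and VMWareAPI drivers will raise and exception
 try:
- self.driver.ensure_filtering_rules_for_instance(instance)
+ net_info = self._get_instance_nw_info(context, instance)
+ self.driver.ensure_filtering_rules_for_instance(instance,
+ net_info)
 except NotImplementedError:
 LOG.warning(_('Hypervisor driver does not '
 'support firewall rules'))
@@ -1308,7 +1310,7 @@
 # This nwfilter is necessary on the destination host.
 # In addition, this method is creating filtering rule
 # onto destination host.
- self.driver.ensure_filtering_rules_for_instance(instance_ref)
+ self.driver.ensure_filtering_rules_for_instance(instance_ref, network_info)
 
 def live_migration(self, context, instance_id, dest):
 """Executing live migration.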
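Review bot: In the first hunk `_get_instance_nw_info` is now called inside the `try` whose only handler is `except NotImplementedError`, so any error raised by the network lookup goes unhandled here, before the driver has been asked to re-establish filtering. The enclosing loop is outside the hunk, but if this runs once per instance at host start-up, one failed lookup would appear to stop firewall rules being restored for the remaining running instances. I would either handle and log the lookup failure per instance, or add a comment above the call stating that aborting is intended, so the fail-closed or fail-open choice is explicit. In the second hunk `network_info` is read from a variable assigned outside the visible lines.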
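--- a/nova/tests/test_compute.py
+++ b/nova/tests/test_compute.py
@@ -632,7 +632,7 @@
 vid = i_ref['volumes'][i]['id']
 volmock.setup_compute_volume(c, vid).InAnyOrder('g1')
 drivermock.plug_vifs(i_ref, [])
- drivermock.ensure_filtering_rules_for_instance(i_ref)
+ drivermock.ensure_filtering_rules_for_instance(i_ref, [])
 
 self.compute.db = dbmock
 self.compute.volume_manager = volmock
@@ -657,7 +657,7 @@
 self.mox.StubOutWithMock(compute_manager.LOG, 'info')
 compute_manager.LOG.info(_("%s has no volume."), i_ref['hostname'])
 drivermock.plug_vifs(i_ref, [])
- drivermock.ensure_filtering_rules_for_instance(i_ref)
+ drivermock.ensure_filtering_rules_for_instance(i_ref, [])
 
 self.compute.db = dbmock
 self.compute.driver = drivermock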
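--- a/nova/tests/test_libvirt.py
+++ b/nova/tests/test_libvirt.py
@@ -49,18 +49,19 @@
 if ipv6 is None:
 ipv6 = FLAGS.use_ipv6
 fake = 'fake'
- fake_ip = '0.0.0.0/0'
- fake_ip_2 = '0.0.0.1/0'
- fake_ip_3 = '0.0.0.1/0'
+ fake_ip = '10.11.12.13'
+ fake_ip_2 = '0.0.0.1'
+ fake_ip_3 = '0.0.0.1'
 fake_vlan = 100
 fake_bridge_interface = 'eth0'
 network = {'bridge': fake,
 'cidr': fake_ip,
 'cidr_v6': fake_ip,
+ 'gateway_v6': fake,
 'vlan': fake_vlan,
 'bridge_interface': fake_bridge_interface}
 mapping = {'mac': fake,
- 'dhcp_server': fake,
+ 'dhcp_server': '10.0.0.1',
 'gateway': fake,
 'gateway6': fake,
 'ips': [{'ip': fake_ip}, {'ip': fake_ip}]}
@@ -273,15 +274,14 @@
 conn = connection.LibvirtConnection(True)
 instance_ref = db.instance_create(self.context, self.test_instance)
 
- result = conn._prepare_xml_info(instance_ref, False)
- self.assertFalse(result['nics'])
-
- result = conn._prepare_xml_info(instance_ref, False,
- _create_network_info())
+ result = conn._prepare_xml_info(instance_ref,
+ _create_network_info(),
+ False)
 self.assertTrue(len(result['nics']) == 1)
 
- result = conn._prepare_xml_info(instance_ref, False,
- _create_network_info(2))
+ result = conn._prepare_xml_info(instance_ref,
+ _create_network_info(2),
+ False)
 self.assertTrue(len(result['nics']) == 2)
 
 def test_xml_and_uri_no_ramdisk_no_kernel(self):
@@ -408,16 +408,16 @@
 network_info = _create_network_info(2)
 conn = connection.LibvirtConnection(True)
 instance_ref = db.instance_create(self.context, instance_data)
- xml = conn.to_xml(instance_ref, False, network_info)
+ xml = conn.to_xml(instance_ref, network_info, False)
 tree = xml_to_tree(xml)
 interfaces = tree.findall("./devices/interface")
 self.assertEquals(len(interfaces), 2)
 parameters = interfaces[0].findall('./filterref/parameter')
 self.assertEquals(interfaces[0].get('type'), 'bridge')
 self.assertEquals(parameters[0].get('name'), 'IP')
- self.assertEquals(parameters[0].get('value'), '0.0.0.0/0')
+ self.assertEquals(parameters[0].get('value'), '10.11.12.13')
 self.assertEquals(parameters[1].get('name'), 'DHCPSERVER')
- self.assertEquals(parameters[1].get('value'), 'fake')
+ self.assertEquals(parameters[1].get('value'), '10.0.0.1')
 
 def _check_xml_and_container(self, instance):
 user_context = context.RequestContext(self.user_id,
@@ -431,7 +431,8 @@
 uri = conn.get_uri()
 self.assertEquals(uri, 'lxc:///')
 
- xml = conn.to_xml(instance_ref)
+ network_info = _create_network_info()
+ xml = conn.to_xml(instance_ref, network_info)
 tree = xml_to_tree(xml)
 
 check = [
@@ -528,17 +529,20 @@
 uri = conn.get_uri()
 self.assertEquals(uri, expected_uri)
 
- xml = conn.to_xml(instance_ref, rescue)
+ network_info = _create_network_info()
+ xml = conn.to_xml(instance_ref, network_info, rescue)
 tree = xml_to_tree(xml)
 for i, (check, expected_result) in enumerate(checks):
 self.assertEqual(check(tree),
 expected_result,
- '%s failed check %d' % (xml, i))
+ '%s != %s failed check %d' %
+ (check(tree), expected_result, i))
 
 for i, (check, expected_result) in enumerate(common_checks):
 self.assertEqual(check(tree),
 expected_result,
- '%s failed common check %d' % (xml, i))
+ '%s != %s failed common check %d' %
+ (check(tree), expected_result, i))
 
 # This test is supposed to make sure we don't
 # override a specifically set uri
@@ -623,7 +627,7 @@
 return
 
 # Preparing mocks
- def fake_none(self):
+ def fake_none(self, *args):
 return
 
 def fake_raise(self):
@@ -640,6 +644,7 @@
 
 self.create_fake_libvirt_mock()
 instance_ref = db.instance_create(self.context, self.test_instance)
+ network_info = _create_network_info()
 
 # Start test
 self.mox.ReplayAll()
@@ -649,6 +654,7 @@
 conn.firewall_driver.setattr('prepare_instance_filter', fake_none)
 conn.firewall_driver.setattr('instance_filter_exists', fake_none)
 conn.ensure_filtering_rules_for_instance(instance_ref,
+ network_info,
 time=fake_timer)
 except exception.Error, e:
 c1 = (0 <= e.message.find('Timeout migrating for'))
@@ -962,8 +968,9 @@
 from nova.network import linux_net
 linux_net.iptables_manager.execute = fake_iptables_execute
 
- self.fw.prepare_instance_filter(instance_ref)
- self.fw.apply_instance_filter(instance_ref)
+ network_info = _create_network_info()
+ self.fw.prepare_instance_filter(instance_ref, network_info)
+ self.fw.apply_instance_filter(instance_ref, network_info)
 
 in_rules = filter(lambda l: not l.startswith('#'),
 self.in_filter_rules)
@@ -1033,7 +1040,7 @@
 ipv6_len = len(self.fw.iptables.ipv6['filter'].rules)
 inst_ipv4, inst_ipv6 = self.fw.instance_rules(instance_ref,
 network_info)
- self.fw.add_filters_for_instance(instance_ref, network_info)
+ self.fw.prepare_instance_filter(instance_ref, network_info)
 ipv4 = self.fw.iptables.ipv4['filter'].rules
 ipv6 = self.fw.iptables.ipv6['filter'].rules
 ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len
@@ -1048,7 +1055,7 @@
 self.mox.StubOutWithMock(self.fw,
 'add_filters_for_instance',
 use_mock_anything=True)
- self.fw.add_filters_for_instance(instance_ref, mox.IgnoreArg())
+ self.fw.prepare_instance_filter(instance_ref, mox.IgnoreArg())
 self.fw.instances[instance_ref['id']] = instance_ref
 self.mox.ReplayAll()
 self.fw.do_refresh_security_group_rules("fake")
@@ -1068,11 +1075,12 @@
 instance_ref = self._create_instance_ref()
 
 _setup_networking(instance_ref['id'], self.test_ip)
- self.fw.setup_basic_filtering(instance_ref)
- self.fw.prepare_instance_filter(instance_ref)
- self.fw.apply_instance_filter(instance_ref)
+ network_info = _create_network_info()
+ self.fw.setup_basic_filtering(instance_ref, network_info)
+ self.fw.prepare_instance_filter(instance_ref, network_info)
+ self.fw.apply_instance_filter(instance_ref, network_info)
 original_filter_count = len(fakefilter.filters)
- self.fw.unfilter_instance(instance_ref)
+ self.fw.unfilter_instance(instance_ref, network_info)
 
 # should undefine just the instance filter
 self.assertEqual(original_filter_count - len(fakefilter.filters), 1)
@@ -1082,14 +1090,14 @@
 def test_provider_firewall_rules(self):
 # setup basic instance data
 instance_ref = self._create_instance_ref()
- nw_info = _create_network_info(1)
 _setup_networking(instance_ref['id'], self.test_ip)
 # FRAGILE: peeks at how the firewall names chains
 chain_name = 'inst-%s' % instance_ref['id']
 
 # create a firewall via setup_basic_filtering like libvirt_conn.spawn
 # should have a chain with 0 rules
- self.fw.setup_basic_filtering(instance_ref, network_info=nw_info)
+ network_info = _create_network_info(1)
+ self.fw.setup_basic_filtering(instance_ref, network_info)
 self.assertTrue('provider' in self.fw.iptables.ipv4['filter'].chains)
 rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
 if rule.chain == 'provider']
@@ -1119,8 +1127,8 @@
 self.assertEqual(2, len(rules))
 
 # create the instance filter and make sure it has a jump rule
- self.fw.prepare_instance_filter(instance_ref, network_info=nw_info)
- self.fw.apply_instance_filter(instance_ref)
+ self.fw.prepare_instance_filter(instance_ref, network_info)
+ self.fw.apply_instance_filter(instance_ref, network_info)
 inst_rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
 if rule.chain == chain_name]
 jump_rules = [rule for rule in inst_rules if '-j' in rule.rule]
@@ -1272,7 +1280,7 @@
 
 def _ensure_all_called():
 instance_filter = 'nova-instance-%s-%s' % (instance_ref['name'],
- '561212121212')
+ 'fake')
 secgroup_filter = 'nova-secgroup-%s' % self.security_group['id']
 for required in [secgroup_filter, 'allow-dhcp-server',
 'no-arp-spoofing', 'no-ip-spoofing',
@@ -1288,9 +1296,10 @@
 self.security_group.id)
 instance = db.instance_get(self.context, inst_id)
 
- self.fw.setup_basic_filtering(instance)
- self.fw.prepare_instance_filter(instance)
- self.fw.apply_instance_filter(instance)
+ network_info = _create_network_info()
+ self.fw.setup_basic_filtering(instance, network_info)
+ self.fw.prepare_instance_filter(instance, network_info)
+ self.fw.apply_instance_filter(instance, network_info)
 _ensure_all_called()
 self.teardown_security_group()
 db.instance_destroy(context.get_admin_context(), instance_ref['id'])
@@ -1321,11 +1330,12 @@
 instance = db.instance_get(self.context, inst_id)
 
 _setup_networking(instance_ref['id'], self.test_ip)
- self.fw.setup_basic_filtering(instance)
- self.fw.prepare_instance_filter(instance)
- self.fw.apply_instance_filter(instance)
+ network_info = _create_network_info()
+ self.fw.setup_basic_filtering(instance, network_info)
+ self.fw.prepare_instance_filter(instance, network_info)
+ self.fw.apply_instance_filter(instance, network_info)
 original_filter_count = len(fakefilter.filters)
- self.fw.unfilter_instance(instance)
+ self.fw.unfilter_instance(instance, network_info)
 
 # should undefine 2 filters: instance and instance-secgroup
 self.assertEqual(original_filter_count - len(fakefilter.filters), 2)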
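Review bot: In the hunk at `@@ -1048,7 +1055,7 @@` the stub is still installed on `add_filters_for_instance`, but the call recorded before `ReplayAll()` is now `self.fw.prepare_instance_filter(instance_ref, mox.IgnoreArg())`, which is not stubbed. That appears to run the real `prepare_instance_filter` during the record phase, with a mox matcher object stored as the instance's `network_info`, and the `add_filters_for_instance` expectation is recorded only as a side effect of that call. The test therefore no longer states what `do_refresh_security_group_rules` is required to call on the firewall driver. Recording the expectation directly, `self.fw.add_filters_for_instance(instance_ref)`, would make the intent explicit; the test method starts and ends outside the hunk.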
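--- a/nova/virt/driver.py
+++ b/nova/virt/driver.py
@@ -252,7 +252,7 @@
 # TODO(Vek): Need to pass context in for access to auth_token
 pass
 
- def ensure_filtering_rules_for_instance(self, instance_ref):
+ def ensure_filtering_rules_for_instance(self, instance_ref, network_info):
 """Setting up filtering rules and waiting for its completion.
 
 To migrate an instance, filtering rules to hypervisors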
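--- a/nova/virt/fake.py
+++ b/nova/virt/fake.py
@@ -487,7 +487,7 @@
 """This method is supported only by libvirt."""
 raise NotImplementedError('This method is supported only by libvirt.')
 
- def ensure_filtering_rules_for_instance(self, instance_ref):
+ def ensure_filtering_rules_for_instance(self, instance_ref, network_info):
 """This method is supported only by libvirt."""
 raise NotImplementedError('This method is supported only by libvirt.')
 
@@ -496,7 +496,7 @@
 """This method is supported only by libvirt."""
 return
 
- def unfilter_instance(self, instance_ref, network_info=None):
+ def unfilter_instance(self, instance_ref, network_info):
 """This method is supported only by libvirt."""
 raise NotImplementedError('This method is supported only by libvirt.')
 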
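--- a/nova/virt/libvirt/connection.py
+++ b/nova/virt/libvirt/connection.py
@@ -32,7 +32,7 @@
 :rescue_kernel_id: Rescue aki image (default: aki-rescue).
 :rescue_ramdisk_id: Rescue ari image (default: ari-rescue).
 :injected_network_template: Template file for injected network
-:allow_project_net_traffic: Whether to allow in project network traffic
+:allow_same_net_traffic: Whether to allow in project network traffic
 
 """
 
@@ -96,9 +96,9 @@
 '',
 'Override the default libvirt URI (which is dependent'
 ' on libvirt_type)')
-flags.DEFINE_bool('allow_project_net_traffic',
+flags.DEFINE_bool('allow_same_net_traffic',
 True,
- 'Whether to allow in project network traffic')
+ 'Whether to allow network traffic from same network')
 flags.DEFINE_bool('use_cow_images',
 True,
 'Whether to use cow images')
@@ -463,18 +463,18 @@
 """
 virt_dom = self._conn.lookupByName(instance['name'])
 # NOTE(itoumsn): Use XML delived from the running instance
- # instead of using to_xml(instance). This is almost the ultimate
- # stupid workaround.
+ # instead of using to_xml(instance, network_info). This is almost
+ # the ultimate stupid workaround.
 xml = virt_dom.XMLDesc(0)
 # NOTE(itoumsn): self.shutdown() and wait instead of self.destroy() is
 # better because we cannot ensure flushing dirty buffers
 # in the guest OS. But, in case of KVM, shutdown() does not work...
 self.destroy(instance, network_info, cleanup=False)
 self.plug_vifs(instance, network_info)
- self.firewall_driver.setup_basic_filtering(instance)
- self.firewall_driver.prepare_instance_filter(instance)
+ self.firewall_driver.setup_basic_filtering(instance, network_info)
+ self.firewall_driver.prepare_instance_filter(instance, network_info)
 self._create_new_domain(xml)
- self.firewall_driver.apply_instance_filter(instance)
+ self.firewall_driver.apply_instance_filter(instance, network_info)
 
 def _wait_for_reboot():
 """Called at an interval until the VM is running again."""
@@ -531,7 +531,7 @@
 """
 self.destroy(instance, network_info, cleanup=False)
 
- xml = self.to_xml(instance, rescue=True)
+ xml = self.to_xml(instance, network_info, rescue=True)
 rescue_images = {'image_id': FLAGS.rescue_image_id,
 'kernel_id': FLAGS.rescue_kernel_id,
 'ramdisk_id': FLAGS.rescue_ramdisk_id}
@@ -574,9 +574,9 @@
 # NOTE(ilyaalekseyev): Implementation like in multinics
 # for xenapi(tr3buchet)
 @exception.wrap_exception()
- def spawn(self, context, instance,
- network_info=None, block_device_info=None):
- xml = self.to_xml(instance, False, network_info=network_info,
+ def spawn(self, context, instance, network_info,
+ block_device_info=None):
+ xml = self.to_xml(instance, network_info, False,
 block_device_info=block_device_info)
 self.firewall_driver.setup_basic_filtering(instance, network_info)
 self.firewall_driver.prepare_instance_filter(instance, network_info)
@@ -584,7 +584,7 @@
 block_device_info=block_device_info)
 domain = self._create_new_domain(xml)
 LOG.debug(_("instance %s: is running"), instance['name'])
- self.firewall_driver.apply_instance_filter(instance)
+ self.firewall_driver.apply_instance_filter(instance, network_info)
 
 def _wait_for_boot():
 """Called at an interval until the VM is running."""
@@ -988,14 +988,10 @@
 else:
 raise exception.InvalidDevicePath(path=device_path)
 
- def _prepare_xml_info(self, instance, rescue=False, network_info=None,
+ def _prepare_xml_info(self, instance, network_info, rescue,
 block_device_info=None):
 block_device_mapping = driver.block_device_info_get_mapping(
 block_device_info)
- # TODO(adiantum) remove network_info creation code
- # when multinics will be completed
- if not network_info:
- network_info = netutils.get_network_info(instance)
 
 nics = []
 for (network, mapping) in network_info:
@@ -1082,11 +1078,11 @@
 xml_info['disk'] = xml_info['basepath'] + "/disk"
 return xml_info
 
- def to_xml(self, instance, rescue=False, network_info=None,
+ def to_xml(self, instance, network_info, rescue=False,
 block_device_info=None):
 # TODO(termie): cache?
 LOG.debug(_('instance %s: starting toXML method'), instance['name'])
- xml_info = self._prepare_xml_info(instance, rescue, network_info,
+ xml_info = self._prepare_xml_info(instance, network_info, rescue,
 block_device_info)
 xml = str(Template(self.libvirt_xml, searchList=[xml_info]))
 LOG.debug(_('instance %s: finished toXML method'), instance['name'])
@@ -1506,7 +1502,7 @@
 
 return
 
- def ensure_filtering_rules_for_instance(self, instance_ref,
+ def ensure_filtering_rules_for_instance(self, instance_ref, network_info,
 time=None):
 """Setting up filtering rules and waiting for its completion.
 
@@ -1536,14 +1532,15 @@
 
 # If any instances never launch at destination host,
 # basic-filtering must be set here.
- self.firewall_driver.setup_basic_filtering(instance_ref)
+ self.firewall_driver.setup_basic_filtering(instance_ref, network_info)
 # setting up n)ova-instance-instance-xx mainly.
- self.firewall_driver.prepare_instance_filter(instance_ref)
+ self.firewall_driver.prepare_instance_filter(instance_ref, network_info)
 
 # wait for completion
 timeout_count = range(FLAGS.live_migration_retry_count)
 while timeout_count:
- if self.firewall_driver.instance_filter_exists(instance_ref):
+ if self.firewall_driver.instance_filter_exists(instance_ref,
+ network_info):
 break
 timeout_count.pop()
 if len(timeout_count) == 0: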
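Review bot: Renaming the flag in the `flags.DEFINE_bool` hunk drops `allow_project_net_traffic` with no alias, and the replacement `allow_same_net_traffic` defaults to `True`. A deployment that had set the old name to false to block traffic between instances on the same network would, depending on how unknown flags are handled (not visible here), either fail to start or silently fall back to the permissive default after upgrading. I would keep the old name readable for one release with a deprecation warning, or at least call the rename out in the upgrade notes. The module docstring entry also still reads "Whether to allow in project network traffic" and should match the new help text, `:allow_same_net_traffic: Whether to allow network traffic from same network`.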
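--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -40,17 +40,17 @@
 
 
 class FirewallDriver(object):
- def prepare_instance_filter(self, instance, network_info=None):
+ def prepare_instance_filter(self, instance, network_info):
 """Prepare filters for the instance.
 
 At this point, the instance isn't running yet."""
 raise NotImplementedError()
 
- def unfilter_instance(self, instance, network_info=None):
+ def unfilter_instance(self, instance, network_info):
 """Stop filtering instance"""
 raise NotImplementedError()
 
- def apply_instance_filter(self, instance):
+ def apply_instance_filter(self, instance, network_info):
 """Apply instance filter.
 
 Once this method returns, the instance should be firewalled
@@ -60,9 +60,7 @@
 """
 raise NotImplementedError()
 
- def refresh_security_group_rules(self,
- security_group_id,
- network_info=None):
+ def refresh_security_group_rules(self, security_group_id):
 """Refresh security group rules from data store
 
 Gets called when a rule has been added to or removed from
@@ -85,7 +83,7 @@
 """
 raise NotImplementedError()
 
- def setup_basic_filtering(self, instance, network_info=None):
+ def setup_basic_filtering(self, instance, network_info):
 """Create rules to block spoofing and allow dhcp.
 
 This gets called when spawning an instance, before
@@ -94,7 +92,7 @@
 """
 raise NotImplementedError()
 
- def instance_filter_exists(self, instance):
+ def instance_filter_exists(self, instance, network_info):
 """Check nova-instance-instance-xxx exists"""
 raise NotImplementedError()
 
@@ -150,7 +148,7 @@
 self.static_filters_configured = False
 self.handle_security_groups = False
 
- def apply_instance_filter(self, instance):
+ def apply_instance_filter(self, instance, network_info):
 """No-op. Everything is done in prepare_instance_filter"""
 pass
 
@@ -189,13 +187,10 @@
 </rule>
 </filter>'''
 
- def setup_basic_filtering(self, instance, network_info=None):
+ def setup_basic_filtering(self, instance, network_info):
 """Set up basic filtering (MAC, IP, and ARP spoofing protection)"""
 logging.info('called setup_basic_filtering in nwfilter')
 
- if not network_info:
- network_info = netutils.get_network_info(instance)
-
 if self.handle_security_groups:
 # No point in setting up a filter set that we'll be overriding
 # anyway.
@@ -237,7 +232,7 @@
 self._define_filter(self.nova_base_ipv6_filter)
 self._define_filter(self.nova_dhcp_filter)
 self._define_filter(self.nova_ra_filter)
- if FLAGS.allow_project_net_traffic:
+ if FLAGS.allow_same_net_traffic:
 self._define_filter(self.nova_project_filter)
 if FLAGS.use_ipv6:
 self._define_filter(self.nova_project_filter_v6)
@@ -300,10 +295,8 @@
 # execute in a native thread and block current greenthread until done
 tpool.execute(self._conn.nwfilterDefineXML, xml)
 
- def unfilter_instance(self, instance, network_info=None):
+ def unfilter_instance(self, instance, network_info):
 """Clear out the nwfilter rules."""
- if not network_info:
- network_info = netutils.get_network_info(instance)
 instance_name = instance.name
 for (network, mapping) in network_info:
 nic_id = mapping['mac'].replace(':', '')
@@ -326,16 +319,13 @@
 LOG.debug(_('The nwfilter(%(instance_secgroup_filter_name)s) '
 'for %(instance_name)s is not found.') % locals())
 
- def prepare_instance_filter(self, instance, network_info=None):
+ def prepare_instance_filter(self, instance, network_info):
 """Creates an NWFilter for the given instance.
 
 In the process, it makes sure the filters for the provider blocks,
 security groups, and base filter are all in place.
 
 """
- if not network_info:
- network_info = netutils.get_network_info(instance)
-
 self.refresh_provider_fw_rules()
 
 ctxt = context.get_admin_context()
@@ -388,7 +378,7 @@
 instance_filter_children = [base_filter, 'nova-provider-rules',
 instance_secgroup_filter_name]
 
- if FLAGS.allow_project_net_traffic:
+ if FLAGS.allow_same_net_traffic:
 instance_filter_children.append('nova-project')
 if FLAGS.use_ipv6:
 instance_filter_children.append('nova-project-v6')
@@ -401,9 +391,7 @@
 self._define_filter(self._filter_container(filter_name,
 filter_children))
 
- def refresh_security_group_rules(self,
- security_group_id,
- network_info=None):
+ def refresh_security_group_rules(self, security_group_id):
 return self._define_filter(
 self.security_group_to_nwfilter_xml(security_group_id))
 
@@ -500,9 +488,8 @@
 return 'nova-instance-%s' % (instance['name'])
 return 'nova-instance-%s-%s' % (instance['name'], nic_id)
 
- def instance_filter_exists(self, instance):
+ def instance_filter_exists(self, instance, network_info):
 """Check nova-instance-instance-xxx exists"""
- network_info = netutils.get_network_info(instance)
 for (network, mapping) in network_info:
 nic_id = mapping['mac'].replace(':', '')
 instance_filter_name = self._instance_filter_name(instance, nic_id)
@@ -521,6 +508,7 @@
 from nova.network import linux_net
 self.iptables = linux_net.iptables_manager
 self.instances = {}
+ self.network_infos = {}
 self.nwfilter = NWFilterFirewall(kwargs['get_connection'])
 self.basicly_filtered = False
 
@@ -529,22 +517,22 @@
 self.iptables.ipv6['filter'].add_chain('sg-fallback')
 self.iptables.ipv6['filter'].add_rule('sg-fallback', '-j DROP')
 
- def setup_basic_filtering(self, instance, network_info=None):
+ def setup_basic_filtering(self, instance, network_info):
 """Set up provider rules and basic NWFilter."""
- if not network_info:
- network_info = netutils.get_network_info(instance)
 self.nwfilter.setup_basic_filtering(instance, network_info)
 if not self.basicly_filtered:
 LOG.debug(_('iptables firewall: Setup Basic Filtering'))
 self.refresh_provider_fw_rules()
 self.basicly_filtered = True
 
- def apply_instance_filter(self, instance):
+ def apply_instance_filter(self, instance, network_info):
 """No-op. Everything is done in prepare_instance_filter"""
 pass
 
- def unfilter_instance(self, instance, network_info=None):
+ def unfilter_instance(self, instance, network_info):
 if self.instances.pop(instance['id'], None):
+ # NOTE(vish): use the passed info instead of the stored info
+ self.network_infos.pop(instance['id'])
 self.remove_filters_for_instance(instance)
 self.iptables.apply()
 self.nwfilter.unfilter_instance(instance, network_info)
@@ -552,11 +540,10 @@
 LOG.info(_('Attempted to unfilter instance %s which is not '
 'filtered'), instance['id'])
 
- def prepare_instance_filter(self, instance, network_info=None):
- if not network_info:
- network_info = netutils.get_network_info(instance)
+ def prepare_instance_filter(self, instance, network_info):
 self.instances[instance['id']] = instance
- self.add_filters_for_instance(instance, network_info)
+ self.network_infos[instance['id']] = network_info
+ self.add_filters_for_instance(instance)
 self.iptables.apply()
 
 def _create_filter(self, ips, chain_name):
@@ -583,7 +570,8 @@
 for rule in ipv6_rules:
 self.iptables.ipv6['filter'].add_rule(chain_name, rule)
 
- def add_filters_for_instance(self, instance, network_info=None):
+ def add_filters_for_instance(self, instance):
+ network_info = self.network_infos[instance['id']]
 chain_name = self._instance_chain_name(instance)
 if FLAGS.use_ipv6:
 self.iptables.ipv6['filter'].add_chain(chain_name)
@@ -601,9 +589,7 @@
 if FLAGS.use_ipv6:
 self.iptables.ipv6['filter'].remove_chain(chain_name)
 
- def instance_rules(self, instance, network_info=None):
- if not network_info:
- network_info = netutils.get_network_info(instance)
+ def instance_rules(self, instance, network_info):
 ctxt = context.get_admin_context()
 
 ipv4_rules = []
@@ -621,14 +607,14 @@
 ipv4_rules += ['-j $provider']
 ipv6_rules += ['-j $provider']
 
- dhcp_servers = [info['gateway'] for (_n, info) in network_info]
+ dhcp_servers = [info['dhcp_server'] for (_n, info) in network_info]
 
 for dhcp_server in dhcp_servers:
 ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 '
 '-j ACCEPT' % (dhcp_server,))
 
 #Allow project network traffic
- if FLAGS.allow_project_net_traffic:
+ if FLAGS.allow_same_net_traffic:
 cidrs = [network['cidr'] for (network, _m) in network_info]
 for cidr in cidrs:
 ipv4_rules.append('-s %s -j ACCEPT' % (cidr,))
@@ -645,7 +631,7 @@
 '-s %s/128 -p icmpv6 -j ACCEPT' % (gateway_v6,))
 
 #Allow project network traffic
- if FLAGS.allow_project_net_traffic:
+ if FLAGS.allow_same_net_traffic:
 cidrv6s = [network['cidr_v6'] for (network, _m) in
 network_info]
 
@@ -726,27 +712,23 @@
 
 return ipv4_rules, ipv6_rules
 
- def instance_filter_exists(self, instance):
+ def instance_filter_exists(self, instance, network_info):
 """Check nova-instance-instance-xxx exists"""
- return self.nwfilter.instance_filter_exists(instance)
+ return self.nwfilter.instance_filter_exists(instance, network_info)
 
 def refresh_security_group_members(self, security_group):
 self.do_refresh_security_group_rules(security_group)
 self.iptables.apply()
 
- def refresh_security_group_rules(self, security_group, network_info=None):
- self.do_refresh_security_group_rules(security_group, network_info)
+ def refresh_security_group_rules(self, security_group):
+ self.do_refresh_security_group_rules(security_group)
 self.iptables.apply()
 
 @utils.synchronized('iptables', external=True)
- def do_refresh_security_group_rules(self,
- security_group,
- network_info=None):
+ def do_refresh_security_group_rules(self, security_group):
 for instance in self.instances.values():
 self.remove_filters_for_instance(instance)
- if not network_info:
- network_info = netutils.get_network_info(instance)
- self.add_filters_for_instance(instance, network_info)
+ self.add_filters_for_instance(instance)
 
 def refresh_provider_fw_rules(self):
 """See class:FirewallDriver: docs."""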
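Review bot: The iptables driver now keeps a second dict, `network_infos`, that has to stay in step with `instances`, and nothing in these hunks enforces that. `add_filters_for_instance` indexes `self.network_infos[instance['id']]` directly and `do_refresh_security_group_rules` calls it right after `remove_filters_for_instance`, so an instance present in `instances` but missing from `network_infos` raises `KeyError` after its chain has already been removed from the in-memory tables. The refresh path also rebuilds rules from the snapshot stored in `prepare_instance_filter` rather than from current data, so if an instance's addresses can change while it is filtered the regenerated rules would be stale; whether that can happen is not visible here. I would pop with a default, `self.network_infos.pop(instance['id'], None)`, and add a comment where `network_infos` is initialised saying when the stored value is refreshed. Separately, `info['dhcp_server']` in `instance_rules` assumes every mapping carries a usable address, and a guard that skips empty values would avoid emitting a `-s None` rule.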
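--- a/nova/virt/libvirt/netutils.py
+++ b/nova/virt/libvirt/netutils.py
@@ -23,12 +23,7 @@
 
 import netaddr
 
-from nova import context
-from nova import db
-from nova import exception
 from nova import flags
-from nova import ipv6
-from nova import utils
 
 
 FLAGS = flags.FLAGS
@@ -47,65 +42,3 @@
 def get_ip_version(cidr):
 net = netaddr.IPNetwork(cidr)
 return int(net.version)
-
-
-def get_network_info(instance):
- # TODO(tr3buchet): this function needs to go away! network info
- # MUST be passed down from compute
- # TODO(adiantum) If we will keep this function
- # we should cache network_info
- admin_context = context.get_admin_context()
-
- try:
- fixed_ips = db.fixed_ip_get_by_instance(admin_context, instance['id'])
- except exception.FixedIpNotFoundForInstance:
- fixed_ips = []
-
- vifs = db.virtual_interface_get_by_instance(admin_context, instance['id'])
- flavor = db.instance_type_get(admin_context,
- instance['instance_type_id'])
- network_info = []
-
- for vif in vifs:
- network = vif['network']
-
- # determine which of the instance's IPs belong to this network
- network_ips = [fixed_ip['address'] for fixed_ip in fixed_ips if
- fixed_ip['network_id'] == network['id']]
-
- def ip_dict(ip):
- return {
- 'ip': ip,
- 'netmask': network['netmask'],
- 'enabled': '1'}
-
- def ip6_dict():
- prefix = network['cidr_v6']
- mac = vif['address']
- project_id = instance['project_id']
- return {
- 'ip': ipv6.to_global(prefix, mac, project_id),
- 'netmask': network['netmask_v6'],
- 'enabled': '1'}
-
- mapping = {
- 'label': network['label'],
- 'gateway': network['gateway'],
- 'broadcast': network['broadcast'],
- 'dhcp_server': network['gateway'],
- 'mac': vif['address'],
- 'rxtx_cap': flavor['rxtx_cap'],
- 'dns': [],
- 'ips': [ip_dict(ip) for ip in network_ips]}
-
- if network['dns1']:
- mapping['dns'].append(network['dns1'])
- if network['dns2']:
- mapping['dns'].append(network['dns2'])
-
- if FLAGS.use_ipv6:
- mapping['ip6s'] = [ip6_dict()]
- mapping['gateway6'] = network['gateway_v6']
-
- network_info.append((network, mapping))
- return network_info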
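--- a/nova/virt/libvirt/vif.py
+++ b/nova/virt/libvirt/vif.py
@@ -44,7 +44,7 @@
 gateway6 = mapping.get('gateway6')
 mac_id = mapping['mac'].replace(':', '')
 
- if FLAGS.allow_project_net_traffic:
+ if FLAGS.allow_same_net_traffic:
 template = "<parameter name=\"%s\"value=\"%s\" />\n"
 net, mask = netutils.get_net_and_mask(network['cidr'])
 values = [("PROJNET", net), ("PROJMASK", mask)]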
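--- a/nova/virt/xenapi_conn.py
+++ b/nova/virt/xenapi_conn.py
@@ -309,7 +309,7 @@
 """This method is supported only by libvirt."""
 raise NotImplementedError('This method is supported only by libvirt.')
 
- def ensure_filtering_rules_for_instance(self, instance_ref):
+ def ensure_filtering_rules_for_instance(self, instance_ref, network_info):
 """This method is supported only libvirt."""
 return
 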