Merge lp:~vishvananda/nova/fix-network-info into lp:~hudson-openstack/nova/trunk
Proposed by
Vish Ishaya
Status: | Merged | ||||||||
---|---|---|---|---|---|---|---|---|---|
Approved by: | Devin Carlen | ||||||||
Approved revision: | 1423 | ||||||||
Merged at revision: | 1435 | ||||||||
Proposed branch: | lp:~vishvananda/nova/fix-network-info | ||||||||
Merge into: | lp:~hudson-openstack/nova/trunk | ||||||||
Diff against target: |
850 lines (+116/-192) 10 files modified
nova/compute/manager.py (+4/-2) nova/tests/test_compute.py (+2/-2) nova/tests/test_libvirt.py (+49/-39) nova/virt/driver.py (+1/-1) nova/virt/fake.py (+2/-2) nova/virt/libvirt/connection.py (+21/-24) nova/virt/libvirt/firewall.py (+35/-53) nova/virt/libvirt/netutils.py (+0/-67) nova/virt/libvirt/vif.py (+1/-1) nova/virt/xenapi_conn.py (+1/-1) |
||||||||
To merge this branch: | bzr merge lp:~vishvananda/nova/fix-network-info | ||||||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Devin Carlen (community) | Approve | ||
Matt Dietz (community) | Approve | ||
Jason Kölker (community) | Approve | ||
Review via email: mp+71441@code.launchpad.net |
Commit message
Description of the change
Libvirt has some autogenerated network info that is breaking ha network.
* passes network info from manager wherever it is needed
* fixes libvirt tests
* renames allow_project_
* makes firewall driver use dhcp_server instead of gateway for dhcp exception.
Trey Morris (tr3buchet) wrote : | # |
203 + network_info = _create_
looks wrong, what's going on here?
Vish Ishaya (vishvananda) wrote : | # |
Ah, nice one. I forgot that some of the libvirt tests are silently skipped if libvirt isn't installed. Let me rerun on a Linux system.
Vish Ishaya (vishvananda) wrote : | # |
Trey, fixed that issue.
OpenStack Infra (hudson-openstack) wrote : | # |
There are additional revisions which have not been approved in review. Please seek review and approval of these new revisions.
Preview Diff
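--- a/nova/compute/manager.py
+++ b/nova/compute/manager.py
@@ -170,7 +170,9 @@
 elif drv_state == power_state.RUNNING:
 # Hyper-V and VMWareAPI drivers will raise and exception
 try:
- self.driver.ensure_filtering_rules_for_instance(instance)
+ net_info = self._get_instance_nw_info(context, instance)
+ self.driver.ensure_filtering_rules_for_instance(instance,
+ net_info)
 except NotImplementedError:
 LOG.warning(_('Hypervisor driver does not '
 'support firewall rules'))
@@ -1308,7 +1310,7 @@
 # This nwfilter is necessary on the destination host.
 # In addition, this method is creating filtering rule
 # onto destination host.
- self.driver.ensure_filtering_rules_for_instance(instance_ref)
+ self.driver.ensure_filtering_rules_for_instance(instance_ref, network_info)
 
 def live_migration(self, context, instance_id, dest):
 """Executing live migration.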
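Review bot: A driver that still overrides `ensure_filtering_rules_for_instance` with the old one-argument signature will now raise TypeError in the first hunk, and the `except NotImplementedError` there will not catch it. The comment above the `try` names the Hyper-V and VMWareAPI drivers and neither is in this proposal's file list, so it is worth confirming that they inherit the base method rather than define their own. The lookup `net_info = self._get_instance_nw_info(context, instance)` could also move above the `try:` so the handler covers only the driver call. In the second hunk the changed call appears to run past 79 columns once indentation is counted; wrapping after `instance_ref,` as the first hunk does would match. Both enclosing functions begin outside the hunks.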
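--- a/nova/tests/test_compute.py
+++ b/nova/tests/test_compute.py
@@ -632,7 +632,7 @@
 vid = i_ref['volumes'][i]['id']
 volmock.setup_compute_volume(c, vid).InAnyOrder('g1')
 drivermock.plug_vifs(i_ref, [])
- drivermock.ensure_filtering_rules_for_instance(i_ref)
+ drivermock.ensure_filtering_rules_for_instance(i_ref, [])
 
 self.compute.db = dbmock
 self.compute.volume_manager = volmock
@@ -657,7 +657,7 @@
 self.mox.StubOutWithMock(compute_manager.LOG, 'info')
 compute_manager.LOG.info(_("%s has no volume."), i_ref['hostname'])
 drivermock.plug_vifs(i_ref, [])
- drivermock.ensure_filtering_rules_for_instance(i_ref)
+ drivermock.ensure_filtering_rules_for_instance(i_ref, [])
 
 self.compute.db = dbmock
 self.compute.driver = drivermock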
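--- a/nova/tests/test_libvirt.py
+++ b/nova/tests/test_libvirt.py
@@ -49,18 +49,19 @@
 if ipv6 is None:
 ipv6 = FLAGS.use_ipv6
 fake = 'fake'
- fake_ip = '0.0.0.0/0'
- fake_ip_2 = '0.0.0.1/0'
- fake_ip_3 = '0.0.0.1/0'
+ fake_ip = '10.11.12.13'
+ fake_ip_2 = '0.0.0.1'
+ fake_ip_3 = '0.0.0.1'
 fake_vlan = 100
 fake_bridge_interface = 'eth0'
 network = {'bridge': fake,
 'cidr': fake_ip,
 'cidr_v6': fake_ip,
+ 'gateway_v6': fake,
 'vlan': fake_vlan,
 'bridge_interface': fake_bridge_interface}
 mapping = {'mac': fake,
- 'dhcp_server': fake,
+ 'dhcp_server': '10.0.0.1',
 'gateway': fake,
 'gateway6': fake,
 'ips': [{'ip': fake_ip}, {'ip': fake_ip}]}
@@ -273,15 +274,14 @@
 conn = connection.LibvirtConnection(True)
 instance_ref = db.instance_create(self.context, self.test_instance)
 
- result = conn._prepare_xml_info(instance_ref, False)
- self.assertFalse(result['nics'])
-
- result = conn._prepare_xml_info(instance_ref, False,
- _create_network_info())
+ result = conn._prepare_xml_info(instance_ref,
+ _create_network_info(),
+ False)
 self.assertTrue(len(result['nics']) == 1)
 
- result = conn._prepare_xml_info(instance_ref, False,
- _create_network_info(2))
+ result = conn._prepare_xml_info(instance_ref,
+ _create_network_info(2),
+ False)
 self.assertTrue(len(result['nics']) == 2)
 
 def test_xml_and_uri_no_ramdisk_no_kernel(self):
@@ -408,16 +408,16 @@
 network_info = _create_network_info(2)
 conn = connection.LibvirtConnection(True)
 instance_ref = db.instance_create(self.context, instance_data)
- xml = conn.to_xml(instance_ref, False, network_info)
+ xml = conn.to_xml(instance_ref, network_info, False)
 tree = xml_to_tree(xml)
 interfaces = tree.findall("./devices/interface")
 self.assertEquals(len(interfaces), 2)
 parameters = interfaces[0].findall('./filterref/parameter')
 self.assertEquals(interfaces[0].get('type'), 'bridge')
 self.assertEquals(parameters[0].get('name'), 'IP')
- self.assertEquals(parameters[0].get('value'), '0.0.0.0/0')
+ self.assertEquals(parameters[0].get('value'), '10.11.12.13')
 self.assertEquals(parameters[1].get('name'), 'DHCPSERVER')
- self.assertEquals(parameters[1].get('value'), 'fake')
+ self.assertEquals(parameters[1].get('value'), '10.0.0.1')
 
 def _check_xml_and_container(self, instance):
 user_context = context.RequestContext(self.user_id,
@@ -431,7 +431,8 @@
 uri = conn.get_uri()
 self.assertEquals(uri, 'lxc:///')
 
- xml = conn.to_xml(instance_ref)
+ network_info = _create_network_info()
+ xml = conn.to_xml(instance_ref, network_info)
 tree = xml_to_tree(xml)
 
 check = [
@@ -528,17 +529,20 @@
 uri = conn.get_uri()
 self.assertEquals(uri, expected_uri)
 
- xml = conn.to_xml(instance_ref, rescue)
+ network_info = _create_network_info()
+ xml = conn.to_xml(instance_ref, network_info, rescue)
 tree = xml_to_tree(xml)
 for i, (check, expected_result) in enumerate(checks):
 self.assertEqual(check(tree),
 expected_result,
- '%s failed check %d' % (xml, i))
+ '%s != %s failed check %d' %
+ (check(tree), expected_result, i))
 
 for i, (check, expected_result) in enumerate(common_checks):
 self.assertEqual(check(tree),
 expected_result,
- '%s failed common check %d' % (xml, i))
+ '%s != %s failed common check %d' %
+ (check(tree), expected_result, i))
 
 # This test is supposed to make sure we don't
 # override a specifically set uri
@@ -623,7 +627,7 @@
 return
 
 # Preparing mocks
- def fake_none(self):
+ def fake_none(self, *args):
 return
 
 def fake_raise(self):
@@ -640,6 +644,7 @@
 
 self.create_fake_libvirt_mock()
 instance_ref = db.instance_create(self.context, self.test_instance)
+ network_info = _create_network_info()
 
 # Start test
 self.mox.ReplayAll()
@@ -649,6 +654,7 @@
 conn.firewall_driver.setattr('prepare_instance_filter', fake_none)
 conn.firewall_driver.setattr('instance_filter_exists', fake_none)
 conn.ensure_filtering_rules_for_instance(instance_ref,
+ network_info,
 time=fake_timer)
 except exception.Error, e:
 c1 = (0 <= e.message.find('Timeout migrating for'))
@@ -962,8 +968,9 @@
 from nova.network import linux_net
 linux_net.iptables_manager.execute = fake_iptables_execute
 
- self.fw.prepare_instance_filter(instance_ref)
- self.fw.apply_instance_filter(instance_ref)
+ network_info = _create_network_info()
+ self.fw.prepare_instance_filter(instance_ref, network_info)
+ self.fw.apply_instance_filter(instance_ref, network_info)
 
 in_rules = filter(lambda l: not l.startswith('#'),
 self.in_filter_rules)
@@ -1033,7 +1040,7 @@
 ipv6_len = len(self.fw.iptables.ipv6['filter'].rules)
 inst_ipv4, inst_ipv6 = self.fw.instance_rules(instance_ref,
 network_info)
- self.fw.add_filters_for_instance(instance_ref, network_info)
+ self.fw.prepare_instance_filter(instance_ref, network_info)
 ipv4 = self.fw.iptables.ipv4['filter'].rules
 ipv6 = self.fw.iptables.ipv6['filter'].rules
 ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len
@@ -1048,7 +1055,7 @@
 self.mox.StubOutWithMock(self.fw,
 'add_filters_for_instance',
 use_mock_anything=True)
- self.fw.add_filters_for_instance(instance_ref, mox.IgnoreArg())
+ self.fw.prepare_instance_filter(instance_ref, mox.IgnoreArg())
 self.fw.instances[instance_ref['id']] = instance_ref
 self.mox.ReplayAll()
 self.fw.do_refresh_security_group_rules("fake")
@@ -1068,11 +1075,12 @@
 instance_ref = self._create_instance_ref()
 
 _setup_networking(instance_ref['id'], self.test_ip)
- self.fw.setup_basic_filtering(instance_ref)
- self.fw.prepare_instance_filter(instance_ref)
- self.fw.apply_instance_filter(instance_ref)
+ network_info = _create_network_info()
+ self.fw.setup_basic_filtering(instance_ref, network_info)
+ self.fw.prepare_instance_filter(instance_ref, network_info)
+ self.fw.apply_instance_filter(instance_ref, network_info)
 original_filter_count = len(fakefilter.filters)
- self.fw.unfilter_instance(instance_ref)
+ self.fw.unfilter_instance(instance_ref, network_info)
 
 # should undefine just the instance filter
 self.assertEqual(original_filter_count - len(fakefilter.filters), 1)
@@ -1082,14 +1090,14 @@
 def test_provider_firewall_rules(self):
 # setup basic instance data
 instance_ref = self._create_instance_ref()
- nw_info = _create_network_info(1)
 _setup_networking(instance_ref['id'], self.test_ip)
 # FRAGILE: peeks at how the firewall names chains
 chain_name = 'inst-%s' % instance_ref['id']
 
 # create a firewall via setup_basic_filtering like libvirt_conn.spawn
 # should have a chain with 0 rules
- self.fw.setup_basic_filtering(instance_ref, network_info=nw_info)
+ network_info = _create_network_info(1)
+ self.fw.setup_basic_filtering(instance_ref, network_info)
 self.assertTrue('provider' in self.fw.iptables.ipv4['filter'].chains)
 rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
 if rule.chain == 'provider']
@@ -1119,8 +1127,8 @@
 self.assertEqual(2, len(rules))
 
 # create the instance filter and make sure it has a jump rule
- self.fw.prepare_instance_filter(instance_ref, network_info=nw_info)
- self.fw.apply_instance_filter(instance_ref)
+ self.fw.prepare_instance_filter(instance_ref, network_info)
+ self.fw.apply_instance_filter(instance_ref, network_info)
 inst_rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
 if rule.chain == chain_name]
 jump_rules = [rule for rule in inst_rules if '-j' in rule.rule]
@@ -1272,7 +1280,7 @@
 
 def _ensure_all_called():
 instance_filter = 'nova-instance-%s-%s' % (instance_ref['name'],
- '561212121212')
+ 'fake')
 secgroup_filter = 'nova-secgroup-%s' % self.security_group['id']
 for required in [secgroup_filter, 'allow-dhcp-server',
 'no-arp-spoofing', 'no-ip-spoofing',
@@ -1288,9 +1296,10 @@
 self.security_group.id)
 instance = db.instance_get(self.context, inst_id)
 
- self.fw.setup_basic_filtering(instance)
- self.fw.prepare_instance_filter(instance)
- self.fw.apply_instance_filter(instance)
+ network_info = _create_network_info()
+ self.fw.setup_basic_filtering(instance, network_info)
+ self.fw.prepare_instance_filter(instance, network_info)
+ self.fw.apply_instance_filter(instance, network_info)
 _ensure_all_called()
 self.teardown_security_group()
 db.instance_destroy(context.get_admin_context(), instance_ref['id'])
@@ -1321,11 +1330,12 @@
 instance = db.instance_get(self.context, inst_id)
 
 _setup_networking(instance_ref['id'], self.test_ip)
- self.fw.setup_basic_filtering(instance)
- self.fw.prepare_instance_filter(instance)
- self.fw.apply_instance_filter(instance)
+ network_info = _create_network_info()
+ self.fw.setup_basic_filtering(instance, network_info)
+ self.fw.prepare_instance_filter(instance, network_info)
+ self.fw.apply_instance_filter(instance, network_info)
 original_filter_count = len(fakefilter.filters)
- self.fw.unfilter_instance(instance)
+ self.fw.unfilter_instance(instance, network_info)
 
 # should undefine 2 filters: instance and instance-secgroup
 self.assertEqual(original_filter_count - len(fakefilter.filters), 2)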
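Review bot: In the hunk at `@@ -1048,7 +1055,7 @@` the stub is still placed on `add_filters_for_instance`, but the recorded line now calls `prepare_instance_filter`, which is not stubbed, so the real method runs during the record phase with `mox.IgnoreArg()` as its network info. Going by the firewall.py change in this proposal, that call stores the `IgnoreArg` object in `network_infos`, records the `add_filters_for_instance` expectation only as a side effect, and runs `iptables.apply()` before `ReplayAll()`. Recording the expectation directly would be easier to follow: `self.fw.network_infos[instance_ref['id']] = _create_network_info()` followed by `self.fw.add_filters_for_instance(instance_ref)`. The test method starts outside the hunk, so this assumes nothing earlier in it stubs `prepare_instance_filter`.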
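--- a/nova/virt/driver.py
+++ b/nova/virt/driver.py
@@ -252,7 +252,7 @@
 # TODO(Vek): Need to pass context in for access to auth_token
 pass
 
- def ensure_filtering_rules_for_instance(self, instance_ref):
+ def ensure_filtering_rules_for_instance(self, instance_ref, network_info):
 """Setting up filtering rules and waiting for its completion.
 
 To migrate an instance, filtering rules to hypervisors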
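Review bot: The base-class signature now requires `network_info`, but the docstring lines visible in this hunk do not say what the argument holds or that the driver no longer looks it up when it is missing. A docstring line such as `network_info: list of (network, mapping) pairs for the instance; required, no fallback lookup` would record the contract for other driver authors. The docstring continues outside the hunk, so the line may belong with a parameter list further down. The same required-argument change is made in nova/virt/fake.py, where `unfilter_instance` also loses its `network_info=None` default, so any caller still using the one-argument form would raise TypeError.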
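--- a/nova/virt/fake.py
+++ b/nova/virt/fake.py
@@ -487,7 +487,7 @@
 """This method is supported only by libvirt."""
 raise NotImplementedError('This method is supported only by libvirt.')
 
- def ensure_filtering_rules_for_instance(self, instance_ref):
+ def ensure_filtering_rules_for_instance(self, instance_ref, network_info):
 """This method is supported only by libvirt."""
 raise NotImplementedError('This method is supported only by libvirt.')
 
@@ -496,7 +496,7 @@
 """This method is supported only by libvirt."""
 return
 
- def unfilter_instance(self, instance_ref, network_info=None):
+ def unfilter_instance(self, instance_ref, network_info):
 """This method is supported only by libvirt."""
 raise NotImplementedError('This method is supported only by libvirt.')
 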
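--- a/nova/virt/libvirt/connection.py
+++ b/nova/virt/libvirt/connection.py
@@ -32,7 +32,7 @@
 :rescue_kernel_id: Rescue aki image (default: aki-rescue).
 :rescue_ramdisk_id: Rescue ari image (default: ari-rescue).
 :injected_network_template: Template file for injected network
-:allow_project_net_traffic: Whether to allow in project network traffic
+:allow_same_net_traffic: Whether to allow in project network traffic
 
 """
 
@@ -96,9 +96,9 @@
 '',
 'Override the default libvirt URI (which is dependent'
 ' on libvirt_type)')
-flags.DEFINE_bool('allow_project_net_traffic',
+flags.DEFINE_bool('allow_same_net_traffic',
 True,
- 'Whether to allow in project network traffic')
+ 'Whether to allow network traffic from same network')
 flags.DEFINE_bool('use_cow_images',
 True,
 'Whether to use cow images')
@@ -463,18 +463,18 @@
 """
 virt_dom = self._conn.lookupByName(instance['name'])
 # NOTE(itoumsn): Use XML delived from the running instance
- # instead of using to_xml(instance). This is almost the ultimate
- # stupid workaround.
+ # instead of using to_xml(instance, network_info). This is almost
+ # the ultimate stupid workaround.
 xml = virt_dom.XMLDesc(0)
 # NOTE(itoumsn): self.shutdown() and wait instead of self.destroy() is
 # better because we cannot ensure flushing dirty buffers
 # in the guest OS. But, in case of KVM, shutdown() does not work...
 self.destroy(instance, network_info, cleanup=False)
 self.plug_vifs(instance, network_info)
- self.firewall_driver.setup_basic_filtering(instance)
- self.firewall_driver.prepare_instance_filter(instance)
+ self.firewall_driver.setup_basic_filtering(instance, network_info)
+ self.firewall_driver.prepare_instance_filter(instance, network_info)
 self._create_new_domain(xml)
- self.firewall_driver.apply_instance_filter(instance)
+ self.firewall_driver.apply_instance_filter(instance, network_info)
 
 def _wait_for_reboot():
 """Called at an interval until the VM is running again."""
@@ -531,7 +531,7 @@
 """
 self.destroy(instance, network_info, cleanup=False)
 
- xml = self.to_xml(instance, rescue=True)
+ xml = self.to_xml(instance, network_info, rescue=True)
 rescue_images = {'image_id': FLAGS.rescue_image_id,
 'kernel_id': FLAGS.rescue_kernel_id,
 'ramdisk_id': FLAGS.rescue_ramdisk_id}
@@ -574,9 +574,9 @@
 # NOTE(ilyaalekseyev): Implementation like in multinics
 # for xenapi(tr3buchet)
 @exception.wrap_exception()
- def spawn(self, context, instance,
- network_info=None, block_device_info=None):
- xml = self.to_xml(instance, False, network_info=network_info,
+ def spawn(self, context, instance, network_info,
+ block_device_info=None):
+ xml = self.to_xml(instance, network_info, False,
 block_device_info=block_device_info)
 self.firewall_driver.setup_basic_filtering(instance, network_info)
 self.firewall_driver.prepare_instance_filter(instance, network_info)
@@ -584,7 +584,7 @@
 block_device_info=block_device_info)
 domain = self._create_new_domain(xml)
 LOG.debug(_("instance %s: is running"), instance['name'])
- self.firewall_driver.apply_instance_filter(instance)
+ self.firewall_driver.apply_instance_filter(instance, network_info)
 
 def _wait_for_boot():
 """Called at an interval until the VM is running."""
@@ -988,14 +988,10 @@
 else:
 raise exception.InvalidDevicePath(path=device_path)
 
- def _prepare_xml_info(self, instance, rescue=False, network_info=None,
+ def _prepare_xml_info(self, instance, network_info, rescue,
 block_device_info=None):
 block_device_mapping = driver.block_device_info_get_mapping(
 block_device_info)
- # TODO(adiantum) remove network_info creation code
- # when multinics will be completed
- if not network_info:
- network_info = netutils.get_network_info(instance)
 
 nics = []
 for (network, mapping) in network_info:
@@ -1082,11 +1078,11 @@
 xml_info['disk'] = xml_info['basepath'] + "/disk"
 return xml_info
 
- def to_xml(self, instance, rescue=False, network_info=None,
+ def to_xml(self, instance, network_info, rescue=False,
 block_device_info=None):
 # TODO(termie): cache?
 LOG.debug(_('instance %s: starting toXML method'), instance['name'])
- xml_info = self._prepare_xml_info(instance, rescue, network_info,
+ xml_info = self._prepare_xml_info(instance, network_info, rescue,
 block_device_info)
 xml = str(Template(self.libvirt_xml, searchList=[xml_info]))
 LOG.debug(_('instance %s: finished toXML method'), instance['name'])
@@ -1506,7 +1502,7 @@
 
 return
 
- def ensure_filtering_rules_for_instance(self, instance_ref,
+ def ensure_filtering_rules_for_instance(self, instance_ref, network_info,
 time=None):
 """Setting up filtering rules and waiting for its completion.
 
@@ -1536,14 +1532,15 @@
 
 # If any instances never launch at destination host,
 # basic-filtering must be set here.
- self.firewall_driver.setup_basic_filtering(instance_ref)
+ self.firewall_driver.setup_basic_filtering(instance_ref, network_info)
 # setting up n)ova-instance-instance-xx mainly.
- self.firewall_driver.prepare_instance_filter(instance_ref)
+ self.firewall_driver.prepare_instance_filter(instance_ref, network_info)
 
 # wait for completion
 timeout_count = range(FLAGS.live_migration_retry_count)
 while timeout_count:
- if self.firewall_driver.instance_filter_exists(instance_ref):
+ if self.firewall_driver.instance_filter_exists(instance_ref,
+ network_info):
 break
 timeout_count.pop()
 if len(timeout_count) == 0: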
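Review bot: With the `netutils.get_network_info` fallback removed, the wait loop in the last hunk trusts whatever `network_info` the caller passes, and `instance_filter_exists` walks that list per NIC, so an empty list looks likely to report the filter as present without any nwfilter being checked (the return after that loop is outside the visible lines). For live migration that would let the instance land on the destination host with no filtering rules in place. A guard before `setup_basic_filtering` would make the case explicit, for example `if not network_info: raise exception.Error(_('No network info for %s') % instance_ref['name'])`, or at least a warning if instances without networks are legitimate. The two changed lines calling `setup_basic_filtering` and `prepare_instance_filter` also appear to exceed 79 columns once indentation is counted. The method body starts and ends outside the hunks.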
464 | === modified file 'nova/virt/libvirt/firewall.py' |
465 | --- nova/virt/libvirt/firewall.py 2011-07-26 21:08:29 +0000 |
466 | +++ nova/virt/libvirt/firewall.py 2011-08-15 18:13:25 +0000 |
467 | @@ -40,17 +40,17 @@ |
468 | |
469 | |
470 | class FirewallDriver(object): |
471 | - def prepare_instance_filter(self, instance, network_info=None): |
472 | + def prepare_instance_filter(self, instance, network_info): |
473 | """Prepare filters for the instance. |
474 | |
475 | At this point, the instance isn't running yet.""" |
476 | raise NotImplementedError() |
477 | |
478 | - def unfilter_instance(self, instance, network_info=None): |
479 | + def unfilter_instance(self, instance, network_info): |
480 | """Stop filtering instance""" |
481 | raise NotImplementedError() |
482 | |
483 | - def apply_instance_filter(self, instance): |
484 | + def apply_instance_filter(self, instance, network_info): |
485 | """Apply instance filter. |
486 | |
487 | Once this method returns, the instance should be firewalled |
488 | @@ -60,9 +60,7 @@ |
489 | """ |
490 | raise NotImplementedError() |
491 | |
492 | - def refresh_security_group_rules(self, |
493 | - security_group_id, |
494 | - network_info=None): |
495 | + def refresh_security_group_rules(self, security_group_id): |
496 | """Refresh security group rules from data store |
497 | |
498 | Gets called when a rule has been added to or removed from |
499 | @@ -85,7 +83,7 @@ |
500 | """ |
501 | raise NotImplementedError() |
502 | |
503 | - def setup_basic_filtering(self, instance, network_info=None): |
504 | + def setup_basic_filtering(self, instance, network_info): |
505 | """Create rules to block spoofing and allow dhcp. |
506 | |
507 | This gets called when spawning an instance, before |
508 | @@ -94,7 +92,7 @@ |
509 | """ |
510 | raise NotImplementedError() |
511 | |
512 | - def instance_filter_exists(self, instance): |
513 | + def instance_filter_exists(self, instance, network_info): |
514 | """Check nova-instance-instance-xxx exists""" |
515 | raise NotImplementedError() |
516 | |
517 | @@ -150,7 +148,7 @@ |
518 | self.static_filters_configured = False |
519 | self.handle_security_groups = False |
520 | |
521 | - def apply_instance_filter(self, instance): |
522 | + def apply_instance_filter(self, instance, network_info): |
523 | """No-op. Everything is done in prepare_instance_filter""" |
524 | pass |
525 | |
526 | @@ -189,13 +187,10 @@ |
527 | </rule> |
528 | </filter>''' |
529 | |
530 | - def setup_basic_filtering(self, instance, network_info=None): |
531 | + def setup_basic_filtering(self, instance, network_info): |
532 | """Set up basic filtering (MAC, IP, and ARP spoofing protection)""" |
533 | logging.info('called setup_basic_filtering in nwfilter') |
534 | |
535 | - if not network_info: |
536 | - network_info = netutils.get_network_info(instance) |
537 | - |
538 | if self.handle_security_groups: |
539 | # No point in setting up a filter set that we'll be overriding |
540 | # anyway. |
541 | @@ -237,7 +232,7 @@ |
542 | self._define_filter(self.nova_base_ipv6_filter) |
543 | self._define_filter(self.nova_dhcp_filter) |
544 | self._define_filter(self.nova_ra_filter) |
545 | - if FLAGS.allow_project_net_traffic: |
546 | + if FLAGS.allow_same_net_traffic: |
547 | self._define_filter(self.nova_project_filter) |
548 | if FLAGS.use_ipv6: |
549 | self._define_filter(self.nova_project_filter_v6) |
550 | @@ -300,10 +295,8 @@ |
551 | # execute in a native thread and block current greenthread until done |
552 | tpool.execute(self._conn.nwfilterDefineXML, xml) |
553 | |
554 | - def unfilter_instance(self, instance, network_info=None): |
555 | + def unfilter_instance(self, instance, network_info): |
556 | """Clear out the nwfilter rules.""" |
557 | - if not network_info: |
558 | - network_info = netutils.get_network_info(instance) |
559 | instance_name = instance.name |
560 | for (network, mapping) in network_info: |
561 | nic_id = mapping['mac'].replace(':', '') |
562 | @@ -326,16 +319,13 @@ |
563 | LOG.debug(_('The nwfilter(%(instance_secgroup_filter_name)s) ' |
564 | 'for %(instance_name)s is not found.') % locals()) |
565 | |
566 | - def prepare_instance_filter(self, instance, network_info=None): |
567 | + def prepare_instance_filter(self, instance, network_info): |
568 | """Creates an NWFilter for the given instance. |
569 | |
570 | In the process, it makes sure the filters for the provider blocks, |
571 | security groups, and base filter are all in place. |
572 | |
573 | """ |
574 | - if not network_info: |
575 | - network_info = netutils.get_network_info(instance) |
576 | - |
577 | self.refresh_provider_fw_rules() |
578 | |
579 | ctxt = context.get_admin_context() |
580 | @@ -388,7 +378,7 @@ |
581 | instance_filter_children = [base_filter, 'nova-provider-rules', |
582 | instance_secgroup_filter_name] |
583 | |
584 | - if FLAGS.allow_project_net_traffic: |
585 | + if FLAGS.allow_same_net_traffic: |
586 | instance_filter_children.append('nova-project') |
587 | if FLAGS.use_ipv6: |
588 | instance_filter_children.append('nova-project-v6') |
589 | @@ -401,9 +391,7 @@ |
590 | self._define_filter(self._filter_container(filter_name, |
591 | filter_children)) |
592 | |
593 | - def refresh_security_group_rules(self, |
594 | - security_group_id, |
595 | - network_info=None): |
596 | + def refresh_security_group_rules(self, security_group_id): |
597 | return self._define_filter( |
598 | self.security_group_to_nwfilter_xml(security_group_id)) |
599 | |
600 | @@ -500,9 +488,8 @@ |
601 | return 'nova-instance-%s' % (instance['name']) |
602 | return 'nova-instance-%s-%s' % (instance['name'], nic_id) |
603 | |
604 | - def instance_filter_exists(self, instance): |
605 | + def instance_filter_exists(self, instance, network_info): |
606 | """Check nova-instance-instance-xxx exists""" |
607 | - network_info = netutils.get_network_info(instance) |
608 | for (network, mapping) in network_info: |
609 | nic_id = mapping['mac'].replace(':', '') |
610 | instance_filter_name = self._instance_filter_name(instance, nic_id) |
611 | @@ -521,6 +508,7 @@ |
612 | from nova.network import linux_net |
613 | self.iptables = linux_net.iptables_manager |
614 | self.instances = {} |
615 | + self.network_infos = {} |
616 | self.nwfilter = NWFilterFirewall(kwargs['get_connection']) |
617 | self.basicly_filtered = False |
618 | |
619 | @@ -529,22 +517,22 @@ |
620 | self.iptables.ipv6['filter'].add_chain('sg-fallback') |
621 | self.iptables.ipv6['filter'].add_rule('sg-fallback', '-j DROP') |
622 | |
623 | - def setup_basic_filtering(self, instance, network_info=None): |
624 | + def setup_basic_filtering(self, instance, network_info): |
625 | """Set up provider rules and basic NWFilter.""" |
626 | - if not network_info: |
627 | - network_info = netutils.get_network_info(instance) |
628 | self.nwfilter.setup_basic_filtering(instance, network_info) |
629 | if not self.basicly_filtered: |
630 | LOG.debug(_('iptables firewall: Setup Basic Filtering')) |
631 | self.refresh_provider_fw_rules() |
632 | self.basicly_filtered = True |
633 | |
634 | - def apply_instance_filter(self, instance): |
635 | + def apply_instance_filter(self, instance, network_info): |
636 | """No-op. Everything is done in prepare_instance_filter""" |
637 | pass |
638 | |
639 | - def unfilter_instance(self, instance, network_info=None): |
640 | + def unfilter_instance(self, instance, network_info): |
641 | if self.instances.pop(instance['id'], None): |
642 | + # NOTE(vish): use the passed info instead of the stored info |
643 | + self.network_infos.pop(instance['id']) |
644 | self.remove_filters_for_instance(instance) |
645 | self.iptables.apply() |
646 | self.nwfilter.unfilter_instance(instance, network_info) |
647 | @@ -552,11 +540,10 @@ |
648 | LOG.info(_('Attempted to unfilter instance %s which is not ' |
649 | 'filtered'), instance['id']) |
650 | |
651 | - def prepare_instance_filter(self, instance, network_info=None): |
652 | - if not network_info: |
653 | - network_info = netutils.get_network_info(instance) |
654 | + def prepare_instance_filter(self, instance, network_info): |
655 | self.instances[instance['id']] = instance |
656 | - self.add_filters_for_instance(instance, network_info) |
657 | + self.network_infos[instance['id']] = network_info |
658 | + self.add_filters_for_instance(instance) |
659 | self.iptables.apply() |
660 | |
661 | def _create_filter(self, ips, chain_name): |
662 | @@ -583,7 +570,8 @@ |
663 | for rule in ipv6_rules: |
664 | self.iptables.ipv6['filter'].add_rule(chain_name, rule) |
665 | |
666 | - def add_filters_for_instance(self, instance, network_info=None): |
667 | + def add_filters_for_instance(self, instance): |
668 | + network_info = self.network_infos[instance['id']] |
669 | chain_name = self._instance_chain_name(instance) |
670 | if FLAGS.use_ipv6: |
671 | self.iptables.ipv6['filter'].add_chain(chain_name) |
672 | @@ -601,9 +589,7 @@ |
673 | if FLAGS.use_ipv6: |
674 | self.iptables.ipv6['filter'].remove_chain(chain_name) |
675 | |
676 | - def instance_rules(self, instance, network_info=None): |
677 | - if not network_info: |
678 | - network_info = netutils.get_network_info(instance) |
679 | + def instance_rules(self, instance, network_info): |
680 | ctxt = context.get_admin_context() |
681 | |
682 | ipv4_rules = [] |
683 | @@ -621,14 +607,14 @@ |
684 | ipv4_rules += ['-j $provider'] |
685 | ipv6_rules += ['-j $provider'] |
686 | |
687 | - dhcp_servers = [info['gateway'] for (_n, info) in network_info] |
688 | + dhcp_servers = [info['dhcp_server'] for (_n, info) in network_info] |
689 | |
690 | for dhcp_server in dhcp_servers: |
691 | ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 ' |
692 | '-j ACCEPT' % (dhcp_server,)) |
693 | |
694 | #Allow project network traffic |
695 | - if FLAGS.allow_project_net_traffic: |
696 | + if FLAGS.allow_same_net_traffic: |
697 | cidrs = [network['cidr'] for (network, _m) in network_info] |
698 | for cidr in cidrs: |
699 | ipv4_rules.append('-s %s -j ACCEPT' % (cidr,)) |
700 | @@ -645,7 +631,7 @@ |
701 | '-s %s/128 -p icmpv6 -j ACCEPT' % (gateway_v6,)) |
702 | |
703 | #Allow project network traffic |
704 | - if FLAGS.allow_project_net_traffic: |
705 | + if FLAGS.allow_same_net_traffic: |
706 | cidrv6s = [network['cidr_v6'] for (network, _m) in |
707 | network_info] |
708 | |
709 | @@ -726,27 +712,23 @@ |
710 | |
711 | return ipv4_rules, ipv6_rules |
712 | |
713 | - def instance_filter_exists(self, instance): |
714 | + def instance_filter_exists(self, instance, network_info): |
715 | """Check nova-instance-instance-xxx exists""" |
716 | - return self.nwfilter.instance_filter_exists(instance) |
717 | + return self.nwfilter.instance_filter_exists(instance, network_info) |
718 | |
719 | def refresh_security_group_members(self, security_group): |
720 | self.do_refresh_security_group_rules(security_group) |
721 | self.iptables.apply() |
722 | |
723 | - def refresh_security_group_rules(self, security_group, network_info=None): |
724 | - self.do_refresh_security_group_rules(security_group, network_info) |
725 | + def refresh_security_group_rules(self, security_group): |
726 | + self.do_refresh_security_group_rules(security_group) |
727 | self.iptables.apply() |
728 | |
729 | @utils.synchronized('iptables', external=True) |
730 | - def do_refresh_security_group_rules(self, |
731 | - security_group, |
732 | - network_info=None): |
733 | + def do_refresh_security_group_rules(self, security_group): |
734 | for instance in self.instances.values(): |
735 | self.remove_filters_for_instance(instance) |
736 | - if not network_info: |
737 | - network_info = netutils.get_network_info(instance) |
738 | - self.add_filters_for_instance(instance, network_info) |
739 | + self.add_filters_for_instance(instance) |
740 | |
741 | def refresh_provider_fw_rules(self): |
742 | """See class:FirewallDriver: docs.""" |
743 | |
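--- a/nova/virt/libvirt/netutils.py
+++ b/nova/virt/libvirt/netutils.py
@@ -23,12 +23,7 @@
 
 import netaddr
 
-from nova import context
-from nova import db
-from nova import exception
 from nova import flags
-from nova import ipv6
-from nova import utils
 
 
 FLAGS = flags.FLAGS
@@ -47,65 +42,3 @@
 def get_ip_version(cidr):
 net = netaddr.IPNetwork(cidr)
 return int(net.version)
-
-
-def get_network_info(instance):
- # TODO(tr3buchet): this function needs to go away! network info
- # MUST be passed down from compute
- # TODO(adiantum) If we will keep this function
- # we should cache network_info
- admin_context = context.get_admin_context()
-
- try:
- fixed_ips = db.fixed_ip_get_by_instance(admin_context, instance['id'])
- except exception.FixedIpNotFoundForInstance:
- fixed_ips = []
-
- vifs = db.virtual_interface_get_by_instance(admin_context, instance['id'])
- flavor = db.instance_type_get(admin_context,
- instance['instance_type_id'])
- network_info = []
-
- for vif in vifs:
- network = vif['network']
-
- # determine which of the instance's IPs belong to this network
- network_ips = [fixed_ip['address'] for fixed_ip in fixed_ips if
- fixed_ip['network_id'] == network['id']]
-
- def ip_dict(ip):
- return {
- 'ip': ip,
- 'netmask': network['netmask'],
- 'enabled': '1'}
-
- def ip6_dict():
- prefix = network['cidr_v6']
- mac = vif['address']
- project_id = instance['project_id']
- return {
- 'ip': ipv6.to_global(prefix, mac, project_id),
- 'netmask': network['netmask_v6'],
- 'enabled': '1'}
-
- mapping = {
- 'label': network['label'],
- 'gateway': network['gateway'],
- 'broadcast': network['broadcast'],
- 'dhcp_server': network['gateway'],
- 'mac': vif['address'],
- 'rxtx_cap': flavor['rxtx_cap'],
- 'dns': [],
- 'ips': [ip_dict(ip) for ip in network_ips]}
-
- if network['dns1']:
- mapping['dns'].append(network['dns1'])
- if network['dns2']:
- mapping['dns'].append(network['dns2'])
-
- if FLAGS.use_ipv6:
- mapping['ip6s'] = [ip6_dict()]
- mapping['gateway6'] = network['gateway_v6']
-
- network_info.append((network, mapping))
- return network_info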
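--- a/nova/virt/libvirt/vif.py
+++ b/nova/virt/libvirt/vif.py
@@ -44,7 +44,7 @@
 gateway6 = mapping.get('gateway6')
 mac_id = mapping['mac'].replace(':', '')
 
- if FLAGS.allow_project_net_traffic:
+ if FLAGS.allow_same_net_traffic:
 template = "<parameter name=\"%s\"value=\"%s\" />\n"
 net, mask = netutils.get_net_and_mask(network['cidr'])
 values = [("PROJNET", net), ("PROJMASK", mask)]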
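Review bot: The flag read at `if FLAGS.allow_same_net_traffic:` now decides whether the PROJNET/PROJMASK parameters are emitted, and nothing visible in this hunk keeps the old `allow_project_net_traffic` name working. If the flag definition (outside this hunk) carries no alias, a deployment that set the old name to turn same-network traffic off would silently fall back to the new flag's default after upgrade, which may loosen isolation between instances. A comment at the check such as `# NOTE: flag was allow_project_net_traffic before this change; the old name is no longer read` and a matching release note would make the change visible to operators. The enclosing function starts and ends outside the hunk.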
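--- a/nova/virt/xenapi_conn.py
+++ b/nova/virt/xenapi_conn.py
@@ -309,7 +309,7 @@
 """This method is supported only by libvirt."""
 raise NotImplementedError('This method is supported only by libvirt.')
 
- def ensure_filtering_rules_for_instance(self, instance_ref):
+ def ensure_filtering_rules_for_instance(self, instance_ref, network_info):
 """This method is supported only libvirt."""
 return
 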
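Review bot: `ensure_filtering_rules_for_instance` gains a `network_info` parameter but still returns silently, while the method directly above it raises `NotImplementedError` with the same "supported only by libvirt" wording. A caller that uses this call to confirm firewall rules exist before continuing (the caller is not visible here) gets an apparent success from this driver. If the no-op is intended, say so in the docstring, for example `"""No-op: supported only by libvirt; network_info is accepted for interface parity and ignored."""`, which also fixes the missing "by" in the current text. Otherwise raise as the sibling method does.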
Sweet! Too slow tr3buchet!
Just FYI, there are a couple of pep8 issues.