Set firewall state to CREATED when dealing with DVR

When DVR is enabled as a default option for creating routers, firewall
resources will need to have a new initial state, so that reconciliation
can be done once all L3 agents have processed the firewall rules.

The new state has been introduced to preserve API bw compatibility
with centralized routers.

Partial-bug: #1360351
Supports-blueprint: neutron-dvr-fwaas

Change-Id: I53122570dd3a2311eedb24ccd925bcdc9ad4f70c

diff --git a/neutron/db/firewall/firewall_db.py b/neutron/db/firewall/firewall_db.py
index 3460ea01be86b75c71bf5059cf52a97ae23fa9ab..cdd05d2f59b20c984f8942d9cb565e27bd25116c 100644 (file)
--- a/neutron/db/firewall/firewall_db.py
+++ b/neutron/db/firewall/firewall_db.py
@@ -15,6 +15,8 @@
 #
 # @author: Sumit Naiksatam, sumitnaiksatam@gmail.com, Big Switch Networks, Inc.
 
+from oslo.config import cfg
+
 import sqlalchemy as sa
 from sqlalchemy.ext.orderinglist import ordering_list
 from sqlalchemy import orm
@@ -239,6 +241,11 @@ class Firewall_db_mixin(firewall.FirewallPluginBase, base_db.CommonDbMixin):
         LOG.debug(_("create_firewall() called"))
         fw = firewall['firewall']
         tenant_id = self._get_tenant_id_for_create(context, fw)
+        # distributed routers may required a more complex state machine;
+        # the introduction of a new 'CREATED' state allows this, whilst
+        # keeping a backward compatible behavior of the logical resource.
+        status = (const.CREATED
+            if cfg.CONF.router_distributed else const.PENDING_CREATE)
         with context.session.begin(subtransactions=True):
             firewall_db = Firewall(id=uuidutils.generate_uuid(),
                                    tenant_id=tenant_id,
@@ -247,7 +254,7 @@ class Firewall_db_mixin(firewall.FirewallPluginBase, base_db.CommonDbMixin):
                                    firewall_policy_id=
                                    fw['firewall_policy_id'],
                                    admin_state_up=fw['admin_state_up'],
-                                   status=const.PENDING_CREATE)
+                                   status=status)
             context.session.add(firewall_db)
         return self._make_firewall_dict(firewall_db)
 

diff --git a/neutron/plugins/common/constants.py b/neutron/plugins/common/constants.py
index 4cd1440996a160a1975d36ccf0305187405825aa..1e56ed1de7522e766a8985f3a46f5a02961ba08e 100644 (file)
--- a/neutron/plugins/common/constants.py
+++ b/neutron/plugins/common/constants.py
@@ -50,6 +50,7 @@ COMMON_PREFIXES = {
 # Service operation status constants
 ACTIVE = "ACTIVE"
 DOWN = "DOWN"
+CREATED = "CREATED"
 PENDING_CREATE = "PENDING_CREATE"
 PENDING_UPDATE = "PENDING_UPDATE"
 PENDING_DELETE = "PENDING_DELETE"

diff --git a/neutron/tests/unit/db/firewall/test_db_firewall.py b/neutron/tests/unit/db/firewall/test_db_firewall.py
index 816d22718001e0e2197334f710ab3dfc0bcc493d..5e27f5fc46c938e0815580b6c70db8250b04e214 100644 (file)
--- a/neutron/tests/unit/db/firewall/test_db_firewall.py
+++ b/neutron/tests/unit/db/firewall/test_db_firewall.py
@@ -15,6 +15,8 @@
 #
 # @author: Sumit Naiksatam, sumitnaiksatam@gmail.com, Big Switch Networks, Inc.
 
+from oslo.config import cfg
+
 import contextlib
 
 import mock
@@ -139,11 +141,12 @@ class FirewallPluginDbTestCase(test_db_plugin.NeutronDbPluginV2TestCase):
                  'audited': audited}
         return attrs
 
-    def _get_test_firewall_attrs(self, name='firewall_1'):
+    def _get_test_firewall_attrs(
+        self, name='firewall_1', status='PENDING_CREATE'):
         attrs = {'name': name,
                  'tenant_id': self._tenant_id,
                  'admin_state_up': ADMIN_STATE_UP,
-                 'status': 'PENDING_CREATE'}
+                 'status': status}
 
         return attrs
 
@@ -761,20 +764,26 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
                 res = req.get_response(self.ext_api)
                 self.assertEqual(res.status_int, 409)
 
-    def test_create_firewall(self):
-        name = "firewall1"
-        attrs = self._get_test_firewall_attrs(name)
-
+    def _test_create_firewall(self, attrs):
         with self.firewall_policy() as fwp:
             fwp_id = fwp['firewall_policy']['id']
             attrs['firewall_policy_id'] = fwp_id
-            with self.firewall(name=name,
+            with self.firewall(name=attrs['name'],
                                firewall_policy_id=fwp_id,
                                admin_state_up=
                                ADMIN_STATE_UP) as firewall:
                 for k, v in attrs.iteritems():
                     self.assertEqual(firewall['firewall'][k], v)
 
+    def test_create_firewall(self):
+        attrs = self._get_test_firewall_attrs("firewall1")
+        self._test_create_firewall(attrs)
+
+    def test_create_firewall_with_dvr(self):
+        cfg.CONF.set_override('router_distributed', True)
+        attrs = self._get_test_firewall_attrs("firewall1", "CREATED")
+        self._test_create_firewall(attrs)
+
     def test_show_firewall(self):
         name = "firewall1"
         attrs = self._get_test_firewall_attrs(name)