Add L2 Agent side handling for non consistent security_group settings

Add setting of the firewall_driver to NoopDriver when firewall_driver is None and
add warning if driver combination is not valid.
Modify is_valid_driver_combination to verify default settings: enable_security_group (True) and firewall_driver (None).

Change-Id: I841f9cf96ac6ee2ad17a4e8908d6c8a96f368cca
Closes-Bug: #1296957
(cherry picked from commit 5c6ff449bbd7386f0f3e41efc524024434f325df)

diff --git a/neutron/agent/securitygroups_rpc.py b/neutron/agent/securitygroups_rpc.py
index 323924203377635a4abfb20acca8b4da3ecb4d48..e8dc68209b93f401d835cd42967014a9962fb791 100644 (file)
--- a/neutron/agent/securitygroups_rpc.py
+++ b/neutron/agent/securitygroups_rpc.py
@@ -44,12 +44,13 @@ cfg.CONF.register_opts(security_group_opts, 'SECURITYGROUP')
 #This is backward compatibility check for Havana
 def _is_valid_driver_combination():
     return ((cfg.CONF.SECURITYGROUP.enable_security_group and
-             cfg.CONF.SECURITYGROUP.firewall_driver !=
-             'neutron.agent.firewall.NoopFirewallDriver') or
+             (cfg.CONF.SECURITYGROUP.firewall_driver and
+              cfg.CONF.SECURITYGROUP.firewall_driver !=
+             'neutron.agent.firewall.NoopFirewallDriver')) or
             (not cfg.CONF.SECURITYGROUP.enable_security_group and
              (cfg.CONF.SECURITYGROUP.firewall_driver ==
              'neutron.agent.firewall.NoopFirewallDriver' or
-              cfg.CONF.SECURITYGROUP.firewall_driver == None)
+              cfg.CONF.SECURITYGROUP.firewall_driver is None)
              ))
 
 
@@ -137,6 +138,11 @@ class SecurityGroupAgentRpcMixin(object):
     def init_firewall(self, defer_refresh_firewall=False):
         firewall_driver = cfg.CONF.SECURITYGROUP.firewall_driver
         LOG.debug(_("Init firewall settings (driver=%s)"), firewall_driver)
+        if not _is_valid_driver_combination():
+            LOG.warn("Driver configuration doesn't match "
+                     "with enable_security_group")
+        if not firewall_driver:
+            firewall_driver = 'neutron.agent.firewall.NoopFirewallDriver'
         self.firewall = importutils.import_object(firewall_driver)
         # The following flag will be set to true if port filter must not be
         # applied as soon as a rule or membership notification is received

diff --git a/neutron/tests/unit/test_security_groups_rpc.py b/neutron/tests/unit/test_security_groups_rpc.py
index 14e0f1c3905329fcbd82a0dd50ba48e133b88432..b3d71da09b2a4a4323c27d5fbe1a70b0c472ba59 100644 (file)
--- a/neutron/tests/unit/test_security_groups_rpc.py
+++ b/neutron/tests/unit/test_security_groups_rpc.py
@@ -505,6 +505,17 @@ class SGAgentRpcCallBackMixinTestCase(base.BaseTestCase):
             [call.security_groups_provider_updated()])
 
 
+class SecurityGroupAgentRpcTestCaseForNoneDriver(base.BaseTestCase):
+    def test_init_firewall_with_none_driver(self):
+        cfg.CONF.set_override(
+            'enable_security_group', False,
+            group='SECURITYGROUP')
+        agent = sg_rpc.SecurityGroupAgentRpcMixin()
+        agent.init_firewall()
+        self.assertEqual(agent.firewall.__class__.__name__,
+                         'NoopFirewallDriver')
+
+
 class SecurityGroupAgentRpcTestCase(base.BaseTestCase):
     def setUp(self, defer_refresh_firewall=False):
         super(SecurityGroupAgentRpcTestCase, self).setUp()
@@ -1721,6 +1732,15 @@ class TestSecurityGroupExtensionControl(base.BaseTestCase):
             group='SECURITYGROUP')
         self.assertFalse(sg_rpc._is_valid_driver_combination())
 
+    def test_is_invalid_drvier_combination_sg_enabled_with_none(self):
+        cfg.CONF.set_override(
+            'enable_security_group', True,
+            group='SECURITYGROUP')
+        cfg.CONF.set_override(
+            'firewall_driver', None,
+            group='SECURITYGROUP')
+        self.assertFalse(sg_rpc._is_valid_driver_combination())
+
     def test_is_invalid_drvier_combination_sg_disabled(self):
         cfg.CONF.set_override(
             'enable_security_group', False,