review.fuel-infra Code Review - openstack-build/neutron-build.git/commitdiff
XenAPI: Fix netwrap to support security group
author Huan Xie <huan.xie@citrix.com>
Mon, 30 Nov 2015 08:26:23 +0000 (08:26 +0000)
committer Huan Xie <huan.xie@citrix.com>
Wed, 2 Dec 2015 07:37:07 +0000 (07:37 +0000)
This implementation is to give support on neutron security group with
XenServer as compute driver. When using openvswitch, the ovs agent on
compute node cannot execute some linux commands correctly due to
xenserver driver lacking such support. This change will add some
allowed commands which can be executed in dom0.

Implements: blueprint xenserver-give-support-on-neutron-security-group

Change-Id: I377f8ad51e1d2725c3e0153e64322055fcce7b54

neutron/plugins/ml2/drivers/openvswitch/agent/xenapi/etc/xapi.d/plugins/netwrap

index 67dc111bd10f84fff6da15990bf612b058a63dae..ca5d1c24467b7dc37027dcd4bd799218bb5bfdeb 100644 (file)
@@ -34,6 +34,12 @@ import XenAPIPlugin
 
 ALLOWED_CMDS = [
     'ip',
+    'ipset',
+    'iptables-save',
+    'iptables-restore',
+    'ip6tables-save',
+    'ip6tables-restore',
+    'sysctl',
     # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
     'ovs-ofctl',
     'ovs-vsctl',
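Review bot: The added 'sysctl', 'iptables-restore', 'ip6tables-restore' and 'ipset' entries in ALLOWED_CMDS can all change dom0 kernel or firewall state, yet the list holds bare command names and the hunk does not say which agent operations need each one. Suggest a short comment above the new block tying them to the security group support (as the existing NOTE(yamamoto) does for 'ovs-ofctl'), and, if the check that consumes ALLOWED_CMDS elsewhere in this file does not already constrain arguments, restricting the write-capable ones, for example limiting 'sysctl' to the specific keys the agent sets.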
@@ -56,7 +62,7 @@ def _run_command(cmd, cmd_input):
                             stderr=pipe, close_fds=True)
     (out, err) = proc.communicate(cmd_input)
 
-    if err:
+    if proc.returncode != 0:
         raise PluginError(err)
     return out
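Review bot: With 'if proc.returncode != 0:' in _run_command, 'raise PluginError(err)' can now fire with an empty err when a command exits non-zero without writing to stderr, and anything a command writes to stderr while exiting 0 is discarded. Suggest putting the return code and cmd into the PluginError message, and logging a non-empty err on the success path, so failures and warnings from the newly allowed commands stay diagnosable.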