From: Ryota MIBU Date: Wed, 2 Jul 2014 15:10:32 +0000 (+0900) Subject: Set vif_details to reflect enable_security_group X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=08778910d1cbcd8c923a766d4b03f4d7220245c6;p=openstack-build%2Fneutron-build.git Set vif_details to reflect enable_security_group While plugging vif, VIFDriver in Nova follows "ovs_hybrid_plug" and "port_filter" in "binding:vif_detail" which is passed from Neutron, but those are always true. This patch make ML2 OVS mech driver set those param depends on enable_security_group flag. It enables users to avoid ovs_hybrid plugging. This patch also fixes the same issue in the following plugins/drivers: * NEC Plugin * BigSwitch Plugin * Ryu Plugin * ML2 Plugin - OFAgent Mech Driver Closes-Bug: #1336624 Change-Id: I2b7fb526a6f1b730ad65289307b24fd28b996e1b (cherry picked from commit e73f8da072cb41559ecee7f29f864a10db475444) --- diff --git a/neutron/plugins/bigswitch/plugin.py b/neutron/plugins/bigswitch/plugin.py index e2e051d75..b52dd3bf5 100644 --- a/neutron/plugins/bigswitch/plugin.py +++ b/neutron/plugins/bigswitch/plugin.py @@ -365,11 +365,12 @@ class NeutronRestProxyV2Base(db_base_plugin_v2.NeutronDbPluginV2, cfg_vif_type = override port[portbindings.VIF_TYPE] = cfg_vif_type + sg_enabled = sg_rpc.is_firewall_enabled() port[portbindings.VIF_DETAILS] = { # TODO(rkukura): Replace with new VIF security details portbindings.CAP_PORT_FILTER: 'security-group' in self.supported_extension_aliases, - portbindings.OVS_HYBRID_PLUG: True + portbindings.OVS_HYBRID_PLUG: sg_enabled } return port diff --git a/neutron/plugins/ml2/drivers/mech_ofagent.py b/neutron/plugins/ml2/drivers/mech_ofagent.py index 012800183..3b7b7e27e 100644 --- a/neutron/plugins/ml2/drivers/mech_ofagent.py +++ b/neutron/plugins/ml2/drivers/mech_ofagent.py @@ -19,6 +19,7 @@ # License for the specific language governing permissions and limitations # under the License. +from neutron.agent import securitygroups_rpc from neutron.common import constants from neutron.extensions import portbindings from neutron.openstack.common import log @@ -40,11 +41,13 @@ class OfagentMechanismDriver(mech_agent.SimpleAgentMechanismDriverBase): """ def __init__(self): + sg_enabled = securitygroups_rpc.is_firewall_enabled() + vif_details = {portbindings.CAP_PORT_FILTER: sg_enabled, + portbindings.OVS_HYBRID_PLUG: sg_enabled} super(OfagentMechanismDriver, self).__init__( constants.AGENT_TYPE_OFA, portbindings.VIF_TYPE_OVS, - {portbindings.CAP_PORT_FILTER: True, - portbindings.OVS_HYBRID_PLUG: True}) + vif_details) def check_segment_for_agent(self, segment, agent): bridge_mappings = agent['configurations'].get('bridge_mappings', {}) diff --git a/neutron/plugins/ml2/drivers/mech_openvswitch.py b/neutron/plugins/ml2/drivers/mech_openvswitch.py index 0565b9730..995abb663 100644 --- a/neutron/plugins/ml2/drivers/mech_openvswitch.py +++ b/neutron/plugins/ml2/drivers/mech_openvswitch.py @@ -13,6 +13,7 @@ # License for the specific language governing permissions and limitations # under the License. +from neutron.agent import securitygroups_rpc from neutron.common import constants from neutron.extensions import portbindings from neutron.openstack.common import log @@ -33,11 +34,13 @@ class OpenvswitchMechanismDriver(mech_agent.SimpleAgentMechanismDriverBase): """ def __init__(self): + sg_enabled = securitygroups_rpc.is_firewall_enabled() + vif_details = {portbindings.CAP_PORT_FILTER: sg_enabled, + portbindings.OVS_HYBRID_PLUG: sg_enabled} super(OpenvswitchMechanismDriver, self).__init__( constants.AGENT_TYPE_OVS, portbindings.VIF_TYPE_OVS, - {portbindings.CAP_PORT_FILTER: True, - portbindings.OVS_HYBRID_PLUG: True}) + vif_details) def check_segment_for_agent(self, segment, agent): mappings = agent['configurations'].get('bridge_mappings', {}) diff --git a/neutron/plugins/nec/nec_plugin.py b/neutron/plugins/nec/nec_plugin.py index 7d26b1b59..373dfdf24 100644 --- a/neutron/plugins/nec/nec_plugin.py +++ b/neutron/plugins/nec/nec_plugin.py @@ -421,15 +421,11 @@ class NECPluginV2(db_base_plugin_v2.NeutronDbPluginV2, self._cleanup_ofc_tenant(context, tenant_id) def _get_base_binding_dict(self): - binding = { - portbindings.VIF_TYPE: portbindings.VIF_TYPE_OVS, - portbindings.VIF_DETAILS: { - # TODO(rkukura): Replace with new VIF security details - portbindings.CAP_PORT_FILTER: - 'security-group' in self.supported_extension_aliases, - portbindings.OVS_HYBRID_PLUG: True - } - } + sg_enabled = sg_rpc.is_firewall_enabled() + vif_details = {portbindings.CAP_PORT_FILTER: sg_enabled, + portbindings.OVS_HYBRID_PLUG: sg_enabled} + binding = {portbindings.VIF_TYPE: portbindings.VIF_TYPE_OVS, + portbindings.VIF_DETAILS: vif_details} return binding def _extend_port_dict_binding_portinfo(self, port_res, portinfo): diff --git a/neutron/plugins/ryu/ryu_neutron_plugin.py b/neutron/plugins/ryu/ryu_neutron_plugin.py index 8a1822836..c387518f8 100644 --- a/neutron/plugins/ryu/ryu_neutron_plugin.py +++ b/neutron/plugins/ryu/ryu_neutron_plugin.py @@ -107,15 +107,7 @@ class RyuNeutronPluginV2(db_base_plugin_v2.NeutronDbPluginV2, def __init__(self, configfile=None): super(RyuNeutronPluginV2, self).__init__() - self.base_binding_dict = { - portbindings.VIF_TYPE: portbindings.VIF_TYPE_OVS, - portbindings.VIF_DETAILS: { - # TODO(rkukura): Replace with new VIF security details - portbindings.CAP_PORT_FILTER: - 'security-group' in self.supported_extension_aliases, - portbindings.OVS_HYBRID_PLUG: True - } - } + self.base_binding_dict = self._get_base_binding_dict() portbindings_base.register_port_dict_function() self.tunnel_key = db_api_v2.TunnelKey( cfg.CONF.OVS.tunnel_key_min, cfg.CONF.OVS.tunnel_key_max) @@ -134,6 +126,14 @@ class RyuNeutronPluginV2(db_base_plugin_v2.NeutronDbPluginV2, # register known all network list on startup self._create_all_tenant_network() + def _get_base_binding_dict(self): + sg_enabled = sg_rpc.is_firewall_enabled() + vif_details = {portbindings.CAP_PORT_FILTER: sg_enabled, + portbindings.OVS_HYBRID_PLUG: sg_enabled} + binding = {portbindings.VIF_TYPE: portbindings.VIF_TYPE_OVS, + portbindings.VIF_DETAILS: vif_details} + return binding + def _setup_rpc(self): self.service_topics = {svc_constants.CORE: topics.PLUGIN, svc_constants.L3_ROUTER_NAT: topics.L3PLUGIN} diff --git a/neutron/tests/unit/_test_extension_portbindings.py b/neutron/tests/unit/_test_extension_portbindings.py index 4f72f5866..54e4c67d7 100644 --- a/neutron/tests/unit/_test_extension_portbindings.py +++ b/neutron/tests/unit/_test_extension_portbindings.py @@ -29,19 +29,27 @@ class PortBindingsTestCase(test_db_plugin.NeutronDbPluginV2TestCase): # VIF_TYPE must be overridden according to plugin vif_type VIF_TYPE = portbindings.VIF_TYPE_OTHER - # The plugin supports the port security feature such as - # security groups and anti spoofing. - HAS_PORT_FILTER = False + # VIF_DETAILS must be overridden according to plugin vif_details + VIF_DETAILS = None def _check_response_portbindings(self, port): self.assertEqual(port[portbindings.VIF_TYPE], self.VIF_TYPE) - vif_details = port[portbindings.VIF_DETAILS] # REVISIT(rkukura): Consider reworking tests to enable ML2 to bind + if self.VIF_TYPE not in [portbindings.VIF_TYPE_UNBOUND, portbindings.VIF_TYPE_BINDING_FAILED]: - # TODO(rkukura): Replace with new VIF security details - self.assertEqual(vif_details[portbindings.CAP_PORT_FILTER], - self.HAS_PORT_FILTER) + # NOTE(r-mibu): The following six lines are just for backward + # compatibility. In this class, HAS_PORT_FILTER has been replaced + # by VIF_DETAILS which can be set expected vif_details to check, + # but all replacement of HAS_PORT_FILTER in successor has not been + # completed. + if self.VIF_DETAILS is None: + expected = getattr(self, 'HAS_PORT_FILTER', False) + vif_details = port[portbindings.VIF_DETAILS] + port_filter = vif_details[portbindings.CAP_PORT_FILTER] + self.assertEqual(expected, port_filter) + return + self.assertEqual(self.VIF_DETAILS, port[portbindings.VIF_DETAILS]) def _check_response_no_portbindings(self, port): self.assertIn('status', port) diff --git a/neutron/tests/unit/ml2/_test_mech_agent.py b/neutron/tests/unit/ml2/_test_mech_agent.py index a42eca0c2..71aeecf13 100644 --- a/neutron/tests/unit/ml2/_test_mech_agent.py +++ b/neutron/tests/unit/ml2/_test_mech_agent.py @@ -120,7 +120,7 @@ class AgentMechanismBaseTestCase(base.BaseTestCase): # The following must be overridden for the specific mechanism # driver being tested: VIF_TYPE = None - CAP_PORT_FILTER = None + VIF_DETAILS = None AGENT_TYPE = None AGENTS = None AGENTS_DEAD = None @@ -136,8 +136,17 @@ class AgentMechanismBaseTestCase(base.BaseTestCase): self.assertEqual(context._bound_vif_type, self.VIF_TYPE) vif_details = context._bound_vif_details self.assertIsNotNone(vif_details) - self.assertEqual(vif_details[portbindings.CAP_PORT_FILTER], - self.CAP_PORT_FILTER) + # NOTE(r-mibu): The following five lines are just for backward + # compatibility. In this class, HAS_PORT_FILTER has been replaced + # by VIF_DETAILS which can be set expected vif_details to check, + # but all replacement of HAS_PORT_FILTER in successor has not been + # completed. + if self.VIF_DETAILS is None: + expected = getattr(self, 'CAP_PORT_FILTER', None) + port_filter = vif_details[portbindings.CAP_PORT_FILTER] + self.assertEqual(expected, port_filter) + return + self.assertEqual(self.VIF_DETAILS, vif_details) class AgentMechanismGenericTestCase(AgentMechanismBaseTestCase): diff --git a/neutron/tests/unit/ml2/drivers/test_ofagent_mech.py b/neutron/tests/unit/ml2/drivers/test_ofagent_mech.py index 3187f296b..8c62e1e79 100644 --- a/neutron/tests/unit/ml2/drivers/test_ofagent_mech.py +++ b/neutron/tests/unit/ml2/drivers/test_ofagent_mech.py @@ -13,6 +13,8 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo.config import cfg + from neutron.common import constants from neutron.extensions import portbindings from neutron.plugins.ml2.drivers import mech_ofagent @@ -21,7 +23,8 @@ from neutron.tests.unit.ml2 import _test_mech_agent as base class OfagentMechanismBaseTestCase(base.AgentMechanismBaseTestCase): VIF_TYPE = portbindings.VIF_TYPE_OVS - CAP_PORT_FILTER = True + VIF_DETAILS = {portbindings.CAP_PORT_FILTER: True, + portbindings.OVS_HYBRID_PLUG: True} AGENT_TYPE = constants.AGENT_TYPE_OFA GOOD_MAPPINGS = {'fake_physical_network': 'fake_interface'} @@ -49,6 +52,17 @@ class OfagentMechanismBaseTestCase(base.AgentMechanismBaseTestCase): self.driver.initialize() +class OfagentMechanismSGDisabledBaseTestCase(OfagentMechanismBaseTestCase): + VIF_DETAILS = {portbindings.CAP_PORT_FILTER: False, + portbindings.OVS_HYBRID_PLUG: False} + + def setUp(self): + cfg.CONF.set_override('enable_security_group', + False, + group='SECURITYGROUP') + super(OfagentMechanismSGDisabledBaseTestCase, self).setUp() + + class OfagentMechanismGenericTestCase(OfagentMechanismBaseTestCase, base.AgentMechanismGenericTestCase): pass @@ -74,12 +88,19 @@ class OfagentMechanismGreTestCase(OfagentMechanismBaseTestCase, pass +class OfagentMechanismSGDisabledLocalTestCase( + OfagentMechanismSGDisabledBaseTestCase, + base.AgentMechanismLocalTestCase): + pass + + # The following tests are for deprecated "bridge_mappings". # TODO(yamamoto): Remove them. class OfagentMechanismPhysBridgeTestCase(base.AgentMechanismBaseTestCase): VIF_TYPE = portbindings.VIF_TYPE_OVS - CAP_PORT_FILTER = True + VIF_DETAILS = {portbindings.CAP_PORT_FILTER: True, + portbindings.OVS_HYBRID_PLUG: True} AGENT_TYPE = constants.AGENT_TYPE_OFA GOOD_MAPPINGS = {'fake_physical_network': 'fake_bridge'} diff --git a/neutron/tests/unit/ml2/test_mech_openvswitch.py b/neutron/tests/unit/ml2/test_mech_openvswitch.py index b1af1b7fa..456d6f02c 100644 --- a/neutron/tests/unit/ml2/test_mech_openvswitch.py +++ b/neutron/tests/unit/ml2/test_mech_openvswitch.py @@ -13,6 +13,8 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo.config import cfg + from neutron.common import constants from neutron.extensions import portbindings from neutron.plugins.ml2.drivers import mech_openvswitch @@ -21,7 +23,8 @@ from neutron.tests.unit.ml2 import _test_mech_agent as base class OpenvswitchMechanismBaseTestCase(base.AgentMechanismBaseTestCase): VIF_TYPE = portbindings.VIF_TYPE_OVS - CAP_PORT_FILTER = True + VIF_DETAILS = {portbindings.CAP_PORT_FILTER: True, + portbindings.OVS_HYBRID_PLUG: True} AGENT_TYPE = constants.AGENT_TYPE_OVS GOOD_MAPPINGS = {'fake_physical_network': 'fake_bridge'} @@ -49,6 +52,18 @@ class OpenvswitchMechanismBaseTestCase(base.AgentMechanismBaseTestCase): self.driver.initialize() +class OpenvswitchMechanismSGDisabledBaseTestCase( + OpenvswitchMechanismBaseTestCase): + VIF_DETAILS = {portbindings.CAP_PORT_FILTER: False, + portbindings.OVS_HYBRID_PLUG: False} + + def setUp(self): + cfg.CONF.set_override('enable_security_group', + False, + group='SECURITYGROUP') + super(OpenvswitchMechanismSGDisabledBaseTestCase, self).setUp() + + class OpenvswitchMechanismGenericTestCase(OpenvswitchMechanismBaseTestCase, base.AgentMechanismGenericTestCase): pass @@ -72,3 +87,9 @@ class OpenvswitchMechanismVlanTestCase(OpenvswitchMechanismBaseTestCase, class OpenvswitchMechanismGreTestCase(OpenvswitchMechanismBaseTestCase, base.AgentMechanismGreTestCase): pass + + +class OpenvswitchMechanismSGDisabledLocalTestCase( + OpenvswitchMechanismSGDisabledBaseTestCase, + base.AgentMechanismLocalTestCase): + pass diff --git a/neutron/tests/unit/nec/test_portbindings.py b/neutron/tests/unit/nec/test_portbindings.py index 9dc61ed54..a2ceb321b 100644 --- a/neutron/tests/unit/nec/test_portbindings.py +++ b/neutron/tests/unit/nec/test_portbindings.py @@ -28,7 +28,8 @@ from neutron.tests.unit import test_security_groups_rpc as test_sg_rpc class TestNecPortBinding(test_bindings.PortBindingsTestCase, test_nec_plugin.NecPluginV2TestCase): VIF_TYPE = portbindings.VIF_TYPE_OVS - HAS_PORT_FILTER = True + VIF_DETAILS = {portbindings.CAP_PORT_FILTER: True, + portbindings.OVS_HYBRID_PLUG: True} ENABLE_SG = True FIREWALL_DRIVER = test_sg_rpc.FIREWALL_HYBRID_DRIVER @@ -41,7 +42,8 @@ class TestNecPortBinding(test_bindings.PortBindingsTestCase, class TestNecPortBindingNoSG(TestNecPortBinding): - HAS_PORT_FILTER = False + VIF_DETAILS = {portbindings.CAP_PORT_FILTER: False, + portbindings.OVS_HYBRID_PLUG: False} ENABLE_SG = False FIREWALL_DRIVER = test_sg_rpc.FIREWALL_NOOP_DRIVER