From: Irena Berezovsky
Date: Tue, 25 Mar 2014 07:30:17 +0000 (+0200)
Subject: Add L2 Agent side handling for non consistent security_group settings
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=3ac434d8a6c3370181ce2ea1d334da2cfc85629d;p=openstack-build%2Fneutron-build.git
Add L2 Agent side handling for non consistent security_group settings
Add setting of the firewall_driver to NoopDriver when firewall_driver is None and add warning if driver combination is not valid. Modify is_valid_driver_combination to verify default settings: enable_security_group (True) and firewall_driver (None).
Change-Id: I841f9cf96ac6ee2ad17a4e8908d6c8a96f368cca
Closes-Bug: #1296957
(cherry picked from commit 5c6ff449bbd7386f0f3e41efc524024434f325df)
---
diff --git a/neutron/agent/securitygroups_rpc.py b/neutron/agent/securitygroups_rpc.py
index 323924203..e8dc68209 100644
--- a/neutron/agent/securitygroups_rpc.py
+++ b/neutron/agent/securitygroups_rpc.py
@@ -44,12 +44,13 @@ cfg.CONF.register_opts(security_group_opts, 'SECURITYGROUP')
 #This is backward compatibility check for Havana
 def _is_valid_driver_combination():
 return ((cfg.CONF.SECURITYGROUP.enable_security_group and
- cfg.CONF.SECURITYGROUP.firewall_driver !=
- 'neutron.agent.firewall.NoopFirewallDriver') or
+ (cfg.CONF.SECURITYGROUP.firewall_driver and
+ cfg.CONF.SECURITYGROUP.firewall_driver !=
+ 'neutron.agent.firewall.NoopFirewallDriver')) or
 (not cfg.CONF.SECURITYGROUP.enable_security_group and
 (cfg.CONF.SECURITYGROUP.firewall_driver ==
 'neutron.agent.firewall.NoopFirewallDriver' or
- cfg.CONF.SECURITYGROUP.firewall_driver == None)
+ cfg.CONF.SECURITYGROUP.firewall_driver is None)
 ))
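Review bot: The two branches of `_is_valid_driver_combination` now disagree on what an unset driver is: the enabled branch uses truthiness (`cfg.CONF.SECURITYGROUP.firewall_driver and ...`) while the disabled branch still tests `is None`. An empty `firewall_driver` value (presumably possible when the option is given an empty string in the config file) therefore makes enable_security_group=False report an invalid combination, although `init_firewall` in the next hunk treats the same value as unset through `if not firewall_driver`. Replacing `cfg.CONF.SECURITYGROUP.firewall_driver is None` with `not cfg.CONF.SECURITYGROUP.firewall_driver` would keep the three checks consistent. The one-line comment above the function could also state the accepted combinations, e.g. `# Valid: SG enabled with a real driver, or SG disabled with NoopFirewallDriver or no driver.`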
@@ -137,6 +138,11 @@ class SecurityGroupAgentRpcMixin(object):
 def init_firewall(self, defer_refresh_firewall=False):
 firewall_driver = cfg.CONF.SECURITYGROUP.firewall_driver
 LOG.debug(_("Init firewall settings (driver=%s)"), firewall_driver)
+ if not _is_valid_driver_combination():
+ LOG.warn("Driver configuration doesn't match "
+ "with enable_security_group")
+ if not firewall_driver:
+ firewall_driver = 'neutron.agent.firewall.NoopFirewallDriver'
 self.firewall = importutils.import_object(firewall_driver)
 # The following flag will be set to true if port filter must not be
 # applied as soon as a rule or membership notification is received
diff --git a/neutron/tests/unit/test_security_groups_rpc.py b/neutron/tests/unit/test_security_groups_rpc.py
index 14e0f1c39..b3d71da09 100644
--- a/neutron/tests/unit/test_security_groups_rpc.py
+++ b/neutron/tests/unit/test_security_groups_rpc.py
@@ -505,6 +505,17 @@ class SGAgentRpcCallBackMixinTestCase(base.BaseTestCase):
 [call.security_groups_provider_updated()])
+class SecurityGroupAgentRpcTestCaseForNoneDriver(base.BaseTestCase):
+ def test_init_firewall_with_none_driver(self):
+ cfg.CONF.set_override(
+ 'enable_security_group', False,
+ group='SECURITYGROUP')
+ agent = sg_rpc.SecurityGroupAgentRpcMixin()
+ agent.init_firewall()
+ self.assertEqual(agent.firewall.__class__.__name__,
+ 'NoopFirewallDriver')
+
+
 class SecurityGroupAgentRpcTestCase(base.BaseTestCase):
 def setUp(self, defer_refresh_firewall=False):
 super(SecurityGroupAgentRpcTestCase, self).setUp()
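Review bot: With the defaults the commit message names (enable_security_group True, firewall_driver None), the code added to `init_firewall` logs one generic warning and then loads NoopFirewallDriver, so the agent starts with what is presumably no port filtering while security groups are nominally enabled. If that fallback has to stay for Havana compatibility, the warning should carry the offending values and go through `_()` like the LOG.debug call above it, e.g. `LOG.warn(_("firewall_driver=%(drv)s is inconsistent with enable_security_group=%(sg)s"), {'drv': firewall_driver, 'sg': cfg.CONF.SECURITYGROUP.enable_security_group})`, and the `if not firewall_driver:` branch deserves its own message saying the no-op driver is being used. It is worth deciding explicitly whether the enabled-without-driver case should stop the agent rather than fall back. The body of `init_firewall` continues past the end of the hunk.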
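Review bot: `test_init_firewall_with_none_driver` only exercises enable_security_group=False and relies on firewall_driver keeping its default instead of setting it, so the case this commit adds a warning for (security groups enabled, no driver) is never driven through `init_firewall`. Stating the precondition with `cfg.CONF.set_override('firewall_driver', None, group='SECURITYGROUP')` and adding a second test with enable_security_group=True would pin both the fallback and the warning. An empty-string driver case would also cover the `if not firewall_driver` check.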
@@ -1721,6 +1732,15 @@ class TestSecurityGroupExtensionControl(base.BaseTestCase):
 group='SECURITYGROUP')
 self.assertFalse(sg_rpc._is_valid_driver_combination())
+ def test_is_invalid_drvier_combination_sg_enabled_with_none(self):
+ cfg.CONF.set_override(
+ 'enable_security_group', True,
+ group='SECURITYGROUP')
+ cfg.CONF.set_override(
+ 'firewall_driver', None,
+ group='SECURITYGROUP')
+ self.assertFalse(sg_rpc._is_valid_driver_combination())
+
 def test_is_invalid_drvier_combination_sg_disabled(self):
 cfg.CONF.set_override(
 'enable_security_group', False,