openstack
/
charm-neutron-api
Code Issues Proposed changes

Add support for FWaaS v2 logging 

Enable support for configuration of FWaaS v2 firewall group
logging. The feature can be enabled or disabled via the
enable-firewall-group-logging flag.

This feature is currently only enabled for FWaaS v2 at Stein
for the charms (but is supported back to Queens in Neutron).

Change-Id: I4c440e233ee16d4e756c575d8db70918ff062f3e
Partial-Bug: 1831972
This commit is contained in:
Liam Young 2019-06-07 13:01:23 +00:00
parent a82b210c47
commit 27b4fb1538
5 changed files with 94 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
config.yaml
View File

@ -22,6 +22,14 @@ options:
such as thresholds and a destination log file are available in the neutron-openvswitch charm.
Also, an neutron-openvswitch charm config option "firewall-driver" should be explicitly
set to "openvswitch", since security group logging works only with OVS firewall driver now.
enable-firewall-group-logging:
type: boolean
default: False
description: |
Setting this to True will enable logging for FWaaSv2. (Available from Stein)
WARNING: Enabling this may affect your disk I/O performance since this
may log ALL traffic being passed via gateway. Logging configuration
such as thresholds and a destination log file are available in the neutron-gateway charm.
openstack-origin:
type: string
default: distro

18
hooks/neutron_api_context.py
View File

@ -245,6 +245,22 @@ def is_nsg_logging_enabled():
return False
def is_nfg_logging_enabled():
"""
Check if Neutron firewall groups logging should be enabled.
"""
if config('enable-firewall-group-logging'):
if CompareOpenStackReleases(os_release('neutron-server')) < 'stein':
log("The logging option is only supported on Stein or later",
ERROR)
return False
return True
return False
def is_vlan_trunking_requested_and_valid():
"""Check whether VLAN trunking should be enabled by checking whether
it has been requested and, if it has, is it supported in the current
@ -585,7 +601,7 @@ class NeutronCCContext(context.NeutronContext):
ctxt['service_plugins'] = service_plugins.get(
release, service_plugins['stein'])
if is_nsg_logging_enabled():
if is_nsg_logging_enabled() or is_nfg_logging_enabled():
ctxt['service_plugins'].append('log')
if is_qos_requested_and_valid():

2
hooks/neutron_api_hooks.py
View File

@ -96,6 +96,7 @@ from neutron_api_context import (
IdentityServiceContext,
is_qos_requested_and_valid,
is_vlan_trunking_requested_and_valid,
is_nfg_logging_enabled,
is_nsg_logging_enabled,
EtcdContext,
)
@ -488,6 +489,7 @@ def neutron_plugin_api_relation_joined(rid=None):
'enable-qos': is_qos_requested_and_valid(),
'enable-vlan-trunking': is_vlan_trunking_requested_and_valid(),
'enable-nsg-logging': is_nsg_logging_enabled(),
'enable-nfg-logging': is_nfg_logging_enabled(),
'overlay-network-type': get_overlay_network_type(),
'addr': unit_get('private-address'),
'polling-interval': config('polling-interval'),

11
unit_tests/test_neutron_api_context.py
View File

@ -250,6 +250,17 @@ class GeneralTests(CharmTestCase):
self.assertEqual(context.get_ml2_mechanism_drivers(),
'openvswitch,hyperv,sriovnicswitch')
def test_is_nfg_logging_enabled(self):
self.os_release.return_value = 'stein'
self.test_config.set('enable-firewall-group-logging', True)
self.assertTrue(context.is_nfg_logging_enabled())
self.os_release.return_value = 'stein'
self.test_config.set('enable-firewall-group-logging', False)
self.assertFalse(context.is_nfg_logging_enabled())
self.os_release.return_value = 'queens'
self.test_config.set('enable-firewall-group-logging', True)
self.assertFalse(context.is_nfg_logging_enabled())
class IdentityServiceContext(CharmTestCase):

56
unit_tests/test_neutron_api_hooks.py
View File

@ -87,6 +87,7 @@ TO_PATCH = [
'get_relation_ip',
'generate_ha_relation_data',
'is_nsg_logging_enabled',
'is_nfg_logging_enabled',
'remove_old_packages',
'services',
'service_restart',
@ -135,6 +136,7 @@ class NeutronAPIHooksTests(CharmTestCase):
self.test_config.set('neutron-plugin', 'ovs')
self.neutron_plugin_attribute.side_effect = _mock_nuage_npa
self.is_nsg_logging_enabled.return_value = False
self.is_nfg_logging_enabled.return_value = False
def _fake_relids(self, rel_name):
return [randrange(100) for _count in range(2)]
@ -521,6 +523,7 @@ class NeutronAPIHooksTests(CharmTestCase):
'service_host': None,
'neutron-api-ready': 'no',
'enable-nsg-logging': False,
'enable-nfg-logging': False,
}
self.is_qos_requested_and_valid.return_value = False
self.is_vlan_trunking_requested_and_valid.return_value = False
@ -563,6 +566,7 @@ class NeutronAPIHooksTests(CharmTestCase):
'service_host': None,
'neutron-api-ready': 'no',
'enable-nsg-logging': True,
'enable-nfg-logging': False,
}
self.is_qos_requested_and_valid.return_value = False
@ -583,6 +587,54 @@ class NeutronAPIHooksTests(CharmTestCase):
**_relation_data
)
def test_neutron_plugin_api_relation_joined_nfg_logging(self):
self.unit_get.return_value = '172.18.18.18'
self.IdentityServiceContext.return_value = \
DummyContext(return_value={})
_relation_data = {
'neutron-security-groups': False,
'enable-dvr': False,
'enable-l3ha': False,
'enable-qos': False,
'enable-vlan-trunking': False,
'addr': '172.18.18.18',
'polling-interval': 2,
'rpc-response-timeout': 60,
'report-interval': 30,
'l2-population': False,
'overlay-network-type': 'vxlan',
'service_protocol': None,
'auth_protocol': None,
'service_tenant': None,
'service_port': None,
'region': 'RegionOne',
'service_password': None,
'auth_port': None,
'auth_host': None,
'service_username': None,
'service_host': None,
'neutron-api-ready': 'no',
'enable-nsg-logging': False,
'enable-nfg-logging': True,
}
self.is_qos_requested_and_valid.return_value = False
self.is_vlan_trunking_requested_and_valid.return_value = False
self.get_dvr.return_value = False
self.get_l3ha.return_value = False
self.get_l2population.return_value = False
self.get_overlay_network_type.return_value = 'vxlan'
self.get_dns_domain.return_value = ''
self.test_config.set('enable-firewall-group-logging', True)
self.is_nfg_logging_enabled.return_value = True
self._call_hook('neutron-plugin-api-relation-joined')
self.relation_set.assert_called_with(
relation_id=None,
**_relation_data)
def test_neutron_plugin_api_relation_joined_dvr(self):
self.unit_get.return_value = '172.18.18.18'
self.IdentityServiceContext.return_value = \
@ -611,6 +663,7 @@ class NeutronAPIHooksTests(CharmTestCase):
'service_host': None,
'neutron-api-ready': 'no',
'enable-nsg-logging': False,
'enable-nfg-logging': False,
}
self.is_qos_requested_and_valid.return_value = False
self.is_vlan_trunking_requested_and_valid.return_value = False
@ -653,6 +706,7 @@ class NeutronAPIHooksTests(CharmTestCase):
'service_host': None,
'neutron-api-ready': 'no',
'enable-nsg-logging': False,
'enable-nfg-logging': False,
}
self.is_qos_requested_and_valid.return_value = False
self.is_vlan_trunking_requested_and_valid.return_value = False
@ -697,6 +751,7 @@ class NeutronAPIHooksTests(CharmTestCase):
'service_host': None,
'neutron-api-ready': 'no',
'enable-nsg-logging': False,
'enable-nfg-logging': False,
}
self.is_qos_requested_and_valid.return_value = False
self.is_vlan_trunking_requested_and_valid.return_value = False
@ -740,6 +795,7 @@ class NeutronAPIHooksTests(CharmTestCase):
'neutron-api-ready': 'no',
'dns-domain': 'openstack.example.',
'enable-nsg-logging': False,
'enable-nfg-logging': False,
}
self.is_qos_requested_and_valid.return_value = False
self.is_vlan_trunking_requested_and_valid.return_value = False