Add support for FWaaS v2 logging
Enable support for configuration of FWaaS v2 firewall group logging. The feature can be enabled or disabled via the enable-firewall-group-logging flag. This feature is currently only enabled for FWaaS v2 at Stein for the charms (but is supported back to Queens in Neutron). Change-Id: I4c440e233ee16d4e756c575d8db70918ff062f3e Partial-Bug: 1831972
parent
a82b210c47
commit
27b4fb1538
@ -22,6 +22,14 @@ options:
|
||||
such as thresholds and a destination log file are available in the neutron-openvswitch charm.
|
||||
Also, an neutron-openvswitch charm config option "firewall-driver" should be explicitly
|
||||
set to "openvswitch", since security group logging works only with OVS firewall driver now.
|
||||
enable-firewall-group-logging:
|
||||
type: boolean
|
||||
default: False
|
||||
description: |
|
||||
Setting this to True will enable logging for FWaaSv2. (Available from Stein)
|
||||
WARNING: Enabling this may affect your disk I/O performance since this
|
||||
may log ALL traffic being passed via gateway. Logging configuration
|
||||
such as thresholds and a destination log file are available in the neutron-gateway charm.
|
||||
openstack-origin:
|
||||
type: string
|
||||
default: distro
|
||||
|
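Review bot: The description of `enable-firewall-group-logging` says "(Available from Stein)" but does not say what happens when the option is set to True on an earlier release. The `is_nfg_logging_enabled()` helper added in this commit returns False in that case and only writes an error to the unit log, so an operator who enables the option for audit purposes may end up with no firewall logs. I would add a sentence such as `On releases earlier than Stein this option is ignored and an error is logged.` Since the warning already says ALL gateway traffic may be logged, it could also remind the reader to set the thresholds and to plan rotation and file permissions for the destination log on the neutron-gateway side.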
@ -245,6 +245,22 @@ def is_nsg_logging_enabled():
|
||||
return False
|
||||
|
||||
|
||||
def is_nfg_logging_enabled():
|
||||
"""
|
||||
Check if Neutron firewall groups logging should be enabled.
|
||||
"""
|
||||
if config('enable-firewall-group-logging'):
|
||||
|
||||
if CompareOpenStackReleases(os_release('neutron-server')) < 'stein':
|
||||
log("The logging option is only supported on Stein or later",
|
||||
ERROR)
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
return False
|
||||
|
||||
|
||||
def is_vlan_trunking_requested_and_valid():
|
||||
"""Check whether VLAN trunking should be enabled by checking whether
|
||||
it has been requested and, if it has, is it supported in the current
|
||||
@ -585,7 +601,7 @@ class NeutronCCContext(context.NeutronContext):
|
||||
ctxt['service_plugins'] = service_plugins.get(
|
||||
release, service_plugins['stein'])
|
||||
|
||||
if is_nsg_logging_enabled():
|
||||
if is_nsg_logging_enabled() or is_nfg_logging_enabled():
|
||||
ctxt['service_plugins'].append('log')
|
||||
|
||||
if is_qos_requested_and_valid():
|
||||
|
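Review bot: In `is_nfg_logging_enabled()` the pre-Stein branch turns an explicit `enable-firewall-group-logging=True` into False with a message that names neither the option nor the feature, so the unit log does not show which logging request was refused. Suggest `log("enable-firewall-group-logging is set but firewall group logging requires Stein or later; leaving it disabled", ERROR)`. The docstring could also state the contract: it returns True only when the option is set and the neutron-server release is Stein or later. In the second hunk, `'log'` is appended to `ctxt['service_plugins']` without any visible check that FWaaS v2 itself is configured; whether that matters depends on code outside these hunks.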
@ -96,6 +96,7 @@ from neutron_api_context import (
|
||||
IdentityServiceContext,
|
||||
is_qos_requested_and_valid,
|
||||
is_vlan_trunking_requested_and_valid,
|
||||
is_nfg_logging_enabled,
|
||||
is_nsg_logging_enabled,
|
||||
EtcdContext,
|
||||
)
|
||||
@ -488,6 +489,7 @@ def neutron_plugin_api_relation_joined(rid=None):
|
||||
'enable-qos': is_qos_requested_and_valid(),
|
||||
'enable-vlan-trunking': is_vlan_trunking_requested_and_valid(),
|
||||
'enable-nsg-logging': is_nsg_logging_enabled(),
|
||||
'enable-nfg-logging': is_nfg_logging_enabled(),
|
||||
'overlay-network-type': get_overlay_network_type(),
|
||||
'addr': unit_get('private-address'),
|
||||
'polling-interval': config('polling-interval'),
|
||||
|
@ -250,6 +250,17 @@ class GeneralTests(CharmTestCase):
|
||||
self.assertEqual(context.get_ml2_mechanism_drivers(),
|
||||
'openvswitch,hyperv,sriovnicswitch')
|
||||
|
||||
def test_is_nfg_logging_enabled(self):
|
||||
self.os_release.return_value = 'stein'
|
||||
self.test_config.set('enable-firewall-group-logging', True)
|
||||
self.assertTrue(context.is_nfg_logging_enabled())
|
||||
self.os_release.return_value = 'stein'
|
||||
self.test_config.set('enable-firewall-group-logging', False)
|
||||
self.assertFalse(context.is_nfg_logging_enabled())
|
||||
self.os_release.return_value = 'queens'
|
||||
self.test_config.set('enable-firewall-group-logging', True)
|
||||
self.assertFalse(context.is_nfg_logging_enabled())
|
||||
|
||||
|
||||
class IdentityServiceContext(CharmTestCase):
|
||||
|
||||
|
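Review bot: `test_is_nfg_logging_enabled` exercises the release gate only with 'queens', which is two releases before the boundary, so a comparison that wrongly admitted 'rocky' would still pass. Add a boundary case with the option set to True: `self.os_release.return_value = 'rocky'` followed by `self.assertFalse(context.is_nfg_logging_enabled())`. The second `self.os_release.return_value = 'stein'` repeats the value already set and can be dropped. Splitting the three scenarios into separate test methods would make a failure point at the exact case; the enclosing GeneralTests class starts outside the hunk.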
@ -87,6 +87,7 @@ TO_PATCH = [
|
||||
'get_relation_ip',
|
||||
'generate_ha_relation_data',
|
||||
'is_nsg_logging_enabled',
|
||||
'is_nfg_logging_enabled',
|
||||
'remove_old_packages',
|
||||
'services',
|
||||
'service_restart',
|
||||
@ -135,6 +136,7 @@ class NeutronAPIHooksTests(CharmTestCase):
|
||||
self.test_config.set('neutron-plugin', 'ovs')
|
||||
self.neutron_plugin_attribute.side_effect = _mock_nuage_npa
|
||||
self.is_nsg_logging_enabled.return_value = False
|
||||
self.is_nfg_logging_enabled.return_value = False
|
||||
|
||||
def _fake_relids(self, rel_name):
|
||||
return [randrange(100) for _count in range(2)]
|
||||
@ -521,6 +523,7 @@ class NeutronAPIHooksTests(CharmTestCase):
|
||||
'service_host': None,
|
||||
'neutron-api-ready': 'no',
|
||||
'enable-nsg-logging': False,
|
||||
'enable-nfg-logging': False,
|
||||
}
|
||||
self.is_qos_requested_and_valid.return_value = False
|
||||
self.is_vlan_trunking_requested_and_valid.return_value = False
|
||||
@ -563,6 +566,7 @@ class NeutronAPIHooksTests(CharmTestCase):
|
||||
'service_host': None,
|
||||
'neutron-api-ready': 'no',
|
||||
'enable-nsg-logging': True,
|
||||
'enable-nfg-logging': False,
|
||||
}
|
||||
|
||||
self.is_qos_requested_and_valid.return_value = False
|
||||
@ -583,6 +587,54 @@ class NeutronAPIHooksTests(CharmTestCase):
|
||||
**_relation_data
|
||||
)
|
||||
|
||||
def test_neutron_plugin_api_relation_joined_nfg_logging(self):
|
||||
self.unit_get.return_value = '172.18.18.18'
|
||||
self.IdentityServiceContext.return_value = \
|
||||
DummyContext(return_value={})
|
||||
_relation_data = {
|
||||
'neutron-security-groups': False,
|
||||
'enable-dvr': False,
|
||||
'enable-l3ha': False,
|
||||
'enable-qos': False,
|
||||
'enable-vlan-trunking': False,
|
||||
'addr': '172.18.18.18',
|
||||
'polling-interval': 2,
|
||||
'rpc-response-timeout': 60,
|
||||
'report-interval': 30,
|
||||
'l2-population': False,
|
||||
'overlay-network-type': 'vxlan',
|
||||
'service_protocol': None,
|
||||
'auth_protocol': None,
|
||||
'service_tenant': None,
|
||||
'service_port': None,
|
||||
'region': 'RegionOne',
|
||||
'service_password': None,
|
||||
'auth_port': None,
|
||||
'auth_host': None,
|
||||
'service_username': None,
|
||||
'service_host': None,
|
||||
'neutron-api-ready': 'no',
|
||||
'enable-nsg-logging': False,
|
||||
'enable-nfg-logging': True,
|
||||
}
|
||||
|
||||
self.is_qos_requested_and_valid.return_value = False
|
||||
self.is_vlan_trunking_requested_and_valid.return_value = False
|
||||
self.get_dvr.return_value = False
|
||||
self.get_l3ha.return_value = False
|
||||
self.get_l2population.return_value = False
|
||||
self.get_overlay_network_type.return_value = 'vxlan'
|
||||
self.get_dns_domain.return_value = ''
|
||||
|
||||
self.test_config.set('enable-firewall-group-logging', True)
|
||||
self.is_nfg_logging_enabled.return_value = True
|
||||
|
||||
self._call_hook('neutron-plugin-api-relation-joined')
|
||||
|
||||
self.relation_set.assert_called_with(
|
||||
relation_id=None,
|
||||
**_relation_data)
|
||||
|
||||
def test_neutron_plugin_api_relation_joined_dvr(self):
|
||||
self.unit_get.return_value = '172.18.18.18'
|
||||
self.IdentityServiceContext.return_value = \
|
||||
@ -611,6 +663,7 @@ class NeutronAPIHooksTests(CharmTestCase):
|
||||
'service_host': None,
|
||||
'neutron-api-ready': 'no',
|
||||
'enable-nsg-logging': False,
|
||||
'enable-nfg-logging': False,
|
||||
}
|
||||
self.is_qos_requested_and_valid.return_value = False
|
||||
self.is_vlan_trunking_requested_and_valid.return_value = False
|
||||
@ -653,6 +706,7 @@ class NeutronAPIHooksTests(CharmTestCase):
|
||||
'service_host': None,
|
||||
'neutron-api-ready': 'no',
|
||||
'enable-nsg-logging': False,
|
||||
'enable-nfg-logging': False,
|
||||
}
|
||||
self.is_qos_requested_and_valid.return_value = False
|
||||
self.is_vlan_trunking_requested_and_valid.return_value = False
|
||||
@ -697,6 +751,7 @@ class NeutronAPIHooksTests(CharmTestCase):
|
||||
'service_host': None,
|
||||
'neutron-api-ready': 'no',
|
||||
'enable-nsg-logging': False,
|
||||
'enable-nfg-logging': False,
|
||||
}
|
||||
self.is_qos_requested_and_valid.return_value = False
|
||||
self.is_vlan_trunking_requested_and_valid.return_value = False
|
||||
@ -740,6 +795,7 @@ class NeutronAPIHooksTests(CharmTestCase):
|
||||
'neutron-api-ready': 'no',
|
||||
'dns-domain': 'openstack.example.',
|
||||
'enable-nsg-logging': False,
|
||||
'enable-nfg-logging': False,
|
||||
}
|
||||
self.is_qos_requested_and_valid.return_value = False
|
||||
self.is_vlan_trunking_requested_and_valid.return_value = False
|
||||
|
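Review bot: In `test_neutron_plugin_api_relation_joined_nfg_logging` (the hunk at -583) the call `self.test_config.set('enable-firewall-group-logging', True)` appears to have no effect, because `is_nfg_logging_enabled` is listed in `TO_PATCH` and its return value is set on the following line. Either drop the config line or mark it with a comment such as `# is_nfg_logging_enabled is patched; the config value is not read here`, so a reader does not assume the real release check is being exercised. The test also copies the full `_relation_data` dict that the neighbouring tests already spell out. A shared base dict updated with `'enable-nfg-logging': True` would avoid having to touch six other hunks in this file each time a relation key is added.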