Make fw driver configurable
The neutron-gateway uses the firewall driver just as other nodes do when running neutron-openvswitch-agent. It is currently hardcoded to the deprecated iptables_hybrid driver. This patch allows the driver to be changed to openvswitch, the same as with the neutron-openvswitch driver, via a firewall-driver config option that defaults to iptables_hybrid so as to maintain backwards compatibility. Change-Id: I4f5482425c91b5ad556c384abba7c27137c1948f
This commit is contained in:
parent
d29d295c32
commit
3de85d46c1
@ -327,6 +327,13 @@ options:
|
|||||||
for Neutron agents (DHCP and L3 agents). This option overrides the
|
for Neutron agents (DHCP and L3 agents). This option overrides the
|
||||||
default-availability-zone charm config setting only when the Juju
|
default-availability-zone charm config setting only when the Juju
|
||||||
provider sets JUJU_AVAILABILITY_ZONE.
|
provider sets JUJU_AVAILABILITY_ZONE.
|
||||||
|
firewall-driver:
|
||||||
|
type: string
|
||||||
|
default:
|
||||||
|
description: |
|
||||||
|
Firewall driver to use to support use of security groups with
|
||||||
|
instances; valid values include iptables_hybrid (default) and
|
||||||
|
openvswitch. This config option is ignored for < Queens.
|
||||||
firewall-group-log-output-base:
|
firewall-group-log-output-base:
|
||||||
type: string
|
type: string
|
||||||
default:
|
default:
|
||||||
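Review bot: `default:` on the new firewall-driver option is left empty while the description a few lines below says iptables_hybrid is the default, so `juju config` shows no value and an operator auditing which firewall enforces security groups cannot read the effective choice from the charm config; setting `default: iptables_hybrid` makes it visible, and the `or IPTABLES_HYBRID` fallback in the context code keeps working unchanged. The description should also say what happens on an unrecognised value, because the context code silently falls back rather than rejecting it, e.g. `Unrecognised values fall back to iptables_hybrid.` The statement that the option is ignored for < Queens is not enforced in any of the visible hunks; if it rests on release-specific template directories, the description is only accurate as long as those templates keep the previous hard-coded driver.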
|
@ -49,10 +49,28 @@ CORE_PLUGIN = {
|
|||||||
OVS_ODL: NEUTRON_OVS_ODL_PLUGIN,
|
OVS_ODL: NEUTRON_OVS_ODL_PLUGIN,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
IPTABLES_HYBRID = 'iptables_hybrid'
|
||||||
|
OPENVSWITCH = 'openvswitch'
|
||||||
|
VALID_FIREWALL_DRIVERS = (IPTABLES_HYBRID, OPENVSWITCH)
|
||||||
|
|
||||||
NFG_LOG_RATE_LIMIT_MIN = 100
|
NFG_LOG_RATE_LIMIT_MIN = 100
|
||||||
NFG_LOG_BURST_LIMIT_MIN = 25
|
NFG_LOG_BURST_LIMIT_MIN = 25
|
||||||
|
|
||||||
|
|
||||||
|
def _get_firewall_driver():
|
||||||
|
'''
|
||||||
|
Determine the firewall driver to use based on configuration,
|
||||||
|
OpenStack and Ubuntu releases.
|
||||||
|
|
||||||
|
@returns str: firewall driver to use for OpenvSwitch
|
||||||
|
'''
|
||||||
|
driver = config('firewall-driver') or IPTABLES_HYBRID
|
||||||
|
if driver not in VALID_FIREWALL_DRIVERS:
|
||||||
|
return IPTABLES_HYBRID
|
||||||
|
|
||||||
|
return driver
|
||||||
|
|
||||||
|
|
||||||
def get_availability_zone():
|
def get_availability_zone():
|
||||||
use_juju_az = config('customize-failure-domain')
|
use_juju_az = config('customize-failure-domain')
|
||||||
juju_az = os.environ.get('JUJU_AVAILABILITY_ZONE')
|
juju_az = os.environ.get('JUJU_AVAILABILITY_ZONE')
|
||||||
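Review bot: `_get_firewall_driver` silently substitutes iptables_hybrid whenever the configured value is not in VALID_FIREWALL_DRIVERS, so a typo or stray whitespace in `firewall-driver` changes which firewall enforces security groups without leaving any trace; the `if driver not in VALID_FIREWALL_DRIVERS:` branch should at least log the rejected value before returning (charmhelpers' `log` is the usual tool in these context modules, but this module's imports are outside the hunk) and ideally surface it in workload status so the operator notices. The docstring overstates the function: it says the choice is based on "configuration, OpenStack and Ubuntu releases", yet the body only reads `config('firewall-driver')`; suggest `Return the configured firewall driver, falling back to iptables_hybrid when unset or unrecognised.` Reading the value as `driver = (config('firewall-driver') or IPTABLES_HYBRID).strip()` would stop trailing whitespace from triggering the fallback. The second hunk in this file (`ctxt['firewall_driver'] = _get_firewall_driver()`) is only wiring and needs nothing further.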
@ -217,6 +235,8 @@ class NeutronGatewayContext(NeutronAPIContext):
|
|||||||
NFG_LOG_BURST_LIMIT_MIN
|
NFG_LOG_BURST_LIMIT_MIN
|
||||||
)
|
)
|
||||||
|
|
||||||
|
ctxt['firewall_driver'] = _get_firewall_driver()
|
||||||
|
|
||||||
return ctxt
|
return ctxt
|
||||||
|
|
||||||
|
|
||||||
|
@ -23,4 +23,4 @@ extensions = {{ extension_drivers }}
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
[securitygroup]
|
[securitygroup]
|
||||||
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
|
firewall_driver = {{ firewall_driver }}
|
||||||
|
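Review bot: The rendered value changes from the fully-qualified class `neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver` to the short alias carried by the `firewall_driver` context key, so this line now relies on Neutron resolving the alias through its firewall-driver entry points instead of an import path; a template comment recording that, and where the alias comes from, would save the next reader a trip to the context code, e.g. `{# firewall_driver is the driver alias (iptables_hybrid or openvswitch) selected via the charm's firewall-driver option #}`. Which release directory this template lives in is not visible here, so I cannot confirm that pre-Queens templates keep the previous hard-coded driver as the config description claims.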
@ -240,6 +240,7 @@ class TestNeutronGatewayContext(CharmTestCase):
|
|||||||
'nfg_log_rate_limit': 100,
|
'nfg_log_rate_limit': 100,
|
||||||
'ovsdb_timeout': 10,
|
'ovsdb_timeout': 10,
|
||||||
'keepalived_healthcheck_interval': 0,
|
'keepalived_healthcheck_interval': 0,
|
||||||
|
'firewall_driver': "iptables_hybrid",
|
||||||
})
|
})
|
||||||
|
|
||||||
@patch.object(neutron_contexts, 'validate_nfg_log_path', lambda x: x)
|
@patch.object(neutron_contexts, 'validate_nfg_log_path', lambda x: x)
|
||||||
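Review bot: Both test hunks (this one and the one at @ -303,6 +304,7) only pin the default `'firewall_driver': "iptables_hybrid"` in the rendered context; nothing exercises the `openvswitch` path the commit adds, nor the silent fallback on an unrecognised value, which is exactly the branch an operator typo would hit. A direct unit test of `neutron_contexts._get_firewall_driver` covering the valid, unrecognised and unset cases would close that gap; a sketch follows, using the `patch.object` style already present in this class (the surrounding test methods begin and end outside the hunk, and the mocked return values below are constructed examples).
```python
    @patch.object(neutron_contexts, 'config')
    def test_get_firewall_driver(self, mock_config):
        mock_config.return_value = 'openvswitch'
        self.assertEqual(neutron_contexts._get_firewall_driver(),
                         'openvswitch')
        mock_config.return_value = 'not-a-driver'
        self.assertEqual(neutron_contexts._get_firewall_driver(),
                         'iptables_hybrid')
        mock_config.return_value = None
        self.assertEqual(neutron_contexts._get_firewall_driver(),
                         'iptables_hybrid')
```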
@ -303,6 +304,7 @@ class TestNeutronGatewayContext(CharmTestCase):
|
|||||||
'nfg_log_rate_limit': None,
|
'nfg_log_rate_limit': None,
|
||||||
'ovsdb_timeout': 60,
|
'ovsdb_timeout': 60,
|
||||||
'keepalived_healthcheck_interval': 0,
|
'keepalived_healthcheck_interval': 0,
|
||||||
|
'firewall_driver': "iptables_hybrid",
|
||||||
})
|
})
|
||||||
|
|
||||||
@patch('os.environ.get')
|
@patch('os.environ.get')
|
||||||
|