openstack/charm-neutron-openvswitch
Code Issues Proposed changes

Add config flag to disable security groups, tidy relation usage from neutron-api

Browse Source
This commit is contained in:
James Page 2014-10-10 10:55:20 +01:00
parent fe4e70f7a4
commit 962e5e9f50
5 changed files with 70 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile
View File

@ -6,7 +6,7 @@ lint:
@flake8 --exclude hooks/charmhelpers unit_tests @flake8 --exclude hooks/charmhelpers unit_tests
@charm proof @charm proof
test: unit_test:
@echo Starting tests... @echo Starting tests...
@$(PYTHON) /usr/bin/nosetests --nologcapture unit_tests @$(PYTHON) /usr/bin/nosetests --nologcapture unit_tests
@ -18,6 +18,6 @@ bin/charm_helpers_sync.py:
sync: bin/charm_helpers_sync.py sync: bin/charm_helpers_sync.py
@$(PYTHON) bin/charm_helpers_sync.py -c charm-helpers-sync.yaml @$(PYTHON) bin/charm_helpers_sync.py -c charm-helpers-sync.yaml
publish: lint test publish: lint unit_test
bzr push lp:charms/neutron-openvswitch bzr push lp:charms/neutron-openvswitch
bzr push lp:charms/trusty/neutron-openvswitch bzr push lp:charms/trusty/neutron-openvswitch

9
config.yaml
View File

@ -27,6 +27,15 @@ options:
description: | description: |
The data port will be added to br-data and will allow usage of flat or VLAN The data port will be added to br-data and will allow usage of flat or VLAN
network types network types
disable-security-groups:
type: boolean
default: false
description: |
Disable neutron based security groups - setting this configuration option
will override any settings configured via the neutron-api charm.
.
BE CAREFUL - this option allows you to disable all port level security within
an OpenStack cloud.
# Network configuration options # Network configuration options
# by default all access is over 'private-address' # by default all access is over 'private-address'
os-data-network: os-data-network:

3
hooks/neutron_ovs_context.py
View File

@ -37,6 +37,9 @@ def _neutron_api_settings():
'neutron_security_groups': rdata['neutron-security-groups'], 'neutron_security_groups': rdata['neutron-security-groups'],
'overlay_network_type': rdata['overlay-network-type'], 'overlay_network_type': rdata['overlay-network-type'],
} }
# Override with configuration if set to true
if config('disable-security-groups'):
neutron_settings['neutron_security_groups'] = False
return neutron_settings return neutron_settings
return neutron_settings return neutron_settings

2
templates/icehouse/ml2_conf.ini
View File

@ -31,7 +31,7 @@ tunnel_types = {{ overlay_network_type }}
l2_population = {{ l2_population }} l2_population = {{ l2_population }}
[securitygroup] [securitygroup]
{% if neutron_security_groups == 'True' -%} {% if neutron_security_groups -%}
enable_security_group = True enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
{% else -%} {% else -%}

57
unit_tests/test_neutron_ovs_context.py
View File

@ -88,7 +88,7 @@ class OVSPluginContextTest(CharmTestCase):
_is_clus.return_value = False _is_clus.return_value = False
self.related_units.return_value = ['unit1'] self.related_units.return_value = ['unit1']
self.relation_ids.return_value = ['rid2'] self.relation_ids.return_value = ['rid2']
self.test_relation.set({'neutron-security-groups': 'yes', self.test_relation.set({'neutron-security-groups': True,
'l2-population': True, 'l2-population': True,
'overlay-network-type': 'gre', 'overlay-network-type': 'gre',
}) })
@ -97,7 +97,60 @@ class OVSPluginContextTest(CharmTestCase):
napi_ctxt = context.OVSPluginContext() napi_ctxt = context.OVSPluginContext()
expect = { expect = {
'neutron_alchemy_flags': {}, 'neutron_alchemy_flags': {},
'neutron_security_groups': 'yes', 'neutron_security_groups': True,
'verbose': True,
'local_ip': '127.0.0.15',
'config': 'neutron.randomconfig',
'use_syslog': True,
'network_manager': 'neutron',
'debug': True,
'core_plugin': 'neutron.randomdriver',
'neutron_plugin': 'ovs',
'neutron_url': 'https://127.0.0.13:9696',
'l2_population': True,
'overlay_network_type': 'gre',
}
self.assertEquals(expect, napi_ctxt())
self.service_start.assertCalled()
@patch.object(charmhelpers.contrib.openstack.context, 'config')
@patch.object(charmhelpers.contrib.openstack.context, 'unit_get')
@patch.object(charmhelpers.contrib.openstack.context, 'is_clustered')
@patch.object(charmhelpers.contrib.openstack.context, 'https')
@patch.object(context.OVSPluginContext, '_save_flag_file')
@patch.object(context.OVSPluginContext, '_ensure_packages')
@patch.object(charmhelpers.contrib.openstack.context,
'neutron_plugin_attribute')
@patch.object(charmhelpers.contrib.openstack.context, 'unit_private_ip')
def test_neutroncc_context_api_rel_disable_security(self,
_unit_priv_ip, _npa,
_ens_pkgs, _save_ff,
_https, _is_clus,
_unit_get,
_config):
def mock_npa(plugin, section, manager):
if section == "driver":
return "neutron.randomdriver"
if section == "config":
return "neutron.randomconfig"
_npa.side_effect = mock_npa
_config.return_value = 'ovs'
_unit_get.return_value = '127.0.0.13'
_unit_priv_ip.return_value = '127.0.0.14'
_is_clus.return_value = False
self.test_config.set('disable-security-groups', True)
self.related_units.return_value = ['unit1']
self.relation_ids.return_value = ['rid2']
self.test_relation.set({'neutron-security-groups': True,
'l2-population': True,
'overlay-network-type': 'gre',
})
self.get_host_ip.return_value = '127.0.0.15'
self.service_running.return_value = False
napi_ctxt = context.OVSPluginContext()
expect = {
'neutron_alchemy_flags': {},
'neutron_security_groups': False,
'verbose': True, 'verbose': True,
'local_ip': '127.0.0.15', 'local_ip': '127.0.0.15',
'config': 'neutron.randomconfig', 'config': 'neutron.randomconfig',