Rebase

2014-07-25 10:40:47 +01:00 · 2014-07-25 10:40:47 +01:00 · 83c2957bf4
commit 83c2957bf4
parent 2cce31fa2c 945d5591f7
4 changed files with 33 additions and 2 deletions
--- a/config.yaml
+++ b/config.yaml
@ -105,6 +105,14 @@ options:
          juju-myservice-0
      If you're running multiple environments with the same services in them
      this allows you to differentiate between them.
+  disable-neutron-security-groups:
+    type: boolean
+    description: |
+      Disable neutron based security groups - setting this configuration option
+      will override any settings configured via the nova-cloud-controller charm.
+      .
+      BE CAREFUL - this option allows you to disable all port level security within
+      and OpenStack cloud.
  # Network configuration options
  # by default all access is over 'private-address'
  os-data-network:
@ -115,4 +123,3 @@ options:
      .
      This network will be used for tenant network traffic in overlay
      networks.
-
--- a/hooks/nova_compute_context.py
+++ b/hooks/nova_compute_context.py
@ -348,3 +348,11 @@ class NeutronComputeContext(context.NeutronContext):
            get_address_in_network(config('os-data-network'),
                                   get_host_ip(unit_get('private-address')))
        return ovs_ctxt
+
+    def __call__(self):
+        ctxt = super(NeutronComputeContext, self).__call__()
+        # NOTE(jamespage) support override of neutron security via config
+        if config('disable-neutron-security-groups') is not None:
+            ctxt['disable_neutron_security_groups'] = \
+                config('disable-neutron-security-groups')
+        return ctxt
--- a/templates/icehouse/ml2_conf.ini
+++ b/templates/icehouse/ml2_conf.ini
@ -22,7 +22,7 @@ local_ip = {{ local_ip }}
 tunnel_types = gre

 [securitygroup]
-{% if neutron_security_groups -%}
+{% if neutron_security_groups and not disable_neutron_security_groups -%}
 enable_security_group = True
 firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
 {% else -%}
--- a/unit_tests/test_nova_compute_contexts.py
+++ b/unit_tests/test_nova_compute_contexts.py
@ -180,3 +180,19 @@ class NovaComputeContextTests(CharmTestCase):
        libvirt = context.NovaComputeLibvirtContext()
        self.assertEquals(
            {'libvirtd_opts': '-d -l', 'listen_tls': 0}, libvirt())
+
+    @patch.object(context.NeutronComputeContext, 'network_manager')
+    @patch.object(context.NeutronComputeContext, 'plugin')
+    def test_disable_security_groups_true(self, plugin, nm):
+        plugin.return_value = "ovs"
+        nm.return_value = "neutron"
+        self.test_config.set('disable-neutron-security-groups', True)
+        qplugin = context.NeutronComputeContext()
+        with patch.object(qplugin, '_ensure_packages'):
+            self.assertEquals({'disable_neutron_security_groups': True},
+                              qplugin())
+        self.test_config.set('disable-neutron-security-groups', False)
+        qplugin = context.NeutronComputeContext()
+        with patch.object(qplugin, '_ensure_packages'):
+            self.assertEquals({'disable_neutron_security_groups': False},
+                              qplugin())