Disable creation of nwfilters by default

- Add environment variable ENABLE_LIBVIRT_NWFILTERS, default=False. It will enable creation of nwfilters for network and interfaces. Change-Id: I9d7596927933b0bc3597633d86093c3d1e417314 Closes-Bug: #1578280
2016-06-27 14:32:17 +03:00
parent bd036d66f0
commit 56d265181d
6 changed files with 49 additions and 8 deletions
--- a/devops/driver/libvirt/libvirt_driver.py
+++ b/devops/driver/libvirt/libvirt_driver.py
@@ -202,6 +202,7 @@ class LibvirtDriver(Driver):
    hpet = ParamField(default=True)
    use_host_cpu = ParamField(default=True)
    enable_acpi = ParamField(default=False)
+    enable_nwfilters = ParamField(default=False)
    reboot_timeout = ParamField()
    use_hugepages = ParamField(default=False)
    vnc_password = ParamField()
@@ -444,9 +445,10 @@ class LibvirtL2NetworkDevice(L2NetworkDevice):
    @retry()
    def define(self):
        # define filter first
-        filter_xml = LibvirtXMLBuilder.build_network_filter(
-            name=self.network_name)
-        self.driver.conn.nwfilterDefineXML(filter_xml)
+        if self.driver.enable_nwfilters:
+            filter_xml = LibvirtXMLBuilder.build_network_filter(
+                name=self.network_name)
+            self.driver.conn.nwfilterDefineXML(filter_xml)

        if self.forward.mode == 'bridge':
            bridge_name = self.parent_iface.phys_dev
@@ -627,11 +629,19 @@ class LibvirtL2NetworkDevice(L2NetworkDevice):
    @property
    def is_blocked(self):
        """Returns state of network"""
+        if not self._nwfilter:
+            return False
+
        filter_xml = ET.fromstring(self._nwfilter.XMLDesc())
        return filter_xml.find('./rule') is not None

    def block(self):
        """Block all traffic in network"""
+        if not self._nwfilter:
+            raise DevopsError(
+                'Unable to block network {0}: nwfilter not found!'
+                ''.format(self.network_name))
+
        filter_xml = LibvirtXMLBuilder.build_network_filter(
            name=self.network_name,
            uuid=self._nwfilter.UUIDString(),
@@ -642,6 +652,11 @@ class LibvirtL2NetworkDevice(L2NetworkDevice):

    def unblock(self):
        """Unblock all traffic in network"""
+        if not self._nwfilter:
+            raise DevopsError(
+                'Unable to unblock network {0}: nwfilter not found!'
+                ''.format(self.network_name))
+
        filter_xml = LibvirtXMLBuilder.build_network_filter(
            name=self.network_name,
            uuid=self._nwfilter.UUIDString())
@@ -1461,10 +1476,11 @@ class LibvirtNode(Node):
 class LibvirtInterface(Interface):

    def define(self):
-        filter_xml = LibvirtXMLBuilder.build_interface_filter(
-            name=self.nwfilter_name,
-            filterref=self.l2_network_device.network_name)
-        self.driver.conn.nwfilterDefineXML(filter_xml)
+        if self.driver.enable_nwfilters:
+            filter_xml = LibvirtXMLBuilder.build_interface_filter(
+                name=self.nwfilter_name,
+                filterref=self.l2_network_device.network_name)
+            self.driver.conn.nwfilterDefineXML(filter_xml)

        super(LibvirtInterface, self).define()

@@ -1491,11 +1507,19 @@ class LibvirtInterface(Interface):
    @property
    def is_blocked(self):
        """Show state of interface"""
+        if not self._nwfilter:
+            return False
+
        filter_xml = ET.fromstring(self._nwfilter.XMLDesc())
        return filter_xml.find('./rule') is not None

    def block(self):
        """Block traffic on interface"""
+        if not self._nwfilter:
+            raise DevopsError(
+                "Unable to block interface {} on node {}: nwfilter not"
+                " found!".format(self.label, self.node.name))
+
        filter_xml = LibvirtXMLBuilder.build_interface_filter(
            name=self.nwfilter_name,
            filterref=self.l2_network_device.network_name,
@@ -1508,6 +1532,11 @@ class LibvirtInterface(Interface):

    def unblock(self):
        """Unblock traffic on interface"""
+        if not self._nwfilter:
+            raise DevopsError(
+                "Unable to unblock interface {} on node {}: nwfilter not"
+                " found!".format(self.label, self.node.name))
+
        filter_xml = LibvirtXMLBuilder.build_interface_filter(
            name=self.nwfilter_name,
            filterref=self.l2_network_device.network_name,
--- a/devops/helpers/templates.py
+++ b/devops/helpers/templates.py
@@ -446,7 +446,9 @@ def create_devops_config(boot_from,
                         networks_pools,
                         networks_forwarding,
                         networks_dhcp,
-                         driver_enable_acpi):
+                         driver_enable_acpi,
+                         driver_enable_nwfilers,
+                         ):
    """Creates devops config object

    This method is used for backward compatibility with old-style
@@ -541,6 +543,7 @@ def create_devops_config(boot_from,
                                'hpet': False,
                                'use_host_cpu': True,
                                'enable_acpi': driver_enable_acpi,
+                                'enable_nwfilters': driver_enable_nwfilers,
                            },
                        },
                        'name': 'default',
--- a/devops/models/environment.py
+++ b/devops/models/environment.py
@@ -287,6 +287,7 @@ class Environment(BaseModel):
                networks_forwarding=settings.FORWARDING,
                networks_dhcp=settings.DHCP,
                driver_enable_acpi=settings.DRIVER_PARAMETERS['enable_acpi'],
+                driver_enable_nwfilers=settings.ENABLE_LIBVIRT_NWFILTERS,
            )

        environment = cls.create_environment(config)
--- a/devops/settings.py
+++ b/devops/settings.py
@@ -289,3 +289,6 @@ SNAPSHOTS_EXTERNAL_DIR = os.environ.get("SNAPSHOTS_EXTERNAL_DIR",
                                        os.path.expanduser("~/.devops/snap"))
 CLOUD_IMAGE_DIR = os.environ.get(
    'CLOUD_IMAGE_DIR', os.path.expanduser('~/.devops/cloud_image_settings'))
+
+# Enable creating nwfilters for libvirt networks and interfaces
+ENABLE_LIBVIRT_NWFILTERS = get_var_as_bool('ENABLE_LIBVIRT_NWFILTERS', False)
--- a/devops/shell.py
+++ b/devops/shell.py
@@ -211,6 +211,7 @@ class Shell(object):
            networks_forwarding=settings.FORWARDING,
            networks_dhcp=settings.DHCP,
            driver_enable_acpi=settings.DRIVER_PARAMETERS['enable_acpi'],
+            driver_enable_nwfilers=settings.ENABLE_LIBVIRT_NWFILTERS,
        )
        self._create_env_from_config(config)

--- a/devops/tests/test_generated_template.py
+++ b/devops/tests/test_generated_template.py
@@ -52,6 +52,7 @@ class TestDefaultTemplate(TestCase):
            networks_forwarding=settings.FORWARDING,
            networks_dhcp=settings.DHCP,
            driver_enable_acpi=settings.DRIVER_PARAMETERS['enable_acpi'],
+            driver_enable_nwfilers=settings.ENABLE_LIBVIRT_NWFILTERS,
        )
        r = yaml.dump(config, indent=2, default_flow_style=False)
        assert r == """template:
@@ -117,6 +118,7 @@ class TestDefaultTemplate(TestCase):
        params:
          connection_string: qemu:///system
          enable_acpi: false
+          enable_nwfilters: false
          hpet: false
          storage_pool_name: default
          stp: true
@@ -285,6 +287,7 @@ class TestDefaultTemplate(TestCase):
            networks_forwarding=settings.FORWARDING,
            networks_dhcp=settings.DHCP,
            driver_enable_acpi=True,
+            driver_enable_nwfilers=True,
        )
        r = yaml.dump(config, indent=2, default_flow_style=False)
        assert r == """template:
@@ -350,6 +353,7 @@ class TestDefaultTemplate(TestCase):
        params:
          connection_string: qemu:///system
          enable_acpi: true
+          enable_nwfilters: true
          hpet: false
          storage_pool_name: default
          stp: true