From 56d265181de911ad04c4fd970fd0b8b3f00fad7e Mon Sep 17 00:00:00 2001 From: Anton Studenov Date: Mon, 27 Jun 2016 14:32:17 +0300 Subject: [PATCH] Disable creation of nwfilters by default - Add environment variable ENABLE_LIBVIRT_NWFILTERS, default=False. It will enable creation of nwfilters for network and interfaces. Change-Id: I9d7596927933b0bc3597633d86093c3d1e417314 Closes-Bug: #1578280 --- devops/driver/libvirt/libvirt_driver.py | 43 +++++++++++++++++++++---- devops/helpers/templates.py | 5 ++- devops/models/environment.py | 1 + devops/settings.py | 3 ++ devops/shell.py | 1 + devops/tests/test_generated_template.py | 4 +++ 6 files changed, 49 insertions(+), 8 deletions(-) diff --git a/devops/driver/libvirt/libvirt_driver.py b/devops/driver/libvirt/libvirt_driver.py index 149dbf97..23168c51 100644 --- a/devops/driver/libvirt/libvirt_driver.py +++ b/devops/driver/libvirt/libvirt_driver.py @@ -202,6 +202,7 @@ class LibvirtDriver(Driver): hpet = ParamField(default=True) use_host_cpu = ParamField(default=True) enable_acpi = ParamField(default=False) + enable_nwfilters = ParamField(default=False) reboot_timeout = ParamField() use_hugepages = ParamField(default=False) vnc_password = ParamField() @@ -444,9 +445,10 @@ class LibvirtL2NetworkDevice(L2NetworkDevice): @retry() def define(self): # define filter first - filter_xml = LibvirtXMLBuilder.build_network_filter( - name=self.network_name) - self.driver.conn.nwfilterDefineXML(filter_xml) + if self.driver.enable_nwfilters: + filter_xml = LibvirtXMLBuilder.build_network_filter( + name=self.network_name) + self.driver.conn.nwfilterDefineXML(filter_xml) if self.forward.mode == 'bridge': bridge_name = self.parent_iface.phys_dev 
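Review bot: The `# define filter first` comment in `LibvirtL2NetworkDevice.define` (hunk @@ -444) now sits above a conditional and no longer says that the filter is optional; reword it to something like `# define the nwfilter first, only when enable_nwfilters is set; block()/unblock() need it`. The same gate is added to `LibvirtInterface.define` in the @@ -1461 hunk, which is consistent because the interface filter points at the network filter through `filterref`. The teardown code and the node's domain XML are not part of this patch, so it is worth confirming that removal tolerates a missing filter and that no interface definition still names a filter that was never created. Environments defined with filters before this change should also still get those filters cleaned up. `define` continues past the end of the hunk.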
@@ -627,11 +629,19 @@ class LibvirtL2NetworkDevice(L2NetworkDevice): @property def is_blocked(self): """Returns state of network""" + if not self._nwfilter: + return False + filter_xml = ET.fromstring(self._nwfilter.XMLDesc()) return filter_xml.find('./rule') is not None def block(self): """Block all traffic in network""" + if not self._nwfilter: + raise DevopsError( + 'Unable to block network {0}: nwfilter not found!' + ''.format(self.network_name)) + filter_xml = LibvirtXMLBuilder.build_network_filter( name=self.network_name, uuid=self._nwfilter.UUIDString(), @@ -642,6 +652,11 @@ class LibvirtL2NetworkDevice(L2NetworkDevice): def unblock(self): """Unblock all traffic in network""" + if not self._nwfilter: + raise DevopsError( + 'Unable to unblock network {0}: nwfilter not found!' + ''.format(self.network_name)) + filter_xml = LibvirtXMLBuilder.build_network_filter( name=self.network_name, uuid=self._nwfilter.UUIDString()) @@ -1461,10 +1476,11 @@ class LibvirtNode(Node): class LibvirtInterface(Interface): def define(self): - filter_xml = LibvirtXMLBuilder.build_interface_filter( - name=self.nwfilter_name, - filterref=self.l2_network_device.network_name) - self.driver.conn.nwfilterDefineXML(filter_xml) + if self.driver.enable_nwfilters: + filter_xml = LibvirtXMLBuilder.build_interface_filter( + name=self.nwfilter_name, + filterref=self.l2_network_device.network_name) + self.driver.conn.nwfilterDefineXML(filter_xml) super(LibvirtInterface, self).define() 
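Review bot: The `DevopsError` added to `LibvirtL2NetworkDevice.block()` (hunk @@ -627) says only `nwfilter not found!`, so a test that relies on isolating a network fails without any hint that filters are now off unless `enable_nwfilters` / `ENABLE_LIBVIRT_NWFILTERS` is set. Raising instead of silently skipping the block is the right behaviour; the message could end with `nwfilter not found (is enable_nwfilters set for this driver?)`. `is_blocked` now returns `False` when there is no filter, which callers cannot tell apart from "filter present, no rules", so its docstring should say so, e.g. `Returns False when no nwfilter is defined for the network`. The same applies to `unblock()` in the @@ -642 hunk and to the `LibvirtInterface` methods in the @@ -1491 and @@ -1508 hunks. The guards assume `_nwfilter`, which is defined outside this patch, returns a falsy value rather than raising when the filter does not exist.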
@@ -1491,11 +1507,19 @@ class LibvirtInterface(Interface): @property def is_blocked(self): """Show state of interface""" + if not self._nwfilter: + return False + filter_xml = ET.fromstring(self._nwfilter.XMLDesc()) return filter_xml.find('./rule') is not None def block(self): """Block traffic on interface""" + if not self._nwfilter: + raise DevopsError( + "Unable to block interface {} on node {}: nwfilter not" + " found!".format(self.label, self.node.name)) + filter_xml = LibvirtXMLBuilder.build_interface_filter( name=self.nwfilter_name, filterref=self.l2_network_device.network_name, @@ -1508,6 +1532,11 @@ class LibvirtInterface(Interface): def unblock(self): """Unblock traffic on interface""" + if not self._nwfilter: + raise DevopsError( + "Unable to unblock interface {} on node {}: nwfilter not" + " found!".format(self.label, self.node.name)) + filter_xml = LibvirtXMLBuilder.build_interface_filter( name=self.nwfilter_name, filterref=self.l2_network_device.network_name, diff --git a/devops/helpers/templates.py b/devops/helpers/templates.py index ef02aacb..4bc7572c 100644 --- a/devops/helpers/templates.py +++ b/devops/helpers/templates.py @@ -446,7 +446,9 @@ def create_devops_config(boot_from, networks_pools, networks_forwarding, networks_dhcp, - driver_enable_acpi): + driver_enable_acpi, + driver_enable_nwfilers, + ): """Creates devops config object This method is used for backward compatibility with old-style @@ -541,6 +543,7 @@ def create_devops_config(boot_from, 'hpet': False, 'use_host_cpu': True, 'enable_acpi': driver_enable_acpi, + 'enable_nwfilters': driver_enable_nwfilers, }, }, 'name': 'default', diff --git a/devops/models/environment.py b/devops/models/environment.py index eae522f4..22464287 100644 --- a/devops/models/environment.py +++ b/devops/models/environment.py 
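Review bot: The messages added to `LibvirtInterface.block()` (hunk @@ -1491) and `unblock()` (hunk @@ -1508) use auto-numbered `{}` fields and double quotes, while the network-device messages added earlier in the same file use `{0}` and single quotes. Pick one form for the file, for example `'Unable to block interface {0} on node {1}: nwfilter not found!'.format(self.label, self.node.name)`.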
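Review bot: The new `create_devops_config` parameter (hunk @@ -446 in `templates.py`) is spelled `driver_enable_nwfilers`, missing a `t`, and has no default, so it becomes a required, misspelled keyword on a function whose docstring says it exists for backward compatibility. Any caller outside this patch that still uses the old signature will fail with a `TypeError`. Declaring it as `driver_enable_nwfilters=False` keeps old callers working and matches the driver's `enable_nwfilters` default. The mapping in the @@ -541 hunk and the keyword at the call sites in `environment.py`, `shell.py` and `test_generated_template.py` would have to change with it. The signature starts above the hunk, and the part of the docstring shown does not mention the new argument.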
@@ -287,6 +287,7 @@ class Environment(BaseModel): networks_forwarding=settings.FORWARDING, networks_dhcp=settings.DHCP, driver_enable_acpi=settings.DRIVER_PARAMETERS['enable_acpi'], + driver_enable_nwfilers=settings.ENABLE_LIBVIRT_NWFILTERS, ) environment = cls.create_environment(config) diff --git a/devops/settings.py b/devops/settings.py index 009134a0..face86d1 100644 --- a/devops/settings.py +++ b/devops/settings.py @@ -289,3 +289,6 @@ SNAPSHOTS_EXTERNAL_DIR = os.environ.get("SNAPSHOTS_EXTERNAL_DIR", os.path.expanduser("~/.devops/snap")) CLOUD_IMAGE_DIR = os.environ.get( 'CLOUD_IMAGE_DIR', os.path.expanduser('~/.devops/cloud_image_settings')) + +# Enable creating nwfilters for libvirt networks and interfaces +ENABLE_LIBVIRT_NWFILTERS = get_var_as_bool('ENABLE_LIBVIRT_NWFILTERS', False) diff --git a/devops/shell.py b/devops/shell.py index a55b66d2..019a7363 100644 --- a/devops/shell.py +++ b/devops/shell.py @@ -211,6 +211,7 @@ class Shell(object): networks_forwarding=settings.FORWARDING, networks_dhcp=settings.DHCP, driver_enable_acpi=settings.DRIVER_PARAMETERS['enable_acpi'], + driver_enable_nwfilers=settings.ENABLE_LIBVIRT_NWFILTERS, ) self._create_env_from_config(config) diff --git a/devops/tests/test_generated_template.py b/devops/tests/test_generated_template.py index 38ad6d83..08323872 100644 --- a/devops/tests/test_generated_template.py +++ b/devops/tests/test_generated_template.py @@ -52,6 +52,7 @@ class TestDefaultTemplate(TestCase): networks_forwarding=settings.FORWARDING, networks_dhcp=settings.DHCP, driver_enable_acpi=settings.DRIVER_PARAMETERS['enable_acpi'], + driver_enable_nwfilers=settings.ENABLE_LIBVIRT_NWFILTERS, ) r = yaml.dump(config, indent=2, default_flow_style=False) assert r == """template: @@ -117,6 +118,7 @@ class TestDefaultTemplate(TestCase): params: connection_string: qemu:///system enable_acpi: false + enable_nwfilters: false hpet: false storage_pool_name: default stp: true 
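Review bot: The comment on `ENABLE_LIBVIRT_NWFILTERS` in `settings.py` (hunk @@ -289) does not tell an operator what is lost when the flag stays at its default. Something like `# Create libvirt nwfilters for networks and interfaces (default template only).` followed by `# When disabled (default), block()/unblock() raise DevopsError: no traffic filtering.` would state the trade-off where the switch is set. Unlike `enable_acpi`, which the callers in this patch read from `settings.DRIVER_PARAMETERS`, this flag is a separate top-level setting; if that is intentional, a word on why would help.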
@@ -285,6 +287,7 @@ class TestDefaultTemplate(TestCase): networks_forwarding=settings.FORWARDING, networks_dhcp=settings.DHCP, driver_enable_acpi=True, + driver_enable_nwfilers=True, ) r = yaml.dump(config, indent=2, default_flow_style=False) assert r == """template: @@ -350,6 +353,7 @@ class TestDefaultTemplate(TestCase): params: connection_string: qemu:///system enable_acpi: true + enable_nwfilters: true hpet: false storage_pool_name: default stp: true