Make firewall management optional

Adds configuration option "manage_firewall" that allows disabling firewall management completely. Handy for testing and for future IPA integration work. Change-Id: I8db1d5528650e24336ad87976459c57c753486a7 Closes-Bug: #1400475
2014-12-19 14:14:28 +01:00 · 2014-12-19 14:14:28 +01:00 · cb09de9500
parent a183da302e
commit cb09de9500
6 changed files with 24 additions and 9 deletions
--- a/README.rst
+++ b/README.rst
@ -230,6 +230,8 @@ See `1.0.0 release tracking page`_ for details.
  configuration option to persist this database. Improves performance by
  making less calls to Ironic API.
 * Discovery now times out by default, set ``timeout`` option to alter.
+* Firewall management can be disabled completely via ``manage_firewall``
+  option.

 **Misc**

--- a/example.conf
+++ b/example.conf
@ -18,6 +18,8 @@

 ;; Firewall management settings

+; Whether to manage firewall rules for PXE port.
+;manage_firewall = true
 ; Interface on which dnsmasq listens, the default is for VM's.
 ;dnsmasq_interface = br-ctlplane
 ; Amount of time in seconds, after which repeat periodic update of firewall.
--- a/functest/run.py
+++ b/functest/run.py
@ -28,7 +28,7 @@ import mock
 import requests

 from ironic_discoverd import client
-from ironic_discoverd import firewall
+from ironic_discoverd import conf
 from ironic_discoverd import main
 from ironic_discoverd.test import base
 from ironic_discoverd import utils
@ -40,6 +40,7 @@ os_auth_url = http://url
 os_username = user
 os_password = password
 os_tenant_name = tenant
+manage_firewall = false
 """

 ROOT = './functest/env'
@ -52,6 +53,7 @@ RAMDISK = ("https://raw.githubusercontent.com/openstack/diskimage-builder/"
 class Test(base.NodeTest):
    def setUp(self):
        super(Test, self).setUp()
+        conf.CONF.set('discoverd', 'manage_firewall', 'false')
        self.node.properties.clear()

        self.cli = utils.get_client()
@ -106,17 +108,15 @@ class Test(base.NodeTest):
            node_uuid=self.uuid, address='11:22:33:44:55:66')


-# FIXME(dtantsur): remove once firewall management is optional
-@mock.patch.object(firewall, '_iptables', lambda *_, **__: None)
@mock.patch.object(utils, 'get_keystone')
@mock.patch.object(utils, 'get_client')
 def run(client_mock, keystone_mock):
    d = tempfile.mkdtemp()
    try:
-        conf = os.path.join(d, 'test.conf')
-        with open(conf, 'wb') as fp:
+        conf_file = os.path.join(d, 'test.conf')
+        with open(conf_file, 'wb') as fp:
            fp.write(CONF)
-        sys.argv[1:] = [conf]
+        sys.argv[1:] = [conf_file]

        eventlet.greenthread.spawn_n(main.main)
        eventlet.greenthread.sleep(1)
--- a/ironic_discoverd/conf.py
+++ b/ironic_discoverd/conf.py
@ -20,6 +20,7 @@ DEFAULTS = {
    'ironic_retry_attempts': '5',
    'ironic_retry_period': '5',
    # Firewall management settings
+    'manage_firewall': 'true',
    'dnsmasq_interface': 'br-ctlplane',
    'firewall_update_period': '15',
    # Discovery process settings
--- a/ironic_discoverd/firewall.py
+++ b/ironic_discoverd/firewall.py
@ -48,6 +48,9 @@ def init():

    Must be called one on start-up.
    """
+    if not conf.getboolean('discoverd', 'manage_firewall'):
+        return
+
    global INTERFACE
    INTERFACE = conf.get('discoverd', 'dnsmasq_interface')
    _clean_up(CHAIN)
@ -77,8 +80,13 @@ def update_filters(ironic=None):
    This function is using ``eventlet`` semaphore to serialize access from
    different green threads.

+    Does nothing, if firewall management is disabled in configuration.
+
    :param ironic: Ironic client instance, optional.
    """
+    if not conf.getboolean('discoverd', 'manage_firewall'):
+        return
+
    assert INTERFACE is not None
    ironic = utils.get_client() if ironic is None else ironic

--- a/ironic_discoverd/main.py
+++ b/ironic_discoverd/main.py
@ -135,11 +135,13 @@ def main():
        LOG.warning('Starting unauthenticated, please check configuration')

    node_cache.init()
-    firewall.init()
    check_ironic_available()

-    period = conf.getint('discoverd', 'firewall_update_period')
-    eventlet.greenthread.spawn_n(periodic_update, period)
+    if conf.getboolean('discoverd', 'manage_firewall'):
+        firewall.init()
+        period = conf.getint('discoverd', 'firewall_update_period')
+        eventlet.greenthread.spawn_n(periodic_update, period)
+
    if conf.getint('discoverd', 'timeout') > 0:
        period = conf.getint('discoverd', 'clean_up_period')
        eventlet.greenthread.spawn_n(periodic_clean_up, period)