Make firewall management optional
Adds configuration option "manage_firewall" that allows disabling firewall management completely. Handy for testing and for future IPA integration work. Change-Id: I8db1d5528650e24336ad87976459c57c753486a7 Closes-Bug: #1400475
parent
a183da302e
commit
cb09de9500
|
@ -230,6 +230,8 @@ See `1.0.0 release tracking page`_ for details.
|
|||
configuration option to persist this database. Improves performance by
|
||||
making less calls to Ironic API.
|
||||
* Discovery now times out by default, set ``timeout`` option to alter.
|
||||
* Firewall management can be disabled completely via ``manage_firewall``
|
||||
option.
|
||||
|
||||
**Misc**
|
||||
|
||||
|
|
|
@ -18,6 +18,8 @@
|
|||
|
||||
;; Firewall management settings
|
||||
|
||||
; Whether to manage firewall rules for PXE port.
|
||||
;manage_firewall = true
|
||||
; Interface on which dnsmasq listens, the default is for VM's.
|
||||
;dnsmasq_interface = br-ctlplane
|
||||
; Amount of time in seconds, after which repeat periodic update of firewall.
|
||||
|
|
|
@ -28,7 +28,7 @@ import mock
|
|||
import requests
|
||||
|
||||
from ironic_discoverd import client
|
||||
from ironic_discoverd import firewall
|
||||
from ironic_discoverd import conf
|
||||
from ironic_discoverd import main
|
||||
from ironic_discoverd.test import base
|
||||
from ironic_discoverd import utils
|
||||
|
@ -40,6 +40,7 @@ os_auth_url = http://url
|
|||
os_username = user
|
||||
os_password = password
|
||||
os_tenant_name = tenant
|
||||
manage_firewall = false
|
||||
"""
|
||||
|
||||
ROOT = './functest/env'
|
||||
|
@ -52,6 +53,7 @@ RAMDISK = ("https://raw.githubusercontent.com/openstack/diskimage-builder/"
|
|||
class Test(base.NodeTest):
|
||||
def setUp(self):
|
||||
super(Test, self).setUp()
|
||||
conf.CONF.set('discoverd', 'manage_firewall', 'false')
|
||||
self.node.properties.clear()
|
||||
|
||||
self.cli = utils.get_client()
|
||||
|
@ -106,17 +108,15 @@ class Test(base.NodeTest):
|
|||
node_uuid=self.uuid, address='11:22:33:44:55:66')
|
||||
|
||||
|
||||
# FIXME(dtantsur): remove once firewall management is optional
|
||||
@mock.patch.object(firewall, '_iptables', lambda *_, **__: None)
|
||||
@mock.patch.object(utils, 'get_keystone')
|
||||
@mock.patch.object(utils, 'get_client')
|
||||
def run(client_mock, keystone_mock):
|
||||
d = tempfile.mkdtemp()
|
||||
try:
|
||||
conf = os.path.join(d, 'test.conf')
|
||||
with open(conf, 'wb') as fp:
|
||||
conf_file = os.path.join(d, 'test.conf')
|
||||
with open(conf_file, 'wb') as fp:
|
||||
fp.write(CONF)
|
||||
sys.argv[1:] = [conf]
|
||||
sys.argv[1:] = [conf_file]
|
||||
|
||||
eventlet.greenthread.spawn_n(main.main)
|
||||
eventlet.greenthread.sleep(1)
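Review bot: With the `_iptables` patch dropped from run(), the `manage_firewall = false` line in CONF is the only thing keeping this functional test from reaching the real firewall code on the host. If that option is ever misspelled or lands in the wrong section, the default of `true` would apply and the test would presumably start changing host firewall rules (the body of `_iptables` is not visible here). A fail-fast guard would turn that into a test failure, e.g. `@mock.patch.object(firewall, '_iptables', new=mock.Mock(side_effect=RuntimeError('iptables called in functest')))`, which means keeping the `firewall` import this change appears to remove. Separately, `conf.CONF.set('discoverd', 'manage_firewall', 'false')` in setUp changes global configuration with no visible `addCleanup` to restore it, so the value may leak into later tests.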
|
||||
|
|
|
@ -20,6 +20,7 @@ DEFAULTS = {
|
|||
'ironic_retry_attempts': '5',
|
||||
'ironic_retry_period': '5',
|
||||
# Firewall management settings
|
||||
'manage_firewall': 'true',
|
||||
'dnsmasq_interface': 'br-ctlplane',
|
||||
'firewall_update_period': '15',
|
||||
# Discovery process settings
|
||||
|
|
|
@ -48,6 +48,9 @@ def init():
|
|||
|
||||
Must be called one on start-up.
|
||||
"""
|
||||
if not conf.getboolean('discoverd', 'manage_firewall'):
|
||||
return
|
||||
|
||||
global INTERFACE
|
||||
INTERFACE = conf.get('discoverd', 'dnsmasq_interface')
|
||||
_clean_up(CHAIN)
|
||||
|
@ -77,8 +80,13 @@ def update_filters(ironic=None):
|
|||
This function is using ``eventlet`` semaphore to serialize access from
|
||||
different green threads.
|
||||
|
||||
Does nothing, if firewall management is disabled in configuration.
|
||||
|
||||
:param ironic: Ironic client instance, optional.
|
||||
"""
|
||||
if not conf.getboolean('discoverd', 'manage_firewall'):
|
||||
return
|
||||
|
||||
assert INTERFACE is not None
|
||||
ironic = utils.get_client() if ironic is None else ironic
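Review bot: In init(), the new early return sits above `_clean_up(CHAIN)`, so a deployment that previously ran with firewall management enabled and is restarted with `manage_firewall = false` appears to keep whatever rules the earlier run left in that chain, and update_filters() will never refresh them. Since these rules govern access to the PXE port, stale entries could keep blocking or keep admitting hosts without anyone noticing. At minimum the init() docstring should say so, for example `Does nothing if manage_firewall is false; rules left by an earlier run are not removed.`, matching the sentence added to update_filters(). The bodies of both functions continue outside the hunks.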
|
||||
|
||||
|
|
|
@ -135,11 +135,13 @@ def main():
|
|||
LOG.warning('Starting unauthenticated, please check configuration')
|
||||
|
||||
node_cache.init()
|
||||
firewall.init()
|
||||
check_ironic_available()
|
||||
|
||||
period = conf.getint('discoverd', 'firewall_update_period')
|
||||
eventlet.greenthread.spawn_n(periodic_update, period)
|
||||
if conf.getboolean('discoverd', 'manage_firewall'):
|
||||
firewall.init()
|
||||
period = conf.getint('discoverd', 'firewall_update_period')
|
||||
eventlet.greenthread.spawn_n(periodic_update, period)
|
||||
|
||||
if conf.getint('discoverd', 'timeout') > 0:
|
||||
period = conf.getint('discoverd', 'clean_up_period')
|
||||
eventlet.greenthread.spawn_n(periodic_clean_up, period)
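Review bot: The disabled branch in main() is silent: with `manage_firewall = false` the service starts without firewall.init() or the periodic_update thread, and nothing in the log records that this service no longer filters the PXE port. The unauthenticated start-up path just above already logs a warning, and the same pattern fits here: `else:` followed by `LOG.warning('Firewall management is disabled, PXE port filtering is left to the operator')`. The `conf.getboolean` check also duplicates the one added inside firewall.init(), so one of the two could be dropped to keep a single source of truth. main() starts and ends outside the hunk.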
|
||||
|
|