Fix security_groups_provider_updated for linuxbridge
According to [1], security_groups_provider_updated receives port ids in order to update the related security groups. However, the firewall of the L2 agent identifies ports by their 'device' attribute. This is fine for the ovs agent, because there the port id is the same as the 'device' attribute. For other agents, such as the linuxbridge agent, the 'device' attribute of a port is the device name. As a result the L2 agent cannot find the port and fails to update the port's security group; the info message at [2] can be observed. The fix is to convert the port id list to a 'device' list. [1] http://git.openstack.org/cgit/openstack/neutron/tree/neutron/db/securitygroups_rpc_base.py#n157 [2] http://git.openstack.org/cgit/openstack/neutron/tree/neutron/agent/linux/iptables_firewall.py#n177 Change-Id: Idf9bd7942ef2063cfbc5e9eeead8d49d09883ea8 Closes-Bug: #1555027
parent
cffe2cd1ac
commit
42b209a6f9
@ -205,15 +205,26 @@ class SecurityGroupAgentRpc(object):
|
||||
else:
|
||||
self.refresh_firewall(devices)
|
||||
|
||||
def security_groups_provider_updated(self, devices_to_update):
|
||||
def security_groups_provider_updated(self, port_ids_to_update):
|
||||
LOG.info(_LI("Provider rule updated"))
|
||||
if port_ids_to_update is None:
|
||||
# Update all devices
|
||||
if self.defer_refresh_firewall:
|
||||
if devices_to_update is None:
|
||||
self.global_refresh_firewall = True
|
||||
else:
|
||||
self.devices_to_refilter |= set(devices_to_update)
|
||||
self.refresh_firewall()
|
||||
else:
|
||||
self.refresh_firewall(devices_to_update)
|
||||
devices = []
|
||||
for device in self.firewall.ports.values():
|
||||
# neutron server will give port ids for update, However, L2
|
||||
# agent will use device name in firewall. Here change port id
|
||||
# to device name, so that the L2 agent can consume it
|
||||
if device['id'] in port_ids_to_update:
|
||||
devices.append(device['device'])
|
||||
if self.defer_refresh_firewall:
|
||||
self.devices_to_refilter |= set(devices)
|
||||
else:
|
||||
self.refresh_firewall(devices)
|
||||
|
||||
def remove_devices_filter(self, device_ids):
|
||||
if not device_ids:
|
||||
|
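Review bot: When no id in `port_ids_to_update` matches an entry in `self.firewall.ports` (or the list is empty), `devices` stays empty and the non-deferred branch still calls `self.refresh_firewall(devices)`. refresh_firewall is defined outside this hunk; if it treats an empty list like the argument-less call used in the `None` branch, a no-match update becomes a refresh of every port, and in either case the unmatched ids are dropped without a trace in the log. I would return early right after the loop with `if not devices:` / `LOG.debug("No local ports match provider update: %s", port_ids_to_update)` / `return`. The membership test `device['id'] in port_ids_to_update` also scans the list once per port, so building `port_ids = set(port_ids_to_update)` before the loop would keep the conversion linear on hosts with many ports.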
@ -1220,7 +1220,7 @@ class SecurityGroupAgentRpcTestCase(BaseSecurityGroupAgentRpcTestCase):
|
||||
self.agent.refresh_firewall = mock.Mock()
|
||||
self.agent.security_groups_provider_updated(None)
|
||||
self.agent.refresh_firewall.assert_has_calls(
|
||||
[mock.call.refresh_firewall(None)])
|
||||
[mock.call.refresh_firewall()])
|
||||
|
||||
def test_refresh_firewall(self):
|
||||
self.agent.prepare_devices_filter(['fake_port_id'])
|
||||
@ -1344,7 +1344,7 @@ class SecurityGroupAgentEnhancedRpcTestCase(
|
||||
self.agent.refresh_firewall = mock.Mock()
|
||||
self.agent.security_groups_provider_updated(None)
|
||||
self.agent.refresh_firewall.assert_has_calls(
|
||||
[mock.call.refresh_firewall(None)])
|
||||
[mock.call.refresh_firewall()])
|
||||
|
||||
def test_refresh_firewall_enhanced_rpc(self):
|
||||
self.agent.prepare_devices_filter(['fake_port_id'])
|
||||
@ -1489,8 +1489,15 @@ class SecurityGroupAgentRpcWithDeferredRefreshTestCase(
|
||||
self.assertTrue(self.agent.global_refresh_firewall)
|
||||
|
||||
def test_security_groups_provider_updated_devices_specified(self):
|
||||
self.agent.firewall.ports = {
|
||||
'fake_device_1': {
|
||||
'id': 'fake_port_id_1',
|
||||
'device': 'fake_device_1'},
|
||||
'fake_device_2': {
|
||||
'id': 'fake_port_id_2',
|
||||
'device': 'fake_device_2'}}
|
||||
self.agent.security_groups_provider_updated(
|
||||
['fake_device_1', 'fake_device_2'])
|
||||
['fake_port_id_1', 'fake_port_id_2'])
|
||||
self.assertFalse(self.agent.global_refresh_firewall)
|
||||
self.assertIn('fake_device_1', self.agent.devices_to_refilter)
|
||||
self.assertIn('fake_device_2', self.agent.devices_to_refilter)
|
||||
|
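Review bot: In the visible hunks the only test that passes concrete port ids, `test_security_groups_provider_updated_devices_specified`, sits in the deferred-refresh test case, so the id-to-device conversion is never asserted on the immediate-refresh path; the two `security_groups_provider_updated(None)` tests only cover the refresh-all branch. The fixture also contains only ids that exist in `firewall.ports`, so an unknown or stale port id is not exercised. I would add a non-deferred case that sets a single port in `self.agent.firewall.ports`, calls `self.agent.security_groups_provider_updated(['fake_port_id_1'])` and checks `self.agent.refresh_firewall.assert_called_once_with(['fake_device_1'])`, plus one case with an id that matches no port. Tests outside these hunks may already cover this.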