Merge "Add debug option to verify iptables rules"
This commit is contained in:
commit
730da40778
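--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -64,6 +64,12 @@ IPTABLES_OPTS = [
                        "generated iptables rules that describe each rule's "
                        "purpose. System must support the iptables comments "
                        "module for addition of comments.")),
+    cfg.BoolOpt('debug_iptables_rules', default=False,
+                help=_("Duplicate every iptables difference calculation to "
+                       "ensure the format being generated matches the format "
+                       "of iptables-save. This option should not be turned "
+                       "on for production systems because it imposes a "
+                       "performance penalty.")),
 ]
 
 
 PROCESS_MONITOR_OPTS = [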
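Review bot: The help text for `debug_iptables_rules` warns only about the performance penalty, but the change to the apply path elsewhere in this commit makes a second pass that still finds differences raise `IpTablesApplyException`, so enabling the option turns a formatting mismatch into a hard failure of rule application; an operator reading only this help would not expect that. I would append to the help string: `"If the second pass still finds differences, applying the rules fails with IpTablesApplyException."` Stating the failure mode here also makes it clearer why the option is restricted to non-production use.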
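--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -412,6 +412,9 @@ class IptablesManager(object):
         finally:
             try:
                 self.defer_apply_off()
+            except n_exc.IpTablesApplyException:
+                # already in the format we want, just reraise
+                raise
             except Exception:
                 msg = _('Failure applying iptables rules')
                 LOG.exception(msg)
@@ -436,7 +439,16 @@ class IptablesManager(object):
             lock_name += '-' + self.namespace
 
         with lockutils.lock(lock_name, utils.SYNCHRONIZED_PREFIX, True):
-            return self._apply_synchronized()
+            first = self._apply_synchronized()
+            if not cfg.CONF.AGENT.debug_iptables_rules:
+                return first
+            second = self._apply_synchronized()
+            if second:
+                msg = (_("IPTables Rules did not converge. Diff: %s") %
+                       '\n'.join(second))
+                LOG.error(msg)
+                raise n_exc.IpTablesApplyException(msg)
+            return first
 
     def get_rules_for_table(self, table):
         """Runs iptables-save on a table and returns the results."""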
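Review bot: The non-convergence error in the second hunk carries only the diff and not which namespace it belongs to, although `lock_name` (which already embeds `self.namespace` a few lines above) is in scope; on an agent serving many namespaces the logged failure cannot be tied to the affected one. I would change the message to `msg = (_("IPTables Rules did not converge for %(lock)s. Diff: %(diff)s") % {'lock': lock_name, 'diff': '\n'.join(second)})`. The second `_apply_synchronized()` call also deserves a comment stating the invariant being checked, e.g. `# Debug pass: if our generated format matches iptables-save output, a second apply must find nothing left to change.` Whether `second` is always a list of strings suitable for `'\n'.join` is not visible here, since `_apply_synchronized` is defined outside the hunk, and the enclosing method starts outside the hunk as well.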
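--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -54,6 +54,7 @@ case $VENV in
         start_new_ovs
     fi
 
+    load_conf_hook iptables_verify
     # Make the workspace owned by the stack user
     sudo chown -R $STACK_USER:$STACK_USER $BASE
     ;;
@@ -66,6 +67,9 @@ case $VENV in
     load_rc_hook qos
     load_rc_hook trunk
     load_conf_hook osprofiler
+    if [[ "$VENV" =~ "dsvm-scenario" ]]; then
+        load_conf_hook iptables_verify
+    fi
     if [[ "$VENV" =~ "pecan" ]]; then
         load_conf_hook pecan
     fi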
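--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,4 @@
+[[post-config|/etc/neutron/neutron.conf]]
+
+[AGENT]
+debug_iptables_rules=True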