Rule, member updates are missed with enhanced rpc

The procedure to update security group rules and members in firewall driver is called after update_port_filter call. Because of this, new rules and member updates are not applied on the port. With this change the call to update rules and members is moved before the port update call, giving a chance to firewall drivers to update their rule and member caches. Closes Bug: 1511782 Change-Id: I457e17c34b86f861f6e15de7c3adcb3f2b79d14e
2015-10-30 09:31:40 -07:00
parent 755013615c
commit a8e9cc848b
2 changed files with 14 additions and 13 deletions
--- a/neutron/agent/securitygroups_rpc.py
+++ b/neutron/agent/securitygroups_rpc.py
@@ -158,13 +158,13 @@ class SecurityGroupAgentRpc(object):
                self.context, list(device_ids))

        with self.firewall.defer_apply():
-            for device in devices.values():
-                self.firewall.prepare_port_filter(device)
            if self.use_enhanced_rpc:
                LOG.debug("Update security group information for ports %s",
                          devices.keys())
                self._update_security_group_info(
                    security_groups, security_group_member_ips)
+            for device in devices.values():
+                self.firewall.prepare_port_filter(device)

    def _update_security_group_info(self, security_groups,
                                    security_group_member_ips):
@@ -247,14 +247,14 @@ class SecurityGroupAgentRpc(object):
                self.context, device_ids)

        with self.firewall.defer_apply():
-            for device in devices.values():
-                LOG.debug("Update port filter for %s", device['device'])
-                self.firewall.update_port_filter(device)
            if self.use_enhanced_rpc:
                LOG.debug("Update security group information for ports %s",
                          devices.keys())
                self._update_security_group_info(
                    security_groups, security_group_member_ips)
+            for device in devices.values():
+                LOG.debug("Update port filter for %s", device['device'])
+                self.firewall.update_port_filter(device)

    def firewall_refresh_needed(self):
        return self.global_refresh_firewall or self.devices_to_refilter
--- a/neutron/tests/unit/agent/test_securitygroups_rpc.py
+++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py
@@ -1277,12 +1277,12 @@ class SecurityGroupAgentEnhancedRpcTestCase(
            'fake_sgid2', {'IPv4': [], 'IPv6': []})
        # ignore device which is not filtered
        self.firewall.assert_has_calls([mock.call.defer_apply(),
-                                        mock.call.prepare_port_filter(
-                                            self.fake_device),
                                        mock.call.update_security_group_rules(
                                            'fake_sgid2', []),
                                        tmp_mock1,
                                        tmp_mock2,
+                                        mock.call.prepare_port_filter(
+                                            self.fake_device),
                                        mock.call.defer_apply(),
                                        mock.call.remove_port_filter(
                                            self.fake_device),
@@ -1327,39 +1327,40 @@ class SecurityGroupAgentEnhancedRpcTestCase(
        self.agent.prepare_devices_filter(['fake_port_id'])
        self.agent.refresh_firewall()
        calls = [mock.call.defer_apply(),
-                 mock.call.prepare_port_filter(self.fake_device),
                 mock.call.update_security_group_rules('fake_sgid2', []),
                 mock.call.update_security_group_rules(
                     'fake_sgid1', [{'remote_group_id': 'fake_sgid2'}]),
                 mock.call.update_security_group_members(
                     'fake_sgid2', {'IPv4': [], 'IPv6': []}),
+                 mock.call.prepare_port_filter(self.fake_device),
                 mock.call.defer_apply(),
-                 mock.call.update_port_filter(self.fake_device),
                 mock.call.update_security_group_rules('fake_sgid2', []),
                 mock.call.update_security_group_rules(
                     'fake_sgid1', [{'remote_group_id': 'fake_sgid2'}]),
                 mock.call.update_security_group_members(
-                     'fake_sgid2', {'IPv4': [], 'IPv6': []})]
+                     'fake_sgid2', {'IPv4': [], 'IPv6': []}),
+                 mock.call.update_port_filter(self.fake_device)]
+
        self.firewall.assert_has_calls(calls)

    def test_refresh_firewall_devices_enhanced_rpc(self):
        self.agent.prepare_devices_filter(['fake_device'])
        self.agent.refresh_firewall([self.fake_device])
        calls = [mock.call.defer_apply(),
-                 mock.call.prepare_port_filter(self.fake_device),
                 mock.call.update_security_group_rules('fake_sgid2', []),
                 mock.call.update_security_group_rules('fake_sgid1', [
                     {'remote_group_id': 'fake_sgid2'}]),
                 mock.call.update_security_group_members('fake_sgid2', {
                     'IPv4': [], 'IPv6': []
                 }),
+                 mock.call.prepare_port_filter(self.fake_device),
                 mock.call.defer_apply(),
-                 mock.call.update_port_filter(self.fake_device),
                 mock.call.update_security_group_rules('fake_sgid2', []),
                 mock.call.update_security_group_rules('fake_sgid1', [
                     {'remote_group_id': 'fake_sgid2'}]),
                 mock.call.update_security_group_members('fake_sgid2', {
-                     'IPv4': [], 'IPv6': []})
+                     'IPv4': [], 'IPv6': []}),
+                 mock.call.update_port_filter(self.fake_device)
                 ]
        self.firewall.assert_has_calls(calls)