XenAPI: Fix netwrap to support security group

This implementation is to give support on neutron security group with XenServer as compute driver. When using openvswitch, the ovs agent on compute node cannot execute some linux commands correctly due to xenserver driver lacking of such support. This change will add some allowed commands which can be executed in dom0. Implements: blueprint xenserver-give-support-on-neutron-security-group Change-Id: I377f8ad51e1d2725c3e0153e64322055fcce7b54
2015-11-30 08:26:23 +00:00 · 2015-11-30 08:26:23 +00:00 · b0cef88866
parent 21ca26e50a
commit b0cef88866
1 changed files with 7 additions and 1 deletions
--- a/neutron/plugins/ml2/drivers/openvswitch/agent/xenapi/etc/xapi.d/plugins/netwrap
+++ b/neutron/plugins/ml2/drivers/openvswitch/agent/xenapi/etc/xapi.d/plugins/netwrap
@ -34,6 +34,12 @@ import XenAPIPlugin

 ALLOWED_CMDS = [
    'ip',
+    'ipset',
+    'iptables-save',
+    'iptables-restore',
+    'ip6tables-save',
+    'ip6tables-restore',
+    'sysctl',
    # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
    'ovs-ofctl',
    'ovs-vsctl',
@ -56,7 +62,7 @@ def _run_command(cmd, cmd_input):
                            stderr=pipe, close_fds=True)
    (out, err) = proc.communicate(cmd_input)

-    if err:
+    if proc.returncode != 0:
        raise PluginError(err)
    return out