From f87e7d964c19cc2be33226df66f0c823af993d49 Mon Sep 17 00:00:00 2001 From: Nachi Ueno Date: Thu, 16 Jan 2014 10:54:26 -0800 Subject: [PATCH] Add enable_security_group option Using noop driver to disable security group is confusing. In this commit, we introduce enable_security_group in server side. DocImpact UpgradeImpact Implements bp: security-group-config-cleanup Related-Bug: 1112912 Change-Id: Ice44a4e2a519c64e613eeb24372de46726473339 --- .../plugins/linuxbridge/linuxbridge_conf.ini | 4 + etc/neutron/plugins/ml2/ml2_conf.ini | 5 ++ etc/neutron/plugins/mlnx/mlnx_conf.ini | 5 ++ etc/neutron/plugins/nec/nec.ini | 4 + .../openvswitch/ovs_neutron_plugin.ini | 4 + etc/neutron/plugins/ryu/ryu.ini | 4 + neutron/agent/securitygroups_rpc.py | 43 ++++++++-- neutron/plugins/bigswitch/plugin.py | 2 +- .../plugins/linuxbridge/lb_neutron_plugin.py | 2 +- neutron/plugins/ml2/plugin.py | 2 +- neutron/plugins/mlnx/mlnx_plugin.py | 2 +- neutron/plugins/nec/nec_plugin.py | 2 +- neutron/plugins/oneconvergence/plugin.py | 2 +- .../plugins/openvswitch/ovs_neutron_plugin.py | 2 +- neutron/plugins/ryu/ryu_neutron_plugin.py | 2 +- .../unit/bigswitch/test_restproxy_plugin.py | 7 ++ .../unit/hyperv/test_hyperv_neutron_agent.py | 4 +- .../unit/linuxbridge/test_lb_neutron_agent.py | 3 + .../linuxbridge/test_linuxbridge_plugin.py | 6 ++ neutron/tests/unit/ml2/test_ml2_plugin.py | 5 ++ .../unit/mlnx/test_mlnx_neutron_agent.py | 3 + neutron/tests/unit/mlnx/test_mlnx_plugin.py | 9 +++ neutron/tests/unit/nec/test_nec_agent.py | 3 + neutron/tests/unit/nec/test_portbindings.py | 6 ++ .../unit/ofagent/test_ofa_neutron_agent.py | 3 + .../unit/oneconvergence/test_nvsd_agent.py | 3 + .../openvswitch/test_openvswitch_plugin.py | 7 ++ .../openvswitch/test_ovs_neutron_agent.py | 6 ++ .../tests/unit/openvswitch/test_ovs_tunnel.py | 3 + .../tests/unit/test_security_groups_rpc.py | 80 +++++++++++++++---- 30 files changed, 202 insertions(+), 31 deletions(-) 
diff --git a/etc/neutron/plugins/linuxbridge/linuxbridge_conf.ini b/etc/neutron/plugins/linuxbridge/linuxbridge_conf.ini index 7235476f51f..94fe9803649 100644 --- a/etc/neutron/plugins/linuxbridge/linuxbridge_conf.ini +++ b/etc/neutron/plugins/linuxbridge/linuxbridge_conf.ini @@ -72,3 +72,7 @@ # Firewall driver for realizing neutron security group function # firewall_driver = neutron.agent.firewall.NoopFirewallDriver # Example: firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver + +# Controls if neutron security group is enabled or not. +# It should be false when you use nova security group. +# enable_security_group = True diff --git a/etc/neutron/plugins/ml2/ml2_conf.ini b/etc/neutron/plugins/ml2/ml2_conf.ini index b8b766f0d08..3724c7263e4 100644 --- a/etc/neutron/plugins/ml2/ml2_conf.ini +++ b/etc/neutron/plugins/ml2/ml2_conf.ini @@ -55,3 +55,8 @@ # # vxlan_group = # Example: vxlan_group = 239.1.1.1 + +[security_group] +# Controls if neutron security group is enabled or not. +# It should be false when you use nova security group. +# enable_security_group = True diff --git a/etc/neutron/plugins/mlnx/mlnx_conf.ini b/etc/neutron/plugins/mlnx/mlnx_conf.ini index 275b727c130..b122511169d 100644 --- a/etc/neutron/plugins/mlnx/mlnx_conf.ini +++ b/etc/neutron/plugins/mlnx/mlnx_conf.ini @@ -72,3 +72,8 @@ # agents. # # rpc_support_old_agents = False + +[securitygroup] +# Controls if neutron security group is enabled or not. +# It should be false when you use nova security group. +# enable_security_group = True diff --git a/etc/neutron/plugins/nec/nec.ini b/etc/neutron/plugins/nec/nec.ini index 9cbdbe40987..af2d57264f1 100644 --- a/etc/neutron/plugins/nec/nec.ini +++ b/etc/neutron/plugins/nec/nec.ini 
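Review bot: The section header added to ml2_conf.ini is `[security_group]`, but this commit registers the option under the `SECURITYGROUP` group in neutron/agent/securitygroups_rpc.py, and the mlnx sample in the same commit uses `[securitygroup]`. Unless the config loader treats the two spellings as one group, an operator who uncomments `enable_security_group = False` under this header would have the setting ignored and the default of True kept, with no error. The header should read `[securitygroup]` so the ML2 sample matches the registered group and the other plugin samples.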
@@ -16,6 +16,10 @@ # Firewall driver for realizing neutron security group function firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver +# Controls if neutron security group is enabled or not. +# It should be false when you use nova security group. +# enable_security_group = True + [ofc] # Specify OpenFlow Controller Host, Port and Driver to connect. # host = 127.0.0.1 diff --git a/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini b/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini index 7c68492c518..50ec5565797 100644 --- a/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini +++ b/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini @@ -133,6 +133,10 @@ # firewall_driver = neutron.agent.firewall.NoopFirewallDriver # Example: firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver +# Controls if neutron security group is enabled or not. +# It should be false when you use nova security group. +# enable_security_group = True + #----------------------------------------------------------------------------- # Sample Configurations. #----------------------------------------------------------------------------- diff --git a/etc/neutron/plugins/ryu/ryu.ini b/etc/neutron/plugins/ryu/ryu.ini index 72abffef0dd..9d9cfa2585e 100644 --- a/etc/neutron/plugins/ryu/ryu.ini +++ b/etc/neutron/plugins/ryu/ryu.ini @@ -35,6 +35,10 @@ ovsdb_interface = eth0 # Firewall driver for realizing neutron security group function # firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver +# Controls if neutron security group is enabled or not. +# It should be false when you use nova security group. +# enable_security_group = True + [agent] # Agent's polling interval in seconds # polling_interval = 2 diff --git a/neutron/agent/securitygroups_rpc.py b/neutron/agent/securitygroups_rpc.py index 8ebf3bfe254..32392420337 100644 --- a/neutron/agent/securitygroups_rpc.py 
+++ b/neutron/agent/securitygroups_rpc.py 
@@ -28,22 +28,49 @@ SG_RPC_VERSION = "1.1" security_group_opts = [ cfg.StrOpt( 'firewall_driver', - default='neutron.agent.firewall.NoopFirewallDriver', - help=_('Driver for Security Groups Firewall')) + default=None, + help=_('Driver for security groups firewall in the L2 agent')), + cfg.BoolOpt( + 'enable_security_group', + default=True, + help=_( + 'Controls whether the neutron security group API is enabled ' + 'in the server. It should be false when using no security ' + 'groups or using the nova security group API.')) ] cfg.CONF.register_opts(security_group_opts, 'SECURITYGROUP') +#This is backward compatibility check for Havana +def _is_valid_driver_combination(): + return ((cfg.CONF.SECURITYGROUP.enable_security_group and + cfg.CONF.SECURITYGROUP.firewall_driver != + 'neutron.agent.firewall.NoopFirewallDriver') or + (not cfg.CONF.SECURITYGROUP.enable_security_group and + (cfg.CONF.SECURITYGROUP.firewall_driver == + 'neutron.agent.firewall.NoopFirewallDriver' or + cfg.CONF.SECURITYGROUP.firewall_driver == None) + )) + + def is_firewall_enabled(): - return (cfg.CONF.SECURITYGROUP.firewall_driver != - 'neutron.agent.firewall.NoopFirewallDriver') + if not _is_valid_driver_combination(): + LOG.warn("Driver configuration don't match with enable_security_group") + + return cfg.CONF.SECURITYGROUP.enable_security_group -def disable_security_group_extension_if_noop_driver( - supported_extension_aliases): +def _disable_extension(extension, aliases): + if extension in aliases: + aliases.remove(extension) + + +def disable_security_group_extension_by_config(aliases): if not is_firewall_enabled(): - LOG.debug(_('Disabled security-group extension.')) - supported_extension_aliases.remove('security-group') + LOG.info(_('Disabled security-group extension.')) + _disable_extension('security-group', aliases) + LOG.info(_('Disabled allowed-address-pairs extension.')) + _disable_extension('allowed-address-pairs', aliases) class SecurityGroupServerRpcApiMixin(object): 
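Review bot: A mismatch between `enable_security_group` and `firewall_driver` only logs a warning in `is_firewall_enabled()`, which then returns the flag unchanged. With the new default of True, a Havana-style configuration that set `firewall_driver` to the Noop driver to switch security groups off keeps the security-group extension advertised, so the API would presumably accept rules that the Noop driver never applies. The warning is not wrapped in `_()` and does not name the conflicting values; `LOG.warn(_('enable_security_group=%(sg)s does not match firewall_driver=%(drv)s'), {'sg': cfg.CONF.SECURITYGROUP.enable_security_group, 'drv': cfg.CONF.SECURITYGROUP.firewall_driver})` would tell the operator what to fix. In `_is_valid_driver_combination()` the comparison `firewall_driver == None` should be `firewall_driver is None`, and a driver of None with the flag left at True passes the check without any warning. `disable_security_group_extension_by_config()` also logs both "Disabled ..." messages even when the alias was not in the list.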
diff --git a/neutron/plugins/bigswitch/plugin.py b/neutron/plugins/bigswitch/plugin.py index 89c4f760e83..7a57fe13aa1 100644 --- a/neutron/plugins/bigswitch/plugin.py +++ b/neutron/plugins/bigswitch/plugin.py @@ -458,7 +458,7 @@ class NeutronRestProxyV2(NeutronRestProxyV2Base, def supported_extension_aliases(self): if not hasattr(self, '_aliases'): aliases = self._supported_extension_aliases[:] - sg_rpc.disable_security_group_extension_if_noop_driver(aliases) + sg_rpc.disable_security_group_extension_by_config(aliases) self._aliases = aliases return self._aliases diff --git a/neutron/plugins/linuxbridge/lb_neutron_plugin.py b/neutron/plugins/linuxbridge/lb_neutron_plugin.py index 5b332afafb2..52fbdcaddd3 100644 --- a/neutron/plugins/linuxbridge/lb_neutron_plugin.py +++ b/neutron/plugins/linuxbridge/lb_neutron_plugin.py @@ -247,7 +247,7 @@ class LinuxBridgePluginV2(db_base_plugin_v2.NeutronDbPluginV2, def supported_extension_aliases(self): if not hasattr(self, '_aliases'): aliases = self._supported_extension_aliases[:] - sg_rpc.disable_security_group_extension_if_noop_driver(aliases) + sg_rpc.disable_security_group_extension_by_config(aliases) self._aliases = aliases return self._aliases diff --git a/neutron/plugins/ml2/plugin.py b/neutron/plugins/ml2/plugin.py index 8240e09f6db..6636d779d5c 100644 --- a/neutron/plugins/ml2/plugin.py +++ b/neutron/plugins/ml2/plugin.py @@ -94,7 +94,7 @@ class Ml2Plugin(db_base_plugin_v2.NeutronDbPluginV2, def supported_extension_aliases(self): if not hasattr(self, '_aliases'): aliases = self._supported_extension_aliases[:] - sg_rpc.disable_security_group_extension_if_noop_driver(aliases) + sg_rpc.disable_security_group_extension_by_config(aliases) self._aliases = aliases return self._aliases diff --git a/neutron/plugins/mlnx/mlnx_plugin.py b/neutron/plugins/mlnx/mlnx_plugin.py index 7c04530bdc5..920038f5bc9 100644 --- a/neutron/plugins/mlnx/mlnx_plugin.py +++ b/neutron/plugins/mlnx/mlnx_plugin.py 
@@ -89,7 +89,7 @@ class MellanoxEswitchPlugin(db_base_plugin_v2.NeutronDbPluginV2, def supported_extension_aliases(self): if not hasattr(self, '_aliases'): aliases = self._supported_extension_aliases[:] - sg_rpc.disable_security_group_extension_if_noop_driver(aliases) + sg_rpc.disable_security_group_extension_by_config(aliases) self._aliases = aliases return self._aliases diff --git a/neutron/plugins/nec/nec_plugin.py b/neutron/plugins/nec/nec_plugin.py index f19781fbbe4..fa2c10c389a 100644 --- a/neutron/plugins/nec/nec_plugin.py +++ b/neutron/plugins/nec/nec_plugin.py @@ -96,7 +96,7 @@ class NECPluginV2(db_base_plugin_v2.NeutronDbPluginV2, def supported_extension_aliases(self): if not hasattr(self, '_aliases'): aliases = self._supported_extension_aliases[:] - sg_rpc.disable_security_group_extension_if_noop_driver(aliases) + sg_rpc.disable_security_group_extension_by_config(aliases) self.remove_packet_filter_extension_if_disabled(aliases) self._aliases = aliases return self._aliases diff --git a/neutron/plugins/oneconvergence/plugin.py b/neutron/plugins/oneconvergence/plugin.py index 41262e74fe0..daf85ee6d92 100644 --- a/neutron/plugins/oneconvergence/plugin.py +++ b/neutron/plugins/oneconvergence/plugin.py @@ -124,7 +124,7 @@ class OneConvergencePluginV2(db_base_plugin_v2.NeutronDbPluginV2, def supported_extension_aliases(self): if not hasattr(self, '_aliases'): aliases = self._supported_extension_aliases[:] - sg_rpc.disable_security_group_extension_if_noop_driver(aliases) + sg_rpc.disable_security_group_extension_by_config(aliases) self._aliases = aliases return self._aliases diff --git a/neutron/plugins/openvswitch/ovs_neutron_plugin.py b/neutron/plugins/openvswitch/ovs_neutron_plugin.py index ff0d3557f14..ec23da0870b 100644 --- a/neutron/plugins/openvswitch/ovs_neutron_plugin.py +++ b/neutron/plugins/openvswitch/ovs_neutron_plugin.py 
@@ -278,7 +278,7 @@ class OVSNeutronPluginV2(db_base_plugin_v2.NeutronDbPluginV2, def supported_extension_aliases(self): if not hasattr(self, '_aliases'): aliases = self._supported_extension_aliases[:] - sg_rpc.disable_security_group_extension_if_noop_driver(aliases) + sg_rpc.disable_security_group_extension_by_config(aliases) self._aliases = aliases return self._aliases diff --git a/neutron/plugins/ryu/ryu_neutron_plugin.py b/neutron/plugins/ryu/ryu_neutron_plugin.py index 5eaf2770a02..e2d0ab23545 100644 --- a/neutron/plugins/ryu/ryu_neutron_plugin.py +++ b/neutron/plugins/ryu/ryu_neutron_plugin.py @@ -104,7 +104,7 @@ class RyuNeutronPluginV2(db_base_plugin_v2.NeutronDbPluginV2, def supported_extension_aliases(self): if not hasattr(self, '_aliases'): aliases = self._supported_extension_aliases[:] - sg_rpc.disable_security_group_extension_if_noop_driver(aliases) + sg_rpc.disable_security_group_extension_by_config(aliases) self._aliases = aliases return self._aliases diff --git a/neutron/tests/unit/bigswitch/test_restproxy_plugin.py b/neutron/tests/unit/bigswitch/test_restproxy_plugin.py index 96141c5a369..061ae8960b8 100644 --- a/neutron/tests/unit/bigswitch/test_restproxy_plugin.py +++ b/neutron/tests/unit/bigswitch/test_restproxy_plugin.py @@ -37,6 +37,9 @@ class BigSwitchProxyPluginV2TestCase(test_base.BigSwitchTestBase, test_plugin.NeutronDbPluginV2TestCase): def setUp(self, plugin_name=None): + if hasattr(self, 'HAS_PORT_FILTER'): + cfg.CONF.set_override( + 'enable_security_group', self.HAS_PORT_FILTER, 'SECURITYGROUP') self.setup_config_files() self.setup_patches() if plugin_name: @@ -72,6 +75,10 @@ class TestBigSwitchProxyPortsV2(test_plugin.TestPortsV2, VIF_TYPE = portbindings.VIF_TYPE_OVS HAS_PORT_FILTER = False + def setUp(self, plugin_name=None): + super(TestBigSwitchProxyPortsV2, + self).setUp(self._plugin_name) + def test_update_port_status_build(self): with self.port() as port: self.assertEqual(port['port']['status'], 'BUILD') 
diff --git a/neutron/tests/unit/hyperv/test_hyperv_neutron_agent.py b/neutron/tests/unit/hyperv/test_hyperv_neutron_agent.py index cee443c9792..d03049879dc 100644 --- a/neutron/tests/unit/hyperv/test_hyperv_neutron_agent.py +++ b/neutron/tests/unit/hyperv/test_hyperv_neutron_agent.py @@ -53,7 +53,9 @@ class TestHyperVNeutronAgent(base.BaseTestCase): mock.patch('neutron.openstack.common.loopingcall.' 'FixedIntervalLoopingCall', new=MockFixedIntervalLoopingCall) - + cfg.CONF.set_default('firewall_driver', + 'neutron.agent.firewall.NoopFirewallDriver', + group='SECURITYGROUP') self.agent = hyperv_neutron_agent.HyperVNeutronAgent() self.agent.plugin_rpc = mock.Mock() self.agent.sec_groups_agent = mock.MagicMock() diff --git a/neutron/tests/unit/linuxbridge/test_lb_neutron_agent.py b/neutron/tests/unit/linuxbridge/test_lb_neutron_agent.py index 9ecd7154037..0e21c956196 100644 --- a/neutron/tests/unit/linuxbridge/test_lb_neutron_agent.py +++ b/neutron/tests/unit/linuxbridge/test_lb_neutron_agent.py @@ -98,6 +98,9 @@ class TestLinuxBridgeAgent(base.BaseTestCase): super(TestLinuxBridgeAgent, self).setUp() cfg.CONF.set_override('rpc_backend', 'neutron.openstack.common.rpc.impl_fake') + cfg.CONF.set_default('firewall_driver', + 'neutron.agent.firewall.NoopFirewallDriver', + group='SECURITYGROUP') self.execute_p = mock.patch.object(ip_lib.IPWrapper, '_execute') self.execute = self.execute_p.start() self.addCleanup(self.execute_p.stop) diff --git a/neutron/tests/unit/linuxbridge/test_linuxbridge_plugin.py b/neutron/tests/unit/linuxbridge/test_linuxbridge_plugin.py index 5ef072b1a55..3ff0f7592aa 100644 --- a/neutron/tests/unit/linuxbridge/test_linuxbridge_plugin.py +++ b/neutron/tests/unit/linuxbridge/test_linuxbridge_plugin.py @@ -16,6 +16,7 @@ import contextlib import mock +from oslo.config import cfg from neutron.common import constants as q_const from neutron.extensions import portbindings 
@@ -65,15 +66,20 @@ class TestLinuxBridgePortBinding(LinuxBridgePluginV2TestCase, test_bindings.PortBindingsTestCase): VIF_TYPE = portbindings.VIF_TYPE_BRIDGE HAS_PORT_FILTER = True + ENABLE_SG = True FIREWALL_DRIVER = test_sg_rpc.FIREWALL_IPTABLES_DRIVER def setUp(self): test_sg_rpc.set_firewall_driver(self.FIREWALL_DRIVER) + cfg.CONF.set_override( + 'enable_security_group', self.ENABLE_SG, + group='SECURITYGROUP') super(TestLinuxBridgePortBinding, self).setUp() class TestLinuxBridgePortBindingNoSG(TestLinuxBridgePortBinding): HAS_PORT_FILTER = False + ENABLE_SG = False FIREWALL_DRIVER = test_sg_rpc.FIREWALL_NOOP_DRIVER diff --git a/neutron/tests/unit/ml2/test_ml2_plugin.py b/neutron/tests/unit/ml2/test_ml2_plugin.py index 275bada23b7..2c0c3eceaa2 100644 --- a/neutron/tests/unit/ml2/test_ml2_plugin.py +++ b/neutron/tests/unit/ml2/test_ml2_plugin.py @@ -125,10 +125,14 @@ class TestMl2PortBinding(Ml2PluginV2TestCase, # to bind port VIF_TYPE = portbindings.VIF_TYPE_UNBOUND HAS_PORT_FILTER = False + ENABLE_SG = True FIREWALL_DRIVER = test_sg_rpc.FIREWALL_HYBRID_DRIVER def setUp(self, firewall_driver=None): test_sg_rpc.set_firewall_driver(self.FIREWALL_DRIVER) + config.cfg.CONF.set_override( + 'enable_security_group', self.ENABLE_SG, + group='SECURITYGROUP') super(TestMl2PortBinding, self).setUp() def _check_port_binding_profile(self, port, profile=None): @@ -171,6 +175,7 @@ class TestMl2PortBinding(Ml2PluginV2TestCase, class TestMl2PortBindingNoSG(TestMl2PortBinding): HAS_PORT_FILTER = False + ENABLE_SG = False FIREWALL_DRIVER = test_sg_rpc.FIREWALL_NOOP_DRIVER diff --git a/neutron/tests/unit/mlnx/test_mlnx_neutron_agent.py b/neutron/tests/unit/mlnx/test_mlnx_neutron_agent.py index ace306c93e1..a1c60de3c02 100644 --- a/neutron/tests/unit/mlnx/test_mlnx_neutron_agent.py +++ b/neutron/tests/unit/mlnx/test_mlnx_neutron_agent.py 
@@ -32,6 +32,9 @@ class TestEswitchAgent(base.BaseTestCase): # Avoid rpc initialization for unit tests cfg.CONF.set_override('rpc_backend', 'neutron.openstack.common.rpc.impl_fake') + cfg.CONF.set_default('firewall_driver', + 'neutron.agent.firewall.NoopFirewallDriver', + group='SECURITYGROUP') class MockFixedIntervalLoopingCall(object): def __init__(self, f): diff --git a/neutron/tests/unit/mlnx/test_mlnx_plugin.py b/neutron/tests/unit/mlnx/test_mlnx_plugin.py index ffa541fa36b..f3c83ac8dcb 100644 --- a/neutron/tests/unit/mlnx/test_mlnx_plugin.py +++ b/neutron/tests/unit/mlnx/test_mlnx_plugin.py @@ -13,6 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +from oslo.config import cfg from webob import exc from neutron.extensions import portbindings @@ -54,8 +55,15 @@ class TestMlnxNetworksV2(test_plugin.TestNetworksV2, MlnxPluginV2TestCase): class TestMlnxPortBinding(MlnxPluginV2TestCase, test_bindings.PortBindingsTestCase): VIF_TYPE = constants.VIF_TYPE_DIRECT + ENABLE_SG = False HAS_PORT_FILTER = False + def setUp(self, firewall_driver=None): + cfg.CONF.set_override( + 'enable_security_group', self.ENABLE_SG, + group='SECURITYGROUP') + super(TestMlnxPortBinding, self).setUp() + def _check_default_port_binding_profole(self, port, expected_vif_type=None): if expected_vif_type is None: @@ -98,6 +106,7 @@ class TestMlnxPortBinding(MlnxPluginV2TestCase, class TestMlnxPortBindingNoSG(TestMlnxPortBinding): HAS_PORT_FILTER = False + ENABLE_SG = False FIREWALL_DRIVER = test_sg_rpc.FIREWALL_NOOP_DRIVER diff --git a/neutron/tests/unit/nec/test_nec_agent.py b/neutron/tests/unit/nec/test_nec_agent.py index 15068845dad..51915df53a0 100644 --- a/neutron/tests/unit/nec/test_nec_agent.py +++ b/neutron/tests/unit/nec/test_nec_agent.py 
@@ -37,6 +37,9 @@ class TestNecAgentBase(base.BaseTestCase): def setUp(self): super(TestNecAgentBase, self).setUp() + cfg.CONF.set_default('firewall_driver', + 'neutron.agent.firewall.NoopFirewallDriver', + group='SECURITYGROUP') cfg.CONF.set_override('rpc_backend', 'neutron.openstack.common.rpc.impl_fake') cfg.CONF.set_override('host', 'dummy-host') diff --git a/neutron/tests/unit/nec/test_portbindings.py b/neutron/tests/unit/nec/test_portbindings.py index 559f8aa5627..4b13764f8dc 100644 --- a/neutron/tests/unit/nec/test_portbindings.py +++ b/neutron/tests/unit/nec/test_portbindings.py @@ -17,6 +17,7 @@ # # @author: Akihiro Motoki, NEC Corporation +from oslo.config import cfg from testtools import matchers from webob import exc @@ -32,15 +33,20 @@ class TestNecPortBinding(test_bindings.PortBindingsTestCase, test_nec_plugin.NecPluginV2TestCase): VIF_TYPE = portbindings.VIF_TYPE_OVS HAS_PORT_FILTER = True + ENABLE_SG = True FIREWALL_DRIVER = test_sg_rpc.FIREWALL_HYBRID_DRIVER def setUp(self): test_sg_rpc.set_firewall_driver(self.FIREWALL_DRIVER) + cfg.CONF.set_override( + 'enable_security_group', self.ENABLE_SG, + group='SECURITYGROUP') super(TestNecPortBinding, self).setUp() class TestNecPortBindingNoSG(TestNecPortBinding): HAS_PORT_FILTER = False + ENABLE_SG = False FIREWALL_DRIVER = test_sg_rpc.FIREWALL_NOOP_DRIVER diff --git a/neutron/tests/unit/ofagent/test_ofa_neutron_agent.py b/neutron/tests/unit/ofagent/test_ofa_neutron_agent.py index 3c3d552d345..ae685a58393 100644 --- a/neutron/tests/unit/ofagent/test_ofa_neutron_agent.py +++ b/neutron/tests/unit/ofagent/test_ofa_neutron_agent.py @@ -41,6 +41,9 @@ class OFAAgentTestCase(base.BaseTestCase): def setUp(self): super(OFAAgentTestCase, self).setUp() + cfg.CONF.set_default('firewall_driver', + 'neutron.agent.firewall.NoopFirewallDriver', + group='SECURITYGROUP') self.fake_oflib_of = fake_oflib.patch_fake_oflib_of().start() self.mod_agent = importutils.import_module(self._AGENT_NAME) self.ryuapp = mock.Mock() 
diff --git a/neutron/tests/unit/oneconvergence/test_nvsd_agent.py b/neutron/tests/unit/oneconvergence/test_nvsd_agent.py index 2559f9ccb77..2243aa6ec5d 100644 --- a/neutron/tests/unit/oneconvergence/test_nvsd_agent.py +++ b/neutron/tests/unit/oneconvergence/test_nvsd_agent.py @@ -33,6 +33,9 @@ class TestOneConvergenceAgentBase(base.BaseTestCase): def setUp(self): super(TestOneConvergenceAgentBase, self).setUp() + cfg.CONF.set_default('firewall_driver', + 'neutron.agent.firewall.NoopFirewallDriver', + group='SECURITYGROUP') cfg.CONF.set_override('rpc_backend', 'neutron.openstack.common.rpc.impl_fake') with contextlib.nested( diff --git a/neutron/tests/unit/openvswitch/test_openvswitch_plugin.py b/neutron/tests/unit/openvswitch/test_openvswitch_plugin.py index 6d76cde9af7..234a8feb82e 100644 --- a/neutron/tests/unit/openvswitch/test_openvswitch_plugin.py +++ b/neutron/tests/unit/openvswitch/test_openvswitch_plugin.py @@ -13,6 +13,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +from oslo.config import cfg + from neutron.extensions import portbindings from neutron.tests.unit import _test_extension_portbindings as test_bindings from neutron.tests.unit import test_db_plugin as test_plugin @@ -58,15 +60,20 @@ class TestOpenvswitchPortBinding(OpenvswitchPluginV2TestCase, test_bindings.PortBindingsTestCase): VIF_TYPE = portbindings.VIF_TYPE_OVS HAS_PORT_FILTER = True + ENABLE_SG = True FIREWALL_DRIVER = test_sg_rpc.FIREWALL_HYBRID_DRIVER def setUp(self, firewall_driver=None): test_sg_rpc.set_firewall_driver(self.FIREWALL_DRIVER) + cfg.CONF.set_override( + 'enable_security_group', self.ENABLE_SG, + group='SECURITYGROUP') super(TestOpenvswitchPortBinding, self).setUp() class TestOpenvswitchPortBindingNoSG(TestOpenvswitchPortBinding): HAS_PORT_FILTER = False + ENABLE_SG = False FIREWALL_DRIVER = test_sg_rpc.FIREWALL_NOOP_DRIVER 
diff --git a/neutron/tests/unit/openvswitch/test_ovs_neutron_agent.py b/neutron/tests/unit/openvswitch/test_ovs_neutron_agent.py index dc6723cf646..885c889ec25 100644 --- a/neutron/tests/unit/openvswitch/test_ovs_neutron_agent.py +++ b/neutron/tests/unit/openvswitch/test_ovs_neutron_agent.py @@ -88,6 +88,9 @@ class TestOvsNeutronAgent(base.BaseTestCase): notifier_cls = notifier_p.start() self.notifier = mock.Mock() notifier_cls.return_value = self.notifier + cfg.CONF.set_default('firewall_driver', + 'neutron.agent.firewall.NoopFirewallDriver', + group='SECURITYGROUP') # Avoid rpc initialization for unit tests cfg.CONF.set_override('rpc_backend', 'neutron.openstack.common.rpc.impl_fake') @@ -786,6 +789,9 @@ class AncillaryBridgesTest(base.BaseTestCase): notifier_cls = notifier_p.start() self.notifier = mock.Mock() notifier_cls.return_value = self.notifier + cfg.CONF.set_default('firewall_driver', + 'neutron.agent.firewall.NoopFirewallDriver', + group='SECURITYGROUP') # Avoid rpc initialization for unit tests cfg.CONF.set_override('rpc_backend', 'neutron.openstack.common.rpc.impl_fake') diff --git a/neutron/tests/unit/openvswitch/test_ovs_tunnel.py b/neutron/tests/unit/openvswitch/test_ovs_tunnel.py index 8de601a047a..0397c5aab68 100644 --- a/neutron/tests/unit/openvswitch/test_ovs_tunnel.py +++ b/neutron/tests/unit/openvswitch/test_ovs_tunnel.py @@ -66,6 +66,9 @@ class TunnelTest(base.BaseTestCase): def setUp(self): super(TunnelTest, self).setUp() + cfg.CONF.set_default('firewall_driver', + 'neutron.agent.firewall.NoopFirewallDriver', + group='SECURITYGROUP') cfg.CONF.set_override('rpc_backend', 'neutron.openstack.common.rpc.impl_fake') cfg.CONF.set_override('report_interval', 0, 'AGENT') diff --git a/neutron/tests/unit/test_security_groups_rpc.py b/neutron/tests/unit/test_security_groups_rpc.py index 63cbb4a7552..14e0f1c3905 100644 --- a/neutron/tests/unit/test_security_groups_rpc.py +++ b/neutron/tests/unit/test_security_groups_rpc.py 
@@ -24,6 +24,7 @@ from oslo.config import cfg from testtools import matchers import webob.exc +from neutron.agent.common import config from neutron.agent import firewall as firewall_base from neutron.agent.linux import iptables_manager from neutron.agent import rpc as agent_rpc @@ -53,6 +54,9 @@ class FakeSGCallback(sg_db_rpc.SecurityGroupServerRpcCallbackMixin): class SGServerRpcCallBackMixinTestCase(test_sg.SecurityGroupDBTestCase): def setUp(self, plugin=None): + cfg.CONF.set_default('firewall_driver', + 'neutron.agent.firewall.NoopFirewallDriver', + group='SECURITYGROUP') super(SGServerRpcCallBackMixinTestCase, self).setUp(plugin) self.rpc = FakeSGCallback() @@ -504,6 +508,9 @@ class SGAgentRpcCallBackMixinTestCase(base.BaseTestCase): class SecurityGroupAgentRpcTestCase(base.BaseTestCase): def setUp(self, defer_refresh_firewall=False): super(SecurityGroupAgentRpcTestCase, self).setUp() + cfg.CONF.set_default('firewall_driver', + 'neutron.agent.firewall.NoopFirewallDriver', + group='SECURITYGROUP') self.agent = sg_rpc.SecurityGroupAgentRpcMixin() self.agent.context = None mock.patch('neutron.agent.linux.iptables_manager').start() @@ -1432,6 +1439,10 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase): def setUp(self, defer_refresh_firewall=False): super(TestSecurityGroupAgentWithIptables, self).setUp() + config.register_root_helper(cfg.CONF) + cfg.CONF.set_override( + 'lock_path', + '$state_path/lock') cfg.CONF.set_override( 'firewall_driver', self.FIREWALL_DRIVER, 
@@ -1683,24 +1694,65 @@ class TestSecurityGroupAgentWithOVSIptables( class TestSecurityGroupExtensionControl(base.BaseTestCase): - def test_firewall_enabled_noop_driver(self): - set_firewall_driver(FIREWALL_NOOP_DRIVER) - self.assertFalse(sg_rpc.is_firewall_enabled()) - - def test_firewall_enabled_iptables_driver(self): - set_firewall_driver(FIREWALL_IPTABLES_DRIVER) - self.assertTrue(sg_rpc.is_firewall_enabled()) - - def test_disable_security_group_extension_noop_driver(self): - set_firewall_driver(FIREWALL_NOOP_DRIVER) + def test_disable_security_group_extension_by_config(self): + cfg.CONF.set_override( + 'enable_security_group', False, + group='SECURITYGROUP') exp_aliases = ['dummy1', 'dummy2'] ext_aliases = ['dummy1', 'security-group', 'dummy2'] - sg_rpc.disable_security_group_extension_if_noop_driver(ext_aliases) + sg_rpc.disable_security_group_extension_by_config(ext_aliases) self.assertEqual(ext_aliases, exp_aliases) - def test_disable_security_group_extension_iptables_driver(self): - set_firewall_driver(FIREWALL_IPTABLES_DRIVER) + def test_enable_security_group_extension_by_config(self): + cfg.CONF.set_override( + 'enable_security_group', True, + group='SECURITYGROUP') exp_aliases = ['dummy1', 'security-group', 'dummy2'] ext_aliases = ['dummy1', 'security-group', 'dummy2'] - sg_rpc.disable_security_group_extension_if_noop_driver(ext_aliases) + sg_rpc.disable_security_group_extension_by_config(ext_aliases) self.assertEqual(ext_aliases, exp_aliases) + + def test_is_invalid_drvier_combination_sg_enabled(self): + cfg.CONF.set_override( + 'enable_security_group', True, + group='SECURITYGROUP') + cfg.CONF.set_override( + 'firewall_driver', 'neutron.agent.firewall.NoopFirewallDriver', + group='SECURITYGROUP') + self.assertFalse(sg_rpc._is_valid_driver_combination()) + + def test_is_invalid_drvier_combination_sg_disabled(self): + cfg.CONF.set_override( + 'enable_security_group', False, + group='SECURITYGROUP') + cfg.CONF.set_override( + 'firewall_driver', 
'NonNoopDriver', + group='SECURITYGROUP') + self.assertFalse(sg_rpc._is_valid_driver_combination()) + + def test_is_valid_drvier_combination_sg_enabled(self): + cfg.CONF.set_override( + 'enable_security_group', True, + group='SECURITYGROUP') + cfg.CONF.set_override( + 'firewall_driver', 'NonNoopDriver', + group='SECURITYGROUP') + self.assertTrue(sg_rpc._is_valid_driver_combination()) + + def test_is_valid_drvier_combination_sg_disabled(self): + cfg.CONF.set_override( + 'enable_security_group', False, + group='SECURITYGROUP') + cfg.CONF.set_override( + 'firewall_driver', 'neutron.agent.firewall.NoopFirewallDriver', + group='SECURITYGROUP') + self.assertTrue(sg_rpc._is_valid_driver_combination()) + + def test_is_valid_drvier_combination_sg_disabled_with_none(self): + cfg.CONF.set_override( + 'enable_security_group', False, + group='SECURITYGROUP') + cfg.CONF.set_override( + 'firewall_driver', None, + group='SECURITYGROUP') + self.assertTrue(sg_rpc._is_valid_driver_combination())
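Review bot: `is_firewall_enabled()` no longer has a direct test, because this hunk removes `test_firewall_enabled_noop_driver` and `test_firewall_enabled_iptables_driver` and the new tests only exercise `_is_valid_driver_combination()`. The removal of `allowed-address-pairs` in `disable_security_group_extension_by_config()` is not asserted either, since no test list contains that alias. Both gates decide whether the API advertises filtering, so each deserves a test along the lines below. The new test names also spell "driver" as "drvier" five times.

```python
class TestSecurityGroupExtensionControl(base.BaseTestCase):
    # … unchanged: existing extension and driver-combination tests …

    def test_is_firewall_enabled_follows_enable_security_group(self):
        for enabled in (True, False):
            cfg.CONF.set_override(
                'enable_security_group', enabled,
                group='SECURITYGROUP')
            self.assertEqual(enabled, sg_rpc.is_firewall_enabled())

    def test_disable_allowed_address_pairs_extension_by_config(self):
        cfg.CONF.set_override(
            'enable_security_group', False,
            group='SECURITYGROUP')
        ext_aliases = ['dummy1', 'security-group',
                       'allowed-address-pairs', 'dummy2']
        sg_rpc.disable_security_group_extension_by_config(ext_aliases)
        self.assertEqual(['dummy1', 'dummy2'], ext_aliases)
```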