From b1a27138f6e67abbdae02a907658638956fabc2d Mon Sep 17 00:00:00 2001
From: Dan Smith
Date: Mon, 14 Oct 2013 17:10:31 -0700
Subject: [PATCH] Make virt/firewall use objects for Security Groups and Rules
This makes the virt/firewall module use SecurityGroup and SecurityGroupRule objects instead of relying on virtapi and conductor for these operations.
Related to blueprint compute-manager-objects
Related to blueprint virt-objects
Change-Id: I39cb9422cb15e6222f5009f64706f1528035f42d
---
 nova/virt/firewall.py | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index 1c1cd0aab13a..3b693b42641c 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -22,6 +22,9 @@ from oslo.config import cfg
 from nova.compute import utils as compute_utils
 from nova import context
 from nova.network import linux_net
+from nova.objects import instance as instance_obj
+from nova.objects import security_group as security_group_obj
+from nova.objects import security_group_rule as security_group_rule_obj
 from nova.openstack.common.gettextutils import _
 from nova.openstack.common import importutils
 from nova.openstack.common import log as logging
@@ -336,6 +339,11 @@ class IptablesFirewallDriver(FirewallDriver):
 def instance_rules(self, instance, network_info):
 ctxt = context.get_admin_context()
+ if isinstance(instance, dict):
+ # NOTE(danms): allow old-world instance objects from
+ # unconverted callers; all we need is instance.uuid below
+ instance = instance_obj.Instance._from_db_object(
+ ctxt, instance_obj.Instance(), instance, [])
 ipv4_rules = []
 ipv6_rules = []
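Review bot: The dict-compatibility branch added after `ctxt = context.get_admin_context()` calls `Instance._from_db_object`, an underscore-private classmethod of nova.objects, from a module outside that package, which couples the firewall driver to an internal hydration signature that the objects layer is free to change. The conversion is also done with an empty expected_attrs list, so the resulting object presumably carries only the base instance columns; that is consistent with the NOTE saying only `instance.uuid` is needed here, but `instance_rules` continues well past this hunk and the converted object is what the rest of the method sees, so confirm no later line reads an attribute that would now have to be lazy-loaded or would be missing. The NOTE could state that contract explicitly, e.g. `# NOTE(danms): converted with expected_attrs=[]; only base columns are populated`, so a future reader does not add an `instance.info_cache` access to this path by accident.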
@@ -356,13 +364,13 @@ class IptablesFirewallDriver(FirewallDriver):
 # Allow RA responses
 self._do_ra_rules(ipv6_rules, network_info)
- security_groups = self._virtapi.security_group_get_by_instance(
+ security_groups = security_group_obj.SecurityGroupList.get_by_instance(
 ctxt, instance)
 # then, security group chains and rules
 for security_group in security_groups:
- rules = self._virtapi.security_group_rule_get_by_security_group(
- ctxt, security_group)
+ rules_cls = security_group_rule_obj.SecurityGroupRuleList
+ rules = rules_cls.get_by_security_group(ctxt, security_group)
 for rule in rules:
 LOG.debug(_('Adding security group rule: %r'), rule,
@@ -400,7 +408,10 @@ class IptablesFirewallDriver(FirewallDriver):
 fw_rules += [' '.join(args)]
 else:
 if rule['grantee_group']:
- for instance in rule['grantee_group']['instances']:
+ insts = (
+ instance_obj.InstanceList.get_by_security_group(
+ ctxt, rule['grantee_group']))
+ for instance in insts:
 if instance['info_cache']['deleted']:
 LOG.debug('ignoring deleted cache')
 continue
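Review bot: The `InstanceList.get_by_security_group(ctxt, rule['grantee_group'])` call in the second hunk runs a database lookup for every rule that has a grantee group, inside the loop over every rule of every security group of the instance, where the removed line read the instances already attached to the rule; for hosts with many group-to-group rules this multiplies round trips on every firewall refresh, so it is worth either hoisting the lookup into a per-hunk dict keyed by the grantee group's id or confirming the cost is acceptable. The following line `instance['info_cache']['deleted']` also now depends on that list loader having joined `info_cache`; if it does not, each access becomes a lazy load per instance, which compounds the same problem — confirm against the loader. Separately, `for instance in insts:` rebinds the method's `instance` parameter, which the removed line did as well, but since `instance_rules` continues after this hunk a distinct name avoids any later line silently seeing the last grantee instead of the instance being firewalled: `for grantee in insts:` and `if grantee['info_cache']['deleted']:`.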