Make virt/firewall use objects for Security Groups and Rules

This makes the virt/firewall module use SecurityGroup and SecurityGroupRule objects instead of relying on virtapi and conductor for these operations. Related to blueprint compute-manager-objects Related to blueprint virt-objects Change-Id: I39cb9422cb15e6222f5009f64706f1528035f42d
2013-10-14 17:10:31 -07:00
parent c65a364289
commit b1a27138f6
1 changed files with 15 additions and 4 deletions
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -22,6 +22,9 @@ from oslo.config import cfg
 from nova.compute import utils as compute_utils
 from nova import context
 from nova.network import linux_net
+from nova.objects import instance as instance_obj
+from nova.objects import security_group as security_group_obj
+from nova.objects import security_group_rule as security_group_rule_obj
 from nova.openstack.common.gettextutils import _
 from nova.openstack.common import importutils
 from nova.openstack.common import log as logging
@@ -336,6 +339,11 @@ class IptablesFirewallDriver(FirewallDriver):

    def instance_rules(self, instance, network_info):
        ctxt = context.get_admin_context()
+        if isinstance(instance, dict):
+            # NOTE(danms): allow old-world instance objects from
+            # unconverted callers; all we need is instance.uuid below
+            instance = instance_obj.Instance._from_db_object(
+                ctxt, instance_obj.Instance(), instance, [])

        ipv4_rules = []
        ipv6_rules = []
@@ -356,13 +364,13 @@ class IptablesFirewallDriver(FirewallDriver):
            # Allow RA responses
            self._do_ra_rules(ipv6_rules, network_info)

-        security_groups = self._virtapi.security_group_get_by_instance(
+        security_groups = security_group_obj.SecurityGroupList.get_by_instance(
            ctxt, instance)

        # then, security group chains and rules
        for security_group in security_groups:
-            rules = self._virtapi.security_group_rule_get_by_security_group(
-                ctxt, security_group)
+            rules_cls = security_group_rule_obj.SecurityGroupRuleList
+            rules = rules_cls.get_by_security_group(ctxt, security_group)

            for rule in rules:
                LOG.debug(_('Adding security group rule: %r'), rule,
@@ -400,7 +408,10 @@ class IptablesFirewallDriver(FirewallDriver):
                    fw_rules += [' '.join(args)]
                else:
                    if rule['grantee_group']:
-                        for instance in rule['grantee_group']['instances']:
+                        insts = (
+                            instance_obj.InstanceList.get_by_security_group(
+                                ctxt, rule['grantee_group']))
+                        for instance in insts:
                            if instance['info_cache']['deleted']:
                                LOG.debug('ignoring deleted cache')
                                continue