Make virt/firewall use objects for Security Groups and Rules
This makes the virt/firewall module use SecurityGroup and SecurityGroupRule objects instead of relying on virtapi and conductor for these operations. Related to blueprint compute-manager-objects Related to blueprint virt-objects Change-Id: I39cb9422cb15e6222f5009f64706f1528035f42d
This commit is contained in:
Dan Smith
@@ -22,6 +22,9 @@ from oslo.config import cfg
|
|||||||
from nova.compute import utils as compute_utils
|
from nova.compute import utils as compute_utils
|
||||||
from nova import context
|
from nova import context
|
||||||
from nova.network import linux_net
|
from nova.network import linux_net
|
||||||
|
from nova.objects import instance as instance_obj
|
||||||
|
from nova.objects import security_group as security_group_obj
|
||||||
|
from nova.objects import security_group_rule as security_group_rule_obj
|
||||||
from nova.openstack.common.gettextutils import _
|
from nova.openstack.common.gettextutils import _
|
||||||
from nova.openstack.common import importutils
|
from nova.openstack.common import importutils
|
||||||
from nova.openstack.common import log as logging
|
from nova.openstack.common import log as logging
|
||||||
@@ -336,6 +339,11 @@ class IptablesFirewallDriver(FirewallDriver):
|
|||||||
|
|
||||||
def instance_rules(self, instance, network_info):
|
def instance_rules(self, instance, network_info):
|
||||||
ctxt = context.get_admin_context()
|
ctxt = context.get_admin_context()
|
||||||
|
if isinstance(instance, dict):
|
||||||
|
# NOTE(danms): allow old-world instance objects from
|
||||||
|
# unconverted callers; all we need is instance.uuid below
|
||||||
|
instance = instance_obj.Instance._from_db_object(
|
||||||
|
ctxt, instance_obj.Instance(), instance, [])
|
||||||
|
|
||||||
ipv4_rules = []
|
ipv4_rules = []
|
||||||
ipv6_rules = []
|
ipv6_rules = []
|
||||||
@@ -356,13 +364,13 @@ class IptablesFirewallDriver(FirewallDriver):
|
|||||||
# Allow RA responses
|
# Allow RA responses
|
||||||
self._do_ra_rules(ipv6_rules, network_info)
|
self._do_ra_rules(ipv6_rules, network_info)
|
||||||
|
|
||||||
security_groups = self._virtapi.security_group_get_by_instance(
|
security_groups = security_group_obj.SecurityGroupList.get_by_instance(
|
||||||
ctxt, instance)
|
ctxt, instance)
|
||||||
|
|
||||||
# then, security group chains and rules
|
# then, security group chains and rules
|
||||||
for security_group in security_groups:
|
for security_group in security_groups:
|
||||||
rules = self._virtapi.security_group_rule_get_by_security_group(
|
rules_cls = security_group_rule_obj.SecurityGroupRuleList
|
||||||
ctxt, security_group)
|
rules = rules_cls.get_by_security_group(ctxt, security_group)
|
||||||
|
|
||||||
for rule in rules:
|
for rule in rules:
|
||||||
LOG.debug(_('Adding security group rule: %r'), rule,
|
LOG.debug(_('Adding security group rule: %r'), rule,
|
||||||
@@ -400,7 +408,10 @@ class IptablesFirewallDriver(FirewallDriver):
|
|||||||
fw_rules += [' '.join(args)]
|
fw_rules += [' '.join(args)]
|
||||||
else:
|
else:
|
||||||
if rule['grantee_group']:
|
if rule['grantee_group']:
|
||||||
for instance in rule['grantee_group']['instances']:
|
insts = (
|
||||||
|
instance_obj.InstanceList.get_by_security_group(
|
||||||
|
ctxt, rule['grantee_group']))
|
||||||
|
for instance in insts:
|
||||||
if instance['info_cache']['deleted']:
|
if instance['info_cache']['deleted']:
|
||||||
LOG.debug('ignoring deleted cache')
|
LOG.debug('ignoring deleted cache')
|
||||||
continue
|
continue
|
||||||
|
|||||||
Reference in New Issue
Block a user