make sure security groups come back on restart of nova-compute

nova/compute/manager.py

@@ -170,7 +170,9 @@ class ComputeManager(manager.SchedulerDependentManager):
             elif drv_state == power_state.RUNNING:
                 # Hyper-V and VMWareAPI drivers will raise and exception
                 try:
-                    self.driver.ensure_filtering_rules_for_instance(instance)
+                    net_info = self._get_instance_nw_info(context, instance)
+                    self.driver.ensure_filtering_rules_for_instance(instance,
+                                                                    net_info)
                 except NotImplementedError:
                     LOG.warning(_('Hypervisor driver does not '
                             'support firewall rules'))
@@ -1308,7 +1310,7 @@ class ComputeManager(manager.SchedulerDependentManager):
         # This nwfilter is necessary on the destination host.
         # In addition, this method is creating filtering rule
         # onto destination host.
-        self.driver.ensure_filtering_rules_for_instance(instance_ref)
+        self.driver.ensure_filtering_rules_for_instance(instance_ref, network_info)
 
     def live_migration(self, context, instance_id, dest):
         """Executing live migration.

nova/tests/test_compute.py

@@ -632,7 +632,7 @@ class ComputeTestCase(test.TestCase):
             vid = i_ref['volumes'][i]['id']
             volmock.setup_compute_volume(c, vid).InAnyOrder('g1')
         drivermock.plug_vifs(i_ref, [])
-        drivermock.ensure_filtering_rules_for_instance(i_ref)
+        drivermock.ensure_filtering_rules_for_instance(i_ref, [])
 
         self.compute.db = dbmock
         self.compute.volume_manager = volmock
@@ -657,7 +657,7 @@ class ComputeTestCase(test.TestCase):
         self.mox.StubOutWithMock(compute_manager.LOG, 'info')
         compute_manager.LOG.info(_("%s has no volume."), i_ref['hostname'])
         drivermock.plug_vifs(i_ref, [])
-        drivermock.ensure_filtering_rules_for_instance(i_ref)
+        drivermock.ensure_filtering_rules_for_instance(i_ref, [])
 
         self.compute.db = dbmock
         self.compute.driver = drivermock

nova/tests/test_libvirt.py

@@ -644,6 +644,7 @@ class LibvirtConnTestCase(test.TestCase):
 
         self.create_fake_libvirt_mock()
         instance_ref = db.instance_create(self.context, self.test_instance)
+        network_info = _create_network_info()
 
         # Start test
         self.mox.ReplayAll()
@@ -653,6 +654,7 @@ class LibvirtConnTestCase(test.TestCase):
             conn.firewall_driver.setattr('prepare_instance_filter', fake_none)
             conn.firewall_driver.setattr('instance_filter_exists', fake_none)
             conn.ensure_filtering_rules_for_instance(instance_ref,
+                                                     network_info,
                                                      time=fake_timer)
         except exception.Error, e:
             c1 = (0 <= e.message.find('Timeout migrating for'))

nova/virt/driver.py

@@ -252,7 +252,7 @@ class ComputeDriver(object):
         # TODO(Vek): Need to pass context in for access to auth_token
         pass
 
-    def ensure_filtering_rules_for_instance(self, instance_ref):
+    def ensure_filtering_rules_for_instance(self, instance_ref, network_info):
         """Setting up filtering rules and waiting for its completion.
 
         To migrate an instance, filtering rules to hypervisors

nova/virt/fake.py

@@ -487,7 +487,7 @@ class FakeConnection(driver.ComputeDriver):
         """This method is supported only by libvirt."""
         raise NotImplementedError('This method is supported only by libvirt.')
 
-    def ensure_filtering_rules_for_instance(self, instance_ref):
+    def ensure_filtering_rules_for_instance(self, instance_ref, network_info):
         """This method is supported only by libvirt."""
         raise NotImplementedError('This method is supported only by libvirt.')
 
@@ -496,7 +496,7 @@ class FakeConnection(driver.ComputeDriver):
         """This method is supported only by libvirt."""
         return
 
-    def unfilter_instance(self, instance_ref, network_info=None):
+    def unfilter_instance(self, instance_ref, network_info):
         """This method is supported only by libvirt."""
         raise NotImplementedError('This method is supported only by libvirt.')
 

nova/virt/libvirt/connection.py

@@ -1502,7 +1502,7 @@ class LibvirtConnection(driver.ComputeDriver):
 
         return
 
-    def ensure_filtering_rules_for_instance(self, instance_ref,
+    def ensure_filtering_rules_for_instance(self, instance_ref, network_info,
                                             time=None):
         """Setting up filtering rules and waiting for its completion.
 
@@ -1532,14 +1532,15 @@ class LibvirtConnection(driver.ComputeDriver):
 
         # If any instances never launch at destination host,
         # basic-filtering must be set here.
-        self.firewall_driver.setup_basic_filtering(instance_ref)
+        self.firewall_driver.setup_basic_filtering(instance_ref, network_info)
         # setting up n)ova-instance-instance-xx mainly.
-        self.firewall_driver.prepare_instance_filter(instance_ref)
+        self.firewall_driver.prepare_instance_filter(instance_ref, network_info)
 
         # wait for completion
         timeout_count = range(FLAGS.live_migration_retry_count)
         while timeout_count:
-            if self.firewall_driver.instance_filter_exists(instance_ref):
+            if self.firewall_driver.instance_filter_exists(instance_ref,
+                                                           network_info):
                 break
             timeout_count.pop()
             if len(timeout_count) == 0:

nova/virt/libvirt/firewall.py

@@ -92,7 +92,7 @@ class FirewallDriver(object):
         """
         raise NotImplementedError()
 
-    def instance_filter_exists(self, instance):
+    def instance_filter_exists(self, instance, network_info):
         """Check nova-instance-instance-xxx exists"""
         raise NotImplementedError()
 
@@ -391,9 +391,7 @@ class NWFilterFirewall(FirewallDriver):
         self._define_filter(self._filter_container(filter_name,
                                                    filter_children))
 
-    def refresh_security_group_rules(self,
+    def refresh_security_group_rules(self, security_group_id):
-                                     security_group_id,
-                                     network_info=None):
         return self._define_filter(
                    self.security_group_to_nwfilter_xml(security_group_id))
 
@@ -702,15 +700,15 @@ class IptablesFirewallDriver(FirewallDriver):
 
         return ipv4_rules, ipv6_rules
 
-    def instance_filter_exists(self, instance):
+    def instance_filter_exists(self, instance, network_info):
         """Check nova-instance-instance-xxx exists"""
-        return self.nwfilter.instance_filter_exists(instance)
+        return self.nwfilter.instance_filter_exists(instance, network_info)
 
     def refresh_security_group_members(self, security_group):
         pass
 
-    def refresh_security_group_rules(self, security_group, network_info=None):
+    def refresh_security_group_rules(self, security_group):
-        self.do_refresh_security_group_rules(security_group, network_info)
+        self.do_refresh_security_group_rules(security_group)
         self.iptables.apply()
 
     @utils.synchronized('iptables', external=True)

nova/virt/xenapi_conn.py

@@ -309,7 +309,7 @@ class XenAPIConnection(driver.ComputeDriver):
         """This method is supported only by libvirt."""
         raise NotImplementedError('This method is supported only by libvirt.')
 
-    def ensure_filtering_rules_for_instance(self, instance_ref):
+    def ensure_filtering_rules_for_instance(self, instance_ref, network_info):
         """This method is supported only libvirt."""
         return