diff --git a/doc/source/contributor/testing/libvirt-numa.rst b/doc/source/contributor/testing/libvirt-numa.rst index f5827ac1d974..5a4db1805ff1 100644 --- a/doc/source/contributor/testing/libvirt-numa.rst +++ b/doc/source/contributor/testing/libvirt-numa.rst @@ -133,9 +133,6 @@ For example: RABBIT_PASSWORD=123456 [[post-config|$NOVA_CONF]] - [DEFAULT] - firewall_driver=nova.virt.firewall.NoopFirewallDriver - [filter_scheduler] enabled_filters=ComputeFilter,AvailabilityZoneFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,PciPassthroughFilter,NUMATopologyFilter EOF diff --git a/nova/network/os_vif_util.py b/nova/network/os_vif_util.py index 9b76ef3c8132..0bfd87bb1e59 100644 --- a/nova/network/os_vif_util.py +++ b/nova/network/os_vif_util.py @@ -68,21 +68,6 @@ def _get_hybrid_bridge_name(vif): return ('qbr' + vif['id'])[:model.NIC_NAME_LEN] -def _is_firewall_required(vif): - """Check if local firewall is required - - :param vif: the nova.network.model.VIF instance - - :returns: True if local firewall is required - """ - - if vif.is_neutron_filtering_enabled(): - return False - if CONF.firewall_driver != "nova.virt.firewall.NoopFirewallDriver": - return True - return False - - def _set_vhostuser_settings(vif, obj): """Set vhostuser socket mode and path @@ -353,7 +338,7 @@ def _nova_to_osvif_vif_ovs(vif): port_profile=_get_ovs_representor_port_profile(vif), plugin="ovs") _set_representor_datapath_offload_settings(vif, obj) - elif _is_firewall_required(vif) or vif.is_hybrid_plug_enabled(): + elif vif.is_hybrid_plug_enabled(): obj = _get_vif_instance( vif, objects.vif.VIFBridge, @@ -407,7 +392,7 @@ def _nova_to_osvif_vif_vhostuser(vif): interface_id=vif.get('ovs_interfaceid') or vif['id'], datapath_type=vif['details'].get( model.VIF_DETAILS_OVS_DATAPATH_TYPE)) - if _is_firewall_required(vif) or vif.is_hybrid_plug_enabled(): + if vif.is_hybrid_plug_enabled(): profile.bridge_name = _get_hybrid_bridge_name(vif) profile.hybrid_plug = True else: @@ -453,7 +438,7 @@ def _nova_to_osvif_vif_vhostuser(vif): # VIF_TYPE_IVS = 'ivs' def _nova_to_osvif_vif_ivs(vif): - if _is_firewall_required(vif) or vif.is_hybrid_plug_enabled(): + if vif.is_hybrid_plug_enabled(): obj = _get_vif_instance( vif, objects.vif.VIFBridge, diff --git a/nova/tests/unit/network/test_os_vif_util.py b/nova/tests/unit/network/test_os_vif_util.py index 90466e09cc40..c96fca51bbc6 100644 --- a/nova/tests/unit/network/test_os_vif_util.py +++ b/nova/tests/unit/network/test_os_vif_util.py @@ -38,35 +38,6 @@ class OSVIFUtilTestCase(test.NoDBTestCase): self.assertEqual(expect.obj_to_primitive(), actual.obj_to_primitive()) - def _test_is_firewall_required(self, port_filter, driver, expect): - vif = model.VIF( - id="dc065497-3c8d-4f44-8fb4-e1d33c16a536", - type=model.VIF_TYPE_BRIDGE, - address="22:52:25:62:e2:aa", - network=model.Network( - id="b82c1929-051e-481d-8110-4669916c7915", - label="Demo Net", - subnets=[]), - details={ - model.VIF_DETAILS_PORT_FILTER: port_filter, - } - ) - self.flags(firewall_driver=driver) - - self.assertEqual(expect, os_vif_util._is_firewall_required(vif)) - - def test_is_firewall_required_via_vif(self): - self._test_is_firewall_required( - True, "nova.virt.libvirt.firewall.IptablesFirewallDriver", False) - - def test_is_firewall_required_via_driver(self): - self._test_is_firewall_required( - False, "nova.virt.libvirt.firewall.IptablesFirewallDriver", True) - - def test_is_firewall_required_not(self): - self._test_is_firewall_required( - False, "nova.virt.firewall.NoopFirewallDriver", False) - def test_nova_to_osvif_instance(self): inst = objects.Instance( id="1242", @@ -643,7 +614,6 @@ class OSVIFUtilTestCase(test.NoDBTestCase): self.assertObjEqual(expect, actual) def test_nova_to_osvif_vif_ovs_hybrid(self): - self.flags(firewall_driver=None) vif = model.VIF( id="dc065497-3c8d-4f44-8fb4-e1d33c16a536", type=model.VIF_TYPE_OVS, @@ -654,6 +624,7 @@ class OSVIFUtilTestCase(test.NoDBTestCase): subnets=[]), details={ model.VIF_DETAILS_PORT_FILTER: False, + model.VIF_DETAILS_OVS_HYBRID_PLUG: True, model.VIF_DETAILS_OVS_DATAPATH_TYPE: model.VIF_DETAILS_OVS_DATAPATH_SYSTEM }, diff --git a/nova/tests/unit/virt/hyperv/test_driver.py b/nova/tests/unit/virt/hyperv/test_driver.py index 5a61ad5dbc1d..7d01f38c52da 100644 --- a/nova/tests/unit/virt/hyperv/test_driver.py +++ b/nova/tests/unit/virt/hyperv/test_driver.py @@ -386,11 +386,6 @@ class HyperVDriverTestCase(test_base.HyperVBaseTestCase): self.driver._vmops.unplug_vifs.assert_called_once_with( mock.sentinel.instance, mock.sentinel.network_info) - def test_refresh_instance_security_rules(self): - self.assertRaises(NotImplementedError, - self.driver.refresh_instance_security_rules, - instance=mock.sentinel.instance) - def test_migrate_disk_and_power_off(self): self.driver.migrate_disk_and_power_off( mock.sentinel.context, mock.sentinel.instance, mock.sentinel.dest, diff --git a/nova/tests/unit/virt/ironic/test_driver.py b/nova/tests/unit/virt/ironic/test_driver.py index b5a4fc09afee..724c4e769b2e 100644 --- a/nova/tests/unit/virt/ironic/test_driver.py +++ b/nova/tests/unit/virt/ironic/test_driver.py @@ -52,7 +52,6 @@ from nova.virt import block_device as driver_block_device from nova.virt import configdrive from nova.virt import driver from nova.virt import fake -from nova.virt import firewall from nova.virt import hardware from nova.virt.ironic import client_wrapper as cw from nova.virt.ironic import driver as ironic_driver @@ -522,29 +521,6 @@ class IronicDriverTestCase(test.NoDBTestCase): # correct self.assertFalse(mock_warning.called) - @mock.patch.object(firewall.NoopFirewallDriver, 'prepare_instance_filter', - create=True) - @mock.patch.object(firewall.NoopFirewallDriver, 'setup_basic_filtering', - create=True) - @mock.patch.object(firewall.NoopFirewallDriver, 'apply_instance_filter', - create=True) - def test__start_firewall(self, mock_aif, mock_sbf, mock_pif): - fake_inst = 'fake-inst' - fake_net_info = utils.get_test_network_info() - self.driver._start_firewall(fake_inst, fake_net_info) - - mock_aif.assert_called_once_with(fake_inst, fake_net_info) - mock_sbf.assert_called_once_with(fake_inst, fake_net_info) - mock_pif.assert_called_once_with(fake_inst, fake_net_info) - - @mock.patch.object(firewall.NoopFirewallDriver, 'unfilter_instance', - create=True) - def test__stop_firewall(self, mock_ui): - fake_inst = 'fake-inst' - fake_net_info = utils.get_test_network_info() - self.driver._stop_firewall(fake_inst, fake_net_info) - mock_ui.assert_called_once_with(fake_inst, fake_net_info) - def test_instance_exists(self): instance = fake_instance.fake_instance_obj(self.ctx, uuid=self.instance_id) @@ -1261,8 +1237,7 @@ class IronicDriverTestCase(test.NoDBTestCase): @mock.patch.object(ironic_driver.IronicDriver, '_wait_for_active') @mock.patch.object(ironic_driver.IronicDriver, '_add_instance_info_to_node') - @mock.patch.object(ironic_driver.IronicDriver, '_start_firewall') - def _test_spawn(self, mock_sf, mock_aiitn, mock_wait_active, + def _test_spawn(self, mock_aiitn, mock_wait_active, mock_avti, mock_node, mock_looping, mock_save): node_id = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' node = _get_cached_node(driver='fake', id=node_id) @@ -1289,7 +1264,6 @@ class IronicDriverTestCase(test.NoDBTestCase): test.MatchType(objects.ImageMeta), fake_flavor, block_device_info=None) mock_avti.assert_called_once_with(self.ctx, instance, None) - mock_sf.assert_called_once_with(instance, None) mock_node.set_provision_state.assert_called_once_with( node_id, 'active', configdrive=mock.ANY) @@ -1328,8 +1302,7 @@ class IronicDriverTestCase(test.NoDBTestCase): @mock.patch.object(ironic_driver.IronicDriver, '_wait_for_active') @mock.patch.object(ironic_driver.IronicDriver, '_add_instance_info_to_node') - @mock.patch.object(ironic_driver.IronicDriver, '_start_firewall') - def test_spawn_destroyed_after_failure(self, mock_sf, mock_aiitn, + def test_spawn_destroyed_after_failure(self, mock_aiitn, mock_wait_active, mock_avti, mock_destroy, mock_node, mock_looping, mock_required_by): @@ -1578,41 +1551,13 @@ class IronicDriverTestCase(test.NoDBTestCase): mock_avti.assert_called_once_with(self.ctx, instance, None) mock_node.validate.assert_called_once_with(node_id) - @mock.patch.object(configdrive, 'required_by') - @mock.patch.object(FAKE_CLIENT, 'node') - @mock.patch.object(ironic_driver.IronicDriver, '_add_volume_target_info') - @mock.patch.object(ironic_driver.IronicDriver, '_start_firewall') - @mock.patch.object(ironic_driver.IronicDriver, '_cleanup_deploy') - def test_spawn_node_prepare_for_deploy_fail(self, mock_cleanup_deploy, - mock_sf, mock_avti, - mock_node, mock_required_by): - mock_required_by.return_value = False - node_id = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' - node = _get_cached_node(driver='fake', id=node_id) - flavor = ironic_utils.get_test_flavor() - instance = fake_instance.fake_instance_obj(self.ctx, node=node_id) - instance.flavor = flavor - self.mock_conn.get_node.return_value = node - mock_node.validate.return_value = ironic_utils.get_test_validation() - image_meta = ironic_utils.get_test_image_meta() - - mock_sf.side_effect = test.TestingException() - self.assertRaises(test.TestingException, self.driver.spawn, - self.ctx, instance, image_meta, [], None, {}) - - self.mock_conn.get_node.assert_called_once_with( - node_id, fields=ironic_driver._NODE_FIELDS) - mock_node.validate.assert_called_once_with(node_id) - mock_cleanup_deploy.assert_called_with(node, instance, None) - @mock.patch.object(configdrive, 'required_by') @mock.patch.object(objects.Instance, 'save') @mock.patch.object(FAKE_CLIENT, 'node') @mock.patch.object(ironic_driver.IronicDriver, '_add_volume_target_info') @mock.patch.object(ironic_driver.IronicDriver, '_generate_configdrive') - @mock.patch.object(ironic_driver.IronicDriver, '_start_firewall') def test_spawn_node_configdrive_fail(self, - mock_sf, mock_configdrive, + mock_configdrive, mock_avti, mock_node, mock_save, mock_required_by): mock_required_by.return_value = True @@ -1639,10 +1584,9 @@ class IronicDriverTestCase(test.NoDBTestCase): @mock.patch.object(configdrive, 'required_by') @mock.patch.object(FAKE_CLIENT, 'node') @mock.patch.object(ironic_driver.IronicDriver, '_add_volume_target_info') - @mock.patch.object(ironic_driver.IronicDriver, '_start_firewall') @mock.patch.object(ironic_driver.IronicDriver, '_cleanup_deploy') def test_spawn_node_trigger_deploy_fail(self, mock_cleanup_deploy, - mock_sf, mock_avti, + mock_avti, mock_node, mock_required_by): mock_required_by.return_value = False node_id = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' @@ -1667,10 +1611,9 @@ class IronicDriverTestCase(test.NoDBTestCase): @mock.patch.object(configdrive, 'required_by') @mock.patch.object(FAKE_CLIENT, 'node') @mock.patch.object(ironic_driver.IronicDriver, '_add_volume_target_info') - @mock.patch.object(ironic_driver.IronicDriver, '_start_firewall') @mock.patch.object(ironic_driver.IronicDriver, '_cleanup_deploy') def test_spawn_node_trigger_deploy_fail2(self, mock_cleanup_deploy, - mock_sf, mock_avti, + mock_avti, mock_node, mock_required_by): mock_required_by.return_value = False node_id = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' @@ -1696,10 +1639,9 @@ class IronicDriverTestCase(test.NoDBTestCase): @mock.patch.object(loopingcall, 'FixedIntervalLoopingCall') @mock.patch.object(FAKE_CLIENT, 'node') @mock.patch.object(ironic_driver.IronicDriver, '_add_volume_target_info') - @mock.patch.object(ironic_driver.IronicDriver, '_start_firewall') @mock.patch.object(ironic_driver.IronicDriver, 'destroy') def test_spawn_node_trigger_deploy_fail3(self, mock_destroy, - mock_sf, mock_avti, + mock_avti, mock_node, mock_looping, mock_required_by): mock_required_by.return_value = False @@ -1729,8 +1671,7 @@ class IronicDriverTestCase(test.NoDBTestCase): @mock.patch.object(FAKE_CLIENT, 'node') @mock.patch.object(ironic_driver.IronicDriver, '_add_volume_target_info') @mock.patch.object(ironic_driver.IronicDriver, '_wait_for_active') - @mock.patch.object(ironic_driver.IronicDriver, '_start_firewall') - def test_spawn_sets_default_ephemeral_device(self, mock_sf, + def test_spawn_sets_default_ephemeral_device(self, mock_wait, mock_avti, mock_node, mock_save, mock_looping, @@ -2233,40 +2174,6 @@ class IronicDriverTestCase(test.NoDBTestCase): 'fake_vif') mock_uv.assert_called_once_with('fake_instance', ['fake_vif']) - @mock.patch.object(firewall.NoopFirewallDriver, 'unfilter_instance', - create=True) - def test_unfilter_instance(self, mock_ui): - instance = fake_instance.fake_instance_obj(self.ctx) - network_info = utils.get_test_network_info() - self.driver.unfilter_instance(instance, network_info) - mock_ui.assert_called_once_with(instance, network_info) - - @mock.patch.object(firewall.NoopFirewallDriver, 'setup_basic_filtering', - create=True) - @mock.patch.object(firewall.NoopFirewallDriver, 'prepare_instance_filter', - create=True) - def test_ensure_filtering_rules_for_instance(self, mock_pif, mock_sbf): - instance = fake_instance.fake_instance_obj(self.ctx) - network_info = utils.get_test_network_info() - self.driver.ensure_filtering_rules_for_instance(instance, - network_info) - mock_sbf.assert_called_once_with(instance, network_info) - mock_pif.assert_called_once_with(instance, network_info) - - @mock.patch.object(firewall.NoopFirewallDriver, - 'refresh_instance_security_rules', create=True) - def test_refresh_instance_security_rules(self, mock_risr): - instance = fake_instance.fake_instance_obj(self.ctx) - self.driver.refresh_instance_security_rules(instance) - mock_risr.assert_called_once_with(instance) - - @mock.patch.object(firewall.NoopFirewallDriver, - 'refresh_instance_security_rules', create=True) - def test_refresh_security_group_rules(self, mock_risr): - fake_group = 'fake-security-group-members' - self.driver.refresh_instance_security_rules(fake_group) - mock_risr.assert_called_once_with(fake_group) - @mock.patch.object(ironic_driver.IronicDriver, '_wait_for_active') @mock.patch.object(loopingcall, 'FixedIntervalLoopingCall') @mock.patch.object(FAKE_CLIENT.node, 'set_provision_state') @@ -2658,13 +2565,11 @@ class IronicDriverTestCase(test.NoDBTestCase): fields=ironic_driver._NODE_FIELDS) self.assertEqual(1, mock_cleanup.call_count) - @mock.patch.object(ironic_driver.IronicDriver, '_stop_firewall') @mock.patch.object(ironic_driver.IronicDriver, '_unplug_vifs') @mock.patch.object(ironic_driver.IronicDriver, '_cleanup_volume_target_info') @mock.patch.object(cw.IronicClientWrapper, 'call') - def test__cleanup_deploy(self, mock_call, mock_vol, mock_unvif, - mock_stop_fw): + def test__cleanup_deploy(self, mock_call, mock_vol, mock_unvif): # TODO(TheJulia): This REALLY should be updated to cover all of the # calls that take place. node = ironic_utils.get_test_node(driver='fake') @@ -2673,19 +2578,17 @@ class IronicDriverTestCase(test.NoDBTestCase): self.driver._cleanup_deploy(node, instance) mock_vol.assert_called_once_with(instance) mock_unvif.assert_called_once_with(node, instance, None) - mock_stop_fw.assert_called_once_with(instance, None) expected_patch = [{'path': '/instance_info', 'op': 'remove'}, {'path': '/instance_uuid', 'op': 'remove'}] mock_call.assert_called_once_with('node.update', node.uuid, expected_patch) - @mock.patch.object(ironic_driver.IronicDriver, '_stop_firewall') @mock.patch.object(ironic_driver.IronicDriver, '_unplug_vifs') @mock.patch.object(ironic_driver.IronicDriver, '_cleanup_volume_target_info') @mock.patch.object(cw.IronicClientWrapper, 'call') def test__cleanup_deploy_no_remove_ii(self, mock_call, mock_vol, - mock_unvif, mock_stop_fw): + mock_unvif): # TODO(TheJulia): This REALLY should be updated to cover all of the # calls that take place. node = ironic_utils.get_test_node(driver='fake') @@ -2694,7 +2597,6 @@ class IronicDriverTestCase(test.NoDBTestCase): self.driver._cleanup_deploy(node, instance, remove_instance_info=False) mock_vol.assert_called_once_with(instance) mock_unvif.assert_called_once_with(node, instance, None) - mock_stop_fw.assert_called_once_with(instance, None) self.assertFalse(mock_call.called) diff --git a/nova/tests/unit/virt/libvirt/fakelibvirt.py b/nova/tests/unit/virt/libvirt/fakelibvirt.py index 34fc2643c7c2..6091f5ac77ff 100644 --- a/nova/tests/unit/virt/libvirt/fakelibvirt.py +++ b/nova/tests/unit/virt/libvirt/fakelibvirt.py @@ -1670,7 +1670,7 @@ class FakeLibvirtFixture(fixtures.Fixture): super(FakeLibvirtFixture, self).setUp() # Some modules load the libvirt library in a strange way - for module in ('driver', 'host', 'guest', 'firewall', 'migration'): + for module in ('driver', 'host', 'guest', 'migration'): i = 'nova.virt.libvirt.{module}.libvirt'.format(module=module) # NOTE(mdbooth): The strange incantation below means 'this module' self.useFixture(fixtures.MonkeyPatch(i, sys.modules[__name__])) diff --git a/nova/tests/unit/virt/libvirt/test_driver.py b/nova/tests/unit/virt/libvirt/test_driver.py index 78c143bbae4c..bff2064a6fa8 100644 --- a/nova/tests/unit/virt/libvirt/test_driver.py +++ b/nova/tests/unit/virt/libvirt/test_driver.py @@ -103,7 +103,6 @@ from nova import version from nova.virt import block_device as driver_block_device from nova.virt import driver from nova.virt import fake -from nova.virt import firewall as base_firewall from nova.virt import hardware from nova.virt.image import model as imgmodel from nova.virt import images @@ -111,7 +110,6 @@ from nova.virt.libvirt import blockinfo from nova.virt.libvirt import config as vconfig from nova.virt.libvirt import designer from nova.virt.libvirt import driver as libvirt_driver -from nova.virt.libvirt import firewall from nova.virt.libvirt import guest as libvirt_guest from nova.virt.libvirt import host from nova.virt.libvirt.host import SEV_KERNEL_PARAM_FILE @@ -937,8 +935,7 @@ class LibvirtConnTestCase(test.NoDBTestCase, self.project_id = 'fake' self.context = context.get_admin_context() temp_dir = self.useFixture(fixtures.TempDir()).path - self.flags(instances_path=temp_dir, - firewall_driver=None) + self.flags(instances_path=temp_dir) self.flags(snapshots_directory=temp_dir, group='libvirt') self.flags(sysinfo_serial="hardware", group="libvirt") @@ -6163,7 +6160,6 @@ class LibvirtConnTestCase(test.NoDBTestCase, mock.patch.object(drvr, '_is_booted_from_volume', return_value=False), mock.patch.object(drvr, 'plug_vifs'), - mock.patch.object(drvr, 'firewall_driver'), mock.patch.object(drvr, 'cleanup')): self.assertRaises(ValueError, drvr._create_domain_and_network, @@ -9863,15 +9859,6 @@ class LibvirtConnTestCase(test.NoDBTestCase, '%s != %s failed common check %d' % (check(tree), expected_result, i)) - filterref = './devices/interface/filterref' - vif = network_info[0] - nic_id = vif['address'].lower().replace(':', '') - fw = firewall.NWFilterFirewall(drvr) - instance_filter_name = fw._instance_filter_name(instance_ref, - nic_id) - self.assertEqual(tree.find(filterref).get('filter'), - instance_filter_name) - # This test is supposed to make sure we don't # override a specifically set uri # @@ -9885,47 +9872,6 @@ class LibvirtConnTestCase(test.NoDBTestCase, drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), True) self.assertEqual(drvr._uri(), testuri) - def test_ensure_filtering_rules_for_instance_timeout(self): - # ensure_filtering_fules_for_instance() finishes with timeout. - # Preparing mocks - class FakeTime(object): - def __init__(self): - self.counter = 0 - - def sleep(self, t): - self.counter += t - - fake_timer = FakeTime() - - # _fake_network_info must be called before create_fake_libvirt_mock(), - # as _fake_network_info calls importutils.import_class() and - # create_fake_libvirt_mock() mocks importutils.import_class(). - network_info = _fake_network_info(self, 1) - self.create_fake_libvirt_mock() - instance_ref = objects.Instance(**self.test_instance) - - # Start test - try: - drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False) - self.stub_out('nova.virt.libvirt.firewall.IptablesFirewallDriver.' - 'setup_basic_filtering', lambda *a: None) - self.stub_out('nova.virt.libvirt.firewall.IptablesFirewallDriver.' - 'prepare_instance_filter', lambda *a: None) - self.stub_out('nova.virt.libvirt.firewall.IptablesFirewallDriver.' - 'instance_filter_exists', lambda *a: None) - self.stub_out('eventlet.greenthread.sleep', - lambda t: fake_timer.sleep(t)) - drvr.ensure_filtering_rules_for_instance(instance_ref, - network_info) - except exception.NovaException as e: - msg = ('The firewall filter for %s does not exist' % - instance_ref['name']) - c1 = (0 <= six.text_type(e).find(msg)) - self.assertTrue(c1) - - self.assertEqual(29, fake_timer.counter, "Didn't wait the expected " - "amount of time") - @mock.patch.object(libvirt_driver.LibvirtDriver, '_create_shared_storage_test_file') @mock.patch.object(fakelibvirt.Connection, 'compareCPU') @@ -13461,12 +13407,9 @@ class LibvirtConnTestCase(test.NoDBTestCase, with test.nested( mock.patch.object(drvr, '_create_images_and_backing'), - mock.patch.object(drvr, - 'ensure_filtering_rules_for_instance'), mock.patch.object(drvr, 'plug_vifs'), ) as ( create_image_mock, - rules_mock, plug_mock, ): disk_info_json = jsonutils.dumps({}) @@ -13503,12 +13446,9 @@ class LibvirtConnTestCase(test.NoDBTestCase, mock.patch.object(drvr, '_create_images_and_backing', side_effect=check_instance_dir), - mock.patch.object(drvr, - 'ensure_filtering_rules_for_instance'), mock.patch.object(drvr, 'plug_vifs'), ) as ( create_image_mock, - rules_mock, plug_mock, ): disk_info_json = jsonutils.dumps({}) @@ -13919,14 +13859,11 @@ class LibvirtConnTestCase(test.NoDBTestCase, mock.patch('nova.virt.libvirt.driver.libvirt'), mock.patch.object(drvr, '_build_device_metadata'), mock.patch.object(drvr, 'get_info'), - mock.patch.object(drvr.firewall_driver, 'setup_basic_filtering'), - mock.patch.object(drvr.firewall_driver, 'prepare_instance_filter') ) as ( tmpdir, mock_orig_libvirt, mock_build_device_metadata, mock_get_info, - mock_ignored, mock_ignored ): self.flags(instances_path=tmpdir) @@ -14153,9 +14090,6 @@ class LibvirtConnTestCase(test.NoDBTestCase, drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False) with test.nested( mock.patch.object(drvr, 'plug_vifs'), - mock.patch.object(drvr.firewall_driver, 'setup_basic_filtering'), - mock.patch.object(drvr.firewall_driver, 'prepare_instance_filter'), - mock.patch.object(drvr.firewall_driver, 'apply_instance_filter'), mock.patch.object(drvr, '_create_domain'), mock.patch.object(drvr, '_connect_volume', side_effect=_connect_volume_side_effect), @@ -17733,13 +17667,10 @@ class LibvirtConnTestCase(test.NoDBTestCase, state=power_state.RUNNING) with test.nested( - mock.patch.object(drvr, '_is_booted_from_volume', - return_value=False), - mock.patch.object(drvr, '_create_domain'), - mock.patch.object(drvr, 'plug_vifs'), - mock.patch.object(drvr.firewall_driver, 'setup_basic_filtering'), - mock.patch.object(drvr.firewall_driver, 'prepare_instance_filter'), - mock.patch.object(drvr.firewall_driver, 'apply_instance_filter')): + mock.patch.object(drvr, '_is_booted_from_volume', + return_value=False), + mock.patch.object(drvr, '_create_domain'), + mock.patch.object(drvr, 'plug_vifs')): drvr._create_domain_and_network(self.context, 'xml', mock_instance, []) @@ -17800,13 +17731,8 @@ class LibvirtConnTestCase(test.NoDBTestCase, return_value=False), mock.patch.object(drvr, '_create_domain'), mock.patch.object(drvr, 'plug_vifs'), - mock.patch.object(drvr.firewall_driver, 'setup_basic_filtering'), - mock.patch.object(drvr.firewall_driver, 'prepare_instance_filter'), - mock.patch.object(drvr.firewall_driver, 'apply_instance_filter') ) as ( mock_is_booted_from_volume, mock_create_domain, mock_plug_vifs, - mock_setup_basic_filtering, mock_prepare_instance_filter, - mock_apply_instance_filter ): drvr._create_domain_and_network(self.context, 'xml', mock_instance, []) @@ -17850,13 +17776,10 @@ class LibvirtConnTestCase(test.NoDBTestCase, state=power_state.SHUTDOWN) with test.nested( - mock.patch.object(drvr, '_is_booted_from_volume', - return_value=False), - mock.patch.object(drvr, '_create_domain'), - mock.patch.object(drvr, 'plug_vifs'), - mock.patch.object(drvr.firewall_driver, 'setup_basic_filtering'), - mock.patch.object(drvr.firewall_driver, 'prepare_instance_filter'), - mock.patch.object(drvr.firewall_driver, 'apply_instance_filter')): + mock.patch.object(drvr, '_is_booted_from_volume', + return_value=False), + mock.patch.object(drvr, '_create_domain'), + mock.patch.object(drvr, 'plug_vifs')): drvr._create_domain_and_network(self.context, 'xml', mock_instance, []) @@ -18049,8 +17972,6 @@ class LibvirtConnTestCase(test.NoDBTestCase, {'id': instance['image_ref']}) if method_name == "attach_interface": - mock_setup = self.useFixture(fixtures.MockPatchObject( - drvr.firewall_driver, 'setup_basic_filtering')).mock mock_build = self.useFixture(fixtures.MockPatchObject( drvr, '_build_device_metadata')).mock mock_build.return_value = objects.InstanceDeviceMetadata() @@ -18069,7 +17990,6 @@ class LibvirtConnTestCase(test.NoDBTestCase, if method_name == "attach_interface": drvr.attach_interface(self.context, instance, fake_image_meta, network_info[0]) - mock_setup.assert_called_once_with(instance, network_info) mock_build.assert_called_once_with(self.context, instance) mock_save.assert_called_once_with() elif method_name == "detach_interface": @@ -18270,7 +18190,6 @@ class LibvirtConnTestCase(test.NoDBTestCase, mock.patch.object(drvr, '_is_booted_from_volume', return_value=False), mock.patch.object(drvr, 'plug_vifs'), - mock.patch.object(drvr, 'firewall_driver'), mock.patch.object(drvr, '_create_domain', side_effect=exception.NovaException), mock.patch.object(drvr, 'cleanup')): @@ -18294,10 +18213,9 @@ class LibvirtConnTestCase(test.NoDBTestCase, mock.patch.object(drvr, '_lxc_disk_handler', side_effect=fake_lxc_disk_handler), mock.patch.object(drvr, 'plug_vifs'), - mock.patch.object(drvr, 'firewall_driver'), mock.patch.object(drvr, '_create_domain'), mock.patch.object(drvr, 'cleanup')) as ( - _handler, cleanup, firewall_driver, create, plug_vifs): + _handler, cleanup, create, plug_vifs): domain = drvr._create_domain_and_network(self.context, 'xml', instance, None) self.assertEqual(0, create.call_args_list[0][1]['pause']) @@ -18338,10 +18256,9 @@ class LibvirtConnTestCase(test.NoDBTestCase, {'id': uuids.vif_2, 'active': False}] @mock.patch.object(drvr, 'plug_vifs') - @mock.patch.object(drvr, 'firewall_driver') @mock.patch.object(drvr, '_create_domain') @mock.patch.object(drvr, 'cleanup') - def test_create(cleanup, create, fw_driver, plug_vifs): + def test_create(cleanup, create, plug_vifs): domain = drvr._create_domain_and_network(self.context, 'xml', instance, vifs, power_on=power_on, @@ -18417,10 +18334,9 @@ class LibvirtConnTestCase(test.NoDBTestCase, drvr = libvirt_driver.LibvirtDriver(mock.MagicMock(), False) @mock.patch.object(drvr, 'plug_vifs') - @mock.patch.object(drvr, 'firewall_driver') @mock.patch.object(drvr, '_create_domain') @mock.patch.object(drvr, '_cleanup_failed_start') - def the_test(mock_cleanup, mock_create, mock_fw, mock_plug): + def the_test(mock_cleanup, mock_create, mock_plug): instance = objects.Instance(**self.test_instance) mock_create.side_effect = test.TestingException self.assertRaises(test.TestingException, @@ -18529,13 +18445,8 @@ class LibvirtConnTestCase(test.NoDBTestCase, with test.nested( mock.patch.object(drvr, 'plug_vifs'), - mock.patch.object(drvr.firewall_driver, 'setup_basic_filtering'), - mock.patch.object(drvr.firewall_driver, - 'prepare_instance_filter'), mock.patch.object(drvr, '_create_domain'), - mock.patch.object(drvr.firewall_driver, 'apply_instance_filter'), - ) as (plug_vifs, setup_basic_filtering, prepare_instance_filter, - create_domain, apply_instance_filter): + ) as (plug_vifs, create_domain): create_domain.return_value = libvirt_guest.Guest(mock_dom) guest = drvr._create_domain_and_network( @@ -18543,10 +18454,6 @@ class LibvirtConnTestCase(test.NoDBTestCase, block_device_info=block_device_info) plug_vifs.assert_called_once_with(instance, network_info) - setup_basic_filtering.assert_called_once_with(instance, - network_info) - prepare_instance_filter.assert_called_once_with(instance, - network_info) pause = self._get_pause_flag(drvr, network_info) create_domain.assert_called_once_with( fake_xml, pause=pause, power_on=True, post_xml_callback=None) @@ -18625,7 +18532,6 @@ class LibvirtConnTestCase(test.NoDBTestCase, @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._undefine_domain') def test_cleanup_pass_with_no_mount_device(self, undefine, unplug): drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI()) - drvr.firewall_driver = mock.Mock() drvr._disconnect_volume = mock.Mock() fake_inst = objects.Instance(**self.test_instance) fake_bdms = [{'connection_info': 'foo', @@ -18650,7 +18556,6 @@ class LibvirtConnTestCase(test.NoDBTestCase, drvr.cleanup, 'ctxt', fake_inst, 'netinfo') unplug.assert_called_once_with(fake_inst, 'netinfo', True) - @mock.patch.object(libvirt_driver.LibvirtDriver, 'unfilter_instance') @mock.patch.object(libvirt_driver.LibvirtDriver, 'delete_instance_files', return_value=True) @mock.patch.object(objects.Instance, 'save') @@ -18658,8 +18563,7 @@ class LibvirtConnTestCase(test.NoDBTestCase, def test_cleanup_migrate_data_shared_block_storage(self, _undefine_domain, save, - delete_instance_files, - unfilter_instance): + delete_instance_files): # Tests the cleanup method when migrate_data has # is_shared_block_storage=True and destroy_disks=False. instance = objects.Instance(self.context, **self.test_instance) @@ -18674,13 +18578,12 @@ class LibvirtConnTestCase(test.NoDBTestCase, self.assertTrue(instance.cleaned) save.assert_called_once_with() - @mock.patch.object(libvirt_driver.LibvirtDriver, 'unfilter_instance') @mock.patch.object(libvirt_driver.LibvirtDriver, 'delete_instance_files', return_value=True) @mock.patch.object(objects.Instance, 'save') @mock.patch.object(libvirt_driver.LibvirtDriver, '_undefine_domain') def test_cleanup_instance_dir_with_rbd_workaround(self, - _undefine_domain, save, delete_instance_files, unfilter_instance): + _undefine_domain, save, delete_instance_files): self.flags(images_type='rbd', group='libvirt') self.flags(ensure_libvirt_rbd_instance_dir_cleanup=True, group='workarounds') @@ -21032,9 +20935,6 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): self.stub_out('nova.virt.libvirt.driver.LibvirtDriver.plug_vifs', fake_plug_vifs) self.stub_out('oslo_concurrency.processutils.execute', fake_execute) - fw = base_firewall.NoopFirewallDriver() - self.stub_out('nova.virt.libvirt.driver.LibvirtDriver.firewall_driver', - fw) self.stub_out('nova.virt.libvirt.driver.LibvirtDriver.' '_create_domain_and_network', fake_create_domain) self.stub_out('nova.virt.libvirt.driver.LibvirtDriver.get_info', @@ -21287,10 +21187,8 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): new_callable=mock.NonCallableMock), mock.patch.object(drvr, '_undefine_domain'), mock.patch.object(drvr, 'unplug_vifs'), - mock.patch.object(drvr, 'unfilter_instance') ) as (mock_volume_backed, mock_exists, mock_get_path, - mock_rmtree, mock_image_by_name, mock_undef, mock_unplug, - mock_unfilter): + mock_rmtree, mock_image_by_name, mock_undef, mock_unplug): mock_exists.return_value = True mock_get_path.return_value = '/fake/inst' @@ -21299,7 +21197,6 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): self.assertEqual(5, mock_rmtree.call_count) mock_undef.assert_called_once_with(ins_ref) mock_unplug.assert_called_once_with(ins_ref, fake_net) - mock_unfilter.assert_called_once_with(ins_ref, fake_net) @mock.patch('time.sleep', new=mock.Mock()) def test_cleanup_resize_not_same_host_volume_backed(self): @@ -21325,9 +21222,8 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): mock.patch.object(shutil, 'rmtree'), mock.patch.object(drvr, '_undefine_domain'), mock.patch.object(drvr, 'unplug_vifs'), - mock.patch.object(drvr, 'unfilter_instance') ) as (mock_volume_backed, mock_exists, mock_get_path, - mock_rmtree, mock_undef, mock_unplug, mock_unfilter): + mock_rmtree, mock_undef, mock_unplug): mock_exists.return_value = True mock_get_path.return_value = '/fake/inst' @@ -21336,7 +21232,6 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): self.assertEqual(5, mock_rmtree.call_count) mock_undef.assert_called_once_with(ins_ref) mock_unplug.assert_called_once_with(ins_ref, fake_net) - mock_unfilter.assert_called_once_with(ins_ref, fake_net) @mock.patch('time.sleep', new=mock.Mock()) def test_cleanup_resize_snap_backend(self): @@ -21683,8 +21578,6 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): CONF.libvirt.virt_type, self.drvr._host) with test.nested( mock.patch.object(host.Host, '_get_domain', return_value=domain), - mock.patch.object(self.drvr.firewall_driver, - 'setup_basic_filtering'), mock.patch.object(domain, 'attachDeviceFlags'), mock.patch.object(domain, 'info', return_value=[power_state.RUNNING, 1, 2, 3, 4]), @@ -21694,7 +21587,7 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): side_effect=exception.NovaException), mock.patch.object(self.drvr, 'detach_interface'), ) as ( - mock_get_domain, mock_setup_basic_filtering, + mock_get_domain, mock_attach_device_flags, mock_info, mock_get_config, mock_build_device_metadata, mock_detach_interface ): @@ -21703,8 +21596,6 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): instance, fake_image_meta, network_info[0]) mock_get_domain.assert_called_with(instance) mock_info.assert_called_with() - mock_setup_basic_filtering.assert_called_with( - instance, [network_info[0]]) mock_get_config.assert_called_with( instance, network_info[0], fake_image_meta, instance.flavor, CONF.libvirt.virt_type, self.drvr._host) @@ -21753,9 +21644,7 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): with test.nested( mock.patch.object(self.drvr.vif_driver, 'get_config', return_value=expected), - mock.patch.object(self.drvr.firewall_driver, - 'setup_basic_filtering') - ) as (mock_get_config, mock_setup): + ) as (mock_get_config,): self.drvr.attach_interface( self.context, instance, fake_image_meta, network_info[0]) @@ -21765,7 +21654,6 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): self.drvr._host) mock_get_domain.assert_called_once_with(instance) mock_info.assert_called_once_with() - mock_setup.assert_called_once_with(instance, [network_info[0]]) mock_build.assert_called_once_with(self.context, instance) mock_save.assert_called_once_with() mock_attach.assert_called_once_with(expected.to_xml(), @@ -21952,9 +21840,7 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): side_effect=[expected, expected, None, None]), mock.patch.object(self.drvr.vif_driver, 'get_config', return_value=expected), - mock.patch.object(self.drvr.firewall_driver, - 'setup_basic_filtering') - ) as (mock_get_interface, mock_get_config, mock_setup): + ) as (mock_get_interface, mock_get_config): self.drvr.detach_interface(self.context, instance, network_info[0]) mock_get_interface.assert_has_calls([mock.call(expected)] * 3) @@ -21963,7 +21849,6 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): instance, network_info[0], test.MatchType(objects.ImageMeta), test.MatchType(objects.Flavor), CONF.libvirt.virt_type, self.drvr._host) - mock_setup.assert_not_called() mock_get_domain.assert_called_once_with(instance) mock_info.assert_called_once_with() mock_detach.assert_called_once_with(expected.to_xml(), @@ -22525,11 +22410,10 @@ class LibvirtDriverTestCase(test.NoDBTestCase, TraitsComparisonMixin): @mock.patch.object(lvm, 'get_volume_size', return_value=10) @mock.patch.object(host.Host, "get_guest") @mock.patch.object(dmcrypt, 'delete_volume') - @mock.patch('nova.virt.libvirt.driver.LibvirtDriver.unfilter_instance') @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._undefine_domain') @mock.patch.object(objects.Instance, 'save') def test_cleanup_lvm_encrypted(self, mock_save, mock_undefine_domain, - mock_unfilter, mock_delete_volume, + mock_delete_volume, mock_get_guest, mock_get_lvm_size, mock_get_size): drv = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), True) diff --git a/nova/tests/unit/virt/libvirt/test_vif.py b/nova/tests/unit/virt/libvirt/test_vif.py index b66b4e5bd06b..d117ce7b3e72 100644 --- a/nova/tests/unit/virt/libvirt/test_vif.py +++ b/nova/tests/unit/virt/libvirt/test_vif.py @@ -515,21 +515,14 @@ class LibvirtVifTestCase(test.NoDBTestCase): mac = node.find("mac").get("address") self.assertEqual(mac, vif['address']) - def _assertTypeEquals(self, node, type, attr, source, br_want, - prefix=None): + def _assertTypeEquals(self, node, type, attr, source, br_want): self.assertEqual(node.get("type"), type) br_name = node.find(attr).get(source) - if prefix is None: - self.assertEqual(br_name, br_want) - else: - self.assertTrue(br_name.startswith(prefix)) + self.assertEqual(br_name, br_want) def _assertTypeAndMacEquals(self, node, type, attr, source, vif, - br_want=None, size=0, prefix=None): - ret = node.findall("filterref") - self.assertEqual(len(ret), size) - self._assertTypeEquals(node, type, attr, source, br_want, - prefix) + br_want=None): + self._assertTypeEquals(node, type, attr, source, br_want) self._assertMacEquals(node, vif) def _assertModel(self, xml, model_want=None, driver_want=None): @@ -901,16 +894,20 @@ class LibvirtVifTestCase(test.NoDBTestCase): self.assertIsNone(conf.driver_name) self.assertIsNone(conf.model) - def _test_model_qemu(self, *vif_objs, **kw): - libvirt_version = kw.get('libvirt_version') + def test_model_qemu(self): + vif_objs = [ + self.vif_bridge, + self.vif_8021qbg, + self.vif_iovisor, + self.vif_ovs, + ] + self.flags(use_virtio_for_bridges=True, virt_type='qemu', group='libvirt') for vif_obj in vif_objs: d = vif.LibvirtGenericVIFDriver() - if libvirt_version is not None: - d.libvirt_version = libvirt_version xml = self._get_instance_xml(d, vif_obj) @@ -937,23 +934,6 @@ class LibvirtVifTestCase(test.NoDBTestCase): self._assertModel(xml, network_model.VIF_MODEL_VIRTIO, "qemu") - def test_model_qemu_no_firewall(self): - self._test_model_qemu( - self.vif_bridge, - self.vif_8021qbg, - self.vif_iovisor, - self.vif_ovs, - ) - - def test_model_qemu_iptables(self): - self.flags(firewall_driver="nova.virt.firewall.IptablesFirewallDriver") - self._test_model_qemu( - self.vif_bridge, - self.vif_ovs, - self.vif_8021qbg, - self.vif_iovisor - ) - def test_model_xen(self): self.flags(use_virtio_for_bridges=True, virt_type='xen', @@ -1083,29 +1063,6 @@ class LibvirtVifTestCase(test.NoDBTestCase): self._assertTypeAndMacEquals(node, "bridge", "target", "dev", self.vif_ovs_filter_cap, br_want) - def _check_neutron_hybrid_driver(self, d, vif, br_want): - self.flags(firewall_driver="nova.virt.firewall.IptablesFirewallDriver") - xml = self._get_instance_xml(d, vif) - node = self._get_node(xml) - self._assertTypeAndMacEquals(node, "bridge", "source", "bridge", - vif, br_want, 1) - - def test_ivs_hybrid_driver(self): - d = vif.LibvirtGenericVIFDriver() - br_want = "qbr" + self.vif_ivs['id'] - br_want = br_want[:network_model.NIC_NAME_LEN] - self._check_neutron_hybrid_driver(d, - self.vif_ivs, - br_want) - - def test_generic_hybrid_driver(self): - d = vif.LibvirtGenericVIFDriver() - br_want = "qbr" + self.vif_ovs['id'] - br_want = br_want[:network_model.NIC_NAME_LEN] - self._check_neutron_hybrid_driver(d, - self.vif_ovs, - br_want) - def test_ib_hostdev_driver(self): d = vif.LibvirtGenericVIFDriver() xml = self._get_instance_xml(d, self.vif_ib_hostdev) diff --git a/nova/tests/unit/virt/test_virt_drivers.py b/nova/tests/unit/virt/test_virt_drivers.py index 4520bece42ba..4e3b3f9b1456 100644 --- a/nova/tests/unit/virt/test_virt_drivers.py +++ b/nova/tests/unit/virt/test_virt_drivers.py @@ -592,31 +592,6 @@ class _VirtDriverTestCase(_FakeDriverBackendTestCase): self.assertIn('username', console_pool) self.assertIn('password', console_pool) - @catch_notimplementederror - def test_refresh_security_group_rules(self): - # FIXME: Create security group and add the instance to it - instance_ref, network_info = self._get_running_instance() - self.connection.refresh_security_group_rules(1) - - @catch_notimplementederror - def test_refresh_instance_security_rules(self): - # FIXME: Create security group and add the instance to it - instance_ref, network_info = self._get_running_instance() - self.connection.refresh_instance_security_rules(instance_ref) - - @catch_notimplementederror - def test_ensure_filtering_for_instance(self): - instance = test_utils.get_test_instance(obj=True) - network_info = test_utils.get_test_network_info() - self.connection.ensure_filtering_rules_for_instance(instance, - network_info) - - @catch_notimplementederror - def test_unfilter_instance(self): - instance_ref = test_utils.get_test_instance() - network_info = test_utils.get_test_network_info() - self.connection.unfilter_instance(instance_ref, network_info) - def test_live_migration(self): instance_ref, network_info = self._get_running_instance() fake_context = context.RequestContext('fake', 'fake') diff --git a/nova/tests/unit/virt/vmwareapi/test_driver_api.py b/nova/tests/unit/virt/vmwareapi/test_driver_api.py index 9ebd132f3505..314f576b7bd1 100644 --- a/nova/tests/unit/virt/vmwareapi/test_driver_api.py +++ b/nova/tests/unit/virt/vmwareapi/test_driver_api.py @@ -1944,11 +1944,6 @@ class VMwareAPIVMTestCase(test.NoDBTestCase, self.assertEqual('iscsi-name', connector['initiator']) self.assertNotIn('instance', connector) - def test_refresh_instance_security_rules(self): - self.assertRaises(NotImplementedError, - self.conn.refresh_instance_security_rules, - instance=None) - @mock.patch.object(objects.block_device.BlockDeviceMappingList, 'get_by_instance_uuids') def test_image_aging_image_used(self, mock_get_by_inst): diff --git a/nova/tests/unit/virt/xenapi/stubs.py b/nova/tests/unit/virt/xenapi/stubs.py index ace30720c0f1..2d0d985e36d2 100644 --- a/nova/tests/unit/virt/xenapi/stubs.py +++ b/nova/tests/unit/virt/xenapi/stubs.py @@ -21,7 +21,6 @@ import fixtures import mock from os_xenapi.client import session from os_xenapi.client import XenAPI -from oslo_serialization import jsonutils from nova import test from nova.virt.xenapi import fake @@ -51,24 +50,12 @@ def _make_fake_vdi(): class FakeSessionForVMTests(fake.SessionBase): """Stubs out a XenAPISession for VM tests.""" - _fake_iptables_save_output = ("# Generated by iptables-save v1.4.10 on " - "Sun Nov 6 22:49:02 2011\n" - "*filter\n" - ":INPUT ACCEPT [0:0]\n" - ":FORWARD ACCEPT [0:0]\n" - ":OUTPUT ACCEPT [0:0]\n" - "COMMIT\n" - "# Completed on Sun Nov 6 22:49:02 2011\n") - def host_call_plugin(self, _1, _2, plugin, method, _5): plugin = plugin.rstrip('.py') if plugin == 'glance' and method == 'download_vhd2': root_uuid = _make_fake_vdi() return pickle.dumps(dict(root=dict(uuid=root_uuid))) - elif (plugin, method) == ('xenhost', 'iptables_config'): - return fake.as_json(out=self._fake_iptables_save_output, - err='') else: return (super(FakeSessionForVMTests, self). host_call_plugin(_1, _2, plugin, method, _5)) @@ -96,54 +83,6 @@ class FakeSessionForVMTests(fake.SessionBase): pass -class FakeSessionForFirewallTests(FakeSessionForVMTests): - """Stubs out a XenApi Session for doing IPTable Firewall tests.""" - - def __init__(self, uri, test_case=None): - super(FakeSessionForFirewallTests, self).__init__(uri) - if hasattr(test_case, '_in_rules'): - self._in_rules = test_case._in_rules - if hasattr(test_case, '_in6_filter_rules'): - self._in6_filter_rules = test_case._in6_filter_rules - self._test_case = test_case - - def host_call_plugin(self, _1, _2, plugin, method, args): - """Mock method for host_call_plugin to be used in unit tests - for the dom0 iptables Firewall drivers for XenAPI - - """ - plugin = plugin.rstrip('.py') - - if plugin == 'xenhost' and method == 'iptables_config': - # The command to execute is a json-encoded list - cmd_args = args.get('cmd_args', None) - cmd = jsonutils.loads(cmd_args) - if not cmd: - ret_str = '' - else: - output = '' - process_input = args.get('process_input', None) - if cmd == ['ip6tables-save', '-c']: - output = '\n'.join(self._in6_filter_rules) - if cmd == ['iptables-save', '-c']: - output = '\n'.join(self._in_rules) - if cmd == ['iptables-restore', '-c', ]: - lines = process_input.split('\n') - if '*filter' in lines: - if self._test_case is not None: - self._test_case._out_rules = lines - output = '\n'.join(lines) - if cmd == ['ip6tables-restore', '-c', ]: - lines = process_input.split('\n') - if '*filter' in lines: - output = '\n'.join(lines) - ret_str = fake.as_json(out=output, err='') - return ret_str - else: - return (super(FakeSessionForVMTests, self). - host_call_plugin(_1, _2, plugin, method, args)) - - class ReplaceModule(fixtures.Fixture): """Replace a module with a fake module.""" diff --git a/nova/tests/unit/virt/xenapi/test_vm_utils.py b/nova/tests/unit/virt/xenapi/test_vm_utils.py index ef2d687e8f82..ede85da08b08 100644 --- a/nova/tests/unit/virt/xenapi/test_vm_utils.py +++ b/nova/tests/unit/virt/xenapi/test_vm_utils.py @@ -472,9 +472,7 @@ class GetInstanceForVdisForSrTestCase(VMUtilsTestBase): self.fixture = self.useFixture(config_fixture.Config(lockutils.CONF)) self.fixture.config(disable_process_locking=True, group='oslo_concurrency') - self.flags(instance_name_template='%d', - firewall_driver='nova.virt.xenapi.firewall.' - 'Dom0IptablesFirewallDriver') + self.flags(instance_name_template='%d') self.flags(connection_url='http://localhost', connection_password='test_pass', group='xenserver') @@ -1239,9 +1237,7 @@ class VMUtilsSRPath(VMUtilsTestBase): self.fixture = self.useFixture(config_fixture.Config(lockutils.CONF)) self.fixture.config(disable_process_locking=True, group='oslo_concurrency') - self.flags(instance_name_template='%d', - firewall_driver='nova.virt.xenapi.firewall.' - 'Dom0IptablesFirewallDriver') + self.flags(instance_name_template='%d') self.flags(connection_url='http://localhost', connection_password='test_pass', group='xenserver') @@ -2171,9 +2167,7 @@ class CreateVmRecordTestCase(VMUtilsTestBase): self.fixture = self.useFixture(config_fixture.Config(lockutils.CONF)) self.fixture.config(disable_process_locking=True, group='oslo_concurrency') - self.flags(instance_name_template='%d', - firewall_driver='nova.virt.xenapi.firewall.' - 'Dom0IptablesFirewallDriver') + self.flags(instance_name_template='%d') self.flags(connection_url='http://localhost', connection_password='test_pass', group='xenserver') diff --git a/nova/tests/unit/virt/xenapi/test_vmops.py b/nova/tests/unit/virt/xenapi/test_vmops.py index 22bbf67359d6..e1b6a6beae71 100644 --- a/nova/tests/unit/virt/xenapi/test_vmops.py +++ b/nova/tests/unit/virt/xenapi/test_vmops.py @@ -446,12 +446,6 @@ class SpawnTestCase(VMOpsTestBase): self.vmops, '_file_inject_vm_settings')).mock self.mock_create_vifs = self.useFixture( fixtures.MockPatchObject(self.vmops, '_create_vifs')).mock - self.mock_setup_basic_filtering = self.useFixture( - fixtures.MockPatchObject( - self.vmops.firewall_driver, 'setup_basic_filtering')).mock - self.mock_prepare_instance_filter = self.useFixture( - fixtures.MockPatchObject( - self.vmops.firewall_driver, 'prepare_instance_filter')).mock self.mock_start = self.useFixture( fixtures.MockPatchObject(self.vmops, '_start')).mock self.mock_wait_for_instance_to_start = self.useFixture( @@ -462,9 +456,6 @@ class SpawnTestCase(VMOpsTestBase): self.vmops, '_configure_new_instance_with_agent')).mock self.mock_remove_hostname = self.useFixture( fixtures.MockPatchObject(self.vmops, '_remove_hostname')).mock - self.mock_apply_instance_filter = self.useFixture( - fixtures.MockPatchObject( - self.vmops.firewall_driver, 'apply_instance_filter')).mock self.mock_update_last_dom_id = self.useFixture( fixtures.MockPatchObject(self.vmops, '_update_last_dom_id')).mock self.mock_call_xenapi = self.useFixture( @@ -498,7 +489,7 @@ class SpawnTestCase(VMOpsTestBase): admin_password = "password" if network_info is None: network_info = [] - steps = 10 + steps = 9 if rescue: steps += 1 @@ -564,10 +555,6 @@ class SpawnTestCase(VMOpsTestBase): expected_update_instance_progress_calls.append( mock.call(context, instance, step, steps)) - step += 1 - expected_update_instance_progress_calls.append( - mock.call(context, instance, step, steps)) - if neutron_exception: events = [('network-vif-plugged', 1)] self.stub_out('nova.virt.xenapi.vmops.VMOps.' @@ -583,7 +570,6 @@ class SpawnTestCase(VMOpsTestBase): side_effect=( exception.VirtualInterfaceCreateException))).mock else: - self.mock_setup_basic_filtering.side_effect = NotImplementedError step += 1 expected_update_instance_progress_calls.append( mock.call(context, instance, step, steps)) @@ -605,7 +591,7 @@ class SpawnTestCase(VMOpsTestBase): if throw_exception: self.mock_update_instance_progress.side_effect = [ - None, None, None, None, None, None, None, None, None, + None, None, None, None, None, None, None, None, throw_exception] self.vmops.spawn(context, instance, image_meta, injected_files, @@ -669,18 +655,12 @@ class SpawnTestCase(VMOpsTestBase): else: self.mock_create_vifs.assert_called_once_with(instance, vm_ref, network_info) - self.mock_setup_basic_filtering.assert_called_once_with( - instance, network_info) - self.mock_prepare_instance_filter.assert_called_once_with( - instance, network_info) self.mock_wait_for_instance_to_start.assert_called_once_with( instance, vm_ref) self.mock_configure_new_instance_w_agent.assert_called_once_with( instance, vm_ref, injected_files, admin_password) self.mock_remove_hostname.assert_called_once_with( instance, vm_ref) - self.mock_apply_instance_filter.assert_called_once_with( - instance, network_info) self.mock_update_last_dom_id.assert_called_once_with(vm_ref) self.mock_call_xenapi.assert_called_once_with('VM.unpause', vm_ref) @@ -898,7 +878,6 @@ class SpawnTestCase(VMOpsTestBase): rescue = False self.mock_create_vm_record.return_value = vm_ref self.mock_get_instance_pci_devs.return_value = [] - self.mock_setup_basic_filtering.side_effect = NotImplementedError if power_on: expected_call_xenapi.append(mock.call('VM.unpause', vm_ref)) @@ -937,12 +916,6 @@ class SpawnTestCase(VMOpsTestBase): instance, vm_ref, vdis, network_info) self.mock_create_vifs.assert_called_once_with( instance, vm_ref, network_info) - self.mock_setup_basic_filtering.assert_called_once_with(instance, - network_info) - self.mock_prepare_instance_filter.assert_called_once_with( - instance, network_info) - self.mock_apply_instance_filter.assert_called_once_with( - instance, network_info) self.mock_attach_vgpu.assert_called_once_with(vm_ref, vgpu_info, instance) mock_import_all_migrated_disks.assert_called_once_with( diff --git a/nova/tests/unit/virt/xenapi/test_xenapi.py b/nova/tests/unit/virt/xenapi/test_xenapi.py index 27d65fff586f..8bc1e2b1e34c 100644 --- a/nova/tests/unit/virt/xenapi/test_xenapi.py +++ b/nova/tests/unit/virt/xenapi/test_xenapi.py @@ -232,8 +232,6 @@ class XenAPIVolumeTestCase(stubs.XenAPITestBaseNoDB): self.fixture = self.useFixture(config_fixture.Config(lockutils.CONF)) self.fixture.config(disable_process_locking=True, group='oslo_concurrency') - self.flags(firewall_driver='nova.virt.xenapi.firewall.' - 'Dom0IptablesFirewallDriver') self.flags(connection_url='http://localhost', connection_password='test_pass', group='xenserver') @@ -289,9 +287,7 @@ class XenAPIVMTestCase(stubs.XenAPITestBase, self.fixture = self.useFixture(config_fixture.Config(lockutils.CONF)) self.fixture.config(disable_process_locking=True, group='oslo_concurrency') - self.flags(instance_name_template='%d', - firewall_driver='nova.virt.xenapi.firewall.' - 'Dom0IptablesFirewallDriver') + self.flags(instance_name_template='%d') self.flags(connection_url='http://localhost', connection_password='test_pass', group='xenserver') @@ -334,12 +330,6 @@ class XenAPIVMTestCase(stubs.XenAPITestBase, fake_image.FakeImageService_reset() super(XenAPIVMTestCase, self).tearDown() - def stubout_firewall_driver(self): - self.stub_out('nova.virt.firewall.IptablesFirewallDriver.' - 'prepare_instance_filter', lambda *args: None) - self.stub_out('nova.virt.firewall.IptablesFirewallDriver.' - 'instance_filter_exists', lambda *args: None) - def stubout_instance_snapshot(self): self.stub_out('nova.virt.xenapi.vm_utils._fetch_image', lambda context, session, instance, name_label, @@ -610,9 +600,6 @@ class XenAPIVMTestCase(stubs.XenAPITestBase, mock_create_vbd.side_effect = create_bad_vbd self.stubout_instance_snapshot() - # Stubbing out firewall driver as previous stub sets alters - # xml rpc result parsing - self.stubout_firewall_driver() instance = self._create_instance() image_id = "my_snapshot_id" @@ -635,9 +622,6 @@ class XenAPIVMTestCase(stubs.XenAPITestBase, self.stubout_instance_snapshot() self.stubout_is_snapshot() - # Stubbing out firewall driver as previous stub sets alters - # xml rpc result parsing - self.stubout_firewall_driver() instance = self._create_instance() @@ -1670,8 +1654,6 @@ class XenAPIMigrateInstance(stubs.XenAPITestBase): self.flags(connection_url='http://localhost', connection_password='test_pass', group='xenserver') - self.flags(firewall_driver='nova.virt.xenapi.firewall.' - 'Dom0IptablesFirewallDriver') stubs.stubout_session(self, stubs.FakeSessionForVMTests) db_fakes.stub_out_db_instance_api(self) xenapi_fake.create_network('fake', 'fake_br1') @@ -2469,8 +2451,6 @@ class XenAPIAutoDiskConfigTestCase(stubs.XenAPITestBase): self.flags(connection_url='http://localhost', connection_password='test_pass', group='xenserver') - self.flags(firewall_driver='nova.virt.xenapi.firewall.' - 'Dom0IptablesFirewallDriver') stubs.stubout_session(self, stubs.FakeSessionForVMTests) self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False) @@ -2582,8 +2562,6 @@ class XenAPIGenerateLocal(stubs.XenAPITestBase): self.flags(connection_url='http://localhost', connection_password='test_pass', group='xenserver') - self.flags(firewall_driver='nova.virt.xenapi.firewall.' - 'Dom0IptablesFirewallDriver') stubs.stubout_session(self, stubs.FakeSessionForVMTests) db_fakes.stub_out_db_instance_api(self) self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False) @@ -2693,8 +2671,6 @@ class XenAPIBWCountersTestCase(stubs.XenAPITestBaseNoDB): self.flags(connection_url='http://localhost', connection_password='test_pass', group='xenserver') - self.flags(firewall_driver='nova.virt.xenapi.firewall.' - 'Dom0IptablesFirewallDriver') stubs.stubout_session(self, stubs.FakeSessionForVMTests) self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False) @@ -2755,282 +2731,6 @@ class XenAPIBWCountersTestCase(stubs.XenAPITestBaseNoDB): self.assertEqual(result, []) -# TODO(salvatore-orlando): this class and -# nova.tests.unit.virt.test_libvirt.IPTablesFirewallDriverTestCase -# share a lot of code. Consider abstracting common code in a base -# class for firewall driver testing. -# -# FIXME(sirp): convert this to use XenAPITestBaseNoDB -class XenAPIDom0IptablesFirewallTestCase(stubs.XenAPITestBase): - - REQUIRES_LOCKING = True - - _in_rules = [ - '# Generated by iptables-save v1.4.10 on Sat Feb 19 00:03:19 2011', - '*nat', - ':PREROUTING ACCEPT [1170:189210]', - ':INPUT ACCEPT [844:71028]', - ':OUTPUT ACCEPT [5149:405186]', - ':POSTROUTING ACCEPT [5063:386098]', - '# Completed on Mon Dec 6 11:54:13 2010', - '# Generated by iptables-save v1.4.4 on Mon Dec 6 11:54:13 2010', - '*mangle', - ':INPUT ACCEPT [969615:281627771]', - ':FORWARD ACCEPT [0:0]', - ':OUTPUT ACCEPT [915599:63811649]', - ':nova-block-ipv4 - [0:0]', - '[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT ', - '[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED' - ',ESTABLISHED -j ACCEPT ', - '[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT ', - '[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT ', - '[0:0] -A FORWARD -o virbr0 -j REJECT ' - '--reject-with icmp-port-unreachable ', - '[0:0] -A FORWARD -i virbr0 -j REJECT ' - '--reject-with icmp-port-unreachable ', - 'COMMIT', - '# Completed on Mon Dec 6 11:54:13 2010', - '# Generated by iptables-save v1.4.4 on Mon Dec 6 11:54:13 2010', - '*filter', - ':INPUT ACCEPT [969615:281627771]', - ':FORWARD ACCEPT [0:0]', - ':OUTPUT ACCEPT [915599:63811649]', - ':nova-block-ipv4 - [0:0]', - '[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT ', - '[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED' - ',ESTABLISHED -j ACCEPT ', - '[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT ', - '[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT ', - '[0:0] -A FORWARD -o virbr0 -j REJECT ' - '--reject-with icmp-port-unreachable ', - '[0:0] -A FORWARD -i virbr0 -j REJECT ' - '--reject-with icmp-port-unreachable ', - 'COMMIT', - '# Completed on Mon Dec 6 11:54:13 2010', - ] - - _in6_filter_rules = [ - '# Generated by ip6tables-save v1.4.4 on Tue Jan 18 23:47:56 2011', - '*filter', - ':INPUT ACCEPT [349155:75810423]', - ':FORWARD ACCEPT [0:0]', - ':OUTPUT ACCEPT [349256:75777230]', - 'COMMIT', - '# Completed on Tue Jan 18 23:47:56 2011', - ] - - def setUp(self): - super(XenAPIDom0IptablesFirewallTestCase, self).setUp() - self.flags(connection_url='http://localhost', - connection_password='test_pass', - group='xenserver') - self.flags(instance_name_template='%d', - firewall_driver='nova.virt.xenapi.firewall.' - 'Dom0IptablesFirewallDriver') - self.user_id = 'mappin' - self.project_id = 'fake' - stubs.stubout_session(self, stubs.FakeSessionForFirewallTests, - test_case=self) - self.context = context.RequestContext(self.user_id, self.project_id) - self.network = importutils.import_object(CONF.network_manager) - self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False) - self.fw = self.conn._vmops.firewall_driver - - def _create_instance_ref(self): - return db.instance_create(self.context, - {'user_id': self.user_id, - 'project_id': self.project_id, - 'instance_type_id': 1}) - - def _create_test_security_group(self): - admin_ctxt = context.get_admin_context() - secgroup = db.security_group_create(admin_ctxt, - {'user_id': self.user_id, - 'project_id': self.project_id, - 'name': 'testgroup', - 'description': 'test group'}) - db.security_group_rule_create(admin_ctxt, - {'parent_group_id': secgroup['id'], - 'protocol': 'icmp', - 'from_port': -1, - 'to_port': -1, - 'cidr': '192.168.11.0/24'}) - - db.security_group_rule_create(admin_ctxt, - {'parent_group_id': secgroup['id'], - 'protocol': 'icmp', - 'from_port': 8, - 'to_port': -1, - 'cidr': '192.168.11.0/24'}) - - db.security_group_rule_create(admin_ctxt, - {'parent_group_id': secgroup['id'], - 'protocol': 'tcp', - 'from_port': 80, - 'to_port': 81, - 'cidr': '192.168.10.0/24'}) - return secgroup - - def _validate_security_group(self): - in_rules = [l for l in self._in_rules if not l.startswith('#')] - for rule in in_rules: - if 'nova' not in rule: - self.assertIn(rule, self._out_rules, - 'Rule went missing: %s' % rule) - - instance_chain = None - for rule in self._out_rules: - # This is pretty crude, but it'll do for now - # last two octets change - if re.search('-d 192.168.[0-9]{1,3}.[0-9]{1,3} -j', rule): - instance_chain = rule.split(' ')[-1] - break - self.assertTrue(instance_chain, "The instance chain wasn't added") - security_group_chain = None - for rule in self._out_rules: - # This is pretty crude, but it'll do for now - if '-A %s -j' % instance_chain in rule: - security_group_chain = rule.split(' ')[-1] - break - self.assertTrue(security_group_chain, - "The security group chain wasn't added") - - regex = re.compile(r'\[0\:0\] -A .* -j ACCEPT -p icmp' - ' -s 192.168.11.0/24') - match_rules = [rule for rule in self._out_rules if regex.match(rule)] - self.assertGreater(len(match_rules), 0, - "ICMP acceptance rule wasn't added") - - regex = re.compile(r'\[0\:0\] -A .* -j ACCEPT -p icmp -m icmp' - ' --icmp-type 8 -s 192.168.11.0/24') - match_rules = [rule for rule in self._out_rules if regex.match(rule)] - self.assertGreater(len(match_rules), 0, - "ICMP Echo Request acceptance rule wasn't added") - - regex = re.compile(r'\[0\:0\] -A .* -j ACCEPT -p tcp --dport 80:81' - ' -s 192.168.10.0/24') - match_rules = [rule for rule in self._out_rules if regex.match(rule)] - self.assertGreater(len(match_rules), 0, - "TCP port 80/81 acceptance rule wasn't added") - - def test_static_filters(self): - instance_ref = self._create_instance_ref() - src_instance_ref = self._create_instance_ref() - admin_ctxt = context.get_admin_context() - secgroup = self._create_test_security_group() - - src_secgroup = db.security_group_create(admin_ctxt, - {'user_id': self.user_id, - 'project_id': self.project_id, - 'name': 'testsourcegroup', - 'description': 'src group'}) - db.security_group_rule_create(admin_ctxt, - {'parent_group_id': secgroup['id'], - 'protocol': 'tcp', - 'from_port': 80, - 'to_port': 81, - 'group_id': src_secgroup['id']}) - - db.instance_add_security_group(admin_ctxt, instance_ref['uuid'], - secgroup['id']) - db.instance_add_security_group(admin_ctxt, src_instance_ref['uuid'], - src_secgroup['id']) - instance_ref = db.instance_get(admin_ctxt, instance_ref['id']) - src_instance_ref = db.instance_get(admin_ctxt, src_instance_ref['id']) - - network_model = fake_network.fake_get_instance_nw_info(self, 1) - - self.stub_out('nova.objects.Instance.get_network_info', - lambda instance: network_model) - - self.fw.prepare_instance_filter(instance_ref, network_model) - self.fw.apply_instance_filter(instance_ref, network_model) - - self._validate_security_group() - # Extra test for TCP acceptance rules - for ip in network_model.fixed_ips(): - if ip['version'] != 4: - continue - regex = re.compile(r'\[0\:0\] -A .* -j ACCEPT -p tcp' - ' --dport 80:81 -s %s' % ip['address']) - match_rules = [rule for rule in self._out_rules - if regex.match(rule)] - self.assertGreater(len(match_rules), 0, - "TCP port 80/81 acceptance rule wasn't added") - - db.instance_destroy(admin_ctxt, instance_ref['uuid']) - - def test_filters_for_instance_with_ip_v6(self): - self.flags(use_ipv6=True) - network_info = fake_network.fake_get_instance_nw_info(self, 1) - rulesv4, rulesv6 = self.fw._filters_for_instance("fake", network_info) - self.assertEqual(len(rulesv4), 2) - self.assertEqual(len(rulesv6), 1) - - def test_filters_for_instance_without_ip_v6(self): - self.flags(use_ipv6=False) - network_info = fake_network.fake_get_instance_nw_info(self, 1) - rulesv4, rulesv6 = self.fw._filters_for_instance("fake", network_info) - self.assertEqual(len(rulesv4), 2) - self.assertEqual(len(rulesv6), 0) - - def test_multinic_iptables(self): - ipv4_rules_per_addr = 1 - ipv4_addr_per_network = 2 - ipv6_rules_per_addr = 1 - ipv6_addr_per_network = 1 - networks_count = 5 - instance_ref = self._create_instance_ref() - _get_instance_nw_info = fake_network.fake_get_instance_nw_info - network_info = _get_instance_nw_info(self, - networks_count, - ipv4_addr_per_network) - network_info[0]['network']['subnets'][0]['meta']['dhcp_server'] = \ - '1.1.1.1' - ipv4_len = len(self.fw.iptables.ipv4['filter'].rules) - ipv6_len = len(self.fw.iptables.ipv6['filter'].rules) - inst_ipv4, inst_ipv6 = self.fw.instance_rules(instance_ref, - network_info) - self.fw.prepare_instance_filter(instance_ref, network_info) - ipv4 = self.fw.iptables.ipv4['filter'].rules - ipv6 = self.fw.iptables.ipv6['filter'].rules - ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len - ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len - # Extra rules are for the DHCP request - rules = (ipv4_rules_per_addr * ipv4_addr_per_network * - networks_count) + 2 - self.assertEqual(ipv4_network_rules, rules) - self.assertEqual(ipv6_network_rules, - ipv6_rules_per_addr * ipv6_addr_per_network * networks_count) - - def test_do_refresh_security_group_rules(self): - admin_ctxt = context.get_admin_context() - instance_ref = self._create_instance_ref() - network_info = fake_network.fake_get_instance_nw_info(self, 1, 1) - secgroup = self._create_test_security_group() - db.instance_add_security_group(admin_ctxt, instance_ref['uuid'], - secgroup['id']) - self.fw.prepare_instance_filter(instance_ref, network_info) - self.fw.instance_info[instance_ref['id']] = (instance_ref, - network_info) - self._validate_security_group() - # add a rule to the security group - db.security_group_rule_create(admin_ctxt, - {'parent_group_id': secgroup['id'], - 'protocol': 'udp', - 'from_port': 200, - 'to_port': 299, - 'cidr': '192.168.99.0/24'}) - # validate the extra rule - self.fw.refresh_security_group_rules(secgroup) - regex = re.compile(r'\[0\:0\] -A .* -j ACCEPT -p udp --dport 200:299' - ' -s 192.168.99.0/24') - match_rules = [rule for rule in self._out_rules if regex.match(rule)] - self.assertGreater(len(match_rules), 0, - "Rules were not updated properly. " - "The rule for UDP acceptance is missing") - - class XenAPISRSelectionTestCase(stubs.XenAPITestBaseNoDB): """Unit tests for testing we find the right SR.""" def test_safe_find_sr_raise_exception(self): @@ -3110,8 +2810,6 @@ class XenAPIAggregateTestCase(stubs.XenAPITestBase): connection_password='test_pass', group='xenserver') self.flags(instance_name_template='%d', - firewall_driver='nova.virt.xenapi.firewall.' - 'Dom0IptablesFirewallDriver', host='host', compute_driver='xenapi.XenAPIDriver', default_availability_zone='avail_zone1') @@ -3466,9 +3164,7 @@ class XenAPILiveMigrateTestCase(stubs.XenAPITestBaseNoDB): self.flags(connection_url='http://localhost', connection_password='test_pass', group='xenserver') - self.flags(firewall_driver='nova.virt.xenapi.firewall.' - 'Dom0IptablesFirewallDriver', - host='host') + self.flags(host='host') db_fakes.stub_out_db_instance_api(self) self.context = context.get_admin_context() @@ -3492,12 +3188,6 @@ class XenAPILiveMigrateTestCase(stubs.XenAPITestBaseNoDB): self.assertTrue(result) pre.assert_called_with("ctx", "inst", "bdi", "nw", "di", "data") - @mock.patch('nova.virt.firewall.IptablesFirewallDriver.' - 'apply_instance_filter') - @mock.patch('nova.virt.firewall.IptablesFirewallDriver.' - 'prepare_instance_filter') - @mock.patch('nova.virt.firewall.IptablesFirewallDriver.' - 'setup_basic_filtering') @mock.patch.object(vm_utils, 'create_kernel_and_ramdisk', return_value=('fake-kernel-file', 'fake-ramdisk-file')) @mock.patch.object(vm_utils, 'strip_base_mirror_from_vdis') @@ -3505,9 +3195,7 @@ class XenAPILiveMigrateTestCase(stubs.XenAPITestBaseNoDB): @mock.patch.object(vmops.VMOps, '_post_start_actions') def test_post_live_migration_at_destination( self, mock_post_action, mock_get_vm_opaque_ref, - mock_strip_base_mirror_from_vdis, mock_create_kernel_and_ramdisk, - mock_setup_basic_filtering, mock_prepare_instance_filter, - mock_apply_instance_filter): + mock_strip_base_mirror_from_vdis, mock_create_kernel_and_ramdisk): # ensure method is present stubs.stubout_session(self, stubs.FakeSessionForVMTests) self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False) @@ -3523,12 +3211,6 @@ class XenAPILiveMigrateTestCase(stubs.XenAPITestBaseNoDB): mock_create_kernel_and_ramdisk.assert_called_once_with( self.context, self.conn._session, fake_instance, fake_instance['name']) - mock_setup_basic_filtering.assert_called_once_with(fake_instance, - fake_network_info) - mock_prepare_instance_filter.assert_called_once_with(fake_instance, - fake_network_info) - mock_apply_instance_filter.assert_called_once_with(fake_instance, - fake_network_info) @mock.patch.object(vm_utils, 'host_in_this_pool') def test_check_can_live_migrate_destination_with_block_migration( @@ -3968,8 +3650,6 @@ class XenAPIInjectMetadataTestCase(stubs.XenAPITestBaseNoDB): self.flags(connection_url='http://localhost', connection_password='test_pass', group='xenserver') - self.flags(firewall_driver='nova.virt.xenapi.firewall.' - 'Dom0IptablesFirewallDriver') stubs.stubout_session(self, stubs.FakeSessionForVMTests) self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False) diff --git a/nova/virt/driver.py b/nova/virt/driver.py index a8740cae086e..718c13a87fca 100644 --- a/nova/virt/driver.py +++ b/nova/virt/driver.py @@ -1301,68 +1301,11 @@ class ComputeDriver(object): """ raise NotImplementedError() - def refresh_security_group_rules(self, security_group_id): - """This method is called after a change to security groups. - - All security groups and their associated rules live in the datastore, - and calling this method should apply the updated rules to instances - running the specified security group. - - An error should be raised if the operation cannot complete. - - """ - # TODO(Vek): Need to pass context in for access to auth_token - raise NotImplementedError() - - def refresh_instance_security_rules(self, instance): - """Refresh security group rules - - Gets called when an instance gets added to or removed from - the security group the instance is a member of or if the - group gains or loses a rule. - """ - raise NotImplementedError() - def reset_network(self, instance): """reset networking for specified instance.""" # TODO(Vek): Need to pass context in for access to auth_token pass - def ensure_filtering_rules_for_instance(self, instance, network_info): - """Setting up filtering rules and waiting for its completion. - - To migrate an instance, filtering rules to hypervisors - and firewalls are inevitable on destination host. - ( Waiting only for filtering rules to hypervisor, - since filtering rules to firewall rules can be set faster). - - Concretely, the below method must be called. - - setup_basic_filtering (for nova-basic, etc.) - - prepare_instance_filter(for nova-instance-instance-xxx, etc.) - - Don't use thread for this method since migration should - not be started when setting-up filtering rules operations - are not completed. - - :param instance: nova.objects.instance.Instance object - - """ - # TODO(Vek): Need to pass context in for access to auth_token - raise NotImplementedError() - - def filter_defer_apply_on(self): - """Defer application of IPTables rules.""" - pass - - def filter_defer_apply_off(self): - """Turn off deferral of IPTables rules and apply the rules now.""" - pass - - def unfilter_instance(self, instance, network_info): - """Stop filtering instance.""" - # TODO(Vek): Need to pass context in for access to auth_token - raise NotImplementedError() - def set_admin_password(self, instance, new_pass): """Set the root password on the specified instance. diff --git a/nova/virt/fake.py b/nova/virt/fake.py index 69a97b311e1c..54231d1ce529 100644 --- a/nova/virt/fake.py +++ b/nova/virt/fake.py @@ -487,12 +487,6 @@ class FakeDriver(driver.ComputeDriver): 'username': 'fakeuser', 'password': 'fakepassword'} - def refresh_security_group_rules(self, security_group_id): - return True - - def refresh_instance_security_rules(self, instance): - return True - def get_available_resource(self, nodename): """Updates compute manager resource info on ComputeNode table. @@ -556,9 +550,6 @@ class FakeDriver(driver.ComputeDriver): } provider_tree.update_inventory(nodename, inventory) - def ensure_filtering_rules_for_instance(self, instance, network_info): - return - def get_instance_disk_info(self, instance, block_device_info=None): return @@ -634,9 +625,6 @@ class FakeDriver(driver.ComputeDriver): migrate_data=None): return - def unfilter_instance(self, instance, network_info): - return - def _test_remove_vm(self, instance_uuid): """Removes the named VM, as if it crashed. For testing.""" self.instances.pop(instance_uuid) diff --git a/nova/virt/hyperv/driver.py b/nova/virt/hyperv/driver.py index f86a3dd40914..6385ad692c90 100644 --- a/nova/virt/hyperv/driver.py +++ b/nova/virt/hyperv/driver.py @@ -299,13 +299,6 @@ class HyperVDriver(driver.ComputeDriver): """Unplug VIFs from networks.""" self._vmops.unplug_vifs(instance, network_info) - def ensure_filtering_rules_for_instance(self, instance, network_info): - LOG.debug("ensure_filtering_rules_for_instance called", - instance=instance) - - def unfilter_instance(self, instance, network_info): - LOG.debug("unfilter_instance called", instance=instance) - def migrate_disk_and_power_off(self, context, instance, dest, flavor, network_info, block_device_info=None, diff --git a/nova/virt/ironic/driver.py b/nova/virt/ironic/driver.py index ae7d925c0f81..502daa36541b 100644 --- a/nova/virt/ironic/driver.py +++ b/nova/virt/ironic/driver.py @@ -52,7 +52,6 @@ from nova import servicegroup from nova import utils from nova.virt import configdrive from nova.virt import driver as virt_driver -from nova.virt import firewall from nova.virt import hardware from nova.virt.ironic import client_wrapper from nova.virt.ironic import ironic_states @@ -194,8 +193,6 @@ class IronicDriver(virt_driver.ComputeDriver): ironic.client = importutils.import_module( 'ironicclient.client') - self.firewall_driver = firewall.load_driver( - default='nova.virt.firewall.NoopFirewallDriver') self.node_cache = {} self.node_cache_time = 0 self.servicegroup_api = servicegroup.API() @@ -381,14 +378,6 @@ class IronicDriver(virt_driver.ComputeDriver): } return dic - def _start_firewall(self, instance, network_info): - self.firewall_driver.setup_basic_filtering(instance, network_info) - self.firewall_driver.prepare_instance_filter(instance, network_info) - self.firewall_driver.apply_instance_filter(instance, network_info) - - def _stop_firewall(self, instance, network_info): - self.firewall_driver.unfilter_instance(instance, network_info) - def _set_instance_id(self, node, instance): try: # NOTE(TheJulia): Assert an instance ID to lock the node @@ -521,7 +510,6 @@ class IronicDriver(virt_driver.ComputeDriver): remove_instance_info=True): self._cleanup_volume_target_info(instance) self._unplug_vifs(node, instance, network_info) - self._stop_firewall(instance, network_info) if remove_instance_info: self._remove_instance_info_from_node(node, instance) @@ -1229,17 +1217,6 @@ class IronicDriver(virt_driver.ComputeDriver): 'power': validate_chk.power, 'storage': validate_chk.storage}) - # prepare for the deploy - try: - self._start_firewall(instance, network_info) - except Exception: - with excutils.save_and_reraise_exception(): - LOG.error("Error preparing deploy for instance " - "%(instance)s on baremetal node %(node)s.", - {'instance': instance.uuid, - 'node': node_uuid}) - self._cleanup_deploy(node, instance, network_info) - # Config drive configdrive_value = None if configdrive.required_by(instance): @@ -1563,47 +1540,6 @@ class IronicDriver(virt_driver.ComputeDriver): LOG.info('Successfully triggered crash dump into Ironic node %s', node.uuid, instance=instance) - def refresh_security_group_rules(self, security_group_id): - """Refresh security group rules from data store. - - Invoked when security group rules are updated. - - :param security_group_id: The security group id. - - """ - self.firewall_driver.refresh_security_group_rules(security_group_id) - - def refresh_instance_security_rules(self, instance): - """Refresh security group rules from data store. - - Gets called when an instance gets added to or removed from - the security group the instance is a member of or if the - group gains or loses a rule. - - :param instance: The instance object. - - """ - self.firewall_driver.refresh_instance_security_rules(instance) - - def ensure_filtering_rules_for_instance(self, instance, network_info): - """Set up filtering rules. - - :param instance: The instance object. - :param network_info: Instance network information. - - """ - self.firewall_driver.setup_basic_filtering(instance, network_info) - self.firewall_driver.prepare_instance_filter(instance, network_info) - - def unfilter_instance(self, instance, network_info): - """Stop filtering instance. - - :param instance: The instance object. - :param network_info: Instance network information. - - """ - self.firewall_driver.unfilter_instance(instance, network_info) - def _plug_vif(self, node, port_id): last_attempt = 5 for attempt in range(0, last_attempt + 1): diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py index bd52286c6f5c..da6a4fbc6d5a 100644 --- a/nova/virt/libvirt/driver.py +++ b/nova/virt/libvirt/driver.py @@ -104,14 +104,12 @@ from nova.virt import configdrive from nova.virt.disk import api as disk_api from nova.virt.disk.vfs import guestfs from nova.virt import driver -from nova.virt import firewall from nova.virt import hardware from nova.virt.image import model as imgmodel from nova.virt import images from nova.virt.libvirt import blockinfo from nova.virt.libvirt import config as vconfig from nova.virt.libvirt import designer -from nova.virt.libvirt import firewall as libvirt_firewall from nova.virt.libvirt import guest as libvirt_guest from nova.virt.libvirt import host from nova.virt.libvirt import imagebackend @@ -136,10 +134,6 @@ LOG = logging.getLogger(__name__) CONF = nova.conf.CONF -DEFAULT_FIREWALL_DRIVER = "%s.%s" % ( - libvirt_firewall.__name__, - libvirt_firewall.IptablesFirewallDriver.__name__) - DEFAULT_UEFI_LOADER_PATH = { "x86_64": ['/usr/share/OVMF/OVMF_CODE.fd', '/usr/share/OVMF/OVMF_CODE.secboot.fd', @@ -358,9 +352,6 @@ class LibvirtDriver(driver.ComputeDriver): self._fc_wwpns = None self._supported_perf_events = [] self.__has_hyperthreading = None - self.firewall_driver = firewall.load_driver( - DEFAULT_FIREWALL_DRIVER, - host=self._host) self.vif_driver = libvirt_vif.LibvirtGenericVIFDriver() @@ -1339,35 +1330,6 @@ class LibvirtDriver(driver.ComputeDriver): if destroy_vifs: self._unplug_vifs(instance, network_info, True) - # Continue attempting to remove firewall filters for the instance - # until it's done or there is a failure to remove the filters. If - # unfilter fails because the instance is not yet shutdown, try to - # destroy the guest again and then retry the unfilter. - while True: - try: - self.unfilter_instance(instance, network_info) - break - except libvirt.libvirtError as e: - try: - state = self.get_info(instance).state - except exception.InstanceNotFound: - state = power_state.SHUTDOWN - - if state != power_state.SHUTDOWN: - LOG.warning("Instance may be still running, destroy " - "it again.", instance=instance) - self._destroy(instance) - else: - errcode = e.get_error_code() - LOG.exception(_('Error from libvirt during unfilter. ' - 'Code=%(errcode)s Error=%(e)s'), - {'errcode': errcode, 'e': e}, - instance=instance) - reason = _("Error unfiltering instance.") - raise exception.InstanceTerminationFailure(reason=reason) - except Exception: - raise - # FIXME(wangpan): if the instance is booted again here, such as the # soft reboot operation boot it here, it will become # "running deleted", should we check and destroy it @@ -1561,7 +1523,6 @@ class LibvirtDriver(driver.ComputeDriver): if instance.host != CONF.host: self._undefine_domain(instance) self.unplug_vifs(instance, network_info) - self.unfilter_instance(instance, network_info) def _get_volume_driver(self, connection_info): driver_type = connection_info.get('driver_volume_type') @@ -2048,7 +2009,6 @@ class LibvirtDriver(driver.ComputeDriver): guest = self._host.get_guest(instance) self.vif_driver.plug(instance, vif) - self.firewall_driver.setup_basic_filtering(instance, [vif]) cfg = self.vif_driver.get_config(instance, vif, image_meta, instance.flavor, CONF.libvirt.virt_type, @@ -6213,19 +6173,12 @@ class LibvirtDriver(driver.ComputeDriver): instance, events, deadline=timeout, error_callback=self._neutron_failed_callback): self.plug_vifs(instance, network_info) - self.firewall_driver.setup_basic_filtering(instance, - network_info) - self.firewall_driver.prepare_instance_filter(instance, - network_info) with self._lxc_disk_handler(context, instance, instance.image_meta, block_device_info): guest = self._create_domain( xml, pause=pause, power_on=power_on, post_xml_callback=post_xml_callback) - - self.firewall_driver.apply_instance_filter(instance, - network_info) except exception.VirtualInterfaceCreateException: # Neutron reported failure and we didn't swallow it, so # bail here @@ -7169,12 +7122,6 @@ class LibvirtDriver(driver.ComputeDriver): 'username': 'fakeuser', 'password': 'fakepassword'} - def refresh_security_group_rules(self, security_group_id): - self.firewall_driver.refresh_security_group_rules(security_group_id) - - def refresh_instance_security_rules(self, instance): - self.firewall_driver.refresh_instance_security_rules(instance) - def update_provider_tree(self, provider_tree, nodename, allocations=None): """Update a ProviderTree object with current resource provider, inventory information and CPU traits. @@ -8337,40 +8284,6 @@ class LibvirtDriver(driver.ComputeDriver): tmp_file = os.path.join(CONF.instances_path, filename) os.remove(tmp_file) - def ensure_filtering_rules_for_instance(self, instance, network_info): - """Ensure that an instance's filtering rules are enabled. - - When migrating an instance, we need the filtering rules to - be configured on the destination host before starting the - migration. - - Also, when restarting the compute service, we need to ensure - that filtering rules exist for all running services. - """ - - self.firewall_driver.setup_basic_filtering(instance, network_info) - self.firewall_driver.prepare_instance_filter(instance, - network_info) - - # nwfilters may be defined in a separate thread in the case - # of libvirt non-blocking mode, so we wait for completion - timeout_count = list(range(CONF.live_migration_retry_count)) - while timeout_count: - if self.firewall_driver.instance_filter_exists(instance, - network_info): - break - timeout_count.pop() - if len(timeout_count) == 0: - msg = _('The firewall filter for %s does not exist') - raise exception.InternalError(msg % instance.name) - greenthread.sleep(1) - - def filter_defer_apply_on(self): - self.firewall_driver.filter_defer_apply_on() - - def filter_defer_apply_off(self): - self.firewall_driver.filter_defer_apply_off() - def live_migration(self, context, instance, dest, post_method, recover_method, block_migration=False, migrate_data=None): @@ -9621,11 +9534,6 @@ class LibvirtDriver(driver.ComputeDriver): greenthread.sleep(0) return disk_over_committed_size - def unfilter_instance(self, instance, network_info): - """See comments of same method in firewall_driver.""" - self.firewall_driver.unfilter_instance(instance, - network_info=network_info) - def get_available_nodes(self, refresh=False): return [self._host.get_hostname()] @@ -10335,7 +10243,7 @@ class LibvirtDriver(driver.ComputeDriver): return shared_instance_path or shared_block_storage def inject_network_info(self, instance, nw_info): - self.firewall_driver.setup_basic_filtering(instance, nw_info) + pass def delete_instance_files(self, instance): target = libvirt_utils.get_instance_path(instance) diff --git a/nova/virt/libvirt/vif.py b/nova/virt/libvirt/vif.py index 4bfc9d7240a4..fa81760e67dc 100644 --- a/nova/virt/libvirt/vif.py +++ b/nova/virt/libvirt/vif.py @@ -254,17 +254,6 @@ class LibvirtGenericVIFDriver(object): return (("qvb%s" % iface_id)[:network_model.NIC_NAME_LEN], ("qvo%s" % iface_id)[:network_model.NIC_NAME_LEN]) - @staticmethod - def is_no_op_firewall(): - return CONF.firewall_driver == "nova.virt.firewall.NoopFirewallDriver" - - def get_firewall_required_os_vif(self, vif): - if vif.has_traffic_filtering: - return False - if self.is_no_op_firewall(): - return False - return True - def get_config_bridge(self, instance, vif, image_meta, inst_type, virt_type, host): """Get VIF configurations for bridge type.""" @@ -276,10 +265,6 @@ class LibvirtGenericVIFDriver(object): conf, self.get_bridge_name(vif), self.get_vif_devname(vif)) - mac_id = vif['address'].replace(':', '') - name = "nova-instance-" + instance.name + "-" + mac_id - if self.get_firewall_required(vif): - conf.filtername = name designer.set_vif_bandwidth_config(conf, inst_type) self._set_mtu_config(vif, host, conf) @@ -467,11 +452,6 @@ class LibvirtGenericVIFDriver(object): conf.source_dev = vif.bridge_name conf.target_dev = vif.vif_name - if self.get_firewall_required_os_vif(vif): - mac_id = vif.address.replace(':', '') - name = "nova-instance-" + instance.name + "-" + mac_id - conf.filtername = name - def _set_config_VIFOpenVSwitch(self, instance, vif, conf, host=None): conf.net_type = "bridge" conf.source_dev = vif.bridge_name diff --git a/nova/virt/vmwareapi/driver.py b/nova/virt/vmwareapi/driver.py index 9676167dfbe8..5c17493dca19 100644 --- a/nova/virt/vmwareapi/driver.py +++ b/nova/virt/vmwareapi/driver.py @@ -285,9 +285,6 @@ class VMwareVCDriver(driver.ComputeDriver): network_info, image_meta, resize_instance, block_device_info, power_on) - def ensure_filtering_rules_for_instance(self, instance, network_info): - pass - def pre_live_migration(self, context, instance, block_device_info, network_info, disk_info, migrate_data): return migrate_data @@ -339,9 +336,6 @@ class VMwareVCDriver(driver.ComputeDriver): data.datastore_regex = CONF.vmware.datastore_regex return data - def unfilter_instance(self, instance, network_info): - pass - def rollback_live_migration_at_destination(self, context, instance, network_info, block_device_info, diff --git a/nova/virt/xenapi/driver.py b/nova/virt/xenapi/driver.py index fc08c3043263..c57052961e7e 100644 --- a/nova/virt/xenapi/driver.py +++ b/nova/virt/xenapi/driver.py @@ -618,12 +618,6 @@ class XenAPIDriver(driver.ComputeDriver): return dic - def ensure_filtering_rules_for_instance(self, instance, network_info): - # NOTE(salvatore-orlando): it enforces security groups on - # host initialization and live migration. - # In XenAPI we do not assume instances running upon host initialization - return - def check_can_live_migrate_destination(self, context, instance, src_compute_info, dst_compute_info, block_migration=False, disk_over_commit=False): @@ -771,26 +765,6 @@ class XenAPIDriver(driver.ComputeDriver): self._vmops.post_live_migration_at_destination(context, instance, network_info, block_device_info, block_device_info) - def unfilter_instance(self, instance, network_info): - """Removes security groups configured for an instance.""" - return self._vmops.unfilter_instance(instance, network_info) - - def refresh_security_group_rules(self, security_group_id): - """Updates security group rules for all instances associated with a - given security group. - - Invoked when security group rules are updated. - """ - return self._vmops.refresh_security_group_rules(security_group_id) - - def refresh_instance_security_rules(self, instance): - """Updates security group rules for specified instance. - - Invoked when instances are added/removed to a security group - or when a rule is added/removed to a security group. - """ - return self._vmops.refresh_instance_security_rules(instance) - def get_available_nodes(self, refresh=False): stats = self.host_state.get_host_stats(refresh=refresh) return [stats["hypervisor_hostname"]] diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py index f960deab505b..163db947c51a 100644 --- a/nova/virt/xenapi/vmops.py +++ b/nova/virt/xenapi/vmops.py @@ -55,7 +55,6 @@ from nova.pci import manager as pci_manager from nova import utils from nova.virt import configdrive from nova.virt import driver as virt_driver -from nova.virt import firewall from nova.virt.xenapi import agent as xapi_agent from nova.virt.xenapi.image import utils as image_utils from nova.virt.xenapi import vif as xapi_vif @@ -69,10 +68,6 @@ LOG = logging.getLogger(__name__) CONF = nova.conf.CONF -DEFAULT_FIREWALL_DRIVER = "%s.%s" % ( - firewall.__name__, - firewall.IptablesFirewallDriver.__name__) - RESIZE_TOTAL_STEPS = 5 DEVICE_ROOT = '0' @@ -145,9 +140,6 @@ class VMOps(object): self._session = session self._virtapi = virtapi self._volumeops = volumeops.VolumeOps(self._session) - self.firewall_driver = firewall.load_driver( - DEFAULT_FIREWALL_DRIVER, - xenapi_session=self._session) self.vif_driver = xapi_vif.XenAPIOpenVswitchDriver( xenapi_session=self._session) self.default_root_dev = '/dev/sda' @@ -587,7 +579,6 @@ class VMOps(object): @step def setup_network_step(undo_mgr, vm_ref): self._create_vifs(instance, vm_ref, network_info) - self._prepare_instance_filter(instance, network_info) @step def start_paused_step(undo_mgr, vm_ref): @@ -602,10 +593,6 @@ class VMOps(object): injected_files, admin_password) self._remove_hostname(instance, vm_ref) - @step - def apply_security_group_filters_step(undo_mgr): - self.firewall_driver.apply_instance_filter(instance, network_info) - undo_mgr = utils.UndoManager() try: # NOTE(sirp): The create_disks() step will potentially take a @@ -651,7 +638,6 @@ class VMOps(object): except eventlet.timeout.Timeout: self._handle_neutron_event_timeout(instance, undo_mgr) - apply_security_group_filters_step(undo_mgr) boot_and_configure_instance_step(undo_mgr, vm_ref) if completed_callback: completed_callback() @@ -974,19 +960,6 @@ class VMOps(object): agent.resetnetwork() agent.update_if_needed(version) - def _prepare_instance_filter(self, instance, network_info): - try: - self.firewall_driver.setup_basic_filtering( - instance, network_info) - except NotImplementedError: - # NOTE(salvatore-orlando): setup_basic_filtering might be - # empty or not implemented at all, as basic filter could - # be implemented with VIF rules created by xapi plugin - pass - - self.firewall_driver.prepare_instance_filter(instance, - network_info) - def _get_vm_opaque_ref(self, instance, check_rescue=False): """Get xapi OpaqueRef from a db record. :param check_rescue: if True will return the 'name'-rescue vm if it @@ -1766,8 +1739,6 @@ class VMOps(object): self._destroy_kernel_ramdisk(instance, vm_ref) self.unplug_vifs(instance, network_info, vm_ref) - self.firewall_driver.unfilter_instance( - instance, network_info=network_info) vm_utils.destroy_vm(self._session, instance, vm_ref) def pause(self, instance): @@ -2227,19 +2198,6 @@ class VMOps(object): """ self._session.call_xenapi('VM.remove_from_xenstore_data', vm_ref, key) - def refresh_security_group_rules(self, security_group_id): - """recreates security group rules for every instance.""" - self.firewall_driver.refresh_security_group_rules(security_group_id) - - def refresh_instance_security_rules(self, instance): - """recreates security group rules for specified instance.""" - self.firewall_driver.refresh_instance_security_rules(instance) - - def unfilter_instance(self, instance_ref, network_info): - """Removes filters for each VIF of the specified instance.""" - self.firewall_driver.unfilter_instance(instance_ref, - network_info=network_info) - def _get_host_opaque_ref(self, hostname): host_ref_set = self._session.host.get_by_name_label(hostname) # If xenapi can't get host ref by the name label, it means the @@ -2645,11 +2603,6 @@ class VMOps(object): def post_live_migration_at_destination(self, context, instance, network_info, block_migration, block_device_info): - # FIXME(johngarbutt): we should block all traffic until we have - # applied security groups, however this requires changes to XenServer - self._prepare_instance_filter(instance, network_info) - self.firewall_driver.apply_instance_filter(instance, network_info) - # hook linux bridge and ovs bridge at destination self._post_start_actions(instance) vm_utils.create_kernel_and_ramdisk(context, self._session, instance, @@ -2748,8 +2701,6 @@ class VMOps(object): # plug VIF self.vif_driver.plug(instance, vif, vm_ref=vm_ref, device=device) - # set firewall filtering - self.firewall_driver.setup_basic_filtering(instance, [vif]) except exception.NovaException: with excutils.save_and_reraise_exception(): LOG.exception(_('attach network interface %s failed.'),