Introduce "icmp" option for security group rule

This change introduces new datastore option "icmp" to configure whether to permit ICMP. It helps users to check DB instance health in different way from access DB ports. DocImpact Closes-Bug: #1485884 Change-Id: I61edeb38ded5543b7976a01363108a7b5b4fc5b5
2015-08-14 16:45:21 +09:00 · 2015-08-14 16:45:21 +09:00 · 1584f198a5
parent e19876465b
commit 1584f198a5
5 changed files with 57 additions and 11 deletions
--- a/etc/trove/trove-taskmanager.conf.sample
+++ b/etc/trove/trove-taskmanager.conf.sample
@ -216,6 +216,8 @@ rabbit_password=f7999d1955c5014aa32c
 #rabbit_virtual_host=/

 [mysql]
+# Whether to permit ICMP. default is False.
+icmp = True
 # Format (single port or port range): A, B-C
 # where C greater than B
 tcp_ports = 3306
--- a/releasenotes/notes/add-icmp-flag-58937cce344e77d9.yaml
+++ b/releasenotes/notes/add-icmp-flag-58937cce344e77d9.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - Add icmp option for DB security group.
+    if icmp=True, users will be allowed to
+    ping to DB instances.
--- a/trove/common/cfg.py
+++ b/trove/common/cfg.py
@ -480,6 +480,8 @@ mysql_group = cfg.OptGroup(
    'mysql', title='MySQL options',
    help="Oslo option group designed for MySQL datastore")
 mysql_opts = [
+    cfg.BoolOpt('icmp', default=False,
+                help='Whether to permit ICMP.'),
    cfg.ListOpt('tcp_ports', default=["3306"],
                help='List of TCP ports and/or port ranges to open '
                     'in the security group (only applicable '
@ -558,6 +560,8 @@ percona_group = cfg.OptGroup(
    'percona', title='Percona options',
    help="Oslo option group designed for Percona datastore")
 percona_opts = [
+    cfg.BoolOpt('icmp', default=False,
+                help='Whether to permit ICMP.'),
    cfg.ListOpt('tcp_ports', default=["3306"],
                help='List of TCP ports and/or port ranges to open '
                     'in the security group (only applicable '
@ -729,6 +733,8 @@ redis_group = cfg.OptGroup(
    'redis', title='Redis options',
    help="Oslo option group designed for Redis datastore")
 redis_opts = [
+    cfg.BoolOpt('icmp', default=False,
+                help='Whether to permit ICMP.'),
    cfg.ListOpt('tcp_ports', default=["6379", "16379"],
                help='List of TCP ports and/or port ranges to open '
                     'in the security group (only applicable '
@ -804,6 +810,8 @@ cassandra_group = cfg.OptGroup(
    'cassandra', title='Cassandra options',
    help="Oslo option group designed for Cassandra datastore")
 cassandra_opts = [
+    cfg.BoolOpt('icmp', default=False,
+                help='Whether to permit ICMP.'),
    cfg.ListOpt('tcp_ports', default=["7000", "7001", "7199", "9042", "9160"],
                help='List of TCP ports and/or port ranges to open '
                     'in the security group (only applicable '
@ -881,6 +889,8 @@ couchbase_group = cfg.OptGroup(
    'couchbase', title='Couchbase options',
    help="Oslo option group designed for Couchbase datastore")
 couchbase_opts = [
+    cfg.BoolOpt('icmp', default=False,
+                help='Whether to permit ICMP.'),
    cfg.ListOpt('tcp_ports',
                default=["8091", "8092", "4369", "11209-11211",
                         "21100-21199"],
@ -943,6 +953,8 @@ mongodb_group = cfg.OptGroup(
    'mongodb', title='MongoDB options',
    help="Oslo option group designed for MongoDB datastore")
 mongodb_opts = [
+    cfg.BoolOpt('icmp', default=False,
+                help='Whether to permit ICMP.'),
    cfg.ListOpt('tcp_ports', default=["2500", "27017", "27019"],
                help='List of TCP ports and/or port ranges to open '
                     'in the security group (only applicable '
@ -1034,6 +1046,8 @@ postgresql_group = cfg.OptGroup(
    'postgresql', title='PostgreSQL options',
    help="Oslo option group for the PostgreSQL datastore.")
 postgresql_opts = [
+    cfg.BoolOpt('icmp', default=False,
+                help='Whether to permit ICMP.'),
    cfg.ListOpt('tcp_ports', default=["5432"],
                help='List of TCP ports and/or port ranges to open '
                     'in the security group (only applicable '
@ -1098,6 +1112,8 @@ couchdb_group = cfg.OptGroup(
    'couchdb', title='CouchDB options',
    help="Oslo option group designed for CouchDB datastore")
 couchdb_opts = [
+    cfg.BoolOpt('icmp', default=False,
+                help='Whether to permit ICMP.'),
    cfg.ListOpt('tcp_ports',
                default=["5984"],
                help='List of TCP ports and/or port ranges to open '
@ -1158,6 +1174,8 @@ vertica_group = cfg.OptGroup(
    'vertica', title='Vertica options',
    help="Oslo option group designed for Vertica datastore")
 vertica_opts = [
+    cfg.BoolOpt('icmp', default=False,
+                help='Whether to permit ICMP.'),
    cfg.ListOpt('tcp_ports',
                default=["5433", "5434", "22", "5444", "5450", "4803"],
                help='List of TCP ports and/or port ranges to open '
@ -1226,6 +1244,8 @@ db2_group = cfg.OptGroup(
    'db2', title='DB2 options',
    help="Oslo option group designed for DB2 datastore")
 db2_opts = [
+    cfg.BoolOpt('icmp', default=False,
+                help='Whether to permit ICMP.'),
    cfg.ListOpt('tcp_ports',
                default=["50000"],
                help='List of TCP ports and/or port ranges to open '
--- a/trove/taskmanager/models.py
+++ b/trove/taskmanager/models.py
@ -1032,8 +1032,11 @@ class FreshInstanceTasks(FreshInstance, NotifyMixin, ConfigurationMixin):
            self.id, self.context)
        tcp_ports = CONF.get(datastore_manager).tcp_ports
        udp_ports = CONF.get(datastore_manager).udp_ports
+        icmp = CONF.get(datastore_manager).icmp
        self._create_rules(security_group, tcp_ports, 'tcp')
        self._create_rules(security_group, udp_ports, 'udp')
+        if icmp:
+            self._create_rules(security_group, None, 'icmp')
        return [security_group["name"]]

    def _create_rules(self, s_group, ports, protocol):
@ -1049,16 +1052,22 @@ class FreshInstanceTasks(FreshInstance, NotifyMixin, ConfigurationMixin):
                             'to': to_port}
            raise MalformedSecurityGroupRuleError(message=msg)

-        for port_or_range in set(ports):
-            try:
-                from_, to_ = (None, None)
-                from_, to_ = utils.gen_ports(port_or_range)
-                cidr = CONF.trove_security_group_rule_cidr
-                SecurityGroupRule.create_sec_group_rule(
-                    s_group, protocol, int(from_), int(to_),
-                    cidr, self.context)
-            except (ValueError, TroveError):
-                set_error_and_raise([from_, to_])
+        cidr = CONF.trove_security_group_rule_cidr
+
+        if protocol == 'icmp':
+            SecurityGroupRule.create_sec_group_rule(
+                s_group, 'icmp', None, None,
+                cidr, self.context)
+        else:
+            for port_or_range in set(ports):
+                try:
+                    from_, to_ = (None, None)
+                    from_, to_ = utils.gen_ports(port_or_range)
+                    SecurityGroupRule.create_sec_group_rule(
+                        s_group, protocol, int(from_), int(to_),
+                        cidr, self.context)
+                except (ValueError, TroveError):
+                    set_error_and_raise([from_, to_])

    def _build_heat_nics(self, nics):
        ifaces = []
--- a/trove/tests/unittests/taskmanager/test_models.py
+++ b/trove/tests/unittests/taskmanager/test_models.py
@ -60,9 +60,10 @@ VOLUME_ID = 'volume-id-1'

 class FakeOptGroup(object):
    def __init__(self, tcp_ports=['3306', '3301-3307'],
-                 udp_ports=[]):
+                 udp_ports=[], icmp=False):
        self.tcp_ports = tcp_ports
        self.udp_ports = udp_ports
+        self.icmp = icmp


 class fake_Server:
@ -368,6 +369,15 @@ class FreshInstanceTasksTest(trove_testtools.TestCase):
                          self.freshinstancetasks._create_secgroup,
                          datastore_manager)

+    def test_create_sg_rules_icmp(self):
+        datastore_manager = 'mysql'
+        self.task_models_conf_mock.get = Mock(
+            return_value=FakeOptGroup(icmp=True))
+        self.freshinstancetasks.update_db = Mock()
+        self.freshinstancetasks._create_secgroup(datastore_manager)
+        self.assertEqual(3, taskmanager_models.SecurityGroupRule.
+                         create_sec_group_rule.call_count)
+
    @patch.object(BaseInstance, 'update_db')
    @patch('trove.taskmanager.models.CONF')
    @patch('trove.taskmanager.models.LOG')