Merge "Introduce "icmp" option for security group rule"
commit
97bf01271b
|
@ -216,6 +216,8 @@ rabbit_password=f7999d1955c5014aa32c
|
|||
#rabbit_virtual_host=/
|
||||
|
||||
[mysql]
|
||||
# Whether to permit ICMP. default is False.
|
||||
icmp = True
|
||||
# Format (single port or port range): A, B-C
|
||||
# where C greater than B
|
||||
tcp_ports = 3306
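Review bot: The sample `[mysql]` section sets `icmp = True` directly under a comment that says the default is False, and the option is registered with `default=False` in the Python hunks. A deployment seeded from this sample would open ICMP on every MySQL instance security group without the operator having chosen to. The sample should mirror the shipped default and leave enabling to the operator, e.g. `# icmp = False`, with the comment naming the source range the rule applies to (`trove_security_group_rule_cidr`, as read in `_create_rules`).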
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
features:
|
||||
- Add icmp option for DB security group.
|
||||
if icmp=True, users will be allowed to
|
||||
ping to DB instances.
|
|
@ -480,6 +480,8 @@ mysql_group = cfg.OptGroup(
|
|||
'mysql', title='MySQL options',
|
||||
help="Oslo option group designed for MySQL datastore")
|
||||
mysql_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports', default=["3306"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
'in the security group (only applicable '
|
||||
|
@ -558,6 +560,8 @@ percona_group = cfg.OptGroup(
|
|||
'percona', title='Percona options',
|
||||
help="Oslo option group designed for Percona datastore")
|
||||
percona_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports', default=["3306"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
'in the security group (only applicable '
|
||||
|
@ -729,6 +733,8 @@ redis_group = cfg.OptGroup(
|
|||
'redis', title='Redis options',
|
||||
help="Oslo option group designed for Redis datastore")
|
||||
redis_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports', default=["6379", "16379"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
'in the security group (only applicable '
|
||||
|
@ -804,6 +810,8 @@ cassandra_group = cfg.OptGroup(
|
|||
'cassandra', title='Cassandra options',
|
||||
help="Oslo option group designed for Cassandra datastore")
|
||||
cassandra_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports', default=["7000", "7001", "7199", "9042", "9160"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
'in the security group (only applicable '
|
||||
|
@ -881,6 +889,8 @@ couchbase_group = cfg.OptGroup(
|
|||
'couchbase', title='Couchbase options',
|
||||
help="Oslo option group designed for Couchbase datastore")
|
||||
couchbase_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports',
|
||||
default=["8091", "8092", "4369", "11209-11211",
|
||||
"21100-21199"],
|
||||
|
@ -943,6 +953,8 @@ mongodb_group = cfg.OptGroup(
|
|||
'mongodb', title='MongoDB options',
|
||||
help="Oslo option group designed for MongoDB datastore")
|
||||
mongodb_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports', default=["2500", "27017", "27019"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
'in the security group (only applicable '
|
||||
|
@ -1034,6 +1046,8 @@ postgresql_group = cfg.OptGroup(
|
|||
'postgresql', title='PostgreSQL options',
|
||||
help="Oslo option group for the PostgreSQL datastore.")
|
||||
postgresql_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports', default=["5432"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
'in the security group (only applicable '
|
||||
|
@ -1098,6 +1112,8 @@ couchdb_group = cfg.OptGroup(
|
|||
'couchdb', title='CouchDB options',
|
||||
help="Oslo option group designed for CouchDB datastore")
|
||||
couchdb_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports',
|
||||
default=["5984"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
|
@ -1158,6 +1174,8 @@ vertica_group = cfg.OptGroup(
|
|||
'vertica', title='Vertica options',
|
||||
help="Oslo option group designed for Vertica datastore")
|
||||
vertica_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports',
|
||||
default=["5433", "5434", "22", "5444", "5450", "4803"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
|
@ -1226,6 +1244,8 @@ db2_group = cfg.OptGroup(
|
|||
'db2', title='DB2 options',
|
||||
help="Oslo option group designed for DB2 datastore")
|
||||
db2_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports',
|
||||
default=["50000"],
|
||||
help='List of TCP ports and/or port ranges to open '
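Review bot: The help string `'Whether to permit ICMP.'`, repeated in every `*_opts` list touched here, does not tell an operator what is actually opened. From the taskmanager hunk it is an ingress rule on the instance security group for `trove_security_group_rule_cidr`, created with no type or code restriction. I would spell that out, e.g. `help='Whether to add an ICMP rule (no type/code restriction) for trove_security_group_rule_cidr to the instance security group.'`. Separately, `_create_secgroup` reads `CONF.get(datastore_manager).icmp` unconditionally, so any datastore option group that exists in this file but is not given the option by this change would fail at lookup; the full file is not visible here, so please confirm every group is covered. The option lists continue outside each hunk.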
|
||||
|
|
|
@ -1032,8 +1032,11 @@ class FreshInstanceTasks(FreshInstance, NotifyMixin, ConfigurationMixin):
|
|||
self.id, self.context)
|
||||
tcp_ports = CONF.get(datastore_manager).tcp_ports
|
||||
udp_ports = CONF.get(datastore_manager).udp_ports
|
||||
icmp = CONF.get(datastore_manager).icmp
|
||||
self._create_rules(security_group, tcp_ports, 'tcp')
|
||||
self._create_rules(security_group, udp_ports, 'udp')
|
||||
if icmp:
|
||||
self._create_rules(security_group, None, 'icmp')
|
||||
return [security_group["name"]]
|
||||
|
||||
def _create_rules(self, s_group, ports, protocol):
|
||||
|
@ -1049,16 +1052,22 @@ class FreshInstanceTasks(FreshInstance, NotifyMixin, ConfigurationMixin):
|
|||
'to': to_port}
|
||||
raise MalformedSecurityGroupRuleError(message=msg)
|
||||
|
||||
for port_or_range in set(ports):
|
||||
try:
|
||||
from_, to_ = (None, None)
|
||||
from_, to_ = utils.gen_ports(port_or_range)
|
||||
cidr = CONF.trove_security_group_rule_cidr
|
||||
SecurityGroupRule.create_sec_group_rule(
|
||||
s_group, protocol, int(from_), int(to_),
|
||||
cidr, self.context)
|
||||
except (ValueError, TroveError):
|
||||
set_error_and_raise([from_, to_])
|
||||
cidr = CONF.trove_security_group_rule_cidr
|
||||
|
||||
if protocol == 'icmp':
|
||||
SecurityGroupRule.create_sec_group_rule(
|
||||
s_group, 'icmp', None, None,
|
||||
cidr, self.context)
|
||||
else:
|
||||
for port_or_range in set(ports):
|
||||
try:
|
||||
from_, to_ = (None, None)
|
||||
from_, to_ = utils.gen_ports(port_or_range)
|
||||
SecurityGroupRule.create_sec_group_rule(
|
||||
s_group, protocol, int(from_), int(to_),
|
||||
cidr, self.context)
|
||||
except (ValueError, TroveError):
|
||||
set_error_and_raise([from_, to_])
|
||||
|
||||
def _build_heat_nics(self, nics):
|
||||
ifaces = []
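Review bot: In `_create_rules` the ICMP branch calls `create_sec_group_rule(s_group, 'icmp', None, None, cidr, self.context)`, so the rule carries no ICMP type or code. Depending on how the backend treats empty from/to values, that presumably admits every ICMP message from `trove_security_group_rule_cidr`, which is broader than the "ping" the release note describes. If only echo is intended, pass the echo-request type and code in place of `None, None` (confirm how `create_sec_group_rule` maps from/to for ICMP); otherwise add a comment such as `# None/None: no type/code filter, all ICMP from cidr is allowed`. The ICMP call also sits outside the `try/except (ValueError, TroveError)` that the port loop uses, so a failure there will not go through `set_error_and_raise` like the tcp/udp rules do. The start of `_create_rules` is outside this hunk.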
|
||||
|
|
|
@ -60,9 +60,10 @@ VOLUME_ID = 'volume-id-1'
|
|||
|
||||
class FakeOptGroup(object):
|
||||
def __init__(self, tcp_ports=['3306', '3301-3307'],
|
||||
udp_ports=[]):
|
||||
udp_ports=[], icmp=False):
|
||||
self.tcp_ports = tcp_ports
|
||||
self.udp_ports = udp_ports
|
||||
self.icmp = icmp
|
||||
|
||||
|
||||
class fake_Server:
|
||||
|
@ -368,6 +369,15 @@ class FreshInstanceTasksTest(trove_testtools.TestCase):
|
|||
self.freshinstancetasks._create_secgroup,
|
||||
datastore_manager)
|
||||
|
||||
def test_create_sg_rules_icmp(self):
|
||||
datastore_manager = 'mysql'
|
||||
self.task_models_conf_mock.get = Mock(
|
||||
return_value=FakeOptGroup(icmp=True))
|
||||
self.freshinstancetasks.update_db = Mock()
|
||||
self.freshinstancetasks._create_secgroup(datastore_manager)
|
||||
self.assertEqual(3, taskmanager_models.SecurityGroupRule.
|
||||
create_sec_group_rule.call_count)
|
||||
|
||||
@patch.object(BaseInstance, 'update_db')
|
||||
@patch('trove.taskmanager.models.CONF')
|
||||
@patch('trove.taskmanager.models.LOG')
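Review bot: `test_create_sg_rules_icmp` only asserts `call_count == 3`, which would still pass if the third call were another tcp rule or carried the wrong CIDR. Since this rule widens network exposure, the test should pin its arguments, e.g. `create_sec_group_rule.assert_any_call(ANY, 'icmp', None, None, ANY, ANY)` (with `ANY` from mock, if it is not already imported in this file). A companion case with `FakeOptGroup(icmp=False)` asserting that no call uses `'icmp'` would guard the default-off behaviour, unless an existing test outside this hunk already covers it.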
|
||||
|
|