Optimize add_security_groups_to_container
The logic to add security groups to container is to search all the neutron ports of the container and update the security_groups fields of those ports. In before, we searched neutron ports by device_id/EndpointID. The problem is EndpointID is not available if the container is not running. This commit retrieves neutron ports from the 'addresses' field of the container instead. Partial-Implements: blueprint make-sandbox-optional Change-Id: I845872665a766cae11528f226350399497d58b64
This commit is contained in:
Hongbin Lu
@@ -233,8 +233,8 @@ class Manager(object):
|
|||||||
LOG.debug('Adding security_group to container: %s', container.uuid)
|
LOG.debug('Adding security_group to container: %s', container.uuid)
|
||||||
try:
|
try:
|
||||||
sandbox_id = self.driver.get_sandbox_id(container)
|
sandbox_id = self.driver.get_sandbox_id(container)
|
||||||
self.driver.add_security_group(context, sandbox_id,
|
self.driver.add_security_group(context, container, security_group,
|
||||||
security_group)
|
sandbox_id=sandbox_id)
|
||||||
container.security_groups += [security_group]
|
container.security_groups += [security_group]
|
||||||
container.save(context)
|
container.save(context)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
|
|||||||
@@ -666,7 +666,8 @@ class DockerDriver(driver.ContainerDriver):
|
|||||||
cpu_used += float(nanocpus) / 1e9
|
cpu_used += float(nanocpus) / 1e9
|
||||||
return cpu_used
|
return cpu_used
|
||||||
|
|
||||||
def add_security_group(self, context, sandbox_id, security_group):
|
def add_security_group(self, context, container, security_group,
|
||||||
|
sandbox_id=None):
|
||||||
security_group_ids = self._get_security_group_ids(
|
security_group_ids = self._get_security_group_ids(
|
||||||
context, [security_group])
|
context, [security_group])
|
||||||
with docker_utils.docker_client() as docker:
|
with docker_utils.docker_client() as docker:
|
||||||
@@ -674,14 +675,14 @@ class DockerDriver(driver.ContainerDriver):
|
|||||||
sandbox = docker.inspect_container(sandbox_id)
|
sandbox = docker.inspect_container(sandbox_id)
|
||||||
for network in sandbox["NetworkSettings"]["Networks"]:
|
for network in sandbox["NetworkSettings"]["Networks"]:
|
||||||
network_api.add_security_groups_to_ports(
|
network_api.add_security_groups_to_ports(
|
||||||
sandbox, network, security_group_ids)
|
container, security_group_ids, sandbox_id)
|
||||||
|
|
||||||
def get_available_nodes(self):
|
def get_available_nodes(self):
|
||||||
return [self._host.get_hostname()]
|
return [self._host.get_hostname()]
|
||||||
|
|
||||||
|
|
||||||
class NovaDockerDriver(DockerDriver):
|
class NovaDockerDriver(DockerDriver):
|
||||||
def add_security_group(self, context, sandbox_id, security_group):
|
def add_security_group(self, context, container, security_group, **kwargs):
|
||||||
msg = "NovaDockerDriver does not support security_groups"
|
msg = "NovaDockerDriver does not support security_groups"
|
||||||
raise exception.ZunException(msg)
|
raise exception.ZunException(msg)
|
||||||
|
|
||||||
|
|||||||
@@ -200,7 +200,7 @@ class ContainerDriver(object):
|
|||||||
def get_cpu_used(self):
|
def get_cpu_used(self):
|
||||||
raise NotImplementedError()
|
raise NotImplementedError()
|
||||||
|
|
||||||
def add_security_group(self, context, sandbox_id, security_group):
|
def add_security_group(self, context, container, security_group, **kwargs):
|
||||||
raise NotImplementedError()
|
raise NotImplementedError()
|
||||||
|
|
||||||
def get_available_resources(self, node):
|
def get_available_resources(self, node):
|
||||||
|
|||||||
@@ -182,20 +182,16 @@ class KuryrNetwork(network.Network):
|
|||||||
'or neutron tag extension does not supported or'
|
'or neutron tag extension does not supported or'
|
||||||
' not enabled.')
|
' not enabled.')
|
||||||
|
|
||||||
def add_security_groups_to_ports(self, container, network_name,
|
def add_security_groups_to_ports(self, container, security_group_ids,
|
||||||
security_group_ids):
|
sandbox_id=None):
|
||||||
container_id = container['Id']
|
port_ids = set()
|
||||||
neutron_ports = None
|
for addrs_list in container.addresses.values():
|
||||||
if "NetworkSettings" in container:
|
for addr in addrs_list:
|
||||||
network = container["NetworkSettings"]["Networks"][network_name]
|
port_id = addr['port']
|
||||||
endpoint_id = network["EndpointID"]
|
port_ids.add(port_id)
|
||||||
# Kuryr set the port's device_id as endpoint_id so we leverge it
|
|
||||||
neutron_ports = self.neutron.list_ports(device_id=endpoint_id)
|
neutron_ports = self.neutron.list_ports().get('ports', [])
|
||||||
neutron_ports = neutron_ports.get('ports', [])
|
neutron_ports = [p for p in neutron_ports if p['id'] in port_ids]
|
||||||
if not neutron_ports:
|
|
||||||
raise exceptions.ZunException(
|
|
||||||
"Cannot find the neutron port that bind container "
|
|
||||||
"%s to network %s", container_id, network_name)
|
|
||||||
for port in neutron_ports:
|
for port in neutron_ports:
|
||||||
if 'security_groups' not in port:
|
if 'security_groups' not in port:
|
||||||
port['security_groups'] = []
|
port['security_groups'] = []
|
||||||
@@ -203,7 +199,7 @@ class KuryrNetwork(network.Network):
|
|||||||
updated_port = {'security_groups': port['security_groups']}
|
updated_port = {'security_groups': port['security_groups']}
|
||||||
try:
|
try:
|
||||||
LOG.info("Adding security group %(security_group_ids)s "
|
LOG.info("Adding security group %(security_group_ids)s "
|
||||||
"to port %(port_id)s",
|
"to port %(port_id)s" %
|
||||||
{'security_group_ids': security_group_ids,
|
{'security_group_ids': security_group_ids,
|
||||||
'port_id': port['id']})
|
'port_id': port['id']})
|
||||||
self.neutron.update_port(port['id'],
|
self.neutron.update_port(port['id'],
|
||||||
|
|||||||
Reference in New Issue
Block a user