Optimize add_security_groups_to_container

The logic to add security groups to container is to search all
the neutron ports of the container and update the security_groups
fields of those ports. In before, we searched neutron ports
by device_id/EndpointID. The problem is EndpointID is not available
if the container is not running. This commit retrieves neutron ports
from the 'addresses' field of the container instead.

Partial-Implements: blueprint make-sandbox-optional
Change-Id: I845872665a766cae11528f226350399497d58b64

zun/compute/manager.py

@@ -233,8 +233,8 @@ class Manager(object):
         LOG.debug('Adding security_group to container: %s', container.uuid)
         try:
             sandbox_id = self.driver.get_sandbox_id(container)
-            self.driver.add_security_group(context, sandbox_id,
+            self.driver.add_security_group(context, container, security_group,
-                                           security_group)
+                                           sandbox_id=sandbox_id)
             container.security_groups += [security_group]
             container.save(context)
         except Exception as e:

zun/container/docker/driver.py

@@ -666,7 +666,8 @@ class DockerDriver(driver.ContainerDriver):
                         cpu_used += float(nanocpus) / 1e9
             return cpu_used
 
-    def add_security_group(self, context, sandbox_id, security_group):
+    def add_security_group(self, context, container, security_group,
+                           sandbox_id=None):
         security_group_ids = self._get_security_group_ids(
             context, [security_group])
         with docker_utils.docker_client() as docker:
@@ -674,14 +675,14 @@ class DockerDriver(driver.ContainerDriver):
             sandbox = docker.inspect_container(sandbox_id)
             for network in sandbox["NetworkSettings"]["Networks"]:
                 network_api.add_security_groups_to_ports(
-                    sandbox, network, security_group_ids)
+                    container, security_group_ids, sandbox_id)
 
     def get_available_nodes(self):
         return [self._host.get_hostname()]
 
 
 class NovaDockerDriver(DockerDriver):
-    def add_security_group(self, context, sandbox_id, security_group):
+    def add_security_group(self, context, container, security_group, **kwargs):
         msg = "NovaDockerDriver does not support security_groups"
         raise exception.ZunException(msg)
 

zun/container/driver.py

@@ -200,7 +200,7 @@ class ContainerDriver(object):
     def get_cpu_used(self):
         raise NotImplementedError()
 
-    def add_security_group(self, context, sandbox_id, security_group):
+    def add_security_group(self, context, container, security_group, **kwargs):
         raise NotImplementedError()
 
     def get_available_resources(self, node):

zun/network/kuryr_network.py

@@ -182,32 +182,28 @@ class KuryrNetwork(network.Network):
                             'or neutron tag extension does not supported or'
                             ' not enabled.')
 
-    def add_security_groups_to_ports(self, container, network_name,
+    def add_security_groups_to_ports(self, container, security_group_ids,
-                                     security_group_ids):
+                                     sandbox_id=None):
-        container_id = container['Id']
+        port_ids = set()
-        neutron_ports = None
+        for addrs_list in container.addresses.values():
-        if "NetworkSettings" in container:
+            for addr in addrs_list:
-            network = container["NetworkSettings"]["Networks"][network_name]
+                port_id = addr['port']
-            endpoint_id = network["EndpointID"]
+                port_ids.add(port_id)
-            # Kuryr set the port's device_id as endpoint_id so we leverge it
+
-            neutron_ports = self.neutron.list_ports(device_id=endpoint_id)
+        neutron_ports = self.neutron.list_ports().get('ports', [])
-            neutron_ports = neutron_ports.get('ports', [])
+        neutron_ports = [p for p in neutron_ports if p['id'] in port_ids]
-            if not neutron_ports:
+        for port in neutron_ports:
-                raise exceptions.ZunException(
+            if 'security_groups' not in port:
-                    "Cannot find the neutron port that bind container "
+                port['security_groups'] = []
-                    "%s to network %s", container_id, network_name)
+            port['security_groups'].extend(security_group_ids)
-            for port in neutron_ports:
+            updated_port = {'security_groups': port['security_groups']}
-                if 'security_groups' not in port:
+            try:
-                    port['security_groups'] = []
+                LOG.info("Adding security group %(security_group_ids)s "
-                port['security_groups'].extend(security_group_ids)
+                         "to port %(port_id)s" %
-                updated_port = {'security_groups': port['security_groups']}
+                         {'security_group_ids': security_group_ids,
-                try:
+                          'port_id': port['id']})
-                    LOG.info("Adding security group %(security_group_ids)s "
+                self.neutron.update_port(port['id'],
-                             "to port %(port_id)s",
+                                         {'port': updated_port})
-                             {'security_group_ids': security_group_ids,
+            except Exception:
-                              'port_id': port['id']})
+                with excutils.save_and_reraise_exception():
-                    self.neutron.update_port(port['id'],
+                    LOG.exception("Neutron Error:")
-                                             {'port': updated_port})
-                except Exception:
-                    with excutils.save_and_reraise_exception():
-                        LOG.exception("Neutron Error:")