[GCE] Skip Security group rule verification for egress rules

Neutron by default adds two egress rules to security group creation API calls. If we block egress rules, any type of security group creation fails. So we just log warning in case of neutron egress security group rules being not supported on GCE. Switched to gce beta APIs as firewall group creation calls are deprecated on v1 APIs. Firewall related call report error "feature not supported yet" Change-Id: I7baded2df5b34239e2cf99ca49c9d6c8eba46294 Closes-bug: #1709002
2017-08-10 16:09:54 +05:30 · 2017-08-10 16:09:54 +05:30 · 60e596283c
parent 8241e8da95
commit 60e596283c
2 changed files with 19 additions and 14 deletions
--- a/neutron/neutron/common/gceutils.py
+++ b/neutron/neutron/common/gceutils.py
@ -160,7 +160,7 @@ def get_gce_service(service_key):
        raise GceServiceKeyNotFound(path=service_key)

    credentials = GoogleCredentials.from_stream(service_key)
-    service = build('compute', 'v1', credentials=credentials)
+    service = build('compute', 'beta', credentials=credentials)
    return service


--- a/neutron/neutron/plugins/ml2/drivers/gce/mech_gce.py
+++ b/neutron/neutron/plugins/ml2/drivers/gce/mech_gce.py
@ -158,32 +158,31 @@ class GceMechanismDriver(api.MechanismDriver):
        return "secgrp-" + openstack_id

    def _convert_secgrp_rule_to_gce(self, rule, network_link, validate=False):
-        if rule['ethertype'] != 'IPv4':
-            raise sg.SecurityGroupRuleInvalidEtherType(
-                ethertype=rule['ethertype'], values=('IPv4', ))
-
        gce_rule = {
            'sourceRanges': [],
-            'sourceTags': [],
            'targetTags': [],
            'allowed': [{}],
-            'destinationRanges': [],
+            'priority': 1000
        }
-        if not validate:
-            gce_rule['name'] = self._gce_secgrp_id(rule['id'])
-            gce_rule['network'] = network_link
-
        directions = {
            'ingress': 'INGRESS',
        }
-        gce_protocols = ('tcp', 'udp', 'icmp', 'esp', 'ah', 'sctp')
-
        if rule['direction'] in directions:
            gce_rule['direction'] = directions[rule['direction']]
        else:
            raise SecurityGroupInvalidDirection(direction=rule['direction'],
                                                values=directions.keys())

+        if rule['ethertype'] != 'IPv4':
+            raise sg.SecurityGroupRuleInvalidEtherType(
+                ethertype=rule['ethertype'], values=('IPv4', ))
+
+        if not validate:
+            gce_rule['name'] = self._gce_secgrp_id(rule['id'])
+            gce_rule['network'] = network_link
+
+        gce_protocols = ('tcp', 'udp', 'icmp', 'esp', 'ah', 'sctp')
+
        protocol = rule['protocol']
        if protocol is None:
            gce_rule['allowed'][0]['IPProtocol'] = 'all'
@ -215,10 +214,13 @@ class GceMechanismDriver(api.MechanismDriver):
        compute, project = self.gce_svc, self.gce_project
        try:
            gce_rule = self._convert_secgrp_rule_to_gce(rule, network_link)
+        except SecurityGroupInvalidDirection:
+            LOG.warn("Egress rules are not supported on GCE.")
+            return
        except Exception as e:
            LOG.exception(
                "An error occured while creating security group: %s" % e)
-            return
+            raise e
        LOG.info("Create GCE firewall rule %s" % gce_rule)
        operation = gceutils.create_firewall_rule(compute, project, gce_rule)
        gceutils.wait_for_operation(compute, project, operation)
@ -227,6 +229,9 @@ class GceMechanismDriver(api.MechanismDriver):
        try:
            self._convert_secgrp_rule_to_gce(
                rule, network_link=None, validate=True)
+        except SecurityGroupInvalidDirection:
+            LOG.warn("Egress rules are not supported on GCE.")
+            return
        except Exception as e:
            LOG.exception("An error occurred while creating security "
                          "group: %s" % e)