NSX|V remove security group from NSX policy before deletion

NSX security group should be deleted from the NSX policy, before deletion. Otherwise the security group deletion will fail, or if forced, it may cause sync issues in the future. Change-Id: I070d34e9e55759d55a95c48dc9d5f8e307dc3f9f
2016-12-20 14:48:05 +02:00 · 2016-12-20 14:48:05 +02:00 · 45ee988ffc
parent ec41e9b0f3
commit 45ee988ffc
2 changed files with 23 additions and 4 deletions
--- a/vmware_nsx/db/extended_security_group.py
+++ b/vmware_nsx/db/extended_security_group.py
@ -145,6 +145,11 @@ class ExtendedSecurityGroupPropertiesMixin(object):
                                                      security_group_id)
        return True if sg_prop.policy else False

+    def _get_security_group_policy(self, context, security_group_id):
+        sg_prop = self._get_security_group_properties(context,
+                                                      security_group_id)
+        return sg_prop.policy
+
    def _check_provider_security_group_exists(self, context,
                                              security_group_id):
        # NOTE(roeyc): We want to retrieve the security-group info by calling
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -3076,12 +3076,25 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
            LOG.error(_LE("Failed to update firewall for router %s"),
                      router_id)

-    # Security group handling section #
-    def _delete_nsx_security_group(self, nsx_sg_id):
+    def _delete_nsx_security_group(self, nsx_sg_id, nsx_policy):
        """Helper method to delete nsx security group."""
        if nsx_sg_id is not None:
+            if nsx_policy:
+                # First remove this security group from the NSX policy,
+                # Or else the delete will fail
+                try:
+                    with locking.LockManager.get_lock(
+                        'neutron-security-policy-' + str(nsx_policy)):
+                        self.nsx_sg_utils.del_nsx_security_group_from_policy(
+                            nsx_policy, nsx_sg_id)
+                except Exception as e:
+                    LOG.warning(_LW("Failed to remove nsx security group "
+                                    "%(id)s from policy %(pol)s : %(e)s"),
+                                {'id': nsx_sg_id, 'pol': nsx_policy, 'e': e})
+
            self.nsx_v.vcns.delete_security_group(nsx_sg_id)

+    # Security group handling section #
    def _delete_section(self, section_uri):
        """Helper method to delete nsx rule section."""
        if section_uri is not None:
@ -3162,7 +3175,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                    context, securitygroup, nsx_sg_id)
            except Exception:
                with excutils.save_and_reraise_exception():
-                    self._delete_nsx_security_group(nsx_sg_id)
+                    self._delete_nsx_security_group(nsx_sg_id, policy)

        if not securitygroup[provider_sg.PROVIDER]:
            # Add Security Group to the Security Groups container in order to
@ -3361,6 +3374,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        """Delete a security group."""
        self._prevent_non_admin_delete_provider_sg(context, id)
        self._prevent_non_admin_delete_policy_sg(context, id)
+        policy = self._get_security_group_policy(context, id)
        try:
            # Find nsx rule sections
            section_uri = self._get_section_uri(context.session, id)
@ -3375,7 +3389,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
            self._delete_section(section_uri)

            # Delete nsx security group
-            self._delete_nsx_security_group(nsx_sg_id)
+            self._delete_nsx_security_group(nsx_sg_id, policy)

        except Exception:
            with excutils.save_and_reraise_exception():