NSX|V: Avoid updating the default section at init
During plugin init the default firewall section is created. If it already exists, it will be updated, which causes race condition in case of multiple controllers. There is no need to update the default section during init, unless the nsx.ini configuration changed, in which case admin utility should be used to update the section: nsxadmin -r firewall-sections -o nsx-update In addition, catch exceptions when creating the section, as there also might be a race condition there. Change-Id: I19b238a561af95e856d9dae32764ce4d484df767
This commit is contained in:
Adit Sarfaty
parent
04bd9c0b55
commit
f9aa6bd805
|
|
@ -492,10 +492,8 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
|
|||
router_type_obj._extend_nsx_router_dict(
|
||||
router_res, router_db, router_type_obj.nsx_attributes)
|
||||
|
||||
def _create_cluster_default_fw_section(self):
|
||||
section_name = 'OS Cluster Security Group section'
|
||||
|
||||
# Default cluster rules
|
||||
def _get_cluster_default_fw_section_rules(self):
|
||||
"""Build Default cluster rules"""
|
||||
rules = [{'name': 'Default DHCP rule for OS Security Groups',
|
||||
'action': 'allow',
|
||||
'services': [('17', '67', None, None),
|
||||
|
|
@ -555,11 +553,20 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
|
|||
logged=cfg.CONF.nsxv.log_security_groups_blocked_traffic)
|
||||
rule_list.append(block_rule)
|
||||
|
||||
return rule_list
|
||||
|
||||
def _create_cluster_default_fw_section(self, update_section=False):
|
||||
section_name = 'OS Cluster Security Group section'
|
||||
with locking.LockManager.get_lock('default-section-init'):
|
||||
section_id = self.nsx_v.vcns.get_section_id(section_name)
|
||||
section = (
|
||||
self.nsx_sg_utils.get_section_with_rules(
|
||||
section_name, rule_list, section_id))
|
||||
if section_id and not update_section:
|
||||
# No need to update an existing section, unless the
|
||||
# configuration changed
|
||||
return section_id
|
||||
|
||||
rule_list = self._get_cluster_default_fw_section_rules()
|
||||
section = self.nsx_sg_utils.get_section_with_rules(
|
||||
section_name, rule_list, section_id)
|
||||
section_req_body = self.nsx_sg_utils.to_xml_string(section)
|
||||
if section_id:
|
||||
self.nsx_v.vcns.update_section_by_id(
|
||||
|
|
@ -567,10 +574,18 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
|
|||
else:
|
||||
# cluster section does not exists. Create it above the
|
||||
# default l3 section
|
||||
l3_id = self.nsx_v.vcns.get_default_l3_id()
|
||||
h, c = self.nsx_v.vcns.create_section('ip', section_req_body,
|
||||
insert_before=l3_id)
|
||||
section_id = self.nsx_sg_utils.parse_and_get_section_id(c)
|
||||
try:
|
||||
l3_id = self.nsx_v.vcns.get_default_l3_id()
|
||||
h, c = self.nsx_v.vcns.create_section(
|
||||
'ip', section_req_body, insert_before=l3_id)
|
||||
section_id = self.nsx_sg_utils.parse_and_get_section_id(c)
|
||||
except Exception as e:
|
||||
# another controller might have already created one
|
||||
section_id = self.nsx_v.vcns.get_section_id(section_name)
|
||||
if not section_id:
|
||||
with excutils.save_and_reraise_exception():
|
||||
LOG.error("Failed to create default section: %s",
|
||||
e)
|
||||
return section_id
|
||||
|
||||
def _create_dhcp_static_binding(self, context, neutron_port_db):
|
||||
|
|
|
|||
|
|
@ -461,7 +461,7 @@ def migrate_sg_to_policy(resource, event, trigger, **kwargs):
|
|||
def firewall_update_cluster_default_fw_section(resource, event, trigger,
|
||||
**kwargs):
|
||||
with utils.NsxVPluginWrapper() as plugin:
|
||||
plugin._create_cluster_default_fw_section()
|
||||
plugin._create_cluster_default_fw_section(update_section=True)
|
||||
LOG.info("Cluster default FW section updated.")
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue