authorSoren Hansen <soren@linux2go.dk>2011-03-07 21:59:05 +0100
committerSoren Hansen <soren@linux2go.dk>2011-03-07 21:59:05 +0100
commit4e9c570fbf8b3987d556da085b61f159f32c16f1 (patch)
treed70073c963208d6bf98fa5efb9a6b3d4c3811eab
parent7b7abe7e7a25c0cd07c64c34f69ce050c669cfc3 (diff)
Use IptablesManager.semaphore from securitygroups driver to ensure we don't apply half a rule set.
-rw-r--r--nova/virt/libvirt_conn.py8
1 files changed, 6 insertions, 2 deletions
diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py
index b900cb8eb..825bcb0d7 100644
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@@ -1372,8 +1372,12 @@ class IptablesFirewallDriver(FirewallDriver):
def refresh_security_group_rules(self, security_group):
for instance in self.instances.values():
- self.remove_filters_for_instance(instance)
- self.add_filters_for_instance(instance)
+ # We use the semaphore to make sure noone applies the rule set
+ # after we've yanked the existing rules but before we've put in
+ # the new ones.
+ with self.iptables.semaphore:
+ self.remove_filters_for_instance(instance)
+ self.add_filters_for_instance(instance)
self.iptables.apply()
def _security_group_chain_name(self, security_group_id):
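Review bot: The `with self.iptables.semaphore:` block closes the remove/add window only if every path that pushes rules takes the same semaphore, and `self.iptables.apply()` on the following line runs after the lock is released. Whether `apply()` acquires the semaphore internally is not visible in this hunk, so the comment should state the dependency, e.g. `# Relies on IptablesManager.apply() holding this same semaphore.` The failure path is also uncovered: if `add_filters_for_instance(instance)` raises after `remove_filters_for_instance(instance)` has succeeded, the `with` exits and releases the semaphore while the in-memory rule set has no filters for that instance, so a later `apply()` from any caller would presumably install that state. Consider catching the exception, logging it and re-raising before anything else can apply, or documenting that an exception here leaves the instance's rules in an unknown state. Indentation is lost on this page, so the `with` is assumed to sit inside the `for` loop as the line order suggests.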