| author | Soren Hansen <soren@linux2go.dk> | 2011-08-14 04:17:48 +0000 |
|---|---|---|
| committer | Tarmac <> | 2011-08-14 04:17:48 +0000 |
| commit | eede601db836643a0fbc6689fb9ee9db15a822bc (patch) | |
| tree | 835bb238ff8018d1490f247f1b378ddde4863cba /nova/compute | |
| parent | a538f400b5ced8357fa0e892fffd5a01b8e63cec (diff) | |
| parent | adc4d2dc71b6dcdad4bca57925f89d7344a613e8 (diff) | |
Add source-group filtering.
Move refresh to be triggered by allocation and deallocation of IPs rather than creation/destruction of instances.
There really needs to be a way to use ipsets for this, but it's not widely supported yet (went into mainline Linux at 2.6.39), so this implementation just uses regular iptables.
Diffstat (limited to 'nova/compute')
| -rw-r--r-- | nova/compute/api.py | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/nova/compute/api.py b/nova/compute/api.py
index 91a0c93b2..e909e9959 100644
--- a/nova/compute/api.py
+++ b/nova/compute/api.py
@@ -393,10 +393,6 @@ class API(base.Base):
 updates['hostname'] = self.hostname_factory(instance)
 instance = self.update(context, instance_id, **updates)
-
- for group_id in security_groups:
- self.trigger_security_group_members_refresh(elevated, group_id)
-
 return instance
 def _ask_scheduler_to_create_instance(self, context, base_options,
@@ -565,18 +561,20 @@ class API(base.Base):
 {"method": "refresh_security_group_rules", "args": {"security_group_id": security_group.id}})
- def trigger_security_group_members_refresh(self, context, group_id):
+ def trigger_security_group_members_refresh(self, context, group_ids):
 """Called when a security group gains a new or loses a member. Sends an update request to each compute node for whom this is relevant. """
- # First, we get the security group rules that reference this group as
+ # First, we get the security group rules that reference these groups as
 # the grantee..
- security_group_rules = \
+ security_group_rules = set()
+ for group_id in group_ids:
+ security_group_rules.update(
 self.db.security_group_rule_get_by_security_group_grantee( context,
- group_id)
+ group_id))
 # ..then we distill the security groups to which they belong..
 security_groups = set() |
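Review bot: The docstring under the new signature `trigger_security_group_members_refresh(self, context, group_ids)` in the second hunk still describes a single group and never states that `group_ids` must be an iterable of ids; I would add `:param group_ids: iterable of ids of the security groups whose membership changed`. A caller still passing one integer id would fail at `for group_id in group_ids:` with a TypeError. If that error is swallowed upstream, compute nodes would presumably keep source-group iptables rules for an address that has already been released. The callers sit outside this diff (it is limited to nova/compute), so each one needs checking, or the method could normalise a scalar first with `if isinstance(group_ids, int): group_ids = [group_ids]`. The method body continues past the end of the hunk.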
