authorDavid McNally <dave.mcnally@hp.com>2012-08-01 15:51:29 +0100
committerDavid McNally <dave.mcnally@hp.com>2012-08-10 13:02:23 +0100
commit2afbbab23a9d845cde511baa1e574fdcf5ab5171 (patch)
tree0a557f73ffb6a3d751f6690c7775dfd1163c90eb /nova/virt
parent55cf5c308508435eb40f3d45bbe9b4e4e0ff3ea5 (diff)
Making security group refresh more specific
Fixes bug 1029495. The trigger_members_refresh method in compute.api.py specifies a group id in the call to refresh_security_group_members. This is just the last group id seen and ignores the fact that a refresh may impact members of multiple groups. This is masked by the fact that on the host the group id is ignored and all instances have their security rules refreshed, regardless of whether they are part of the changed group or not. This change modifies the logic surrounding refreshes so that we send a refresh request for each instance affected by a security group change; this ensures we aren't spending time refreshing unaffected instances and also removes the possibility of refreshing an instance multiple times if it is a member of more than one group. The refresh carried out when a rule is added to or removed from a security group is also changed to be instance-centric. Change-Id: Iec98e9aed818fdc4ecc88c8dcdd4ee5fa9386e00
Diffstat (limited to 'nova/virt')
-rw-r--r--nova/virt/baremetal/driver.py4
-rw-r--r--nova/virt/fake.py3
-rw-r--r--nova/virt/firewall.py17
-rw-r--r--nova/virt/libvirt/driver.py3
-rw-r--r--nova/virt/xenapi/driver.py7
-rw-r--r--nova/virt/xenapi/vmops.py4
6 files changed, 38 insertions, 0 deletions
diff --git a/nova/virt/baremetal/driver.py b/nova/virt/baremetal/driver.py
index 5bbb23995..3da59e929 100644
--- a/nova/virt/baremetal/driver.py
+++ b/nova/virt/baremetal/driver.py
@@ -655,6 +655,10 @@ class BareMetalDriver(driver.ComputeDriver):
# Bare metal doesn't currently support security groups
pass
+ def refresh_instance_security_rules(self, instance):
+ # Bare metal doesn't currently support security groups
+ pass
+
def update_available_resource(self, ctxt, host):
"""Updates compute manager resource info on ComputeNode table.
diff --git a/nova/virt/fake.py b/nova/virt/fake.py
index f87e78af4..178bfb066 100644
--- a/nova/virt/fake.py
+++ b/nova/virt/fake.py
@@ -213,6 +213,9 @@ class FakeDriver(driver.ComputeDriver):
def refresh_security_group_members(self, security_group_id):
return True
+ def refresh_instance_security_rules(self, instance):
+ return True
+
def refresh_provider_fw_rules(self):
pass
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index 2afb8b6cf..20f23906f 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -75,6 +75,14 @@ class FirewallDriver(object):
the security group."""
raise NotImplementedError()
+ def refresh_instance_security_rules(self, instance):
+ """Refresh security group rules from data store
+
+ Gets called when an instance gets added to or removed from
+ the security group the instance is a member of or if the
+ group gains or looses a rule."""
+ raise NotImplementedError()
+
def refresh_provider_fw_rules(self):
"""Refresh common rules for all hosts/instances from data store.
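Review bot: The docstring on the new abstract `refresh_instance_security_rules` in FirewallDriver misspells "loses"; the last line should read `group gains or loses a rule."""`. Its summary line could also state the narrower scope, since the group-level method just above it refreshes every instance while this one refreshes only the instance passed in: `"""Refresh security group rules for a single instance from the data store.`. The rest of the docstring can stay as written.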
@@ -391,12 +399,21 @@ class IptablesFirewallDriver(FirewallDriver):
self.do_refresh_security_group_rules(security_group)
self.iptables.apply()
+ def refresh_instance_security_rules(self, instance):
+ self.do_refresh_instance_rules(instance)
+ self.iptables.apply()
+
@utils.synchronized('iptables', external=True)
def do_refresh_security_group_rules(self, security_group):
for instance in self.instances.values():
self.remove_filters_for_instance(instance)
self.add_filters_for_instance(instance)
+ @utils.synchronized('iptables', external=True)
+ def do_refresh_instance_rules(self, instance):
+ self.remove_filters_for_instance(instance)
+ self.add_filters_for_instance(instance)
+
def refresh_provider_fw_rules(self):
"""See :class:`FirewallDriver` docs."""
self._do_refresh_provider_fw_rules()
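Review bot: `do_refresh_instance_rules` rewrites the iptables filters for whatever instance is handed to it, whereas the group-level `do_refresh_security_group_rules` directly above only walks `self.instances.values()`, i.e. instances this host has already prepared filters for. If a refresh request arrives for an instance this driver is not (or no longer) tracking, `add_filters_for_instance` would presumably install chains for an instance the host does not run; the bodies of those helpers are outside the hunk, so confirm. A guard such as `if instance['id'] not in self.instances: return` before the remove/add pair would keep the new path as bounded as the old one, assuming `self.instances` is keyed by instance id — verify against the code that populates it. The new public `refresh_instance_security_rules` also lacks the `"""See :class:`FirewallDriver` docs."""` docstring that its sibling `refresh_provider_fw_rules` in the same hunk carries.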
diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
index 57459b0c0..ba04dd70d 100644
--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@@ -2173,6 +2173,9 @@ class LibvirtDriver(driver.ComputeDriver):
def refresh_security_group_members(self, security_group_id):
self.firewall_driver.refresh_security_group_members(security_group_id)
+ def refresh_instance_security_rules(self, instance):
+ self.firewall_driver.refresh_instance_security_rules(instance)
+
def refresh_provider_fw_rules(self):
self.firewall_driver.refresh_provider_fw_rules()
diff --git a/nova/virt/xenapi/driver.py b/nova/virt/xenapi/driver.py
index ac4547166..8891e9106 100644
--- a/nova/virt/xenapi/driver.py
+++ b/nova/virt/xenapi/driver.py
@@ -516,6 +516,13 @@ class XenAPIDriver(driver.ComputeDriver):
"""
return self._vmops.refresh_security_group_members(security_group_id)
+ def refresh_instance_security_rules(self, instance):
+ """ Updates security group rules for specified instance
+ Invoked when instances are added/removed to a security group
+ or when a rule is added/removed to a security group
+ """
+ return self._vmops.refresh_instance_security_rules(instance)
+
def refresh_provider_fw_rules(self):
return self._vmops.refresh_provider_fw_rules()
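Review bot: The docstring on XenAPIDriver's new `refresh_instance_security_rules` has a stray space after the opening quotes and the phrase "added/removed to a security group" reads as if instances are removed to a group; suggest `"""Updates security group rules for the specified instance.` followed by `Invoked when instances are added to or removed from a security group, or when a rule is added to or removed from the group.`. The `return` passes through whatever `self._vmops.refresh_instance_security_rules` yields, and the vmops hunk in this commit shows that method returns nothing, so callers should not expect a meaningful value from this wrapper.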
diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py
index 39c0f994e..9f00dc75e 100644
--- a/nova/virt/xenapi/vmops.py
+++ b/nova/virt/xenapi/vmops.py
@@ -1456,6 +1456,10 @@ class VMOps(object):
""" recreates security group rules for every instance """
self.firewall_driver.refresh_security_group_members(security_group_id)
+ def refresh_instance_security_rules(self, instance):
+ """ recreates security group rules for specified instance """
+ self.firewall_driver.refresh_instance_security_rules(instance)
+
def refresh_provider_fw_rules(self):
self.firewall_driver.refresh_provider_fw_rules()