| author | hua zhang <zhhuabj@cn.ibm.com> | 2012-05-09 14:11:00 +0800 |
|---|---|---|
| committer | hua zhang <zhhuabj@cn.ibm.com> | 2012-05-14 17:12:29 +0800 |
| commit | 763a3678407b244b680fd0bf2c6bcee60e8352c2 (patch) | |
| tree | 09975f4e0cad91c5b27acf601c1fd370304fc083 /nova | |
| parent | 2c7e0d1e63cae7aaa38095439843c9a2abb0382b (diff) | |
Avoid setting up DHCP firewall rules with FlatManager
Fixes bug #704737
With FlatManager, ensure that the network info's dhcp_server value is not set
and use that key to decide in the compute service whether DHCP firewall rules should be added.
Change-Id: I8183a6fa3881adea1a09f3f1a29442e6b7a919ce
Diffstat (limited to 'nova')
| -rw-r--r-- | nova/compute/utils.py | 2 | ||||
| -rw-r--r-- | nova/tests/network/test_manager.py | 2 | ||||
| -rw-r--r-- | nova/tests/test_libvirt.py | 22 | ||||
| -rw-r--r-- | nova/virt/libvirt/firewall.py | 13 | ||||
| -rw-r--r-- | nova/virt/libvirt/vif.py | 3 |
5 files changed, 28 insertions, 14 deletions
diff --git a/nova/compute/utils.py b/nova/compute/utils.py index c00626129..7a6ac8671 100644 --- a/nova/compute/utils.py +++ b/nova/compute/utils.py @@ -186,7 +186,7 @@ def legacy_network_info(network_model): False) should_create_vlan = get_meta(network, 'should_create_vlan', False) gateway = get_ip(subnet_v4['gateway']) - dhcp_server = get_meta(subnet_v4, 'dhcp_server', gateway) + dhcp_server = get_meta(subnet_v4, 'dhcp_server') network_dict = dict(bridge=network['bridge'], id=network['id'], cidr=subnet_v4['cidr'], diff --git a/nova/tests/network/test_manager.py b/nova/tests/network/test_manager.py index da892eddd..2158ea566 100644 --- a/nova/tests/network/test_manager.py +++ b/nova/tests/network/test_manager.py @@ -166,7 +166,7 @@ class FlatNetworkTestCase(test.TestCase): self.assertDictMatch(nw, check) check = {'broadcast': '192.168.%d.255' % nid, - 'dhcp_server': '192.168.%d.1' % nid, + 'dhcp_server': None, 'dns': ['192.168.%d.3' % nid, '192.168.%d.4' % nid], 'gateway': '192.168.%d.1' % nid, 'gateway_v6': 'fe80::def', diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py index 3fdfa120f..b0b165c70 100644 --- a/nova/tests/test_libvirt.py +++ b/nova/tests/test_libvirt.py @@ -956,8 +956,6 @@ class LibvirtConnTestCase(test.TestCase): self.assertEquals(interfaces[0].get('type'), 'bridge') self.assertEquals(parameters[0].get('name'), 'IP') self.assertTrue(_ipv4_like(parameters[0].get('value'), '192.168')) - self.assertEquals(parameters[1].get('name'), 'DHCPSERVER') - self.assertTrue(_ipv4_like(parameters[1].get('value'), '192.168.*.1')) def _check_xml_and_container(self, instance): user_context = context.RequestContext(self.user_id, 
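Review bot: Dropping the `gateway` fallback in `legacy_network_info` changes `dhcp_server` for every network whose subnet carries no `dhcp_server` meta, not only for FlatManager networks; the value is presumably None in that case. This commit adapts only the libvirt NWFilter and VIF code to an unset value. Any other reader of `mapping['dhcp_server']` outside this diff, such as another firewall driver that formats the value into a rule, should be checked for how it handles an empty value. A comment above the changed line, for example `# No default: an unset dhcp_server means consumers must not add DHCP rules`, would make the new contract explicit. The function body starts and ends outside the hunk.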
@@ -1158,9 +1156,6 @@ class LibvirtConnTestCase(test.TestCase): (lambda t: t.find(parameter).get('name'), 'IP'), (lambda t: _ipv4_like(t.find(parameter).get('value'), '192.168'), True), - (lambda t: t.findall(parameter)[1].get('name'), 'DHCPSERVER'), - (lambda t: _ipv4_like(t.findall(parameter)[1].get('value'), - '192.168.*.1'), True), (lambda t: t.find('./memory').text, '2097152')] if rescue: common_checks += [ @@ -2180,12 +2175,14 @@ class NWFilterTestCase(test.TestCase): inst_id = instance_ref['id'] inst_uuid = instance_ref['uuid'] - def _ensure_all_called(mac): + def _ensure_all_called(mac, allow_dhcp): instance_filter = 'nova-instance-%s-%s' % (instance_ref['name'], mac.translate(None, ':')) - for required in ['allow-dhcp-server', - 'no-arp-spoofing', 'no-ip-spoofing', - 'no-mac-spoofing']: + requiredlist = ['no-arp-spoofing', 'no-ip-spoofing', + 'no-mac-spoofing'] + if allow_dhcp: + requiredlist.append('allow-dhcp-server') + for required in requiredlist: self.assertTrue(required in self.recursive_depends[instance_filter], "Instance's filter does not include %s" % @@ -2204,7 +2201,12 @@ class NWFilterTestCase(test.TestCase): mac = network_info[0][1]['mac'] self.fw.setup_basic_filtering(instance, network_info) - _ensure_all_called(mac) + allow_dhcp = False + for (network, mapping) in network_info: + if mapping['dhcp_server']: + allow_dhcp = True + break + _ensure_all_called(mac, allow_dhcp) db.instance_remove_security_group(self.context, inst_uuid, self.security_group.id) self.teardown_security_group() diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py index a0644cafc..9cc801cc8 100644 --- a/nova/virt/libvirt/firewall.py +++ b/nova/virt/libvirt/firewall.py 
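Review bot: `_ensure_all_called` in the NWFilterTestCase hunk only asserts that filters are present, so the case this commit exists for is never checked: no `allow-dhcp-server` reference when no NIC has a DHCP server. Adding the negative branch would pin it, e.g. `else: self.assertFalse('allow-dhcp-server' in self.recursive_depends[instance_filter])`. The next hunk derives `allow_dhcp` with the same loop the driver uses, so the test would still agree with the implementation if that logic were wrong. Asserting a fixed expectation for the fixture's `network_info` would be stronger. The enclosing test method starts outside the hunk.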
@@ -101,10 +101,17 @@ class NWFilterFirewall(base_firewall.FirewallDriver): LOG.info(_('Ensuring static filters'), instance=instance) self._ensure_static_filters() + allow_dhcp = False + for (network, mapping) in network_info: + if mapping['dhcp_server']: + allow_dhcp = True + break if instance['image_ref'] == str(FLAGS.vpn_image_id): base_filter = 'nova-vpn' - else: + elif allow_dhcp: base_filter = 'nova-base' + else: + base_filter = 'nova-nodhcp' for (network, mapping) in network_info: nic_id = mapping['mac'].replace(':', '') @@ -128,6 +135,10 @@ class NWFilterFirewall(base_firewall.FirewallDriver): 'no-ip-spoofing', 'no-arp-spoofing', 'allow-dhcp-server'])) + self._define_filter(self._filter_container('nova-nodhcp', + ['no-mac-spoofing', + 'no-ip-spoofing', + 'no-arp-spoofing'])) self._define_filter(self._filter_container('nova-vpn', ['allow-dhcp-server'])) self._define_filter(self.nova_dhcp_filter) diff --git a/nova/virt/libvirt/vif.py b/nova/virt/libvirt/vif.py index 80b34220d..07ac50520 100644 --- a/nova/virt/libvirt/vif.py +++ b/nova/virt/libvirt/vif.py @@ -64,7 +64,8 @@ class LibvirtBridgeDriver(vif.VIFDriver): conf.filtername = "nova-instance-" + instance['name'] + "-" + mac_id conf.add_filter_param("IP", mapping['ips'][0]['ip']) - conf.add_filter_param("DHCPSERVER", mapping['dhcp_server']) + if mapping['dhcp_server']: + conf.add_filter_param("DHCPSERVER", mapping['dhcp_server']) if FLAGS.use_ipv6: conf.add_filter_param("RASERVER", |
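Review bot: `allow_dhcp` in the first firewall.py hunk is computed once across all of `network_info`, so an instance with one DHCP-served NIC and one without gets `nova-base` on both, while the vif.py hunk omits the `DHCPSERVER` parameter for the second NIC. That NIC's filter would then reference `allow-dhcp-server` with no `DHCPSERVER` value, which libvirt likely refuses to instantiate; this is worth confirming. Choosing the base per NIC inside the existing loop avoids the mismatch: `base_filter = 'nova-base' if mapping['dhcp_server'] else 'nova-nodhcp'`, with the `nova-vpn` branch kept first. The same gap applies to `nova-vpn`, which in the second hunk still contains only `allow-dhcp-server` whether or not a DHCP server is set. The patched methods start and end outside the hunks.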
