diff options
| -rw-r--r-- | nova/compute/manager.py | 5 | ||||
| -rw-r--r-- | nova/endpoint/cloud.py | 20 | ||||
| -rw-r--r-- | nova/virt/libvirt_conn.py | 37 |
3 files changed, 46 insertions, 16 deletions
diff --git a/nova/compute/manager.py b/nova/compute/manager.py index 5f7a94106..a00fd9baa 100644 --- a/nova/compute/manager.py +++ b/nova/compute/manager.py @@ -63,6 +63,11 @@ class ComputeManager(manager.Manager): @defer.inlineCallbacks @exception.wrap_exception + def refresh_security_group(self, context, security_group_id, **_kwargs): + self.driver.refresh_security_group(security_group_id) + + @defer.inlineCallbacks + @exception.wrap_exception def run_instance(self, context, instance_id, **_kwargs): """Launch a new instance with specified options.""" instance_ref = self.db.instance_get(context, instance_id) diff --git a/nova/endpoint/cloud.py b/nova/endpoint/cloud.py index 7408e02e9..1403a62f6 100644 --- a/nova/endpoint/cloud.py +++ b/nova/endpoint/cloud.py @@ -93,6 +93,14 @@ class CloudController(object): result[instance['key_name']] = [line] return result + def _refresh_security_group(self, security_group): + nodes = set([instance.host for instance in security_group.instances]) + for node in nodes: + rpc.call('%s.%s' % (FLAGS.compute_topic, node), + { "method": "refresh_security_group", + "args": { "context": None, + "security_group_id": security_group.id}}) + def get_metadata(self, address): instance_ref = db.fixed_ip_get_instance(None, address) if instance_ref is None: @@ -265,12 +273,12 @@ class CloudController(object): if source_security_group_name: source_project_id = self._get_source_project_id(context, source_security_group_owner_id) - + source_security_group = \ db.security_group_get_by_name(context, source_project_id, source_security_group_name) - + criteria['group_id'] = source_security_group.id elif cidr_ip: criteria['cidr'] = cidr_ip @@ -292,6 +300,9 @@ class CloudController(object): break # If we make it here, we have a match db.security_group_rule_destroy(context, rule.id) + + self._refresh_security_group(security_group) + return True @rbac.allow('netadmin') @@ -330,8 +341,11 @@ class CloudController(object): return None security_group_rule = db.security_group_rule_create(context, values) + + self._refresh_security_group(security_group) + return True - + def _get_source_project_id(self, context, source_security_group_owner_id): if source_security_group_owner_id: # Parse user:project for source group. diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 89ede1d1a..a343267dc 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -444,6 +444,12 @@ class LibvirtConnection(object): domain = self._conn.lookupByName(instance_name) return domain.interfaceStats(interface) + + def refresh_security_group(self, security_group_id): + fw = self.NWFilterFirewall(self._conn) + fw.ensure_security_group_filter(security_group_id, override=True) + + class NWFilterFirewall(object): """ This class implements a network filtering mechanism versatile @@ -533,27 +539,32 @@ class NWFilterFirewall(object): return 'nova-secgroup-%d' % (security_group_id,) - def ensure_filter(self, name, xml_generator): - def _already_exists_check(filterlist, filter): - return filter in filterlist - def _define_if_not_exists(exists, xml_generator): - if not exists: - xml = xml_generator() - return threads.deferToThread(self._conn.nwfilterDefineXML, xml) - d = threads.deferToThread(self._conn.listNWFilter) - d.addCallback(_already_exists_check, name) + def define_filter(self, name, xml_generator, override=False): + if not override: + def _already_exists_check(filterlist, filter): + return filter in filterlist + def _define_if_not_exists(exists, xml_generator): + if not exists: + xml = xml_generator() + return threads.deferToThread(self._conn.nwfilterDefineXML, xml) + d = threads.deferToThread(self._conn.listNWFilter) + d.addCallback(_already_exists_check, name) + else: + # Pretend we looked it up and it wasn't defined + d = defer.succeed(False) d.addCallback(_define_if_not_exists, xml_generator) return d def ensure_base_filter(self): - return self.ensure_filter('nova-base-filter', self.nova_base_filter) + return self.define_filter('nova-base-filter', self.nova_base_filter) - def ensure_security_group_filter(self, security_group_id): - return self.ensure_filter( + def ensure_security_group_filter(self, security_group_id, override=False): + return self.define_filter( self._nwfilter_name_for_security_group(security_group_id), - lambda:self.security_group_to_nwfilter_xml(security_group_id)) + lambda:self.security_group_to_nwfilter_xml(security_group_id), + override=override) def security_group_to_nwfilter_xml(self, security_group_id): |
