From 868b8e1ea069170afa7a4130a0505e9ea18039b0 Mon Sep 17 00:00:00 2001
From: Soren Hansen
Date: Thu, 13 Jan 2011 16:54:20 +0100
Subject: Instead of a set() to keep track of instances and security groups, use a dict(). __eq__ for stuff coming out of sqlalchemy does not do what I expected (probably due to our use of sessions).
---
 nova/virt/libvirt_conn.py | 36 ++++++++++++++++++++++++------------
 1 file changed, 24 insertions(+), 12 deletions(-)
diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py
index c03046703..5b4ea992a 100644
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@@ -214,6 +214,8 @@ class LibvirtConnection(object):
 power_state.SHUTDOWN)
 break
+ self.firewall_driver.unfilter_instance(instance)
+
 if cleanup:
 self._cleanup(instance)
@@ -1045,17 +1047,25 @@ class NWFilterFirewall(FirewallDriver):
 class IptablesFirewallDriver(FirewallDriver):
 def __init__(self, execute=None):
 self.execute = execute or utils.execute
- self.instances = set()
+ self.instances = {}
 def apply_instance_filter(self, instance):
 """No-op. Everything is done in prepare_instance_filter"""
 pass
 def remove_instance(self, instance):
- self.instances.remove(instance)
+ if instance['id'] in self.instances:
+ del self.instances[instance['id']]
+ else:
+ LOG.info(_('Attempted to untiler instance %s which is not '
+ 'filtered'), instance['id'])
 def add_instance(self, instance):
- self.instances.add(instance)
+ self.instances[instance['id']] = instance
+
+ def unfilter_instance(self, instance):
+ self.remove_instance(instance)
+ self.apply_ruleset()
 def prepare_instance_filter(self, instance):
 self.add_instance(instance)
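Review bot: `IptablesFirewallDriver.unfilter_instance` calls `apply_ruleset()` even when `remove_instance` found nothing to remove, and it has no docstring saying what state it relies on. `self.instances` exists only in this process, and the later hunk shows the chains being built by walking that dict. If the service restarts while instances are running and they are not re-added through `prepare_instance_filter` (not visible here), an unfilter call would presumably regenerate the ruleset without the other instances' chains. I would document that assumption, e.g. `"""Stop tracking instance and re-apply the ruleset; assumes every running instance was added via prepare_instance_filter."""`, and consider skipping the rebuild when the instance was not tracked.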
@@ -1088,10 +1098,11 @@ class IptablesFirewallDriver(FirewallDriver):
 our_chains += [':nova-local - [0:0]']
 our_rules += ['-A FORWARD -j nova-local']
- security_groups = set()
+ security_groups = {}
 # Add our chains
 # First, we add instance chains and rules
- for instance in self.instances:
+ for instance_id in self.instances:
+ instance = self.instances[instance_id]
 chain_name = self._instance_chain_name(instance)
 ip_address = self._ip_for_instance(instance)
@@ -1113,9 +1124,10 @@ class IptablesFirewallDriver(FirewallDriver):
 for security_group in \
 db.security_group_get_by_instance(ctxt, instance['id']):
- security_groups.add(security_group)
+ security_groups[security_group['id']] = security_group
- sg_chain_name = self._security_group_chain_name(security_group)
+ sg_chain_name = self._security_group_chain_name(
+ security_group['id'])
 our_rules += ['-A %s -j %s' % (chain_name, sg_chain_name)]
@@ -1128,13 +1140,13 @@ class IptablesFirewallDriver(FirewallDriver):
 our_rules += ['-A %s -j nova-ipv4-fallback' % (chain_name,)]
 # then, security group chains and rules
- for security_group in security_groups:
- chain_name = self._security_group_chain_name(security_group)
+ for security_group_id in security_groups:
+ chain_name = self._security_group_chain_name(security_group_id)
 our_chains += [':%s - [0:0]' % chain_name]
 rules = \
 db.security_group_rule_get_by_security_group(ctxt,
- security_group['id'])
+ security_group_id)
 for rule in rules:
 logging.info('%r', rule)
@@ -1182,8 +1194,8 @@ class IptablesFirewallDriver(FirewallDriver):
 def refresh_security_group_rules(self, security_group):
 self.apply_ruleset()
- def _security_group_chain_name(self, security_group):
- return 'nova-sg-%s' % (security_group['id'],)
+ def _security_group_chain_name(self, security_group_id):
+ return 'nova-sg-%s' % (security_group_id,)
 def _instance_chain_name(self, instance):
 return 'nova-inst-%s' % (instance['id'],)
-- cgit
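Review bot: The loop `for instance_id in self.instances:` in the `@@ -1088` hunk walks the live dict while its body calls `db.security_group_get_by_instance`. If that call can yield to a greenthread that runs `add_instance` or `remove_instance` (not visible in the hunk), iteration aborts with a "dictionary changed size during iteration" error partway through building the firewall ruleset. Iterating a snapshot avoids that and removes the second lookup: `for instance in list(self.instances.values()):`. The enclosing method starts and ends outside the hunk.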
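Review bot: `_security_group_chain_name` in the `@@ -1182` hunk now expects an id instead of a row, but it has no docstring and still formats whatever it is given with `%s`. A caller outside these hunks that keeps passing the security-group row would get a chain name built from the row's string form instead of an error, and that name goes into the generated rule lines. A docstring such as `"""Return the iptables chain name for the security group with the given id."""` states the new contract. If ids are always integers (not shown here), `'nova-sg-%d' % (security_group_id,)` would turn a stale call into a TypeError.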
From 953f506949951c4aad18c5bdfcb0dc9b82a95c63 Mon Sep 17 00:00:00 2001
From: Soren Hansen
Date: Thu, 13 Jan 2011 16:59:14 +0100
Subject: Bring NWFilter driver up to speed on unfilter_instance.
---
 nova/version.py | 4 ++++
 nova/virt/libvirt_conn.py | 8 ++++++++
 2 files changed, 12 insertions(+)
diff --git a/nova/version.py b/nova/version.py
index 7b27acb6a..24af76557 100644
--- a/nova/version.py
+++ b/nova/version.py
@@ -28,10 +28,12 @@ FINAL = False # This becomes true at Release Candidate time
 def canonical_version_string():
+ return ''
 return '.'.join([YEAR, COUNT])
 def version_string():
+ return ''
 if FINAL:
 return canonical_version_string()
 else:
@@ -39,8 +41,10 @@ def version_string():
 def vcs_version_string():
+ return ''
 return "%s:%s" % (version_info['branch_nick'], version_info['revision_id'])
 def version_string_with_vcs():
+ return ''
 return "%s-%s" % (canonical_version_string(), vcs_version_string())
diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py
index 5b4ea992a..b832907ce 100644
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@@ -776,6 +776,10 @@ class FirewallDriver(object):
 At this point, the instance isn't running yet."""
 raise NotImplementedError()
+ def unfilter_instance(self, instance):
+ """Stop filtering instance"""
+ raise NotImplementedError()
+
 def apply_instance_filter(self, instance):
 """Apply instance filter.
@@ -966,6 +970,10 @@ class NWFilterFirewall(FirewallDriver):
 # execute in a native thread and block current greenthread until done
 tpool.execute(self._conn.nwfilterDefineXML, xml)
+ def unfilter_instance(self, instance):
+ # Nothing to do
+ pass
+
 def prepare_instance_filter(self, instance):
 """
 Creates an NWFilter for the given instance. In the process,
-- cgit
From 373a0eb1de5f8457d5147f6957dcdd4f940f8943 Mon Sep 17 00:00:00 2001
From: Soren Hansen
Date: Thu, 13 Jan 2011 17:57:06 +0100
Subject: Revert changes to version.py
---
 nova/version.py | 4 ----
 1 file changed, 4 deletions(-)
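Review bot: The base-class docstring `"""Stop filtering instance"""` on `FirewallDriver.unfilter_instance` does not say what an implementation must guarantee. In the earlier commit of this series `destroy` calls it unconditionally after the shutdown wait, so a driver has to cope with an instance it never filtered, as `IptablesFirewallDriver.remove_instance` does by logging instead of raising. I would state that in the docstring, e.g. `"""Stop filtering instance. Called from destroy(); must not fail if the instance was never filtered."""`.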
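Review bot: `NWFilterFirewall.unfilter_instance` is a silent no-op, although `prepare_instance_filter` just below "Creates an NWFilter for the given instance" and the context line above defines filters through `nwfilterDefineXML`. Nothing in this hunk removes those definitions, so destroyed instances appear to leave their filters behind in libvirt, where stale policy accumulates and could apply again if a filter name is reused. If leaving them is intended, the comment should say why; otherwise replace `# Nothing to do` with `# TODO: undefine the per-instance NWFilter created in prepare_instance_filter` until the cleanup is implemented.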
diff --git a/nova/version.py b/nova/version.py
index 24af76557..7b27acb6a 100644
--- a/nova/version.py
+++ b/nova/version.py
@@ -28,12 +28,10 @@ FINAL = False # This becomes true at Release Candidate time
 def canonical_version_string():
- return ''
 return '.'.join([YEAR, COUNT])
 def version_string():
- return ''
 if FINAL:
 return canonical_version_string()
 else:
@@ -41,10 +39,8 @@ def version_string():
 def vcs_version_string():
- return ''
 return "%s:%s" % (version_info['branch_nick'], version_info['revision_id'])
 def version_string_with_vcs():
- return ''
 return "%s-%s" % (canonical_version_string(), vcs_version_string())
-- cgit
From 27480db8f9b9df08b69a00e1155c64e6590d79f3 Mon Sep 17 00:00:00 2001
From: Soren Hansen
Date: Thu, 13 Jan 2011 18:08:53 +0100
Subject: Spelling is hard. Typing even moreso.
---
 nova/virt/libvirt_conn.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py
index b832907ce..f75371a7b 100644
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@@ -1065,7 +1065,7 @@ class IptablesFirewallDriver(FirewallDriver):
 if instance['id'] in self.instances:
 del self.instances[instance['id']]
 else:
- LOG.info(_('Attempted to untiler instance %s which is not '
+ LOG.info(_('Attempted to unfilter instance %s which is not '
 'filtered'), instance['id'])
 def add_instance(self, instance):
-- cgit