diff --git a/Makefile b/Makefile
index 126bbf78..5b02fbfa 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,7 @@ lint:
 @flake8 --exclude hooks/charmhelpers unit_tests
 @charm proof
-test:
+unit_test:
 @echo Starting tests...
 @$(PYTHON) /usr/bin/nosetests --nologcapture unit_tests
@@ -18,6 +18,6 @@ bin/charm_helpers_sync.py:
 sync: bin/charm_helpers_sync.py
 @$(PYTHON) bin/charm_helpers_sync.py -c charm-helpers-sync.yaml
-publish: lint test
+publish: lint unit_test
 bzr push lp:charms/neutron-openvswitch
 bzr push lp:charms/trusty/neutron-openvswitch
diff --git a/config.yaml b/config.yaml
index fde2a455..ea3ed841 100644
--- a/config.yaml
+++ b/config.yaml
@@ -27,6 +27,15 @@ options:
 description: |
 The data port will be added to br-data and will allow usage of flat or VLAN network types
+ disable-security-groups:
+ type: boolean
+ default: false
+ description: |
+ Disable neutron based security groups - setting this configuration option
+ will override any settings configured via the neutron-api charm.
+ .
+ BE CAREFUL - this option allows you to disable all port level security within
+ an OpenStack cloud.
 # Network configuration options
 # by default all access is over 'private-address'
 os-data-network:
diff --git a/hooks/neutron_ovs_context.py b/hooks/neutron_ovs_context.py
index 9178a35c..7dbf5211 100644
--- a/hooks/neutron_ovs_context.py
+++ b/hooks/neutron_ovs_context.py
@@ -37,6 +37,9 @@ def _neutron_api_settings():
 'neutron_security_groups': rdata['neutron-security-groups'],
 'overlay_network_type': rdata['overlay-network-type'],
 }
+ # Override with configuration if set to true
+ if config('disable-security-groups'):
+ neutron_settings['neutron_security_groups'] = False
 return neutron_settings
 return neutron_settings
diff --git a/templates/icehouse/ml2_conf.ini b/templates/icehouse/ml2_conf.ini
index 72f0048c..56be2052 100644
--- a/templates/icehouse/ml2_conf.ini
+++ b/templates/icehouse/ml2_conf.ini
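Review bot: The description of `disable-security-groups` does not say what happens on the neutron-api side once the option is set. Nothing in this commit changes that service, so presumably the API keeps accepting security-group rules that the agents on these units no longer enforce. An operator auditing the cloud would want that stated, for example with an extra line such as `Rules created through the Neutron API are not enforced on units where this is set.`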
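Review bot: `rdata['neutron-security-groups']` is still copied into the context unconverted, while the `templates/icehouse/ml2_conf.ini` hunk of this commit switches the template to a plain truthiness test. The old template compared against the string `'True'`, which suggests the relation may deliver strings; if it does, `'False'` is a non-empty string and would render `enable_security_group = True`. Converting once here makes both paths explicit, e.g. `'neutron_security_groups': str(rdata['neutron-security-groups']).lower() == 'true',` (or whichever spellings neutron-api actually sends). The override also turns off port filtering silently, so a log message next to it would help when auditing a unit. `_neutron_api_settings` starts and ends outside the hunk.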
@@ -31,7 +31,7 @@ tunnel_types = {{ overlay_network_type }}
 l2_population = {{ l2_population }}
 [securitygroup]
-{% if neutron_security_groups == 'True' -%}
+{% if neutron_security_groups -%}
 enable_security_group = True
 firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
 {% else -%}
diff --git a/unit_tests/test_neutron_ovs_context.py b/unit_tests/test_neutron_ovs_context.py
index 3f894816..3e2ee906 100644
--- a/unit_tests/test_neutron_ovs_context.py
+++ b/unit_tests/test_neutron_ovs_context.py
@@ -88,7 +88,7 @@ class OVSPluginContextTest(CharmTestCase):
 _is_clus.return_value = False
 self.related_units.return_value = ['unit1']
 self.relation_ids.return_value = ['rid2']
- self.test_relation.set({'neutron-security-groups': 'yes',
+ self.test_relation.set({'neutron-security-groups': True,
 'l2-population': True,
 'overlay-network-type': 'gre',
 })
@@ -97,7 +97,60 @@ class OVSPluginContextTest(CharmTestCase):
 napi_ctxt = context.OVSPluginContext()
 expect = {
 'neutron_alchemy_flags': {},
- 'neutron_security_groups': 'yes',
+ 'neutron_security_groups': True,
+ 'verbose': True,
+ 'local_ip': '127.0.0.15',
+ 'config': 'neutron.randomconfig',
+ 'use_syslog': True,
+ 'network_manager': 'neutron',
+ 'debug': True,
+ 'core_plugin': 'neutron.randomdriver',
+ 'neutron_plugin': 'ovs',
+ 'neutron_url': 'https://127.0.0.13:9696',
+ 'l2_population': True,
+ 'overlay_network_type': 'gre',
+ }
+ self.assertEquals(expect, napi_ctxt())
+ self.service_start.assertCalled()
+
+ @patch.object(charmhelpers.contrib.openstack.context, 'config')
+ @patch.object(charmhelpers.contrib.openstack.context, 'unit_get')
+ @patch.object(charmhelpers.contrib.openstack.context, 'is_clustered')
+ @patch.object(charmhelpers.contrib.openstack.context, 'https')
+ @patch.object(context.OVSPluginContext, '_save_flag_file')
+ @patch.object(context.OVSPluginContext, '_ensure_packages')
+ @patch.object(charmhelpers.contrib.openstack.context,
+ 'neutron_plugin_attribute')
+ @patch.object(charmhelpers.contrib.openstack.context, 'unit_private_ip')
+ def test_neutroncc_context_api_rel_disable_security(self,
+ _unit_priv_ip, _npa,
+ _ens_pkgs, _save_ff,
+ _https, _is_clus,
+ _unit_get,
+ _config):
+ def mock_npa(plugin, section, manager):
+ if section == "driver":
+ return "neutron.randomdriver"
+ if section == "config":
+ return "neutron.randomconfig"
+ _npa.side_effect = mock_npa
+ _config.return_value = 'ovs'
+ _unit_get.return_value = '127.0.0.13'
+ _unit_priv_ip.return_value = '127.0.0.14'
+ _is_clus.return_value = False
+ self.test_config.set('disable-security-groups', True)
+ self.related_units.return_value = ['unit1']
+ self.relation_ids.return_value = ['rid2']
+ self.test_relation.set({'neutron-security-groups': True,
+ 'l2-population': True,
+ 'overlay-network-type': 'gre',
+ })
+ self.get_host_ip.return_value = '127.0.0.15'
+ self.service_running.return_value = False
+ napi_ctxt = context.OVSPluginContext()
+ expect = {
+ 'neutron_alchemy_flags': {},
+ 'neutron_security_groups': False,
 'verbose': True,
 'local_ip': '127.0.0.15',
 'config': 'neutron.randomconfig',
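Review bot: `self.service_start.assertCalled()` in the added lines is not an assertion that `mock` defines. Assuming `service_start` is a Mock like the other patched attributes, older mock releases turn the call into a no-op child mock and newer ones raise AttributeError, so it verifies nothing either way; `self.assertTrue(self.service_start.called)` checks what the line seems to intend. The new `test_neutroncc_context_api_rel_disable_security` also feeds the relation only a Python `True`, so a case using the string form the relation may carry would pin the template's new truthiness test. The new test's closing assertion lies outside the hunk.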