From 7fb703a03ea7f99c7d4536081cf99dedffb2b813 Mon Sep 17 00:00:00 2001
From: chengyang
Date: Tue, 12 Dec 2017 18:59:57 +0800
Subject: [PATCH] Apply security group when attach network

When attach new network on a container which has add a security group before, security group doesn't apply on new port.

Change-Id: I091a05078001c7e649afdaf21505e1ed2614da6b
Closes-bug: #1737693
---
 zun/container/docker/driver.py | 6 ++++-
 .../container/docker/test_docker_driver.py | 23 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/zun/container/docker/driver.py b/zun/container/docker/driver.py
index 8bbe25771..0f141e583 100644
--- a/zun/container/docker/driver.py
+++ b/zun/container/docker/driver.py
@@ -904,6 +904,10 @@ class DockerDriver(driver.ContainerDriver):
 def network_attach(self, context, container, network):
 with docker_utils.docker_client() as docker:
+ security_group_ids = None
+ if container.security_groups:
+ security_group_ids = utils.get_security_group_ids(
+ context, container.security_groups)
 network_api = zun_network.api(context, docker_api=docker)
 if network in container.addresses:
@@ -920,7 +924,7 @@ class DockerDriver(driver.ContainerDriver):
 docker_net_name = self._get_docker_network_name(context, network)
 addrs = network_api.connect_container_to_network(
 container, docker_net_name, requested_network,
- security_groups=None)
+ security_groups=security_group_ids)
 if addrs is None:
 raise exception.ZunException(_(
 'Unexpected missing of addresses'))
diff --git a/zun/tests/unit/container/docker/test_docker_driver.py b/zun/tests/unit/container/docker/test_docker_driver.py
index 93a3481b3..0538759d6 100644
--- a/zun/tests/unit/container/docker/test_docker_driver.py
+++ b/zun/tests/unit/container/docker/test_docker_driver.py
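Review bot: In `network_attach` (first hunk of zun/container/docker/driver.py) nothing documents what the new port gets when `container.security_groups` is empty and `security_groups=None` is still passed in the second hunk; a comment above `security_group_ids = None` such as `# None: no groups requested for this port; connect_container_to_network decides what is applied` would make that path explicit once the callee's behaviour is confirmed, since it is not visible here. The test suggests `container.security_groups` holds names that are resolved to ids again at attach time, so it is worth confirming that a renamed or duplicated group name cannot give the new port a different group than the ports created with the container. The lookup also sits ahead of the `if network in container.addresses:` check, so if that branch rejects the request, as it appears to, the groups are resolved for nothing; moving the four added lines below the check would avoid that. The function body starts inside the first hunk but continues outside both.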
@@ -590,6 +590,29 @@ class TestDockerDriver(base.DriverTestCase):
 requested_network[0],
 security_groups=None)
+ @mock.patch('zun.common.utils.get_security_group_ids')
+ @mock.patch('zun.network.kuryr_network.KuryrNetwork'
+ '.connect_container_to_network')
+ @mock.patch('zun.network.kuryr_network.KuryrNetwork'
+ '.list_networks')
+ def test_network_attach_with_security_group(self, mock_list,
+ mock_connect,
+ mock_get_sec_group_id):
+ test_sec_group_id = '84e3a4c1-c8cd-46b1-a0d9-c8c35f6a32a4'
+ mock_container = mock.MagicMock()
+ mock_container.security_groups = ['test_sec_group']
+ mock_list.return_value = {'network': 'network'}
+ mock_get_sec_group_id.return_value = test_sec_group_id
+ requested_network = [{'network': 'network',
+ 'port': '',
+ 'v4-fixed-ip': '',
+ 'v6-fixed-ip': ''}]
+ self.driver.network_attach(self.context, mock_container, 'network')
+ mock_connect.assert_called_once_with(mock_container,
+ 'network-fake_project',
+ requested_network[0],
+ security_groups=test_sec_group_id)
+
 @mock.patch('oslo_concurrency.processutils.execute')
 @mock.patch('zun.container.driver.ContainerDriver.get_host_mem')
 @mock.patch(
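Review bot: `test_network_attach_with_security_group` never asserts how `get_security_group_ids` was called, so it would still pass if `network_attach` resolved the wrong groups or passed the wrong context; adding `mock_get_sec_group_id.assert_called_once_with(self.context, ['test_sec_group'])` pins that down. The mock also returns a bare string where the helper's name suggests a collection of ids, so `mock_get_sec_group_id.return_value = [test_sec_group_id]` would probably match the real return shape more closely, though the helper itself is not visible here. A one-line docstring stating that the container's groups must reach the new port would tie the test to the bug it guards against.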