Do disruptive firewall initialization once

The UFW default allow calls result in all existing firewall rules
being removed and reinstated. Because this has the side effect of
terminating active connections, we only want to do it once.

Change-Id: I300af4bbfeb6a309d103d00fe3362364a1d7cbb3
Closes-Bug: #1863093
Frode Nordahl 2020-02-14 08:12:04 +01:00
parent ff1673a34b
commit 3f67d9de99
GPG Key ID: 6A5D59A3BA48373F
4 changed files with 38 additions and 6 deletions


@ -299,6 +299,19 @@ class OVNCentralCharm(charms_openstack.charm.OpenStackCharm):
},
})
@staticmethod
def initialize_firewall():
"""Initialize firewall.
Note that this function is disruptive to active connections and should
only be called when necessary.
"""
# set default allow
ch_ufw.enable()
ch_ufw.default_policy('allow', 'incoming')
ch_ufw.default_policy('allow', 'outgoing')
ch_ufw.default_policy('allow', 'routed')
def configure_firewall(self, port_addr_map):
"""Configure firewall.
@ -311,11 +324,6 @@ class OVNCentralCharm(charms_openstack.charm.OpenStackCharm):
"""
ufw_comment = 'charm-' + self.name
# set default allow
ch_ufw.enable()
ch_ufw.default_policy('allow', 'incoming')
ch_ufw.default_policy('allow', 'outgoing')
ch_ufw.default_policy('allow', 'routed')
# reject connection to protected ports
for port in set().union(*port_addr_map.keys()):
ch_ufw.modify_access(src=None, dst='any', port=port,
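Review bot: With `ch_ufw.enable()` gone from `configure_firewall` in the second hunk, nothing in the charm re-enables ufw once `charm.firewall_initialized` is set, so if ufw is later disabled out of band the reject rules for the protected ports are written to an inactive firewall and the ports stay reachable without the charm noticing. The description attributes the rule reset to the `default_policy` calls, not to `enable()`; if that holds, a non-disruptive guard in `configure_firewall` such as `if not ch_ufw.is_enabled(): ch_ufw.enable()` before the `modify_access` loop would close that gap — please confirm `enable()` does not itself flush rules. The new `initialize_firewall` docstring could also state the precondition the caller relies on, e.g. `Intended to run once per unit; callers gate it on the 'charm.firewall_initialized' flag.` The `OVNCentralCharm` class and the body of `configure_firewall` continue outside the hunk.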


@ -32,6 +32,14 @@ charm.use_defaults(
)
@reactive.when_none('charm.firewall_initialized')
def initialize_firewall():
"""Do one-time initialization of firewall."""
with charm.provide_charm_instance() as ovn_charm:
ovn_charm.initialize_firewall()
reactive.set_flag('charm.firewall_initialized')
@reactive.when_none('leadership.set.nb_cid', 'leadership.set.sb_cid')
@reactive.when('config.rendered',
'certificates.connected',
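Review bot: The new `initialize_firewall` handler is gated only on `when_none('charm.firewall_initialized')`, while `configure_firewall` (whose predicates, per the registered-hooks test, do not include that flag) may still run in the same dispatch; as far as I can tell charms.reactive does not order handlers by dependency, so the reject rules can be applied before ufw has been enabled and the default policies set. Adding `@reactive.when('charm.firewall_initialized')` to `configure_firewall` makes the one-time initialization a precondition rather than a coincidence of handler order. Setting the flag only after `ovn_charm.initialize_firewall()` returns is the right choice, since a failure part-way leaves the flag unset and the next hook retries; a one-line comment saying so, `# flag is set last so a failed run is retried on the next hook`, would keep a later refactor from moving it. The surrounding handlers continue outside the hunk.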


@ -219,6 +219,16 @@ class TestOVNCentralCharm(Helper):
mock.call('sb', {3: {'inactivity_probe': 42000}}),
])
def test_initialize_firewall(self):
self.patch_object(ovn_central, 'ch_ufw')
self.target.initialize_firewall()
self.ch_ufw.enable.assert_called_once_with()
self.ch_ufw.default_policy.assert_has_calls([
mock.call('allow', 'incoming'),
mock.call('allow', 'outgoing'),
mock.call('allow', 'routed'),
])
def test_configure_firewall(self):
self.patch_object(ovn_central, 'ch_ufw')
self.ch_ufw.status.return_value = [
@ -235,7 +245,6 @@ class TestOVNCentralCharm(Helper):
(1, 2, 3, 4,): ('a.b.c.d', 'e.f.g.h',),
(1, 2,): ('i.j.k.l', 'm.n.o.p',),
})
self.ch_ufw.enable.assert_called_once_with()
self.ch_ufw.modify_access.assert_has_calls([
mock.call(src=None, dst='any', port=1,
proto='tcp', action='reject',


@ -35,6 +35,7 @@ class TestRegisteredHooks(test_utils.TestRegisteredHooks):
'configure_firewall': ('run-default-update-status',),
'enable_default_certificates': ('run-default-update-status',
'leadership.is_leader',),
'initialize_firewall': ('charm.firewall_initialized',),
'initialize_ovsdbs': ('run-default-update-status',
'leadership.set.nb_cid',
'leadership.set.sb_cid',),
@ -83,6 +84,12 @@ class TestOvnCentralHandlers(test_utils.PatchHelper):
self.target
self.provide_charm_instance().__exit__.return_value = None
def test_initialize_firewall(self):
self.patch_object(handlers.reactive, 'set_flag')
handlers.initialize_firewall()
self.target.initialize_firewall.assert_called_once_with()
self.set_flag.assert_called_once_with('charm.firewall_initialized')
def test_announce_leader_ready(self):
self.patch_object(handlers.reactive, 'endpoint_from_name')
self.patch_object(handlers.reactive, 'endpoint_from_flag')
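Review bot: `test_initialize_firewall` in the second hunk checks that `set_flag` is called, but not that it is only called after the charm method succeeds, which is the property that makes the handler safe to retry; a second case where `initialize_firewall` raises and `set_flag` is asserted not called would pin that. The flag name `'charm.firewall_initialized'` is also now spelled out as a literal in the handler, the `set_flag` call and two tests; a module-level constant in handlers would keep them from drifting. Whether the test class provides `assertRaises` (via unittest.TestCase) is not visible here. The hunk's first and last lines belong to methods that continue outside it.
```python
def test_initialize_firewall_failure_leaves_flag_unset(self):
    self.patch_object(handlers.reactive, 'set_flag')
    self.target.initialize_firewall.side_effect = RuntimeError
    with self.assertRaises(RuntimeError):
        handlers.initialize_firewall()
    self.set_flag.assert_not_called()
```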