From 02ca5e114b694b1ba1c789cec406f59bd483bb6d Mon Sep 17 00:00:00 2001
From: Kobi Samoray
Date: Wed, 14 Dec 2016 18:11:05 +0200
Subject: [PATCH] NSXv: LBaaS driver should not maintain member FW rule
Rule should be applied by the user using security groups.
Change-Id: Ib2e85bf8d09b6099b22a26b284c51c629c61ef91
---
 .../services/lbaas/nsx_v/lbaas_common.py | 61 -------------------
 .../services/lbaas/nsx_v/v2/member_mgr.py | 21 -------
 .../nsx_v/test_edge_loadbalancer_driver_v2.py | 11 +---
 .../tests/unit/nsx_v/test_lbaas_common.py | 45 --------------
 4 files changed, 1 insertion(+), 137 deletions(-)
diff --git a/vmware_nsx/services/lbaas/nsx_v/lbaas_common.py b/vmware_nsx/services/lbaas/nsx_v/lbaas_common.py
index dcf4ab0767..26213eb9fc 100644
--- a/vmware_nsx/services/lbaas/nsx_v/lbaas_common.py
+++ b/vmware_nsx/services/lbaas/nsx_v/lbaas_common.py
@@ -14,17 +14,14 @@ # under the License. import netaddr -import xml.etree.ElementTree as et from neutron_lib import exceptions as n_exc from vmware_nsx._i18n import _ from vmware_nsx.common import locking from vmware_nsx.db import nsxv_db -from vmware_nsx.plugins.nsx_v.vshield import vcns as nsxv_api MEMBER_ID_PFX = 'member-' -LBAAS_FW_SECTION_NAME = 'LBaaS FW Rules' def get_member_id(member_id): 
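Review bot: Removing `LBAAS_FW_SECTION_NAME` drops the driver's only reference to the 'LBaaS FW Rules' section, but nothing in this patch deletes or migrates that section on managers where it was already created, so the per-pool allow rules (edge IPs to member IPs) written by the old `update_pool_fw_rule` presumably stay in place after upgrade with no code path left to remove them. Stale allow rules that no component owns are a hygiene problem for operators auditing the distributed firewall. Consider an admin utility or release note that tells operators to remove the section, and a module comment near the remaining constants such as `# Member reachability is no longer programmed here; it is the user's security groups' job.`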
@@ -193,64 +190,6 @@ def get_edge_ip_addresses(vcns, edge_id): return edge_ips -def update_pool_fw_rule(vcns, pool_id, edge_id, section_id, member_ips): - edge_ips = get_edge_ip_addresses(vcns, edge_id) - - with locking.LockManager.get_lock('lbaas-fw-section'): - section_uri = '%s/%s/%s' % (nsxv_api.FIREWALL_PREFIX, - 'layer3sections', - section_id) - xml_section = vcns.get_section(section_uri)[1] - section = et.fromstring(xml_section) - pool_rule = None - for rule in section.iter('rule'): - if rule.find('name').text == pool_id: - pool_rule = rule - if member_ips: - pool_rule.find('sources').find('source').find( - 'value').text = (','.join(edge_ips)) - pool_rule.find('destinations').find( - 'destination').find('value').text = ','.join( - member_ips) - else: - section.remove(pool_rule) - break - - if member_ips and pool_rule is None: - pool_rule = et.SubElement(section, 'rule') - et.SubElement(pool_rule, 'name').text = pool_id - et.SubElement(pool_rule, 'action').text = 'allow' - sources = et.SubElement(pool_rule, 'sources') - sources.attrib['excluded'] = 'false' - source = et.SubElement(sources, 'source') - et.SubElement(source, 'type').text = 'Ipv4Address' - et.SubElement(source, 'value').text = ','.join(edge_ips) - - destinations = et.SubElement(pool_rule, 'destinations') - destinations.attrib['excluded'] = 'false' - destination = et.SubElement(destinations, 'destination') - et.SubElement(destination, 'type').text = 'Ipv4Address' - et.SubElement(destination, 'value').text = ','.join(member_ips) - - vcns.update_section(section_uri, - et.tostring(section, encoding="us-ascii"), - None) - - -def get_lbaas_fw_section_id(vcns): - # Avoid concurrent creation of section by multiple neutron - # instances - with locking.LockManager.get_lock('lbaas-fw-section'): - fw_section_id = vcns.get_section_id(LBAAS_FW_SECTION_NAME) - if not fw_section_id: - section = et.Element('section') - section.attrib['name'] = LBAAS_FW_SECTION_NAME - sect = vcns.create_section('ip', 
et.tostring(section))[1] - fw_section_id = et.fromstring(sect).attrib['id'] - - return fw_section_id - - def enable_edge_acceleration(vcns, edge_id): with locking.LockManager.get_lock(edge_id): # Query the existing load balancer config in case metadata lb is set
diff --git a/vmware_nsx/services/lbaas/nsx_v/v2/member_mgr.py b/vmware_nsx/services/lbaas/nsx_v/v2/member_mgr.py
index 561c449b38..711bc50120 100644
--- a/vmware_nsx/services/lbaas/nsx_v/v2/member_mgr.py
+++ b/vmware_nsx/services/lbaas/nsx_v/v2/member_mgr.py
@@ -33,19 +33,6 @@ class EdgeMemberManager(base_mgr.EdgeLoadbalancerBaseManager): super(EdgeMemberManager, self).__init__(vcns_driver) self._fw_section_id = None - def _get_pool_member_ips(self, pool, operation, address): - member_ips = [member.address for member in pool.members] - if operation == 'add' and address not in member_ips: - member_ips.append(address) - elif operation == 'del' and address in member_ips: - member_ips.remove(address) - return member_ips - - def _get_lbaas_fw_section_id(self): - if not self._fw_section_id: - self._fw_section_id = lb_common.get_lbaas_fw_section_id(self.vcns) - return self._fw_section_id - @log_helpers.log_method_call def create(self, context, member): listener = member.pool.listener
@@ -75,14 +62,6 @@ class EdgeMemberManager(base_mgr.EdgeLoadbalancerBaseManager): try: self.vcns.update_pool(edge_id, edge_pool_id, edge_pool) - - member_ips = self._get_pool_member_ips(member.pool, 'add', - member.address) - lb_common.update_pool_fw_rule(self.vcns, member.pool_id, - edge_id, - self._get_lbaas_fw_section_id(), - member_ips) - self.lbv2_driver.member.successful_completion(context, member) except nsxv_exc.VcnsApiException:
diff --git a/vmware_nsx/tests/unit/nsx_v/test_edge_loadbalancer_driver_v2.py b/vmware_nsx/tests/unit/nsx_v/test_edge_loadbalancer_driver_v2.py
index e1ea6d5a45..27158c4fa4 100644
--- a/vmware_nsx/tests/unit/nsx_v/test_edge_loadbalancer_driver_v2.py 
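Review bot: `self._fw_section_id = None` in `EdgeMemberManager.__init__` is left behind as dead state once `_get_lbaas_fw_section_id`, its only reader in this hunk, is removed; delete that line from `__init__` too so the cached section id does not suggest the firewall integration still exists. If `lb_common` is no longer referenced anywhere else in member_mgr.py, its import at the top of the file (outside this hunk) becomes unused as well and flake8 will flag it. The enclosing `__init__` starts outside the hunk.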
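Review bot: `create` now silently stops opening the edge-to-member path, and nothing in the remaining code or its docstring records the new contract that the commit message states; a member that used to become reachable on creation will not be reachable unless the tenant's security groups allow traffic from the edge's IPs, which is easy to miss during an upgrade. Add a comment above `self.vcns.update_pool(...)` such as `# Reachability from the edge to the member is not programmed here; the member's security groups must allow traffic from the edge IPs.` so the next maintainer does not reintroduce the rule or wonder where it went. `create` continues past the end of this hunk.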
+++ b/vmware_nsx/tests/unit/nsx_v/test_edge_loadbalancer_driver_v2.py
@@ -421,16 +421,10 @@ class TestEdgeLbaasV2Member(BaseTestEdgeLbaasV2): mock.patch.object(self.edge_driver.vcns, 'get_pool' ) as mock_get_pool, \ mock.patch.object(self.edge_driver.vcns, 'update_pool' - ) as mock_update_pool, \ - mock.patch.object(self.edge_driver.member, - '_get_lbaas_fw_section_id' - ) as mock_get_sect, \ - mock.patch.object(lb_common, 'update_pool_fw_rule' - ) as mock_upd_fw: + ) as mock_update_pool: mock_get_lb_binding.return_value = LB_BINDING mock_get_pool_binding.return_value = POOL_BINDING mock_get_pool.return_value = (None, EDGE_POOL_DEF.copy()) - mock_get_sect.return_value = POOL_FW_SECT self.edge_driver.member.create(self.context, self.member)
@@ -438,9 +432,6 @@ class TestEdgeLbaasV2Member(BaseTestEdgeLbaasV2): edge_pool_def['member'] = [EDGE_MEMBER_DEF] mock_update_pool.assert_called_with( LB_EDGE_ID, EDGE_POOL_ID, edge_pool_def) - mock_upd_fw.assert_called_with(self.edge_driver.vcns, POOL_ID, - LB_EDGE_ID, POOL_FW_SECT, - [MEMBER_ADDRESS]) mock_successful_completion = ( self.lbv2_driver.member.successful_completion) mock_successful_completion.assert_called_with(self.context,
diff --git a/vmware_nsx/tests/unit/nsx_v/test_lbaas_common.py b/vmware_nsx/tests/unit/nsx_v/test_lbaas_common.py
index a27f796e66..1a45a82fbf 100644
--- a/vmware_nsx/tests/unit/nsx_v/test_lbaas_common.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_lbaas_common.py 
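Review bot: The two removed uses of `POOL_FW_SECT` (the `mock_get_sect.return_value` line and the `mock_upd_fw.assert_called_with` arguments) look like the only ones in this test module, so the constant, defined outside the hunk, is probably dead now; the same may hold for the `lb_common` import that was only used to patch `update_pool_fw_rule`. Remove whichever of them has no remaining reference so the test module does not keep vocabulary for a feature the driver no longer has. Both enclosing test methods extend beyond the hunks shown.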
@@ -91,51 +91,6 @@ class TestLbaasCommon(base.BaseTestCase): def _mock_edge_driver_vcns(self, attr): return mock.patch.object(self.edge_driver.vcns, attr) - def test_update_pool_fw_rule_add(self): - vip_ips = ['10.0.0.1', '11.0.0.1'] - member_ips = ['10.0.0.10', '11.0.0.10'] - edge_fw_section = firewall_section_maker(vip_ips, ['10.0.0.10']) - edge_fw_updated_section = firewall_section_maker(vip_ips, member_ips) - - with self._mock_edge_driver_vcns( - 'get_section') as mock_get_section,\ - self._mock_edge_driver_vcns( - 'update_section') as mock_update_section: - - tmp_get_ips = lb_common.get_edge_ip_addresses - lb_common.get_edge_ip_addresses = mock.Mock() - lb_common.get_edge_ip_addresses.return_value = vip_ips - - mock_get_section.return_value = (None, edge_fw_section) - lb_common.update_pool_fw_rule( - self.edge_driver.vcns, POOL_ID, EDGE_ID, '1111', member_ips) - mock_update_section.assert_called_with( - '/api/4.0/firewall/globalroot-0/config/layer3sections/1111', - edge_fw_updated_section.encode('utf-8'), None) - lb_common.get_edge_ip_addresses = tmp_get_ips - - def test_update_pool_fw_rule_del(self): - vip_ips = ['10.0.0.1', '11.0.0.1'] - member_ips = ['10.0.0.10'] - edge_fw_section = firewall_section_maker(vip_ips, ['10.0.0.10', - '11.0.0.10']) - edge_fw_updated_section = firewall_section_maker(vip_ips, member_ips) - - with self._mock_edge_driver_vcns('get_section') as mock_get_section, \ - self._mock_edge_driver_vcns( - 'update_section') as mock_update_section: - - tmp_get_ips = lb_common.get_edge_ip_addresses - lb_common.get_edge_ip_addresses = mock.Mock() - lb_common.get_edge_ip_addresses.return_value = vip_ips - mock_get_section.return_value = (None, edge_fw_section) - lb_common.update_pool_fw_rule( - self.edge_driver.vcns, POOL_ID, EDGE_ID, '1111', member_ips) - mock_update_section.assert_called_with( - '/api/4.0/firewall/globalroot-0/config/layer3sections/1111', - edge_fw_updated_section.encode('utf-8'), None) - lb_common.get_edge_ip_addresses = 
tmp_get_ips - def test_add_vip_as_secondary_ip(self): update_if = if_maker(['10.0.0.6', '10.0.0.8'])
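Review bot: `firewall_section_maker` was called only by the two deleted tests as far as this hunk shows, so the helper (defined above the hunk) is presumably now unused and should go with them; likewise check whether `EDGE_ID` and `POOL_ID` still have callers in test_lbaas_common.py. Leaving a fixture builder for firewall sections in a module that no longer tests firewall sections invites someone to resurrect the rule-maintenance path the commit deliberately removed.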