Add L2 Agent side handling for non consistent security_group settings

Add setting of the firewall_driver to NoopDriver when firewall_driver is None and add warning if driver combination is not valid. Modify is_valid_driver_combination to verify default settings: enable_security_group (True) and firewall_driver (None). Change-Id: I841f9cf96ac6ee2ad17a4e8908d6c8a96f368cca Closes-Bug: #1296957
2014-03-25 09:30:17 +02:00 · 2014-03-25 09:30:17 +02:00 · 4a6e5bc75b
commit 4a6e5bc75b
parent d3cb1aa547
2 changed files with 29 additions and 3 deletions
--- a/neutron/agent/securitygroups_rpc.py
+++ b/neutron/agent/securitygroups_rpc.py
@ -44,12 +44,13 @@ cfg.CONF.register_opts(security_group_opts, 'SECURITYGROUP')
 #This is backward compatibility check for Havana
 def _is_valid_driver_combination():
    return ((cfg.CONF.SECURITYGROUP.enable_security_group and
-             cfg.CONF.SECURITYGROUP.firewall_driver !=
-             'neutron.agent.firewall.NoopFirewallDriver') or
+             (cfg.CONF.SECURITYGROUP.firewall_driver and
+              cfg.CONF.SECURITYGROUP.firewall_driver !=
+             'neutron.agent.firewall.NoopFirewallDriver')) or
            (not cfg.CONF.SECURITYGROUP.enable_security_group and
             (cfg.CONF.SECURITYGROUP.firewall_driver ==
             'neutron.agent.firewall.NoopFirewallDriver' or
-              cfg.CONF.SECURITYGROUP.firewall_driver == None)
+              cfg.CONF.SECURITYGROUP.firewall_driver is None)
             ))


@ -137,6 +138,11 @@ class SecurityGroupAgentRpcMixin(object):
    def init_firewall(self, defer_refresh_firewall=False):
        firewall_driver = cfg.CONF.SECURITYGROUP.firewall_driver
        LOG.debug(_("Init firewall settings (driver=%s)"), firewall_driver)
+        if not _is_valid_driver_combination():
+            LOG.warn("Driver configuration doesn't match "
+                     "with enable_security_group")
+        if not firewall_driver:
+            firewall_driver = 'neutron.agent.firewall.NoopFirewallDriver'
        self.firewall = importutils.import_object(firewall_driver)
        # The following flag will be set to true if port filter must not be
        # applied as soon as a rule or membership notification is received
--- a/neutron/tests/unit/test_security_groups_rpc.py
+++ b/neutron/tests/unit/test_security_groups_rpc.py
@ -773,6 +773,17 @@ class SGAgentRpcCallBackMixinTestCase(base.BaseTestCase):
            [call.security_groups_provider_updated()])


+class SecurityGroupAgentRpcTestCaseForNoneDriver(base.BaseTestCase):
+    def test_init_firewall_with_none_driver(self):
+        cfg.CONF.set_override(
+            'enable_security_group', False,
+            group='SECURITYGROUP')
+        agent = sg_rpc.SecurityGroupAgentRpcMixin()
+        agent.init_firewall()
+        self.assertEqual(agent.firewall.__class__.__name__,
+                         'NoopFirewallDriver')
+
+
 class SecurityGroupAgentRpcTestCase(base.BaseTestCase):
    def setUp(self, defer_refresh_firewall=False):
        super(SecurityGroupAgentRpcTestCase, self).setUp()
@ -1986,6 +1997,15 @@ class TestSecurityGroupExtensionControl(base.BaseTestCase):
            group='SECURITYGROUP')
        self.assertFalse(sg_rpc._is_valid_driver_combination())

+    def test_is_invalid_drvier_combination_sg_enabled_with_none(self):
+        cfg.CONF.set_override(
+            'enable_security_group', True,
+            group='SECURITYGROUP')
+        cfg.CONF.set_override(
+            'firewall_driver', None,
+            group='SECURITYGROUP')
+        self.assertFalse(sg_rpc._is_valid_driver_combination())
+
    def test_is_invalid_drvier_combination_sg_disabled(self):
        cfg.CONF.set_override(
            'enable_security_group', False,