From 45ee988ffc5abe7ad35d9cd87979f95eb6105ac7 Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Tue, 20 Dec 2016 14:48:05 +0200
Subject: [PATCH] NSX|V remove security group from NSX policy before deletion

NSX security group should be deleted from the NSX policy, before deletion. Otherwise the security group deletion will fail, or if forced, it may cause sync issues in the future.

Change-Id: I070d34e9e55759d55a95c48dc9d5f8e307dc3f9f
---
 vmware_nsx/db/extended_security_group.py | 5 +++++
 vmware_nsx/plugins/nsx_v/plugin.py | 22 ++++++++++++++++++----
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/vmware_nsx/db/extended_security_group.py b/vmware_nsx/db/extended_security_group.py
index 1338365d59..33c0dcd311 100644
--- a/vmware_nsx/db/extended_security_group.py
+++ b/vmware_nsx/db/extended_security_group.py
@@ -145,6 +145,11 @@ class ExtendedSecurityGroupPropertiesMixin(object):
 security_group_id)
 return True if sg_prop.policy else False
+ def _get_security_group_policy(self, context, security_group_id):
+ sg_prop = self._get_security_group_properties(context,
+ security_group_id)
+ return sg_prop.policy
+
 def _check_provider_security_group_exists(self, context,
 security_group_id):
 # NOTE(roeyc): We want to retrieve the security-group info by calling
diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py
index eb3f0ec395..2fbaeffa86 100644
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
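Review bot: `_get_security_group_policy` is added without a docstring, and it repeats the `_get_security_group_properties` lookup that the method directly above it (whose header lies outside the hunk) already performs before truth-testing `sg_prop.policy`. A one-line docstring such as `"""Return the NSX policy bound to security_group_id (falsy when none is bound, judging by the truth test in the sibling above)."""` would make the contract explicit. The sibling could then be reduced to `return bool(self._get_security_group_policy(context, security_group_id))` so there is a single place that knows where the policy lives.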
@@ -3076,12 +3076,25 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 LOG.error(_LE("Failed to update firewall for router %s"),
 router_id)
- # Security group handling section #
- def _delete_nsx_security_group(self, nsx_sg_id):
+ def _delete_nsx_security_group(self, nsx_sg_id, nsx_policy):
 """Helper method to delete nsx security group."""
 if nsx_sg_id is not None:
+ if nsx_policy:
+ # First remove this security group from the NSX policy,
+ # Or else the delete will fail
+ try:
+ with locking.LockManager.get_lock(
+ 'neutron-security-policy-' + str(nsx_policy)):
+ self.nsx_sg_utils.del_nsx_security_group_from_policy(
+ nsx_policy, nsx_sg_id)
+ except Exception as e:
+ LOG.warning(_LW("Failed to remove nsx security group "
+ "%(id)s from policy %(pol)s : %(e)s"),
+ {'id': nsx_sg_id, 'pol': nsx_policy, 'e': e})
 self.nsx_v.vcns.delete_security_group(nsx_sg_id)
+ # Security group handling section #
 def _delete_section(self, section_uri):
 """Helper method to delete nsx rule section."""
 if section_uri is not None:
@@ -3162,7 +3175,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 context, securitygroup, nsx_sg_id)
 except Exception:
 with excutils.save_and_reraise_exception():
- self._delete_nsx_security_group(nsx_sg_id)
+ self._delete_nsx_security_group(nsx_sg_id, policy)
 if not securitygroup[provider_sg.PROVIDER]:
 # Add Security Group to the Security Groups container in order to
@@ -3361,6 +3374,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 """Delete a security group."""
 self._prevent_non_admin_delete_provider_sg(context, id)
 self._prevent_non_admin_delete_policy_sg(context, id)
+ policy = self._get_security_group_policy(context, id)
 try:
 # Find nsx rule sections
 section_uri = self._get_section_uri(context.session, id)
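Review bot: `_delete_nsx_security_group` now takes `nsx_policy` as a required positional argument, so any caller other than the two call sites updated in this patch would fail with a TypeError; giving it a default, `def _delete_nsx_security_group(self, nsx_sg_id, nsx_policy=None):`, keeps the old call shape working and documents that policy-less groups are the normal case. The `except Exception as e` branch logs a warning and then still calls `delete_security_group`, which is exactly the path the commit message says fails or leaves NSX out of sync; if continuing is intentional best-effort cleanup (for example the group was already detached), the comment should say so, otherwise re-raise or use `LOG.exception` so the traceback is preserved rather than only `str(e)`. The docstring should mention the new parameter, e.g. `"""Delete the NSX security group, first detaching it from nsx_policy when one is given."""`. Minor: the relocated `# Security group handling section #` marker now sits between this helper and `_delete_section`, leaving the helper outside the section it belongs to.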
@@ -3375,7 +3389,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 self._delete_section(section_uri)
 # Delete nsx security group
- self._delete_nsx_security_group(nsx_sg_id)
+ self._delete_nsx_security_group(nsx_sg_id, policy)
 except Exception:
 with excutils.save_and_reraise_exception():