Firewall support is not needed with neutron, which supports both
security groups for per-port filtering and FWaaS for per-network
filtering. Remove both the generic firewalls and the hypervisor-specific
implementations.
This part focuses on removing the firewall drivers themselves, which are
now unused. It also updates the release note to note the two additional
config options that are removed here, '[DEFAULT] firewall_driver' and
'[DEFAULT] allow_same_net_traffic'.
Change-Id: I2dccf1610d6cbbb076fda393f1ef695d0be84b13
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
This patch removes get_nw_info_for_instance(instance) from nova.compute.utils
as it was just a proxy for instance.get_network_info() call.
Change-Id: Iddae8074554995df22b656bb2e9bddaec6d775cc
The i18n team has decided not to translate the logs because it
seems like it is not very useful; operators prefer to have them in
English so that they can search for those strings on the internet.
Partial fix for nova/virt; other paths will be fixed in subsequent commits.
Change-Id: Ie7821aa4a5147cdb0616741bd1a1b1fc22080440
The config options of the section
"nova/netconf" got moved to the
new central location
"nova/conf/netconf.py"
Change-Id: I8a17b6f00b15e03de55385fc0206bdc82441304a
Depends-On: I0da2ad7daa942b85c3395dc4861c6e18368ece88
Implements: blueprint centralize-config-options-newton
Skip creating the formatted log message
if the message is not going to be emitted
because of the log level.
TrivialFix
Change-Id: Iba9f47163a0ac3aca612818272db6d536b238975
Add options from 'virt.firewall'. These options are part of the
'DEFAULT' group but are included in the "nova.conf.virt" file in hope
that they can eventually be moved to their own group.
Change-Id: I54d7bbe416d908edf3447b36e054be189f9d5bf9
Implements: bp centralize-config-options
Provider firewall rules functionality is not in use and hasn't been
for a very long time. The api for this was removed in [1] and db api
methods for adding/removing rows in the associated db table have not
been used since.
Stop refreshing those rules as it is essentially a no-op and indeed a
costly one that includes a rpc round trip to the conductor to get
back an always empty db result. This should have a positive impact on
instance boot performance since the conductor call happens to live
inside an externally synchronized block of code.
Removes related compute rpcapi/manager code that were missed in a
recent cleanup[2]. Since this functionality hasn't been in use since
Havana timeframe(!), it should be fairly safe to remove without first
deprecating it.
Also removes the now unused virtapi method provider_fw_rule_get_all()
and the virtapi itself from virt firewall driver initialization.
[1] Commit: 62d5fae8d1
[2] Commit: e6f7d80417
Change-Id: Ifbb2514b9bc1445eaa07dcfe172c7405fd1a58f7
Partial-Bug: #1016633
Cleanup subclassing on NovaObjectDictCompat and fix subsequent tests
and code associated with nova/objects/security_group_rule.py
Change-Id: Idffd15a6d4ce043d97f9e8ca4ac0f5abe51e5f2c
When getting instance rules in virt/firewall.py a for loop is used to
issue db queries for rules belonging to each individual security group
in a list of security groups that itself is fetched using a separate
query.
This can be made much more efficient by querying all rules in a single
db query joined by instance.
Change-Id: I325f9c71fecde8297842fd608ac3cfd51ea9db71
Closes-Bug: #1528041
This call was replaced with refresh_instance_security_groups() in
compute rpc version 1.41(!). Since we just reached version 4.0 it
should be fairly safe to just remove all traces of this without
backwards compatibility being an issue.
The original change that replaced and made this call no longer being
used was commit 2afbbab23a.
Change-Id: I60d314f68a984fa8e6d36f46b5ae595f0afabe73
Fix virt/fake.py and virt/firewall.py to use instance objects
with the field access dot notation everywhere. Essentially we use
instance.key instead of instance['key']. Needed to rework some of
the test cases to get them working.
Change-Id: I6b8613edcfa0d735008b69824c996dc7e4fd25f7
Convert the use of the incubated version of the log module
to the new oslo.log library.
Sync oslo-incubator modules to update their imports as well.
Co-Authored-By: Doug Hellmann <doug@doughellmann.com>
Change-Id: Ic4932e3f58191869c30bd07a010a6e9fdcb2a12c
The oslo team is recommending everyone to switch to the
non-namespaced versions of libraries. Updating the hacking
rule to include a check to prevent oslo.* import from
creeping back in.
This commit includes:
- using oslo_utils instead of oslo.utils
- using oslo_serialization instead of oslo.serialization
- using oslo_db instead of oslo.db
- using oslo_i18n instead of oslo.i18n
- using oslo_middleware instead of oslo.middleware
- using oslo_config instead of oslo.config
- using oslo_messaging instead of "from oslo import messaging"
- using oslo_vmware instead of oslo.vmware
Change-Id: I3e2eb147b321ce3e928817b62abcb7d023c5f13f
oslo.i18n uses different marker functions to separate the
translatable messages into different catalogs, which the translation
teams can prioritize translating. For details, please refer to:
http://docs.openstack.org/developer/oslo.i18n/guidelines.html#guidelines-for-use-in-openstack
There were no marker functions in some places in the network directory.
This commit makes changes:
* Add missing marker functions
* Use ',' instead of '%' while adding variables to log messages
Added a hacking rule for the log info about checking
translation for it.
Change-Id: I96766d723b01082339876ed94bbaa77783322b8c
oslo.utils library now provides the functionality previously in
oslo-incubator's excutils, importutils, network_utils, strutils
timeutils, units etc. Some modules already moved to oslo.utils
will still be around since other code in nova/openstack/common/
are using it and will be removed in a subsequent commit.
Change-Id: Idc716342535fdfa680963e0e073ddb46f5f1eb34
pep8 E265 makes sure block comment start with '# '. Fix and gate on this
new rule as it helps improve comment readability.
In the few cases where the comment was just commented out code, remove
the comment.
Change-Id: Iea1c445df8ddc2b6c17a4ab697ad756eef2f91fa
This replaces all uses of nova.objects.<module>.<object> with
nova.objects.<object> in the remaining places.
Implements-Blueprint: object-subclassing
Change-Id: Ic7632cca2455a38abcbdb94feb7e39cfb898bb27
oslo.i18n provides the i18n functions that were provided by
oslo-incubator's gettextutils module. Some tests that were
using internal details of the library were removed.
Change-Id: I44cfd5552e0dd86af21073419d31622f5fdb28e0
When we are building rules ensure we log the instance['id'] so
we can actually correlate the iptables output to UUID for the
instance.
Also bundle up the security group to iptables translation to a
final view of the world instead of the piecemeal rule at a time
view.
Display what rules are being skipped in the add process, as the
skips seem to happen a lot. If this is completely normal we should
probably delete the bit entirely at some later point.
Related-Bug: #1298472
Change-Id: I0e90c3af9bf908b733ed895ad7c204b0a95ef786
The remove_filters_for_instance() method fails silently if the
instance's chain is gone (i.e. it's been deleted). If this
happens while we're refreshing security group rules, we will
not notice this case and re-add stale rules for an old instance,
breaking our firewall for new instances.
This adds a quick check after we've captured the lock to see if
the associated chain exists, and bails if it doesn't.
Change-Id: Ic75988939f82de49735d85fe99a9eecd4baf45c9
Related-bug: #1182131
This makes the virt.firewall code cleaner in terms of referencing
the cached instance and network_info code it stores. Before this
patch, concurrent instance operations could modify these two dicts
so that while we're iterating instances, the network_info dict
is suddenly missing information we need.
The right fix for this is to use instance objects and their
associated info_cache objects, but that's a larger fix and one
not as well-suited to backporting to previous releases which
suffer from this as well.
The approach taken here is that we store the instance and
network_info cache together in the same dict that we can pop()
from atomically (this is not really necessary, but helps to
prevent introducing more of these cases). When we iterate over
the contents, we iterate over a copy of the keys, being careful
not to let a suddenly-missing key break us, and passing the
details all the way down the stack instead of having deeper calls
hit the cache dicts again.
Change-Id: I33366f50024a82451842d045b830ab19b59879c3
Closes-bug: #1182131
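The two commits above describe the same class of problem from two angles: a refresh that silently re-creates the chain of an instance deleted while the refresh was in flight, and a cache of instance and network_info entries that another operation may pop from while it is being iterated. The following is an added, self-contained illustration of both (in-memory stand-ins only, not nova's code): the buggy refresh checks for the chain before taking the lock and so misses a deletion that lands in between, while the fixed refresh iterates over a snapshot of the keys, tolerates an entry that has disappeared, and verifies the chain still exists only after the lock is held. The class and method names, the `interleave` hook used to simulate the race deterministically, and the sample instance and addresses are all constructed for this example.

```python
import threading

# Constructed, in-memory model of the situation described in the two commit
# messages above. None of this is nova code.


class FakeIptablesManager:
    """Per-instance chains: chain name -> list of rule strings."""

    def __init__(self):
        self.chains = {}

    def has_chain(self, name):
        return name in self.chains

    def add_chain(self, name):
        self.chains.setdefault(name, [])

    def remove_chain(self, name):
        # Silent no-op when the chain is already gone, mirroring the
        # "fails silently" behaviour the commit message describes.
        self.chains.pop(name, None)

    def empty_chain(self, name):
        if name in self.chains:
            self.chains[name] = []

    def add_rules(self, name, rules):
        # setdefault is what makes a stale refresh harmful: adding rules to a
        # removed chain silently re-creates it.
        self.chains.setdefault(name, []).extend(rules)


class FirewallDriver:
    """Instance and network_info stored together in one dict entry so that a
    deletion removes both with a single pop()."""

    def __init__(self):
        self.iptables = FakeIptablesManager()
        self.lock = threading.Lock()
        self.instance_info = {}  # instance id -> {'instance': ..., 'network_info': ...}

    @staticmethod
    def _chain_name(instance):
        return 'inst-%s' % instance['id']

    @staticmethod
    def _rules(network_info):
        return ['-s %s -j ACCEPT' % ip for ip in network_info['ips']]

    def prepare_instance_filter(self, instance, network_info):
        with self.lock:
            self.instance_info[instance['id']] = {'instance': instance,
                                                  'network_info': network_info}
            chain = self._chain_name(instance)
            self.iptables.add_chain(chain)
            self.iptables.add_rules(chain, self._rules(network_info))

    def unfilter_instance(self, instance):
        with self.lock:
            self.instance_info.pop(instance['id'], None)
            self.iptables.remove_chain(self._chain_name(instance))

    def refresh_naive(self, interleave=lambda: None):
        """Buggy variant: checks the cache before taking the lock, so a
        deletion that lands in between (simulated by `interleave`) is missed."""
        for instance_id in list(self.instance_info):
            info = self.instance_info.get(instance_id)
            if info is None:
                continue
            chain = self._chain_name(info['instance'])
            interleave()  # a concurrent delete may happen here
            with self.lock:
                self.iptables.empty_chain(chain)  # silent if the chain is gone
                self.iptables.add_rules(chain, self._rules(info['network_info']))  # re-creates it

    def refresh_fixed(self, interleave=lambda: None):
        """Fixed variant: snapshot the keys, tolerate a vanished entry, and
        confirm the chain still exists only after the lock is held."""
        for instance_id in list(self.instance_info):
            interleave()
            with self.lock:
                info = self.instance_info.get(instance_id)
                if info is None:
                    continue  # instance deleted while we were iterating
                chain = self._chain_name(info['instance'])
                if not self.iptables.has_chain(chain):
                    continue  # chain gone: do not re-add stale rules
                self.iptables.empty_chain(chain)
                self.iptables.add_rules(chain, self._rules(info['network_info']))


def stale_chain_after_refresh(fixed):
    """Run one refresh while the only instance is deleted mid-way and report
    whether its chain still exists afterwards (True means stale rules)."""
    driver = FirewallDriver()
    instance = {'id': 'vm-1'}  # constructed sample instance
    driver.prepare_instance_filter(instance, {'ips': ['10.0.0.5']})  # constructed sample address
    refresh = driver.refresh_fixed if fixed else driver.refresh_naive
    refresh(interleave=lambda: driver.unfilter_instance(instance))
    return driver.iptables.has_chain('inst-vm-1')


if __name__ == '__main__':
    print('naive refresh leaves a stale chain:', stale_chain_after_refresh(fixed=False))
    print('fixed refresh leaves a stale chain:', stale_chain_after_refresh(fixed=True))
```

The `interleave` hook stands in for a concurrent instance deletion so the race is reproducible without real threads; the lock is a plain `threading.Lock` so the hook must run outside the locked region, which is also where the real race window sits.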
This switches the remaining occurrences of
nova.objects.instance.Instance* to nova.objects.Instance*.
Partial-Blueprint: object-subclassing
Change-Id: I3017c149cc9fbc6b1fbecb003dc55455b1dcd12c
Our translation policy
(https://wiki.openstack.org/wiki/LoggingStandards#Log_Translation) calls
for not translating debug level logs. This is to help prioritize log
translation. Furthermore translation has a performance overhead, even if
the log isn't used (since nova doesn't support lazy translation yet).
Change-Id: I524b48f530d8afd59a067074332e3964426e4d70
We don't need to have the vi modelines in each source file,
it can be set in a user's vimrc if required.
Also a check is added to hacking to detect if they are re-added.
Change-Id: I347307a5145b2760c69085b6ca850d6a9137ffc6
Closes-Bug: #1229324
This makes the CIDR field become the IPNetwork field (and associate
versioned fields). It also uses the netaddr.IPNetwork class, which
is what should have been done in the first place.
Wire format is unchanged, so we can make this without any version
bumps or upgrade impact.
Related to blueprint nova-network-objects
Change-Id: I1a3ab6a5f4c624f3da0ab1c78c75c6f1e474541f
The function _security_group_chain_name in nova/virt/firewall.py is
useless for now, just remove it.
Change-Id: I1ad7050115ad56ce7b152efbcfcc42aff8e6c3ed
This makes the virt/firewall module use SecurityGroup and
SecurityGroupRule objects instead of relying on virtapi and
conductor for these operations.
Related to blueprint compute-manager-objects
Related to blueprint virt-objects
Change-Id: I39cb9422cb15e6222f5009f64706f1528035f42d
Before updating security group rules, we need to make sure that
the info cache is up-to-date. Without this source groups are not
updated properly. This was a regression introduced in commit
85aac04704 which fixed a potential
DOS using source groups.
Fixes bug 1216720
Change-Id: I6b5115df53f2e159ea506ef966cd49cedd35f83d
Update libvirt driver, virt firewall and hypervisor unit tests to
use nova.network.model instead of legacy "network,mapping" tuple.
Partly implement blueprint nova-network-legacy
Co-author: Amir Sadoughi <amir.sadoughi@gmail.com>
Change-Id: I4d38bb81a4f64efdb78f5da52fbbb382981e0b96
This stops a potential DOS with source security groups by using the
db cached version of the network info instead of calling out to
the network api multiple times.
Fixes bug 1184041
Change-Id: Id5f24ecf0e8cce60c27a9aecbc6e606c4c44d6b6
Previous _ was monkey patched into builtins whenever
certain modules were imported. This removes that and
simply imports it when it is needed.
Change-Id: I0af2c6d8a230e94440d655d13cab9107ac20d13c
This converts the db.info_cache_update() call in network/api to use
objects. The save() method has been extended to support what we need
for cells.
Converting to the object allows us to ditch the conductor_api kwarg on
some methods.
Related to blueprint unified-object-model
Change-Id: I1722c03d20511d67acc0a8947de1d4273dc78597
The lockfile module has a new convenience API which sets the lockfile prefix.
Using this API, the prefix is not required every time synchronized is used.
Change-Id: Iac1cfcc83b59108164de924d20127c1cf4dd7dcd
The previous fix only addressed the INPUT rules and not the
FORWARD rule.
Adds FORWARD rule to ensure that DHCP traffic is forwarded correctly.
Fixes bug 1131223
Change-Id: Ie0d365ba1ba1014bdd2bfc944123c17c4e415d6e
When using the firewall driver IptablesFirewallDriver and the
default INPUT and FORWARD rules are DISCARD then the DHCP
request from the VM is discarded prior to getting to the dnsmasq.
A new rule will be added that enables DHCP requests to pass.
This fixes bug 1131223
Change-Id: I50fad5b63c3c4b22a5d828e3e89353c1ed723332
The moving of data around in no-db-compute broke source groups. This
is a combination of a few errors. First, the instance_type data wasn't
being retrieved from system_metadata. Second, the instance_type data
was too deep in the hierarchy and being ignored. Finally, source
groups require a nw info call which causes a db access by
nova-compute.
Fixes bug 1122316
Change-Id: Iccb6e5d336c0b2c8ba41c41ab2e046fc9617835a
The cfg API is now available via the oslo-config library, so switch to
it and remove the copied-and-pasted version.
Add the 2013.1b4 tarball to tools/pip-requires - this will be changed
to 'oslo-config>=2013.1' when oslo-config is published to pypi. This
will happen in time for grizzly final.
Add dependency_links to setup.py so that oslo-config can be installed
from the tarball URL specified in pip-requires.
Remove the 'deps = pep8==1.3.3' from tox.ini as it means all the other
deps get installed with easy_install which can't install oslo-config
from the URL.
Make tools/hacking.py include oslo in IMPORT_EXCEPTIONS like it already
does for paste. It turns out imp.find_module() doesn't correctly handle
namespace packages.
Retain dummy cfg.py file until keystoneclient middleware has been
updated (I18c450174277c8e2d15ed93879da6cd92074c27a).
Change-Id: I4815aeb8a9341a31a250e920157f15ee15cfc5bc
The my_ip, host and use_ipv6 options are used all over the codebase
and they're pretty well related to each other. Create a new netconf
module for them to live in.
There are now no options registered globally in nova.config!
blueprint: scope-config-opts
Change-Id: Ifde37839ae6f38e6bf99dff1e80b8e25fd68ed25
Fix N402 errors (single line docstring should end in a period)
for nova/virt, part of a larger attempt to stop ignoring our own
hacking.py tests.
Change-Id: I523ce41bd2b38c73cf3fdb031101ccc0695f2488
We had previously been ignoring all our custom N4xx hacking.py
errors. This fixes all the N401 errors "doc strings
should not start with a space" and reduces the ignore set down
to N402 only "single line docstrings should end with period".
It also fixes the N401 parser to catch only docstrings, and
not triple quoted string blocks used later on in a function.
Clean up a few of the more crazy uses of """ in our code.
Clean up additional funky comments to make indents a bit more
consistent, and pull in lines when possible.
Change-Id: I9040a1d2ca7efda83bd5e425b95d1408b5b63577
This patch adds the following methods to conductor's API and
redirects the use of them in nova-compute to conductor:
security_group_get_by_instance()
security_group_rule_get_by_security_group()
This involved changing the corresponding VirtAPI methods to
accept actual objects instead of IDs, to avoid introducing
additional DB messaging behavior.
Related to blueprint no-db-compute-manager
Change-Id: I14c2bcd181d0e0a1ec17130917c1a7eb0a091cf2