[jamespage,r=gnuoy] Add option to allow the nova-compute charm to override neutron security group configuration provided from the nova-cloud-controller.

2014-07-14 14:46:26 +01:00 · 2014-07-14 14:46:26 +01:00 · 945d5591f7
parent 01fbbe874e 494bf3bc75
commit 945d5591f7
4 changed files with 33 additions and 1 deletions
--- a/config.yaml
+++ b/config.yaml
@ -105,3 +105,11 @@ options:
          juju-myservice-0
      If you're running multiple environments with the same services in them
      this allows you to differentiate between them.
+  disable-neutron-security-groups:
+    type: boolean
+    description: |
+      Disable neutron based security groups - setting this configuration option
+      will override any settings configured via the nova-cloud-controller charm.
+      .
+      BE CAREFUL - this option allows you to disable all port level security within
+      and OpenStack cloud.
--- a/hooks/nova_compute_context.py
+++ b/hooks/nova_compute_context.py
@ -346,3 +346,11 @@ class NeutronComputeContext(context.NeutronContext):

        ovs_ctxt['local_ip'] = get_host_ip(unit_get('private-address'))
        return ovs_ctxt
+
+    def __call__(self):
+        ctxt = super(NeutronComputeContext, self).__call__()
+        # NOTE(jamespage) support override of neutron security via config
+        if config('disable-neutron-security-groups') is not None:
+            ctxt['disable_neutron_security_groups'] = \
+                config('disable-neutron-security-groups')
+        return ctxt
--- a/templates/icehouse/ml2_conf.ini
+++ b/templates/icehouse/ml2_conf.ini
@ -22,7 +22,7 @@ local_ip = {{ local_ip }}
 tunnel_types = gre

 [securitygroup]
-{% if neutron_security_groups -%}
+{% if neutron_security_groups and not disable_neutron_security_groups -%}
 enable_security_group = True
 firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
 {% else -%}
--- a/unit_tests/test_nova_compute_contexts.py
+++ b/unit_tests/test_nova_compute_contexts.py
@ -180,3 +180,19 @@ class NovaComputeContextTests(CharmTestCase):
        libvirt = context.NovaComputeLibvirtContext()
        self.assertEquals(
            {'libvirtd_opts': '-d -l', 'listen_tls': 0}, libvirt())
+
+    @patch.object(context.NeutronComputeContext, 'network_manager')
+    @patch.object(context.NeutronComputeContext, 'plugin')
+    def test_disable_security_groups_true(self, plugin, nm):
+        plugin.return_value = "ovs"
+        nm.return_value = "neutron"
+        self.test_config.set('disable-neutron-security-groups', True)
+        qplugin = context.NeutronComputeContext()
+        with patch.object(qplugin, '_ensure_packages'):
+            self.assertEquals({'disable_neutron_security_groups': True},
+                              qplugin())
+        self.test_config.set('disable-neutron-security-groups', False)
+        qplugin = context.NeutronComputeContext()
+        with patch.object(qplugin, '_ensure_packages'):
+            self.assertEquals({'disable_neutron_security_groups': False},
+                              qplugin())