FWaaS v1->v2 DB migration

FWaaS V1 is expected to be deleted on the Stein cycle. This patch introduces a new tool the DB migration from FWaaS v1 to FWaaS V2. Run this tool using: neutron-fwaas-migrate-v1-to-v2 --neutron-db-connection=<neutron database connection string> Change-Id: I663c173a594137056c96ad4c4b60e810059fb6fa
2018-11-22 10:57:52 +02:00 · 2018-11-22 10:57:52 +02:00 · e7f2f781ee
parent 0e968fa0c7
commit e7f2f781ee
4 changed files with 140 additions and 1 deletions
--- a/neutron_fwaas/cmd/init.py
+++ b/neutron_fwaas/cmd/init.py
--- a/neutron_fwaas/cmd/v1_to_v2_db_migration.py
+++ b/neutron_fwaas/cmd/v1_to_v2_db_migration.py
@ -0,0 +1,136 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from neutron.common import config
+from neutron.db import models_v2
+from oslo_config import cfg
+from oslo_db.sqlalchemy import enginefacade
+from oslo_log import log as logging
+
+from neutron_fwaas.db.firewall import firewall_db as firewall_db_v1
+from neutron_fwaas.db.firewall.v2 import firewall_db_v2
+
+LOG = logging.getLogger(__name__)
+
+
+def setup_conf():
+    cli_opts = [
+        cfg.StrOpt('neutron-db-connection',
+                   required=True,
+                   help=_('neutron database connection string')),
+    ]
+    conf = cfg.CONF
+    conf.register_cli_opts(cli_opts)
+    conf()
+
+
+def migrate_fwaas_v1_to_v2(db_session):
+    # the entire migration process will be done under the same transaction to
+    # allow full rollback in case of error
+    with db_session.begin(subtransactions=True):
+        # Read all V1 policies
+        v1_policies = db_session.query(firewall_db_v1.FirewallPolicy)
+
+        for v1_pol in v1_policies:
+            LOG.info("Migrating FWaaS V1 policy %s", v1_pol.id)
+            # read the rules of this policy
+            v1_rules = db_session.query(firewall_db_v1.FirewallRule).filter_by(
+                firewall_policy_id=v1_pol.id).all()
+            # Create the V2 policy
+            v2_pol = firewall_db_v2.FirewallPolicy(
+                id=v1_pol.id,
+                tenant_id=v1_pol.tenant_id,
+                name=v1_pol.name,
+                description=v1_pol.description,
+                shared=v1_pol.shared,
+                audited=v1_pol.audited,
+                rule_count=len(v1_rules))
+            db_session.add(v2_pol)
+
+            # Add the rules and associate them with the policy
+            for v1_rule in v1_rules:
+                LOG.info("Migrating FWaaS V1 rule %s", v1_rule.id)
+                v2_rule = firewall_db_v2.FirewallRuleV2(
+                    id=v1_rule.id,
+                    name=v1_rule.name,
+                    description=v1_rule.description,
+                    tenant_id=v1_rule.tenant_id,
+                    shared=v1_rule.shared,
+                    protocol=v1_rule.protocol,
+                    ip_version=v1_rule.ip_version,
+                    source_ip_address=v1_rule.source_ip_address,
+                    destination_ip_address=v1_rule.destination_ip_address,
+                    source_port_range_min=v1_rule.source_port_range_min,
+                    source_port_range_max=v1_rule.source_port_range_max,
+                    destination_port_range_min=(
+                        v1_rule.destination_port_range_min),
+                    destination_port_range_max=(
+                        v1_rule.destination_port_range_max),
+                    action=v1_rule.action,
+                    enabled=v1_rule.enabled)
+                db_session.add(v2_rule)
+                v2_link = firewall_db_v2.FirewallPolicyRuleAssociation(
+                    firewall_policy_id=v1_pol.id,
+                    firewall_rule_id=v1_rule.id,
+                    position=v1_rule.position)
+                db_session.add(v2_link)
+
+        # Read all V1 firewalls
+        v1_fws = db_session.query(firewall_db_v1.Firewall)
+        for v1_fw in v1_fws:
+            LOG.info("Migrating FWaaS V1 firewall %s", v1_fw.id)
+            # create the V2 firewall group
+            v2_fw_group = firewall_db_v2.FirewallGroup(
+                id=v1_fw.id,
+                name=v1_fw.name,
+                description=v1_fw.description,
+                tenant_id=v1_fw.tenant_id,
+                shared=v1_fw.shared,
+                admin_state_up=v1_fw.admin_state_up,
+                status=v1_fw.status,
+                ingress_firewall_policy_id=v1_fw.firewall_policy_id,
+                egress_firewall_policy_id=v1_fw.firewall_policy_id)
+            db_session.add(v2_fw_group)
+
+            # for every router in the V1 Firewall router association, add all
+            # its interface ports to the V2 FirewallGroupPortAssociation
+            v1_routers = db_session.query(
+                firewall_db_v1.FirewallRouterAssociation).filter_by(
+                fw_id=v1_fw.id)
+            for v1_router in v1_routers:
+                rtr_id = v1_router.router_id
+                LOG.info("Migrating FWaaS V1 %s router %s", v1_fw.id, rtr_id)
+                if_ports = db_session.query(models_v2.Port).filter_by(
+                    device_id=rtr_id,
+                    device_owner="network:router_interface")
+                for port in if_ports:
+                    fw_port = firewall_db_v2.FirewallGroupPortAssociation(
+                        firewall_group_id=v2_fw_group.id,
+                        port_id=port.id)
+                    db_session.add(fw_port)
+
+
+def main():
+    # Initialize the cli options
+    setup_conf()
+    config.setup_logging()
+
+    # Get the neutron DB session
+    neutron_context_manager = enginefacade.transaction_context()
+    neutron_context_manager.configure(
+        connection=cfg.CONF.neutron_db_connection)
+    n_session_maker = neutron_context_manager.writer.get_sessionmaker()
+    n_session = n_session_maker(autocommit=True)
+
+    # Run DB migration
+    migrate_fwaas_v1_to_v2(n_session)
+    LOG.info("DB migration done.")
--- a/releasenotes/notes/remove_fwaas_v1-15c6e19484f46d1b.yaml
+++ b/releasenotes/notes/remove_fwaas_v1-15c6e19484f46d1b.yaml
@ -4,4 +4,5 @@ prelude: >
    has been available since the Newton release.
 upgrade:
  - The FWaaS V1 source code will not be available in neutron-fwaas repo from
-    Stein. FWaaS team will provide a migration script to upgrade.
+    Stein.
+    neutron-fwaas-migrate-v1-to-v2 can be used for migrating V1 object to V2 model.
--- a/setup.cfg
+++ b/setup.cfg
@ -60,6 +60,8 @@ neutron.agent.l3.firewall_drivers =
    netlink_conntrack = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.netlink_conntrack:ConntrackNetlink
 neutron.services.logapi.drivers =
    fwaas_v2_log = neutron_fwaas.services.logapi.agents.drivers.iptables.log:IptablesLoggingDriver
+console_scripts =
+    neutron-fwaas-migrate-v1-to-v2 = neutron_fwaas.cmd.v1_to_v2_db_migration:main

 [extract_messages]
 keywords = _ gettext ngettext l_ lazy_gettext