disable port_security for VRRP ports
For tenant networks port_security makes sense, but for the VRRP router case it can get in the way. This change disables it for Akanda managed ports for now. Change-Id: I0fb9fd5253ad0538a35b25d8806323f83cfc48e4 Closes-bug: #1482389
parent
68150f681f
commit
1da7375120
|
@ -49,6 +49,7 @@ neutron_opts = [
|
|||
cfg.IntOpt('akanda_mgt_service_port', default=5000),
|
||||
cfg.StrOpt('default_instance_flavor', default=1),
|
||||
cfg.StrOpt('interface_driver'),
|
||||
cfg.BoolOpt('neutron_port_security_extension_enabled', default=True),
|
||||
|
||||
]
|
||||
CONF.register_opts(neutron_opts)
|
||||
|
@ -662,6 +663,9 @@ class Neutron(object):
|
|||
|
||||
if label in ['VRRP', 'LB']:
|
||||
port_dict['fixed_ips'] = []
|
||||
# disable port_securty on VRRP
|
||||
if self.conf.neutron_port_security_extension_enabled:
|
||||
port_dict['port_security_enabled'] = False
|
||||
|
||||
response = self.api_client.create_port(dict(port=port_dict))
|
||||
port_data = response.get('port')
|
||||
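Review bot: The `port_dict['port_security_enabled'] = False` assignment is nested under `if label in ['VRRP', 'LB']:`, so it switches port security off for LB ports as well, while the comment above it (which also misspells `port_securty`) and the commit title mention VRRP only. Turning the attribute off removes Neutron's MAC/IP anti-spoofing filtering and security-group enforcement for the port, so the scope deserves to be explicit; I would change the comment to `# disable port_security on VRRP and LB ports; this drops Neutron anti-spoofing for them` or, if LB was not intended, guard with `if label == 'VRRP' and self.conf.neutron_port_security_extension_enabled:`. Because the description says this is "for now", a `# TODO` naming `allowed_address_pairs` as the narrower alternative would record the intent. The enclosing method begins before and continues after this hunk, so how `label` is chosen is not visible here.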
|
|
|
@ -245,7 +245,6 @@ class FakeConf:
|
|||
|
||||
|
||||
class TestNeutronWrapper(base.RugTestBase):
|
||||
|
||||
@mock.patch('akanda.rug.api.neutron.cfg')
|
||||
@mock.patch('akanda.rug.api.neutron.AkandaExtClientWrapper')
|
||||
@mock.patch('akanda.rug.api.neutron.importutils')
|
||||
|
@ -275,6 +274,60 @@ class TestNeutronWrapper(base.RugTestBase):
|
|||
neutron_wrapper = neutron.Neutron(conf)
|
||||
neutron_wrapper.update_router_status('router-id', 'new-status')
|
||||
|
||||
@mock.patch('akanda.rug.api.neutron.AkandaExtClientWrapper')
|
||||
def _test_create_vrrp_port_success_hlpr(self, ext_enabled, client_wrapper):
|
||||
conf = mock.Mock()
|
||||
conf.neutron_port_security_extension_enabled = ext_enabled
|
||||
|
||||
expected_port_data = {
|
||||
'port': {
|
||||
'name': 'AKANDA:VRRP:obj_id',
|
||||
'admin_state_up': True,
|
||||
'network_id': 'the_net_id',
|
||||
'fixed_ips': [],
|
||||
'security_groups': []
|
||||
}
|
||||
}
|
||||
|
||||
if ext_enabled:
|
||||
expected_port_data['port']['port_security_enabled'] = False
|
||||
|
||||
neutron_wrapper = neutron.Neutron(conf)
|
||||
api_client = neutron_wrapper.api_client
|
||||
with mock.patch.object(api_client, 'create_port') as create_port:
|
||||
with mock.patch.object(neutron.Port, 'from_dict') as port_from_d:
|
||||
retval = neutron_wrapper.create_vrrp_port(
|
||||
'obj_id',
|
||||
'the_net_id'
|
||||
)
|
||||
|
||||
self.assertIs(retval, port_from_d.return_value)
|
||||
port_from_d.assert_called_once_with(
|
||||
create_port.return_value.get()
|
||||
)
|
||||
create_port.assert_called_once_with(
|
||||
expected_port_data
|
||||
)
|
||||
|
||||
def test_create_vrrp_port_success(self):
|
||||
self._test_create_vrrp_port_success_hlpr(True)
|
||||
|
||||
def test_create_vrrp_port_success_port_security_disabled(self):
|
||||
self._test_create_vrrp_port_success_hlpr(False)
|
||||
|
||||
@mock.patch('akanda.rug.api.neutron.AkandaExtClientWrapper')
|
||||
def test_create_vrrp_port_error(self, client_wrapper):
|
||||
neutron_wrapper = neutron.Neutron(mock.Mock())
|
||||
api_client = neutron_wrapper.api_client
|
||||
with mock.patch.object(api_client, 'create_port') as create_port:
|
||||
create_port.return_value.get.return_value = None
|
||||
self.assertRaises(
|
||||
ValueError,
|
||||
neutron_wrapper.create_vrrp_port,
|
||||
'obj_id',
|
||||
'the_net_id'
|
||||
)
|
||||
|
||||
|
||||
class TestExternalPort(base.RugTestBase):
|
||||
|
||||
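Review bot: In `_test_create_vrrp_port_success_hlpr`, the assertion `port_from_d.assert_called_once_with(create_port.return_value.get())` calls the mock's `get` again with no arguments, so it passes whatever key `create_vrrp_port` asked for and does not pin the `'port'` lookup. I would compare against the recorded return value and assert the key separately: `port_from_d.assert_called_once_with(create_port.return_value.get.return_value)` and `create_port.return_value.get.assert_called_once_with('port')`. A one-line docstring on the helper saying that `ext_enabled` drives `conf.neutron_port_security_extension_enabled`, and that `port_security_enabled` must be absent from the request when it is False, would also make the two callers self-explanatory.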
|
|
|
@ -31,6 +31,7 @@ rabbit_host = 192.168.57.200
|
|||
|
||||
provider_rules_path=/opt/stack/akanda-rug/etc/provider_rules.json
|
||||
control_exchange = quantum
|
||||
neutron_port_security_extension_enabled = True
|
||||
|
||||
[AGENT]
|
||||
root_helper=sudo
|
||||
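Review bot: `neutron_port_security_extension_enabled = True` is added without a comment, and the matching `cfg.BoolOpt` in this commit is registered without `help=` text, so an operator cannot tell from this file what the flag controls. I would add a comment line above it such as `# Set to False when Neutron's port security extension is not loaded; when True, VRRP/LB ports are created with port_security_enabled=False`. Presumably a Neutron without the extension rejects the extra attribute on port creation, which is worth confirming and stating here.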
|
|