From 1da737512028329b34480713e5ce66c561406258 Mon Sep 17 00:00:00 2001 From: Mark McClain Date: Wed, 7 Oct 2015 15:03:38 -0400 Subject: [PATCH] disable port_security for VRRP ports For tenant networks port_security makes sense, but for the VRRP router case it can get in the way. This change disables it for Akanda managed ports for now. Change-Id: I0fb9fd5253ad0538a35b25d8806323f83cfc48e4 Closes-bug: #1482389 --- akanda/rug/api/neutron.py | 4 ++ .../rug/test/unit/api/test_neutron_wrapper.py | 55 ++++++++++++++++++- etc/rug.ini | 1 + 3 files changed, 59 insertions(+), 1 deletion(-) diff --git a/akanda/rug/api/neutron.py b/akanda/rug/api/neutron.py index 231e1df3..4e8792bb 100644 --- a/akanda/rug/api/neutron.py +++ b/akanda/rug/api/neutron.py @@ -49,6 +49,7 @@ neutron_opts = [ cfg.IntOpt('akanda_mgt_service_port', default=5000), cfg.StrOpt('default_instance_flavor', default=1), cfg.StrOpt('interface_driver'), + cfg.BoolOpt('neutron_port_security_extension_enabled', default=True), ] CONF.register_opts(neutron_opts) @@ -662,6 +663,9 @@ class Neutron(object): if label in ['VRRP', 'LB']: port_dict['fixed_ips'] = [] + # disable port_securty on VRRP + if self.conf.neutron_port_security_extension_enabled: + port_dict['port_security_enabled'] = False response = self.api_client.create_port(dict(port=port_dict)) port_data = response.get('port') diff --git a/akanda/rug/test/unit/api/test_neutron_wrapper.py b/akanda/rug/test/unit/api/test_neutron_wrapper.py index 82bb7f30..361e109e 100644 --- a/akanda/rug/test/unit/api/test_neutron_wrapper.py +++ b/akanda/rug/test/unit/api/test_neutron_wrapper.py @@ -245,7 +245,6 @@ class FakeConf: class TestNeutronWrapper(base.RugTestBase): - @mock.patch('akanda.rug.api.neutron.cfg') @mock.patch('akanda.rug.api.neutron.AkandaExtClientWrapper') @mock.patch('akanda.rug.api.neutron.importutils') 
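Review bot: The new `neutron_port_security_extension_enabled` entry in `neutron_opts` has no `help=` text, and its name reads as a fact about the Neutron deployment rather than what it does. Its visible effect, in the second hunk of this file, is that ports are created with `port_security_enabled` set to False. Because the default is True, operators get that behaviour without opting in. I would add something like `help='When True, router VRRP ports are created with port_security_enabled=False; presumably set to False when the Neutron port-security extension is not loaded'`. The new line in `etc/rug.ini` has the same gap and should carry the same explanation as a `#` comment above it.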
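Review bot: The added comment `# disable port_securty on VRRP` (typo for `port_security`) undersells what the new lines do. Setting `port_security_enabled` to False removes Neutron's anti-spoofing filtering and security-group enforcement from the port, and the nearest visible condition is `if label in ['VRRP', 'LB']`, so LB ports may be covered as well. Indentation is lost on this page, so I cannot tell whether the new check is nested under that `if` or applies to every port this method creates; the method also starts and ends outside the hunk. The comment should state scope and reason, e.g. `# Port security gets in the way of VRRP on Akanda-managed ports; turn it off when the extension is available`. Since the commit message says "for now", it is also worth recording whether `allowed_address_pairs` for the shared address would be enough instead of switching filtering off entirely.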
@@ -275,6 +274,60 @@ class TestNeutronWrapper(base.RugTestBase): neutron_wrapper = neutron.Neutron(conf) neutron_wrapper.update_router_status('router-id', 'new-status') + @mock.patch('akanda.rug.api.neutron.AkandaExtClientWrapper') + def _test_create_vrrp_port_success_hlpr(self, ext_enabled, client_wrapper): + conf = mock.Mock() + conf.neutron_port_security_extension_enabled = ext_enabled + + expected_port_data = { + 'port': { + 'name': 'AKANDA:VRRP:obj_id', + 'admin_state_up': True, + 'network_id': 'the_net_id', + 'fixed_ips': [], + 'security_groups': [] + } + } + + if ext_enabled: + expected_port_data['port']['port_security_enabled'] = False + + neutron_wrapper = neutron.Neutron(conf) + api_client = neutron_wrapper.api_client + with mock.patch.object(api_client, 'create_port') as create_port: + with mock.patch.object(neutron.Port, 'from_dict') as port_from_d: + retval = neutron_wrapper.create_vrrp_port( + 'obj_id', + 'the_net_id' + ) + + self.assertIs(retval, port_from_d.return_value) + port_from_d.assert_called_once_with( + create_port.return_value.get() + ) + create_port.assert_called_once_with( + expected_port_data + ) + + def test_create_vrrp_port_success(self): + self._test_create_vrrp_port_success_hlpr(True) + + def test_create_vrrp_port_success_port_security_disabled(self): + self._test_create_vrrp_port_success_hlpr(False) + + @mock.patch('akanda.rug.api.neutron.AkandaExtClientWrapper') + def test_create_vrrp_port_error(self, client_wrapper): + neutron_wrapper = neutron.Neutron(mock.Mock()) + api_client = neutron_wrapper.api_client + with mock.patch.object(api_client, 'create_port') as create_port: + create_port.return_value.get.return_value = None + self.assertRaises( + ValueError, + neutron_wrapper.create_vrrp_port, + 'obj_id', + 'the_net_id' + ) + class TestExternalPort(base.RugTestBase): diff --git a/etc/rug.ini b/etc/rug.ini index c651afc9..454b8a51 100644 --- a/etc/rug.ini +++ b/etc/rug.ini 
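Review bot: Both success tests call `create_vrrp_port('obj_id', 'the_net_id')` with the default label only, so nothing pins which labels get `port_security_enabled` set to False. A case with a label outside `['VRRP', 'LB']`, if the method accepts one (its signature is not in this diff), would guard against the setting later spreading to other ports unnoticed. Separately, `port_from_d.assert_called_once_with(create_port.return_value.get())` passes whatever key the code looks up, because a mock's `get` returns the same value for any arguments. Adding `create_port.return_value.get.assert_called_once_with('port')` would check the key as well.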
@@ -31,6 +31,7 @@ rabbit_host = 192.168.57.200 provider_rules_path=/opt/stack/akanda-rug/etc/provider_rules.json control_exchange = quantum +neutron_port_security_extension_enabled = True [AGENT] root_helper=sudo