Adapted default security group to work for Kilo.

Kilo forbids additional security groups to be created with the name Default. Now we use vpc ID for names of VPC default security groups in OpenStack but they are converted into EC2 compatible "default" when reported back to EC2 API client. Change-Id: I9b1cc8551f3e6d55fab9132934f59bb1bd16a006
2015-02-09 17:18:29 +04:00 · 2015-02-09 17:18:29 +04:00 · c116351a17
parent e4f264e6af
commit c116351a17
5 changed files with 19 additions and 9 deletions
--- a/ec2api/api/instance.py
+++ b/ec2api/api/instance.py
@ -1056,7 +1056,7 @@ class InstanceEngineNeutron(object):
        default_groups = security_group_api.describe_security_groups(
            context,
            filter=[{'name': 'vpc-id', 'value': [vpc_id]},
-                    {'name': 'group-name', 'value': ['Default']}]
+                    {'name': 'group-name', 'value': ['default']}]
            )['securityGroupInfo']
        security_groups = [ec2utils.get_db_item(context, 'sg',
                                                default_group['groupId'])
--- a/ec2api/api/network_interface.py
+++ b/ec2api/api/network_interface.py
@ -98,7 +98,7 @@ def create_network_interface(context, subnet_id,
        default_groups = security_group_api.describe_security_groups(
            context,
            filter=[{'name': 'vpc-id', 'value': [vpc_id]},
-                    {'name': 'group-name', 'value': ['Default']}]
+                    {'name': 'group-name', 'value': ['default']}]
            )['securityGroupInfo']
        security_group_id = [default_group['groupId']
                             for default_group in default_groups]
--- a/ec2api/api/security_group.py
+++ b/ec2api/api/security_group.py
@ -61,6 +61,8 @@ def create_security_group(context, group_name, group_description,
    nova = clients.nova(context)
    with common.OnCrashCleaner() as cleaner:
        try:
+            # TODO(Alex): Shouldn't allow creation of groups with existing
+            # name if in the same VPC or in EC2-Classic.
            os_security_group = nova.security_groups.create(group_name,
                                                            group_description)
        except nova_exception.OverLimit:
@ -80,8 +82,8 @@ def create_security_group(context, group_name, group_description,

 def _create_default_security_group(context, vpc):
    # NOTE(Alex): OpenStack doesn't allow creation of another group
-    # named 'default' hence 'Default' is used.
-    return create_security_group(context, 'Default',
+    # named 'default' hence vpc-id is used.
+    return create_security_group(context, vpc['id'],
                                 'Default VPC security group', vpc['id'])


@ -104,13 +106,19 @@ class SecurityGroupDescriber(common.TaggableItemsDescriber):
        self.all_db_items = None

    def format(self, item=None, os_item=None):
-        if self.all_db_items is None:
-            self.all_db_items = ec2utils.get_db_items(self.context, 'sg', None)
        return _format_security_group(item, os_item,
                                      self.all_db_items, self.os_items)

    def get_os_items(self):
-        return security_group_engine.get_os_groups(self.context)
+        if self.all_db_items == None:
+            self.all_db_items = ec2utils.get_db_items(self.context, 'sg', None)
+            self.os_ids_in_db = set(g['os_id'] for g in self.all_db_items)
+        os_groups = security_group_engine.get_os_groups(self.context)
+        for os_group in os_groups:
+            if (os_group['name'].startswith('vpc-') and
+                    os_group['id'] in self.os_ids_in_db):
+                os_group['name'] = 'default'
+        return os_groups


 def describe_security_groups(context, group_name=None, group_id=None,
--- a/ec2api/api/vpc.py
+++ b/ec2api/api/vpc.py
@ -89,6 +89,8 @@ def delete_vpc(context, vpc_id):
        cleaner.addCleanup(db_api.restore_item, context, 'vpc', vpc)
        route_table_api._delete_route_table(context, vpc['route_table_id'],
                                            cleaner=cleaner)
+        # TODO(Alex): Check that only the default security group is left
+        # in this VPC, otherwise DependencyViolation.
        security_groups = security_group_api.describe_security_groups(
            context,
            filter=[{'name': 'vpc-id',
--- a/ec2api/tests/unit/test_instance.py
+++ b/ec2api/tests/unit/test_instance.py
@ -340,7 +340,7 @@ class InstanceTestCase(base.ApiTestCase):
                 'MinCount': '1', 'MaxCount': '1',
                 'KernelId': fakes.ID_EC2_IMAGE_AKI_1,
                 'RamdiskId': fakes.ID_EC2_IMAGE_ARI_1,
-                 'SecurityGroup.1': 'Default',
+                 'SecurityGroup.1': 'default',
                 'Placement.AvailabilityZone': 'fake_zone',
                 'ClientToken': 'fake_client_token',
                 'BlockDeviceMapping.1.DeviceName': '/dev/vdd',
@ -354,7 +354,7 @@ class InstanceTestCase(base.ApiTestCase):
                userdata=None, kernel_id=fakes.ID_OS_IMAGE_AKI_1,
                ramdisk_id=fakes.ID_OS_IMAGE_ARI_1, key_name=None,
                block_device_mapping='fake_bdm',
-                availability_zone='fake_zone', security_groups=['Default'],
+                availability_zone='fake_zone', security_groups=['default'],
                **extra_kwargs)
            self.nova_servers.reset_mock()
            db_instance = {'os_id': mock.ANY,