Merge "Avoid setting up DHCP firewall rules with FlatManager"

openstack · May 14, 2012 · b3e2bae · b3e2bae
2 parents 0e09b33 + 763a367
commit b3e2bae
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 14 deletions.
diff --git a/nova/compute/utils.py b/nova/compute/utils.py
@@ -186,7 +186,7 @@ def convert_routes(routes):
                                         False)
         should_create_vlan = get_meta(network, 'should_create_vlan', False)
         gateway = get_ip(subnet_v4['gateway'])
-        dhcp_server = get_meta(subnet_v4, 'dhcp_server', gateway)
+        dhcp_server = get_meta(subnet_v4, 'dhcp_server')
         network_dict = dict(bridge=network['bridge'],
                             id=network['id'],
                             cidr=subnet_v4['cidr'],

diff --git a/nova/tests/network/test_manager.py b/nova/tests/network/test_manager.py
@@ -166,7 +166,7 @@ def test_get_instance_nw_info(self):
             self.assertDictMatch(nw, check)
 
             check = {'broadcast': '192.168.%d.255' % nid,
-                     'dhcp_server': '192.168.%d.1' % nid,
+                     'dhcp_server': None,
                      'dns': ['192.168.%d.3' % nid, '192.168.%d.4' % nid],
                      'gateway': '192.168.%d.1' % nid,
                      'gateway_v6': 'fe80::def',

diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
@@ -956,8 +956,6 @@ def test_multi_nic(self):
         self.assertEquals(interfaces[0].get('type'), 'bridge')
         self.assertEquals(parameters[0].get('name'), 'IP')
         self.assertTrue(_ipv4_like(parameters[0].get('value'), '192.168'))
-        self.assertEquals(parameters[1].get('name'), 'DHCPSERVER')
-        self.assertTrue(_ipv4_like(parameters[1].get('value'), '192.168.*.1'))
 
     def _check_xml_and_container(self, instance):
         user_context = context.RequestContext(self.user_id,
@@ -1158,9 +1156,6 @@ def _check_xml_and_uri(self, instance, expect_ramdisk, expect_kernel,
             (lambda t: t.find(parameter).get('name'), 'IP'),
             (lambda t: _ipv4_like(t.find(parameter).get('value'), '192.168'),
              True),
-            (lambda t: t.findall(parameter)[1].get('name'), 'DHCPSERVER'),
-            (lambda t: _ipv4_like(t.findall(parameter)[1].get('value'),
-                                  '192.168.*.1'), True),
             (lambda t: t.find('./memory').text, '2097152')]
         if rescue:
             common_checks += [
@@ -2180,12 +2175,14 @@ def _filterDefineXMLMock(xml):
         inst_id = instance_ref['id']
         inst_uuid = instance_ref['uuid']
 
-        def _ensure_all_called(mac):
+        def _ensure_all_called(mac, allow_dhcp):
             instance_filter = 'nova-instance-%s-%s' % (instance_ref['name'],
                                                    mac.translate(None, ':'))
-            for required in ['allow-dhcp-server',
-                             'no-arp-spoofing', 'no-ip-spoofing',
-                             'no-mac-spoofing']:
+            requiredlist = ['no-arp-spoofing', 'no-ip-spoofing',
+                             'no-mac-spoofing']
+            if allow_dhcp:
+                requiredlist.append('allow-dhcp-server')
+            for required in requiredlist:
                 self.assertTrue(required in
                                 self.recursive_depends[instance_filter],
                                 "Instance's filter does not include %s" %
@@ -2204,7 +2201,12 @@ def _ensure_all_called(mac):
         mac = network_info[0][1]['mac']
 
         self.fw.setup_basic_filtering(instance, network_info)
-        _ensure_all_called(mac)
+        allow_dhcp = False
+        for (network, mapping) in network_info:
+            if mapping['dhcp_server']:
+                allow_dhcp = True
+                break
+        _ensure_all_called(mac, allow_dhcp)
         db.instance_remove_security_group(self.context, inst_uuid,
                                           self.security_group.id)
         self.teardown_security_group()

diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
@@ -101,10 +101,17 @@ def setup_basic_filtering(self, instance, network_info):
         LOG.info(_('Ensuring static filters'), instance=instance)
         self._ensure_static_filters()
 
+        allow_dhcp = False
+        for (network, mapping) in network_info:
+            if mapping['dhcp_server']:
+                allow_dhcp = True
+                break
         if instance['image_ref'] == str(FLAGS.vpn_image_id):
             base_filter = 'nova-vpn'
-        else:
+        elif allow_dhcp:
             base_filter = 'nova-base'
+        else:
+            base_filter = 'nova-nodhcp'
 
         for (network, mapping) in network_info:
             nic_id = mapping['mac'].replace(':', '')
@@ -128,6 +135,10 @@ def _ensure_static_filters(self):
                                                     'no-ip-spoofing',
                                                     'no-arp-spoofing',
                                                     'allow-dhcp-server']))
+        self._define_filter(self._filter_container('nova-nodhcp',
+                                                   ['no-mac-spoofing',
+                                                    'no-ip-spoofing',
+                                                    'no-arp-spoofing']))
         self._define_filter(self._filter_container('nova-vpn',
                                                    ['allow-dhcp-server']))
         self._define_filter(self.nova_dhcp_filter)

diff --git a/nova/virt/libvirt/vif.py b/nova/virt/libvirt/vif.py
@@ -64,7 +64,8 @@ def _get_configurations(self, instance, network, mapping):
 
         conf.filtername = "nova-instance-" + instance['name'] + "-" + mac_id
         conf.add_filter_param("IP", mapping['ips'][0]['ip'])
-        conf.add_filter_param("DHCPSERVER", mapping['dhcp_server'])
+        if mapping['dhcp_server']:
+            conf.add_filter_param("DHCPSERVER", mapping['dhcp_server'])
 
         if FLAGS.use_ipv6:
             conf.add_filter_param("RASERVER",