xenapi: enforce filters after live-migration

Currently and network filters, including security groups, are
lost after a server has been live-migrated.

This partially fixes the issue by ensuring that security groups are
re-applied to the VM once it reached the destination, and been started.

This leaves a small amount of time during the live-migrate where the VM
is not protected. There is a further bug raised to close the rest of
this whole, but this helps keep the VM protected for the majority of the
time.

Fixes bug 1202266

(Cherry picked from commit: 5cced7a)

Change-Id: I66bc7af1c6da74e18dce47180af0cb6020ba2c1a

nova/tests/test_xenapi.py

@@ -2723,7 +2723,27 @@ def test_post_live_migration_at_destination(self):
         # ensure method is present
         stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
         self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False)
-        self.conn.post_live_migration_at_destination(None, None, None, None)
+
+        fake_instance = "instance"
+        fake_network_info = "network_info"
+
+        def fake_fw(instance, network_info):
+            self.assertEquals(instance, fake_instance)
+            self.assertEquals(network_info, fake_network_info)
+            fake_fw.called += 1
+
+        fake_fw.called = 0
+        _vmops = self.conn._vmops
+        self.stubs.Set(_vmops.firewall_driver,
+                       'setup_basic_filtering', fake_fw)
+        self.stubs.Set(_vmops.firewall_driver,
+                       'prepare_instance_filter', fake_fw)
+        self.stubs.Set(_vmops.firewall_driver,
+                       'apply_instance_filter', fake_fw)
+
+        self.conn.post_live_migration_at_destination(None, fake_instance,
+                                                     fake_network_info, None)
+        self.assertEqual(fake_fw.called, 3)
 
     def test_check_can_live_migrate_destination_with_block_migration(self):
         stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)

nova/virt/xenapi/driver.py

@@ -1,4 +1,3 @@
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
 
 # Copyright (c) 2010 Citrix Systems, Inc.
 # Copyright 2010 OpenStack Foundation
@@ -514,7 +513,8 @@ def post_live_migration_at_destination(self, ctxt, instance_ref,
         :params : block_migration: if true, post operation of block_migraiton.
         """
         # TODO(JohnGarbutt) look at moving/downloading ramdisk and kernel
-        pass
+        self._vmops.post_live_migration_at_destination(ctxt, instance_ref,
+                network_info, block_device_info, block_device_info)
 
     def unfilter_instance(self, instance_ref, network_info):
         """Removes security groups configured for an instance."""

nova/virt/xenapi/vmops.py

@@ -1737,6 +1737,24 @@ def live_migrate(self, context, instance, destination_hostname,
                 recover_method(context, instance, destination_hostname,
                                block_migration)
 
+    def post_live_migration_at_destination(self, context, instance,
+                                           network_info, block_migration,
+                                           block_device_info):
+        # FIXME(johngarbutt): we should block all traffic until we have
+        # applied security groups, however this requires changes to XenServer
+        try:
+            self.firewall_driver.setup_basic_filtering(
+                    instance, network_info)
+        except NotImplementedError:
+            # NOTE(salvatore-orlando): setup_basic_filtering might be
+            # empty or not implemented at all, as basic filter could
+            # be implemented with VIF rules created by xapi plugin
+            pass
+
+        self.firewall_driver.prepare_instance_filter(instance,
+                                                     network_info)
+        self.firewall_driver.apply_instance_filter(instance, network_info)
+
     def get_per_instance_usage(self):
         """Get usage info about each active instance."""
         usage = {}