Networking v2: Port Fixes #510
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit fixes the way security groups are handled during port creation and updating. If no SecurityGroups are specified during Create, then `security_groups` is not passed in the request body. The default behavior for this is to have the default security group applied to the port. If a pointer to an empty string slice is passed, then the port is created with no security groups applied. If no SecurityGroups are specified during Update, then no modification is done to the port's security groups. If a pointer to an empty string slice is passed, then all security groups are removed.
This commit fixes the way Allowed Address Pairs are handled during port updating. If no AllowedAddressPairs are specified during update, then `allowed_address_pairs` is not passed in the request body. Existing address pairs on the port will remain untouched. If a pointer to an empty string slice is passed, then the address pairs are removed from the port.
This was referenced Aug 31, 2017
|
@jrperritt Ping for review. The unit test clutter makes this one a little awkward to review. The cleanup I did in #445 would have helped, but I'd like to make this one a priority since this is more of a bug. |
jrperritt
reviewed
Aug 31, 2017
| FixedIPs interface{} `json:"fixed_ips,omitempty"` | ||
| DeviceID string `json:"device_id,omitempty"` | ||
| DeviceOwner string `json:"device_owner,omitempty"` | ||
| SecurityGroups *[]string `json:"security_groups,omitempty"` |
There was a problem hiding this comment.
👍 exactly the way to fix this
| @@ -81,7 +81,7 @@ type CreateOpts struct { | |||
| DeviceID string `json:"device_id,omitempty"` | |||
| DeviceOwner string `json:"device_owner,omitempty"` | |||
| TenantID string `json:"tenant_id,omitempty"` | |||
| SecurityGroups []string `json:"security_groups,omitempty"` | |||
| SecurityGroups *[]string `json:"security_groups,omitempty"` | |||
There was a problem hiding this comment.
The previous PR only modified the updating of security groups, but while researching this I found that security groups are handled the same way during create. I included it in here hoping to get all port SG/AAP quirks done and over with. If this is too much of a change for a single PR, I can submit this one in a separate one.
The PR description and commit message lay out the details. As for the code to prove this, the same functions are called both on the client and server side to trigger this behavior. You can see that port creation supports this behavior on the client-side here.
I've included unit tests to mimic the create behavior. The acceptance tests were updated as well and my test environment behaves accordingly, though I only added a "warning" instead of a failure because I have heard of some clouds that modify this behavior (to account for the odd case that someone runs the acceptance test in one of these clouds).
There was a problem hiding this comment.
One more note: what might make this ultra-confusing is that the client CreatePort inherits from the UpdatePortSecGroupMixin
|
@jtopjian As a side note, if the commits for a PR are organized (like all yours seem to be), I have recently been (and plan to continue) just merging (instead of squashing and creating a new commit), with the assumption that should help with the hierarchy of "pending" PRs |
|
I like to tell a story with my commits :P Thanks for the quick review and merge! |
dims
added a commit
to dims/kubernetes
that referenced
this pull request
Sep 2, 2017
Fix for cloud routes enabled instances will have their security groups removed when the allowed address pair is added to the instance's port. Upstream bug report is in: gophercloud/gophercloud#509 Upstream bug fix is in: gophercloud/gophercloud#510
k8s-github-robot
pushed a commit
to kubernetes/kubernetes
that referenced
this pull request
Sep 6, 2017
Automatic merge from submit-queue (batch tested with PRs 51984, 51351, 51873, 51795, 51634) Bug Fix - Adding an allowed address pair wipes port security groups **What this PR does / why we need it**: Fix for cloud routes enabled instances will have their security groups removed when the allowed address pair is added to the instance's port. Upstream bug report is in: gophercloud/gophercloud#509 Upstream bug fix is in: gophercloud/gophercloud#510 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # Fixes #51755 **Special notes for your reviewer**: Just an fix in vendored code. minimal changes needed in OpenStack cloud provider **Release note**: ```release-note NONE ```
dims
pushed a commit
to dims/openstack-cloud-controller-manager
that referenced
this pull request
Sep 6, 2017
Automatic merge from submit-queue (batch tested with PRs 51984, 51351, 51873, 51795, 51634) Bug Fix - Adding an allowed address pair wipes port security groups **What this PR does / why we need it**: Fix for cloud routes enabled instances will have their security groups removed when the allowed address pair is added to the instance's port. Upstream bug report is in: gophercloud/gophercloud#509 Upstream bug fix is in: gophercloud/gophercloud#510 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # Fixes #51755 **Special notes for your reviewer**: Just an fix in vendored code. minimal changes needed in OpenStack cloud provider **Release note**: ```release-note NONE ```
dims
pushed a commit
to dims/openstack-cloud-controller-manager
that referenced
this pull request
Jan 13, 2018
Automatic merge from submit-queue (batch tested with PRs 51984, 51351, 51873, 51795, 51634) Bug Fix - Adding an allowed address pair wipes port security groups **What this PR does / why we need it**: Fix for cloud routes enabled instances will have their security groups removed when the allowed address pair is added to the instance's port. Upstream bug report is in: gophercloud/gophercloud#509 Upstream bug fix is in: gophercloud/gophercloud#510 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # Fixes #51755 **Special notes for your reviewer**: Just an fix in vendored code. minimal changes needed in OpenStack cloud provider **Release note**: ```release-note NONE ```
tamalsaha
pushed a commit
to kmodules/shared-informer
that referenced
this pull request
Aug 13, 2020
Automatic merge from submit-queue (batch tested with PRs 51984, 51351, 51873, 51795, 51634) Bug Fix - Adding an allowed address pair wipes port security groups **What this PR does / why we need it**: Fix for cloud routes enabled instances will have their security groups removed when the allowed address pair is added to the instance's port. Upstream bug report is in: gophercloud/gophercloud#509 Upstream bug fix is in: gophercloud/gophercloud#510 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # Fixes #51755 **Special notes for your reviewer**: Just an fix in vendored code. minimal changes needed in OpenStack cloud provider **Release note**: ```release-note NONE ``` Kubernetes-commit: 9a8cb435b77085fa7d518c4428a02eae316b1003
tamalsaha
pushed a commit
to gomodules/jsonpath
that referenced
this pull request
Apr 21, 2021
Automatic merge from submit-queue (batch tested with PRs 51984, 51351, 51873, 51795, 51634) Bug Fix - Adding an allowed address pair wipes port security groups **What this PR does / why we need it**: Fix for cloud routes enabled instances will have their security groups removed when the allowed address pair is added to the instance's port. Upstream bug report is in: gophercloud/gophercloud#509 Upstream bug fix is in: gophercloud/gophercloud#510 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # Fixes #51755 **Special notes for your reviewer**: Just an fix in vendored code. minimal changes needed in OpenStack cloud provider **Release note**: ```release-note NONE ``` Kubernetes-commit: 9a8cb435b77085fa7d518c4428a02eae316b1003
tamalsaha
pushed a commit
to gomodules/jsonpath
that referenced
this pull request
Apr 21, 2021
Automatic merge from submit-queue (batch tested with PRs 51984, 51351, 51873, 51795, 51634) Bug Fix - Adding an allowed address pair wipes port security groups **What this PR does / why we need it**: Fix for cloud routes enabled instances will have their security groups removed when the allowed address pair is added to the instance's port. Upstream bug report is in: gophercloud/gophercloud#509 Upstream bug fix is in: gophercloud/gophercloud#510 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # Fixes #51755 **Special notes for your reviewer**: Just an fix in vendored code. minimal changes needed in OpenStack cloud provider **Release note**: ```release-note NONE ``` Kubernetes-commit: 9a8cb435b77085fa7d518c4428a02eae316b1003
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Port
SecurityGroupsandAllowedAddressPairshave a tertiary type of behavior.During creation, if
security_groupsis omitted from the request body, then Neutron will apply the default security group. If an empty array is passed, no security groups will be applied to the port. If an array of security groups is passed, those security groups will be applied to the port.For update, if
security_groupsis omitted from the request body, existing security groups on the port are unchanged. If an empty array is passed, all security groups are removed. If an array of security groups is passed, then the port will have those groups applied.allowed_address_pairshas the same behavior, but only for updates.For #509
Amends #236
#236 has the appropriate links to the API code, but the client code is easier to understand for this one:
https://github.com/openstack/python-neutronclient/blob/bc56657633cb7b3938e8a3fedb70dd050e68805c/neutronclient/neutron/v2_0/port.py#L142-L147
https://github.com/openstack/python-neutronclient/blob/bc56657633cb7b3938e8a3fedb70dd050e68805c/neutronclient/neutron/v2_0/port.py#L215-L219
@jrperritt I can split this into 2 PRs, but 99% of this PR is tests. The actual change is quite small (though significant).