diff options
author | Jenkins <jenkins@review.openstack.org> | 2014-11-14 00:16:22 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2014-11-14 00:16:22 +0000 |
commit | 981af74b16ed4f2785e01479025985fb6a0f8868 (patch) | |
tree | 32a72181c24ffe6ba096397aeff8494c71268c5f | |
parent | c0295bff212623ad7657fec8c497812bb5b48801 (diff) | |
parent | f9f694f95f5338d62f75ce54677dd165dc87a8d5 (diff) | |
download | neutron-981af74b16ed4f2785e01479025985fb6a0f8868.tar.gz |
Merge "Reduce security group db calls to neutron server" into stable/juno
-rw-r--r-- | neutron/agent/securitygroups_rpc.py | 41 | ||||
-rw-r--r-- | neutron/tests/unit/test_security_groups_rpc.py | 45 |
2 files changed, 74 insertions, 12 deletions
diff --git a/neutron/agent/securitygroups_rpc.py b/neutron/agent/securitygroups_rpc.py index 17b544502e..3da4d347f0 100644 --- a/neutron/agent/securitygroups_rpc.py +++ b/neutron/agent/securitygroups_rpc.py @@ -14,11 +14,14 @@ # under the License. # +import functools + from oslo.config import cfg from oslo import messaging +from neutron.agent import firewall from neutron.common import topics -from neutron.openstack.common.gettextutils import _LW +from neutron.openstack.common.gettextutils import _LI, _LW from neutron.openstack.common import importutils from neutron.openstack.common import log as logging @@ -74,9 +77,9 @@ def _disable_extension(extension, aliases): def disable_security_group_extension_by_config(aliases): if not is_firewall_enabled(): - LOG.info(_('Disabled security-group extension.')) + LOG.info(_LI('Disabled security-group extension.')) _disable_extension('security-group', aliases) - LOG.info(_('Disabled allowed-address-pairs extension.')) + LOG.info(_LI('Disabled allowed-address-pairs extension.')) _disable_extension('allowed-address-pairs', aliases) @@ -187,10 +190,23 @@ class SecurityGroupAgentRpcMixin(object): return False return True + def skip_if_noopfirewall_or_firewall_disabled(func): + @functools.wraps(func) + def decorated_function(self, *args, **kwargs): + if (isinstance(self.firewall, firewall.NoopFirewallDriver) or + not is_firewall_enabled()): + LOG.info(_LI("Skipping method %s as firewall is disabled " + "or configured as NoopFirewallDriver."), + func.__name__) + else: + return func(self, *args, **kwargs) + return decorated_function + + @skip_if_noopfirewall_or_firewall_disabled def prepare_devices_filter(self, device_ids): if not device_ids: return - LOG.info(_("Preparing filters for devices %s"), device_ids) + LOG.info(_LI("Preparing filters for devices %s"), device_ids) if self.use_enhanced_rpc: devices_info = self.plugin_rpc.security_group_info_for_devices( self.context, list(device_ids)) @@ -220,15 +236,15 @@ class SecurityGroupAgentRpcMixin(object): remote_sg_id, member_ips) def security_groups_rule_updated(self, security_groups): - LOG.info(_("Security group " - "rule updated %r"), security_groups) + LOG.info(_LI("Security group " + "rule updated %r"), security_groups) self._security_group_updated( security_groups, 'security_groups') def security_groups_member_updated(self, security_groups): - LOG.info(_("Security group " - "member updated %r"), security_groups) + LOG.info(_LI("Security group " + "member updated %r"), security_groups) self._security_group_updated( security_groups, 'security_group_source_groups') @@ -249,7 +265,7 @@ class SecurityGroupAgentRpcMixin(object): self.refresh_firewall(devices) def security_groups_provider_updated(self): - LOG.info(_("Provider rule updated")) + LOG.info(_LI("Provider rule updated")) if self.defer_refresh_firewall: # NOTE(salv-orlando): A 'global refresh' might not be # necessary if the subnet for which the provider rules @@ -261,7 +277,7 @@ class SecurityGroupAgentRpcMixin(object): def remove_devices_filter(self, device_ids): if not device_ids: return - LOG.info(_("Remove device filter for %r"), device_ids) + LOG.info(_LI("Remove device filter for %r"), device_ids) with self.firewall.defer_apply(): for device_id in device_ids: device = self.firewall.ports.get(device_id) @@ -269,12 +285,13 @@ class SecurityGroupAgentRpcMixin(object): continue self.firewall.remove_port_filter(device) + @skip_if_noopfirewall_or_firewall_disabled def refresh_firewall(self, device_ids=None): - LOG.info(_("Refresh firewall rules")) + LOG.info(_LI("Refresh firewall rules")) if not device_ids: device_ids = self.firewall.ports.keys() if not device_ids: - LOG.info(_("No ports here to refresh firewall")) + LOG.info(_LI("No ports here to refresh firewall")) return if self.use_enhanced_rpc: devices_info = self.plugin_rpc.security_group_info_for_devices( diff --git a/neutron/tests/unit/test_security_groups_rpc.py b/neutron/tests/unit/test_security_groups_rpc.py index 7f20c7d9ea..3acc378b1d 100644 --- a/neutron/tests/unit/test_security_groups_rpc.py +++ b/neutron/tests/unit/test_security_groups_rpc.py @@ -1021,6 +1021,7 @@ class BaseSecurityGroupAgentRpcTestCase(base.BaseTestCase): self.agent.root_helper = 'sudo' self.agent.plugin_rpc = mock.Mock() self.agent.init_firewall(defer_refresh_firewall=defer_refresh_firewall) + self.default_firewall = self.agent.firewall self.firewall = mock.Mock() firewall_object = firewall_base.FirewallDriver() self.firewall.defer_apply.side_effect = firewall_object.defer_apply @@ -1057,6 +1058,26 @@ class SecurityGroupAgentRpcTestCase(BaseSecurityGroupAgentRpcTestCase): self.fake_device), ]) + def test_prepare_devices_filter_with_noopfirewall(self): + self.agent.firewall = self.default_firewall + self.agent.plugin_rpc.security_group_info_for_devices = mock.Mock() + self.agent.plugin_rpc.security_group_rules_for_devices = mock.Mock() + self.agent.prepare_devices_filter(['fake_device']) + self.assertFalse(self.agent.plugin_rpc. + security_group_info_for_devices.called) + self.assertFalse(self.agent.plugin_rpc. + security_group_rules_for_devices.called) + + def test_prepare_devices_filter_with_firewall_disabled(self): + cfg.CONF.set_override('enable_security_group', False, 'SECURITYGROUP') + self.agent.plugin_rpc.security_group_info_for_devices = mock.Mock() + self.agent.plugin_rpc.security_group_rules_for_devices = mock.Mock() + self.agent.prepare_devices_filter(['fake_device']) + self.assertFalse(self.agent.plugin_rpc. + security_group_info_for_devices.called) + self.assertFalse(self.agent.plugin_rpc. + security_group_rules_for_devices.called) + def test_security_groups_rule_updated(self): self.agent.refresh_firewall = mock.Mock() self.agent.prepare_devices_filter(['fake_port_id']) @@ -1111,6 +1132,30 @@ class SecurityGroupAgentRpcTestCase(BaseSecurityGroupAgentRpcTestCase): self.agent.refresh_firewall([]) self.assertFalse(self.firewall.called) + def test_refresh_firewall_with_firewall_disabled(self): + cfg.CONF.set_override('enable_security_group', False, 'SECURITYGROUP') + self.agent.plugin_rpc.security_group_info_for_devices = mock.Mock() + self.agent.plugin_rpc.security_group_rules_for_devices = mock.Mock() + self.agent.firewall.defer_apply = mock.Mock() + self.agent.refresh_firewall([self.fake_device]) + self.assertFalse(self.agent.plugin_rpc. + security_group_info_for_devices.called) + self.assertFalse(self.agent.plugin_rpc. + security_group_rules_for_devices.called) + self.assertFalse(self.agent.firewall.defer_apply.called) + + def test_refresh_firewall_with_noopfirewall(self): + self.agent.firewall = self.default_firewall + self.agent.plugin_rpc.security_group_info_for_devices = mock.Mock() + self.agent.plugin_rpc.security_group_rules_for_devices = mock.Mock() + self.agent.firewall.defer_apply = mock.Mock() + self.agent.refresh_firewall([self.fake_device]) + self.assertFalse(self.agent.plugin_rpc. + security_group_info_for_devices.called) + self.assertFalse(self.agent.plugin_rpc. + security_group_rules_for_devices.called) + self.assertFalse(self.agent.firewall.defer_apply.called) + class SecurityGroupAgentEnhancedRpcTestCase( BaseSecurityGroupAgentRpcTestCase): |