def get_security_group_rule(context, id, fields=None):
LOG.info("get_security_group_rule %s for tenant %s" %
(id, context.tenant_id))
rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE)
if not rule:
raise sg_ext.SecurityGroupRuleNotFound(rule_id=id)
return v._make_security_group_rule_dict(rule, fields)
def get_security_group_rules(context, filters=None, fields=None,
sorts=None, limit=None, marker=None,
page_reverse=False):
LOG.info("get_security_group_rules for tenant %s" %
(context.tenant_id))
rules = db_api.security_group_rule_find(context, **filters)
return [v._make_security_group_rule_dict(rule) for rule in rules]
def update_security_group_rule(context, id, security_group_rule):
'''Updates a rule and updates the ports'''
LOG.info("update_security_group_rule for tenant %s" % (context.tenant_id))
new_rule = security_group_rule["security_group_rule"]
# Only allow updatable fields
new_rule = _filter_update_security_group_rule(new_rule)
with context.session.begin():
rule = db_api.security_group_rule_find(context,
id=id,
scope=db_api.ONE)
if not rule:
raise sg_ext.SecurityGroupRuleNotFound(id=id)
db_rule = db_api.security_group_rule_update(context, rule, **new_rule)
group_id = db_rule.group_id
group = db_api.security_group_find(context,
id=group_id,
scope=db_api.ONE)
if not group:
raise sg_ext.SecurityGroupNotFound(id=group_id)
if group:
_perform_async_update_rule(context, group_id, group, rule.id,
RULE_UPDATE)
return v._make_security_group_rule_dict(db_rule)
def get_security_group_rule(context, id, fields=None):
LOG.info("get_security_group_rule %s for tenant %s" %
(id, context.tenant_id))
rule = db_api.security_group_rule_find(context, id=id,
scope=db_api.ONE)
if not rule:
raise sg_ext.SecurityGroupRuleNotFound(id=id)
return v._make_security_group_rule_dict(rule, fields)
def get_security_group_rules(context,
filters=None,
fields=None,
sorts=None,
limit=None,
marker=None,
page_reverse=False):
LOG.info("get_security_group_rules for tenant %s" % (context.tenant_id))
rules = db_api.security_group_rule_find(context, **filters)
return [v._make_security_group_rule_dict(rule) for rule in rules]
def delete_security_group_rule(context, id):
LOG.info("delete_security_group %s for tenant %s" % (id, context.tenant_id))
with context.session.begin():
rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE)
if not rule:
raise sg_ext.SecurityGroupRuleNotFound(id=id)
group = db_api.security_group_find(context, id=rule["group_id"], scope=db_api.ONE)
if not group:
raise sg_ext.SecurityGroupNotFound(id=id)
rule["id"] = id
db_api.security_group_rule_delete(context, rule)
def delete_security_group_rule(context, id):
LOG.info("delete_security_group %s for tenant %s" %
(id, context.tenant_id))
with context.session.begin():
rule = db_api.security_group_rule_find(context,
id=id,
scope=db_api.ONE)
if not rule:
raise sg_ext.SecurityGroupRuleNotFound(group_id=id)
group = db_api.security_group_find(context,
id=rule["group_id"],
scope=db_api.ONE)
if not group:
raise sg_ext.SecurityGroupNotFound(id=id)
rule["id"] = id
db_api.security_group_rule_delete(context, rule)
def delete_security_group_rule(context, id):
LOG.info("delete_security_group %s for tenant %s" %
(id, context.tenant_id))
rule = db_api.security_group_rule_find(context, id=id,
scope=db_api.ONE)
if not rule:
raise sg_ext.SecurityGroupRuleNotFound(group_id=id)
group = db_api.security_group_find(context, id=rule["group_id"],
scope=db_api.ONE)
if not group:
raise sg_ext.SecurityGroupNotFound(id=id)
net_driver.delete_security_group_rule(
context, group.id, v._make_security_group_rule_dict(rule))
rule["id"] = id
db_api.security_group_rule_delete(context, rule)
def delete_security_group_rule(context, id):
LOG.info("delete_security_group %s for tenant %s" %
(id, context.tenant_id))
rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE)
if not rule:
raise sg_ext.SecurityGroupRuleNotFound(group_id=id)
group = db_api.security_group_find(context,
id=rule["group_id"],
scope=db_api.ONE)
if not group:
raise sg_ext.SecurityGroupNotFound(id=id)
net_driver.delete_security_group_rule(
context, group.id, v._make_security_group_rule_dict(rule))
rule["id"] = id
db_api.security_group_rule_delete(context, rule)
def delete_security_group_rule(context, id):
"""Deletes a rule and updates the ports (async) if enabled."""
LOG.info("delete_security_group %s for tenant %s" %
(id, context.tenant_id))
with context.session.begin():
rule = db_api.security_group_rule_find(context, id=id,
scope=db_api.ONE)
if not rule:
raise sg_ext.SecurityGroupRuleNotFound(id=id)
group = db_api.security_group_find(context, id=rule["group_id"],
scope=db_api.ONE)
if not group:
raise sg_ext.SecurityGroupNotFound(id=id)
rule["id"] = id
db_api.security_group_rule_delete(context, rule)
if group:
_perform_async_update_rule(context, group.id, group, id, RULE_DELETE)
def delete_security_group_rule(context, id):
"""Deletes a rule and updates the ports (async) if enabled."""
LOG.info("delete_security_group %s for tenant %s" %
(id, context.tenant_id))
with context.session.begin():
rule = db_api.security_group_rule_find(context,
id=id,
scope=db_api.ONE)
if not rule:
raise sg_ext.SecurityGroupRuleNotFound(id=id)
group = db_api.security_group_find(context,
id=rule["group_id"],
scope=db_api.ONE)
if not group:
raise sg_ext.SecurityGroupNotFound(id=id)
rule["id"] = id
db_api.security_group_rule_delete(context, rule)
if group:
_perform_async_update_rule(context, group.id, group, id, RULE_DELETE)
def write_groups(self, dryrun=False):
client = self._get_connection(use_master=not dryrun)
ctx = neutron.context.get_admin_context()
ports_with_groups = db_api.ports_with_security_groups_find(ctx).all()
if dryrun:
print()
print("Writing groups in dry run mode. Existing rules in Redis "
"will be checked against those in the database, with a "
"running report generated of all those that will be "
"overwritten.\n\nTo actually apply the groups, re-run "
"with the --yarly flag.")
print()
print("Found %s ports with security groups" %
len(ports_with_groups))
if dryrun:
vifs = len(client.vif_keys())
if vifs > 0:
print("There are %d VIFs with rules in Redis, some of which "
"may be overwritten!" % vifs)
print()
overwrite_count = 0
for port in ports_with_groups:
mac = netaddr.EUI(port["mac_address"])
# Rather than loading everything in one giant chunk, we'll make
# trips per port.
group_ids = [g["id"] for g in port.security_groups]
rules = db_api.security_group_rule_find(ctx, group_id=group_ids,
scope=db_api.ALL)
if dryrun:
existing_rules = client.get_rules_for_port(port["device_id"],
port["mac_address"])
if existing_rules:
overwrite_count += 1
db_len = len(rules)
existing_len = len(existing_rules["rules"])
print("== Port ID:%s - MAC:%s - Device ID:%s - "
"Redis Rules:%d - DB Rules:%d" %
(port["id"], mac, port["device_id"], existing_len,
db_len))
if not dryrun:
for retry in xrange(self._retries):
try:
payload = client.serialize_rules(rules)
client.apply_rules(
port["device_id"], port["mac_address"], payload)
break
except q_exc.RedisConnectionFailure:
time.sleep(self._retry_delay)
client = self._get_connection(use_master=True,
giveup=False)
if dryrun:
print()
print("Total number of VIFs to overwrite/were overwritten: %s" %
overwrite_count)
diff = vifs - overwrite_count
if diff > 0:
print("Orphaned VIFs in Redis:", diff)
print("Run purge-orphans to clean then up")
if dryrun:
print("Total number of VIFs to write: %d" %
len(ports_with_groups))
if dryrun:
print('=' * 80)
print("Re-run with --yarly to apply changes")
print("Done!")
def write_groups(self, dryrun=False):
client = self._get_connection(use_master=not dryrun)
ctx = neutron.context.get_admin_context()
ports_with_groups = db_api.ports_with_security_groups_find(ctx).all()
if dryrun:
print()
print("Writing groups in dry run mode. Existing rules in Redis "
"will be checked against those in the database, with a "
"running report generated of all those that will be "
"overwritten.\n\nTo actually apply the groups, re-run "
"with the --yarly flag.")
print()
print("Found %s ports with security groups" %
len(ports_with_groups))
if dryrun:
vifs = len(client.vif_keys())
if vifs > 0:
print("There are %d VIFs with rules in Redis, some of which "
"may be overwritten!" % vifs)
print()
overwrite_count = 0
for port in ports_with_groups:
mac = netaddr.EUI(port["mac_address"])
# Rather than loading everything in one giant chunk, we'll make
# trips per port.
group_ids = [g["id"] for g in port.security_groups]
rules = db_api.security_group_rule_find(ctx,
group_id=group_ids,
scope=db_api.ALL)
if dryrun:
existing_rules = client.get_rules_for_port(
port["device_id"], port["mac_address"])
if existing_rules:
overwrite_count += 1
db_len = len(rules)
existing_len = len(existing_rules["rules"])
print("== Port ID:%s - MAC:%s - Device ID:%s - "
"Redis Rules:%d - DB Rules:%d" %
(port["id"], mac, port["device_id"], existing_len,
db_len))
if not dryrun:
for retry in xrange(self._retries):
try:
payload = client.serialize_rules(rules)
client.apply_rules(port["device_id"],
port["mac_address"], payload)
break
except q_exc.RedisConnectionFailure:
time.sleep(self._retry_delay)
client = self._get_connection(use_master=True,
giveup=False)
if dryrun:
print()
print("Total number of VIFs to overwrite/were overwritten: %s" %
overwrite_count)
diff = vifs - overwrite_count
if diff > 0:
print("Orphaned VIFs in Redis:", diff)
print("Run purge-orphans to clean then up")
if dryrun:
print("Total number of VIFs to write: %d" % len(ports_with_groups))
if dryrun:
print('=' * 80)
print("Re-run with --yarly to apply changes")
print("Done!")