def get_security_group_rule(context, id, fields=None): LOG.info("get_security_group_rule %s for tenant %s" % (id, context.tenant_id)) rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE) if not rule: raise sg_ext.SecurityGroupRuleNotFound(rule_id=id) return v._make_security_group_rule_dict(rule, fields)
def get_security_group_rules(context, filters=None, fields=None, sorts=None, limit=None, marker=None, page_reverse=False): LOG.info("get_security_group_rules for tenant %s" % (context.tenant_id)) rules = db_api.security_group_rule_find(context, **filters) return [v._make_security_group_rule_dict(rule) for rule in rules]
def update_security_group_rule(context, id, security_group_rule): '''Updates a rule and updates the ports''' LOG.info("update_security_group_rule for tenant %s" % (context.tenant_id)) new_rule = security_group_rule["security_group_rule"] # Only allow updatable fields new_rule = _filter_update_security_group_rule(new_rule) with context.session.begin(): rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE) if not rule: raise sg_ext.SecurityGroupRuleNotFound(id=id) db_rule = db_api.security_group_rule_update(context, rule, **new_rule) group_id = db_rule.group_id group = db_api.security_group_find(context, id=group_id, scope=db_api.ONE) if not group: raise sg_ext.SecurityGroupNotFound(id=group_id) if group: _perform_async_update_rule(context, group_id, group, rule.id, RULE_UPDATE) return v._make_security_group_rule_dict(db_rule)
def get_security_group_rule(context, id, fields=None): LOG.info("get_security_group_rule %s for tenant %s" % (id, context.tenant_id)) rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE) if not rule: raise sg_ext.SecurityGroupRuleNotFound(id=id) return v._make_security_group_rule_dict(rule, fields)
def delete_security_group_rule(context, id): LOG.info("delete_security_group %s for tenant %s" % (id, context.tenant_id)) with context.session.begin(): rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE) if not rule: raise sg_ext.SecurityGroupRuleNotFound(id=id) group = db_api.security_group_find(context, id=rule["group_id"], scope=db_api.ONE) if not group: raise sg_ext.SecurityGroupNotFound(id=id) rule["id"] = id db_api.security_group_rule_delete(context, rule)
def delete_security_group_rule(context, id): LOG.info("delete_security_group %s for tenant %s" % (id, context.tenant_id)) with context.session.begin(): rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE) if not rule: raise sg_ext.SecurityGroupRuleNotFound(group_id=id) group = db_api.security_group_find(context, id=rule["group_id"], scope=db_api.ONE) if not group: raise sg_ext.SecurityGroupNotFound(id=id) rule["id"] = id db_api.security_group_rule_delete(context, rule)
def delete_security_group_rule(context, id): LOG.info("delete_security_group %s for tenant %s" % (id, context.tenant_id)) rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE) if not rule: raise sg_ext.SecurityGroupRuleNotFound(group_id=id) group = db_api.security_group_find(context, id=rule["group_id"], scope=db_api.ONE) if not group: raise sg_ext.SecurityGroupNotFound(id=id) net_driver.delete_security_group_rule( context, group.id, v._make_security_group_rule_dict(rule)) rule["id"] = id db_api.security_group_rule_delete(context, rule)
def delete_security_group_rule(context, id): """Deletes a rule and updates the ports (async) if enabled.""" LOG.info("delete_security_group %s for tenant %s" % (id, context.tenant_id)) with context.session.begin(): rule = db_api.security_group_rule_find(context, id=id, scope=db_api.ONE) if not rule: raise sg_ext.SecurityGroupRuleNotFound(id=id) group = db_api.security_group_find(context, id=rule["group_id"], scope=db_api.ONE) if not group: raise sg_ext.SecurityGroupNotFound(id=id) rule["id"] = id db_api.security_group_rule_delete(context, rule) if group: _perform_async_update_rule(context, group.id, group, id, RULE_DELETE)
def write_groups(self, dryrun=False): client = self._get_connection(use_master=not dryrun) ctx = neutron.context.get_admin_context() ports_with_groups = db_api.ports_with_security_groups_find(ctx).all() if dryrun: print() print("Writing groups in dry run mode. Existing rules in Redis " "will be checked against those in the database, with a " "running report generated of all those that will be " "overwritten.\n\nTo actually apply the groups, re-run " "with the --yarly flag.") print() print("Found %s ports with security groups" % len(ports_with_groups)) if dryrun: vifs = len(client.vif_keys()) if vifs > 0: print("There are %d VIFs with rules in Redis, some of which " "may be overwritten!" % vifs) print() overwrite_count = 0 for port in ports_with_groups: mac = netaddr.EUI(port["mac_address"]) # Rather than loading everything in one giant chunk, we'll make # trips per port. group_ids = [g["id"] for g in port.security_groups] rules = db_api.security_group_rule_find(ctx, group_id=group_ids, scope=db_api.ALL) if dryrun: existing_rules = client.get_rules_for_port(port["device_id"], port["mac_address"]) if existing_rules: overwrite_count += 1 db_len = len(rules) existing_len = len(existing_rules["rules"]) print("== Port ID:%s - MAC:%s - Device ID:%s - " "Redis Rules:%d - DB Rules:%d" % (port["id"], mac, port["device_id"], existing_len, db_len)) if not dryrun: for retry in xrange(self._retries): try: payload = client.serialize_rules(rules) client.apply_rules( port["device_id"], port["mac_address"], payload) break except q_exc.RedisConnectionFailure: time.sleep(self._retry_delay) client = self._get_connection(use_master=True, giveup=False) if dryrun: print() print("Total number of VIFs to overwrite/were overwritten: %s" % overwrite_count) diff = vifs - overwrite_count if diff > 0: print("Orphaned VIFs in Redis:", diff) print("Run purge-orphans to clean then up") if dryrun: print("Total number of VIFs to write: %d" % len(ports_with_groups)) if dryrun: print('=' * 80) print("Re-run with --yarly to apply changes") print("Done!")
def write_groups(self, dryrun=False): client = self._get_connection(use_master=not dryrun) ctx = neutron.context.get_admin_context() ports_with_groups = db_api.ports_with_security_groups_find(ctx).all() if dryrun: print() print("Writing groups in dry run mode. Existing rules in Redis " "will be checked against those in the database, with a " "running report generated of all those that will be " "overwritten.\n\nTo actually apply the groups, re-run " "with the --yarly flag.") print() print("Found %s ports with security groups" % len(ports_with_groups)) if dryrun: vifs = len(client.vif_keys()) if vifs > 0: print("There are %d VIFs with rules in Redis, some of which " "may be overwritten!" % vifs) print() overwrite_count = 0 for port in ports_with_groups: mac = netaddr.EUI(port["mac_address"]) # Rather than loading everything in one giant chunk, we'll make # trips per port. group_ids = [g["id"] for g in port.security_groups] rules = db_api.security_group_rule_find(ctx, group_id=group_ids, scope=db_api.ALL) if dryrun: existing_rules = client.get_rules_for_port( port["device_id"], port["mac_address"]) if existing_rules: overwrite_count += 1 db_len = len(rules) existing_len = len(existing_rules["rules"]) print("== Port ID:%s - MAC:%s - Device ID:%s - " "Redis Rules:%d - DB Rules:%d" % (port["id"], mac, port["device_id"], existing_len, db_len)) if not dryrun: for retry in xrange(self._retries): try: payload = client.serialize_rules(rules) client.apply_rules(port["device_id"], port["mac_address"], payload) break except q_exc.RedisConnectionFailure: time.sleep(self._retry_delay) client = self._get_connection(use_master=True, giveup=False) if dryrun: print() print("Total number of VIFs to overwrite/were overwritten: %s" % overwrite_count) diff = vifs - overwrite_count if diff > 0: print("Orphaned VIFs in Redis:", diff) print("Run purge-orphans to clean then up") if dryrun: print("Total number of VIFs to write: %d" % len(ports_with_groups)) if dryrun: print('=' * 80) print("Re-run with --yarly to apply changes") print("Done!")