From df2ea2e3acdede21b40d47b7adbeac04213d031b Mon Sep 17 00:00:00 2001
|
|
From: John Garbutt <john.garbutt@rackspace.com>
|
|
Date: Thu, 12 Sep 2013 18:11:49 +0100
|
|
Subject: [PATCH] xenapi: enforce filters after live-migration
|
|
|
|
Currently any network filters, including security groups, are
|
|
lost after a server has been live-migrated.
|
|
|
|
This partially fixes the issue by ensuring that security groups are
|
|
re-applied to the VM once it has reached the destination and been started.
|
|
|
|
This leaves a small amount of time during the live-migrate where the VM
|
|
is not protected. There is a further bug raised to close the rest of
|
|
this hole, but this helps keep the VM protected for the majority of the
|
|
time.
|
|
|
|
Fixes bug 1202266
|
|
|
|
(Cherry picked from commit: 5cced7a6dd32d231c606e25dbf762d199bf9cca7)
|
|
|
|
Change-Id: I66bc7af1c6da74e18dce47180af0cb6020ba2c1a
|
|
---
|
|
nova/tests/test_xenapi.py | 22 +++++++++++++++++++++-
|
|
nova/virt/xenapi/driver.py | 4 ++--
|
|
nova/virt/xenapi/vmops.py | 18 ++++++++++++++++++
|
|
3 files changed, 41 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py
|
|
index f7fb81d..d4c19a4 100644
|
|
--- a/nova/tests/test_xenapi.py
|
|
+++ b/nova/tests/test_xenapi.py
|
|
@@ -2723,7 +2723,27 @@ def test_post_live_migration_at_destination(self):
|
|
# ensure method is present
|
|
stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
|
|
self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False)
|
|
- self.conn.post_live_migration_at_destination(None, None, None, None)
|
|
+
|
|
+ fake_instance = "instance"
|
|
+ fake_network_info = "network_info"
|
|
+
|
|
+ def fake_fw(instance, network_info):
|
|
+ self.assertEquals(instance, fake_instance)
|
|
+ self.assertEquals(network_info, fake_network_info)
|
|
+ fake_fw.called += 1
|
|
+
|
|
+ fake_fw.called = 0
|
|
+ _vmops = self.conn._vmops
|
|
+ self.stubs.Set(_vmops.firewall_driver,
|
|
+ 'setup_basic_filtering', fake_fw)
|
|
+ self.stubs.Set(_vmops.firewall_driver,
|
|
+ 'prepare_instance_filter', fake_fw)
|
|
+ self.stubs.Set(_vmops.firewall_driver,
|
|
+ 'apply_instance_filter', fake_fw)
|
|
+
|
|
+ self.conn.post_live_migration_at_destination(None, fake_instance,
|
|
+ fake_network_info, None)
|
|
+ self.assertEqual(fake_fw.called, 3)
|
|
|
|
def test_check_can_live_migrate_destination_with_block_migration(self):
|
|
stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
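Review bot: The single `fake_fw` stub only counts calls, so `self.assertEqual(fake_fw.called, 3)` would still pass if one firewall method ran three times or if the three ran in the wrong order. Since this test is what guards the re-application of security groups, each stub should record its own name (for example append to a list) and the test should assert the list equals `['setup_basic_filtering', 'prepare_instance_filter', 'apply_instance_filter']`. The `NotImplementedError` branch of `setup_basic_filtering` is not exercised either; a second case where that stub raises and the other two are still called would cover it. The new lines mix `assertEquals` and `assertEqual`; `assertEqual` is the non-deprecated spelling.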
|
|
diff --git a/nova/virt/xenapi/driver.py b/nova/virt/xenapi/driver.py
|
|
index 128f67f..564c587 100755
|
|
--- a/nova/virt/xenapi/driver.py
|
|
+++ b/nova/virt/xenapi/driver.py
|
|
@@ -1,4 +1,3 @@
|
|
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
|
|
# Copyright (c) 2010 Citrix Systems, Inc.
|
|
# Copyright 2010 OpenStack Foundation
|
|
@@ -514,7 +513,8 @@ def post_live_migration_at_destination(self, ctxt, instance_ref,
|
|
:params : block_migration: if true, post operation of block_migraiton.
|
|
"""
|
|
# TODO(JohnGarbutt) look at moving/downloading ramdisk and kernel
|
|
- pass
|
|
+ self._vmops.post_live_migration_at_destination(ctxt, instance_ref,
|
|
+ network_info, block_device_info, block_device_info)
|
|
|
|
def unfilter_instance(self, instance_ref, network_info):
|
|
"""Removes security groups configured for an instance."""
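Review bot: The delegating call passes `block_device_info` twice, so the fourth positional argument, which is `block_migration` in the `vmops.post_live_migration_at_destination` signature added by this patch, receives the block device info instead of the migration flag. The new vmops method ignores both values today, so nothing breaks yet, but any later use of `block_migration` there will read the wrong object. Assuming the driver method's parameter is named `block_migration` as its docstring suggests (the signature continues outside the hunk), the continuation line should read `network_info, block_migration, block_device_info)`. The updated test passes `None` for these arguments and so cannot catch the swap.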
|
|
diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py
|
|
index eccf3e0..ae5c697 100644
|
|
--- a/nova/virt/xenapi/vmops.py
|
|
+++ b/nova/virt/xenapi/vmops.py
|
|
@@ -1737,6 +1737,24 @@ def live_migrate(self, context, instance, destination_hostname,
|
|
recover_method(context, instance, destination_hostname,
|
|
block_migration)
|
|
|
|
+ def post_live_migration_at_destination(self, context, instance,
|
|
+ network_info, block_migration,
|
|
+ block_device_info):
|
|
+ # FIXME(johngarbutt): we should block all traffic until we have
|
|
+ # applied security groups, however this requires changes to XenServer
|
|
+ try:
|
|
+ self.firewall_driver.setup_basic_filtering(
|
|
+ instance, network_info)
|
|
+ except NotImplementedError:
|
|
+ # NOTE(salvatore-orlando): setup_basic_filtering might be
|
|
+ # empty or not implemented at all, as basic filter could
|
|
+ # be implemented with VIF rules created by xapi plugin
|
|
+ pass
|
|
+
|
|
+ self.firewall_driver.prepare_instance_filter(instance,
|
|
+ network_info)
|
|
+ self.firewall_driver.apply_instance_filter(instance, network_info)
|
|
+
|
|
def get_per_instance_usage(self):
|
|
"""Get usage info about each active instance."""
|
|
usage = {}
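Review bot: `prepare_instance_filter` and `apply_instance_filter` run with no error handling at a point where, per the FIXME, the VM is already running on the destination without its filters; if either raises, the instance stays up unfiltered, and what the caller does with the exception is not visible in this hunk. I would log the failure together with the instance before re-raising, so that an unprotected VM is visible to operators rather than buried in a generic migration error. The method also has no docstring; something like `"""Re-apply basic filtering and security-group rules to a VM that has arrived on this host; the VM is unfiltered until this returns."""` would record the exposure window next to the code. `context`, `block_migration` and `block_device_info` are accepted but unused, which is worth a short comment.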
|
|
--
|
|
1.8.4
|
|
|