Merge "[GCE] Skip Security group rule verification for egress rules"

This commit is contained in:
Jenkins 2017-08-11 02:36:44 +00:00 committed by Gerrit Code Review
commit 4aa67e3eea
2 changed files with 19 additions and 14 deletions


@ -160,7 +160,7 @@ def get_gce_service(service_key):
raise GceServiceKeyNotFound(path=service_key) raise GceServiceKeyNotFound(path=service_key)
credentials = GoogleCredentials.from_stream(service_key) credentials = GoogleCredentials.from_stream(service_key)
service = build('compute', 'v1', credentials=credentials) service = build('compute', 'beta', credentials=credentials)
return service return service
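Review bot: The `build('compute', 'beta', ...)` call in `get_gce_service` moves every caller onto the beta Compute API without saying why, and beta surfaces carry weaker stability guarantees than `v1`. If the reason is the firewall `direction` and `priority` fields set in the driver file of this commit (an inference, not shown in this hunk), record it next to the call, e.g. `# beta needed for firewall 'direction'/'priority'; return to v1 once these fields are GA`. Keeping the version string in one module-level constant would also make the later revert a one-line change. The body of `get_gce_service` starts outside this hunk.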


@ -158,32 +158,31 @@ class GceMechanismDriver(api.MechanismDriver):
return "secgrp-" + openstack_id return "secgrp-" + openstack_id
def _convert_secgrp_rule_to_gce(self, rule, network_link, validate=False): def _convert_secgrp_rule_to_gce(self, rule, network_link, validate=False):
if rule['ethertype'] != 'IPv4':
raise sg.SecurityGroupRuleInvalidEtherType(
ethertype=rule['ethertype'], values=('IPv4', ))
gce_rule = { gce_rule = {
'sourceRanges': [], 'sourceRanges': [],
'sourceTags': [],
'targetTags': [], 'targetTags': [],
'allowed': [{}], 'allowed': [{}],
'destinationRanges': [], 'priority': 1000
} }
if not validate:
gce_rule['name'] = self._gce_secgrp_id(rule['id'])
gce_rule['network'] = network_link
directions = { directions = {
'ingress': 'INGRESS', 'ingress': 'INGRESS',
} }
gce_protocols = ('tcp', 'udp', 'icmp', 'esp', 'ah', 'sctp')
if rule['direction'] in directions: if rule['direction'] in directions:
gce_rule['direction'] = directions[rule['direction']] gce_rule['direction'] = directions[rule['direction']]
else: else:
raise SecurityGroupInvalidDirection(direction=rule['direction'], raise SecurityGroupInvalidDirection(direction=rule['direction'],
values=directions.keys()) values=directions.keys())
if rule['ethertype'] != 'IPv4':
raise sg.SecurityGroupRuleInvalidEtherType(
ethertype=rule['ethertype'], values=('IPv4', ))
if not validate:
gce_rule['name'] = self._gce_secgrp_id(rule['id'])
gce_rule['network'] = network_link
gce_protocols = ('tcp', 'udp', 'icmp', 'esp', 'ah', 'sctp')
protocol = rule['protocol'] protocol = rule['protocol']
if protocol is None: if protocol is None:
gce_rule['allowed'][0]['IPProtocol'] = 'all' gce_rule['allowed'][0]['IPProtocol'] = 'all'
@ -215,10 +214,13 @@ class GceMechanismDriver(api.MechanismDriver):
compute, project = self.gce_svc, self.gce_project compute, project = self.gce_svc, self.gce_project
try: try:
gce_rule = self._convert_secgrp_rule_to_gce(rule, network_link) gce_rule = self._convert_secgrp_rule_to_gce(rule, network_link)
except SecurityGroupInvalidDirection:
LOG.warn("Egress rules are not supported on GCE.")
return
except Exception as e: except Exception as e:
LOG.exception( LOG.exception(
"An error occured while creating security group: %s" % e) "An error occured while creating security group: %s" % e)
return raise e
LOG.info("Create GCE firewall rule %s" % gce_rule) LOG.info("Create GCE firewall rule %s" % gce_rule)
operation = gceutils.create_firewall_rule(compute, project, gce_rule) operation = gceutils.create_firewall_rule(compute, project, gce_rule)
gceutils.wait_for_operation(compute, project, operation) gceutils.wait_for_operation(compute, project, operation)
@ -227,6 +229,9 @@ class GceMechanismDriver(api.MechanismDriver):
try: try:
self._convert_secgrp_rule_to_gce( self._convert_secgrp_rule_to_gce(
rule, network_link=None, validate=True) rule, network_link=None, validate=True)
except SecurityGroupInvalidDirection:
LOG.warn("Egress rules are not supported on GCE.")
return
except Exception as e: except Exception as e:
LOG.exception("An error occurred while creating security " LOG.exception("An error occurred while creating security "
"group: %s" % e) "group: %s" % e)