1 Upstream patch fixed in Grizzly 2013.1.5, Havana 2013.2 |
|
2 |
|
3 commit df2ea2e3acdede21b40d47b7adbeac04213d031b |
|
4 Author: John Garbutt <[email protected]> |
|
5 Date: Thu Sep 12 18:11:49 2013 +0100 |
|
6 |
|
7 xenapi: enforce filters after live-migration |
|
8 |
|
9 Currently any network filters, including security groups, are |
|
10 lost after a server has been live-migrated. |
|
11 |
|
12 This partially fixes the issue by ensuring that security groups are |
|
13 re-applied to the VM once it has reached the destination and been started. |
|
14 |
|
15 This leaves a small amount of time during the live-migrate where the VM |
|
16 is not protected. There is a further bug raised to close the rest of |
|
17 this hole, but this helps keep the VM protected for the majority of the |
|
18 time. |
|
19 |
|
20 Fixes bug 1202266 |
|
21 |
|
22 (Cherry picked from commit: 5cced7a6dd32d231c606e25dbf762d199bf9cca7) |
|
23 |
|
24 Change-Id: I66bc7af1c6da74e18dce47180af0cb6020ba2c1a |
|
25 |
|
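--- a/nova/tests/test_xenapi.py
+++ b/nova/tests/test_xenapi.py
@@ -2723,7 +2723,27 @@ class XenAPILiveMigrateTestCase(stubs.XenAPITestBase):
 # ensure method is present
 stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
 self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False)
- self.conn.post_live_migration_at_destination(None, None, None, None)
+
+ fake_instance = "instance"
+ fake_network_info = "network_info"
+
+ def fake_fw(instance, network_info):
+ self.assertEquals(instance, fake_instance)
+ self.assertEquals(network_info, fake_network_info)
+ fake_fw.called += 1
+
+ fake_fw.called = 0
+ _vmops = self.conn._vmops
+ self.stubs.Set(_vmops.firewall_driver,
+ 'setup_basic_filtering', fake_fw)
+ self.stubs.Set(_vmops.firewall_driver,
+ 'prepare_instance_filter', fake_fw)
+ self.stubs.Set(_vmops.firewall_driver,
+ 'apply_instance_filter', fake_fw)
+
+ self.conn.post_live_migration_at_destination(None, fake_instance,
+ fake_network_info, None)
+ self.assertEqual(fake_fw.called, 3)
 
 def test_check_can_live_migrate_destination_with_block_migration(self):
 stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)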
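Review bot: The single `fake_fw` stub is installed for all three firewall methods, so the final `assertEqual(fake_fw.called, 3)` cannot tell which methods ran or in what order, and it would still pass if one method were called three times. Using one fake per method that records its name, then asserting the list equals `['setup_basic_filtering', 'prepare_instance_filter', 'apply_instance_filter']`, would pin the sequence the security-group re-application depends on. The `NotImplementedError` path from `setup_basic_filtering`, which the vmops change in this commit deliberately tolerates, is not exercised either. The enclosing test method starts above the hunk.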
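--- a/nova/virt/xenapi/driver.py
+++ b/nova/virt/xenapi/driver.py
@@ -1,4 +1,3 @@
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
 
 # Copyright (c) 2010 Citrix Systems, Inc.
 # Copyright 2010 OpenStack Foundation
@@ -514,7 +513,8 @@ class XenAPIDriver(driver.ComputeDriver):
 :params : block_migration: if true, post operation of block_migraiton.
 """
 # TODO(JohnGarbutt) look at moving/downloading ramdisk and kernel
- pass
+ self._vmops.post_live_migration_at_destination(ctxt, instance_ref,
+ network_info, block_device_info, block_device_info)
 
 def unfilter_instance(self, instance_ref, network_info):
 """Removes security groups configured for an instance."""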
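Review bot: The new call in the second hunk passes `block_device_info` twice, so the `block_migration` parameter of `VMOps.post_live_migration_at_destination` receives the block-device data instead of the migration flag. The fourth argument should presumably be `block_migration`, giving `network_info, block_migration, block_device_info)`. The driver method's signature is above the hunk, so the local name needs confirming, though the docstring line in the context refers to `block_migration`. The vmops method added in this commit reads neither value, so nothing misbehaves today, but any later use of `block_migration` there would silently get the wrong value.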
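--- a/nova/virt/xenapi/vmops.py
+++ b/nova/virt/xenapi/vmops.py
@@ -1737,6 +1737,24 @@ class VMOps(object):
 recover_method(context, instance, destination_hostname,
 block_migration)
 
+ def post_live_migration_at_destination(self, context, instance,
+ network_info, block_migration,
+ block_device_info):
+ # FIXME(johngarbutt): we should block all traffic until we have
+ # applied security groups, however this requires changes to XenServer
+ try:
+ self.firewall_driver.setup_basic_filtering(
+ instance, network_info)
+ except NotImplementedError:
+ # NOTE(salvatore-orlando): setup_basic_filtering might be
+ # empty or not implemented at all, as basic filter could
+ # be implemented with VIF rules created by xapi plugin
+ pass
+
+ self.firewall_driver.prepare_instance_filter(instance,
+ network_info)
+ self.firewall_driver.apply_instance_filter(instance, network_info)
+
 def get_per_instance_usage(self):
 """Get usage info about each active instance."""
 usage = {}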
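Review bot: `post_live_migration_at_destination` lets a failure in `prepare_instance_filter` or `apply_instance_filter` propagate with no record that, per the commit message, the VM has already been started on the destination without its filters. What the caller does with that exception is not visible here, so I would log the failure together with the instance before re-raising, so that an unfiltered running VM shows up in the compute log and can be alerted on. The method also has no docstring; it should state that the security-group rules are re-applied only after the VM is running (the window the FIXME describes) and that `context`, `block_migration` and `block_device_info` are currently unused.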
107 commit 01de658210fd65171bfbf5450c93673b5ce0bd9e |
|
108 Author: John Garbutt <[email protected]> |
|
109 Date: Mon Oct 21 19:34:43 2013 +0100 |
|
110 |
|
111 xenapi: apply firewall rules in finish_migrate |
|
112 |
|
113 When security groups were added, the rules were not re-applied to |
|
114 servers that have been migrated to a new hypervisor. |
|
115 |
|
116 This change ensures the firewall rules are applied as part of creating |
|
117 the new VM in finish_migrate. This code follows a very similar pattern |
|
118 to the code in spawn, and that is where the cut and paste code comes |
|
119 from. This code duplication was removed in Havana. |
|
120 |
|
121 Fixes bug 1073306 |
|
122 |
|
123 Change-Id: I6295a782df328a759e358fb82b76dd3f7bd4b39e |
|
124 |
|
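--- a/nova/virt/xenapi/vmops.py
+++ b/nova/virt/xenapi/vmops.py
@@ -277,8 +277,23 @@ class VMOps(object):
 
 self._attach_mapped_block_devices(instance, block_device_info)
 
+ try:
+ self.firewall_driver.setup_basic_filtering(
+ instance, network_info)
+ except NotImplementedError:
+ # NOTE(salvatore-orlando): setup_basic_filtering might be
+ # empty or not implemented at all, as basic filter could
+ # be implemented with VIF rules created by xapi plugin
+ pass
+
+ self.firewall_driver.prepare_instance_filter(instance,
+ network_info)
+
 # 5. Start VM
 self._start(instance, vm_ref=vm_ref)
+
+ self.firewall_driver.apply_instance_filter(instance, network_info)
+
 self._update_instance_progress(context, instance,
 step=5,
 total_steps=RESIZE_TOTAL_STEPS)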
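Review bot: `apply_instance_filter` runs only after `self._start(instance, vm_ref=vm_ref)`, so if a firewall driver installs its rules in that call rather than in `prepare_instance_filter`, the migrated VM runs for a short interval with no security-group rules, and stays unfiltered if the call raises. The drivers are not on this page, so this needs checking against each one. A comment at the `_start` line, such as `# rules must already be in place from prepare_instance_filter before boot`, would make the assumption explicit. Unlike the live-migration commit above it, this commit as shown adds no test asserting that the three firewall calls are made from finish_migrate. The enclosing method begins above the hunk.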