components/openstack/nova/patches/04-CVE-2013-4497.patch
branchs11-update
changeset 3028 5e73a3a3f66a
3027:3bcf7d43558b 3028:5e73a3a3f66a
       
     1 Upstream patch fixed in Grizzly 2013.1.5, Havana 2013.2
       
     2 
       
     3 commit df2ea2e3acdede21b40d47b7adbeac04213d031b
       
     4 Author: John Garbutt <[email protected]>
       
     5 Date:   Thu Sep 12 18:11:49 2013 +0100
       
     6 
       
     7     xenapi: enforce filters after live-migration
       
     8     
       
     9     Currently and network filters, including security groups, are
       
    10     lost after a server has been live-migrated.
       
    11     
       
    12     This partially fixes the issue by ensuring that security groups are
       
    13     re-applied to the VM once it reached the destination, and been started.
       
    14     
       
    15     This leaves a small amount of time during the live-migrate where the VM
       
    16     is not protected. There is a further bug raised to close the rest of
       
    17     this whole, but this helps keep the VM protected for the majority of the
       
    18     time.
       
    19     
       
    20     Fixes bug 1202266
       
    21     
       
    22     (Cherry picked from commit: 5cced7a6dd32d231c606e25dbf762d199bf9cca7)
       
    23     
       
    24     Change-Id: I66bc7af1c6da74e18dce47180af0cb6020ba2c1a
       
    25 
       
    26 diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py
       
    27 index f7fb81d..d4c19a4 100644
       
    28 --- a/nova/tests/test_xenapi.py
       
    29 +++ b/nova/tests/test_xenapi.py
       
    30 @@ -2723,7 +2723,27 @@ class XenAPILiveMigrateTestCase(stubs.XenAPITestBase):
       
    31          # ensure method is present
       
    32          stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
       
    33          self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False)
       
    34 -        self.conn.post_live_migration_at_destination(None, None, None, None)
       
    35 +
       
    36 +        fake_instance = "instance"
       
    37 +        fake_network_info = "network_info"
       
    38 +
       
    39 +        def fake_fw(instance, network_info):
       
    40 +            self.assertEquals(instance, fake_instance)
       
    41 +            self.assertEquals(network_info, fake_network_info)
       
    42 +            fake_fw.called += 1
       
    43 +
       
    44 +        fake_fw.called = 0
       
    45 +        _vmops = self.conn._vmops
       
    46 +        self.stubs.Set(_vmops.firewall_driver,
       
    47 +                       'setup_basic_filtering', fake_fw)
       
    48 +        self.stubs.Set(_vmops.firewall_driver,
       
    49 +                       'prepare_instance_filter', fake_fw)
       
    50 +        self.stubs.Set(_vmops.firewall_driver,
       
    51 +                       'apply_instance_filter', fake_fw)
       
    52 +
       
    53 +        self.conn.post_live_migration_at_destination(None, fake_instance,
       
    54 +                                                     fake_network_info, None)
       
    55 +        self.assertEqual(fake_fw.called, 3)
       
    56  
       
    57      def test_check_can_live_migrate_destination_with_block_migration(self):
       
    58          stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
       
    59 diff --git a/nova/virt/xenapi/driver.py b/nova/virt/xenapi/driver.py
       
    60 index 128f67f..564c587 100755
       
    61 --- a/nova/virt/xenapi/driver.py
       
    62 +++ b/nova/virt/xenapi/driver.py
       
    63 @@ -1,4 +1,3 @@
       
    64 -# vim: tabstop=4 shiftwidth=4 softtabstop=4
       
    65  
       
    66  # Copyright (c) 2010 Citrix Systems, Inc.
       
    67  # Copyright 2010 OpenStack Foundation
       
    68 @@ -514,7 +513,8 @@ class XenAPIDriver(driver.ComputeDriver):
       
    69          :params : block_migration: if true, post operation of block_migraiton.
       
    70          """
       
    71          # TODO(JohnGarbutt) look at moving/downloading ramdisk and kernel
       
    72 -        pass
       
    73 +        self._vmops.post_live_migration_at_destination(ctxt, instance_ref,
       
    74 +                network_info, block_device_info, block_device_info)
       
    75  
       
    76      def unfilter_instance(self, instance_ref, network_info):
       
    77          """Removes security groups configured for an instance."""
       
    78 diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py
       
    79 index eccf3e0..ae5c697 100644
       
    80 --- a/nova/virt/xenapi/vmops.py
       
    81 +++ b/nova/virt/xenapi/vmops.py
       
    82 @@ -1737,6 +1737,24 @@ class VMOps(object):
       
    83                  recover_method(context, instance, destination_hostname,
       
    84                                 block_migration)
       
    85  
       
    86 +    def post_live_migration_at_destination(self, context, instance,
       
    87 +                                           network_info, block_migration,
       
    88 +                                           block_device_info):
       
    89 +        # FIXME(johngarbutt): we should block all traffic until we have
       
    90 +        # applied security groups, however this requires changes to XenServer
       
    91 +        try:
       
    92 +            self.firewall_driver.setup_basic_filtering(
       
    93 +                    instance, network_info)
       
    94 +        except NotImplementedError:
       
    95 +            # NOTE(salvatore-orlando): setup_basic_filtering might be
       
    96 +            # empty or not implemented at all, as basic filter could
       
    97 +            # be implemented with VIF rules created by xapi plugin
       
    98 +            pass
       
    99 +
       
   100 +        self.firewall_driver.prepare_instance_filter(instance,
       
   101 +                                                     network_info)
       
   102 +        self.firewall_driver.apply_instance_filter(instance, network_info)
       
   103 +
       
   104      def get_per_instance_usage(self):
       
   105          """Get usage info about each active instance."""
       
   106          usage = {}
       
   107 commit 01de658210fd65171bfbf5450c93673b5ce0bd9e
       
   108 Author: John Garbutt <[email protected]>
       
   109 Date:   Mon Oct 21 19:34:43 2013 +0100
       
   110 
       
   111     xenapi: apply firewall rules in finish_migrate
       
   112     
       
   113     When security groups were added, the rules were not re-applied to
       
   114     servers that have been migrated to a new hypervisor.
       
   115     
       
   116     This change ensures the firewall rules are applied as part of creating
       
   117     the new VM in finish_migrate. This code follows a very similar pattern
       
   118     to the code in spawn, and that is where the cut and paste code comes
       
   119     from. This code duplication was removed in Havana.
       
   120     
       
   121     Fixes bug 1073306
       
   122     
       
   123     Change-Id: I6295a782df328a759e358fb82b76dd3f7bd4b39e
       
   124 
       
   125 diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py
       
   126 index eccf3e0..7a96ac2 100644
       
   127 --- a/nova/virt/xenapi/vmops.py
       
   128 +++ b/nova/virt/xenapi/vmops.py
       
   129 @@ -277,8 +277,23 @@ class VMOps(object):
       
   130  
       
   131          self._attach_mapped_block_devices(instance, block_device_info)
       
   132  
       
   133 +        try:
       
   134 +            self.firewall_driver.setup_basic_filtering(
       
   135 +                    instance, network_info)
       
   136 +        except NotImplementedError:
       
   137 +            # NOTE(salvatore-orlando): setup_basic_filtering might be
       
   138 +            # empty or not implemented at all, as basic filter could
       
   139 +            # be implemented with VIF rules created by xapi plugin
       
   140 +            pass
       
   141 +
       
   142 +        self.firewall_driver.prepare_instance_filter(instance,
       
   143 +                                                     network_info)
       
   144 +
       
   145          # 5. Start VM
       
   146          self._start(instance, vm_ref=vm_ref)
       
   147 +
       
   148 +        self.firewall_driver.apply_instance_filter(instance, network_info)
       
   149 +
       
   150          self._update_instance_progress(context, instance,
       
   151                                         step=5,
       
   152                                         total_steps=RESIZE_TOTAL_STEPS)
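Review bot: The driver-side call added in the nova/virt/xenapi/driver.py hunk (patch lines 73-74) passes `block_device_info` twice, while the new `VMOps.post_live_migration_at_destination` in the vmops.py hunk (patch lines 86-88) takes `block_migration` before `block_device_info`, so the fourth positional argument is wrong; assuming the driver method takes a `block_migration` parameter as its docstring on patch line 69 suggests (its signature is outside the hunk), the call should read `self._vmops.post_live_migration_at_destination(ctxt, instance_ref, network_info, block_migration, block_device_info)`. The mismatch has no effect today because the new vmops body only consults `instance` and `network_info`, but it will silently misbehave as soon as either trailing argument is used, and the test added in test_xenapi.py cannot catch it since it passes `None` for both positions. For the second embedded commit, the ordering in `finish_migrate` (basic filtering and `prepare_instance_filter` before `_start`, `apply_instance_filter` after) matches the spawn pattern the commit message cites and looks right; the brief unfiltered window after start is already called out by the FIXME on patch lines 89-90, and a one-line comment at the `apply_instance_filter` call in `finish_migrate` noting the same caveat would make the two paths read consistently.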