PSARC/2013/350 OpenStack for Solaris (Umbrella)
PSARC/2014/007 OpenStack client API components for Grizzly
PSARC/2014/048 OpenStack Keystone (OpenStack Identity Service)
PSARC/2014/049 OpenStack Nova (OpenStack Compute Service)
PSARC/2014/054 OpenStack Cinder (OpenStack Block Storage Service)
PSARC/2014/055 OpenStack Glance (OpenStack Image Service)
PSARC/2014/058 OpenStack Horizon (OpenStack Dashboard)
PSARC/2014/059 OpenStack Neutron (OpenStack Networking Service)
17531161 greenlet doesn't build with gcc 4.7.X
18143276 greenlet can crash with register window corruption on MP SPARC
18290089 integrate cinderclient
18290097 integrate glanceclient
18290102 integrate keystoneclient
18290109 integrate neutronclient
18290113 integrate novaclient
18290119 integrate swiftclient
18290125 integrate quantumclient
18307582 Request to integrate Cinder into userland
18307595 Request to integrate Glance into userland
18307626 Request to integrate Horizon into userland
18307641 Request to integrate Keystone into userland
18307650 Request to integrate Neutron into userland
18307659 Request to integrate Nova into userland
18321909 a few Python packages deliver both po and mo files
18362900 Dnsmasq's SMF method_credential is missing a privilege
18363793 Dnsmasq should use SIOCSXARP ioctl
Upstream patch fixed in Grizzly 2013.1.5, Havana 2013.2
commit df2ea2e3acdede21b40d47b7adbeac04213d031b
Author: John Garbutt <[email protected]>
Date: Thu Sep 12 18:11:49 2013 +0100
xenapi: enforce filters after live-migration
Currently and network filters, including security groups, are
lost after a server has been live-migrated.
This partially fixes the issue by ensuring that security groups are
re-applied to the VM once it reached the destination, and been started.
This leaves a small amount of time during the live-migrate where the VM
is not protected. There is a further bug raised to close the rest of
this whole, but this helps keep the VM protected for the majority of the
time.
Fixes bug 1202266
(Cherry picked from commit: 5cced7a6dd32d231c606e25dbf762d199bf9cca7)
Change-Id: I66bc7af1c6da74e18dce47180af0cb6020ba2c1a
diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py
index f7fb81d..d4c19a4 100644
--- a/nova/tests/test_xenapi.py
+++ b/nova/tests/test_xenapi.py
@@ -2723,7 +2723,27 @@ class XenAPILiveMigrateTestCase(stubs.XenAPITestBase):
# ensure method is present
stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False)
- self.conn.post_live_migration_at_destination(None, None, None, None)
+
+ fake_instance = "instance"
+ fake_network_info = "network_info"
+
+ def fake_fw(instance, network_info):
+ self.assertEquals(instance, fake_instance)
+ self.assertEquals(network_info, fake_network_info)
+ fake_fw.called += 1
+
+ fake_fw.called = 0
+ _vmops = self.conn._vmops
+ self.stubs.Set(_vmops.firewall_driver,
+ 'setup_basic_filtering', fake_fw)
+ self.stubs.Set(_vmops.firewall_driver,
+ 'prepare_instance_filter', fake_fw)
+ self.stubs.Set(_vmops.firewall_driver,
+ 'apply_instance_filter', fake_fw)
+
+ self.conn.post_live_migration_at_destination(None, fake_instance,
+ fake_network_info, None)
+ self.assertEqual(fake_fw.called, 3)
def test_check_can_live_migrate_destination_with_block_migration(self):
stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
diff --git a/nova/virt/xenapi/driver.py b/nova/virt/xenapi/driver.py
index 128f67f..564c587 100755
--- a/nova/virt/xenapi/driver.py
+++ b/nova/virt/xenapi/driver.py
@@ -1,4 +1,3 @@
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright (c) 2010 Citrix Systems, Inc.
# Copyright 2010 OpenStack Foundation
@@ -514,7 +513,8 @@ class XenAPIDriver(driver.ComputeDriver):
:params : block_migration: if true, post operation of block_migraiton.
"""
# TODO(JohnGarbutt) look at moving/downloading ramdisk and kernel
- pass
+ self._vmops.post_live_migration_at_destination(ctxt, instance_ref,
+ network_info, block_device_info, block_device_info)
def unfilter_instance(self, instance_ref, network_info):
"""Removes security groups configured for an instance."""
diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py
index eccf3e0..ae5c697 100644
--- a/nova/virt/xenapi/vmops.py
+++ b/nova/virt/xenapi/vmops.py
@@ -1737,6 +1737,24 @@ class VMOps(object):
recover_method(context, instance, destination_hostname,
block_migration)
+ def post_live_migration_at_destination(self, context, instance,
+ network_info, block_migration,
+ block_device_info):
+ # FIXME(johngarbutt): we should block all traffic until we have
+ # applied security groups, however this requires changes to XenServer
+ try:
+ self.firewall_driver.setup_basic_filtering(
+ instance, network_info)
+ except NotImplementedError:
+ # NOTE(salvatore-orlando): setup_basic_filtering might be
+ # empty or not implemented at all, as basic filter could
+ # be implemented with VIF rules created by xapi plugin
+ pass
+
+ self.firewall_driver.prepare_instance_filter(instance,
+ network_info)
+ self.firewall_driver.apply_instance_filter(instance, network_info)
+
def get_per_instance_usage(self):
"""Get usage info about each active instance."""
usage = {}
commit 01de658210fd65171bfbf5450c93673b5ce0bd9e
Author: John Garbutt <[email protected]>
Date: Mon Oct 21 19:34:43 2013 +0100
xenapi: apply firewall rules in finish_migrate
When security groups were added, the rules were not re-applied to
servers that have been migrated to a new hypervisor.
This change ensures the firewall rules are applied as part of creating
the new VM in finish_migrate. This code follows a very similar pattern
to the code in spawn, and that is where the cut and paste code comes
from. This code duplication was removed in Havana.
Fixes bug 1073306
Change-Id: I6295a782df328a759e358fb82b76dd3f7bd4b39e
diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py
index eccf3e0..7a96ac2 100644
--- a/nova/virt/xenapi/vmops.py
+++ b/nova/virt/xenapi/vmops.py
@@ -277,8 +277,23 @@ class VMOps(object):
self._attach_mapped_block_devices(instance, block_device_info)
+ try:
+ self.firewall_driver.setup_basic_filtering(
+ instance, network_info)
+ except NotImplementedError:
+ # NOTE(salvatore-orlando): setup_basic_filtering might be
+ # empty or not implemented at all, as basic filter could
+ # be implemented with VIF rules created by xapi plugin
+ pass
+
+ self.firewall_driver.prepare_instance_filter(instance,
+ network_info)
+
# 5. Start VM
self._start(instance, vm_ref=vm_ref)
+
+ self.firewall_driver.apply_instance_filter(instance, network_info)
+
self._update_instance_progress(context, instance,
step=5,
total_steps=RESIZE_TOTAL_STEPS)