Skip to content

Commit ad35d50

Browse files
Zuulopenstack-gerrit
Zuul
authored and
openstack-gerrit
committed
Merge "Use safer methods to get security groups on security group logging" into stable/2023.1
2 parents 34e7468 + 7066974 commit ad35d50

File tree

2 files changed

+30
-16
lines changed

2 files changed

+30
-16
lines changed

neutron/services/logapi/drivers/ovn/driver.py

Lines changed: 17 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -157,12 +157,16 @@ def _set_acls_log(self, pgs, context, ovn_txn, actions_enabled, log_name):
157157
acl_changes, acl_visits = 0, 0
158158
for pg in pgs:
159159
meter_name = self.meter_name
160-
if ovn_const.OVN_DROP_PORT_GROUP_NAME not in pg["name"]:
161-
stateful = (sg_obj.SecurityGroup
162-
.get_sg_by_id(context, pg["name"]
163-
.replace('pg_', '', 1)
164-
.replace('_', '-')).stateful)
165-
if not stateful:
160+
if pg["name"] != ovn_const.OVN_DROP_PORT_GROUP_NAME:
161+
sg = sg_obj.SecurityGroup.get_sg_by_id(
162+
context,
163+
pg["external_ids"][ovn_const.OVN_SG_EXT_ID_KEY])
164+
if not sg:
165+
LOG.warning("Port Group %s is missing a corresponding "
166+
"security group, skipping its network log "
167+
"setting...", pg["name"])
168+
continue
169+
if not sg.stateful:
166170
meter_name = meter_name + ("_stateless")
167171
for acl_uuid in pg["acls"]:
168172
acl_visits += 1
@@ -197,7 +201,8 @@ def _update_log_objs(self, context, ovn_txn, log_objs):
197201

198202
def _pgs_all(self):
199203
return self.ovn_nb.db_list(
200-
"Port_Group", columns=["name", "acls"]).execute(check_error=True)
204+
"Port_Group",
205+
columns=["name", "external_ids", "acls"]).execute(check_error=True)
201206

202207
def _pgs_from_log_obj(self, context, log_obj):
203208
"""Map Neutron log_obj into affected port groups in OVN.
@@ -216,10 +221,12 @@ def _pgs_from_log_obj(self, context, log_obj):
216221
# No sg, no port, DROP: return DROP pg
217222
if log_obj.event == log_const.DROP_EVENT:
218223
return [{"name": pg_drop.name,
224+
"external_ids": pg_drop.external_ids,
219225
"acls": [r.uuid for r in pg_drop.acls]}]
220226
# No sg, no port, ACCEPT: return all except DROP pg
221227
pgs = self._pgs_all()
222228
pgs.remove({"name": pg_drop.name,
229+
"external_ids": pg_drop.external_ids,
223230
"acls": [r.uuid for r in pg_drop.acls]})
224231
return pgs
225232
except idlutils.RowNotFound:
@@ -232,6 +239,7 @@ def _pgs_from_log_obj(self, context, log_obj):
232239
pg = self.ovn_nb.lookup("Port_Group",
233240
ovn_const.OVN_DROP_PORT_GROUP_NAME)
234241
pgs.append({"name": pg.name,
242+
"external_ids": pg.external_ids,
235243
"acls": [r.uuid for r in pg.acls]})
236244
except idlutils.RowNotFound:
237245
pass
@@ -244,6 +252,7 @@ def _pgs_from_log_obj(self, context, log_obj):
244252
utils.ovn_port_group_name(
245253
log_obj.resource_id))
246254
pgs.append({"name": pg.name,
255+
"external_ids": pg.external_ids,
247256
"acls": [r.uuid for r in pg.acls]})
248257
except idlutils.RowNotFound:
249258
pass
@@ -257,6 +266,7 @@ def _pgs_from_log_obj(self, context, log_obj):
257266
pg = self.ovn_nb.lookup("Port_Group",
258267
utils.ovn_port_group_name(sg_id))
259268
pgs.append({"name": pg.name,
269+
"external_ids": pg.external_ids,
260270
"acls": [r.uuid for r in pg.acls]})
261271
except idlutils.RowNotFound:
262272
pass

neutron/tests/unit/services/logapi/drivers/ovn/test_driver.py

Lines changed: 13 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -129,18 +129,16 @@ def __init__(self, name=None, **acl_dict):
129129
self.__dict__ = {**acl_defaults_dict, **acl_dict}
130130

131131
def _fake_pg_dict(self, **kwargs):
132+
uuid = uuidutils.generate_uuid()
132133
pg_defaults_dict = {
133-
"name": ovn_utils.ovn_port_group_name(uuidutils.generate_uuid()),
134+
"name": ovn_utils.ovn_port_group_name(uuid),
135+
"external_ids": {ovn_const.OVN_SG_EXT_ID_KEY: uuid},
134136
"acls": []
135137
}
136138
return {**pg_defaults_dict, **kwargs}
137139

138140
def _fake_pg(self, **kwargs):
139-
pg_defaults_dict = {
140-
"name": ovn_utils.ovn_port_group_name(uuidutils.generate_uuid()),
141-
"acls": []
142-
}
143-
pg_dict = {**pg_defaults_dict, **kwargs}
141+
pg_dict = self._fake_pg_dict(**kwargs)
144142
return mock.Mock(**pg_dict)
145143

146144
def _fake_log_obj(self, **kwargs):
@@ -190,7 +188,9 @@ def _mock_lookup(_pg_table, pg_name):
190188
pgs = self._log_driver._pgs_from_log_obj(self.context, log_obj)
191189
mock_pgs_all.assert_not_called()
192190
self.assertEqual(2, self._nb_ovn.lookup.call_count)
193-
self.assertEqual([{'acls': [], 'name': pg.name}], pgs)
191+
self.assertEqual([{'acls': [],
192+
'external_ids': pg.external_ids,
193+
'name': pg.name}], pgs)
194194

195195
def test__pgs_from_log_obj_pg(self):
196196
with mock.patch.object(self._log_driver, '_pgs_all',
@@ -204,7 +204,9 @@ def test__pgs_from_log_obj_pg(self):
204204
mock_pgs_all.assert_not_called()
205205
self._nb_ovn.lookup.assert_called_once_with(
206206
"Port_Group", ovn_utils.ovn_port_group_name('resource_id'))
207-
self.assertEqual([{'acls': [], 'name': pg.name}], pgs)
207+
self.assertEqual([{'acls': [],
208+
'external_ids': pg.external_ids,
209+
'name': pg.name}], pgs)
208210

209211
def test__pgs_from_log_obj_port(self):
210212
with mock.patch.object(self._log_driver, '_pgs_all',
@@ -221,7 +223,9 @@ def test__pgs_from_log_obj_port(self):
221223
self._nb_ovn.lookup.assert_called_once_with("Port_Group", pg_name)
222224
self.fake_get_sgs_attached_to_port.assert_called_once_with(
223225
self.context, 'target_id')
224-
self.assertEqual([{'acls': [], 'name': pg.name}], pgs)
226+
self.assertEqual([{'acls': [],
227+
'external_ids': pg.external_ids,
228+
'name': pg.name}], pgs)
225229

226230
@mock.patch.object(ovn_driver.LOG, 'info')
227231
def test__remove_acls_log(self, m_info):

0 commit comments

Comments
 (0)