Merge "Fix duplicate SG creation for listener peer port"
Zuul authored 2 years ago
Gerrit Code Review committed 2 years ago
151 | 151 | security_group_id=sec_grp_id) |
152 | 152 | |
153 | 153 | updated_ports = [] |
154 | listener_peer_ports = [] | |
154 | 155 | for listener in load_balancer.listeners: |
155 | 156 | if (listener.provisioning_status in [constants.PENDING_DELETE, |
156 | 157 | constants.DELETED]): |
170 | 171 | port = (listener.protocol_port, protocol, None) |
171 | 172 | updated_ports.append(port) |
172 | 173 | |
173 | # As the peer port will hold the tcp connection for keepalived and | |
174 | # haproxy session synchronization, so here the security group rule | |
175 | # should be just related with tcp protocol only. | |
176 | updated_ports.append( | |
177 | (listener.peer_port, constants.PROTOCOL_TCP.lower(), None)) | |
174 | listener_peer_ports.append(listener.peer_port) | |
175 | ||
176 | # As the peer port will hold the tcp connection for keepalived and | |
177 | # haproxy session synchronization, so here the security group rule | |
178 | # should be just related with tcp protocol only. To avoid adding | |
179 | # duplicate rules, peer_port info should be added if updated_ports | |
180 | # does not have the peer_port entry with allowed_cidr 0.0.0.0/0 | |
181 | tcp_lower = constants.PROTOCOL_TCP.lower() | |
182 | for peer_port in listener_peer_ports: | |
183 | if (peer_port, tcp_lower, "0.0.0.0/0") not in updated_ports: | |
184 | updated_ports.append((peer_port, tcp_lower, None)) | |
178 | 185 | |
179 | 186 | # Just going to use port_range_max for now because we can assume that |
180 | 187 | # port_range_max and min will be the same since this driver is |
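Review bot: The new guard on the peer-port loop only recognises the `"0.0.0.0/0"` spelling of an existing rule, so a listener whose `protocol_port` equals another listener's `peer_port` and has no `allowed_cidrs` still yields two identical `(port, 'tcp', None)` entries in `updated_ports` — the same shape of duplicate the commit message says neutron rejects, unless the rule-creation loop below (outside this hunk) already de-duplicates, which I cannot see from here. Checking both spellings closes that gap: `if ((peer_port, tcp_lower, None) not in updated_ports and` / `        (peer_port, tcp_lower, "0.0.0.0/0") not in updated_ports):`. The comparison also assumes `protocol` on the listener tuples is lower-cased like `tcp_lower`; `protocol` is assigned outside the hunk, so that is worth confirming. The enclosing function starts and ends outside this hunk.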
1046 | 1046 | mock.call(expected_create_rule_udp)], |
1047 | 1047 | any_order=True) |
1048 | 1048 | |
1049 | def test_update_vip_when_protocol_and_peer_ports_overlap(self): | |
1050 | lc_1 = data_models.ListenerCidr('l1', '0.0.0.0/0') | |
1051 | listeners = [data_models.Listener(protocol_port=80, peer_port=1024, | |
1052 | protocol=constants.PROTOCOL_TCP), | |
1053 | data_models.Listener(protocol_port=443, peer_port=1025, | |
1054 | protocol=constants.PROTOCOL_TCP), | |
1055 | data_models.Listener(protocol_port=1025, peer_port=1026, | |
1056 | protocol=constants.PROTOCOL_TCP, | |
1057 | allowed_cidrs=[lc_1])] | |
1058 | vip = data_models.Vip(ip_address='10.0.0.2') | |
1059 | lb = data_models.LoadBalancer(id='1', listeners=listeners, vip=vip) | |
1060 | list_sec_grps = self.driver.neutron_client.list_security_groups | |
1061 | list_sec_grps.return_value = {'security_groups': [{'id': 'secgrp-1'}]} | |
1062 | fake_rules = { | |
1063 | 'security_group_rules': [ | |
1064 | {'id': 'rule-80', 'port_range_max': 80, 'protocol': 'tcp'}, | |
1065 | {'id': 'rule-22', 'port_range_max': 22, 'protocol': 'tcp'} | |
1066 | ] | |
1067 | } | |
1068 | list_rules = self.driver.neutron_client.list_security_group_rules | |
1069 | list_rules.return_value = fake_rules | |
1070 | delete_rule = self.driver.neutron_client.delete_security_group_rule | |
1071 | create_rule = self.driver.neutron_client.create_security_group_rule | |
1072 | self.driver.update_vip(lb) | |
1073 | delete_rule.assert_called_once_with('rule-22') | |
1074 | ||
1075 | # Create SG rule calls should be 4, each for port 1024/1025/1026/443 | |
1076 | # No duplicate SG creation for overlap port 1025 | |
1077 | self.assertEqual(4, create_rule.call_count) | |
1078 | ||
1049 | 1079 | def test_update_vip_when_listener_deleted(self): |
1050 | 1080 | listeners = [data_models.Listener(protocol_port=80, |
1051 | 1081 | protocol=constants.PROTOCOL_TCP), |
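Review bot: `self.assertEqual(4, create_rule.call_count)` only pins the number of rule creations, not which one was dropped, so a regression that kept the peer-port `None` rule for 1025 and lost the 443 rule instead would still pass. The neighbouring test above asserts the concrete payloads with `create_rule.assert_has_calls([...], any_order=True)`; building the four expected rule dicts for 443, 1024, 1026 and 1025-with-`remote_ip_prefix='0.0.0.0/0'` and asserting them the same way would make the test actually verify the de-duplication. The test's enclosing class starts outside this hunk.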
0 | --- | |
1 | fixes: | |
2 | - | | |
3 | Fixes loadbalancer creation failure when one of the listener port matches | |
4 | with the octavia generated peer ports and the allowed_cidr is explicitly | |
5 | set to 0.0.0.0/0 on the listener. This is due to creation of two security | |
6 | group rules with remote_ip_prefix as None and remote_ip_prefix as 0.0.0.0/0 | |
7 | which neutron rejects the second request with security group rule already | |
8 | exists. |