Merge "Fix duplicate SG creation for listener peer port" Zuul authored 2 years ago Gerrit Code Review committed 2 years ago
3 changed file(s) with 51 addition(s) and 5 deletion(s). Raw diff Collapse all Expand all
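--- a/<path-of-changed-file-1-not-shown-on-page>
+++ b/<path-of-changed-file-1-not-shown-on-page>
@@ -151,6 +151,7 @@
             security_group_id=sec_grp_id)
 
         updated_ports = []
+        listener_peer_ports = []
         for listener in load_balancer.listeners:
             if (listener.provisioning_status in [constants.PENDING_DELETE,
                                                  constants.DELETED]):
@@ -170,11 +171,17 @@
             port = (listener.protocol_port, protocol, None)
             updated_ports.append(port)
 
-            # As the peer port will hold the tcp connection for keepalived and
-            # haproxy session synchronization, so here the security group rule
-            # should be just related with tcp protocol only.
-            updated_ports.append(
-                (listener.peer_port, constants.PROTOCOL_TCP.lower(), None))
+            listener_peer_ports.append(listener.peer_port)
+
+        # As the peer port will hold the tcp connection for keepalived and
+        # haproxy session synchronization, so here the security group rule
+        # should be just related with tcp protocol only. To avoid adding
+        # duplicate rules, peer_port info should be added if updated_ports
+        # does not have the peer_port entry with allowed_cidr 0.0.0.0/0
+        tcp_lower = constants.PROTOCOL_TCP.lower()
+        for peer_port in listener_peer_ports:
+            if (peer_port, tcp_lower, "0.0.0.0/0") not in updated_ports:
+                updated_ports.append((peer_port, tcp_lower, None))
 
         # Just going to use port_range_max for now because we can assume that
         # port_range_max and min will be the same since this driver is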
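Review bot: The de-duplication at `if (peer_port, tcp_lower, "0.0.0.0/0") not in updated_ports:` only recognises the IPv4 any-address literal; a listener on an IPv6 VIP whose allowed_cidr is `::/0` on a port that collides with a peer port would presumably still produce the None-vs-explicit-prefix pair, and if neutron treats those as the same rule the way the release note describes for 0.0.0.0/0, the creation failure this commit fixes would recur there. Consider matching both literals, e.g. `if not any((peer_port, tcp_lower, c) in updated_ports for c in ('0.0.0.0/0', '::/0')):`, or hoisting the any-address literal(s) into a named module constant so the intent is visible at the check. A one-line comment stating why None and the any-address prefix are treated as equivalent (neutron rejects the second as a duplicate) would also help the next reader. The enclosing method starts before and ends after this section.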
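--- a/<path-of-changed-file-2-not-shown-on-page>
+++ b/<path-of-changed-file-2-not-shown-on-page>
@@ -1046,6 +1046,36 @@
                                       mock.call(expected_create_rule_udp)],
                                      any_order=True)
 
+    def test_update_vip_when_protocol_and_peer_ports_overlap(self):
+        lc_1 = data_models.ListenerCidr('l1', '0.0.0.0/0')
+        listeners = [data_models.Listener(protocol_port=80, peer_port=1024,
+                                          protocol=constants.PROTOCOL_TCP),
+                     data_models.Listener(protocol_port=443, peer_port=1025,
+                                          protocol=constants.PROTOCOL_TCP),
+                     data_models.Listener(protocol_port=1025, peer_port=1026,
+                                          protocol=constants.PROTOCOL_TCP,
+                                          allowed_cidrs=[lc_1])]
+        vip = data_models.Vip(ip_address='10.0.0.2')
+        lb = data_models.LoadBalancer(id='1', listeners=listeners, vip=vip)
+        list_sec_grps = self.driver.neutron_client.list_security_groups
+        list_sec_grps.return_value = {'security_groups': [{'id': 'secgrp-1'}]}
+        fake_rules = {
+            'security_group_rules': [
+                {'id': 'rule-80', 'port_range_max': 80, 'protocol': 'tcp'},
+                {'id': 'rule-22', 'port_range_max': 22, 'protocol': 'tcp'}
+            ]
+        }
+        list_rules = self.driver.neutron_client.list_security_group_rules
+        list_rules.return_value = fake_rules
+        delete_rule = self.driver.neutron_client.delete_security_group_rule
+        create_rule = self.driver.neutron_client.create_security_group_rule
+        self.driver.update_vip(lb)
+        delete_rule.assert_called_once_with('rule-22')
+
+        # Create SG rule calls should be 4, each for port 1024/1025/1026/443
+        # No duplicate SG creation for overlap port 1025
+        self.assertEqual(4, create_rule.call_count)
+
     def test_update_vip_when_listener_deleted(self):
         listeners = [data_models.Listener(protocol_port=80,
                                           protocol=constants.PROTOCOL_TCP),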
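Review bot: `self.assertEqual(4, create_rule.call_count)` pins only the number of create calls, so a regression that still creates four rules but for the wrong ports (two for 1025 and none for 443, say) would pass this test. Assert on the contents of `create_rule.call_args_list` instead: collect the `port_range_max` of each request body and compare the sorted result to `[443, 1024, 1025, 1026]`, and check that the 1025 rule carries the listener's `remote_ip_prefix` of `'0.0.0.0/0'` rather than None, since that distinction is the bug being fixed. The exact key path depends on the request-body shape that `expected_create_rule_udp` above uses, which is outside this section, so I have not quoted it. With the ports asserted explicitly, the comment `# Create SG rule calls should be 4, each for port 1024/1025/1026/443` becomes redundant. The enclosing test class continues outside this section.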
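--- /dev/null
+++ b/<release-note-path-not-shown-on-page>
@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    Fixes loadbalancer creation failure when one of the listener port matches
+    with the octavia generated peer ports and the allowed_cidr is explicitly
+    set to 0.0.0.0/0 on the listener. This is due to creation of two security
+    group rules with remote_ip_prefix as None and remote_ip_prefix as 0.0.0.0/0
+    which neutron rejects the second request with security group rule already
+    exists.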