From 4f8f68dea9b168a933b1e05d89ed30e1bb4d8fbd Mon Sep 17 00:00:00 2001 From: Ross Brattain Date: Wed, 5 Jul 2017 01:36:47 -0700 Subject: heat: port_security_enabled, allowed_address_pairs, disable gateway_ip xe0: cidr: '10.0.2.0/24' vld_id: public allowed_address_pairs: - ip_address: '0.0.0.0/0' xe1: cidr: '10.0.3.0/24' vld_id: private allowed_address_pairs: - ip_address: '0.0.0.0/0' We need to disable gateways on data plane interfaces With TGs and VFNs we probably don't need gateway on data interfaces Change-Id: I276a7d591a0a3ff03877c4f525303fc2874de683 Signed-off-by: Ross Brattain --- yardstick/benchmark/contexts/heat.py | 7 +++++-- yardstick/benchmark/contexts/model.py | 29 +++++++++++++++++++++++----- yardstick/orchestrator/heat.py | 36 +++++++++++++++++++++++------------ 3 files changed, 53 insertions(+), 19 deletions(-) (limited to 'yardstick') diff --git a/yardstick/benchmark/contexts/heat.py b/yardstick/benchmark/contexts/heat.py index 0a94dd976..d5349eab5 100644 --- a/yardstick/benchmark/contexts/heat.py +++ b/yardstick/benchmark/contexts/heat.py @@ -152,9 +152,12 @@ class HeatContext(Context): template.add_network(network.stack_name, network.physical_network, network.provider, - network.segmentation_id) + network.segmentation_id, + network.port_security_enabled) template.add_subnet(network.subnet_stack_name, network.stack_name, - network.subnet_cidr) + network.subnet_cidr, + network.enable_dhcp, + network.gateway_ip) if network.router: template.add_router(network.router.stack_name, diff --git a/yardstick/benchmark/contexts/model.py b/yardstick/benchmark/contexts/model.py index 06538d8a9..6601ecf3b 100644 --- a/yardstick/benchmark/contexts/model.py +++ b/yardstick/benchmark/contexts/model.py @@ -104,11 +104,24 @@ class Network(Object): self.stack_name = context.name + "-" + self.name self.subnet_stack_name = self.stack_name + "-subnet" self.subnet_cidr = attrs.get('cidr', '10.0.1.0/24') + self.enable_dhcp = attrs.get('enable_dhcp', 'true') self.router = None self.physical_network = attrs.get('physical_network', 'physnet1') self.provider = attrs.get('provider') self.segmentation_id = attrs.get('segmentation_id') self.network_type = attrs.get('network_type') + self.port_security_enabled = attrs.get('port_security_enabled', True) + self.allowed_address_pairs = attrs.get('allowed_address_pairs', []) + try: + # we require 'null' or '' to disable setting gateway_ip + self.gateway_ip = attrs['gateway_ip'] + except KeyError: + # default to explicit None + self.gateway_ip = None + else: + # null is None in YAML, so we have to convert back to string + if self.gateway_ip is None: + self.gateway_ip = "null" if "external_network" in attrs: self.router = Router("router", self.name, @@ -234,10 +247,16 @@ class Server(Object): # pragma: no cover for network in networks: port_name = server_name + "-" + network.name + "-port" self.ports[network.name] = {"stack_name": port_name} - template.add_port(port_name, network.stack_name, - network.subnet_stack_name, - sec_group_id=self.secgroup_name, - provider=network.provider) + # we can't use secgroups if port_security_enabled is False + if network.port_security_enabled: + sec_group_id = self.secgroup_name + else: + sec_group_id = None + # don't refactor to pass in network object, that causes JSON + # circular ref encode errors + template.add_port(port_name, network.stack_name, network.subnet_stack_name, + sec_group_id=sec_group_id, provider=network.provider, + allowed_address_pairs=network.allowed_address_pairs) port_name_list.append(port_name) if self.floating_ip: @@ -248,7 +267,7 @@ class Server(Object): # pragma: no cover external_network, port_name, network.router.stack_if_name, - self.secgroup_name) + sec_group_id) self.floating_ip_assoc["stack_name"] = \ server_name + "-fip-assoc" template.add_floating_ip_association( diff --git a/yardstick/orchestrator/heat.py b/yardstick/orchestrator/heat.py index 2a907d124..57b23d393 100644 --- a/yardstick/orchestrator/heat.py +++ b/yardstick/orchestrator/heat.py @@ -231,13 +231,16 @@ name (i.e. %s).\ } def add_network(self, name, physical_network='physnet1', provider=None, - segmentation_id=None): + segmentation_id=None, port_security_enabled=True): """add to the template a Neutron Net""" log.debug("adding Neutron::Net '%s'", name) if provider is None: self.resources[name] = { 'type': 'OS::Neutron::Net', - 'properties': {'name': name} + 'properties': { + 'name': name, + 'port_security_enabled': port_security_enabled, + } } else: self.resources[name] = { @@ -245,12 +248,12 @@ name (i.e. %s).\ 'properties': { 'name': name, 'network_type': 'vlan', - 'physical_network': physical_network - } + 'physical_network': physical_network, + 'port_security_enabled': port_security_enabled, + }, } if segmentation_id: - seg_id_dit = {'segmentation_id': segmentation_id} - self.resources[name]["properties"].update(seg_id_dit) + self.resources[name]['properties']['segmentation_id'] = segmentation_id def add_server_group(self, name, policies): # pragma: no cover """add to the template a ServerGroup""" @@ -262,8 +265,9 @@ name (i.e. %s).\ 'policies': policies} } - def add_subnet(self, name, network, cidr): - """add to the template a Neutron Subnet""" + def add_subnet(self, name, network, cidr, enable_dhcp='true', gateway_ip=None): + """add to the template a Neutron Subnet + """ log.debug("adding Neutron::Subnet '%s' in network '%s', cidr '%s'", name, network, cidr) self.resources[name] = { @@ -272,9 +276,12 @@ name (i.e. %s).\ 'properties': { 'name': name, 'cidr': cidr, - 'network_id': {'get_resource': network} + 'network_id': {'get_resource': network}, + 'enable_dhcp': enable_dhcp, } } + if gateway_ip is not None: + self.resources[name]['properties']['gateway_ip'] = gateway_ip self._template['outputs'][name] = { 'description': 'subnet %s ID' % name, @@ -316,9 +323,10 @@ name (i.e. %s).\ } } - def add_port(self, name, network_name, subnet_name, sec_group_id=None, - provider=None): - """add to the template a named Neutron Port""" + def add_port(self, name, network_name, subnet_name, sec_group_id=None, provider=None, + allowed_address_pairs=None): + """add to the template a named Neutron Port + """ log.debug("adding Neutron::Port '%s', network:'%s', subnet:'%s', " "secgroup:%s", name, network_name, subnet_name, sec_group_id) self.resources[name] = { @@ -341,6 +349,10 @@ name (i.e. %s).\ self.resources[name]['properties']['security_groups'] = \ [sec_group_id] + if allowed_address_pairs: + self.resources[name]['properties'][ + 'allowed_address_pairs'] = allowed_address_pairs + self._template['outputs'][name] = { 'description': 'Address for interface %s' % name, 'value': {'get_attr': [name, 'fixed_ips', 0, 'ip_address']} -- cgit 1.2.3-korg