Make sure to clean the blacklist cache when disabling the firewall

Otherwise on reintrospection the firewall code may not update iptables rules, assuming they are already correct. Change-Id: Icc05174854bd9ab51bfed9d1360873bf5db9ed54 Closes-Bug: #1570447
2016-04-14 18:02:27 +02:00 · 2016-04-14 18:02:27 +02:00 · 41580add20
commit 41580add20
parent 33b31efa78
3 changed files with 12 additions and 1 deletions
--- a/ironic_inspector/firewall.py
+++ b/ironic_inspector/firewall.py
@ -135,7 +135,7 @@ def _temporary_chain(chain, main_chain):

 def _disable_dhcp():
    """Disable DHCP completely."""
-    global ENABLED
+    global ENABLED, BLACKLIST_CACHE

    if not ENABLED:
        LOG.debug('DHCP is already disabled, not updating')
@ -143,6 +143,7 @@ def _disable_dhcp():

    LOG.debug('No nodes on introspection and node_not_found_hook is '
              'not set - disabling DHCP')
+    BLACKLIST_CACHE = None
    with _temporary_chain(NEW_CHAIN, CHAIN):
        # Blacklist everything
        _iptables('-A', NEW_CHAIN, '-j', 'REJECT')
--- a/ironic_inspector/test/unit/test_firewall.py
+++ b/ironic_inspector/test/unit/test_firewall.py
@ -288,6 +288,9 @@ class TestFirewall(test_base.NodeTest):
                                                  mock_get_client,
                                                  mock_iptables):
        firewall.init()
+        firewall.BLACKLIST_CACHE = ['foo']
+        mock_get_client.return_value.port.list.return_value = [
+            mock.Mock(address='foobar')]

        update_filters_expected_args = [
            ('-D', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport',
@ -317,6 +320,8 @@ class TestFirewall(test_base.NodeTest):
                                call_args_list):
            self.assertEqual(args, call[0])

+        self.assertIsNone(firewall.BLACKLIST_CACHE)
+
        # Check caching enabled flag

        mock_iptables.reset_mock()
@ -330,3 +335,4 @@ class TestFirewall(test_base.NodeTest):
        firewall.update_filters()

        mock_iptables.assert_any_call('-A', firewall.NEW_CHAIN, '-j', 'ACCEPT')
+        self.assertEqual({'foobar'}, firewall.BLACKLIST_CACHE)
--- a/releasenotes/notes/firewall-rerun-f2d0f64cca2698ff.yaml
+++ b/releasenotes/notes/firewall-rerun-f2d0f64cca2698ff.yaml
@ -0,0 +1,4 @@
+---
+fixes:
+  - Fixed a regression in the firewall code, which causes re-running
+    introspection for an already inspected node to fail.