openstack/ironic-inspector
Code Issues Proposed changes

Make sure to clean the blacklist cache when disabling the firewall

Browse Source 
Otherwise on reintrospection the firewall code may not update
iptables rules, assuming they are already correct.

Change-Id: Icc05174854bd9ab51bfed9d1360873bf5db9ed54
Closes-Bug: #1570447
This commit is contained in:
Dmitry Tantsur 2016-04-14 18:02:27 +02:00
parent 33b31efa78
commit 41580add20
3 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ironic_inspector/firewall.py
View File

@ -135,7 +135,7 @@ def _temporary_chain(chain, main_chain):
def _disable_dhcp(): def _disable_dhcp():
"""Disable DHCP completely.""" """Disable DHCP completely."""
global ENABLED global ENABLED, BLACKLIST_CACHE
if not ENABLED: if not ENABLED:
LOG.debug('DHCP is already disabled, not updating') LOG.debug('DHCP is already disabled, not updating')
@ -143,6 +143,7 @@ def _disable_dhcp():
LOG.debug('No nodes on introspection and node_not_found_hook is ' LOG.debug('No nodes on introspection and node_not_found_hook is '
'not set - disabling DHCP') 'not set - disabling DHCP')
BLACKLIST_CACHE = None
with _temporary_chain(NEW_CHAIN, CHAIN): with _temporary_chain(NEW_CHAIN, CHAIN):
# Blacklist everything # Blacklist everything
_iptables('-A', NEW_CHAIN, '-j', 'REJECT') _iptables('-A', NEW_CHAIN, '-j', 'REJECT')

6
ironic_inspector/test/unit/test_firewall.py
View File

@ -288,6 +288,9 @@ class TestFirewall(test_base.NodeTest):
mock_get_client, mock_get_client,
mock_iptables): mock_iptables):
firewall.init() firewall.init()
firewall.BLACKLIST_CACHE = ['foo']
mock_get_client.return_value.port.list.return_value = [
mock.Mock(address='foobar')]
update_filters_expected_args = [ update_filters_expected_args = [
('-D', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport', ('-D', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport',
@ -317,6 +320,8 @@ class TestFirewall(test_base.NodeTest):
call_args_list): call_args_list):
self.assertEqual(args, call[0]) self.assertEqual(args, call[0])
self.assertIsNone(firewall.BLACKLIST_CACHE)
# Check caching enabled flag # Check caching enabled flag
mock_iptables.reset_mock() mock_iptables.reset_mock()
@ -330,3 +335,4 @@ class TestFirewall(test_base.NodeTest):
firewall.update_filters() firewall.update_filters()
mock_iptables.assert_any_call('-A', firewall.NEW_CHAIN, '-j', 'ACCEPT') mock_iptables.assert_any_call('-A', firewall.NEW_CHAIN, '-j', 'ACCEPT')
self.assertEqual({'foobar'}, firewall.BLACKLIST_CACHE)

4
releasenotes/notes/firewall-rerun-f2d0f64cca2698ff.yaml Normal file
View File

@ -0,0 +1,4 @@
---
fixes:
- Fixed a regression in the firewall code, which causes re-running
introspection for an already inspected node to fail.