Introduce "icmp" option for security group rule
This change introduces a new datastore option, "icmp", to configure whether ICMP is permitted. It lets users check DB instance health in a way that does not require access to the DB ports. DocImpact Closes-Bug: #1485884 Change-Id: I61edeb38ded5543b7976a01363108a7b5b4fc5b5
This commit is contained in:
parent
e19876465b
commit
1584f198a5
@ -216,6 +216,8 @@ rabbit_password=f7999d1955c5014aa32c
|
||||
#rabbit_virtual_host=/
|
||||
|
||||
[mysql]
|
||||
# Whether to permit ICMP. default is False.
|
||||
icmp = True
|
||||
# Format (single port or port range): A, B-C
|
||||
# where C greater than B
|
||||
tcp_ports = 3306
|
||||
|
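Review bot: The sample ships `icmp = True` while its own comment and the cfg.py default say False, so an operator who copies the sample into a deployment gets the extra ICMP rule enabled without having chosen it. The surrounding sample entries show defaults commented out (`#rabbit_virtual_host=/` just above), so the entry should read `#icmp = False`, and the comment should say what the flag opens, e.g. `# Whether to add an ICMP rule, open to trove_security_group_rule_cidr, to the instance security group. Default is False.` The `[mysql]` section continues past the hunk.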
5
releasenotes/notes/add-icmp-flag-58937cce344e77d9.yaml
Normal file
5
releasenotes/notes/add-icmp-flag-58937cce344e77d9.yaml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
features:
|
||||
- Add icmp option for DB security group.
|
||||
if icmp=True, users will be allowed to
|
||||
ping to DB instances.
|
@ -480,6 +480,8 @@ mysql_group = cfg.OptGroup(
|
||||
'mysql', title='MySQL options',
|
||||
help="Oslo option group designed for MySQL datastore")
|
||||
mysql_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports', default=["3306"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
'in the security group (only applicable '
|
||||
@ -558,6 +560,8 @@ percona_group = cfg.OptGroup(
|
||||
'percona', title='Percona options',
|
||||
help="Oslo option group designed for Percona datastore")
|
||||
percona_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports', default=["3306"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
'in the security group (only applicable '
|
||||
@ -729,6 +733,8 @@ redis_group = cfg.OptGroup(
|
||||
'redis', title='Redis options',
|
||||
help="Oslo option group designed for Redis datastore")
|
||||
redis_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports', default=["6379", "16379"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
'in the security group (only applicable '
|
||||
@ -804,6 +810,8 @@ cassandra_group = cfg.OptGroup(
|
||||
'cassandra', title='Cassandra options',
|
||||
help="Oslo option group designed for Cassandra datastore")
|
||||
cassandra_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports', default=["7000", "7001", "7199", "9042", "9160"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
'in the security group (only applicable '
|
||||
@ -881,6 +889,8 @@ couchbase_group = cfg.OptGroup(
|
||||
'couchbase', title='Couchbase options',
|
||||
help="Oslo option group designed for Couchbase datastore")
|
||||
couchbase_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports',
|
||||
default=["8091", "8092", "4369", "11209-11211",
|
||||
"21100-21199"],
|
||||
@ -943,6 +953,8 @@ mongodb_group = cfg.OptGroup(
|
||||
'mongodb', title='MongoDB options',
|
||||
help="Oslo option group designed for MongoDB datastore")
|
||||
mongodb_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports', default=["2500", "27017", "27019"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
'in the security group (only applicable '
|
||||
@ -1034,6 +1046,8 @@ postgresql_group = cfg.OptGroup(
|
||||
'postgresql', title='PostgreSQL options',
|
||||
help="Oslo option group for the PostgreSQL datastore.")
|
||||
postgresql_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports', default=["5432"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
'in the security group (only applicable '
|
||||
@ -1098,6 +1112,8 @@ couchdb_group = cfg.OptGroup(
|
||||
'couchdb', title='CouchDB options',
|
||||
help="Oslo option group designed for CouchDB datastore")
|
||||
couchdb_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports',
|
||||
default=["5984"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
@ -1158,6 +1174,8 @@ vertica_group = cfg.OptGroup(
|
||||
'vertica', title='Vertica options',
|
||||
help="Oslo option group designed for Vertica datastore")
|
||||
vertica_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports',
|
||||
default=["5433", "5434", "22", "5444", "5450", "4803"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
@ -1226,6 +1244,8 @@ db2_group = cfg.OptGroup(
|
||||
'db2', title='DB2 options',
|
||||
help="Oslo option group designed for DB2 datastore")
|
||||
db2_opts = [
|
||||
cfg.BoolOpt('icmp', default=False,
|
||||
help='Whether to permit ICMP.'),
|
||||
cfg.ListOpt('tcp_ports',
|
||||
default=["50000"],
|
||||
help='List of TCP ports and/or port ranges to open '
|
||||
|
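Review bot: The help string `'Whether to permit ICMP.'` added to every datastore group does not say what permitting ICMP does — it adds an ICMP rule to the instance's security group, open to trove_security_group_rule_cidr — nor does it carry the applicability qualifier the neighbouring `tcp_ports` help appears to have (`'(only applicable '` is cut off at the hunk edge). Suggest `help='Whether to add an ICMP rule, open to trove_security_group_rule_cidr, to the instance security group (only applicable if security groups are enabled).'` The identical `BoolOpt` is repeated in all ten groups; defining it once and reusing it would keep the help text and the default from drifting. Each `*_opts` list continues past its hunk.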
@ -1032,8 +1032,11 @@ class FreshInstanceTasks(FreshInstance, NotifyMixin, ConfigurationMixin):
|
||||
self.id, self.context)
|
||||
tcp_ports = CONF.get(datastore_manager).tcp_ports
|
||||
udp_ports = CONF.get(datastore_manager).udp_ports
|
||||
icmp = CONF.get(datastore_manager).icmp
|
||||
self._create_rules(security_group, tcp_ports, 'tcp')
|
||||
self._create_rules(security_group, udp_ports, 'udp')
|
||||
if icmp:
|
||||
self._create_rules(security_group, None, 'icmp')
|
||||
return [security_group["name"]]
|
||||
|
||||
def _create_rules(self, s_group, ports, protocol):
|
||||
@ -1049,16 +1052,22 @@ class FreshInstanceTasks(FreshInstance, NotifyMixin, ConfigurationMixin):
|
||||
'to': to_port}
|
||||
raise MalformedSecurityGroupRuleError(message=msg)
|
||||
|
||||
for port_or_range in set(ports):
|
||||
try:
|
||||
from_, to_ = (None, None)
|
||||
from_, to_ = utils.gen_ports(port_or_range)
|
||||
cidr = CONF.trove_security_group_rule_cidr
|
||||
SecurityGroupRule.create_sec_group_rule(
|
||||
s_group, protocol, int(from_), int(to_),
|
||||
cidr, self.context)
|
||||
except (ValueError, TroveError):
|
||||
set_error_and_raise([from_, to_])
|
||||
cidr = CONF.trove_security_group_rule_cidr
|
||||
|
||||
if protocol == 'icmp':
|
||||
SecurityGroupRule.create_sec_group_rule(
|
||||
s_group, 'icmp', None, None,
|
||||
cidr, self.context)
|
||||
else:
|
||||
for port_or_range in set(ports):
|
||||
try:
|
||||
from_, to_ = (None, None)
|
||||
from_, to_ = utils.gen_ports(port_or_range)
|
||||
SecurityGroupRule.create_sec_group_rule(
|
||||
s_group, protocol, int(from_), int(to_),
|
||||
cidr, self.context)
|
||||
except (ValueError, TroveError):
|
||||
set_error_and_raise([from_, to_])
|
||||
|
||||
def _build_heat_nics(self, nics):
|
||||
ifaces = []
|
||||
|
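Review bot: The ICMP branch of `_create_rules` passes `None` for both port arguments; in the nova-network and Neutron security-group APIs those fields carry the ICMP type and code, so this presumably admits every ICMP type and code from `trove_security_group_rule_cidr`, which is wider than the ping the release note promises and than a health check needs — confirm the backend in use reads `None` as a wildcard rather than rejecting the rule. Unlike the TCP/UDP loop below it, the call also sits outside the `try`/`except (ValueError, TroveError)` guard, so a backend failure here propagates raw instead of going through `set_error_and_raise`. Restricting the rule to echo request and reusing the guard keeps the branch consistent with the rest of the method; `set_error_and_raise` is defined above the hunk, so its message wording for a non-port protocol would need checking. `_create_secgroup` starts outside the first hunk.
```python
        if protocol == 'icmp':
            # Echo request only (type 8, code 0): enough for ping-based
            # health checks without admitting every ICMP type.
            try:
                SecurityGroupRule.create_sec_group_rule(
                    s_group, 'icmp', 8, 0, cidr, self.context)
            except TroveError:
                set_error_and_raise([8, 0])
        else:
            # … unchanged: TCP/UDP port loop …
```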
@ -60,9 +60,10 @@ VOLUME_ID = 'volume-id-1'
|
||||
|
||||
class FakeOptGroup(object):
|
||||
def __init__(self, tcp_ports=['3306', '3301-3307'],
|
||||
udp_ports=[]):
|
||||
udp_ports=[], icmp=False):
|
||||
self.tcp_ports = tcp_ports
|
||||
self.udp_ports = udp_ports
|
||||
self.icmp = icmp
|
||||
|
||||
|
||||
class fake_Server:
|
||||
@ -368,6 +369,15 @@ class FreshInstanceTasksTest(trove_testtools.TestCase):
|
||||
self.freshinstancetasks._create_secgroup,
|
||||
datastore_manager)
|
||||
|
||||
def test_create_sg_rules_icmp(self):
|
||||
datastore_manager = 'mysql'
|
||||
self.task_models_conf_mock.get = Mock(
|
||||
return_value=FakeOptGroup(icmp=True))
|
||||
self.freshinstancetasks.update_db = Mock()
|
||||
self.freshinstancetasks._create_secgroup(datastore_manager)
|
||||
self.assertEqual(3, taskmanager_models.SecurityGroupRule.
|
||||
create_sec_group_rule.call_count)
|
||||
|
||||
@patch.object(BaseInstance, 'update_db')
|
||||
@patch('trove.taskmanager.models.CONF')
|
||||
@patch('trove.taskmanager.models.LOG')
|
||||
|
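Review bot: `test_create_sg_rules_icmp` only checks that three rules were created; it never asserts that the extra call is the ICMP rule (protocol `'icmp'`, both port arguments `None`, the configured CIDR), nor that the default `FakeOptGroup()` with `icmp=False` yields only the two TCP rules, so a regression that opens ICMP regardless of the flag — the default-deny this option rests on — would still pass. Assuming `create_sec_group_rule` is the Mock the existing assertion reads, add `taskmanager_models.SecurityGroupRule.create_sec_group_rule.assert_any_call(ANY, 'icmp', None, None, ANY, ANY)` here and a sibling test using `FakeOptGroup()` that asserts `call_count == 2`. `ANY` comes from `mock`; whether it is already imported is outside the hunk.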