From 1584f198a5d92de172e878282274de5661a076f1 Mon Sep 17 00:00:00 2001
From: Masaki Matsushita
Date: Fri, 14 Aug 2015 16:45:21 +0900
Subject: [PATCH] Introduce "icmp" option for security group rule

This change introduces new datastore option "icmp" to configure whether to permit ICMP. It helps users to check DB instance health in different way from access DB ports.

DocImpact
Closes-Bug: #1485884
Change-Id: I61edeb38ded5543b7976a01363108a7b5b4fc5b5
---
 etc/trove/trove-taskmanager.conf.sample | 2 ++
 .../notes/add-icmp-flag-58937cce344e77d9.yaml | 5 ++++
 trove/common/cfg.py | 20 +++++++++++++
 trove/taskmanager/models.py | 29 ++++++++++++-------
 .../unittests/taskmanager/test_models.py | 12 +++++++-
 5 files changed, 57 insertions(+), 11 deletions(-)
 create mode 100644 releasenotes/notes/add-icmp-flag-58937cce344e77d9.yaml

diff --git a/etc/trove/trove-taskmanager.conf.sample b/etc/trove/trove-taskmanager.conf.sample
index 873ad40623..135fd8e634 100644
--- a/etc/trove/trove-taskmanager.conf.sample
+++ b/etc/trove/trove-taskmanager.conf.sample
@@ -216,6 +216,8 @@ rabbit_password=f7999d1955c5014aa32c
 #rabbit_virtual_host=/
 
 [mysql]
+# Whether to permit ICMP. default is False.
+icmp = True
 # Format (single port or port range): A, B-C
 # where C greater than B
 tcp_ports = 3306
diff --git a/releasenotes/notes/add-icmp-flag-58937cce344e77d9.yaml b/releasenotes/notes/add-icmp-flag-58937cce344e77d9.yaml
new file mode 100644
index 0000000000..c81baa00c1
--- /dev/null
+++ b/releasenotes/notes/add-icmp-flag-58937cce344e77d9.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Add icmp option for DB security group.
+ if icmp=True, users will be allowed to
+ ping to DB instances.
diff --git a/trove/common/cfg.py b/trove/common/cfg.py
index b2c0d3d671..201aa83c1d 100644
--- a/trove/common/cfg.py
+++ b/trove/common/cfg.py
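Review bot: The sample sets `icmp = True` directly under a comment that says the default is False, so the two lines contradict each other and anyone who copies the sample silently opens ICMP to the rule CIDR for every mysql instance, which is the opposite of the conservative default the code in cfg.py chooses. The other entries visible in this hunk keep defaults commented out (`#rabbit_virtual_host=/`); the new option should follow suit, `#icmp = False`, with the comment reading `# Whether to permit ICMP (e.g. ping) to instances. Default: False.` so the sample documents rather than changes the default.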
@@ -480,6 +480,8 @@ mysql_group = cfg.OptGroup(
 'mysql', title='MySQL options',
 help="Oslo option group designed for MySQL datastore")
 mysql_opts = [
+ cfg.BoolOpt('icmp', default=False,
+ help='Whether to permit ICMP.'),
 cfg.ListOpt('tcp_ports', default=["3306"],
 help='List of TCP ports and/or port ranges to open '
 'in the security group (only applicable '
@@ -558,6 +560,8 @@ percona_group = cfg.OptGroup(
 'percona', title='Percona options',
 help="Oslo option group designed for Percona datastore")
 percona_opts = [
+ cfg.BoolOpt('icmp', default=False,
+ help='Whether to permit ICMP.'),
 cfg.ListOpt('tcp_ports', default=["3306"],
 help='List of TCP ports and/or port ranges to open '
 'in the security group (only applicable '
@@ -729,6 +733,8 @@ redis_group = cfg.OptGroup(
 'redis', title='Redis options',
 help="Oslo option group designed for Redis datastore")
 redis_opts = [
+ cfg.BoolOpt('icmp', default=False,
+ help='Whether to permit ICMP.'),
 cfg.ListOpt('tcp_ports', default=["6379", "16379"],
 help='List of TCP ports and/or port ranges to open '
 'in the security group (only applicable '
@@ -804,6 +810,8 @@ cassandra_group = cfg.OptGroup(
 'cassandra', title='Cassandra options',
 help="Oslo option group designed for Cassandra datastore")
 cassandra_opts = [
+ cfg.BoolOpt('icmp', default=False,
+ help='Whether to permit ICMP.'),
 cfg.ListOpt('tcp_ports', default=["7000", "7001", "7199", "9042", "9160"],
 help='List of TCP ports and/or port ranges to open '
 'in the security group (only applicable '
@@ -881,6 +889,8 @@ couchbase_group = cfg.OptGroup(
 'couchbase', title='Couchbase options',
 help="Oslo option group designed for Couchbase datastore")
 couchbase_opts = [
+ cfg.BoolOpt('icmp', default=False,
+ help='Whether to permit ICMP.'),
 cfg.ListOpt('tcp_ports', default=["8091", "8092", "4369", "11209-11211", "21100-21199"],
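Review bot: The help string `'Whether to permit ICMP.'` added here and in the nine other option groups of this file (the remaining hunks of cfg.py) is the only operator-facing documentation for a setting that adds a security-group rule, and it leaves out what the neighbouring `tcp_ports` help states: that the rule lands in the instance security group and that the option carries an applicability qualifier ("only applicable ..."). Suggest mirroring that wording once and pasting it into every group, e.g. `help='Whether to permit ICMP from trove_security_group_rule_cidr in the instance security group (same applicability as tcp_ports).'`, so the sample file and release note can be derived from it. The `default=False` is the right conservative choice; the help could say "Off by default" so readers of the rendered option table do not have to infer it.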
@@ -943,6 +953,8 @@ mongodb_group = cfg.OptGroup(
 'mongodb', title='MongoDB options',
 help="Oslo option group designed for MongoDB datastore")
 mongodb_opts = [
+ cfg.BoolOpt('icmp', default=False,
+ help='Whether to permit ICMP.'),
 cfg.ListOpt('tcp_ports', default=["2500", "27017", "27019"],
 help='List of TCP ports and/or port ranges to open '
 'in the security group (only applicable '
@@ -1034,6 +1046,8 @@ postgresql_group = cfg.OptGroup(
 'postgresql', title='PostgreSQL options',
 help="Oslo option group for the PostgreSQL datastore.")
 postgresql_opts = [
+ cfg.BoolOpt('icmp', default=False,
+ help='Whether to permit ICMP.'),
 cfg.ListOpt('tcp_ports', default=["5432"],
 help='List of TCP ports and/or port ranges to open '
 'in the security group (only applicable '
@@ -1098,6 +1112,8 @@ couchdb_group = cfg.OptGroup(
 'couchdb', title='CouchDB options',
 help="Oslo option group designed for CouchDB datastore")
 couchdb_opts = [
+ cfg.BoolOpt('icmp', default=False,
+ help='Whether to permit ICMP.'),
 cfg.ListOpt('tcp_ports', default=["5984"],
 help='List of TCP ports and/or port ranges to open '
@@ -1158,6 +1174,8 @@ vertica_group = cfg.OptGroup(
 'vertica', title='Vertica options',
 help="Oslo option group designed for Vertica datastore")
 vertica_opts = [
+ cfg.BoolOpt('icmp', default=False,
+ help='Whether to permit ICMP.'),
 cfg.ListOpt('tcp_ports', default=["5433", "5434", "22", "5444", "5450", "4803"],
 help='List of TCP ports and/or port ranges to open '
@@ -1226,6 +1244,8 @@ db2_group = cfg.OptGroup(
 'db2', title='DB2 options',
 help="Oslo option group designed for DB2 datastore")
 db2_opts = [
+ cfg.BoolOpt('icmp', default=False,
+ help='Whether to permit ICMP.'),
 cfg.ListOpt('tcp_ports', default=["50000"],
 help='List of TCP ports and/or port ranges to open '
diff --git a/trove/taskmanager/models.py b/trove/taskmanager/models.py
index c936050083..ce6af07149 100644
--- a/trove/taskmanager/models.py
+++ b/trove/taskmanager/models.py
@@ -1032,8 +1032,11 @@ class FreshInstanceTasks(FreshInstance, NotifyMixin, ConfigurationMixin):
 self.id, self.context)
 tcp_ports = CONF.get(datastore_manager).tcp_ports
 udp_ports = CONF.get(datastore_manager).udp_ports
+ icmp = CONF.get(datastore_manager).icmp
 self._create_rules(security_group, tcp_ports, 'tcp')
 self._create_rules(security_group, udp_ports, 'udp')
+ if icmp:
+ self._create_rules(security_group, None, 'icmp')
 return [security_group["name"]]
 
 def _create_rules(self, s_group, ports, protocol):
@@ -1049,16 +1052,22 @@ class FreshInstanceTasks(FreshInstance, NotifyMixin, ConfigurationMixin):
 'to': to_port}
 raise MalformedSecurityGroupRuleError(message=msg)
 
- for port_or_range in set(ports):
- try:
- from_, to_ = (None, None)
- from_, to_ = utils.gen_ports(port_or_range)
- cidr = CONF.trove_security_group_rule_cidr
- SecurityGroupRule.create_sec_group_rule(
- s_group, protocol, int(from_), int(to_),
- cidr, self.context)
- except (ValueError, TroveError):
- set_error_and_raise([from_, to_])
+ cidr = CONF.trove_security_group_rule_cidr
+
+ if protocol == 'icmp':
+ SecurityGroupRule.create_sec_group_rule(
+ s_group, 'icmp', None, None,
+ cidr, self.context)
+ else:
+ for port_or_range in set(ports):
+ try:
+ from_, to_ = (None, None)
+ from_, to_ = utils.gen_ports(port_or_range)
+ SecurityGroupRule.create_sec_group_rule(
+ s_group, protocol, int(from_), int(to_),
+ cidr, self.context)
+ except (ValueError, TroveError):
+ set_error_and_raise([from_, to_])
 
 def _build_heat_nics(self, nics):
 ifaces = []
diff --git a/trove/tests/unittests/taskmanager/test_models.py b/trove/tests/unittests/taskmanager/test_models.py
index 6f875d0ae5..359b358267 100644
--- a/trove/tests/unittests/taskmanager/test_models.py
+++ b/trove/tests/unittests/taskmanager/test_models.py
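Review bot: The `protocol == 'icmp'` branch in `_create_rules` creates its rule with `None, None` where the tcp/udp path passes a concrete port range, so as written it admits the whole ICMP protocol from `CONF.trove_security_group_rule_cidr`, although the commit message and release note describe the purpose as letting users ping instances. If `create_sec_group_rule` forwards from/to as ICMP type and code (the way the Nova and Neutron security-group APIs read those fields for ICMP), the rule could be narrowed to echo requests, `s_group, 'icmp', 8, 0, cidr, self.context`; confirm that mapping in the driver before narrowing, and in either case document the breadth with a comment such as `# ICMP has no port range; None/None admits every ICMP type from the rule CIDR`. This call is also the only `create_sec_group_rule` call outside the `except (ValueError, TroveError)` path, so a driver failure here surfaces as a raw TroveError while the tcp/udp path reports MalformedSecurityGroupRuleError; a comment should say whether that asymmetry is intended. `_create_rules` begins above this hunk, and the `ports=None` the first hunk now passes is only safe because the icmp branch never reads `ports`.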
@@ -60,9 +60,10 @@ VOLUME_ID = 'volume-id-1'
 
 class FakeOptGroup(object):
 def __init__(self, tcp_ports=['3306', '3301-3307'],
- udp_ports=[]):
+ udp_ports=[], icmp=False):
 self.tcp_ports = tcp_ports
 self.udp_ports = udp_ports
+ self.icmp = icmp
 
 
 class fake_Server:
@@ -368,6 +369,15 @@ class FreshInstanceTasksTest(trove_testtools.TestCase):
 self.freshinstancetasks._create_secgroup,
 datastore_manager)
 
+ def test_create_sg_rules_icmp(self):
+ datastore_manager = 'mysql'
+ self.task_models_conf_mock.get = Mock(
+ return_value=FakeOptGroup(icmp=True))
+ self.freshinstancetasks.update_db = Mock()
+ self.freshinstancetasks._create_secgroup(datastore_manager)
+ self.assertEqual(3, taskmanager_models.SecurityGroupRule.
+ create_sec_group_rule.call_count)
+
 @patch.object(BaseInstance, 'update_db')
 @patch('trove.taskmanager.models.CONF')
 @patch('trove.taskmanager.models.LOG')
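Review bot: `test_create_sg_rules_icmp` only checks `call_count == 3`, so it would still pass if the third rule were a second tcp or udp rule rather than the icmp one, and nothing pins the arguments the icmp path sends to the driver. Add an argument assertion after the count, e.g. `taskmanager_models.SecurityGroupRule.create_sec_group_rule.assert_any_call(ANY, 'icmp', None, None, ANY, ANY)` (with `ANY` from the same mock module `Mock` and `patch` come from), and, if no existing test covers it, a companion case built with `FakeOptGroup(icmp=False)` asserting the count stays at 2 so the default really leaves ICMP closed. The expected 3 relies on FakeOptGroup's default `tcp_ports` having two entries, which is set in the first hunk of this file; a one-line comment `# 2 tcp rules from FakeOptGroup defaults + 1 icmp rule` would make that dependence visible.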