From: bravof
Date: Tue, 20 Oct 2020 13:27:42 +0000 (-0300)
Subject: feat(port security): adds port security strategy
X-Git-Tag: release-v9.0-start~7
X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=7a1f525e6e76418766f5aed3874ec7f54333091f;p=osm%2FRO.git
feat(port security): adds port security strategy
Change-Id: I31b067a787f3f9b90b1e8f9cb7ba042e723c270b
Signed-off-by: bravof
---
diff --git a/RO-VIM-openstack/osm_rovim_openstack/vimconn_openstack.py b/RO-VIM-openstack/osm_rovim_openstack/vimconn_openstack.py
index 99cb64f1..acc5ba8a 100644
--- a/RO-VIM-openstack/osm_rovim_openstack/vimconn_openstack.py
+++ b/RO-VIM-openstack/osm_rovim_openstack/vimconn_openstack.py
@@ -1338,7 +1338,7 @@ class vimconnector(vimconn.VimConnector):
 # is dropped.
 # As a workaround we wait until the VM is active and then disable the port-security
 if net.get("port_security") is False and not self.config.get("no_port_security_extension"):
- no_secured_ports.append(new_port["port"]["id"])
+ no_secured_ports.append((new_port["port"]["id"], net.get("port_security_disable_strategy")))
 # if metadata_vpci:
 # metadata = {"pci_assignement": json.dumps(metadata_vpci)}
@@ -1412,13 +1412,33 @@ class vimconnector(vimconn.VimConnector):
 if no_secured_ports:
 self.__wait_for_vm(server.id, 'ACTIVE')
- for port_id in no_secured_ports:
+ for port in no_secured_ports:
+ port_update = {
+ "port": {
+ "port_security_enabled": False,
+ "security_groups": None
+ }
+ }
+
+ if port[1] == "allow-address-pairs":
+ port_update = {
+ "port": {
+ "allowed_address_pairs": [
+ {
+ "ip_address": "0.0.0.0/0"
+ }
+ ]
+ }
+ }
+
 try:
- self.neutron.update_port(port_id,
- {"port": {"port_security_enabled": False, "security_groups": None}})
+ self.neutron.update_port(port[0], port_update)
 except Exception:
- raise vimconn.VimConnException("It was not possible to disable port security for port {}".format(
- port_id))
+ raise vimconn.VimConnException(
+ "It was not possible to disable port security for port {}"
+ .format(port[0])
+ )
+
 # print "DONE :-)", server
 # pool_id = None
diff --git a/RO/osm_ro/database_utils/migrate_mano_db.sh b/RO/osm_ro/database_utils/migrate_mano_db.sh
index 334b5ab1..12f4566c 100755
--- a/RO/osm_ro/database_utils/migrate_mano_db.sh
+++ b/RO/osm_ro/database_utils/migrate_mano_db.sh
@@ -36,7 +36,7 @@ QUIET_MODE=""
 BACKUP_DIR=""
 BACKUP_FILE=""
 # TODO update it with the last database version
-LAST_DB_VERSION=41
+LAST_DB_VERSION=42
 # Detect paths
 MYSQL=$(which mysql)
@@ -199,6 +199,7 @@ fi
 #[ $OPENMANO_VER_NUM -ge 6020 ] && DB_VERSION=39 #0.6.20 => 39
 #[ $OPENMANO_VER_NUM -ge 6000004 ] && DB_VERSION=40 #6.0.4 => 40
 #[ $OPENMANO_VER_NUM -ge 8000000 ] && DB_VERSION=41 #8.0.0 => 41
+#[ $OPENMANO_VER_NUM -ge 8000002 ] && DB_VERSION=42 #8.0.2 => 42
 # TODO ... put next versions here
 function upgrade_to_1(){
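Review bot: In the `for port in no_secured_ports:` loop of `vimconn_openstack.py`, every strategy value other than `"allow-address-pairs"` falls through to the default `port_update`, so a misspelled or unknown strategy silently ends in the most permissive result, with port security off and security groups cleared. Adding `elif port[1] not in (None, "full"):` followed by `raise vimconn.VimConnException("Unknown port security disable strategy {}".format(port[1]))` would make unknown values fail closed, while still accepting `None`, which presumably occurs for interfaces stored before the new column existed. The `"0.0.0.0/0"` pair lifts source-address filtering for IPv4 only and replaces any address pairs already set on the port, which is worth a comment beside the literal. The bare `except Exception:` still discards the Neutron error, and its message says port security was being disabled even on the allow-address-pairs path. The enclosing method begins and ends outside the hunk.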
@@ -1526,6 +1527,19 @@ function downgrade_from_41(){
 sql "DELETE FROM schema_version WHERE version_int='41';"
 }
+function upgrade_to_42(){
+ echo " Adding 'port_security_disable_strategy' to 'interfaces'"
+ sql "ALTER TABLE interfaces ADD COLUMN port_security_disable_strategy CHAR(25);"
+ sql "INSERT INTO schema_version (version_int, version, openmano_ver, comments, date) " \
+ "VALUES (42, '0.42', '8.0.2', 'Adding port_security_disable_strategy to interfaces', '2020-10-19');"
+}
+
+function downgrade_to_42(){
+ echo " Removing 'port_security_disable_strategy' from 'interfaces'"
+ sql "ALTER TABLE interfaces DROP port_security_disable_strategy;"
+ sql "DELETE FROM schema_version WHERE version_int='42';"
+}
+
 #TODO ... put functions here
diff --git a/RO/osm_ro/nfvo.py b/RO/osm_ro/nfvo.py
index a7b15a29..74cfbf0d 100644
--- a/RO/osm_ro/nfvo.py
+++ b/RO/osm_ro/nfvo.py
@@ -1198,8 +1198,9 @@ def new_vnfd_v3(mydb, tenant_id, vnf_descriptor):
 vdu_id2cp_name[vdu_id] = db_interface["external_name"]
 # port security
- if str(cp_descriptor.get("port-security-enabled")).lower() == "false":
+ if "port-security-disable-strategy" in cp_descriptor or str(cp_descriptor.get("port-security-enabled")).lower() == "false":
 db_interface["port_security"] = 0
+ db_interface["port_security_disable_strategy"] = cp_descriptor.get("port-security-disable-strategy", "full")
 elif str(cp_descriptor.get("port-security-enabled")).lower() == "true":
 db_interface["port_security"] = 1
 except KeyError:
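Review bot: The downgrade added in `migrate_mano_db.sh` is named `downgrade_to_42`, whereas the existing function named in this hunk's header is `downgrade_from_41`. If the script picks migration steps by that naming pattern (the dispatcher is outside the hunk), a downgrade from schema 42 would not find its step, and the `port_security_disable_strategy` column and the `schema_version` row would be left behind. Renaming it to `function downgrade_from_42(){` keeps it consistent with the earlier migrations.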
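Review bot: In `new_vnfd_v3` (`nfvo.py`), the value of `port-security-disable-strategy` is written to `db_interface` exactly as it appears in the descriptor, and the mere presence of the key sets `port_security` to 0 even when the same connection point carries `port-security-enabled: true`. Unless the descriptor schema already restricts the field (not visible here), it should be checked against the strategies the VIM connector implements, for example `if strategy not in ("full", "allow-address-pairs"):` followed by whatever descriptor error this function raises elsewhere. A one-line comment stating that the strategy key takes precedence over `port-security-enabled` would document the override. The same pattern is repeated for `icp_descriptor` in the next `nfvo.py` hunk, and the function body extends beyond both hunks.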
@@ -1233,8 +1234,9 @@ def new_vnfd_v3(mydb, tenant_id, vnf_descriptor):
 ("SR-IOV", "PCI-PASSTHROUGH"):
 db_nets[net_id2index[icp_vld.get("id")]]["type"] = "data"
 db_interface["net_id"] = net_id2uuid[icp_vld.get("id")]
- if str(icp_descriptor.get("port-security-enabled")).lower() == "false":
+ if "port-security-disable-strategy" in icp_descriptor or str(icp_descriptor.get("port-security-enabled")).lower() == "false":
 db_interface["port_security"] = 0
+ db_interface["port_security_disable_strategy"] = icp_descriptor.get("port-security-disable-strategy", "full")
 elif str(icp_descriptor.get("port-security-enabled")).lower() == "true":
 db_interface["port_security"] = 1
 if icp.get("ip-address"):
@@ -4115,6 +4117,8 @@ def instantiate_vnf(mydb, sce_vnf, params, params_out, rollbackList):
 netDict['ip_address'] = iface['ip_address']
 if iface.get("port-security") is not None:
 netDict['port_security'] = iface['port-security']
+ if iface.get("port_security_disable_strategy") is not None:
+ netDict['port_security_disable_strategy'] = iface['port_security_disable_strategy']
 if iface.get("floating-ip") is not None:
 netDict['floating_ip'] = iface['floating-ip']
 netDict['name'] = iface['internal_name']
diff --git a/RO/osm_ro/openmanod.py b/RO/osm_ro/openmanod.py
index d53450dd..d6ac566c 100755
--- a/RO/osm_ro/openmanod.py
+++ b/RO/osm_ro/openmanod.py
@@ -54,8 +54,8 @@ import osm_ro
 __author__ = "Alfonso Tierno, Gerardo Garcia, Pablo Montes"
 __date__ = "$26-aug-2014 11:09:29$"
 __version__ = "8.0.0.post1"
-version_date = "Jul 2020"
-database_version = 41 # expected database schema version
+version_date = "Oct 2020"
+database_version = 42 # expected database schema version
 global global_config
 global logger
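Review bot: In the `instantiate_vnf` hunk of `nfvo.py`, the new lookup reads `iface.get("port_security_disable_strategy")` with underscores, while the neighbouring lookups use hyphenated keys (`iface['port-security']`, `iface['floating-ip']`), which suggests the dict is built from aliased columns. The code that fills `iface` is outside the hunk and this commit shows no change to it, so it should be confirmed that the new column is actually selected. If it is not, the `is not None` test never passes, `netDict` never carries the strategy, and a requested `allow-address-pairs` port would silently get the full disable in the VIM connector. A short comment naming the key form the query returns would prevent the same confusion later.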