Commit b977d687 authored by Christos Stavrakakis's avatar Christos Stavrakakis
Browse files

cyclades: Remove firewall tag when removing NIC

Remove firewall tag from ganeti instance when disconnecting them from
networks. Until now, this was not needed because a vm could not be
disconnected from public networks. Since floating IPs, a vm may be
dynamically be connected and disconnected to public networks, and so a
hanging firewall tag may affect another NIC.
parent 21934769
......@@ -759,9 +759,22 @@ def disconnect_from_network(vm, nic):
log.debug("Removing nic of VM %s, with index %s", vm, str(nic.index))
with pooled_rapi_client(vm) as client:
return client.ModifyInstance(vm.backend_vm_id, nics=op,
jobID = client.ModifyInstance(vm.backend_vm_id, nics=op,
# If the NIC has a tag for a firewall profile it must be deleted,
# otherwise it may affect another NIC. XXX: Deleting the tag should
# depend on the removing the NIC, but currently RAPI client does not
# support this, this may result in clearing the firewall profile
# without successfully removing the NIC. This issue will be fixed with
# use of NIC UUIDs.
firewall_profile = nic.firewall_profile
if firewall_profile != "DISABLED":
tag = _firewall_tags[firewall_profile] % nic.index
client.DeleteInstanceTags(vm.backend_vm_id, [tag],
return jobID
def set_firewall_profile(vm, profile, index=0):
......@@ -781,7 +794,9 @@ def set_firewall_profile(vm, profile, index=0):
client.DeleteInstanceTags(vm.backend_vm_id, delete_tags,
client.AddInstanceTags(vm.backend_vm_id, [tag], dry_run=settings.TEST)
if profile != "DISABLED":
client.AddInstanceTags(vm.backend_vm_id, [tag],
# XXX NOP ModifyInstance call to force process_net_status to run
# on the dispatcher
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment