4.1. 安全组创建
1、 Neutron-client发送create security group消息(消息中包含要创建的安全组信息)给neutron-server,neutron-server调用securitygroup plugin中的create_security_group方法处理消息;
2、 在create_security_group方法中根据安全组是否默认安全组进行处理。如果是默认安全组,则将安全组加入到SecurityGroup表和DefaultSecurityGroup表,并创建默认安全组规则;如果不是默认安全组,则检查默认安全组是否存在,如不存在,则创建默认安全组和默认安全组的默认规则,然后将安全组加入到SecurityGroup表。
3、 securitygroup plugin会回应create security group result给neutron-client。创建成功则返回创建的安全组信息;失败则返回失败原因。
代码如下:
neutron.db.securitygroups_db.py
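class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
    """Mixin providing the database side of the security-group plugin API."""

    def create_security_group(self, context, security_group,
                              default_sg=False):
        """Create a security group.

        If ``default_sg`` is true the group being created is the tenant's
        default security group: it is additionally recorded in the
        DefaultSecurityGroup table and seeded with the default rules.

        :param context: request context; ``context.session`` carries the
            database transaction.
        :param security_group: request body ``{'security_group': {...}}``;
            the inner dict supplies ``name`` and ``description`` and may
            supply ``id``.
        :param default_sg: whether this group is the tenant's default group.
        :returns: the created group as built by ``_make_security_group_dict``.
        :raises ext_sg.SecurityGroupConflict: when a BEFORE_CREATE callback
            vetoes the request.
        """
        s = security_group['security_group']
        kwargs = {
            'context': context,
            'security_group': s,
            'is_default': default_sg,
        }
        # NOTE(armax): a callback exception here will prevent the request
        # from being processed. This is a hook point for backend's validation;
        # we raise to propagate the reason for the failure.
        try:
            registry.notify(
                resources.SECURITY_GROUP, events.BEFORE_CREATE, self,
                **kwargs)
        except exceptions.CallbackFailure as e:
            raise ext_sg.SecurityGroupConflict(reason=e)

        tenant_id = self._get_tenant_id_for_create(context, s)

        if not default_sg:
            # A non-default group requires the tenant's default group to
            # exist; create it (with its default rules) if it is missing.
            self._ensure_default_security_group(context, tenant_id)

        with db_api.autonested_transaction(context.session):
            # Insert into the SecurityGroup table. A caller-supplied ``id``
            # is honoured as-is; one is generated only when it is absent.
            security_group_db = SecurityGroup(
                id=s.get('id') or uuidutils.generate_uuid(),
                description=s['description'],
                tenant_id=tenant_id,
                name=s['name'])
            context.session.add(security_group_db)

            if default_sg:
                # Mark this group as the tenant's default group.
                context.session.add(DefaultSecurityGroup(
                    security_group=security_group_db,
                    tenant_id=security_group_db['tenant_id']))

            for ethertype in ext_sg.sg_supported_ethertypes:
                if default_sg:
                    # Default group: seed an ingress rule that admits traffic
                    # from any source of this ethertype.
                    # NOTE(review): '0.0.0.0/0' / '::/0' means every tenant's
                    # default group starts wide open on ingress rather than
                    # default-deny; confirm this is the intended policy.
                    # Compare with ``==``: ``is`` on a string literal relies
                    # on interning, and a miss would attach the IPv6 prefix
                    # to the IPv4 rule.
                    remote_ip_prefix = ('0.0.0.0/0' if ethertype == 'IPv4'
                                        else '::/0')
                    ingress_rule = SecurityGroupRule(
                        id=uuidutils.generate_uuid(), tenant_id=tenant_id,
                        security_group=security_group_db,
                        direction='ingress',
                        ethertype=ethertype,
                        remote_ip_prefix=remote_ip_prefix)
                    context.session.add(ingress_rule)

                # Unrestricted egress rule per ethertype.
                # NOTE(review): indentation was lost in the source listing;
                # the loop enclosing the ``if default_sg`` block implies this
                # egress rule is created for every group, not only the
                # default one — confirm against the repository.
                egress_rule = SecurityGroupRule(
                    id=uuidutils.generate_uuid(), tenant_id=tenant_id,
                    security_group=security_group_db,
                    direction='egress',
                    ethertype=ethertype)
                context.session.add(egress_rule)

            secgroup_dict = self._make_security_group_dict(security_group_db)

        kwargs['security_group'] = secgroup_dict
        registry.notify(resources.SECURITY_GROUP, events.AFTER_CREATE, self,
                        **kwargs)
        return secgroup_dict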