octavia 13.0.0__py3-none-any.whl → 14.0.0__py3-none-any.whl

octavia/controller/worker/v2/controller_worker.py

@@ -270,6 +270,14 @@ class ControllerWorker(object):
             raise db_exceptions.NoResultFound
 
         load_balancer = db_listener.load_balancer
+        flavor_dict = {}
+        if load_balancer.flavor_id:
+            with session.begin():
+                flavor_dict = (
+                    self._flavor_repo.get_flavor_metadata_dict(
+                        session, load_balancer.flavor_id))
+        flavor_dict[constants.LOADBALANCER_TOPOLOGY] = load_balancer.topology
+
         provider_lb = provider_utils.db_loadbalancer_to_provider_loadbalancer(
             load_balancer).to_dict(recurse=True)
 
@@ -279,7 +287,7 @@ class ControllerWorker(object):
 
         self.run_flow(
             flow_utils.get_create_listener_flow,
-            store=store)
+            flavor_dict=flavor_dict, store=store)
 
     def delete_listener(self, listener):
         """Deletes a listener.
@@ -288,12 +296,32 @@ class ControllerWorker(object):
         :returns: None
         :raises ListenerNotFound: The referenced listener was not found
         """
+        try:
+            db_lb = self._get_db_obj_until_pending_update(
+                self._lb_repo, listener[constants.LOADBALANCER_ID])
+        except tenacity.RetryError as e:
+            LOG.warning('Loadbalancer did not go into %s in 60 seconds. '
+                        'This either due to an in-progress Octavia upgrade '
+                        'or an overloaded and failing database. Assuming '
+                        'an upgrade is in progress and continuing.',
+                        constants.PENDING_UPDATE)
+            db_lb = e.last_attempt.result()
+
+        flavor_dict = {}
+        if db_lb.flavor_id:
+            session = db_apis.get_session()
+            with session.begin():
+                flavor_dict = (
+                    self._flavor_repo.get_flavor_metadata_dict(
+                        session, db_lb.flavor_id))
+        flavor_dict[constants.LOADBALANCER_TOPOLOGY] = db_lb.topology
+
         store = {constants.LISTENER: listener,
                  constants.LOADBALANCER_ID:
                      listener[constants.LOADBALANCER_ID],
                  constants.PROJECT_ID: listener[constants.PROJECT_ID]}
         self.run_flow(
-            flow_utils.get_delete_listener_flow,
+            flow_utils.get_delete_listener_flow, flavor_dict=flavor_dict,
             store=store)
 
     def update_listener(self, listener, listener_updates):
@@ -315,12 +343,21 @@ class ControllerWorker(object):
                         constants.PENDING_UPDATE)
             db_lb = e.last_attempt.result()
 
+        session = db_apis.get_session()
+        flavor_dict = {}
+        if db_lb.flavor_id:
+            with session.begin():
+                flavor_dict = (
+                    self._flavor_repo.get_flavor_metadata_dict(
+                        session, db_lb.flavor_id))
+        flavor_dict[constants.LOADBALANCER_TOPOLOGY] = db_lb.topology
+
         store = {constants.LISTENER: listener,
                  constants.UPDATE_DICT: listener_updates,
                  constants.LOADBALANCER_ID: db_lb.id,
                  constants.LISTENERS: [listener]}
         self.run_flow(
-            flow_utils.get_update_listener_flow,
+            flow_utils.get_update_listener_flow, flavor_dict=flavor_dict,
             store=store)
 
     @tenacity.retry(
@@ -375,7 +412,7 @@ class ControllerWorker(object):
         }
         self.run_flow(
             flow_utils.get_create_load_balancer_flow,
-            topology, listeners=listeners_dicts,
+            topology, listeners=listeners_dicts, flavor_dict=flavor,
             store=store)
 
     def delete_load_balancer(self, load_balancer, cascade=False):
@@ -536,7 +573,7 @@ class ControllerWorker(object):
                 self._member_repo.get(
                     session, id=member[constants.MEMBER_ID])
                 for member in new_members]
-        # The API may not have commited all of the new member records yet.
+        # The API may not have committed all of the new member records yet.
         # Make sure we retry looking them up.
         if None in db_new_members or len(db_new_members) != len(new_members):
             LOG.warning('Failed to fetch one of the new members from DB. '
@@ -998,16 +1035,14 @@ class ControllerWorker(object):
                 lb_id = loadbalancer.id
                 # Even if the LB doesn't have a flavor, create one and
                 # pass through the topology.
+                flavor_dict = {}
                 if loadbalancer.flavor_id:
                     with session.begin():
                         flavor_dict = (
                             self._flavor_repo.get_flavor_metadata_dict(
                                 session, loadbalancer.flavor_id))
-                    flavor_dict[constants.LOADBALANCER_TOPOLOGY] = (
-                        loadbalancer.topology)
-                else:
-                    flavor_dict = {constants.LOADBALANCER_TOPOLOGY:
-                                   loadbalancer.topology}
+                flavor_dict[constants.LOADBALANCER_TOPOLOGY] = (
+                    loadbalancer.topology)
                 if loadbalancer.availability_zone:
                     with session.begin():
                         az_metadata = (
@@ -1035,7 +1070,7 @@ class ControllerWorker(object):
 
             self.run_flow(
                 flow_utils.get_failover_amphora_flow,
-                amphora.to_dict(), lb_amp_count,
+                amphora.to_dict(), lb_amp_count, flavor_dict=flavor_dict,
                 store=stored_params)
 
             LOG.info("Successfully completed the failover for an amphora: %s",
@@ -1128,7 +1163,7 @@ class ControllerWorker(object):
 
         :param load_balancer_id: ID for load balancer to failover
         :returns: None
-        :raises octavia.commom.exceptions.NotFound: The load balancer was not
+        :raises octavia.common.exceptions.NotFound: The load balancer was not
                                                     found.
         """
         try:
@@ -1162,13 +1197,12 @@ class ControllerWorker(object):
             # We must provide a topology in the flavor definition
             # here for the amphora to be created with the correct
             # configuration.
+            flavor = {}
             if lb.flavor_id:
                 with session.begin():
                     flavor = self._flavor_repo.get_flavor_metadata_dict(
                         session, lb.flavor_id)
-                flavor[constants.LOADBALANCER_TOPOLOGY] = lb.topology
-            else:
-                flavor = {constants.LOADBALANCER_TOPOLOGY: lb.topology}
+            flavor[constants.LOADBALANCER_TOPOLOGY] = lb.topology
 
             if lb:
                 provider_lb_dict = (

octavia/controller/worker/v2/flows/amphora_flows.py

@@ -28,6 +28,7 @@ from octavia.controller.worker.v2.tasks import database_tasks
 from octavia.controller.worker.v2.tasks import lifecycle_tasks
 from octavia.controller.worker.v2.tasks import network_tasks
 from octavia.controller.worker.v2.tasks import retry_tasks
+from octavia.controller.worker.v2.tasks import shim_tasks
 
 CONF = cfg.CONF
 LOG = logging.getLogger(__name__)
@@ -226,7 +227,8 @@ class AmphoraFlows(object):
         return delete_amphora_flow
 
     def get_vrrp_subflow(self, prefix, timeout_dict=None,
-                         create_vrrp_group=True):
+                         create_vrrp_group=True,
+                         get_amphorae_status=True, flavor_dict=None):
         sf_name = prefix + '-' + constants.GET_VRRP_SUBFLOW
         vrrp_subflow = linear_flow.Flow(sf_name)
 
@@ -242,17 +244,29 @@ class AmphoraFlows(object):
             requires=constants.LOADBALANCER_ID,
             provides=constants.AMPHORAE_NETWORK_CONFIG))
 
+        if get_amphorae_status:
+            # Get the amphorae_status dict in case the caller hasn't fetched
+            # it yet.
+            vrrp_subflow.add(
+                amphora_driver_tasks.AmphoraeGetConnectivityStatus(
+                    name=constants.AMPHORAE_GET_CONNECTIVITY_STATUS,
+                    requires=constants.AMPHORAE,
+                    rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
+                    inject={constants.TIMEOUT_DICT: timeout_dict},
+                    provides=constants.AMPHORAE_STATUS))
+
         # VRRP update needs to be run on all amphora to update
         # their peer configurations. So parallelize this with an
         # unordered subflow.
         update_amps_subflow = unordered_flow.Flow('VRRP-update-subflow')
 
-        # We have three tasks to run in order, per amphora
+        # We have tasks to run in order, per amphora
         amp_0_subflow = linear_flow.Flow('VRRP-amp-0-update-subflow')
 
         amp_0_subflow.add(amphora_driver_tasks.AmphoraIndexUpdateVRRPInterface(
             name=sf_name + '-0-' + constants.AMP_UPDATE_VRRP_INTF,
-            requires=constants.AMPHORAE,
+            requires=(constants.AMPHORAE, constants.AMPHORAE_STATUS),
+            rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
             inject={constants.AMPHORA_INDEX: 0,
                     constants.TIMEOUT_DICT: timeout_dict},
             provides=constants.AMP_VRRP_INT))
@@ -261,13 +275,30 @@ class AmphoraFlows(object):
             name=sf_name + '-0-' + constants.AMP_VRRP_UPDATE,
             requires=(constants.LOADBALANCER_ID,
                       constants.AMPHORAE_NETWORK_CONFIG, constants.AMPHORAE,
-                      constants.AMP_VRRP_INT),
+                      constants.AMPHORAE_STATUS, constants.AMP_VRRP_INT),
+            rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
             inject={constants.AMPHORA_INDEX: 0,
                     constants.TIMEOUT_DICT: timeout_dict}))
 
+        if flavor_dict and flavor_dict.get(constants.SRIOV_VIP, False):
+            amp_0_subflow.add(database_tasks.GetAmphoraFirewallRules(
+                name=sf_name + '-0-' + constants.GET_AMPHORA_FIREWALL_RULES,
+                requires=(constants.AMPHORAE,
+                          constants.AMPHORAE_NETWORK_CONFIG),
+                provides=constants.AMPHORA_FIREWALL_RULES,
+                inject={constants.AMPHORA_INDEX: 0}))
+
+            amp_0_subflow.add(amphora_driver_tasks.SetAmphoraFirewallRules(
+                name=sf_name + '-0-' + constants.SET_AMPHORA_FIREWALL_RULES,
+                requires=(constants.AMPHORAE, constants.AMPHORAE_STATUS,
+                          constants.AMPHORA_FIREWALL_RULES),
+                inject={constants.AMPHORA_INDEX: 0,
+                        constants.TIMEOUT_DICT: timeout_dict}))
+
         amp_0_subflow.add(amphora_driver_tasks.AmphoraIndexVRRPStart(
             name=sf_name + '-0-' + constants.AMP_VRRP_START,
-            requires=constants.AMPHORAE,
+            requires=(constants.AMPHORAE, constants.AMPHORAE_STATUS),
+            rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
             inject={constants.AMPHORA_INDEX: 0,
                     constants.TIMEOUT_DICT: timeout_dict}))
 
@@ -275,7 +306,8 @@ class AmphoraFlows(object):
 
         amp_1_subflow.add(amphora_driver_tasks.AmphoraIndexUpdateVRRPInterface(
             name=sf_name + '-1-' + constants.AMP_UPDATE_VRRP_INTF,
-            requires=constants.AMPHORAE,
+            requires=(constants.AMPHORAE, constants.AMPHORAE_STATUS),
+            rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
             inject={constants.AMPHORA_INDEX: 1,
                     constants.TIMEOUT_DICT: timeout_dict},
             provides=constants.AMP_VRRP_INT))
@@ -284,12 +316,30 @@ class AmphoraFlows(object):
             name=sf_name + '-1-' + constants.AMP_VRRP_UPDATE,
             requires=(constants.LOADBALANCER_ID,
                       constants.AMPHORAE_NETWORK_CONFIG, constants.AMPHORAE,
-                      constants.AMP_VRRP_INT),
+                      constants.AMPHORAE_STATUS, constants.AMP_VRRP_INT),
+            rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
             inject={constants.AMPHORA_INDEX: 1,
                     constants.TIMEOUT_DICT: timeout_dict}))
+
+        if flavor_dict and flavor_dict.get(constants.SRIOV_VIP, False):
+            amp_1_subflow.add(database_tasks.GetAmphoraFirewallRules(
+                name=sf_name + '-1-' + constants.GET_AMPHORA_FIREWALL_RULES,
+                requires=(constants.AMPHORAE,
+                          constants.AMPHORAE_NETWORK_CONFIG),
+                provides=constants.AMPHORA_FIREWALL_RULES,
+                inject={constants.AMPHORA_INDEX: 1}))
+
+            amp_1_subflow.add(amphora_driver_tasks.SetAmphoraFirewallRules(
+                name=sf_name + '-1-' + constants.SET_AMPHORA_FIREWALL_RULES,
+                requires=(constants.AMPHORAE, constants.AMPHORAE_STATUS,
+                          constants.AMPHORA_FIREWALL_RULES),
+                inject={constants.AMPHORA_INDEX: 1,
+                        constants.TIMEOUT_DICT: timeout_dict}))
+
         amp_1_subflow.add(amphora_driver_tasks.AmphoraIndexVRRPStart(
             name=sf_name + '-1-' + constants.AMP_VRRP_START,
-            requires=constants.AMPHORAE,
+            requires=(constants.AMPHORAE, constants.AMPHORAE_STATUS),
+            rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
             inject={constants.AMPHORA_INDEX: 1,
                     constants.TIMEOUT_DICT: timeout_dict}))
 
@@ -353,7 +403,8 @@ class AmphoraFlows(object):
 
     def get_amphora_for_lb_failover_subflow(
             self, prefix, role=constants.ROLE_STANDALONE,
-            failed_amp_vrrp_port_id=None, is_vrrp_ipv6=False):
+            failed_amp_vrrp_port_id=None, is_vrrp_ipv6=False,
+            flavor_dict=None):
         """Creates a new amphora that will be used in a failover flow.
 
         :requires: loadbalancer_id, flavor, vip, vip_sg_id, loadbalancer
@@ -374,13 +425,24 @@ class AmphoraFlows(object):
             prefix=prefix + '-' + constants.FAILOVER_LOADBALANCER_FLOW,
             role=role))
 
-        # Create the VIP base (aka VRRP) port for the amphora.
-        amp_for_failover_flow.add(network_tasks.CreateVIPBasePort(
-            name=prefix + '-' + constants.CREATE_VIP_BASE_PORT,
-            requires=(constants.VIP, constants.VIP_SG_ID,
-                      constants.AMPHORA_ID,
-                      constants.ADDITIONAL_VIPS),
-            provides=constants.BASE_PORT))
+        if flavor_dict and flavor_dict.get(constants.SRIOV_VIP, False):
+            amp_for_failover_flow.add(network_tasks.GetSubnetFromVIP(
+                name=prefix + '-' + constants.GET_SUBNET_FROM_VIP,
+                requires=constants.LOADBALANCER,
+                provides=constants.SUBNET))
+            amp_for_failover_flow.add(network_tasks.CreateSRIOVBasePort(
+                name=prefix + '-' + constants.PLUG_VIP_AMPHORA,
+                requires=(constants.LOADBALANCER, constants.AMPHORA,
+                          constants.SUBNET),
+                provides=constants.BASE_PORT))
+        else:
+            # Create the VIP base (aka VRRP) port for the amphora.
+            amp_for_failover_flow.add(network_tasks.CreateVIPBasePort(
+                name=prefix + '-' + constants.CREATE_VIP_BASE_PORT,
+                requires=(constants.VIP, constants.VIP_SG_ID,
+                          constants.AMPHORA_ID,
+                          constants.ADDITIONAL_VIPS),
+                provides=constants.BASE_PORT))
 
         # Attach the VIP base (aka VRRP) port to the amphora.
         amp_for_failover_flow.add(compute_tasks.AttachPort(
@@ -413,6 +475,27 @@ class AmphoraFlows(object):
             requires=(constants.AMPHORA, constants.LOADBALANCER,
                       constants.AMPHORAE_NETWORK_CONFIG)))
 
+        if flavor_dict and flavor_dict.get(constants.SRIOV_VIP, False):
+            amp_for_failover_flow.add(
+                shim_tasks.AmphoraToAmphoraeWithVRRPIP(
+                    name=prefix + '-' + constants.AMPHORA_TO_AMPHORAE_VRRP_IP,
+                    requires=(constants.AMPHORA, constants.BASE_PORT),
+                    provides=constants.NEW_AMPHORAE))
+            amp_for_failover_flow.add(database_tasks.GetAmphoraFirewallRules(
+                name=prefix + '-' + constants.GET_AMPHORA_FIREWALL_RULES,
+                requires=(constants.AMPHORAE,
+                          constants.AMPHORAE_NETWORK_CONFIG),
+                rebind={constants.AMPHORAE: constants.NEW_AMPHORAE},
+                provides=constants.AMPHORA_FIREWALL_RULES,
+                inject={constants.AMPHORA_INDEX: 0}))
+            amp_for_failover_flow.add(
+                amphora_driver_tasks.SetAmphoraFirewallRules(
+                    name=prefix + '-' + constants.SET_AMPHORA_FIREWALL_RULES,
+                    requires=(constants.AMPHORAE,
+                              constants.AMPHORA_FIREWALL_RULES),
+                    rebind={constants.AMPHORAE: constants.NEW_AMPHORAE},
+                    inject={constants.AMPHORA_INDEX: 0}))
+
         # Plug member ports
         amp_for_failover_flow.add(network_tasks.CalculateAmphoraDelta(
             name=prefix + '-' + constants.CALCULATE_AMPHORA_DELTA,
@@ -431,7 +514,8 @@ class AmphoraFlows(object):
 
         return amp_for_failover_flow
 
-    def get_failover_amphora_flow(self, failed_amphora, lb_amp_count):
+    def get_failover_amphora_flow(self, failed_amphora, lb_amp_count,
+                                  flavor_dict=None):
         """Get a Taskflow flow to failover an amphora.
 
         1. Build a replacement amphora.
@@ -441,6 +525,7 @@ class AmphoraFlows(object):
 
         :param failed_amphora: The amphora dict to failover.
         :param lb_amp_count: The number of amphora on this load balancer.
+        :param flavor_dict: The load balancer flavor dictionary.
         :returns: The flow that will provide the failover.
         """
         failover_amp_flow = linear_flow.Flow(
@@ -501,7 +586,7 @@ class AmphoraFlows(object):
                 role=failed_amphora[constants.ROLE],
                 failed_amp_vrrp_port_id=failed_amphora.get(
                     constants.VRRP_PORT_ID),
-                is_vrrp_ipv6=is_vrrp_ipv6))
+                is_vrrp_ipv6=is_vrrp_ipv6, flavor_dict=flavor_dict))
 
         failover_amp_flow.add(
             self.get_delete_amphora_flow(
@@ -538,6 +623,14 @@ class AmphoraFlows(object):
             constants.CONN_RETRY_INTERVAL:
                 CONF.haproxy_amphora.active_connection_retry_interval}
 
+        failover_amp_flow.add(
+            amphora_driver_tasks.AmphoraeGetConnectivityStatus(
+                name=constants.AMPHORAE_GET_CONNECTIVITY_STATUS,
+                requires=constants.AMPHORAE,
+                rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
+                inject={constants.TIMEOUT_DICT: timeout_dict},
+                provides=constants.AMPHORAE_STATUS))
+
         # Listeners update needs to be run on all amphora to update
         # their peer configurations. So parallelize this with an
         # unordered subflow.
@@ -548,7 +641,9 @@ class AmphoraFlows(object):
             update_amps_subflow.add(
                 amphora_driver_tasks.AmphoraIndexListenerUpdate(
                     name=str(amp_index) + '-' + constants.AMP_LISTENER_UPDATE,
-                    requires=(constants.LOADBALANCER, constants.AMPHORAE),
+                    requires=(constants.LOADBALANCER, constants.AMPHORAE,
+                              constants.AMPHORAE_STATUS),
+                    rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
                     inject={constants.AMPHORA_INDEX: amp_index,
                             constants.TIMEOUT_DICT: timeout_dict}))
 
@@ -558,7 +653,9 @@ class AmphoraFlows(object):
         if lb_amp_count == 2:
             failover_amp_flow.add(
                 self.get_vrrp_subflow(constants.GET_VRRP_SUBFLOW,
-                                      timeout_dict, create_vrrp_group=False))
+                                      timeout_dict, create_vrrp_group=False,
+                                      get_amphorae_status=False,
+                                      flavor_dict=flavor_dict))
 
         # Reload the listener. This needs to be done here because
         # it will create the required haproxy check scripts for
@@ -574,7 +671,9 @@ class AmphoraFlows(object):
                 amphora_driver_tasks.AmphoraIndexListenersReload(
                     name=(str(amp_index) + '-' +
                           constants.AMPHORA_RELOAD_LISTENER),
-                    requires=(constants.LOADBALANCER, constants.AMPHORAE),
+                    requires=(constants.LOADBALANCER, constants.AMPHORAE,
+                              constants.AMPHORAE_STATUS),
+                    rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
                     inject={constants.AMPHORA_INDEX: amp_index,
                             constants.TIMEOUT_DICT: timeout_dict}))
 

octavia/controller/worker/v2/flows/flow_utils.py

@@ -32,9 +32,9 @@ M_FLOWS = member_flows.MemberFlows()
 P_FLOWS = pool_flows.PoolFlows()
 
 
-def get_create_load_balancer_flow(topology, listeners=None):
-    return LB_FLOWS.get_create_load_balancer_flow(topology,
-                                                  listeners=listeners)
+def get_create_load_balancer_flow(topology, listeners=None, flavor_dict=None):
+    return LB_FLOWS.get_create_load_balancer_flow(
+        topology, listeners=listeners, flavor_dict=flavor_dict)
 
 
 def get_delete_load_balancer_flow(lb):
@@ -90,8 +90,9 @@ def get_failover_LB_flow(amps, lb):
     return LB_FLOWS.get_failover_LB_flow(amps, lb)
 
 
-def get_failover_amphora_flow(amphora_dict, lb_amp_count):
-    return AMP_FLOWS.get_failover_amphora_flow(amphora_dict, lb_amp_count)
+def get_failover_amphora_flow(amphora_dict, lb_amp_count, flavor_dict=None):
+    return AMP_FLOWS.get_failover_amphora_flow(amphora_dict, lb_amp_count,
+                                               flavor_dict=flavor_dict)
 
 
 def cert_rotate_amphora_flow():
@@ -138,20 +139,21 @@ def get_update_l7rule_flow():
     return L7_RULES_FLOWS.get_update_l7rule_flow()
 
 
-def get_create_listener_flow():
-    return LISTENER_FLOWS.get_create_listener_flow()
+def get_create_listener_flow(flavor_dict=None):
+    return LISTENER_FLOWS.get_create_listener_flow(flavor_dict=flavor_dict)
 
 
-def get_create_all_listeners_flow():
-    return LISTENER_FLOWS.get_create_all_listeners_flow()
+def get_create_all_listeners_flow(flavor_dict=None):
+    return LISTENER_FLOWS.get_create_all_listeners_flow(
+        flavor_dict=flavor_dict)
 
 
-def get_delete_listener_flow():
-    return LISTENER_FLOWS.get_delete_listener_flow()
+def get_delete_listener_flow(flavor_dict=None):
+    return LISTENER_FLOWS.get_delete_listener_flow(flavor_dict=flavor_dict)
 
 
-def get_update_listener_flow():
-    return LISTENER_FLOWS.get_update_listener_flow()
+def get_update_listener_flow(flavor_dict=None):
+    return LISTENER_FLOWS.get_update_listener_flow(flavor_dict=flavor_dict)
 
 
 def get_create_member_flow():

octavia/controller/worker/v2/flows/listener_flows.py

@@ -14,6 +14,7 @@
 #
 
 from taskflow.patterns import linear_flow
+from taskflow.patterns import unordered_flow
 
 from octavia.common import constants
 from octavia.controller.worker.v2.tasks import amphora_driver_tasks
@@ -24,7 +25,7 @@ from octavia.controller.worker.v2.tasks import network_tasks
 
 class ListenerFlows(object):
 
-    def get_create_listener_flow(self):
+    def get_create_listener_flow(self, flavor_dict=None):
         """Create a flow to create a listener
 
         :returns: The flow for creating a listener
@@ -36,13 +37,18 @@ class ListenerFlows(object):
             requires=constants.LOADBALANCER_ID))
         create_listener_flow.add(network_tasks.UpdateVIP(
             requires=constants.LISTENERS))
+
+        if flavor_dict and flavor_dict.get(constants.SRIOV_VIP, False):
+            create_listener_flow.add(*self._get_firewall_rules_subflow(
+                flavor_dict))
+
         create_listener_flow.add(database_tasks.
                                  MarkLBAndListenersActiveInDB(
                                      requires=(constants.LOADBALANCER_ID,
                                                constants.LISTENERS)))
         return create_listener_flow
 
-    def get_create_all_listeners_flow(self):
+    def get_create_all_listeners_flow(self, flavor_dict=None):
         """Create a flow to create all listeners
 
         :returns: The flow for creating all listeners
@@ -60,12 +66,17 @@ class ListenerFlows(object):
             requires=constants.LOADBALANCER_ID))
         create_all_listeners_flow.add(network_tasks.UpdateVIP(
             requires=constants.LISTENERS))
+
+        if flavor_dict and flavor_dict.get(constants.SRIOV_VIP, False):
+            create_all_listeners_flow.add(*self._get_firewall_rules_subflow(
+                flavor_dict))
+
         create_all_listeners_flow.add(
             database_tasks.MarkHealthMonitorsOnlineInDB(
                 requires=constants.LOADBALANCER))
         return create_all_listeners_flow
 
-    def get_delete_listener_flow(self):
+    def get_delete_listener_flow(self, flavor_dict=None):
         """Create a flow to delete a listener
 
         :returns: The flow for deleting a listener
@@ -79,6 +90,11 @@ class ListenerFlows(object):
             requires=constants.LOADBALANCER_ID))
         delete_listener_flow.add(database_tasks.DeleteListenerInDB(
             requires=constants.LISTENER))
+
+        if flavor_dict and flavor_dict.get(constants.SRIOV_VIP, False):
+            delete_listener_flow.add(*self._get_firewall_rules_subflow(
+                flavor_dict))
+
         delete_listener_flow.add(database_tasks.DecrementListenerQuota(
             requires=constants.PROJECT_ID))
         delete_listener_flow.add(database_tasks.MarkLBActiveInDBByListener(
@@ -86,7 +102,7 @@ class ListenerFlows(object):
 
         return delete_listener_flow
 
-    def get_delete_listener_internal_flow(self, listener):
+    def get_delete_listener_internal_flow(self, listener, flavor_dict=None):
         """Create a flow to delete a listener and l7policies internally
 
            (will skip deletion on the amp and marking LB active)
@@ -104,13 +120,22 @@ class ListenerFlows(object):
             name='delete_listener_in_db_' + listener_id,
             requires=constants.LISTENER,
             inject={constants.LISTENER: listener}))
+
+        # Currently the flavor_dict will always be None since there is
+        # no point updating the firewall rules when deleting the LB.
+        # However, this may be used for additional flows in the future, so
+        # adding this code for completeness.
+        if flavor_dict and flavor_dict.get(constants.SRIOV_VIP, False):
+            delete_listener_flow.add(*self._get_firewall_rules_subflow(
+                flavor_dict))
+
         delete_listener_flow.add(database_tasks.DecrementListenerQuota(
             name='decrement_listener_quota_' + listener_id,
             requires=constants.PROJECT_ID))
 
         return delete_listener_flow
 
-    def get_update_listener_flow(self):
+    def get_update_listener_flow(self, flavor_dict=None):
         """Create a flow to update a listener
 
         :returns: The flow for updating a listener
@@ -122,6 +147,11 @@ class ListenerFlows(object):
             requires=constants.LOADBALANCER_ID))
         update_listener_flow.add(network_tasks.UpdateVIP(
             requires=constants.LISTENERS))
+
+        if flavor_dict and flavor_dict.get(constants.SRIOV_VIP, False):
+            update_listener_flow.add(*self._get_firewall_rules_subflow(
+                flavor_dict))
+
         update_listener_flow.add(database_tasks.UpdateListenerInDB(
             requires=[constants.LISTENER, constants.UPDATE_DICT]))
         update_listener_flow.add(database_tasks.
@@ -130,3 +160,63 @@ class ListenerFlows(object):
                                                constants.LISTENERS)))
 
         return update_listener_flow
+
+    def _get_firewall_rules_subflow(self, flavor_dict):
+        """Creates a subflow that updates the firewall rules in the amphorae.
+
+        :returns: The subflow for updating firewall rules in the amphorae.
+        """
+        sf_name = constants.FIREWALL_RULES_SUBFLOW
+        fw_rules_subflow = linear_flow.Flow(sf_name)
+
+        fw_rules_subflow.add(database_tasks.GetAmphoraeFromLoadbalancer(
+            name=sf_name + '-' + constants.GET_AMPHORAE_FROM_LB,
+            requires=constants.LOADBALANCER_ID,
+            provides=constants.AMPHORAE))
+
+        fw_rules_subflow.add(network_tasks.GetAmphoraeNetworkConfigs(
+            name=sf_name + '-' + constants.GET_AMP_NETWORK_CONFIG,
+            requires=constants.LOADBALANCER_ID,
+            provides=constants.AMPHORAE_NETWORK_CONFIG))
+
+        update_amps_subflow = unordered_flow.Flow(
+            constants.AMP_UPDATE_FW_SUBFLOW)
+
+        amp_0_subflow = linear_flow.Flow('amp-0-fw-update')
+
+        amp_0_subflow.add(database_tasks.GetAmphoraFirewallRules(
+            name=sf_name + '-0-' + constants.GET_AMPHORA_FIREWALL_RULES,
+            requires=(constants.AMPHORAE, constants.AMPHORAE_NETWORK_CONFIG),
+            provides=constants.AMPHORA_FIREWALL_RULES,
+            inject={constants.AMPHORA_INDEX: 0}))
+
+        amp_0_subflow.add(amphora_driver_tasks.SetAmphoraFirewallRules(
+            name=sf_name + '-0-' + constants.SET_AMPHORA_FIREWALL_RULES,
+            requires=(constants.AMPHORAE, constants.AMPHORA_FIREWALL_RULES),
+            inject={constants.AMPHORA_INDEX: 0}))
+
+        update_amps_subflow.add(amp_0_subflow)
+
+        if (flavor_dict[constants.LOADBALANCER_TOPOLOGY] ==
+                constants.TOPOLOGY_ACTIVE_STANDBY):
+
+            amp_1_subflow = linear_flow.Flow('amp-1-fw-update')
+
+            amp_1_subflow.add(database_tasks.GetAmphoraFirewallRules(
+                name=sf_name + '-1-' + constants.GET_AMPHORA_FIREWALL_RULES,
+                requires=(constants.AMPHORAE,
+                          constants.AMPHORAE_NETWORK_CONFIG),
+                provides=constants.AMPHORA_FIREWALL_RULES,
+                inject={constants.AMPHORA_INDEX: 1}))
+
+            amp_1_subflow.add(amphora_driver_tasks.SetAmphoraFirewallRules(
+                name=sf_name + '-1-' + constants.SET_AMPHORA_FIREWALL_RULES,
+                requires=(constants.AMPHORAE,
+                          constants.AMPHORA_FIREWALL_RULES),
+                inject={constants.AMPHORA_INDEX: 1}))
+
+            update_amps_subflow.add(amp_1_subflow)
+
+        fw_rules_subflow.add(update_amps_subflow)
+
+        return fw_rules_subflow