octavia 15.0.0.0rc1__py3-none-any.whl → 16.0.0__py3-none-any.whl

octavia/amphorae/backends/agent/api_server/keepalivedlvs.py

@@ -201,6 +201,15 @@ class KeepalivedLvs(lvs_listener_base.LvsListenerApiServerBase):
                             f"{listener_id}"),
                 'details': e.output}, status=500)
 
+        is_vrrp = (CONF.controller_worker.loadbalancer_topology ==
+                   consts.TOPOLOGY_ACTIVE_STANDBY)
+        # TODO(gthiemonge) remove RESTART from the list (same as previous todo
+        # in this function)
+        if not is_vrrp and action in [consts.AMP_ACTION_START,
+                                      consts.AMP_ACTION_RESTART,
+                                      consts.AMP_ACTION_RELOAD]:
+            util.send_vip_advertisements(listener_id=listener_id)
+
         return webob.Response(
             json={'message': 'OK',
                   'details': (f'keepalivedlvs listener {listener_id} '

octavia/amphorae/backends/agent/api_server/loadbalancer.py

@@ -12,6 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import hashlib
 import io
 import os
 import re
@@ -24,7 +25,6 @@ import flask
 import jinja2
 from oslo_config import cfg
 from oslo_log import log as logging
-from oslo_utils.secretutils import md5
 import webob
 from werkzeug import exceptions
 
@@ -55,7 +55,7 @@ SYSTEMD_TEMPLATE = JINJA_ENV.get_template(SYSTEMD_CONF)
 class Wrapped:
     def __init__(self, stream_):
         self.stream = stream_
-        self.hash = md5(usedforsecurity=False)  # nosec
+        self.hash = hashlib.md5(usedforsecurity=False)  # nosec
 
     def read(self, line):
         block = self.stream.read(line)
@@ -82,8 +82,8 @@ class Loadbalancer:
             cfg = file.read()
             resp = webob.Response(cfg, content_type='text/plain')
             resp.headers['ETag'] = (
-                md5(octavia_utils.b(cfg),
-                    usedforsecurity=False).hexdigest())  # nosec
+                hashlib.md5(octavia_utils.b(cfg),
+                            usedforsecurity=False).hexdigest())  # nosec
             return resp
 
     def upload_haproxy_config(self, amphora_id, lb_id):
@@ -408,8 +408,8 @@ class Loadbalancer:
 
         with open(cert_path, encoding='utf-8') as crt_file:
             cert = crt_file.read()
-            md5sum = md5(octavia_utils.b(cert),
-                         usedforsecurity=False).hexdigest()  # nosec
+            md5sum = hashlib.md5(octavia_utils.b(cert),
+                                 usedforsecurity=False).hexdigest()  # nosec
             resp = webob.Response(json={'md5sum': md5sum})
             resp.headers['ETag'] = md5sum
             return resp

octavia/amphorae/backends/agent/api_server/plug.py

@@ -247,7 +247,7 @@ class Plug:
             with pyroute2.IPRoute() as ipr:
                 idx = ipr.link_lookup(address=mac)[0]
                 # Workaround for https://github.com/PyCQA/pylint/issues/8497
-                # pylint: disable=E1136, E1121
+                # pylint: disable=E1136, E1121, E1133
                 addr = ipr.get_links(idx)[0]
                 for attr in addr['attrs']:
                     if attr[0] == consts.IFLA_IFNAME:

octavia/amphorae/backends/agent/api_server/util.py

@@ -347,7 +347,37 @@ def get_haproxy_vip_addresses(lb_id):
     return vips
 
 
-def send_vip_advertisements(lb_id):
+def get_lvs_vip_addresses(listener_id: str) -> list[str]:
+    """Get the VIP addresses for a LVS load balancer.
+
+    :param listener_id: The listener ID to get VIP addresses from.
+    :returns: List of VIP addresses (IPv4 and IPv6)
+    """
+    vips = []
+    # Extract the VIP addresses from keepalived configuration
+    # Format is
+    # virtual_server_group ipv<n>-group {
+    #     vip_address1 port1
+    #     vip_address2 port2
+    # }
+    # it can be repeated in case of dual-stack LBs
+    with open(keepalived_lvs_cfg_path(listener_id), encoding='utf-8') as file:
+        vsg_section = False
+        for line in file:
+            current_line = line.strip()
+            if vsg_section:
+                if current_line.startswith('}'):
+                    vsg_section = False
+                else:
+                    vip_address = current_line.split(' ')[0]
+                    vips.append(vip_address)
+            elif line.startswith('virtual_server_group '):
+                vsg_section = True
+    return vips
+
+
+def send_vip_advertisements(lb_id: tp.Optional[str] = None,
+                            listener_id: tp.Optional[str] = None):
     """Sends address advertisements for each load balancer VIP.
 
     This method will send either GARP (IPv4) or neighbor advertisements (IPv6)
@@ -357,7 +387,10 @@ def send_vip_advertisements(lb_id):
     :returns: None
     """
     try:
-        vips = get_haproxy_vip_addresses(lb_id)
+        if lb_id:
+            vips = get_haproxy_vip_addresses(lb_id)
+        else:
+            vips = get_lvs_vip_addresses(listener_id)
 
         for vip in vips:
             interface = network_utils.get_interface_name(

octavia/amphorae/backends/health_daemon/status_message.py

@@ -19,7 +19,6 @@ import zlib
 
 from oslo_log import log as logging
 from oslo_serialization import jsonutils
-from oslo_utils import secretutils
 
 from octavia.common import exceptions
 
@@ -70,7 +69,7 @@ def get_payload(envelope, key, hex=True):
     payload = envelope[:-len]
     expected_hmc = envelope[-len:]
     calculated_hmc = get_hmac(payload, key, hex=hex)
-    if not secretutils.constant_time_compare(expected_hmc, calculated_hmc):
+    if not hmac.compare_digest(expected_hmc, calculated_hmc):
         LOG.warning(
             'calculated hmac(hex=%(hex)s): %(s1)s not equal to msg hmac: '
             '%(s2)s dropping packet',

octavia/amphorae/drivers/haproxy/rest_api_driver.py

@@ -23,7 +23,6 @@ import warnings
 
 from oslo_context import context as oslo_context
 from oslo_log import log as logging
-from oslo_utils.secretutils import md5
 import requests
 from stevedore import driver as stevedore_driver
 
@@ -407,7 +406,10 @@ class HaproxyAmphoraLoadBalancerDriver(
             fixed_ips.append(ip)
         port_info = {'mac_address': port.mac_address,
                      'fixed_ips': fixed_ips,
-                     'mtu': port.network.mtu}
+                     'mtu': port.network.mtu,
+                     'is_sriov': False}
+        if port.vnic_type == consts.VNIC_TYPE_DIRECT:
+            port_info['is_sriov'] = True
         if port.id == amphora.vrrp_port_id:
             # We have to special-case sharing the vrrp port and pass through
             # enough extra information to populate the whole VIP port
@@ -450,7 +452,8 @@ class HaproxyAmphoraLoadBalancerDriver(
         if amphora and obj_id:
             for cert in certs:
                 pem = cert_parser.build_pem(cert)
-                md5sum = md5(pem, usedforsecurity=False).hexdigest()  # nosec
+                md5sum = hashlib.md5(
+                    pem, usedforsecurity=False).hexdigest()  # nosec
                 name = f'{cert.id}.pem'
                 cert_filename_list.append(
                     os.path.join(
@@ -461,8 +464,8 @@ class HaproxyAmphoraLoadBalancerDriver(
                 # Build and upload the crt-list file for haproxy
                 crt_list = "\n".join(cert_filename_list)
                 crt_list = f'{crt_list}\n'.encode()
-                md5sum = md5(crt_list,
-                             usedforsecurity=False).hexdigest()  # nosec
+                md5sum = hashlib.md5(
+                    crt_list, usedforsecurity=False).hexdigest()  # nosec
                 name = f'{listener.id}.pem'
                 self._upload_cert(amphora, obj_id, crt_list, md5sum, name)
         return {'tls_cert': tls_cert, 'sni_certs': sni_certs}
@@ -480,7 +483,8 @@ class HaproxyAmphoraLoadBalancerDriver(
             secret = secret.encode('utf-8')
         except AttributeError:
             pass
-        md5sum = md5(secret, usedforsecurity=False).hexdigest()  # nosec
+        md5sum = hashlib.md5(
+            secret, usedforsecurity=False).hexdigest()  # nosec
         id = hashlib.sha1(secret).hexdigest()  # nosec
         name = f'{id}.pem'
 
@@ -519,7 +523,8 @@ class HaproxyAmphoraLoadBalancerDriver(
                 pem = pem.encode('utf-8')
             except AttributeError:
                 pass
-            md5sum = md5(pem, usedforsecurity=False).hexdigest()  # nosec
+            md5sum = hashlib.md5(
+                pem, usedforsecurity=False).hexdigest()  # nosec
             name = f'{tls_cert.id}.pem'
             if amphora and obj_id:
                 self._upload_cert(amphora, obj_id, pem=pem,

octavia/api/drivers/amphora_driver/flavor_schema.py

@@ -53,5 +53,10 @@ SUPPORTED_FLAVOR_SCHEMA = {
             "description": "When true, the VIP port will be created using an "
                            "SR-IOV VF port."
         },
+        consts.ALLOW_MEMBER_SRIOV: {
+            "type": "boolean",
+            "description": "When true, users can request a member port be "
+                           "SR-IOV enabled at member creation time."
+        }
     }
 }

octavia/api/drivers/noop_driver/driver.py

@@ -50,7 +50,8 @@ class NoopManager:
         vip = data_models.VIP(vip_address=vip_address,
                               vip_network_id=vip_network_id,
                               vip_port_id=vip_port_id,
-                              vip_subnet_id=vip_subnet_id)
+                              vip_subnet_id=vip_subnet_id,
+                              vip_sg_ids=vip_dictionary.get('vip_sg_ids', []))
 
         vip_return_dict = vip.to_dict()
         additional_vip_dicts = additional_vip_dicts or []

octavia/api/drivers/utils.py

@@ -16,6 +16,7 @@ import copy
 
 from octavia_lib.api.drivers import data_models as driver_dm
 from octavia_lib.api.drivers import exceptions as lib_exceptions
+from octavia_lib.common import constants as lib_consts
 from oslo_config import cfg
 from oslo_context import context as oslo_context
 from oslo_log import log as logging
@@ -130,6 +131,7 @@ def lb_dict_to_provider_dict(lb_dict, vip=None, add_vips=None, db_pools=None,
         new_lb_dict['vip_port_id'] = vip.port_id
         new_lb_dict['vip_subnet_id'] = vip.subnet_id
         new_lb_dict['vip_qos_policy_id'] = vip.qos_policy_id
+        new_lb_dict[lib_consts.VIP_SG_IDS] = vip.sg_ids
     if 'flavor_id' in lb_dict and lb_dict['flavor_id']:
         flavor_repo = repositories.FlavorRepository()
         session = db_api.get_session()
@@ -460,6 +462,12 @@ def db_members_to_provider_members(db_members):
 
 def db_member_to_provider_member(db_member):
     new_member_dict = member_dict_to_provider_dict(db_member.to_dict())
+    if constants.REQUEST_SRIOV in new_member_dict:
+        request_sriov = new_member_dict.pop(constants.REQUEST_SRIOV)
+        if request_sriov:
+            new_member_dict[constants.VNIC_TYPE] = constants.VNIC_TYPE_DIRECT
+        else:
+            new_member_dict[constants.VNIC_TYPE] = constants.VNIC_TYPE_NORMAL
     return driver_dm.Member.from_dict(new_member_dict)
 
 
@@ -565,6 +573,8 @@ def vip_dict_to_provider_dict(vip_dict):
         new_vip_dict['vip_subnet_id'] = vip_dict['subnet_id']
     if 'qos_policy_id' in vip_dict:
         new_vip_dict['vip_qos_policy_id'] = vip_dict['qos_policy_id']
+    if constants.SG_IDS in vip_dict:
+        new_vip_dict[lib_consts.VIP_SG_IDS] = vip_dict[constants.SG_IDS]
     if constants.OCTAVIA_OWNED in vip_dict:
         new_vip_dict[constants.OCTAVIA_OWNED] = vip_dict[
             constants.OCTAVIA_OWNED]
@@ -596,6 +606,8 @@ def provider_vip_dict_to_vip_obj(vip_dictionary):
         vip_obj.subnet_id = vip_dictionary['vip_subnet_id']
     if 'vip_qos_policy_id' in vip_dictionary:
         vip_obj.qos_policy_id = vip_dictionary['vip_qos_policy_id']
+    if lib_consts.VIP_SG_IDS in vip_dictionary:
+        vip_obj.sg_ids = vip_dictionary[lib_consts.VIP_SG_IDS]
     if constants.OCTAVIA_OWNED in vip_dictionary:
         vip_obj.octavia_owned = vip_dictionary[constants.OCTAVIA_OWNED]
     return vip_obj

octavia/api/root_controller.py

@@ -148,7 +148,13 @@ class RootController:
         # HTTP Strict Transport Security (HSTS)
         self._add_a_version(versions, 'v2.27', 'v2', 'SUPPORTED',
                             '2023-05-05T00:00:00Z', host_url)
-        # Add port vnic_type for SR-IOV
-        self._add_a_version(versions, 'v2.28', 'v2', 'CURRENT',
+        # Add VIP port vnic_type for SR-IOV
+        self._add_a_version(versions, 'v2.28', 'v2', 'SUPPORTED',
                             '2023-11-08T00:00:00Z', host_url)
+        # Add VIP SGs
+        self._add_a_version(versions, 'v2.29', 'v2', 'SUPPORTED',
+                            '2024-10-15T00:00:00Z', host_url)
+        # Add member port SR-IOV support
+        self._add_a_version(versions, 'v2.30', 'v2', 'CURRENT',
+                            '2025-02-26T00:00:00Z', host_url)
         return {'versions': versions}

octavia/api/v2/controllers/base.py

@@ -64,9 +64,11 @@ class BaseController(pecan_rest.RestController):
         return converted
 
     @staticmethod
-    def _get_db_obj(session, repo, data_model, id, show_deleted=True):
+    def _get_db_obj(session, repo, data_model, id, show_deleted=True,
+                    limited_graph=False):
         """Gets an object from the database and returns it."""
-        db_obj = repo.get(session, id=id, show_deleted=show_deleted)
+        db_obj = repo.get(session, id=id, show_deleted=show_deleted,
+                          limited_graph=limited_graph)
         if not db_obj:
             LOG.debug('%(name)s %(id)s not found',
                       {'name': data_model._name(), 'id': id})
@@ -92,11 +94,13 @@ class BaseController(pecan_rest.RestController):
         listener_id = db_l7policy.listener_id
         return load_balancer_id, listener_id
 
-    def _get_db_pool(self, session, id, show_deleted=True):
+    def _get_db_pool(self, session, id, show_deleted=True,
+                     limited_graph=False):
         """Get a pool from the database."""
         return self._get_db_obj(session, self.repositories.pool,
                                 data_models.Pool, id,
-                                show_deleted=show_deleted)
+                                show_deleted=show_deleted,
+                                limited_graph=limited_graph)
 
     def _get_db_member(self, session, id, show_deleted=True):
         """Get a member from the database."""

octavia/api/v2/controllers/listener.py

@@ -157,7 +157,15 @@ class ListenersController(base.BaseController):
                     value=headers,
                     option=f'{listener_protocol} protocol listener.')
 
-    def _validate_cidr_compatible_with_vip(self, vips, allowed_cidrs):
+    def _validate_cidr_compatible_with_vip(self, db_vip: data_models.Vip,
+                                           vips: list[str],
+                                           allowed_cidrs: list[str]):
+        if allowed_cidrs and db_vip.sg_ids:
+            msg = _("Allowed CIDRs are not allowed when using custom VIP "
+                    "Security Groups.")
+            raise exceptions.ValidationException(
+                detail=msg)
+
         for cidr in allowed_cidrs:
             for vip in vips:
                 # Check if CIDR IP version matches VIP IP version
@@ -315,7 +323,8 @@ class ListenersController(base.BaseController):
             lock_session, id=lb_id)
         vip_addresses = [lb_db.vip.ip_address]
         vip_addresses.extend([vip.ip_address for vip in lb_db.additional_vips])
-        self._validate_cidr_compatible_with_vip(vip_addresses, allowed_cidrs)
+        self._validate_cidr_compatible_with_vip(lb_db.vip,
+                                                vip_addresses, allowed_cidrs)
 
         if _can_tls_offload:
             # Validate TLS version list
@@ -542,6 +551,7 @@ class ListenersController(base.BaseController):
                  for vip in db_listener.load_balancer.additional_vips]
             )
             self._validate_cidr_compatible_with_vip(
+                db_listener.load_balancer.vip,
                 vip_addresses, listener.allowed_cidrs)
 
         # Check TLS cipher prohibit list

octavia/api/v2/controllers/load_balancer.py

@@ -307,6 +307,19 @@ class LoadBalancersController(base.BaseController):
         # Multi-vip validation for ensuring subnets are "sane"
         self._validate_subnets_share_network_but_no_duplicates(load_balancer)
 
+        # Validate optional security groups
+        if load_balancer.vip_sg_ids:
+            for sg_id in load_balancer.vip_sg_ids:
+                validate.security_group_exists(sg_id, context=context)
+
+    def _validate_vnic_type(self, vnic_type: str,
+                            load_balancer: lb_types.LoadBalancerPOST):
+        if (vnic_type == constants.VNIC_TYPE_DIRECT and
+                load_balancer.vip_sg_ids):
+            msg = _("VIP Security Groups are not allowed with VNIC direct "
+                    "type")
+            raise exceptions.ValidationException(detail=msg)
+
     @staticmethod
     def _create_vip_port_if_not_exist(load_balancer_db):
         """Create vip port."""
@@ -433,7 +446,7 @@ class LoadBalancersController(base.BaseController):
 
     @wsme_pecan.wsexpose(lb_types.LoadBalancerFullRootResponse,
                          body=lb_types.LoadBalancerRootPOST, status_code=201)
-    def post(self, load_balancer):
+    def post(self, load_balancer: lb_types.LoadBalancerRootPOST):
         """Creates a load balancer."""
         load_balancer = load_balancer.loadbalancer
         context = pecan_request.context.get('octavia_context')
@@ -449,6 +462,10 @@ class LoadBalancersController(base.BaseController):
 
         self._auth_validate_action(context, load_balancer.project_id,
                                    constants.RBAC_POST)
+        if not isinstance(load_balancer.vip_sg_ids, wtypes.UnsetType):
+            self._auth_validate_action(
+                context, load_balancer.project_id,
+                f"{constants.RBAC_POST}:vip_sg_ids")
 
         self._validate_vip_request_object(load_balancer, context=context)
 
@@ -503,6 +520,9 @@ class LoadBalancersController(base.BaseController):
             else:
                 vip_dict[constants.VNIC_TYPE] = constants.VNIC_TYPE_NORMAL
 
+            self._validate_vnic_type(vip_dict[constants.VNIC_TYPE],
+                                     load_balancer)
+
             db_lb = self.repositories.create_load_balancer_and_vip(
                 lock_session, lb_dict, vip_dict, additional_vip_dicts)
 
@@ -716,6 +736,9 @@ class LoadBalancersController(base.BaseController):
 
         self._auth_validate_action(context, db_lb.project_id,
                                    constants.RBAC_PUT)
+        if not isinstance(load_balancer.vip_sg_ids, wtypes.UnsetType):
+            self._auth_validate_action(context, db_lb.project_id,
+                                       f"{constants.RBAC_PUT}:vip_sg_ids")
 
         if not isinstance(load_balancer.vip_qos_policy_id, wtypes.UnsetType):
             network_driver = utils.get_network_driver()
@@ -724,6 +747,15 @@ class LoadBalancersController(base.BaseController):
                 if db_lb.vip.qos_policy_id != load_balancer.vip_qos_policy_id:
                     validate.qos_policy_exists(load_balancer.vip_qos_policy_id)
 
+        if not isinstance(load_balancer.vip_sg_ids, wtypes.UnsetType):
+            if load_balancer.vip_sg_ids is None:
+                load_balancer.vip_sg_ids = []
+            else:
+                for sg_id in load_balancer.vip_sg_ids:
+                    validate.security_group_exists(sg_id, context=context)
+
+        self._validate_vnic_type(db_lb.vip.vnic_type, load_balancer)
+
         # Load the driver early as it also provides validation
         driver = driver_factory.get_driver(db_lb.provider)
 

octavia/api/v2/controllers/member.py

@@ -19,6 +19,7 @@ from oslo_log import log as logging
 from oslo_utils import excutils
 from oslo_utils import strutils
 from pecan import request as pecan_request
+from sqlalchemy.orm import exc as sa_exception
 from wsme import types as wtypes
 from wsmeext import pecan as wsme_pecan
 
@@ -73,7 +74,7 @@ class MemberController(base.BaseController):
 
         with context.session.begin():
             pool = self._get_db_pool(context.session, self.pool_id,
-                                     show_deleted=False)
+                                     show_deleted=False, limited_graph=True)
 
             self._auth_validate_action(context, pool.project_id,
                                        constants.RBAC_GET_ALL)
@@ -81,7 +82,8 @@ class MemberController(base.BaseController):
             db_members, links = self.repositories.member.get_all_API_list(
                 context.session, show_deleted=False,
                 pool_id=self.pool_id,
-                pagination_helper=pcontext.get(constants.PAGINATION_HELPER))
+                pagination_helper=pcontext.get(constants.PAGINATION_HELPER),
+                limited_graph=True)
         result = self._convert_db_to_type(
             db_members, [member_types.MemberResponse])
         if fields is not None:
@@ -145,10 +147,20 @@ class MemberController(base.BaseController):
         member = member_.member
         context = pecan_request.context.get('octavia_context')
 
+        flavor_dict = {}
         with context.session.begin():
             pool = self.repositories.pool.get(context.session, id=self.pool_id)
             member.project_id, provider = self._get_lb_project_id_provider(
                 context.session, pool.load_balancer_id)
+            if pool.load_balancer.flavor_id:
+                try:
+                    flavor_dict = (
+                        self.repositories.flavor.get_flavor_metadata_dict(
+                            context.session, pool.load_balancer.flavor_id))
+                except sa_exception.NoResultFound:
+                    LOG.error("load balancer has a flavor ID: %s that was not "
+                              "found in the database. Assuming no flavor.",
+                              pool.load_balancer.flavor_id)
 
         self._auth_validate_action(context, member.project_id,
                                    constants.RBAC_POST)
@@ -172,8 +184,23 @@ class MemberController(base.BaseController):
                 raise exceptions.QuotaException(
                     resource=data_models.Member._name())
 
-            member_dict = db_prepare.create_member(member.to_dict(
-                render_unsets=True), self.pool_id, bool(pool.health_monitor))
+            db_member_dict = member.to_dict(render_unsets=True)
+
+            # Validate and store port SR-IOV vnic_type
+            request_sriov = db_member_dict.pop('request_sriov')
+            if (request_sriov and not
+                    flavor_dict.get(constants.ALLOW_MEMBER_SRIOV, False)):
+                raise exceptions.MemberSRIOVDisabled
+            if request_sriov:
+                db_member_dict[constants.VNIC_TYPE] = (
+                    constants.VNIC_TYPE_DIRECT)
+            else:
+                db_member_dict[constants.VNIC_TYPE] = (
+                    constants.VNIC_TYPE_NORMAL)
+
+            member_dict = db_prepare.create_member(db_member_dict,
+                                                   self.pool_id,
+                                                   bool(pool.health_monitor))
 
             self._test_lb_and_listener_and_pool_statuses(context.session)
 
@@ -203,6 +230,28 @@ class MemberController(base.BaseController):
 
     def _graph_create(self, lock_session, member_dict):
         pool = self.repositories.pool.get(lock_session, id=self.pool_id)
+
+        # Validate and store port SR-IOV vnic_type
+        request_sriov = member_dict.pop('request_sriov')
+        flavor_dict = {}
+        if pool.load_balancer.flavor_id:
+            try:
+                flavor_dict = (
+                    self.repositories.flavor.get_flavor_metadata_dict(
+                        lock_session, pool.load_balancer.flavor_id))
+            except sa_exception.NoResultFound:
+                LOG.error("load balancer has a flavor ID: %s that was not "
+                          "found in the database. Assuming no flavor.",
+                          pool.load_balancer.flavor_id)
+        if (request_sriov and not
+                flavor_dict.get(constants.ALLOW_MEMBER_SRIOV, False)):
+            raise exceptions.MemberSRIOVDisabled
+
+        if request_sriov:
+            member_dict[constants.VNIC_TYPE] = constants.VNIC_TYPE_DIRECT
+        else:
+            member_dict[constants.VNIC_TYPE] = constants.VNIC_TYPE_NORMAL
+
         member_dict = db_prepare.create_member(
             member_dict, self.pool_id, bool(pool.health_monitor))
         db_member = self._validate_create_member(lock_session, member_dict)
@@ -439,6 +488,11 @@ class MembersController(MemberController):
                 m.project_id = db_pool.project_id
                 db_member_dict = m.to_dict(render_unsets=False)
                 db_member_dict.pop('id')
+                # We don't allow updating the vnic_type
+                # TODO(johnsom) Give the user an error once we change the
+                #               wsme type for batch member update to not use
+                #               the MemberPOST type
+                db_member_dict.pop(constants.REQUEST_SRIOV)
                 self.repositories.member.update(
                     context.session, m.id, **db_member_dict)
 

octavia/api/v2/types/load_balancer.py

@@ -26,6 +26,7 @@ class BaseLoadBalancerType(types.BaseType):
                           'vip_network_id': 'vip.network_id',
                           'vip_qos_policy_id': 'vip.qos_policy_id',
                           'vip_vnic_type': 'vip.vnic_type',
+                          'vip_sg_ids': 'vip.sg_ids',
                           'admin_state_up': 'enabled'}
     _child_map = {'vip': {
         'ip_address': 'vip_address',
@@ -33,7 +34,8 @@ class BaseLoadBalancerType(types.BaseType):
         'port_id': 'vip_port_id',
         'network_id': 'vip_network_id',
         'qos_policy_id': 'vip_qos_policy_id',
-        'vnic_type': 'vip_vnic_type'}}
+        'vnic_type': 'vip_vnic_type',
+        'sg_ids': 'vip_sg_ids'}}
 
 
 class AdditionalVipsType(types.BaseType):
@@ -57,6 +59,7 @@ class LoadBalancerResponse(BaseLoadBalancerType):
     vip_port_id = wtypes.wsattr(wtypes.UuidType())
     vip_subnet_id = wtypes.wsattr(wtypes.UuidType())
     vip_network_id = wtypes.wsattr(wtypes.UuidType())
+    vip_sg_ids = wtypes.wsattr([wtypes.UuidType()])
     additional_vips = wtypes.wsattr([AdditionalVipsType])
     listeners = wtypes.wsattr([types.IdOnlyType])
     pools = wtypes.wsattr([types.IdOnlyType])
@@ -78,6 +81,7 @@ class LoadBalancerResponse(BaseLoadBalancerType):
             result.vip_network_id = data_model.vip.network_id
             result.vip_qos_policy_id = data_model.vip.qos_policy_id
             result.vip_vnic_type = data_model.vip.vnic_type
+            result.vip_sg_ids = data_model.vip.sg_ids
         result.additional_vips = [
             AdditionalVipsType.from_data_model(i)
             for i in data_model.additional_vips]
@@ -131,6 +135,7 @@ class LoadBalancerPOST(BaseLoadBalancerType):
     vip_subnet_id = wtypes.wsattr(wtypes.UuidType())
     vip_network_id = wtypes.wsattr(wtypes.UuidType())
     vip_qos_policy_id = wtypes.wsattr(wtypes.UuidType())
+    vip_sg_ids = wtypes.wsattr([wtypes.UuidType()])
     additional_vips = wtypes.wsattr([AdditionalVipsType], default=[])
     project_id = wtypes.wsattr(wtypes.StringType(max_length=36))
     listeners = wtypes.wsattr([listener.ListenerSingleCreate], default=[])
@@ -152,6 +157,7 @@ class LoadBalancerPUT(BaseLoadBalancerType):
     description = wtypes.wsattr(wtypes.StringType(max_length=255))
     vip_qos_policy_id = wtypes.wsattr(wtypes.UuidType())
     admin_state_up = wtypes.wsattr(bool)
+    vip_sg_ids = wtypes.wsattr([wtypes.UuidType()])
     tags = wtypes.wsattr(wtypes.ArrayType(wtypes.StringType(max_length=255)))
 
 

octavia/api/v2/types/member.py

@@ -42,6 +42,7 @@ class MemberResponse(BaseMemberType):
     monitor_address = wtypes.wsattr(types.IPAddressType())
     monitor_port = wtypes.wsattr(wtypes.IntegerType())
     tags = wtypes.wsattr(wtypes.ArrayType(wtypes.StringType()))
+    vnic_type = wtypes.wsattr(wtypes.StringType())
 
     @classmethod
     def from_data_model(cls, data_model, children=False):
@@ -85,6 +86,7 @@ class MemberPOST(BaseMemberType):
         default=None)
     monitor_address = wtypes.wsattr(types.IPAddressType(), default=None)
     tags = wtypes.wsattr(wtypes.ArrayType(wtypes.StringType(max_length=255)))
+    request_sriov = wtypes.wsattr(bool, default=False)
 
 
 class MemberRootPOST(types.BaseType):
@@ -129,6 +131,7 @@ class MemberSingleCreate(BaseMemberType):
         minimum=constants.MIN_PORT_NUMBER, maximum=constants.MAX_PORT_NUMBER))
     monitor_address = wtypes.wsattr(types.IPAddressType())
     tags = wtypes.wsattr(wtypes.ArrayType(wtypes.StringType(max_length=255)))
+    request_sriov = wtypes.wsattr(bool, default=False)
 
 
 class MemberStatusResponse(BaseMemberType):