237 Commits

Author SHA1 Message Date
92a34dbe95 Configure placement section in neutron conf
Without it segment plugin fails to connect with
placement api. Configure the placement section
if service is deployed.

Closes-Bug: #1973783
Change-Id: Ie7f37770a04f622735cf2263c601257669ab5064
2022-05-18 15:27:40 +05:30
Grzegorz Grasza
8615563df4 Global option for enforcing scope (ENFORCE_SCOPE)
This updates each devstack service library, to use it as the
default value for service-specific RBAC configuration.

Change-Id: I41061d042206c411ee3dd94ce91098e612af7ae7
2022-04-26 14:17:20 +02:00
Slawek Kaplonski
24b65adc9c Deploy Neutron with enforced new RBAC rules
This patch adds new config option NEUTRON_ENFORCE_NEW_DEFAULTS which
if set to True will deploy Neutron with enforced new rbac defaults and
scopes.
It will also use SYSTEM_ADMIN user to interact with Neutron where it is
needed.

Depends-On: https://review.opendev.org/c/openstack/neutron/+/798821

Change-Id: I14d934f0deced34d74003b92824cad3c44ec4f5e
2021-12-20 14:42:35 +01:00
Slawek Kaplonski
faed11d2a1 Add missing ml2, L2 and L3 agent functions to devstack
Previously those functions were defined in the neutron's devstack plugin
but with [1] we moved qos related code into devstack and we missed
moving them too.
This is follow up patch to fix that issue.

[1] https://review.opendev.org/c/openstack/devstack/+/815686

Change-Id: Icf459a2f8c6ae3c3cb29b16ba0b92766af41af30
2021-11-18 16:42:40 +01:00
Slawek Kaplonski
f9a896c6e6 Rehome functions to enable Neutron's QoS service
Those functions were part of the neutron devstack plugin but we
discussed it during last PTG [1] and decided to move to the Devstack
repo as plugins which are used by e.g. CI jobs which are defined outside
of the neutron repository.
QoS service is used e.g. in the tempest-slow job which is
defined in tempest and used by many different OpenStack projects.

[1] https://etherpad.opendev.org/p/neutron-yoga-ptg#L142

Change-Id: I48f65d530db53fe2c94cad57a8072e1158d738b0
2021-11-13 19:52:06 +00:00
Zuul
483e7e243a Merge "Rehome functions to enable Neutron's placement integration" 2021-11-13 19:02:48 +00:00
Zuul
2000d0ccf3 Merge "neutron-legacy: Remove no longer necessary vpnaas conditional" 2021-11-09 13:59:10 +00:00
Slawek Kaplonski
7f6d9283b8 Rehome functions to enable Neutron's placement integration
Those functions were part of the neutron devstack plugin but we
discussed it during last PTG [1] and decided to move to the Devstack
repo as plugins which are used by e.g. CI jobs which are defined outside
of the neutron repository.
Placement integration is used e.g. in the tempest-slow job which is
defined in tempest and used by many different OpenStack projects.

[1] https://etherpad.opendev.org/p/neutron-yoga-ptg#L142

Change-Id: Ib86071881f16de1b69c0f9b1b19b6df8b7e66a07
2021-10-27 16:40:30 +02:00
Slawek Kaplonski
f758b60a4b Rehome functions to enable Neutron's Trunk service plugin
Those functions were part of the neutron devstack plugin but we
discussed on the neutron team meeting [1] to move it to the Devstack
repo as it's mature enough now.

[1] https://meetings.opendev.org/meetings/networking/2021/networking.2021-10-05-14.00.log.html#l-156

Change-Id: I35446adad1d8a7fed142d834de20c48b611015a5
2021-10-06 12:04:26 +02:00
Slawek Kaplonski
b1a89eb80b Configure access to physical network also with ML2/OVN backend
Neutron L3 module in Devstack has a way to configure access to physical
network on the node. It can put physical interface to the physical
bridge or, in case when such physical device isn't set, it creates
NAT rule in iptables.

The same operation was missing for ML2/OVN backend as L3 agent is
not used there at all.

This patch adds the same to be done in both L3 agent and ovn_agent
modules.

Closes-Bug: #1939627
Change-Id: I9e558d1d5d3edbce9e7a025ba3c11267f1579820
2021-08-31 12:41:47 +00:00
Nate Johnston
efc04eec00 Look for ipv6 routes so ipv6-only jobs will not fail
For change 739139 [1] PS 12, the
neutron-tempest-plugin-scenario-linuxbridge died in devstack with
"/opt/stack/devstack/functions-common:237 Failure retrieving default
route device", which comes from
"/opt/stack/devstack/lib/neutron-legacy:237:die_if_not_set".

Looking at the worlddump.txt for that job [2] I see that there is a
default ipv6 route; the vm was not configured with ipv4 networking.

    ip route
    --------

    ip -6 route
    -----------

    ::1 dev lo proto kernel metric 256 pref medium
    2607:ff68:100:54::/64 dev ens3 proto kernel metric 256 expires 86380sec pref medium
    fe80::/64 dev ens3 proto kernel metric 256 pref medium
    default via fe80::f816:3eff:fe77:b05c dev ens3 proto ra metric 1024 expires 280sec hoplimit 64 pref medium

Looking at the devstack code that throws the error [3] it looks like
it only looks for a default route in the output of `ip route`, which
does not include ipv6 information.  This change should look in both
the ipv4 and ipv6 route table.  A similar check in the L3 setup code
is also updated.

[1] https://review.opendev.org/#/c/739139/
[2] https://d4eb7e3efe98cba79a4b-f4d168cdb20f40841821e4b213645c0f.ssl.cf2.rackcdn.com/739139/12/gate/neutron-tempest-plugin-scenario-linuxbridge/9a6b4f7/controller/logs/worlddump-latest.txt
[3] https://opendev.org/openstack/devstack/src/branch/master/lib/neutron-legacy#L236

Closes-Bug: #1902002
Change-Id: I839e8c222368df98fec308cf41248a9dd0a8c187
2020-11-09 17:05:38 -05:00
Jens Harbott
47f76acbba Determine default IPv4 route device only when needed
Sometimes instances don't have an IPv4 default route, so only check for
it when we actually need it. In a followup patch we could extend the
code to check for an IPv6 default route instead or in addition.

Related-Bug: 1902002
Change-Id: Ie6cd241721f6b1f8e030960921a696939b2dab10
2020-10-30 09:43:55 +01:00
Lucas Alvares Gomes
e7625fc72c [OVN] Follow up of OVN module migration to DevStack
This patch is a follow-up of Ib4194329474e8d68a90886d2a04f027eecd741df.

This patch removes the configure_port_forwarding call from the
neutron-legacy module because port forwarding (just like other
extensions such as DNS, QOS, etc...) are already enabled in the
plugin.sh file in the neutron repository [0]. The
configure_port_forwarding method itself is also defined in the neutron
repository so calling it here may result in a failure in case the plugin
is not enabled.

We are also removing the "dns" extensions from the default
Q_ML2_PLUGIN_EXT_DRIVERS variable because this extension conflicts with
the default DNS extensions that is enabled by Neutron when
q-dns/neutron-dns service is enabled (also in [0]). The LP for this
conflict problem is: https://bugs.launchpad.net/neutron/+bug/1887163.

[0]
945a244588/devstack/plugin.sh (L101-L103)

Change-Id: Iafb9e45520798b2a612192cfc6cca28501465862
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
2020-08-26 09:46:35 +01:00
Lucas Alvares Gomes
1d468d45db [OVN] Move OVN module from Neutron to DevStack
As part of the Victoria PTG the Neutron team entertained the idea of
having the OVN driver as the default backend in DevStack (this hasn't
yet been decided by the community, this will be discussed within this
cycle).

For this to happen, we also would need to move the module that configures
OVN to the DevStack repository. This is what this patch is doing.

Note that we are updating the lib/neutron-legacy module instead of
lib/neutron in this patch, this is because as part of the PTG the
Neutron team has decided to un-deprecate the neutron-legacy module since
the "new" lib/neutron module is broken and nobody is currently working on
it (also all services use neutron-legacy).

Also, the ovsdbapp has been added to the ALL_LIBS list because a gate
job in the ovsdbapp project repository relies on installing the library
from source instead of pip to run.

Depends-On: https://review.opendev.org/#/c/740663/
Change-Id: Ib4194329474e8d68a90886d2a04f027eecd741df
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
2020-08-11 15:47:01 +01:00
Zuul
46e74f339d Merge "Prepare for dropping keystone admin endpoint" 2020-06-27 12:25:29 +00:00
Jens Harbott
32c00890ed Prepare for dropping keystone admin endpoint
Keystone no longer has any special functionality hidden behind the admin
endpoint. Stop referencing it in consumers, so it can later be dropped
completely.

Change-Id: I04a5d77908005268cc7c59e7e9ddeea70f6732e2
2020-06-26 15:26:22 +02:00
Rodolfo Alonso Hernandez
ca486c5259 Provide integer number to arping "-w" parameter
Some arping versions only accept an integer number for the
"deadline" (-w) parameter.

Change-Id: Ie21c9b5820262d049c0fcd8147d85cc110d88272
Closes-Bug: #1885169
2020-06-25 18:22:28 +00:00
Zuul
038ea9ab92 Merge "Undeprecate neutron-legacy scripts" 2020-06-15 17:15:45 +00:00
Ian Wienand
312517d510 Use uwsgi binary from path
All these uwsgi invocations assume that the uwsgi binary is in the
same directory as their project binaries are installed into (probably
/usr/bin).  That may not be correct -- for example if using a packaged
uwsgi on Fedora the binary will live in /usr/sbin/uwsgi (not /usr/bin
where the project files from pip are).

Switch invocations to just find it in the path.

Change-Id: I298e3374e9c84e209ffcabbaaacda17f8df19f4f
2020-06-01 15:48:16 +00:00
Dr. Jens Harbott
f6597b1b46 Undeprecate neutron-legacy scripts
Work on the new neutron scripts has stalled and they aren't in a useable
state yet. Given the ongoing decline in contributions, let us
acknowledge this and undeprecate the neutron-legacy scripts so that
people can continue to use them without feeling guilty about it.

Change-Id: I4bce19da861abf18ddb89d82fd312c5e49a4ee7c
2020-01-29 15:46:35 +00:00
Stephen Finucane
f9ff151549 Stop configuring '[DEFAULT] use_neutron' for nova
This has now been removed and even prior to removal defaulted to True.

Change-Id: I847a873d833a4dbee96afa1d2726fea2b8045eeb
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2020-01-16 10:52:52 +00:00
Stephen Finucane
248d4bb8d2 Stop configuring '[DEFAULT] firewall_driver' for nova
This option has defaulted to the 'NoopFirewallDriver' for some time and
will soon be removed. Stop configuring it entirely.

Change-Id: I4dbc0015cf26d7edf51d0d5fd978ccd3a1ad1b79
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2020-01-16 09:27:54 +00:00
Dirk Mueller
8ab64b3236 Drop signing_dir option from configure_auth_token_middleware
This is no longer being used due to Keystone PKI tokens no longer
being implemented.

In order to not break backward compatibility we create a new function
that is to be used instead and deprecate the old one. Modify the old
function to ignore the 3rd argument and display a deprecation warning.
Adjust callers to no longer create and set that directory, calling the
new function instead.

Change-Id: Id0dec1ba72467cce5cacfcfdb2bc0af2bd3a3610
2019-06-28 16:28:03 +00:00
Stephen Finucane
4b8cba77fe Remove n-cells, n-net and n-cauth
Remove nova cells v1 support, which also allows/necessitates removing
support for nova networks (which was only supported with cells v1) and
nova-consoleauth (which was required by cells v1 but is unnecessary
otherwise).

The Depends-On isn't really necessary, but it's here to make sure this
doesn't merge until we _really_ have killed cells v1.

I honestly expected this patch would be bigger.

Change-Id: I90316208d1af42c1659d3bee386f95e38aaf2c56
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Depends-On: Ib0e0b708c46e4330e51f8f8fdfbb02d45aaf0f44
2019-05-31 15:10:05 +01:00
Zuul
d5a3a3e23f Merge "Use trueorfalse for NEUTRON_DEPLOY_MOD_WSGI" 2019-03-17 14:52:46 +00:00
Jens Harbott
3492feeedd Use trueorfalse for NEUTRON_DEPLOY_MOD_WSGI
Current code assumes the variable is being set to either "True" or
"False", which will lead to weird errors if it is being set to something
like "true" instead.

Change-Id: I88983c9150efad882cd867c2d14d86ba6b2522c9
2018-11-30 13:57:17 +00:00
Akihiro Motoki
80769c5714 Migration logic for neutron policy-in-code
Neutron is in a process to migrate to policy-in-code.
DevStack needs to be able to handle both cases with and
without policy.json in the neutron repo.

Note that nova assumes neutron API access with admin
so user_name:neutron needs to be included in context_is_admin
to make DevStack work properly. Hopefully this can be cleaned up
but this is a separate topic from policy-in-code.

Needed-By: https://review.openstack.org/#/c/585037/
Change-Id: Id1b0600d92e839ade1790a15c372e82e8e16ee9f
2018-11-24 01:42:34 +09:00
zhubx007
59f50c7967 BUG Fix: add sudo to run command arping
Set 'PUBLIC_INTERFACE' in local.conf, so the code will
be entered into _move_neutron_addresses_route of
neutron-legacy.

But if lack of sudo to run command arping, the information
"arping: socket: Operation not permitted" occurs. So add
'sudo' for 'ARP_CMD' of lib/neutron-legacy.

Change-Id: I8ac8a9bc2bbba049c45b28bf9b93d9a10e398fe6
Closes-Bug: #1783046
2018-08-08 15:09:01 +08:00
Kevin Benton
66b361b538 WSGI Neutron integration
This patch provides a new mechanism to deploy Neutron using
WSGI script. This also starts a Neutron RPC server process
when the Neutron API is loaded via a WSGI entry point to
serve the agents.

Co-Authored-By: Victor Morales <victor.morales@intel.com>
Co-Authored-By: Nguyen Phuong An <AnNP@vn.fujitsu.com>

Change-Id: I16a199b04858bfc03ef50d9883154dba8b0d66ea
Depends-On: https://review.openstack.org/#/c/580049/
Partially-implements: blueprint run-in-wsgi-server
2018-07-30 12:30:37 +07:00
Zuul
5da7e4a22e Merge "Fix running with SERVICE_IP_VERSION=6" 2018-07-10 06:10:28 +00:00
Lucas Alvares Gomes
e638593624 Make configure_neutron_nova_new and create_nova_conf_neutron param optional
The commit e95f2a36645b58b172855213cb8311a3486bfcd9 broke
networking-ovn (and potentially other ml2 drivers) by making the config
parameter mandatory. It doesn't need to be.

Change-Id: I0d5738ac3a6d27ddb7655835d77689409a6ff6f4
2018-06-28 11:24:47 +01:00
Matt Riedemann
e95f2a3664 Configure [neutron] in nova_cell*.conf
The nova-conductor service running in the cell
needs to be configured to talk to neutron for
things like deallocating networks during server
build failure. This changes the configure_neutron_nova
flows such that the top-level nova.conf is configured
as before, but we also configure each nova_cell*.conf
cell conductor config files to also be able to talk
to neutron.

Change-Id: Ic5e17298996b5fb085272425bb3b68583247aa34
Closes-Bug: #1777505
2018-06-18 16:20:39 -04:00
Zuul
07241f8b8a Merge "neutron: Do no longer set "url" in nova.conf" 2018-03-18 17:24:30 +00:00
Jens Harbott
dc7b429463 Fix running with SERVICE_IP_VERSION=6
- There are some locations where we need the raw IPv6 address instead of the
  url-quoted version enclosed in brackets.
- Make nova-api-metadata service listen on IPv6 when we need that.
- Use SERVICE_HOST instead of HOST_IP for TLS_IP.

Change-Id: Id074be38ee95754e88b7219de7d9beb06f796fad
Partial-Bug: 1656329
2018-03-11 08:53:41 +00:00
Zuul
4b41c304aa Merge "Change lib/neutron-legacy to use openstackclient" 2018-03-05 16:40:06 +00:00
Thomas Bechtold
ca61966f47 neutron: Do no longer set "url" in nova.conf
Since [1], "url" in the [neutron] section in nova.conf should no
longer be set.

[1]
6cde77ebba

Depends-On: https://review.openstack.org/548572
Related-Bug: #1752289
Change-Id: Ied6c155da9d51a25ba7a524e69d018d39ed3442c
2018-02-28 16:40:38 +01:00
Brian Haley
4bc42c7197 Change lib/neutron-legacy to use openstackclient
neutronclient has been deprecated, use openstack.

Change-Id: I55ea7b8c90b54c05aa0e3f3d4543732e516dc2e6
2017-11-16 17:20:21 +00:00
Brian Haley
efc5168245 Replace deprecated nova_metadata_ip
Option nova_metadata_ip was deprecated in favor
of nova_metadata_host.  lib/neutron was updated
recently but lib/neutron-legacy was missed.

Change-Id: Iadd42458dda705ad0c24aa4ab2afd5b27dd8f0e1
2017-11-10 00:50:48 -05:00
YAMAMOTO Takashi
6839d42819 neutron-legacy: Remove no longer necessary vpnaas conditional
VPNaaS agent is going to be an L3 agent extension.

Related-Bug: #1692128
Depends-On: I0b86c432e4b2210e5f2a73a7e3ba16d10467f0f2
Change-Id: Id827274b7c74cdf71db6d1f2ab3eadb5fef099f5
2017-10-17 12:59:27 +09:00
Ian Wienand
1f82f43016 Revert "Remove cache dirs from the services"
This reverts commit ef5ebed6c9ca3d9d47fd2a732a1542555a0f65ba.

The problem here is a backwards-incompatible change to
configure_auth_token_middleware.  Plugins are still passing a
"signing_dir" which is interpreted now as the "section" argument
... this leads to an interesting red-herring issue; because "v" is a
gnu sed command for checking the version, a signing_dir of "/var/..."
(as done in most plugins) gives the weird error:

 sed: -e expression #1, char 32: expected newer version of sed

I think we'll either need a new function, or dummy arguments to get
this back in.

Change-Id: I2098d4eb2747282622cf486fa7dbf216f932f58b
2017-10-04 09:54:43 +11:00
Jamie Lennox
ef5ebed6c9 Remove cache dirs from the services
PKI tokens have been actively deprecated from keystone and there are
deprecations being emitted from keystonemiddleware. Because of this we
no longer need an auth cache directory in the services where the PKI
certificates used to be stored.

Remove the creation and use of all these AUTH_CACHE directories.

Change-Id: I5680376e70e74882e9fdb87ee1b95d5f40570ad7
2017-09-26 10:10:11 +10:00
Jenkins
86bdfffbe0 Merge "clean up screen and tail_log references" 2017-09-19 13:23:02 +00:00
Brian Haley
e43dfdd453 Change lib/neutron-legacy to not enable linuxbridge for DVR
DVR isn't supported by the Linux Bridge agent, but the
mechanism driver is enabled by default, so Neutron attempts
port-bindings for it, generating ERRORS in the neutron-server
log in the check and gate jobs.  Just remove it in the DVR case.

Change-Id: Ic50e12e5fecf366a182c141b5c99649e653254cb
Closes-bug: #1716782
2017-09-12 16:13:26 -06:00
Sean Dague
0eebeb415a clean up screen and tail_log references
Change-Id: I6bcfa09931ed1f70e071ccb16688c15c7ef2898f
2017-09-01 15:08:17 -04:00
Jens Harbott
411c34da69 Fix URLs when running with tls-proxy enabled
Various services are returning broken links when running behind
tls-proxy. These issues can be fixed by setting the X-Forwarded-Proto
header in the apache config and letting oslo_middleware parse it.

Change-Id: Ibe5dbdc4644ec812f0435f59319666fc336c195a
Partial-Bug: 1713731
2017-08-29 14:40:26 +00:00
Clark Boylan
633dbc3d8e Track db sync command time usage
We are trying to keep better track of what pieces of devstack consume
the most time. Add the db sync commands to the time tracking as they run
the database migrations which can take more time than expected.

Change-Id: Ib92f2b8304ccf703712d45fd7207444de3599e2d
2017-06-14 12:09:21 -07:00
Jenkins
caad9221e0 Merge "default gateway regex: use exact match for iface name" 2017-05-08 03:15:07 +00:00
Sean Dague
c13b8a1f33 try to use unversioned keystone endpoints everywhere
Change-Id: Iad2a3654d8ba181a7ad452d8aba872a8313d4ece
2017-05-01 09:12:20 -04:00
Jenkins
a8204752e3 Merge "neutron-legacy: Defer service_plugins configuration" 2017-04-26 21:22:09 +00:00
Andreas Scheuring
92e6b1a0e8 default gateway regex: use exact match for iface name
Whether the current interface has a default gateway configured is
determined by the regex

  default.+<interface-name>

If for example 'enc1' is used, but also an interface 'enc1800' is
present, the regex will also match the 'enc1800' default gateway.

This patch fixes this by looking for <interface-name><white-space>.
This way 'enc1800' is not matched.

Change-Id: Id1d58f5be6296c3a37aef788359ae8fe0fe11d8b
2017-04-26 16:02:06 +00:00