Without it segment plugin fails to connect with
placement api. Configure the placement section
if service is deployed.
Closes-Bug: #1973783
Change-Id: Ie7f37770a04f622735cf2263c601257669ab5064
This updates each devstack service library, to use it as the
default value for service-specific RBAC configuration.
Change-Id: I41061d042206c411ee3dd94ce91098e612af7ae7
This patch adds new config option NEUTRON_ENFORCE_NEW_DEFAULTS which
if set to True will deploy Neutron with enforce new rbac defaults and
scopes.
It will also use SYSTEM_ADMIN user to interact with Neutron where it is
needed.
Depends-On: https://review.opendev.org/c/openstack/neutron/+/798821
Change-Id: I14d934f0deced34d74003b92824cad3c44ec4f5e
Previously those functions were defined in the neutron's devstack plugin
but with [1] we moved qos related code into devstack and we missed about
moving them too.
This is follow up patch to fix that issue.
[1] https://review.opendev.org/c/openstack/devstack/+/815686
Change-Id: Icf459a2f8c6ae3c3cb29b16ba0b92766af41af30
Those functions were part of the neutron devstack plugin but we
discussed it during last PTG [1] and decided to move to the Devstack
repo plugins which are used by e.g. CI jobs which are defined outside
of the neutron repository.
QoS service is used e.g. in the tempest-slow job which is
defined in tempest and used by many different OpenStack projects.
[1] https://etherpad.opendev.org/p/neutron-yoga-ptg#L142
Change-Id: I48f65d530db53fe2c94cad57a8072e1158d738b0
Those functions were part of the neutron devstack plugin but we
discussed it during last PTG [1] and decided to move to the Devstack
repo as plugins which are used by e.g. CI jobs which are defined outside
of the neutron repository.
Placement integration is used e.g. in the tempest-slow job which is
defined in tempest and used by many different OpenStack projects.
[1] https://etherpad.opendev.org/p/neutron-yoga-ptg#L142
Change-Id: Ib86071881f16de1b69c0f9b1b19b6df8b7e66a07
Neutron L3 module in Devstack has way to conigure access to physical
network on the node. It can put physical interface to the physical
bridge or, in case when such physical device isn't set, it creates
NAT rule in iptables.
There was missing the same operation for ML2/OVN backend as L3 agent is
not used there at all.
This patch adds the same to be done in both L3 agent and ovn_agent
modules.
Closes-Bug: #1939627
Change-Id: I9e558d1d5d3edbce9e7a025ba3c11267f1579820
For change 739139 [1] PS 12, the
neutron-tempest-plugin-scenario-linuxbridge died in devstack with
"/opt/stack/devstack/functions-common:237 Failure retrieving default
route device", which comes from
"/opt/stack/devstack/lib/neutron-legacy:237:die_if_not_set".
Looking at the worlddump.txt for that job [2] I see that there is a
default ipv6 route; the vm was not configured with ipv4 networking.
ip route
--------
ip -6 route
-----------
::1 dev lo proto kernel metric 256 pref medium
2607:ff68:100:54::/64 dev ens3 proto kernel metric 256 expires 86380sec pref medium
fe80::/64 dev ens3 proto kernel metric 256 pref medium
default via fe80::f816:3eff:fe77:b05c dev ens3 proto ra metric 1024 expires 280sec hoplimit 64 pref medium
Looking at the devstack code that throws the error [3] it looks like
it only looks for a default route in the output of `ip route`, which
does not include ipv6 information. This change should look in both
the ipv4 and ipv6 route table. A similar check in the L3 setup code
is also updated.
[1] https://review.opendev.org/#/c/739139/
[2] https://d4eb7e3efe98cba79a4b-f4d168cdb20f40841821e4b213645c0f.ssl.cf2.rackcdn.com/739139/12/gate/neutron-tempest-plugin-scenario-linuxbridge/9a6b4f7/controller/logs/worlddump-latest.txt
[3] https://opendev.org/openstack/devstack/src/branch/master/lib/neutron-legacy#L236
Closes-Bug: #1902002
Change-Id: I839e8c222368df98fec308cf41248a9dd0a8c187
Sometimes instances don't have an IPv4 default route, so only check for
it when we actually need it. In a followup patch we could extend the
code to check for an IPv6 default route instead or in addition.
Related-Bug: 1902002
Change-Id: Ie6cd241721f6b1f8e030960921a696939b2dab10
This patch is a follow-up of Ib4194329474e8d68a90886d2a04f027eecd741df.
This patch removes the configure_port_forwarding call from the
neutron-legacy module because port forwarding (just like other
extensions such as DNS, QOS, etc...) are already enabled in the
plugin.sh file in the neutron repository [0]. The
configure_port_forwarding method itself is also defined in the neutron
repository so calling it here may result in a failure in case the plugin
is not enabled.
We are also removing the "dns" extensions from the default
Q_ML2_PLUGIN_EXT_DRIVERS variable because this extension conflicts with
the default DNS extensions that is enabled by Neutron when
q-dns/neutron-dns service is enabled (also in [0]). The LP for this
conflict problem is: https://bugs.launchpad.net/neutron/+bug/1887163.
[0]
945a244588/devstack/plugin.sh (L101-L103)
Change-Id: Iafb9e45520798b2a612192cfc6cca28501465862
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
As part of the Victoria PTG the Neutron team entertained the idea of
having the OVN driver as the default backend in DevStack (this hasn't
yet being decided by the community, this will be discussed within this
cycle).
For this to happen, we also would need to move the module that configures
OVN to the DevStack repository. This is what this patch is doing.
Note that we are updating the lib/neutron-legacy module instead of
lib/neutron in this patch, this is because as part of the PTG the
Neutron team has decided to un-deprecate the neutron-legacy module since
the "new" lib/neutron module is broken and nobody is current working on
it (also all services uses neutron-legacy).
Also, the ovsdbapp has been added to the ALL_LIBS list because a gate
job in the ovsdbapp project repository relies on installing the library
from source instead of pip to run.
Depends-On: https://review.opendev.org/#/c/740663/
Change-Id: Ib4194329474e8d68a90886d2a04f027eecd741df
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
Keystone no longer has any special functionality hidden behind the admin
endpoint. Stop referencing it in consumers, so it can later be dropped
completely.
Change-Id: I04a5d77908005268cc7c59e7e9ddeea70f6732e2
Some arping versions only accept an integer number for the
"deadline" (-w) parameter.
Change-Id: Ie21c9b5820262d049c0fcd8147d85cc110d88272
Closes-Bug: #1885169
All these uwsgi invocations assume that the uwsgi binary is in the
same directory as their project binaries are installed into (probably
/usr/bin). That may not be correct -- for example if using a packaged
uwsgi on Fedora the binary will live in /usr/sbin/uwsgi (not /usr/bin
where the project files from pip are).
Switch invocations to just find it in the path.
Change-Id: I298e3374e9c84e209ffcabbaaacda17f8df19f4f
Work on the new neutron scripts has stalled and they aren't in a useable
state yet. Given the ongoing decline in contributions, let us
acknowledge this and undeprecate the neutron-legacy scripts so that
people can continue to use them without feeling guilty about it.
Change-Id: I4bce19da861abf18ddb89d82fd312c5e49a4ee7c
This has now been removed and even prior to removal defaulted to True.
Change-Id: I847a873d833a4dbee96afa1d2726fea2b8045eeb
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
This option has default to the 'NoopFirewallDriver' for some time and
will soon be removed. Stop configuring it entirely.
Change-Id: I4dbc0015cf26d7edf51d0d5fd978ccd3a1ad1b79
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
This is no longer being used due to Keystone PKI tokens no longer
being implemented.
In order to not break backward compatibility we create a new function
that is to be used instead and deprecate the old one. Modify the old
function to ignore the 3rd argument and display a deprecation warning.
Adjust callers to no longer create and set that directory, calling the
new function instead.
Change-Id: Id0dec1ba72467cce5cacfcfdb2bc0af2bd3a3610
Remove nova cells v1 support, which also allows/necessitates removing
support for nova networks (which was only supported with cells v1) and
nova-consoleauth (which was required by cells v1 but is unnecessary
otherwise).
The Depends-On isn't really necessary, but it's here to make sure this
doesn't merge until we _really_ have killed cells v1.
I honestly expected this patch would be bigger.
Change-Id: I90316208d1af42c1659d3bee386f95e38aaf2c56
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Depends-On: Ib0e0b708c46e4330e51f8f8fdfbb02d45aaf0f44
Current code assumes the variable is being set to either "True" or
"False", which will lead to weird errors if it is being set to something
like "true" instead.
Change-Id: I88983c9150efad882cd867c2d14d86ba6b2522c9
Neutron is in a process to migrate to policy-in-code.
DevStack needs to be able to handle both cases with and
without policy.json in the neutron repo.
Note that nova assumes neutron API access with admin
so user_name:neutron needs to be included in context_is_admin
to make DevStack work properly. Hopefully this can be cleanup
but this is a separate topic from policy-in-code.
Needed-By: https://review.openstack.org/#/c/585037/
Change-Id: Id1b0600d92e839ade1790a15c372e82e8e16ee9f
Set 'PUBLIC_INTERFACE' in local.conf, so the code will
be entered into _move_neutron_addresses_route of
neutron-legacy.
But if lack of sudo to run command arping, the information
"arping: socket: Operation not permitted" occurs. So add
'sudo' for 'ARP_CMD' of lib/neutron-legacy.
Change-Id: I8ac8a9bc2bbba049c45b28bf9b93d9a10e398fe6
Closes-Bug: #1783046
This patch provides a new mechanism to deploy Neutron using
WSGI script. This also starts a Neutron RPC server process
when the Neutron API is loaded via a WSGI entry point to
serve the agents.
Co-Authored-By: Victor Morales <victor.morales@intel.com>
Co-Authored-By: Nguyen Phuong An <AnNP@vn.fujitsu.com>
Change-Id: I16a199b04858bfc03ef50d9883154dba8b0d66ea
Depends-On: https://review.openstack.org/#/c/580049/
Partially-implements: blueprint run-in-wsgi-server
The commit e95f2a36645b58b172855213cb8311a3486bfcd9 broke
networking-ovn (and potentially other ml2 drivers) by making the config
parameter mandatory. It doesn't need to be.
Change-Id: I0d5738ac3a6d27ddb7655835d77689409a6ff6f4
The nova-conductor service running in the cell
needs to be configured to talk to neutron for
things like deallocating networks during server
build failure. This changes the configure_neutron_nova
flows such that the top-level nova.conf is configured
as before, but we also configure each nova_cell*.conf
cell conductor config files to also be able to talk
to neutron.
Change-Id: Ic5e17298996b5fb085272425bb3b68583247aa34
Closes-Bug: #1777505
- There are some locations where we need the raw IPv6 address instead of the
url-quoted version enclosed in brackets.
- Make nova-api-metadata service listen on IPv6 when we need that.
- Use SERVICE_HOST instead of HOST_IP for TLS_IP.
Change-Id: Id074be38ee95754e88b7219de7d9beb06f796fad
Partial-Bug: 1656329
Since[1], "url" in the [neutron] section in nova.conf should no
longer be set.
[1]
6cde77ebba
Depends-On: https://review.openstack.org/548572
Related-Bug: #1752289
Change-Id: Ied6c155da9d51a25ba7a524e69d018d39ed3442c
Option nova_metadata_ip was deprecated in favor
of nova_metadata_host. lib/neutron was updated
recently but lib/neutron-legacy was missed.
Change-Id: Iadd42458dda705ad0c24aa4ab2afd5b27dd8f0e1
VPNaaS agent is going to be an L3 agent extention.
Related-Bug: #1692128
Depends-On: I0b86c432e4b2210e5f2a73a7e3ba16d10467f0f2
Change-Id: Id827274b7c74cdf71db6d1f2ab3eadb5fef099f5
This reverts commit ef5ebed6c9ca3d9d47fd2a732a1542555a0f65ba.
The problem here is a backwards-incompatible change to
configure_auth_token_middleware. Plugins are still passing a
"signing_dir" which is interpreted now as the "section" argument
... this leads to an interesting red-herring issue; because "v" is a
gnu sed command for checking the version, a signing_dir of "/var/..."
(as done in most plugins) gives the weird error:
sed: -e expression #1, char 32: expected newer version of sed
I think we'll either need a new function, or dummy arguments to get
this back in.
Change-Id: I2098d4eb2747282622cf486fa7dbf216f932f58b
PKI tokens have been actively deprecated from keystone and there are
deprecations being emitted from keystonemiddleware. Because of this we
no longer need an auth cache directory in the services where the PKI
certifcates used to be stored.
Remove the creation and use of all these AUTH_CACHE directories.
Change-Id: I5680376e70e74882e9fdb87ee1b95d5f40570ad7
DVR isn't supported by the Linux Bridge agent, but the
mechanism driver is enabled by default, so Neutron attempts
port-bindings for it, generating ERRORS in the neutron-server
log in the check and gate jobs. Just remove it in the DVR case.
Change-Id: Ic50e12e5fecf366a182c141b5c99649e653254cb
Closes-bug: #1716782
Various services are returning broken links when running behind
tls-proxy. These issues can be fixed by setting the X-Forwarded-Proto
header in the apache config and letting oslo_middleware parse it.
Change-Id: Ibe5dbdc4644ec812f0435f59319666fc336c195a
Partial-Bug: 1713731
We are trying to keep better track of what pieces of devstack consume
the most time. Add the db sync commands to the time tracking as they run
the database migrations which can take more time than expected.
Change-Id: Ib92f2b8304ccf703712d45fd7207444de3599e2d
If the current interface has a default gateway configured is
determined by the regex
default.+<interface-name>
If for example 'enc1' is used, but also an interface 'enc1800' is
present, the regex will also match the 'enc1800' default gateway.
This patch fixes this by looking for <interface-name><white-space>.
This way 'enc1800' is not matched.
Change-Id: Id1d58f5be6296c3a37aef788359ae8fe0fe11d8b