1723 Commits

Author SHA1 Message Date
Bence Romsics
27601f8eea Set trunk parent port as access port in ovs to avoid loop
A non-vlan-transparent trunk parent port (tpt) should only forward
untagged frames. Earlier it was configured to forward anything (trunk
mode in ovs). This patch changes the trunk mode to access mode and
sets the trunk parent's tag explicitly to 0.

Change-Id: I4bcfe53fe87d7c9218dd0db9d7224bb323709a21
Closes-Bug: #2048785
2024-01-24 14:42:13 +01:00
Miguel Lavalle
49366ecada Router flavors and service type for OVN
Support is added to the OVN L3 service plugin for the router
flavors and service type framework

Partial-Bug: #2020823
Change-Id: If40d7b39e7b59a39ff7622bd823dbdb14bfc69d2
2024-01-17 09:33:07 -06:00
Zuul
1c074df05a Merge "Add info about metering agent gap in the ML2/OVN backend" 2024-01-11 12:47:51 +00:00
Slawek Kaplonski
3eeb5d3e6a Add info about metering agent gap in the ML2/OVN backend
Metering agent doesn't support the ML2/OVN backend currently and this should
be documented in the feature parity gaps document.

Related-bug: #2048773
Change-Id: I2b8c37f33e3ae4b17cc88bffde014d7d730e59d3
2024-01-11 11:42:05 +00:00
Zuul
90ad995fa2 Merge "doc: Drop description about old translation method" 2024-01-08 20:57:12 +00:00
Takashi Kajinami
ff94b49ce5 doc: Drop description about old translation method
Current translation no longer uses babel[1] or these setup.cfg
entries[2].

[1] 4e907ed2f39329eaa12d1712d49ca8903db15124
[2] 22df2f6395c1426485a7cb97166601823f8a2a28

Change-Id: Ic866a41b00c37c549a83274e33ac18d0aba846bb
2023-12-21 02:36:09 +09:00
Zuul
ef3089547b Merge "Fix IGMP inconsistency across drivers" 2023-12-18 13:19:07 +00:00
Zuul
cf1d5ea35c Merge "[ovn] Add support for IPv6 metadata" 2023-12-15 13:10:13 +00:00
Lucas Alvares Gomes
114ca0f1be Fix IGMP inconsistency across drivers
Prior to this patch, ML2/OVS and ML2/OVN had inconsistent IGMP
configurations. Neutron only exposed one configuration option for IGMP:
igmp_snooping_enabled.

Other features such as IGMP flood, IGMP flood reports and IGMP flood
unregistered were hardcoded differently on each driver (see LP#2044272
for more details).

These hardcoded values have led to many changes over the years tweaking
them to work on different scenarios but they were never final because
the fix for one case would break the other.

This patch introduces 3 new configuration options for these other IGMP
features that can be enabled or disabled on both backends. Operators
can now fine tune their deployments in the way that will work for them.

As a consequence of the hardcoded values for each driver we had to break
some defaults and, in the case of ML2/OVS, if operators want to keep
things as they were before this patch they will need to enable the new
mcast_flood and mcast_flood_unregistered configuration options.

That said, for ML2/OVS there was also an inconsistency with the help
string of igmp_snooping_enabled configuration option as it mentioned
that enabling snooping would disable flooding to unregistered ports but
that was not true anymore after the fix [0].

[0] https://bugs.launchpad.net/neutron/+bug/1884723

Closes-Bug: #2044272
Change-Id: Ic4dde46aa0ea2b03362329c87341c83b24d32176
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
2023-12-15 09:05:19 +00:00
Zuul
0bb22b355e Merge "[OVN] Add baremetal support without Neutron DHCP agent for IPv6" 2023-12-12 03:32:18 +00:00
Daniel Alvarez Sanchez
d9c8731af3 [ovn] Add support for IPv6 metadata
This patch adds support for IPv6 metadata service in ML2/OVN.
The changes include:

- Add the 'fe80::a9fe:a9fe/128' address to the interface of the
  ovnmeta- namespace so that it's reachable from the guests

- Identify the port of the VM by looking up the source MAC address
  of the metadata request

- Restarts the haproxy instances to honor the configuration changes
  upon start of the metadata agent. In particular, haproxy now also
  binds on the 'fe80::a9fe:a9fe' address

When the VM requests metadata from its LLA, the traffic will reach
the ovnmeta namespace associated to its network.

The IPv6 metadata tests are passing and enabled in Tempest by
this patch:
https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/894027

Besides, this patch ensures that the link-local address of the
metadata interface is present so that the metadata IPv6 endpoint
is reachable. It also fixes a bug that was causing the wrong LLA
to be present as the interface was set `up` first prior to changing
the MAC address. Now this order is inverted so that the proper LLA
is configured.

Change-Id: Idcef6de33ed2a73cb3c426db1c55fa9cd06de63f
Signed-off-by: Daniel Alvarez Sanchez <dalvarez@redhat.com>
2023-12-08 17:15:42 -05:00
Zuul
3de5f57135 Merge "Remove some invalid text from the network component doc" 2023-12-08 15:36:38 +00:00
Zuul
919572d191 Merge "ovn: Document fragmentation / pmtud gaps" 2023-12-08 15:36:25 +00:00
Slawek Kaplonski
034fcb0f6d [OVN] Add baremetal support without Neutron DHCP agent for IPv6
Support for the required DHCPv6 options was recently added in core
OVN with [1].
This patch adds support for that in the ML2/OVN backend as well, thereby
closing one of the gaps between the ML2/OVN and ML2/OVS backends.

This patch also adds an upgrade check that checks the OVN version in use
and warns operators if native OVN DHCP is used for BM provisioning and the
OVN version is older than 23.06.0.
Unfortunately there is no easy way to check the OVN version in use, so the
check relies on the ovnnb schema version.

[1] c5fd51bd15

Closes-Bug: #2030520
Change-Id: Iaa3ff8e97021e44f352e5a9a370714bf5f1d77b8
2023-11-29 09:36:27 +01:00
Lucas Alvares Gomes
cd8816acd1 [OVN] Update the External Ports documentation
This patch is part of the solution for LP #2037294 and updates the
documentation to explain the new "enable-chassis-as-extport-host"
configuration as well as enhancing the documentation in general
to better explain each configuration, database information and
high availability for external ports.

Change-Id: Iad048a71653dc791fc27585b509c02470e5d08a2
Related-Bug: #2037294
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
2023-11-14 08:55:01 +00:00
Dr. Jens Harbott
e4542bca80 ovn: Document fragmentation / pmtud gaps
OVN does not correctly fragment packets or send ICMP
"packet too big" responses that would allow pmtud to work.

Related-Bug: #2032817
Change-Id: Ibc19ec6a9625124fb19e33c3bd6af40266aa5003
2023-11-03 14:54:56 -04:00
Zuul
fbca7f0104 Merge "[OVN] Populate the "router.distributed" flag in ML2/OVN" 2023-10-30 15:05:09 +00:00
Slawek Kaplonski
842f2f8e6c [Docs] Fix info about provider bridge name in the bridge_mappings
Previously in all our install guides there was info that the name of the
physical interface should be put in the bridge_mappings config option in
the OVS agent's config. This wasn't correct as bridge_mappings expects
the bridge name there instead.

Change-Id: I0698aa4621a15c1927ad2c352501cea02e6ee70c
2023-10-27 17:57:41 +02:00
Zuul
53f4fd6b9f Merge "doc: Fix wrong sections of ovs-agent config options" 2023-10-26 18:36:56 +00:00
Takashi Kajinami
34f7a5805e doc: Fix wrong sections of ovs-agent config options
The sections described in the documentation do not match the actual
section names in current neutron.

 * local_ip now belongs to the [ovs] section
 * tunnel_types now belongs to the [agent] section
 * l2_population now belongs to the [agent] section

Also the tunnel_types option is not explained in the example snippet.

Change-Id: Ic2bde217a03a884855d299f3142394a4229745bc
2023-10-26 09:00:56 +09:00
Zuul
389bc155f8 Merge "doc: Stop configuring authtoken middleware in compute" 2023-10-25 23:58:36 +00:00
Takashi Kajinami
2bcad25d34 doc: Stop configuring authtoken middleware in compute
... because the middleware is used only by neutron-server.

This also removes the metadata shared secret from compute, because
metadata-agent runs only in controller nodes according to the guide.

Change-Id: I0e5ed7453384d24581bcd8c3a85c8fc36fab910f
2023-10-25 11:26:51 +09:00
Takashi Kajinami
2a637820eb doc: Remove remaining description about allow_overlapping_ips
The option was already removed.

Change-Id: Ic1bcec77e3ef1bac5dc59d5f492348ee9ac9993e
2023-10-25 11:24:51 +09:00
Alexey Stupnikov
3fc8d32383 Don't set port capabilities for OVS HW offloading
Nova will automatically translate VF capabilities to Neutron
port binding profiles after patch [1] is merged. Existing
recommendations in "admin/config-ovs-offload.html" should be
updated: there is no need to define capabilities in port
binding profiles for new ports anymore.

[1] https://review.opendev.org/c/openstack/nova/+/884439

Related-bug: #2020813
Depends-on: https://review.opendev.org/c/openstack/nova/+/884439
Change-Id: I63b0641f6b7ef0e1190f421a90619bb2971d0d44
2023-10-17 19:34:51 +00:00
Rodolfo Alonso Hernandez
1f1824397d [OVN] Populate the "router.distributed" flag in ML2/OVN
In ML2/OVN there is a static common configuration parameter to define
if the routers (more in particular the floating IPs) can be distributed
or centralized:
  [ovn] enable_distributed_floating_ip

This patch writes this value on each new router created. It also
implements a maintenance method to populate this flag when the
Neutron API is restarted and the value changed.

Closes-Bug: #2022058
Change-Id: Ib109b09fde4db8738c1d0b3e394c201492d210c6
2023-10-16 08:04:31 +00:00
Zuul
4a6eae9a84 Merge "Alphabetize some of the admin and contrib docs" 2023-09-28 03:24:09 +00:00
Zuul
61ac046cf7 Merge "contributor docs: Architectural overview for metadata" 2023-09-27 08:06:19 +00:00
Brian Haley
e63cdd216b Alphabetize some of the admin and contrib docs
Over time docs were added or updated such that they were
no longer in alphabetical order based on the index order
or their title strings. Tried to fix it up a bit along
with some capitalization.

Trivialfix

Change-Id: I948b2a1c86faaffed07adcf0198a3fba72401abe
2023-09-18 13:12:31 -04:00
Bence Romsics
2ec273cdc7 contributor docs: Architectural overview for metadata
I found some old graphs I have drawn about the workings of the
traditional metadata service. I don't know why I haven't contributed
this earlier to Neutron docs. But anyway, better late than never.

Change-Id: I7a412883c8c0d673d1617a3b212598b35e9e698f
2023-09-18 10:32:32 +02:00
Brian Haley
0611735715 Remove ovn.ini example file
The ovn.ini file is a hold-over from the networking-ovn
tree. The docs all reference configuring OVN (and OVS)
options in ml2_conf.ini, so remove the old file and add
the neutron.ml2.ovn namespace to
etc/oslo-config-generator/ml2_conf.ini.

Trivialfix

Change-Id: I26dedc80e07aedffb1713560d4431b7a334b70b5
2023-09-06 15:19:30 -04:00
Zuul
ed6023c347 Merge "Update QoS config document: use YAML config examples" 2023-09-01 09:06:51 +00:00
Zuul
1bb9fe1b21 Merge "Default SG rules template - Update related docs and add release note" 2023-08-31 19:05:54 +00:00
Slawek Kaplonski
5c2f54ca03 Default SG rules template - Update related docs and add release note
This patch updates docs related to the Security Groups to add info about
possibility to change default set of rules created in every new security
group.
It also adds release note about this new API in Neutron.

Closes-Bug: #1983053
Change-Id: I0f6ecc5cf374a0090930e9786834ed7a1be3dc0b
2023-08-30 10:18:34 +00:00
Rodolfo Alonso Hernandez
fa130f29f7 Update QoS config document: use YAML config examples
Closes-Bug: #2033203
Change-Id: I0162cf74e74ff915918d36bd1150d2ac474ac882
2023-08-28 10:12:58 +00:00
Dr. Jens Harbott
0e5c91c499 Add some more known issues to the OVN gap document
See the related bugs.

Related-Bug: #2030294
Related-Bug: #2030295
Change-Id: If90e4233c599b0ab4363d7eea6b00436bf7ab92c
2023-08-27 15:15:42 +02:00
Brian Haley
994d6ace18 Remove some invalid text from the network component doc
Just describe what a firewall does, not its implementation
details. This text was copied from elsewhere and mentioning
iptables is outdated and not correct.

Change-Id: Ia078fe6f3cee873d37a4621c98a089a90cd47d51
Closes-bug: #2030753
2023-08-08 09:05:25 -04:00
Zuul
321f7672e7 Merge "[Docs] Add recommendation about usage of cache in the neutron-metadata-agent" 2023-07-19 14:44:55 +00:00
Slawek Kaplonski
49b68d36a0 [Docs] Add recommendation about usage of cache in the neutron-metadata-agent
Neutron-metadata-agent can cause a big load on the RPC bus and
neutron-server by asking for port details very often. This can be
optimized by simply using the cache mechanism provided by the oslo.cache
module. This feature wasn't really described in our docs so this patch adds
a short document about why and when to use the cache in the metadata agent,
why it's not needed in the neutron-ovn-metadata-agent and how to enable it.

Closes-Bug: #2024581
Change-Id: I2c7e496f4c0588eebc1fbf42a43473101f67032f
2023-07-07 14:47:59 -04:00
Sahid Orentino Ferdjaoui
f2dd2d3cac doc: fix typo in metering-agent.rst
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
Change-Id: I54b3dbf64ad313f6e3c34a2c774975f6327843c4
2023-07-03 09:21:28 +02:00
Zuul
6e30e3e59f Merge "[ovn]disable security group notifier" 2023-06-09 05:19:14 +00:00
Zuul
7072b34650 Merge "Make DB migration creating indexes in RBACs conditional" 2023-06-07 21:37:03 +00:00
Zuul
4bc538d7ea Merge "[OVN][Migration] Enable settings backup subnet for NFS clients" 2023-05-29 18:35:03 +00:00
Rodolfo Alonso Hernandez
e8cd39b3d7 Make DB migration creating indexes in RBACs conditional
This patch makes conditional the existing DB migration that adds
the new indexes "target_tenant" and "action" in the "*rbacs" tables.
The rationale of this patch is to be able to manually improve older
systems by just manually creating the indexes in the database.
Once these indexes are added, those operations including RBACs
checks (all these called from non-admin user to RBAC administrated
resources) will be improved.

This patch is avoiding the migration issue a system could find if
these indexes have been manually added and then the system is
upgraded. The new check added will first retrieve the table indexes;
if the index is already present, the index addition is skipped.

Closes-Bug: #2020802
Change-Id: I1962fbc844bb67180e9071bcee01f8e95853bdda
2023-05-29 15:26:11 +00:00
zhouhenglc
35cb164ea5 [ovn]disable security group notifier
When we use the ovn driver, the security group is implemented
by the ACL of ovn. There is no need to send rpc messages.

Closes-Bug: #2007327

Change-Id: I4b486c910ed298633ac6f60fd93f695c6c3bfef2
2023-05-24 14:15:33 +08:00
Miro Tomaska
b677d65b2d [OVN][Migration] Enable settings backup subnet for NFS clients
If the BACKUP_MIGRATION_IP is set to a different IP outside of
the default nets[1] set in the “openstack overcloud backup”
playbook setup_nfs role[2], then the NFS will fail to mount
directories during the backup, because they will not be
reachable | permitted.
This change simply adds a new variable
BACKUP_MIGRATION_CTL_PLANE_CIDRS into the ovn_migration script
to allow the user to overwrite the extra-var used for
Openstack overcloud backup --setup-nfs command.

[1] e281ae7624/tripleo_ansible/roles/backup_and_restore/defaults/main.yml (L47)
[2] e281ae7624/tripleo_ansible/roles/backup_and_restore/tasks/setup_nfs.yml (L127)

Change-Id: I160dfc4e893b93ac7a40e19b3dd6b89750dac57d
2023-05-19 19:18:32 +00:00
Guillaume Espanel
5f4a41326d Add rate-limiting to metadata agents
Requests handled by the metadata-agents can now be rate-limited by
source-ip. This is done to protect the OpenStack control plane against
VMs querying the metadata endpoint in an overly enthusiastic way.

Co-authored-by: Miguel Lavalle <mlavalle@redhat.com>

Related-Bug: #1989199
Change-Id: I748ccfa8b50496dcbcbe41fd22f84249a4d46b11
2023-05-17 18:52:25 -05:00
Brian Haley
01af4b2cda Remove the neutron-debug tool
With removal of the neutron client shell code this tool is
no longer usable. It had been marked for deprecation since
the Newton (9.0) cycle and unmaintained.

This code is also breaking the neutron gate pep8 job.

Change-Id: I3c0c93de0b860d9287019b7834cb8337d9668cc0
2023-05-12 12:42:31 -04:00
Stephen Finucane
d409296bde docs: Deindent code blocks
We had a number of code blocks that were being incorrectly rendered
inside block quotes, which messed with formatting somewhat. Correct
them. This was done using the following script:

  sphinx-build -W -b xml doc/source doc/build/xml
  files=$(find doc/build/xml -name '*.xml' -print)
  for file in $files; do
      if xmllint -xpath "//block_quote/literal_block" "$file" &>/dev/null; then
          echo "$file"
      fi
  done

Note that this also highlighted a file using DOS line endings. This is
corrected.

Change-Id: If63f31bf13c76a185e2c6eebc9b85f9a1f3bbde8
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-05-10 17:37:26 +01:00
Zuul
fd17662611 Merge "Change API to validate network MTU minimums" 2023-05-04 20:47:52 +00:00
Arnaud Morin
30c0e5699e Fix doc links for networking option 2
Wrong links were introduced a long time ago; this is setting the good
links.

Change-Id: Ib3dbe570f3aecb9533fa4623726db5551fd87100
Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
2023-05-04 11:07:16 +02:00