A non-vlan-transparent trunk parent port (tpt) should only forward
untagged frames. Earlier it was configured to forward anything (trunk
mode in ovs). This patch changes the trunk mode to access mode and
sets the trunk parent's tag explicitly to 0.
Change-Id: I4bcfe53fe87d7c9218dd0db9d7224bb323709a21
Closes-Bug: #2048785
Support is added to the OVN L3 service plugin for the router
flavors and service type framework
Partial-Bug: #2020823
Change-Id: If40d7b39e7b59a39ff7622bd823dbdb14bfc69d2
Metering agent don't supports ML2/OVN backend currently and this should
be documented in the feature parity gaps document.
Related-bug: #2048773
Change-Id: I2b8c37f33e3ae4b17cc88bffde014d7d730e59d3
Current translation no longer use babel[1] or these setup.cfg
entries[2].
[1] 4e907ed2f39329eaa12d1712d49ca8903db15124
[2] 22df2f6395c1426485a7cb97166601823f8a2a28
Change-Id: Ic866a41b00c37c549a83274e33ac18d0aba846bb
Prior to this patch, ML2/OVS and ML2/OVN had inconsistent IGMP
configurations. Neutron only exposed one configuration option for IGMP:
igmp_snooping_enabled.
Other features such as IGMP flood, IGMP flood reports and IGMP flood
unregistered were hardcoded differently on each driver (see LP#2044272
for a more details).
These hardcoded values has led to many changes over the years tweaking
them to work on different scenarios but they were never final because
the fix for one case would break the other.
This patch introduces 3 new configuration options for these other IGMP
features that can be enabled or disabled on both backends. Operators
can now fine tune their deployments in the way that will work for them.
As a consequence of the hardcoded values for each driver we had to break
some defaults and, in the case of ML2/OVS, if operators want to keep
things as they were before this patch they will need to enable the new
mcast_flood and mcast_flood_unregistered configuration options.
That said, the for ML2/OVS there was also an inconsistency with the help
string of igmp_snooping_enabled configuration option as it mentioned
that enabling snooping would disable flooding to unregistered ports but
that was not true anymore after the fix [0].
[0] https://bugs.launchpad.net/neutron/+bug/1884723
Closes-Bug: #2044272
Change-Id: Ic4dde46aa0ea2b03362329c87341c83b24d32176
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
This patch adds support for IPv6 metadata service in ML2/OVN.
The changes include:
- Add the 'fe80::a9fe:a9fe/128' address to the interface of the
ovnmeta- namespace so that it's reachable from the guests
- Identify the port of the VM by looking up the source MAC address
of the metadata request
- Restarts the haproxy instances to honor the configuration changes
upon start of the metadata agent. In particular, haproxy now also
binds on the 'fe80::a9fe:a9fe' address
When the VM requests metadata from its LLA, the traffic will reach
the ovnmeta namespace associated to its network.
The IPv6 metadata tests are passing and enabled in Tempest by
this patch:
https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/894027
Besides, this patch ensures that the link-local address of the
metadata interface is present so that the metadata IPv6 endpoint
is reachable. It also fixes a bug that was causing the wrong LLA
to be present as the interface was set `up` first prior to changing
the MAC address. Now this order is inverted so that the proper LLA
is configured.
Change-Id: Idcef6de33ed2a73cb3c426db1c55fa9cd06de63f
Signed-off-by: Daniel Alvarez Sanchez <dalvarez@redhat.com>
Support for the required DHCPv6 options was recently added in core
OVN with [1].
This patch adds support for that in ML2/OVN backend also and by that
closing one of the gaps between ML2/OVN and ML2/OVS backends.
This patch also adds upgrade check to check used ovn version and warn
operators if native OVN DHCP is used for BM provisioning and OVN version
is older than 23.06.0.
Unfortunately there is no easy way to check used version of OVN so check
relies on the ovnnb schema version.
[1] c5fd51bd15
Closes-Bug: #2030520
Change-Id: Iaa3ff8e97021e44f352e5a9a370714bf5f1d77b8
This patch is part of the solution for LP #2037294 and updates the
documentation to explain the new "enable-chassis-as-extport-host"
configuration as well as enhancing the documentation in general
to better explain each configuration, database information and
high availability for external ports.
Change-Id: Iad048a71653dc791fc27585b509c02470e5d08a2
Related-Bug: #2037294
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
OVN does not correctly fragment packets or send ICMP
"packet too big" responses that would allow pmtud to work.
Related-Bug: #2032817
Change-Id: Ibc19ec6a9625124fb19e33c3bd6af40266aa5003
Previously in all our install guides there were info that name of the
physical interface should be put in the bridge_mappings config option in
ths OVS agent's config. This wasn't correct as bridge_mappings expects
there bridge name instead.
Change-Id: I0698aa4621a15c1927ad2c352501cea02e6ee70c
The sections described in the documentation does not match the actual
section names in current neutron.
* local_ip now belongs to the [ovs] section
* tunnel_types now belongs to the [agent] section
* l2_population now belongs to the [agent] section
Also the tunnel_types option is not explained in the example snippet.
Change-Id: Ic2bde217a03a884855d299f3142394a4229745bc
... because the middleware is used only by neutron-server.
This also removes the metadata shared secret from compute, because
metadata-agent runs only in controller nodes according to the guide.
Change-Id: I0e5ed7453384d24581bcd8c3a85c8fc36fab910f
Nova will automatically translate VF capabilities to Neutron
port binding profiles after patch [1] will be merged. Existing
recommendations in "admin/config-ovs-offload.html" should be
updated: there is no need to define capabilities in port
binding profiles for new ports anymore.
[1] https://review.opendev.org/c/openstack/nova/+/884439
Related-bug: #2020813
Depends-on: https://review.opendev.org/c/openstack/nova/+/884439
Change-Id: I63b0641f6b7ef0e1190f421a90619bb2971d0d44
In ML2/OVN there is a static common configuration parameter to define
if the routers (more in particular the floating IPs) can be distributed
or centralized:
[ovn] enable_distributed_floating_ip
This patch writes this value on each new router created. It also
implements a maintenance method to populate this flag when the
Neutron API is restarted and the value changed.
Closes-Bug: #2022058
Change-Id: Ib109b09fde4db8738c1d0b3e394c201492d210c6
Over time docs were added or updated such that they were
no longer in alphabetical order based on the index order
or their title strings. Tried to fix it up a bit along
with some capitalization.
Trivialfix
Change-Id: I948b2a1c86faaffed07adcf0198a3fba72401abe
I found some old graphs I have drawn about the workings of the
traditional metadata service. I don't know why I haven't contributed
this earlier to Neutron docs. But anyway, better late than never.
Change-Id: I7a412883c8c0d673d1617a3b212598b35e9e698f
The ovn.ini file is a hold-over from the networking-ovn
tree. The docs all reference configuring OVN (and OVS)
options in ml2_conf.ini, so remove the old file and add
the neutron.ml2.ovn namespace to
etc/oslo-config-generator/ml2_conf.ini.
Trivialfix
Change-Id: I26dedc80e07aedffb1713560d4431b7a334b70b5
This patch updates docs related to the Security Groups to add info about
possibility to change default set of rules created in every new security
group.
It also adds release note about this new API in Neutron.
Closes-Bug: #1983053
Change-Id: I0f6ecc5cf374a0090930e9786834ed7a1be3dc0b
Just describe what a firewall does, not its implemenation
details. This text was copied from elsewhere and mentioning
iptables is outdated and not correct.
Change-Id: Ia078fe6f3cee873d37a4621c98a089a90cd47d51
Closes-bug: #2030753
Neutron-metadata-agent can cause big load on the RPC bus and
neutron-server by asking for port details very often. And this can be
optimized by simple using cache mechanism provided by oslo.cache module.
This feature wasn't really described in our docs so this patch adds
short document about why and when use cache in metadata agent, why it's
not needed in the neutron-ovn-metadata-agent and how to enable it.
Closes-Bug: #2024581
Change-Id: I2c7e496f4c0588eebc1fbf42a43473101f67032f
This patch makes conditional the existing DB migration that adds
the new indexes "target_tenant" and "action" in the "*rbacs" tables.
The rationale of this patch is to be able to manually improve older
systems by just manually creating the indexes in the database.
Once these indexes are added, those operations including RBACs
checks (all these called from non-admin user to RBAC administrated
resourced) will be improved.
This patch is avoiding the migration issue a system could find if
these indexes have been manually added and then the system is
upgraded. The new check added will first retrieve the table indexes;
if the index is already present, the index addition is skipped.
Closes-Bug: #2020802
Change-Id: I1962fbc844bb67180e9071bcee01f8e95853bdda
When we use the ovn driver, the security group is implemented
by the ACL of ovn. There is no need to send rpc messages.
Closes-Bug: #2007327
Change-Id: I4b486c910ed298633ac6f60fd93f695c6c3bfef2
If the BACKUP_MIGRATION_IP is set to a different IP outside of
the default nets[1] set in the “openstack overcloud backup”
playbook setup_nfs role[2]. Then the NFS will fail to mount
directories during the backup, because they will not be
reachable | permitted.
This change simply adds a new variable
BACKUP_MIGRATION_CTL_PLANE_CIDRS into the ovn_migration script
to allow the user to overwrite the extra-var used for
Openstack overcloud backup --setup-nfs command.
[1] e281ae7624/tripleo_ansible/roles/backup_and_restore/defaults/main.yml (L47)
[2] e281ae7624/tripleo_ansible/roles/backup_and_restore/tasks/setup_nfs.yml (L127)
Change-Id: I160dfc4e893b93ac7a40e19b3dd6b89750dac57d
Requests handled by the metadata-agents can now be rate-limited by
source-ip. This is done to protect the OpenStack control plane against
VMs querying the metadata endpoint in an overly enthusiastic way.
Co-authored-by: Miguel Lavalle <mlavalle@redhat.com>
Related-Bug: #1989199
Change-Id: I748ccfa8b50496dcbcbe41fd22f84249a4d46b11
With removal of the neutron client shell code this tool is
no longer usable. It had been marked for deprecation since
the Newton (9.0) cycle and unmaintained.
This code is also breaking the neutron gate pep8 job.
Change-Id: I3c0c93de0b860d9287019b7834cb8337d9668cc0
We had a number of code blocks that were being incorrectly rendered
inside block quotes, which messed with formatting somewhat. Correct
them. This was done using the following script:
sphinx-build -W -b xml doc/source doc/build/xml
files=$(find doc/build/xml -name '*.xml' -print)
for file in $files; do
if xmllint -xpath "//block_quote/literal_block" "$file" &>/dev/null; then
echo "$file"
fi
done
Note that this also highlighted a file using DOS line endings. This is
corrected.
Change-Id: If63f31bf13c76a185e2c6eebc9b85f9a1f3bbde8
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Wrong links were introduced long time ago, this is setting the good
links.
Change-Id: Ib3dbe570f3aecb9533fa4623726db5551fd87100
Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>