It's a common practice to have /tmp/ mounted separately with the noexec
option. This effectively means no scripts can be executed from the
filesystem mounted to /tmp.
This patch explicitly calls the sh binary to execute scripts from /tmp and
removes the executable flag from the scripts.
Closes-Bug: #1965183
Change-Id: I2f9cd67979a8a75848fcdd7a8c3bb56dd3590473
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
Port status, server status and server console log output are printed
when the create-resources.sh script fails during the OVN migration.
Example: OVN migration fails because SSH connection is not possible,
after ping successfully replied - probably a metadata issue and having
the console logs could help to identify it.
Change-Id: I83e55203907526caf44ba34cd38241eccf70adb3
After stopping and deleting the services, if this role is run
again it could fail because systemd still has some ovs services loaded
(even though the service is stopped). This will cause ansible
to try to delete again and fail while trying to disable and
delete the service.
Change-Id: If51d7f25375768f8c60492c84d84e91d91886025
The following fixes are done in the script:
- Use openstack_citest as db user as done in CI[1] as
with root as db user it fails to configure it.
- Use MYSQL_USER var instead of hardcoded root user
- Fix Syntax Error in CREATE USER psql command by using
quotes for DATABASE_PASSWORD
- Switch to root user for running psql command as without
it, it asks for stack user password which is not configured,
same is done in devstack[2].
- Create variable DATABASE_NAME for database name and use
at all required places.
[1] https://review.opendev.org/c/openstack/neutron/+/814009/
[2] https://opendev.org/openstack/devstack/src/branch/master/lib/databases/postgresql#L90
Change-Id: Ieb523e3afdf69fff87ea9062ed857c37a8d56f5c
While migrating from OVS to OVN, one of the steps of the migration
is to clean all the OVS trunk ports. This will fail if the environment
does not have any trunk ports configured.
This will do a check in order to know if it's necessary
to clean them or not.
Also, since this playbook will only clean the ovn interfaces,
it is not necessary to stop the whole migration. If any error
occurred while deleting any ovs interface, a message will be
printed so the user can take action if necessary.
Change-Id: I6ec0b392b13daa9f64e051fb12b4b97a6c0a1730
This is basically a revert of [1], which was a revert of [2],
but now it should not break our CI jobs.
In the configure_for_func_testing script openvswitch is installed
from source. We need to set proper flag (Q_BUILD_OVS_FROM_GIT) which
is used in Devstack to tell Devstack to install it from source and
not from packages.
This patch also removes flag BUILD_OVS_FROM_SOURCE from the
configure_for_func_testing file as it was only used in that file
and was actually duplicating the Q_BUILD_OVS_FROM_GIT option used also
in Devstack.
[1] https://review.opendev.org/c/openstack/neutron/+/824750
[2] https://review.opendev.org/c/openstack/neutron/+/824750
Change-Id: I35715a047d23ed87312afd294cc898de7c164583
This reverts commit 391726bd4c0302ca3ce27f5de8e39ee4c6d91457.
Reason for revert: This patch is breaking CI testing, functional jobs. Variable
"BUILD_OVS_FROM_SOURCE" should be kept.
From a working CI job:
/home/zuul/src/opendev.org/openstack/neutron/tools/configure_for_func_testing.sh:_install_base_deps:106 : [[ True == \T\r\u\e ]]
From a now broken CI job:
/home/zuul/src/opendev.org/openstack/neutron/tools/configure_for_func_testing.sh:_install_base_deps:106 : [[ False == \T\r\u\e ]]
"BUILD_OVS_FROM_SOURCE: True" in the "neutron-functional" job definition.
Closes-Bug: #1957936
Change-Id: I564358c64c8ea7ae6039e9f8e6c0e90655fbb8eb
It was accepting 3 arguments where first one was "build_modules".
It wasn't used anywhere in that function so it was removed from
it.
This patch reflects that Devstack change in the Neutron's functional
tests script too.
Closes-Bug: #1957887
Depends-On: https://review.opendev.org/c/openstack/devstack/+/822717
Change-Id: Id8302bf23f48b227d05f1ec2a7136935b7b1c2fb
In the configure_for_func_testing script openvswitch is installed
from source. We need to set proper flag (Q_BUILD_OVS_FROM_GIT) which
is used in Devstack to tell Devstack to install it from source and
not from packages.
This patch also removes flag BUILD_OVS_FROM_SOURCE from the
configure_for_func_testing file as it was only used in that file
and was actually duplicating the Q_BUILD_OVS_FROM_GIT option used also
in Devstack.
Change-Id: I09c79d0e9700cc2bfdf71e5314ea660de75ac1d3
Prevent the OVS to OVN migration if any node has the OVS agent
firewall set to "iptables_hybrid". If present, the migration will
exit. This check is implemented in the OVN migration script for
TripleO environments.
Closes-Bug: #1951272
Change-Id: I55f25f56f87bfa2a5e330cdf4c1087e8d4082b29
This change is to include missing OvS DPDK nodes also as part of
ovn-controllers group in hosts_for_migration file.
Change-Id: Ic0727ffdbd1f60574b6d5397177a58172cbd60f0
It's not needed at all, so if we avoid installation, especially from
sources, it may save us a few minutes of the job's execution time.
It may also save some resources on the node.
To save a bit more time in the fullstack job's execution this patch also
disables compilation of the OVS from source in that job. We can use OVS
installed from packages provided by the distro instead.
Change-Id: Ic4b6740671e51f0d306967013e3d500f4d0cd6a5
This patch adds definition of the functional and fullstack jobs
with enabled support for FIPS [1].
Jobs are based on the Centos 8 stream as this distro allows enabling
FIPS support.
Jobs are added to the experimental queue for now.
This patch also makes some changes in the bindep and
configure_functional_tests role to make functional/fullstack tests
working on the Centos.
[1] https://csrc.nist.gov/publications/detail/fips/140/3/final
Co-Authored-By: Ade Lee <alee@redhat.com>
Change-Id: I582495826155740ad2660ee2a8717696b0393d26
- Telco use cases require a flavor which has to contain "extra_specs"
to boot a dpdk instance.
Add the "FLAVOR_NAME" parameter to override the use of the default
flavor used during migration flow.
- Modify the hardcoded server user name (cirros) to use the
"SERVER_USER_NAME" environment variable.
Change-Id: I3d50526d3192cafb673092bc8b22da6c48454434
Currently workload VMs start before the subnet is connected to the router.
When DVR is enabled, this sometimes causes one of the VMs to be
unable to get metadata.
Closes bug: #1947547
Change-Id: Ifd686d7ff452abd1226fbbc97f499e05102e4596
Log the results of the Ansible playbooks by default so that it is easier
to go through them later in case there's something unexpected. The log
is located in $HOME instead of /var/log/ to avoid the need of privileges.
Signed-off-by: Elvira García <egarciar@redhat.com>
Change-Id: Ida2fc11f28200030fff9ddf1e56fc442a2016bab
After migration from ML2/OVS to ML2/OVN trunk subports which were created
by the neutron-ovs-agent to connect br-int with trunk bridges (tbr-)
aren't needed anymore and should be deleted.
Closes-Bug: #1946479
Change-Id: Ib1e3b78597ebdde1aa9d2b242e2005a05a7db89f
After migration from ML2/OVS to ML2/OVN tap ports which were created
by the DHCP agents and router ports (like e.g. qr- or qg-) which were
created by the L3 agents aren't needed at all and should be deleted.
Previously those ports were set to be DOWN only. With this patch
all such ports will be simply deleted from the openvswitch.
Related-bug: #1946479
Change-Id: I74cd5820389c86819c6884d3d61c9b2f7907cc88
In the OVN repo [1] there is no "master" branch anymore.
There is "main" instead and that patch reflects that change in
the Neutron repo.
[1] https://github.com/ovn-org/ovn
Change-Id: Ia666e78b748567a63484752c99856c46c22630ec
Some VMs are created before the ovn migration process starts in order to
verify they are healthy after the migration.
Sometimes these VMs are not accessible via ssh due to an issue in cirros
0.4.0 that was fixed in a later release [1].
Closes-Bug: #1945299
[1] https://github.com/cirros-dev/cirros/pull/11
Change-Id: Ib133b5e1bed19aeac8514e3c6690ca768991bbd4
OVN migration script fails when VALIDATE_MIGRATION is not set to
True. oc_check_public_network should return successfully in case
VALIDATE_MIGRATION is set to False.
Closes bug: #1942344
Change-Id: Ibd0aea5b4e6bf44803d5d0100cacc17d401b03cc
This patch removes the devstack/lib/ovs module and updates the scripts to
use the ovs_source module from DevStack instead.
Depends-On: https://review.opendev.org/c/openstack/devstack/+/791085
Change-Id: I65fe53ee753ac68340f7d4d928643d3d8e5c8694
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
In DVR environment, there are FG interfaces on nodes. We can delete
those after the migration.
Change-Id: I44967e55213d12af24acbf9561a96afb34548324
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
The new "migrate" mode for the DB sync utility changes DB contents as
follows:
- it changes vxlan networks to Geneve, including its allocation in
order to avoid future collisions when creating new geneve networks
- it removes settings from ports' vif_details that are no longer
needed, such as hybrid plugging or bridge_name for the trunk bridges
- it sets profile for subports - OVN doesn't use trunk_details but port
profile to store data about trunk. Subports have tag and parent_name
fields.
Previously, the vxlan to Geneve change was done via ansible role. The
tasks in the role were replaced by the script therefore the role is
removed.
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
Change-Id: I29a39108d9fddb30050ec63a1cdf6bba0400e136
In the fix for #1853840 I made a mistake and since then we created
the physical NIC resource providers as a child of the hypervisor
resource provider instead of the agent resource provider. Here:
https://review.opendev.org/c/openstack/neutron/+/696600/3/neutron/agent/common/placement_report.py#159
This *did not* break the minimum bandwidth aware scheduling.
But still there are multiple problems:
1) If you created your physical NIC RPs before the fix for #1853840
but upgraded to after the fix for #1853840, then resource syncs
will throw an error in neutron-server at each physical NIC RP
update. That pollutes the logs and wastes some resources since
the prohibited update will be forever retried.
2) If you created your physical NIC RPs after the fix for #1853840
then your physical NIC RPs have the wrong parent. Which again
does not break minimum bandwidth aware scheduling. But it may pose
problems for later features wanting to build on the originally
planned RP tree structure.
3) Cleanup of decommissioned RPs is a bit different than expected.
This cleanup was always left to the admin, so it only affects a
manual process.
The proper RP structure was and should be the following:
The hypervisor RP(s) must be the root(s).
As a child of each hypervisor RP, there should be an agent RP.
The physical NIC RPs should be the children of the agent RPs.
Unfortunately at the moment the Placement API generically prohibits
update of the parent resource provider id in a PUT request:
https://docs.openstack.org/api-ref/placement/?expanded=update-resource-provider-detail#update-resource-provider
Therefore without a later Placement change we cannot fix the RPs
already created with the wrong parent. However we can fix the RPs
to be created later. We do that here. We also fix a bug in the unit
tests that allowed the wrong parent to pass unnoticed. Plus we
add an extra log message to direct the user seeing the pollution
in the logs to the proper bug report.
There may be a follow up patch later, because not all RP re-parenting
operations are problematic, therefore we are thinking of relaxing
this blanket prohibition in Placement. When Placement allows updates
to the parent id we can fix RPs already created with the wrong parent
too.
Change-Id: I7caa8827d22103600ca685a58294640fc831dbd9
Closes-Bug: #1921150
Co-Authored-By: "Balazs Gibizer" <balazs.gibizer@est.tech>
Related-Bug: #1853840
It turned out there doesn't need to be a crudini tool present on the node
running the command. This patch fetches the Neutron conf file instead
and performs an ini lookup over it in order to get the DB connection
string.
Change-Id: Iaf79b8512a920e9f667bd6881d50e8852595fa71
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
The Ansible command itself is hard to read; the patch adds some doctext
to improve understanding of the ansible task.
Change-Id: I4ab7a83da9bbf64ee6b19b2a0611fd64e09e2132
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
Previously, the migration script used controller nodes to configure
dnsmasq when configuring new MTU. Controller nodes may not run DHCP
agents. The patch detects DHCP agents instead and uses those to
configure dnsmasq.
Change-Id: Ib468c04779af7aaf4dedf84ba885bce71078248b
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
The patch goes to one of ovn-dbs nodes and runs a SQL query to change
all vxlan networks to Geneve. It's done via Python and sqlalchemy in
neutron_api container because mysql client is not installed there. This
approach was chosen to avoid installing more dependencies.
Change-Id: Ic417a115fdc212527866122bc9d3c93ea9599bdf
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
The undercloud node user is configurable in TripleO and isn't always set
to heat-admin. This patch introduces an environment variable for cases
where the user is different.
Change-Id: If65925ded1b5df2bfdcfba50445ff7d821c725d8
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>