The OVS Firewall blocks traffic that does not have either the IPv4 or
IPv6 ethertypes at present. This is a behavior change compared to the
iptables_hybrid firewall, which only operates on IP packets and thus
does not address other ethertypes.
This is a lightweight change that sets a configuration option in the
neutron openvswitch agent configuration file for permitted ethertypes
and then ensures that the requested ethertypes are permitted on
initialization. This addresses the security and usability concerns on
both master and stable branches while a full-fledged extension to the
security groups API is considered.
Change-Id: Ide78b0b90cf6d6069ce3787fc60766be52062da0
Related-Bug: #1832758
As part of the fix for bug 1826419, a prior release note was
deleted and no new release note was added to document the
change in behaviour as a result of upgrading.
Add new release note to detail the behaviour of
{network,conf}.dns_domain with respect to the DHCP agent
post upgrade.
The deleted release note will be restored in the stable
branches where it was removed.
Change-Id: Ic668d64c28cdc1068cb2413b09839a127bad46d3
Related-Bug: 1826419
For various synchronized scenarios, this decorator
allows a flexible lock name built from parameters and the names
of the underlying functions.
For instance:
@synchronized('{f_name}-{resource.id}-{snap[name]}')
def foo(self, resource, snap):
Change-Id: I4bf75be2902cd598a5a5a2c5887d4b4262f3e042
Related-Bug: #1824911
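The lock-name templating sketched in the `foo` snippet above, as an added illustration that is not neutron's own `synchronized` decorator: the template is rendered with `str.format` over the function's bound arguments plus an `f_name` field, so `{resource.id}` resolves to attribute access and `{snap[name]}` to a key lookup, and one lock per rendered name serializes callers that touch the same resource. The lock registry, the `Resource`/`Worker` classes and `run_concurrent` are assumptions made for this example.

```python
import functools
import inspect
import threading
import time

# Lazily created, per-name locks.  Constructed for this example; neutron's
# real decorator is not shown here.
_locks = {}
_registry_lock = threading.Lock()


def _get_lock(name):
    """Return the re-entrant lock registered under name, creating it once."""
    with _registry_lock:
        return _locks.setdefault(name, threading.RLock())


def render_lock_name(template, func, args, kwargs):
    """Render the lock name from func's bound arguments plus 'f_name'.

    str.format turns '{resource.id}' into attribute access and
    '{snap[name]}' into a key lookup on the bound argument objects.
    """
    bound = inspect.signature(func).bind(*args, **kwargs)
    bound.apply_defaults()
    fields = dict(bound.arguments)
    fields.setdefault('f_name', func.__name__)
    return template.format(**fields)


def synchronized(template):
    """Serialize calls whose rendered lock name is identical."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            name = render_lock_name(template, func, args, kwargs)
            with _get_lock(name):
                return func(*args, **kwargs)
        return wrapper
    return decorator


class Resource:
    """Stand-in for a neutron resource with an 'id' attribute (assumed)."""
    def __init__(self, rid):
        self.id = rid


class Worker:
    def __init__(self):
        self.counter = {}

    @synchronized('{f_name}-{resource.id}-{snap[name]}')
    def foo(self, resource, snap):
        # Deliberately non-atomic read-modify-write: without the per-name
        # lock, concurrent callers on the same resource/snapshot would lose
        # updates.  The sleep widens the race window to make that visible.
        key = (resource.id, snap['name'])
        current = self.counter.get(key, 0)
        time.sleep(0.0005)
        self.counter[key] = current + 1
        return self.counter[key]


def run_concurrent(n_threads=8, iters=10):
    """Call foo() from several threads on one resource; return the final count."""
    worker = Worker()
    resource = Resource('r1')
    snap = {'name': 's1'}

    def loop():
        for _ in range(iters):
            worker.foo(resource, snap)

    threads = [threading.Thread(target=loop) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return worker.counter[('r1', 's1')]


if __name__ == '__main__':
    print(render_lock_name('{f_name}-{resource.id}-{snap[name]}',
                           Worker.foo.__wrapped__,
                           (Worker(), Resource('r1'), {'name': 's1'}), {}))
    print(run_concurrent())
```

Because the name is derived from the arguments rather than fixed per function, calls on different resources do not contend with each other, while two callers on the same resource and snapshot are serialized; `run_concurrent` returns exactly `n_threads * iters` only because the lock holds across the read-sleep-write sequence.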
This patch adds the possibility to configure kill hooks used to kill
external processes, like dnsmasq or keepalived.
Change-Id: I29dfbedfb7167982323dcff1c4554ee780cc48db
Closes-Bug: #1825943
The dns_domain attribute of a network is intended for use
by neutron when creating DNS records in an external DNS
system such as Designate.
By using the network's dns_domain, the configured search
path on booted instances mismatches the generated
dns assignments for instance ports in the hosts file
for dnsmasq, which creates a mismatched forward/reverse
lookup behaviour.
This reverts commit 137a6d61053fb1cfb9a0a583b5a5c0f6253c75e6
and commit 7fdd6adc7acf99e74fbe1c12606f8c867ae134ae.
Closes-Bug: 1826419
Depends-On: I145144c042b100f7e12a02a8ac7e0fbbe41e984d
Change-Id: I5ff03b5ad8af432a9f7919ef953d7d8c434b93bd
A common neutron resource (e.g. Port) consists of:
1. Resource attributes, e.g. Port.mac_address, etc.
2. Standard attributes, e.g. created_at, which are shared among all
neutron resources.
The `sort` opt only supports limited attributes. We need to filter
attributes that are defined with `is_sort_key=True`, and it's preferred
to explicitly warn CLI & API users of illegal sort keys rather than
just accept them without a check, pass them forward and then hit an
internal error, which is quite confusing.
Depends-on: https://review.opendev.org/#/c/660097/
Change-Id: I8d206f909b09f1279dfcdc25c39989a67bff93d5
Closes-Bug: #1659175
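The validation described above, as an added example rather than neutron's own API code: only attributes flagged `is_sort_key=True` in either the resource's own attribute map or the shared standard-attribute map are accepted as sort keys, and unknown keys or directions are rejected with a client-facing error before anything reaches the database layer. The attribute maps, the query-string shape (repeated `sort_key`/`sort_dir` pairs) and the `InvalidSortKey` exception are assumptions made for this example.

```python
from urllib.parse import parse_qsl

# Constructed attribute maps for this example; flags and names are not
# neutron's real attribute definitions.
PORT_ATTRIBUTES = {
    'id': {'is_sort_key': True},
    'name': {'is_sort_key': True},
    'mac_address': {'is_sort_key': True},
    'fixed_ips': {'is_sort_key': False},   # list-valued: no total order
    'security_groups': {},                 # no flag at all: not sortable
}
STANDARD_ATTRIBUTES = {
    'created_at': {'is_sort_key': True},
    'updated_at': {'is_sort_key': True},
    'revision_number': {'is_sort_key': True},
    'description': {'is_sort_key': False},
}
SORT_DIRS = {'asc', 'desc'}


class InvalidSortKey(ValueError):
    """Client error raised at the API boundary instead of a 500 from the DB."""


def sort_keys_for(resource_attrs, standard_attrs=STANDARD_ATTRIBUTES):
    """Names allowed as sort keys: resource plus standard attributes
    that are explicitly flagged with is_sort_key=True."""
    return {
        name
        for attrs in (resource_attrs, standard_attrs)
        for name, spec in attrs.items()
        if spec.get('is_sort_key')
    }


def parse_sort_params(query_string, resource_attrs,
                      standard_attrs=STANDARD_ATTRIBUTES):
    """Turn repeated sort_key/sort_dir query parameters into [(key, dir)].

    Every key is checked against the sortable set and every direction
    against SORT_DIRS before the result is handed to the DB layer.
    """
    params = parse_qsl(query_string, keep_blank_values=True)
    keys = [v for k, v in params if k == 'sort_key']
    dirs = [v for k, v in params if k == 'sort_dir']
    if len(keys) != len(dirs):
        raise InvalidSortKey('sort_key and sort_dir must be given in pairs')
    allowed = sort_keys_for(resource_attrs, standard_attrs)
    result = []
    for key, direction in zip(keys, dirs):
        if key not in allowed:
            raise InvalidSortKey(
                f'{key!r} is not a valid sort key; allowed: {sorted(allowed)}')
        if direction not in SORT_DIRS:
            raise InvalidSortKey(f'{direction!r} is not a valid sort direction')
        result.append((key, direction))
    return result


def sort_error(query_string, resource_attrs=PORT_ATTRIBUTES):
    """Return the validation error message for a query, or None if valid."""
    try:
        parse_sort_params(query_string, resource_attrs)
    except InvalidSortKey as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    print(parse_sort_params('sort_key=name&sort_dir=asc&sort_key=created_at'
                            '&sort_dir=desc', PORT_ATTRIBUTES))
    print(sort_error('sort_key=fixed_ips&sort_dir=asc'))
```

Checking the allow-list at the API layer keeps the failure a deterministic 4xx with a message listing the permitted keys, rather than an internal error whose text may depend on the database backend.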
This patch adds an ironic notifier that sends notifications
to ironic endpoint /v1/events. The events are triggered by
port updates and deletions. Only ports with vnic_type
baremetal are honored.
Story: 1304673
Task: 22263
Closes-Bug: #1828367
Implements: blueprint event-notifier-ironic
Authored-By: Vasyl Saienko <vsaienko@mirantis.com>
Co-Authored-By: Harald Jensås <hjensas@redhat.com>
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: I0bb3187a88a7f20adb8c60e24945db159afb83f1
Adds support for OVS DPDK port representors[1]; a direct port on
a netdev datapath is considered a DPDK representor port.
get_vif_type returns OVS VIF type in case of a direct port.
[1] http://docs.openvswitch.org/en/latest/topics/dpdk/phy/#representors
Closes-Bug: #1829734
Change-Id: I3956eeda19ebc93fdb0b13c1cfb3dc64abffee9f
Currently, 'icmp', 'ipv6-icmp' and 'icmpv6' can be
specified as an IPv6 ICMP protocol value. This can
lead to duplicate entries in the DB for doing exactly
the same thing.
Change to always be 'ipv6-icmp' so this doesn't happen.
Existing rules using one of the old values will now be
returned with 'ipv6-icmp' as the protocol value.
Depends-on: https://review.opendev.org/660206
Depends-on: https://review.opendev.org/660387
Change-Id: I7cd146691dce1a690e1d2c309dfd54b4a0032f76
Partial-Bug: #1582500
Default value for "of_interface" config option was switched
to "native" in Pike release.
In the same release this option was deprecated to removal.
Now it's time to remove it and force use of "native" driver to
manage openflows.
Change-Id: Ic900209868acfbe3bbb56fabbbf5c4472857e412
Co-Authored-By: Ihar Hrachyshka <ihrachys@redhat.com>
Co-Authored-By: Slawek Kaplonski <skaplons@redhat.com>
In the case of the Smart NIC vNIC type, neutron should mimic nova-compute,
which plugs the port into the ovs bridge.
Extend the Neutron OVS mechanism driver and Neutron OVS Agent to bind
the Neutron port for the baremetal host with Smart NIC. This will allow
the Neutron OVS Agent to configure the pipeline of the OVS running on
the Smart NIC and leverage the pipeline features such as: VXLAN,
Security Groups and ARP Responder.
Story: #2003346
Closes-Bug: #1785608
Change-Id: I6d520d3bac2e9ceb30b5b6197c6eb0f958cc3659
Added the ability to change the segmentation ID of a network
with ports bound to OVS agent. The rules, both in the integration
bridge and the physical bridge, to convert the internal VLAN tag
and the external segmentation ID (external VLAN tag) are deleted
and created again with the new value. The traffic from the tenant
networks will be tagged then with the new segmentation ID.
Added a get network details agent RPC call to retrieve the information
of the updated network.
Partial-Bug: #1806052
Change-Id: I69f6f3ef717c3ed40218099b1f389afd3d39bd62
This parameter applies to the OVSDB Controller table when the
native openflow driver is used. There are reports that increasing
it can reduce errors on busy systems. This patch also sets the
default value to 10s which is more than the OVS default of 5s.
See the ovs-vswitchd.conf.db man page for full description.
Change-Id: If0d42919412dac75deb4d7f484c42cea630fbc59
Partial-Bug: #1817022
Currently, most implementations override the L3NatAgent class itself
for their own logic since there is no proper interface to extend the
RouterInfo class. This adds unnecessary complexity for developers
who just want to extend the router mechanism instead of the whole RPC.
Add a RouterFactory class with which developers can register a RouterInfo class
and delegate RouterInfo creation to it. Separate functions and variables
which are currently used externally into an abstract class from RouterInfo, so that
an extension can use the basic interface.
Provide the router registration function to the l3 extension API so that
an extension can extend RouterInfo itself, corresponding to each feature
(ha, distributed, ha + distributed).
Depends-On: https://review.openstack.org/#/c/620348/
Closes-Bug: #1804634
Partially-Implements: blueprint openflow-based-dvr
Change-Id: I1eff726900a8e67596814ca9a5f392938f154d7b
neutron-keepalived-state-change may not start, but there is no method
to find out why. This patch adds the log file for it.
Change-Id: I688a6e6d0ac42c00d87571484f726e0eae091675
Related-Bug: #1822155
A large number of flows can cause the local ovs connection to
time out. Ultimately succeeding will be better
than a retry or fullsync.
Related-Bug: #1813703
Related-Bug: #1813705
Related-Bug: #1813707
Related-Bug: #1813709
Change-Id: Ifa0608a7e131df3cad2f7727426720afce641a58
Add file to the reno documentation build to show release notes for
stable/stein.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.
Change-Id: I56674b093e7de39399d7753df7f9cd46ccd197e5
Sem-Ver: feature
As done for the l3-agent in 837c9283abd4ccb56d5b4ad0eb1ca435cd2fdf3b,
dynamically resize the DHCP process queue green pool.
This patch adds a new measurement based on the network quantity to
indicate the DHCP process queue green pool size. The pool size
will be limited from 8 (original value) to 32, because we do not want
to increase the DHCP agent processing cost on the node.
Change-Id: Ic0e7bc15f138273c7a6ad41f228c9f315e6c7a91
Related-Bug: #1813787
Ovs-agent can be very time-consuming in handling a large number
of ports. At this point, the ovs-agent status report may have
exceeded the set timeout value. Some flow updating operations
will not be triggered. This results in flow loss during agent
restart, especially for host-to-host vxlan tunnel flows.
This fix will let the ovs-agent explicitly, in the first rpc loop,
indicate that the status is restarted. Then l2pop will be required
to update fdb entries.
Closes-Bug: #1813703
Closes-Bug: #1813714
Closes-Bug: #1813715
Closes-Bug: #1794991
Closes-Bug: #1799178
Change-Id: I8edc2deb509216add1fb21e1893f1c17dda80961
This patch adds qos-rules-alias extension to enable users to perform
GET, PUT and DELETE operations on QoS rules as though they are first
level resources. In other words, the user doesn't have to specify the
QoS policy ID.
Change-Id: Ia7535d83e3ae874106e22652dfd97bd9250ad37b
Partial-Bug: #1777627
After taking a closer look at bug 1818385, I found a couple
of follow-on things to fix in the security group code.
First, there are very few protocols that accept ports,
especially via iptables. For this reason I think it's
acceptable that the API rejects them as invalid.
Second, UDPlite has some interesting support in iptables. It
does not support using --dport directly, but does using
'-m multiport --dports 123', and also supports port ranges using
'-m multiport --dports 123:124'. Added code for this special
case.
Change-Id: Ifb2e6bb6c7a2e2987ba95040ef5a98ed50aa36d4
Closes-Bug: #1818385
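The two security-group rule changes above (normalizing the IPv6 ICMP protocol name to `ipv6-icmp` so equivalent rules stop producing duplicate DB entries, and rejecting port ranges for protocols that cannot carry them while giving UDPlite its `-m multiport --dports` form) as one added example; it is not neutron's iptables firewall code. The rule dict layout, the set of port-carrying protocols, the `InvalidRule` exception and the `-j RETURN` target are assumptions made for this illustration, and ICMP rules are treated the way the `port_range_*` fields are commonly overloaded, as type/code.

```python
# Constructed for this example; not neutron's own rule model or driver.
PORT_PROTOCOLS = {'tcp', 'udp', 'udplite', 'sctp', 'dccp'}
ICMP_TYPE_FLAG = {'icmp': '--icmp-type', 'ipv6-icmp': '--icmpv6-type'}
IPV6_ICMP_ALIASES = {'icmp', 'icmpv6', 'ipv6-icmp'}


class InvalidRule(ValueError):
    """Raised at the API boundary instead of letting iptables fail later."""


def normalize_protocol(ethertype, protocol):
    """Canonical protocol name: for IPv6 rules 'icmp' and 'icmpv6' both
    mean ICMPv6 and are stored as 'ipv6-icmp' so duplicates compare equal."""
    if protocol is None:
        return None
    proto = protocol.lower()
    if ethertype == 'IPv6' and proto in IPV6_ICMP_ALIASES:
        return 'ipv6-icmp'
    return proto


def validate_range(proto, pmin, pmax):
    """Accept a range only for protocols that can carry one."""
    if pmin is None and pmax is None:
        return
    if proto in ICMP_TYPE_FLAG:
        # For ICMP the two fields carry the type and an optional code.
        in_byte = lambda v: v is None or 0 <= v <= 255
        if pmin is None or not in_byte(pmin) or not in_byte(pmax):
            raise InvalidRule('ICMP type/code must be in 0..255')
        return
    if proto not in PORT_PROTOCOLS:
        raise InvalidRule(f'protocol {proto!r} does not accept port ranges')
    if pmin is None or pmax is None or not 1 <= pmin <= pmax <= 65535:
        raise InvalidRule('port range must satisfy 1 <= min <= max <= 65535')


def rule_key(rule):
    """Canonical tuple used to detect duplicate rules after normalization."""
    proto = normalize_protocol(rule['ethertype'], rule.get('protocol'))
    return (rule['ethertype'], rule.get('direction', 'ingress'), proto,
            rule.get('port_range_min'), rule.get('port_range_max'),
            rule.get('remote_ip_prefix'))


def dedupe(rules):
    """Keep the first rule for each canonical key."""
    seen, unique = set(), []
    for rule in rules:
        key = rule_key(rule)
        if key not in seen:
            seen.add(key)
            unique.append(rule)
    return unique


def iptables_match_args(rule):
    """Build the match/target arguments for one rule."""
    eth = rule['ethertype']
    proto = normalize_protocol(eth, rule.get('protocol'))
    pmin, pmax = rule.get('port_range_min'), rule.get('port_range_max')
    validate_range(proto, pmin, pmax)
    args = []
    if proto:
        args += ['-p', proto]
    if pmin is not None:
        if proto in ICMP_TYPE_FLAG:
            args += [ICMP_TYPE_FLAG[proto],
                     str(pmin) if pmax is None else f'{pmin}/{pmax}']
        else:
            spec = str(pmin) if pmin == pmax else f'{pmin}:{pmax}'
            if proto == 'udplite':
                # UDPlite has no --dport match; iptables accepts it only
                # through the multiport module, which also takes min:max.
                args += ['-m', 'multiport', '--dports', spec]
            else:
                args += ['--dport', spec]
    if rule.get('remote_ip_prefix'):
        args += ['-s', rule['remote_ip_prefix']]
    return args + ['-j', 'RETURN']


def rule_error(rule):
    """Return the validation error for a rule, or None if it is acceptable."""
    try:
        iptables_match_args(rule)
    except InvalidRule as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    print(iptables_match_args({'ethertype': 'IPv4', 'protocol': 'udplite',
                               'port_range_min': 123, 'port_range_max': 124}))
    print(rule_error({'ethertype': 'IPv4', 'protocol': 'gre',
                      'port_range_min': 1, 'port_range_max': 2}))
```

Normalizing before computing `rule_key` is what makes the three spellings of ICMPv6 collapse to one entry; doing the port-range check in the same place means a rule that iptables could never express is refused at the API with a clear message rather than surfacing as a driver error on the compute node.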
This option is deprecated and marked to be deleted in Ocata. So
as we are now in Stein development cycle I think that it's good time
to remove it.
Change-Id: I07474713206c218710544ad98c08caaa37dbf53a
This patch adds the support for network segment range CRUD. Subsequent
patches will be added to use this network segment range on segment
allocation if this extension is loaded.
Changes include:
- an API extension which exposes the segment range to be administered;
- standard attributes with tagging support for the new resource;
- a new service plugin "network_segment_range" for the feature
enabling/disabling;
- a new network segment range DB table model along with operation
logic;
- Oslo Versioned Objects for network segment range data model;
- policy-in-code support for network segment range.
Co-authored-by: Allain Legacy <Allain.legacy@windriver.com>
Partially-implements: blueprint network-segment-range-management
Change-Id: I75814e50b2c9402fe6776229d469745d7a72290b
We spawn a lot of neutron-servers, on all but the smallest systems.
It's often hard to tell which are busy/overloaded or spinning.
Add an option to set the process names to their role.
This has a small chance of breaking existing scripting, depending
on how they're parsing ps output.
Sample output:
$ ps xw | grep neutron-server
1126 pts/2 S+ 0:00 grep --color=auto neutron-server
25355 ? Ss 0:26 /usr/bin/python /usr/local/bin/neutron-server \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini
25368 ? S 0:00 neutron-server: api worker
25369 ? S 0:00 neutron-server: api worker
25370 ? S 0:00 neutron-server: api worker
25371 ? S 0:00 neutron-server: api worker
25372 ? S 0:02 neutron-server: rpc worker
25373 ? S 0:02 neutron-server: rpc worker
25374 ? S 0:02 neutron-server: services worker
The "normal" looking ps output is the main parent.
Partial-Bug: #1816485
Depends-On: https://review.openstack.org/637119
Change-Id: I0e664a5f8e792d85b8f5483fb8c6f1cd59a677cd
This patch enables the adoption of existing subnets into a
subnetpool. Adoption of a subnet is done by passing the ID
of the hosting network and the address family (ip_version)
which causes all subnets in the specified address family
on the given network to be adopted by the subnet pool. This
continues to work within the constraints on subnet pool
membership of subnets on the same network. This also ensures
prefix uniqueness across an address scope before committing the
adoption of subnets.
Change-Id: I5d3c07beb7f109142d2e3633e69f86ca39edc450
Partially-Implements: blueprint subnet-onboard
Co-Authored-By: Ryan Tidwell <rtidwell@suse.com>
Co-Authored-By: Reedip <reedip.banerjee@nectechnologies.in>
Co-Authored-By: Trevor McCasland <TM2086@att.com>
Co-Authored-By: Bernard Caffarelli <bcafarel@redhat.com>
Updating QoS policies and rules backed by resources tracked in Placement
is a complex task, which was left out of scope for the Stein release.
Of course this is only relevant for policies/rules already in use on
bound ports. Rules of unbound ports can still be updated freely.
Please note this patch cannot catch all possible problems. There will
always be a time window between the allocation committed to Placement
and Nova sending the port binding request to Neutron. If the policy or
rule is changed in this window we cannot do anything against it.
APIImpact: Reject QoS minimum bandwidth policy/rule updates for bound
ports as NotImplemented
Change-Id: I477edb0ae35b385ac776a58195f22382e2fce4ed
Partial-Bug: #1578989
See-Also: https://review.openstack.org/502306 (nova spec)
See-Also: https://review.openstack.org/508149 (neutron spec)
- Limit the number of api workers to roughly half of system
RAM. Spawning a bunch, just to have the OOM killer nuke them
regularly, is not useful.
- Bump the rpc_workers default to half of the api_workers.
A default of 1 falls behind on any reasonably sized node.
Change-Id: I8b84a359f83133014b3d4414aafc10e6b7c6a876
Closes-bug: #1815629
Adds a required list 'required_service_plugins' to each service plugin,
so that we can initialize the service plugin with its required dependencies.
Also adds the 'router' plugin to the port forwarding service plugin's
required list.
Closes-Bug: #1809238
Change-Id: I53fdaee0cd96a5315a7abc39799657d613eb3a2e