Added a check for OVN NB schema, looking for "Port_Group" table
(added in OVN NB schema 5.11).
This patch removes the code to support OVN without "Port_Group"
table. It is assumed that this table is always present.
Closes-Bug: #1946023
Change-Id: If193ff5bc6e1421f4fa9db3779872a82a36c8b69
The goal of [1] is to, in case of failing when removing the quota
reservation, continue the operation. Any expired reservation will
be removed automatically in any driver.
If the DB transaction fails, it should affect only the reservation
trying to be deleted. This is why this patch isolates the
"remove_reservation" method and guarantees it is called outside an
active DB session. That guarantees, in case of failure, no other DB
operation will be affected.
This patch also partially reverts [2] but still checks the security
group rule quota when a new security group is created. Instead of
creating and releasing a quota reservation for the security group
rules created, now only the available quota limit is checked before
creating them. That won't prevent another operation from creating security
group rules in parallel, exceeding the available quota. However, this
is not even guaranteed with the current quota driver.
[1]https://review.opendev.org/c/openstack/neutron/+/805031
[2]https://review.opendev.org/c/openstack/neutron/+/701565
Closes-Bug: #1943714
Change-Id: Id73368576a948f78a043d7cf0be16661a65626a9
OVS agent configuration is extended to support new configuration
options:
- 'resource_provider_packet_processing_without_direction'
- 'resource_provider_packet_processing_with_direction'
- 'resource_provider_packet_processing_inventory_defaults'
OVS agent RPC heartbeat now reports this information to neutron
server in 'configuration' field.
Example config:
ml2_conf.ini:
[ovs]
resource_provider_packet_processing_with_direction = :1000:1000
Partial-Bug: #1922237
See-Also: https://review.opendev.org/785236
Change-Id: Ief554bc445dfd93ea6995bb42b4d010674c7a091
This patch implements support for CRUD operations for QoS minimum
packet rate, for example:
DELETE /qos/policies/$POLICY_ID/minimum_packet_rate_rules/$RULE_ID
Placement or dataplane enforcement is not implemented yet.
Partial-Bug: #1922237
See-Also: https://review.opendev.org/785236
Change-Id: Ie994bdab62bab33737f25287e568519c782dea9a
Using stateless NAT in OVN should always be a better choice for FIPs
because it allows avoiding hitting conntrack, potentially improving
NAT performance, esp. where hardware offload for the openflow rules is
involved.
The only limitation for using stateless NAT in OVN is that it requires
1:1 IP mapping, which is always the case for FIPs. This is why this
patch unconditionally switches to stateless for all FIPs.
Before setting stateless key to NAT's options, check that 'options'
are supported. (Support was added in OVN 20.03 as part of stateless
NAT implementation.) If an older OVN version is used, nothing changes.
The patch also adds a runtime migration rule for neutron-server to
transform all existing stateful fips to stateless.
Change-Id: I312a950131d62d93fb4bc121bc5e60febb8d35ee
Add file to the reno documentation build to show release notes for
stable/xena.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/xena.
Sem-Ver: feature
Change-Id: I307fdfc8957028671706265f0575789afa5e60af
Also updates the docs to be clearer on OVN-Geneve relation topics.
Co-Authored-By: Elvira García Ruiz <egarciar@redhat.com>
Change-Id: Ia253cc4d85261ce1535f4d27b3da91275d879903
Closes-bug: #1868137
Number of resources for neutron to divide
the large RPC call data sets always equals 100.
In "big" networks even these numbers can be
still huge and cause service timeouts.
Now we can decrease these numbers in config.
Default value equals 20 now.
Closes-Bug: 1938202
Change-Id: Idf545ad31398ded460b6c2ae1675dd5e9ae71440
Passing a newline to dnsmasq may cause security issues, especially
since in the case of Neutron the dhcp options' values are controlled by
cloud users.
This patch removes everything that is after the first newline character
in the dhcp_extra_opt's values before passing them to dnsmasq.
Closes-Bug: #1939733
Change-Id: Ifeaf258f0b5ea86f25620ac4116d618980a7272e
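An added illustration of the sanitization described in the commit message above (not code from the Neutron patch): each extra DHCP option value is cut at the first line break before a line-based options file is rendered, so one option can never become more than one line. The function names, the simplified `tag:...,option:...` line layout and the sample values are assumptions made for this example; it also treats a carriage return as a line break, which goes slightly beyond the newline case the commit names.

```python
import re

# Any line terminator a line-based config parser might honour.
_LINE_BREAK = re.compile(r"[\r\n]")


def sanitize_opt_value(value):
    """Keep only the text before the first CR or LF."""
    return _LINE_BREAK.split(str(value), maxsplit=1)[0]


def render_opts(port_tag, extra_opts, sanitize=True):
    """Render one options-file line per (name, value) pair.

    The line layout is a simplified assumption, not Neutron's exact format.
    """
    lines = []
    for name, value in extra_opts:
        if sanitize:
            value = sanitize_opt_value(value)
        lines.append(f"tag:{port_tag},option:{name},{value}")
    return "\n".join(lines) + "\n"


def count_directives(rendered):
    """Number of non-empty lines a line-based parser would read."""
    return sum(1 for line in rendered.splitlines() if line.strip())


# Constructed sample: the second value carries an embedded newline.
SAMPLE_OPTS = [
    ("mtu", "1450"),
    ("domain-name", "example.test\nunexpected-extra-line"),
]

if __name__ == "__main__":
    raw = render_opts("port-a", SAMPLE_OPTS, sanitize=False)
    clean = render_opts("port-a", SAMPLE_OPTS)
    print(count_directives(raw), "lines without sanitizing")
    print(count_directives(clean), "lines with sanitizing")
    print(clean, end="")
```

Two user-supplied options must always yield exactly two rendered lines; the unsanitized render of the constructed sample yields three.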
This patch adds the documentation to the Network Availability Zones
support in OVN. Instead of having two documentation pages, one for router
AZs and another one for network AZs, this patch merges both guides into
one single documentation. Setting up AZs in OVN is the same for both
types and the differences between the two are documented within their
own sections.
The patch also removes a limitation listed in the SR-IOV documentation
for OVN since we no longer have a default HA Chassis Group. This
limitation was removed as part of the Network AZ work.
Change-Id: I55f27a5473dcd1e6e2255007108c2008acfb6dec
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
This patch adds a new API extension to QoS service plugin
to allow CRUD actions for packet rate limit (packet per
second) rule in Neutron server side.
NOTE: This patch will NOT implement the real functionality
in L2/L3 backend to limit the pps.
Co-Authored-By: NANALI <lin203@chinaunicom.cn>
Closes-bug: #1912460
Change-Id: Icc88accb88d9cec40c960c56f032c3c27317b42e
This reverts commit 66ac943b6435901c163c3050ad41dfcaf36ac11d.
Reason for revert: After discussions with the core reviewers for ML2/OVN
and Neutron folks about this configuration option we understood that we
should just enable RpcWorkers to connect to the OVN database by default
and later allow rpc_workers to be set to 0 in Neutron (for those looking
for optimizations and that don't need RpcWorkers in their deployment). So
I am proposing a revert for this configuration option.
Change-Id: I73ba195401fff9f832b84633398816383f710b23
This patch changes the policy for updating routes to support ECMP,
and will now add ECMP routes to the Neutron router namespace when
there are multiple routes pointing to the same destination address.
Change-Id: I842c1408ee0235bc54441e9ed69c8b87ea30651b
Related-Bug: #1880532
This patch sanitizes the MAC address coming from a user input:
- The "base_mac" address configuration parameter.
- The "port.mac_address" stored in the database, if the script
provided is not executed.
This patch relies on [1], that will sanitize any input coming from
the server API.
This patch adds a new script to sanitize all "port.mac_address"
registers stored in the database.
[1]https://review.opendev.org/c/openstack/neutron-lib/+/788300
Related-Bug: #1926273
Change-Id: I8572906cc435feda1f82263fd94dda47fc1526e1
This adds a middleware for noauth that would inject a fake
project_id for create requests. This would ensure that api
consumers don't have to provide a fake project_id in requests.
Closes-Bug: #1934039
Change-Id: I5e1de571034be41f1147c130fce66e6cf70b1369
Previously if extension was not supported by one of the mech drivers,
but it wasn't filtered out by next mech driver, it was available finally
in the list.
Now, this patch changes that so if extension is disabled by one of the
drivers it isn't available on the list at all.
This will work better e.g. with discoverability of what is available
e.g. when OVN backend is used by Neutron.
Closes-Bug: #1929676
Change-Id: I6a4ff42f47f7ee90365516d37472c09ac87773e5
When the router GW interface is updated or deleted, the routes should
be checked in order to prove all of them have connectivity to any of
the router interface subnets.
In a router, all routes nexthops must have connectivity with one
interface subnet. If not, this route cannot send the packets to this
route gateway; therefore this route becomes invalid.
Closes-Bug: #1925368
Change-Id: I7ce93b863b0dc0d4a2376fcfd602d2facb6fb2d0
Add a new ovs agent extension to support distributed DHCP for
VMs in compute nodes directly. For large scale deployment, this
can be used to reduce the number of neutron agents. Large scale
cloud can benefit from it.
From the perspective of virtual machine, this will reduce the
probability of DHCP request failure. The VMs will get a higher
level availability for DHCP R/R, no single point of failure
permanently. If one host goes down, VMs in other hosts will not
be influenced by it.
From the perspective of network performance, after using this
extension, the DHCP broadcasting packages will be limited
to the host locally.
Partially-Implements: bp/distributed-dhcp-for-ml2-ovs
Closes-Bug: #1900934
Change-Id: Id8a4c501daad7c2185e6d69441182666ef987e61
Add a configuration option to ovn group:
additional_worker_classes_with_ovn_idl
to optionally enable OVN IDL connections on additional workers.
By default the IDL connections are only initialized on API and
maintenance workers as other worker types normally don't need them.
But some plugins or extensions might still require IDL connections on
other workers and now may enable them via configuration, by adding the
worker class (or its alias from neutron.worker_classes) to
additional_worker_classes_with_ovn_idl.
Closes-Bug: #1927977
Change-Id: Ia0d882220cd281e3c91648e3f32a842d61a5f57d
This change ensures that neutron relies on the same logic as libvirt
to generate hypervisor hostname, to fix incompatible hostname format
used in Nova and Neutron for resource provider name in some
configuration patterns like the one generated by TripleO.
Closes-Bug: #1926693
Change-Id: Iea2533f4c52935b4ecda9ec22fb619c131febfa1
Map OpenStack SG stateful=False to OVN ACL allow-stateless action verb.
The verb is added in the latest OVN release, 21.06. Inspect db schema to
determine if the new action is supported by OVN before trying to create
it. Fall back to allow-related when it's not supported yet.
Also-Needs: I7343fb609fab91c20490842378747f7265241e82
This will require ovsdbapp version bump with the patch mentioned above
to make it work.
Change-Id: Ic1c36fb71a9d03e8697583a1ea9453d4c0052f74
When needing to create a point to point connection via a subnet,
generally a /31 is the recommended cidr. Neutron supports /31
disabling dhcp and gateway on a subnet. /32 is also supported in
openstack.
Closes-Bug: #1580927
Change-Id: I3bfa3efb9fb8076656b16c89d2f35d74efde12b7
SR-IOV agent can handle ports with same MAC address (located in
different networks). The agent can retrieve, from the system, the
MAC address and the PCI slot; because the PCI slot is unique per
port in the same host, this parameter is used to match with the
Neutron port ID stored in the database (published via RPC).
RPC API bumped to version 1.9.
Closes-Bug: #1791159
Change-Id: Id8c3e0485bebc55c778ecaadaabca1c28ec56205
This new quota driver, ``DbQuotaNoLockDriver``, does not create a lock
per (resource, project_id) but retrieves the instant (resource,
project_id) usage and the current (resource, project_id) reservations.
If the requested number of resources fit the available quota, a new
``Reservation`` register is created with the amount of units requested.
All those operations are done inside a DB transaction context. That
means the amount of resources and reservations is guaranteed inside
this transaction (depending on the DB backend isolation level defined)
and the new reservation created will not clash with other DB transaction.
That will guarantee the number of resources and instant reservations
never exceed the quota limits defined for this (resource, project_id).
NOTES:
- This change tries to be as unobtrusive as possible. The new driver
uses the same ``DbQuotaDriver`` database tables (except for
``QuotaUsage``) and the same Quota engine API, located in
``neutron.quota``. However, the Quota engine resources implement some
particular API actions like "dirty", that are not used in the new
driver.
- The Pecan Quota enforcement hooks,
``neutron.pecan_wgsi.hooks.quota_enforcement``, execute actions like
"resync", "mark_resources_dirty" or "set_resources_dirty", that have
no meaning in the new driver.
- The isolation between the Quota engine and the Pecan hook, and the
driver itself is not clearly defined. A refactor of the Quota engine,
Quota service, Quota drivers and a common API between the driver and
the engine is needed.
- If ``DbQuotaDriver`` is deprecated, ``CountableResource`` and
``TrackedResource`` will be joined in a single class. This resource
class will have a count method (countable) or a hard dependency on a
database table (tracked resource). The only difference will be the
"count" method implementation.
Closes-Bug: #1926787
Change-Id: I4f98c6fcd781459fd7150aff426d19c7fdfa98c1
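An added sketch of the reservation check described in the commit message above (not the ``DbQuotaNoLockDriver`` code): current usage and unexpired reservations are counted, and a new reservation row is written only if the request fits, all inside one DB transaction. The SQLite schema, the ``reserve_ports`` and ``open_db`` names, the single "port" resource and the use of ``BEGIN IMMEDIATE`` for isolation are assumptions made for this example.

```python
import sqlite3
import time


class OverQuota(Exception):
    """Raised when usage + reservations + request exceed the limit."""


def open_db():
    # isolation_level=None: transactions are opened explicitly below.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript("""
        CREATE TABLE ports (project_id TEXT);
        CREATE TABLE reservations (
            id INTEGER PRIMARY KEY, project_id TEXT, resource TEXT,
            amount INTEGER, expiration REAL);
    """)
    return db


def reserve_ports(db, project_id, amount, limit, ttl=120.0):
    """Count usage and live reservations, then reserve, in one transaction."""
    now = time.time()
    db.execute("BEGIN IMMEDIATE")  # assumption: SQLite write lock as isolation
    try:
        used = db.execute(
            "SELECT COUNT(*) FROM ports WHERE project_id = ?",
            (project_id,)).fetchone()[0]
        # Expired reservations are ignored, so a leaked one cannot block
        # the project forever.
        reserved = db.execute(
            "SELECT COALESCE(SUM(amount), 0) FROM reservations "
            "WHERE project_id = ? AND resource = 'port' AND expiration > ?",
            (project_id, now)).fetchone()[0]
        if used + reserved + amount > limit:
            raise OverQuota(f"{used} used + {reserved} reserved + {amount}"
                            f" requested > {limit}")
        cur = db.execute(
            "INSERT INTO reservations (project_id, resource, amount,"
            " expiration) VALUES (?, 'port', ?, ?)",
            (project_id, amount, now + ttl))
        db.execute("COMMIT")
        return cur.lastrowid
    except Exception:
        db.execute("ROLLBACK")
        raise
```

As the commit message notes, the guarantee depends on the isolation level of the DB backend; with a weaker level two concurrent transactions could both pass the check.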
Currently neutron uses socket.gethostname() to determine hypervisor
names, but this implementation is not fully compatible with libvirt
driver which uses canonical name for hypervisor name.
This incompatibility causes an issue with root resource provider
detection if a deployment uses FQDNs as canonical names.
This change introduces the resource_provider_default_hypervisor option,
so that users can override the hypervisor name by the single option(*1)
instead of setting two list options(*2). This is especially useful if
the deployment has multiple bridges or interfaces.
(*1)
[OVS]
resource_provider_bandwidths=br-data1:1024:1024,br-data2:1024:1024,\
br-data3:1024,1024,br-data4,1024:1024
resource_provider_default_hypervisor=compute0.mydomain
(*2)
[OVS]
resource_provider_bandwidths=br-data1:1024:1024,br-data2:1024:1024,\
br-data3:1024,1024,br-data4,1024:1024
resource_provider_hypervisors=br-data1:compute0.mydomain,br-data2:\
compute0.mydomain,br-data3:compute0.mydomain,br-data4:compute0.mydomain
Related-Bug: #1926693
Change-Id: I692219200535df3af1265248e88c96947e4d8f9d
The admin_* parameters are implementing the same functionality as
keystoneauth parameters although these don't provide all parameters for
Keystone v3 identity but are still based on Keystone v2 identity.
This change deprecates these parameters so that we can remove
such redundant and outdated definitions in a future release.
Closes-Bug: #1927494
Change-Id: I6294098008fbebb2e64922b3aaa085c1361d48a2
When floating IP or port with DNS records are created and the recordset
quota value of the external dns service (e.g. designate) exceeds limit,
the recordset creation fails. Report the exact reason of failure i.e.
ExternalDNSOverQuota instead of HttpException.
Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/786174
Closes-Bug: #1923700
Change-Id: Ie1dd5c26ec0eb1875d2a6a176838598117678f4a
This change cleans up the configuration options for Xen API support,
which was deprecated during the Wallaby cycle[1] and has been
ineffective.
[1] a6dbf97242caa3be646e8eb6b1502b5e59e123fd
Change-Id: I89f304f767b2ec645ac7bb216890b6ac470fd875
Until the migration to the new native "nftables" API is completed,
Neutron Linux Bridge mechanism driver can work with:
- The legacy binaries ("iptables", "ip6tables", "arptables" and
"ebtables").
- The "nftables" legacy API tools. "ipset" tool is not compatible
with "nftables" and must be disabled.
Closes-Bug: #1915341
Related-Bug: #1508155
Related-Bug: #1922892
Change-Id: I10ef4e9124ba8f243680acde506eebc586c2f9a7
In TripleO we are moving to a model where heat is not
used to manage neutron resources. This work relies on
using tags, and we are hitting the 60 character limit.
This change bumps the tag elements to 255 characters.
Closes-Bug: #1921713
Change-Id: Ie69526acb94b62fd5d8db1dbddc1f24072df7a5e
Add file to the reno documentation build to show release notes for
stable/wallaby.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/wallaby.
Sem-Ver: feature
Change-Id: If44ab719ae638c44a1a65053950fb33f6e6ef4f4