1693 Commits

Author SHA1 Message Date
Brian Haley
0611735715 Remove ovn.ini example file
The ovn.ini file is a hold-over from the networking-ovn
tree. The docs all reference configuring OVN (and OVS)
options in ml2_conf.ini, so remove the old file and add
the neutron.ml2.ovn namespace to
etc/oslo-config-generator/ml2_conf.ini.

Trivialfix

Change-Id: I26dedc80e07aedffb1713560d4431b7a334b70b5
2023-09-06 15:19:30 -04:00
Zuul
ed6023c347 Merge "Update QoS config document: use YAML config examples" 2023-09-01 09:06:51 +00:00
Zuul
1bb9fe1b21 Merge "Default SG rules template - Update related docs and add release note" 2023-08-31 19:05:54 +00:00
Slawek Kaplonski
5c2f54ca03 Default SG rules template - Update related docs and add release note
This patch updates docs related to the Security Groups to add info about
possibility to change default set of rules created in every new security
group.
It also adds release note about this new API in Neutron.

Closes-Bug: #1983053
Change-Id: I0f6ecc5cf374a0090930e9786834ed7a1be3dc0b
2023-08-30 10:18:34 +00:00
Rodolfo Alonso Hernandez
fa130f29f7 Update QoS config document: use YAML config examples
Closes-Bug: #2033203
Change-Id: I0162cf74e74ff915918d36bd1150d2ac474ac882
2023-08-28 10:12:58 +00:00
Dr. Jens Harbott
0e5c91c499 Add some more known issues to the OVN gap document
See the related bugs.

Related-Bug: #2030294
Related-Bug: #2030295
Change-Id: If90e4233c599b0ab4363d7eea6b00436bf7ab92c
2023-08-27 15:15:42 +02:00
Zuul
321f7672e7 Merge "[Docs] Add recommendation about usage of cache in the neutron-metadata-agent" 2023-07-19 14:44:55 +00:00
Slawek Kaplonski
49b68d36a0 [Docs] Add recommendation about usage of cache in the neutron-metadata-agent
Neutron-metadata-agent can cause big load on the RPC bus and
neutron-server by asking for port details very often. And this can be
optimized by simply using cache mechanism provided by oslo.cache module.
This feature wasn't really described in our docs so this patch adds
short document about why and when to use cache in metadata agent, why it's
not needed in the neutron-ovn-metadata-agent and how to enable it.

Closes-Bug: #2024581
Change-Id: I2c7e496f4c0588eebc1fbf42a43473101f67032f
2023-07-07 14:47:59 -04:00
Sahid Orentino Ferdjaoui
f2dd2d3cac doc: fix typo in metering-agent.rst
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
Change-Id: I54b3dbf64ad313f6e3c34a2c774975f6327843c4
2023-07-03 09:21:28 +02:00
Zuul
6e30e3e59f Merge "[ovn]disable security group notifier" 2023-06-09 05:19:14 +00:00
Zuul
7072b34650 Merge "Make DB migration creating indexes in RBACs conditional" 2023-06-07 21:37:03 +00:00
Zuul
4bc538d7ea Merge "[OVN][Migration] Enable settings backup subnet for NFS clients" 2023-05-29 18:35:03 +00:00
Rodolfo Alonso Hernandez
e8cd39b3d7 Make DB migration creating indexes in RBACs conditional
This patch makes conditional the existing DB migration that adds
the new indexes "target_tenant" and "action" in the "*rbacs" tables.
The rationale of this patch is to be able to manually improve older
systems by just manually creating the indexes in the database.
Once these indexes are added, those operations including RBACs
checks (all these called from non-admin user to RBAC administrated
resources) will be improved.

This patch is avoiding the migration issue a system could find if
these indexes have been manually added and then the system is
upgraded. The new check added will first retrieve the table indexes;
if the index is already present, the index addition is skipped.

Closes-Bug: #2020802
Change-Id: I1962fbc844bb67180e9071bcee01f8e95853bdda
2023-05-29 15:26:11 +00:00
zhouhenglc
35cb164ea5 [ovn]disable security group notifier
When we use the ovn driver, the security group is implemented
by the ACL of ovn. There is no need to send rpc messages.

Closes-Bug: #2007327

Change-Id: I4b486c910ed298633ac6f60fd93f695c6c3bfef2
2023-05-24 14:15:33 +08:00
Miro Tomaska
b677d65b2d [OVN][Migration] Enable settings backup subnet for NFS clients
If the BACKUP_MIGRATION_IP is set to a different IP outside of
the default nets[1] set in the “openstack overcloud backup”
playbook setup_nfs role[2], then the NFS will fail to mount
directories during the backup, because they will not be
reachable | permitted.
This change simply adds a new variable
BACKUP_MIGRATION_CTL_PLANE_CIDRS into the ovn_migration script
to allow the user to overwrite the extra-var used for
Openstack overcloud backup --setup-nfs command.

[1] e281ae7624/tripleo_ansible/roles/backup_and_restore/defaults/main.yml (L47)
[2] e281ae7624/tripleo_ansible/roles/backup_and_restore/tasks/setup_nfs.yml (L127)

Change-Id: I160dfc4e893b93ac7a40e19b3dd6b89750dac57d
2023-05-19 19:18:32 +00:00
Guillaume Espanel
5f4a41326d Add rate-limiting to metadata agents
Requests handled by the metadata-agents can now be rate-limited by
source-ip. This is done to protect the OpenStack control plane against
VMs querying the metadata endpoint in an overly enthusiastic way.

Co-authored-by: Miguel Lavalle <mlavalle@redhat.com>

Related-Bug: #1989199
Change-Id: I748ccfa8b50496dcbcbe41fd22f84249a4d46b11
2023-05-17 18:52:25 -05:00
Brian Haley
01af4b2cda Remove the neutron-debug tool
With removal of the neutron client shell code this tool is
no longer usable. It had been marked for deprecation since
the Newton (9.0) cycle and unmaintained.

This code is also breaking the neutron gate pep8 job.

Change-Id: I3c0c93de0b860d9287019b7834cb8337d9668cc0
2023-05-12 12:42:31 -04:00
Stephen Finucane
d409296bde docs: Deindent code blocks
We had a number of code blocks that were being incorrectly rendered
inside block quotes, which messed with formatting somewhat. Correct
them. This was done using the following script:

  sphinx-build -W -b xml doc/source doc/build/xml
  files=$(find doc/build/xml -name '*.xml' -print)
  for file in $files; do
      if xmllint -xpath "//block_quote/literal_block" "$file" &>/dev/null; then
          echo "$file"
      fi
  done

Note that this also highlighted a file using DOS line endings. This is
corrected.

Change-Id: If63f31bf13c76a185e2c6eebc9b85f9a1f3bbde8
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
2023-05-10 17:37:26 +01:00
Zuul
fd17662611 Merge "Change API to validate network MTU minimums" 2023-05-04 20:47:52 +00:00
Arnaud Morin
30c0e5699e Fix doc links for networking option 2
Wrong links were introduced a long time ago; this is setting the good
links.

Change-Id: Ib3dbe570f3aecb9533fa4623726db5551fd87100
Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
2023-05-04 11:07:16 +02:00
Zuul
dfdf15a2f2 Merge "Remove "neutron-ovn-tempest-ovs-release-ubuntu-old" job" 2023-05-03 15:44:38 +00:00
Zuul
5c45b1ee29 Merge "Doc: Add FWaaS v2 install details" 2023-04-28 18:36:15 +00:00
Rodolfo Alonso Hernandez
4bac350f68 Remove "neutron-ovn-tempest-ovs-release-ubuntu-old" job
Neutron is no longer tested in "Ubuntu Focal".

Closes-Bug: #2017500
Change-Id: I16b40c4b0a67370721a125ea377f483c7c08efa0
2023-04-28 14:15:45 +00:00
Zuul
1ee0e38588 Merge "[OVN] Admin procedure for duplicated or deleted OVN agents" 2023-04-27 14:21:54 +00:00
Brian Haley
88ce859b56 Change API to validate network MTU minimums
A network's MTU is now only valid if it is the minimum value
allowed based on the IP version of the associated subnets,
68 for IPv4 and 1280 for IPv6.

This minimum is now enforced in the following ways:

1) When a subnet is associated with a network, validate
   the MTU is large enough for the IP version. Not only
   would the subnet be unusable if it was allowed, but the
   Linux kernel can fail adding addresses and configuring
   network settings like the MTU.

2) When a network MTU is changed, validate the MTU is large
   enough for any currently associated subnets. Allowing a
   smaller MTU would render any existing subnets unusable.

Closes-bug: #1988069
Change-Id: Ia4017a8737f9a7c63945df546c8a7243b2673ceb
2023-04-26 12:22:30 -04:00
Zuul
d8eb64e1cf Merge "Update QoS documentation" 2023-04-26 08:34:16 +00:00
elajkat
9f22dc1d3a Doc: Add FWaaS v2 install details
Change-Id: I8813efac46ff3d2a93933c3025bf5490d21cd622
Closes-bug: #2009832
2023-04-26 07:52:58 +00:00
Zuul
3d54423ecf Merge "Suppress IPv6 metadata DAD failure and delete address" 2023-04-26 07:38:07 +00:00
Rodolfo Alonso Hernandez
b31453af47 [OVN] Admin procedure for duplicated or deleted OVN agents
This patch documents how to detect that the system has duplicated
"Chassis" and "Chassis_Private" registers or when a "Chassis_Private"
register is orphaned, and how to proceed to heal the OVN Southbound
database.

Closes-Bug: #2012104
Change-Id: I926e6b9fe5fbad2968fc92e65082b7bb0d8571a9
2023-04-22 02:44:07 +02:00
Rodolfo Alonso Hernandez
d757c530bc Update QoS documentation
* Added DSCP mark 44 [1]
* Added ingress/egress support for gateway IP for OVN routers [2]

[1]https://review.opendev.org/c/openstack/neutron-lib/+/854117
[2]https://review.opendev.org/c/openstack/neutron/+/833455

Trivial-Fix

Change-Id: Ic15ba644be7967fc6bcbbb8c8aad0b7370b4affe
2023-04-21 10:59:20 +00:00
706a0e0268 Fix parent of neutron-ovn-tempest-with-uwsgi-loki
Missed in [1], also drop reference of
neutron-tempest-with-uwsgi-loki from docs.

Also set NEUTRON_DEPLOY_MOD_WSGI: false for
parent ovn job[2].

[1] https://review.opendev.org/c/openstack/neutron/+/797051
[2] https://bugs.launchpad.net/neutron/+bug/1912359

Change-Id: If865a863971bb655ddc59a5237c4d1e57e46e407
2023-04-17 16:44:07 +05:30
Zuul
81b982b669 Merge "Update url and package name" 2023-04-13 13:38:39 +00:00
Bence Romsics
2aee961ab6 Suppress IPv6 metadata DAD failure and delete address
IPv4 DAD is non-existent in Linux or its failure is silent, so we
never needed to catch and ignore it. On the other hand IPv6 DAD
failure is explicit, hence comes this change.

This of course leaves the metadata service dead on hosts where
duplicate address detection failed. But if we catch the
DADFailed exception and delete the address, at least other
functions of the dhcp-agent should not be affected.

With this the IPv6 isolated metadata service is not redundant, which
is the best we can do without a redesign.

Also document the promised service level of isolated metadata.

Added additional tests for the metadata driver as well.

Change-Id: I6b544c5528cb22e5e8846fc47dfb8b05f70f975c
Partial-Bug: #1953165
2023-04-04 09:39:19 -04:00
WeiLingfei
33c4a2d97e Update url and package name
The package name and url need to update.

- Update package from "python-neutron-ovn-migration-tool" and
"python-neutron" to "openstack-neutron-ovn-migration-tool" and
"openstack-neutron".
- Update url from "github" to "opendev"

Change-Id: I41ba7d6929b28317622dbf868f265eab4c6fd84e
2023-03-28 06:59:20 +00:00
Brian Haley
b777aa57b2 Update the quota guide examples
The quota guide was using the old 'neutron quota-list' style
commands, update to use the 'openstack quota' ones. Removed
wording on adding L2/L3 ones as they are all in neutron.conf.

Trivialfix

Change-Id: I1cb19ff93e617d19338b0ddfd7eb496eb1ae3572
2023-03-27 17:38:26 -04:00
Yamato Tanaka
c97dcfd03f doc: state that O flag can be 0 in dhcpv6-stateful
The current document states that O flag will be 1 when ipv6_ra_mode is
dhcpv6_stateful, but the actual implementations of both ml2/OVS and
ml2/OVN set O flag to 0 according to the following implementations:

ML2/OVS
f545c002dc/neutron/agent/linux/ra.py (L53-L55)

ML2/OVN
a5238e6234/controller/pinctrl.c (L3733-L3734)
a5238e6234/lib/actions.c (L3349-L3350)

This actual behavior looks correct because O flag can be either 1 or 0
when M flag is 1, according to the following statement of RFC 4861:

  https://www.rfc-editor.org/rfc/rfc4861#section-4.2
  If the M flag is set, the O flag is redundant and can be ignored
  because DHCPv6 will return all available configuration information.

To make consistency between the document and actual behavior, this
commit changes the document to state that O flag can be either 1 or 0
when ipv6_ra_mode is dhcpv6_stateful.

Closes-Bug: #2011687
Change-Id: Id61031d7e707d0ba7b007bae0c9e0f59b8b40f8b
2023-03-19 20:17:55 +09:00
Zuul
43c9642115 Merge "Add Jens Harbott as Lieutenants in Infra area" 2023-03-14 08:57:12 +00:00
Rodolfo Alonso Hernandez
008277b8c1 [OVS] Allow custom ethertype traffic in the ingress table
This patch is a partial revert of [1], reinstantiating the code merged
in [2]. This patch is the complementary to [1]: the traffic with
custom ethertypes is allowed in the ingress processing tables, same
as [1] is allowing all traffic from the virtual machine ports in this
host to leave the node. Both, this patch and [1], are bypassing the
OVS firewall just for the traffic with the configured allowed
ethertypes and just for/to the local ports and MAC addresses.

Any other traffic not coming from a local port or with destination
a local port, will be blocked as is now.

[1]https://review.opendev.org/c/openstack/neutron/+/678021
[2]https://review.opendev.org/c/openstack/neutron/+/668224/

Closes-Bug: #2009221
Related-Bug: #1832758
Change-Id: Ib8340d9430b946a446edf80886c49fbac729073c
2023-03-08 04:25:53 +01:00
Zuul
708c34c7a3 Merge "Add Lajos Katona to Client and Doc areas as lieutenant" 2023-03-07 13:33:07 +00:00
Brian Haley
5d2086c698 Add 2023.1 release name in routed networks doc
Since Antelope is a code name, add the release name as
well, similar to qos-min-bw doc.

Trivialfix

Change-Id: I31b03178c888990002340b83083a17a5f1ccc94a
2023-03-03 11:29:47 -05:00
elajkat
b6bc4c8a66 Add Lajos Katona to Client and Doc areas as lieutenant
Change-Id: I9e4f78fd79c7836be71175c0f664257abb9ea177
2023-03-03 12:22:21 +00:00
Zuul
1e8949c9e9 Merge "Update lieutenants for ovn-octavia-provider" 2023-03-01 21:22:49 +00:00
Zuul
48b57bf80f Merge "Add Slawomir Kaplonski as Lieutenant in API, Client and Testing areas" 2023-02-28 21:11:50 +00:00
Rodolfo Alonso Hernandez
12093015de Add Jens Harbott as Lieutenants in Infra area
Jens Harbott will replace Yamamoto Takashi in this area.

Change-Id: I497d921fa4936657572c3d6d0c30c4d07b89fa56
2023-02-28 15:19:56 +00:00
Rodolfo Alonso Hernandez
19482a049b Add Slawomir Kaplonski as Lieutenant in API, Client and Testing areas
Change-Id: I6863ace7759b7f2991a2ed188a897b80ed844ef0
2023-02-28 15:02:22 +00:00
Luis Tomas Bolivar
6cac935824 Update lieutenants for ovn-octavia-provider
Change-Id: Ic27f0dc74c898f19fd39dc4a23f5acf2682dc458
2023-02-28 15:49:28 +01:00
Slawek Kaplonski
169ef05589 Change neutron-ovs-tempest-dvr-ha-multinode-full job's config
Now this job runs on 3 nodes:

* 1 main, controller and networker like, without nova-compute service on
  it, this node has "dvr_snat" set as L3 agent's mode,
* 2 compute like nodes with nova compute and L3 agent in "dvr" mode

Even though there is only one "dvr_snat" node in the job, it keeps
"l3_ha" option set to "true" in Neutron's config. That way we are still
testing "ha" code path of the centralized part of the router but also
job is now closer to the real life, and supported deployments topology.

Additionally this patch adds nodeset for 3 nodes with Ubuntu Jammy and
controller node not running compute service as there is no such nodeset
defined globally.

Related-Bug: #1934666

Change-Id: Id6a91795ebc73be26bb34d9eaf8a53b2b6a1ba0c
2023-02-21 22:19:52 +01:00
Brian Haley
c609084b59 Add doc note on nf_conntrack module requirement
The OVS firewall driver requires nf_conntrack module(s)
to be loaded to function properly. While they are typically
loaded automatically, add a note to the admin guide about
the requirement to make it explicit.

Closes-bug: #1834213

Change-Id: I55871eff1e37d4155b8d2b5ae8c182d160c4af9f
2023-01-25 15:25:18 +00:00
Zuul
c078c6569f Merge "Support for minimum bandwidth rules in tunnelled networks" 2023-01-16 18:59:59 +00:00
Brian Haley
d0e64c6617 Add auto-allocated-topology delete example to docs
There was not an example of how to delete an auto
allocated topology (get me a network), so add one.
Only a partial fix as it seems the api-ref doc in
neutron-lib is incorrect as there is only create and
delete operations on this resource, not show.

Change-Id: Iaa797b7e0c1c9bac25ff00659a74286173297206
Partial-bug: #1617548
2023-01-13 17:42:34 -05:00