The ovn.ini file is a hold-over from the networking-ovn
tree. The docs all reference configuring OVN (and OVS)
options in ml2_conf.ini, so remove the old file and add
the neutron.ml2.ovn namespace to
etc/oslo-config-generator/ml2_conf.ini.
Trivialfix
Change-Id: I26dedc80e07aedffb1713560d4431b7a334b70b5
This patch updates docs related to the Security Groups to add info about
the possibility to change the default set of rules created in every new
security group.
It also adds a release note about this new API in Neutron.
Closes-Bug: #1983053
Change-Id: I0f6ecc5cf374a0090930e9786834ed7a1be3dc0b
Neutron-metadata-agent can cause a big load on the RPC bus and
neutron-server by asking for port details very often. This can be
optimized by simply using the cache mechanism provided by the oslo.cache
module. This feature wasn't really described in our docs, so this patch
adds a short document about why and when to use the cache in the metadata
agent, why it's not needed in the neutron-ovn-metadata-agent and how to
enable it.
Closes-Bug: #2024581
Change-Id: I2c7e496f4c0588eebc1fbf42a43473101f67032f
This patch makes conditional the existing DB migration that adds
the new indexes "target_tenant" and "action" in the "*rbacs" tables.
The rationale of this patch is to be able to manually improve older
systems by just manually creating the indexes in the database.
Once these indexes are added, those operations including RBAC
checks (all those called from a non-admin user to RBAC administrated
resources) will be improved.
This patch is avoiding the migration issue a system could find if
these indexes have been manually added and then the system is
upgraded. The new check added will first retrieve the table indexes;
if the index is already present, the index addition is skipped.
Closes-Bug: #2020802
Change-Id: I1962fbc844bb67180e9071bcee01f8e95853bdda
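The check-then-create pattern this commit message describes, as an added example (not code from the Neutron change). It uses the standard-library sqlite3 module instead of Neutron's migration tooling; the table names, schema and ix_* index names are constructed, and matching an existing index by its column rather than by its name is an assumption made here.

```python
import sqlite3

# Assumed for illustration: the commit says only '"*rbacs" tables'; these two
# table names, the schema and the ix_* naming are constructed for the example.
RBAC_TABLES = ("networkrbacs", "qospolicyrbacs")
INDEXED_COLUMNS = ("target_tenant", "action")


def indexed_column_sets(conn, table):
    """Return the column tuples already covered by an index on `table`."""
    covered = set()
    for row in conn.execute(f"PRAGMA index_list('{table}')").fetchall():
        info = conn.execute(f"PRAGMA index_info('{row[1]}')").fetchall()
        covered.add(tuple(col[2] for col in info))
    return covered


def add_rbac_indexes(conn):
    """Create only the missing indexes; return the names that were created."""
    created = []
    for table in RBAC_TABLES:
        covered = indexed_column_sets(conn, table)
        for column in INDEXED_COLUMNS:
            if (column,) in covered:
                continue  # already present (e.g. added by hand): skip
            name = f"ix_{table}_{column}"
            conn.execute(f'CREATE INDEX "{name}" ON "{table}" ("{column}")')
            created.append(name)
    return created


def demo():
    """Constructed scenario: one index was added manually before upgrade."""
    conn = sqlite3.connect(":memory:")
    for table in RBAC_TABLES:
        conn.execute(f'CREATE TABLE "{table}" (id TEXT PRIMARY KEY, '
                     "object_id TEXT, target_tenant TEXT, action TEXT)")
    # Operator pre-created one index by hand, under a non-standard name.
    conn.execute("CREATE INDEX manual_idx ON networkrbacs (target_tenant)")
    first = add_rbac_indexes(conn)   # creates the three missing indexes
    second = add_rbac_indexes(conn)  # a re-run finds nothing left to do
    return first, second


if __name__ == "__main__":
    print(demo())
```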
When we use the ovn driver, the security group is implemented
by the ACL of ovn. There is no need to send rpc messages.
Closes-Bug: #2007327
Change-Id: I4b486c910ed298633ac6f60fd93f695c6c3bfef2
If the BACKUP_MIGRATION_IP is set to a different IP outside of
the default nets[1] set in the “openstack overcloud backup”
playbook setup_nfs role[2], then the NFS will fail to mount
directories during the backup, because they will not be
reachable | permitted.
This change simply adds a new variable
BACKUP_MIGRATION_CTL_PLANE_CIDRS into the ovn_migration script
to allow the user to overwrite the extra-var used for
Openstack overcloud backup --setup-nfs command.
[1] e281ae7624/tripleo_ansible/roles/backup_and_restore/defaults/main.yml (L47)
[2] e281ae7624/tripleo_ansible/roles/backup_and_restore/tasks/setup_nfs.yml (L127)
Change-Id: I160dfc4e893b93ac7a40e19b3dd6b89750dac57d
Requests handled by the metadata-agents can now be rate-limited by
source-ip. This is done to protect the OpenStack control plane against
VMs querying the metadata endpoint in an overly enthusiastic way.
Co-authored-by: Miguel Lavalle <mlavalle@redhat.com>
Related-Bug: #1989199
Change-Id: I748ccfa8b50496dcbcbe41fd22f84249a4d46b11
With removal of the neutron client shell code this tool is
no longer usable. It had been marked for deprecation since
the Newton (9.0) cycle and unmaintained.
This code is also breaking the neutron gate pep8 job.
Change-Id: I3c0c93de0b860d9287019b7834cb8337d9668cc0
We had a number of code blocks that were being incorrectly rendered
inside block quotes, which messed with formatting somewhat. Correct
them. This was done using the following script:
    sphinx-build -W -b xml doc/source doc/build/xml
    files=$(find doc/build/xml -name '*.xml' -print)
    for file in $files; do
        if xmllint -xpath "//block_quote/literal_block" "$file" &>/dev/null; then
            echo "$file"
        fi
    done
Note that this also highlighted a file using DOS line endings. This is
corrected.
Change-Id: If63f31bf13c76a185e2c6eebc9b85f9a1f3bbde8
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Wrong links were introduced a long time ago; this is setting the good
links.
Change-Id: Ib3dbe570f3aecb9533fa4623726db5551fd87100
Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
A network's MTU is now only valid if it is the minimum value
allowed based on the IP version of the associated subnets,
68 for IPv4 and 1280 for IPv6.
This minimum is now enforced in the following ways:
1) When a subnet is associated with a network, validate
the MTU is large enough for the IP version. Not only
would the subnet be unusable if it was allowed, but the
Linux kernel can fail adding addresses and configuring
network settings like the MTU.
2) When a network MTU is changed, validate the MTU is large
enough for any currently associated subnets. Allowing a
smaller MTU would render any existing subnets unusable.
Closes-bug: #1988069
Change-Id: Ia4017a8737f9a7c63945df546c8a7243b2673ceb
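The two enforcement points from this commit message, as an added example (not Neutron's own code). The Network class, MtuError and demo() are hypothetical names; the only values taken from the message are the minimums 68 (IPv4) and 1280 (IPv6).

```python
# Minimum MTU per IP version, as stated in the commit message above.
MIN_MTU = {4: 68, 6: 1280}


class MtuError(ValueError):
    """Raised when an MTU is too small for a subnet's IP version."""


def required_mtu(ip_versions):
    """Smallest MTU that satisfies every IP version in use (0 if none)."""
    return max((MIN_MTU[v] for v in ip_versions), default=0)


class Network:
    """Hypothetical in-memory model; not Neutron's own classes."""

    def __init__(self, mtu):
        self.mtu = mtu
        self.subnet_versions = []

    def add_subnet(self, ip_version):
        # Enforcement point 1: associating a subnet with the network.
        if self.mtu < MIN_MTU[ip_version]:
            raise MtuError(f"MTU {self.mtu} too small for IPv{ip_version} "
                           f"(minimum {MIN_MTU[ip_version]})")
        self.subnet_versions.append(ip_version)

    def set_mtu(self, new_mtu):
        # Enforcement point 2: changing the MTU of a network with subnets.
        needed = required_mtu(self.subnet_versions)
        if new_mtu < needed:
            raise MtuError(f"MTU {new_mtu} is below {needed}, required by "
                           "the subnets already on this network")
        self.mtu = new_mtu


def demo():
    """Return the outcome of each step on a constructed dual-stack case."""
    results = []
    net = Network(mtu=1000)
    for step, arg in ((net.add_subnet, 4), (net.add_subnet, 6),
                      (net.set_mtu, 1500), (net.add_subnet, 6),
                      (net.set_mtu, 1279), (net.set_mtu, 1280)):
        try:
            step(arg)
            results.append("ok")
        except MtuError:
            results.append("rejected")
    return results
```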
This patch documents how to detect that the system has duplicated
"Chassis" and "Chassis_Private" registers or when a "Chassis_Private"
register is orphaned, and how to proceed to heal the OVN Southbound
database.
Closes-Bug: #2012104
Change-Id: I926e6b9fe5fbad2968fc92e65082b7bb0d8571a9
IPv4 DAD is non-existent in Linux or its failure is silent, so we
never needed to catch and ignore it. On the other hand IPv6 DAD
failure is explicit, hence comes this change.
This of course leaves the metadata service dead on hosts where
duplicate address detection failed. But if we catch the
DADFailed exception and delete the address, at least other
functions of the dhcp-agent should not be affected.
With this the IPv6 isolated metadata service is not redundant, which
is the best we can do without a redesign.
Also document the promised service level of isolated metadata.
Added additional tests for the metadata driver as well.
Change-Id: I6b544c5528cb22e5e8846fc47dfb8b05f70f975c
Partial-Bug: #1953165
The package name and url need to be updated.
- Update package from "python-neutron-ovn-migration-tool" and
"python-neutron" to "openstack-neutron-ovn-migration-tool" and
"openstack-neutron".
- Update url from "github" to "opendev"
Change-Id: I41ba7d6929b28317622dbf868f265eab4c6fd84e
The quota guide was using the old 'neutron quota-list' style
commands, update to use the 'openstack quota' ones. Removed
wording on adding L2/L3 ones as they are all in neutron.conf.
Trivialfix
Change-Id: I1cb19ff93e617d19338b0ddfd7eb496eb1ae3572
The current document states that O flag will be 1 when ipv6_ra_mode is
dhcpv6_stateful, but the actual implementations of both ml2/OVS and
ml2/OVN set O flag to 0 according to the following implementations:
ML2/OVS
f545c002dc/neutron/agent/linux/ra.py (L53-L55)
ML2/OVN
a5238e6234/controller/pinctrl.c (L3733-L3734)
a5238e6234/lib/actions.c (L3349-L3350)
This actual behavior looks correct because O flag can be either 1 or 0
when M flag is 1, according to the following statement of RFC 4861:
https://www.rfc-editor.org/rfc/rfc4861#section-4.2
If the M flag is set, the O flag is redundant and can be ignored
because DHCPv6 will return all available configuration information.
To make the document consistent with the actual behavior, this
commit changes the document to state that O flag can be either 1 or 0
when ipv6_ra_mode is dhcpv6_stateful.
Closes-Bug: #2011687
Change-Id: Id61031d7e707d0ba7b007bae0c9e0f59b8b40f8b
This patch is a partial revert of [1], reinstantiating the code merged
in [2]. This patch is the complementary to [1]: the traffic with
custom ethertypes is allowed in the ingress processing tables, same
as [1] is allowing all traffic from the virtual machine ports in this
host to leave the node. Both, this patch and [1], are bypassing the
OVS firewall just for the traffic with the configured allowed
ethertypes and just for/to the local ports and MAC addresses.
Any other traffic not coming from a local port or with destination
a local port, will be blocked as is now.
[1] https://review.opendev.org/c/openstack/neutron/+/678021
[2] https://review.opendev.org/c/openstack/neutron/+/668224/
Closes-Bug: #2009221
Related-Bug: #1832758
Change-Id: Ib8340d9430b946a446edf80886c49fbac729073c
Since Antelope is a code name, add the release name as
well, similar to qos-min-bw doc.
Trivialfix
Change-Id: I31b03178c888990002340b83083a17a5f1ccc94a
Now this job runs on 3 nodes:
* 1 main, controller and networker like, without nova-compute service on
it, this node has "dvr_snat" set as L3 agent's mode,
* 2 compute like nodes with nova compute and L3 agent in "dvr" mode
Even though there is only one "dvr_snat" node in the job, it keeps
"l3_ha" option set to "true" in Neutron's config. That way we are still
testing "ha" code path of the centralized part of the router but also
job is now closer to the real life, and supported deployments topology.
Additionally this patch adds nodeset for 3 nodes with Ubuntu Jammy and
controller node not running compute service as there is no such nodeset
defined globally.
Related-Bug: #1934666
Change-Id: Id6a91795ebc73be26bb34d9eaf8a53b2b6a1ba0c
The OVS firewall driver requires nf_conntrack module(s)
to be loaded to function properly. While they are typically
loaded automatically, add a note to the admin guide about
the requirement to make it explicit.
Closes-bug: #1834213
Change-Id: I55871eff1e37d4155b8d2b5ae8c182d160c4af9f
There was not an example of how to delete an auto
allocated topology (get me a network), so add one.
Only a partial fix as it seems the api-ref doc in
neutron-lib is incorrect as there is only create and
delete operations on this resource, not show.
Change-Id: Iaa797b7e0c1c9bac25ff00659a74286173297206
Partial-bug: #1617548