Make the same status information available to notification consumers
(resource==agent, event==after_create/after_update) as it was already
available where the notification is sent in class AgentDbMixin.
Change-Id: Ie74091da934c7e49fd29ae4c6f930a7eb47e14b2
Partial-Bug: #1578989
See-Also: https://review.openstack.org/502306 (nova spec)
See-Also: https://review.openstack.org/508149 (neutron spec)
Now supported_vnic_types is hardcoded to the mechanism drivers, but that
can depend on several factors, like type of the NIC, admin decision,
etc.
With this patch we put the right to decide which vnic types are
supported for ovs agent into the hands of the admin, by allowing
blacklisting items from the mechanism driver specific list.
Background: http://eavesdrop.openstack.org/meetings/neutron_qos/2018/neutron_qos.2018-07-31-15.00.log.html#l-58
Change-Id: I63e562e2eccc5b02c1c767d6a2c28cb803131e99
Partial-Bug: #1578989
See-Also: https://review.openstack.org/502306 (nova spec)
See-Also: https://review.openstack.org/508149 (neutron spec)
This patch integrates Port Binding Level OVO in /plugin/ml2/db.py
and introduces context instead of session for usage in object
operations.
Change-Id: Ifa779f5f70a7502bd96b34d64a84d272af2a6886
Partially-Implements: blueprint adopt-oslo-versioned-objects-for-db
Co-Authored-By: Anindita Das <anindita.das@intel.com>
Co-Authored-By: Slawek Kaplonski <slawek@kaplonski.pl>
This patch aims to fix a co-existence problem between security_group
and firewall_group log resources due to incorrect log querying from
database.
Change-Id: Ic60ad436e0fbb23cdae0e63eaeb73130ebf02089
Closes-Bug: #1787119
Currently the metering iptables driver is using the old method
to load the interface driver. This patch allows it to load
interface driver via stevedore aliases.
Change-Id: I9e3027c1ec695ec3a09db0c53a0388e406e4ced6
Related-Bug: #1504536
This patch adds a release note for the floating IPs port forwarding
functionality.
Change-Id: I2e0069148cd2551d4534d8a2fd8799f432ffb5e3
Partially-Implements: blueprint port-forwarding
Partial-Bug: #1491317
Add common parent owner check for the resources which are introduced by
service plugin.
Then port forwarding resource will share the same tenant_id with
floatingip. That means only the fip owner can create/update/get/delete
the associated port forwarding resource.
Partially-Implements: blueprint port-forwarding
Partial-Bug: #1491317
Change-Id: I450c674e55ca15e1d9a6a6224138f3305427da68
As part of the implementation of multiple port bindings [1], add binding
activation support to the linux bridge agent. This will enable the
execution with linux bridge agents of the complete sequence of steps
outlined in [1] during an instance migration:
1) Create inactive port bindings for destination host
2) Migrate the instance to the destination host and plug its VIFs
3) Activate the port bindings in the destination host
4) Delete the port bindings for the source host
[1] https://review.openstack.org/#/c/309416/
Change-Id: I2c937cc0a551e5ce0e8534c4dd4384ec2ca92da1
Partial-Bug: #1580880
Enforce validation on filter parameters on list requests.
If an API request contains an unknown or unsupported parameter,
the server will return a 400 response instead of silently ignoring
the invalid input.
In resource attributes map, all filter parameters are annotated by
the ``is_filter`` keyword. Attributes with is_filter set to True
are candidates for validation.
Enabling filter validation requires support from core plugin and
all service plugins so each plugin needs to indicate if it supports
the validation by setting ``__filter_validation_support`` to True.
If this field is not set, the default is False and validation is
turned off. Right now, the ML2 plugin and all the in-tree service
plugins support filter validation. Out-of-tree plugins will have
filter validation disabled by default.
An API extension is introduced to allow API users to discover this
new API behavior. This feature can be disabled by cloud operators
if they choose to do that. If it is disabled, the extension won't
be presented.
Depends-On: Ic3ab5b3ffdc378d570678b9c967cb42b0c7a8a9b
Depends-On: I4397df1c35463a8b532afdc9c5d28b37224a37b4
Depends-On: I3f2e6e861adaeef81a1a5819a57b28f5c6281d80
Depends-On: I1189bc9a50308df5c7e18c329f3a1262c90b9e12
Depends-On: I057cd917628c77dd20c0ff7747936c3fec7b4844
Depends-On: I0b24a304cc3466a2c05426cdbb6f9d99f1797edd
Change-Id: I21bf8a752813802822fd9966dda6ab3b6c4abfdc
Partial-Bug: #1749820
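
The validation rule this commit message describes, as an added Python sketch (not Neutron's code): the attribute map, the two plugin classes, the set of non-filter parameters and both function names are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Constructed attribute map: only is_filter=True attributes may be list filters.
PORT_ATTRIBUTES = {
    "id": {"is_filter": True},
    "device_id": {"is_filter": True},
    "status": {"is_filter": True},
    "binding:profile": {"is_filter": False},
}
# Assumption: paging, sorting and field-selection parameters are not filters.
NON_FILTER_PARAMS = {"fields", "limit", "marker", "sort_key", "sort_dir", "page_reverse"}


class Ml2Like:
    """Hypothetical plugin that opts in to filter validation."""
    __filter_validation_support = True  # stored as _Ml2Like__filter_validation_support


class OutOfTreePlugin:
    """Hypothetical plugin that never set the flag, so it counts as False."""


def supports_filter_validation(plugin):
    # Python name-mangles double-underscore class attributes, so match by suffix.
    return any(name.endswith("__filter_validation_support") and getattr(plugin, name) is True
               for name in dir(plugin))


def validate_filters(query_string, attr_map, plugins, enabled=True):
    """Return (http_status, filters dict or error message) for a list request."""
    params = parse_qsl(query_string, keep_blank_values=True)  # keeps "device_id="
    allowed = {name for name, spec in attr_map.items() if spec.get("is_filter")}
    # Strict mode needs the operator switch on and every loaded plugin opted in.
    strict = enabled and all(supports_filter_validation(p) for p in plugins)
    if strict:
        unknown = sorted({k for k, _ in params} - allowed - NON_FILTER_PARAMS)
        if unknown:
            return 400, "unsupported filter(s): " + ", ".join(unknown)
    filters = {}
    for key, value in params:
        if key in allowed:  # non-strict mode silently drops everything else
            filters.setdefault(key, []).append(value)
    return 200, filters


if __name__ == "__main__":
    for plugins in ([Ml2Like()], [Ml2Like(), OutOfTreePlugin()]):
        for qs in ("device_id=&status=ACTIVE", "statuz=ACTIVE&limit=10"):
            print(len(plugins), qs, validate_filters(qs, PORT_ATTRIBUTES, plugins))
```

With one plugin that has not opted in, the misspelled `statuz` filter is dropped and the request returns the unfiltered list, which is the silent failure the 400 response is meant to surface.
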
Ensure that host routes are maintained for each subnet within
a network. Subnets associated with different segments on the
same network get host_routes entries added/removed as subnets
are created, deleted or updated.
This change handles the host_routes for the peer subnets on the
same network when a subnet is created or deleted.
Also adds a shim api extension.
APIImpact: Host routes are now calculated for routed networks.
Closes-Bug: #1766380
Change-Id: Iafbabe6352283e7f1a535a7b147bd81fb32f0ed1
Passing 'null' (None) as the mac address in a port update
request causes the port's mac address to be re-generated
using the base MAC address Neutron uses for VIFs.
This change implements a temporary lib api definition
with a new converter that will generate valid mac if the
data provided is None.
APIImpact: Port mac_addr regenerated if None passed on update.
Closes-Bug: #1768690
Change-Id: I7d04beea4810718c3b745de8ea97897b1323267e
The Neutron API exposes the 'dns_domain' attribute on the
Network model. Presently, deployments using the DHCP
agent ignore this attribute when resolving DNS queries
between instances. This patch changes that so that
the DHCP agent will pass on the dns_domain to the
network's dnsmasq process, in turn passing it to
instances.
UpgradeImpact
Closes-Bug: 1774710
Change-Id: I6120d504959631f084d63458f6e9dada0dc5cbdf
By default the number of MAC addresses which ovs stores in memory
is quite low - 2048.
Any eviction of a MAC learning table entry triggers revalidation.
Such revalidation is very costly so it causes high CPU usage by
the ovs-vswitchd process.
To work around this problem, a higher value of the mac-table-size
option can be set for the bridge. Then this revalidation will happen
less often and CPU usage will be lower.
This patch adds a config option for neutron-openvswitch-agent to allow
users to tune this setting in bridges managed by the agent.
By default this value is set to 50000 which should be enough for most
systems.
Change-Id: If628f52d75c2b5fec87ad61e0219b3286423468c
Closes-Bug: #1775797
To enable the possibility to migrate a non-routed network to a
routed network allow updating the segment_id of a subnet.
Only allow the operation if:
- The network only has one segment
- The network only has one subnet
- The current segment_id == None
APIImpact: The segment_id attribute of subnets now allows put operation.
Closes-Bug: #1692490
Depends-On: Iffda823a149a1143f46ee9a05e9640b34bf42c51
Change-Id: I1aee29dfb59e9769ec0f1cb1f5d2933bc5dc0dc5
Ironic is sending 'client-id' as a number (61) to meet rfc4776 [1],
due to this change Neutron DHCP should support this option as well.
[1] 228a2a7885
Closes-Bug: #1770932
Change-Id: I9728354d5f9e08a0dc23900b2bc22b4a0aedb737
This will enable users to filter list of results with attributes
with empty value. For example, the request below will list
all unbound ports (unbound ports have blank device_id).
GET "/ports?device_id="
APIImpact
Change-Id: I9001214de126eb888c2425b6a6275f59ec8478e7
Closes-Bug: #1749304
When there are a lot of ports to clean in a bridge, the default
ovsdb_timeout, which is set to 10 seconds, is not enough.
This patch overrides the default 10 seconds timeout in the neutron-ovs-cleanup
tool to 600 seconds.
The 600 seconds value was tested experimentally on my dev environment for
at least 10000 ports in a bridge.
If a user has more ports to delete with this script,
it will be required to increase this ovsdb_timeout value in
configuration.
Change-Id: I79a554acdb1d6d61903be0c42d0215d302884e93
Closes-Bug: #1763604
Standard attributes (i.e. revision_number, created_at, updated_at)
are missing in the segment resource. This is because the controller
doesn't process extensions on rendering the response. This patch
fixes it. In particular, this patch does the following:
* Process extensions when making the segment dict. This allows
other extensions to add attributes to segment response.
* Make segment extension implement update_attributes_map.
Tempest test: https://review.openstack.org/#/c/558609/
APIImpact update api reference of segments
Closes-Bug: #1760902
Change-Id: I3c93818002c2d7753454547231ba08544b6fa1c0
A HA router should always be active unless all of the agents hosting
that router go down. In that event, the router should switch to
standby. This behavior changed with review:
https://review.openstack.org/#/c/411784
That review seemed to be accounting for a flakey message bus. This
change should account for that, but also revert to the original behavior
of the router state only changing when its backing agent hosts are down.
Change-Id: I89c3b2546382624f175f8de4de621c3e53adf527
Closes-Bug: 1682145
When creating SSL OVSDB connection it is required to set the private
key, certificate, and the CA certificate in order to communicate with
OVSDB. This patch configures these when an SSL connection URI is used.
The settings must be provided as part of neutron.conf under [ovs]
section.
Closes-Bug: 1745038
Change-Id: I19fd9dd0c72260835eb91e557a6029ec9d652179
Signed-off-by: Tim Rozet <trozet@redhat.com>
With a large number of instances and/or security group rules,
conntrack updates when ports are removed or rules are changed
can take a long time to process. By enqueuing these to a set
of worker threads, the agent can continue with other work while
they are processed in the background.
This is a change in behavior in the agent since it could
program a new set of security group rules before all existing
conntrack entries are deleted, but since the iptables or OVSfw
NAT rules will have been removed, it should not pose a
security issue.
Change-Id: Ibf858c7fdf7a822a30e4a0c4722d70fd272741b6
Closes-bug: #1745468
This patch allows users to filter ports depending on security groups.
In addition to that I added a unit test to verify this change.
TODO: move security_groups_port_filtering_lib.py into neutron-lib.
Closes-Bug: 1405057
Change-Id: I528719d895fc1d89f74e2ee85b9ddc470323c601
Adding ability to set DSCP field in OVS tunnels outer header, or
inherit it from the inner header's DSCP value for OVS and linuxbridge.
Change-Id: Ia59753ded73cd23019605668e60cfbc8841e803d
Closes-Bug: #1692951
Neutron currently supports filtering ports by matching the exact
IP address. This patch adds support for substring matching using
"LIKE" SQL operator.
This patch also added a new API extension to show whether or not
the substring matching capability is available.
APIImpact add IP address substring filtering on listing ports
API-ref: I97259b85a2dce5a54bb6ea2cb9d9779ec0a25504
Co-Authored-By: Zhenyu Zheng <zhengzhenyu@huawei.com>
Change-Id: I9549b2ba676e1bad0812682c3f3f3c97de15f5f6
Closes-Bug: #1718605
This commit adds common_agent_extension class which is agent API
for L2 extension drivers used e.g. by Linuxbridge agent.
This is necessary to be able to use instance of iptables_manager
used in firewall driver also in L2 extension drivers (like qos).
This patch refactors the iptables_manager code a little bit to make it
possible to initialize e.g. mangle or nat table on demand, even if iptables
is created as "state_less".
Change-Id: I3b66e49b7f176124e8aea3eb96d0d465f1ab1ea0
Closes-Bug: #1736674