795 Commits

Author SHA1 Message Date
Rodolfo Alonso Hernandez
91f0864dc0 Add an active wait during the port provisioning event
In ML2/OVN, during a live-migration process, it could
happen that the port provisioning event is received before
the port binding has been updated. That means the port has
been created in the destination host and the event received
(this event will remove any pending provisioning block). But
the Nova port binding request has not arrived yet, updating
the port binding registers. Because the port is considered
"not bound" (yet), the port provisioning doesn't set the port
status to ACTIVE.

This patch creates an active wait during the port provisioning
event method. If the port binding is still "unbound", the method
retries the port retrieval several times, giving some time to the
port binding request from Nova to arrive.

Closes-Bug: #1988199
Change-Id: I50091c84e67c172c94ce9140f23235421599185c
2022-08-31 23:20:37 +02:00
Zuul
76b6388d4b Merge "Allow operator to disable usage of random-fully" 2022-08-26 08:42:03 +00:00
David Hill
bbefe5285e Allow operator to disable usage of random-fully
In some specific use case, the cloud operator expects the source port
of a packet to stay the same across all masquerading layers up to the
destination host. With the implementation of the random-fully code,
this behavior was changed as source_port is always rewritten no matter
which type of architecture / network CIDRs is being used in the backend.
This setting allows a user to fall back to the original behavior of the
masquerading process which is to keep the source_port consistent across
all layers. The initial random-fully fix prevents packet drops when
duplicate tuples are generated from two different namespaces when the
source_ip:source_port goes toward the same destination so enabling this
setting would allow this issue to show again. Perhaps a right approach
here would be to fix this "racey" situation in the kernel by perhaps
using the mac address as a seed to the tuple ...

Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5
Closes-bug: #1987396
2022-08-25 16:48:45 -04:00
Zuul
67aab582dc Merge "Script to remove duplicated port bindings" 2022-08-24 00:54:47 +00:00
Zuul
f1926c086a Merge "[OVN][QoS] Add minimum bandwidth rule support to ML2/OVN" 2022-08-22 10:04:30 +00:00
Rodolfo Alonso Hernandez
c5b76a8393 Script to remove duplicated port bindings
A new script to remove the duplicated port bindings was added. This
script will list all ``ml2_port_bindings`` records in the database,
finding those ones with the same port ID. Then the script removes
those ones with status=INACTIVE. This script is useful to remove
those leftovers that remain in the database after a failed live
migration.

"dry_run" mode is possible if selected in "[cli_script] dry_run"
boolean config option. The duplicated port bindings are printed in
the shell but not deleted.

Related-Bug: #1979072

Change-Id: I0de5fbb70eb852f82bd311616557985d1ce89bbf
2022-08-18 08:13:56 +00:00
Rodolfo Alonso Hernandez
846737dac4 [OVN][QoS] Add minimum bandwidth rule support to ML2/OVN
This patch adds support for QoS egress minimum bandwidth rules in
ML2/OVN. The enforcement is done in the network backend.

Since [1], in v22.06.0, OVN is capable of guaranteeing a minimal
bandwidth for a logical switch port. The enforcement of this rule
is done in the physical bridge interface.

[1]dbf12e5fe1

Closes-Bug: #1982951

Change-Id: Ia3831b18463c29f676c253edb64419667b5f2c0b
2022-08-12 00:58:17 +02:00
Lucas Alvares Gomes
982c22dd46 [OVN] Fix updating network segmentation ID
The ML2/OVN driver wasn't handling updates to the segmentation ID for a
given network. This patch fixes this problem.

This patch extends the _update_segmentation_id() method to check on
drivers which do not inherit from AgentMechanismDriverBase, which
is the case of OVN (which inherits from MechanismDriver). A new method
is now called for those drivers to get a list of supported VIF types,
called get_supported_vif_types().

Closes-Bug: #1944708
Change-Id: Ibe08bfbc2efc55b9d628cdd0605941b7486186b6
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
2022-08-10 09:44:55 +01:00
Zuul
3ffbf831cf Merge "Forbid create ndp proxy on same router with same ip address" 2022-07-20 22:47:19 +00:00
Rodolfo Alonso Hernandez
d4801bd529 Add release note for OVN "requested-chassis" feature
This patch adds the missing release note for [1].

[1]https://review.opendev.org/c/openstack/neutron/+/828455/6

Trivial-Fix

Change-Id: I544128e0e4813acd851b5e48b4c352c3fb62c869
2022-07-07 21:23:59 +00:00
Miguel Lavalle
7f0413c84c Implement experimental features framework
During the Zed PTG it was decided to handle unsupported features in
Neutron as experimental. See section titled "When we say something is
not supported?", day 2 in [1]. The agreement was:

"We keep existing jobs for linuxbridge driver for example, but when the
tests start to fail we skip them and finally we stop the job also.
To make it clear for operators we add warning logs highlighting that the
given feature/driver is experimental, and introduce cfg option to enable
such features explicitly."

This commit implements this agreement, initially with Linuxbridge

Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/845646

[1] https://lists.openstack.org/pipermail/openstack-discuss/2022-April/028164.html

Change-Id: Ib18efa3f472736b58c8967847b1061da0e3897d7
2022-06-30 17:59:49 -05:00
Zuul
7ebc8281e5 Merge "ovn: revert to stateful dnat_and_snat" 2022-06-30 16:38:00 +00:00
Zuul
088d115978 Merge "Add a release note for 834162" 2022-06-24 09:31:34 +00:00
Damian Dabrowski
2365abfd00 Add a release note for 834162
I forgot to write a release note when pushing change 834162 [1].
It may be an important change for operators so it's good to have a
release note about that.

[1] https://review.opendev.org/c/openstack/neutron/+/834162

Related-Bug: #1952907
Change-Id: Ie707f461af11357d6eaa004bc98c7eb09a62202f
2022-06-23 22:18:44 +02:00
OpenStack Proposal Bot
afd61b7b6a Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I831f86460bce279fa140d6171fb5679a4a4e2ece
2022-06-22 03:38:57 +00:00
Ihar Hrachyshka
ffd64df9d3 ovn: revert to stateful dnat_and_snat
This is an effective revert of:
I312a950131d62d93fb4bc121bc5e60febb8d35ee
"ovn: use stateless NAT rules for FIPs".

The performance benefits promised by the "reverted" patch never
materialized. On the contrary, the discussion in [1] revealed that the
switch to stateless=true made it impossible to fully hw offload nat
rules, while it's possible with stateless=false.  Specifically, see this
comment [2].

Since at this point it's unclear if keeping stateless=true as an option
is beneficial for any case, even when w/o hw offload, and to avoid
complexity of introducing a config option for unclear benefit, this
patch reverts the effects of the original patch, switching all
dnat_and_snat objects to implicit stateless=false state.

This patch cannot be a clean revert because of the need for db
migration.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2004995
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2004995#c18

Change-Id: I9e6e05b7a4f36383a44bd80f07d25052b17bdfa0
2022-06-08 18:12:28 +00:00
yangjianfeng
9dd06e9c44 Forbid create ndp proxy on same router with same ip address
Creating multiple ndp proxies with the same ip address within one router
is invalid. The related database constraint was missed in previous
patchsets. The patch adds some code to fix this error.

Additionally, fixed two typo errors.

Related-Bug: #1877301
Change-Id: Iab24ad78a3d4d9b0ee584cf0986328c9ae2bd16a
2022-06-04 10:27:13 +08:00
Zuul
75b95ad1c4 Merge "[OVN] Add baremetal support without Neutron DHCP agent for IPv4" 2022-06-02 13:55:11 +00:00
Zuul
7fc509aa9a Merge "[ovn]Refusing to bind port to dead agent" 2022-05-26 14:14:31 +00:00
Lucas Alvares Gomes
e73a85f3dd [OVN] Add baremetal support without Neutron DHCP agent for IPv4
This patch adds support for deploying baremetal nodes with OVN's
built-in DHCP server for IPv4.

Since Neutron's API for setting DHCP options is mostly a pass-thru,
Ironic uses a dnsmasq syntax for setting the baremetal options [0].
Since this syntax is unlikely to change and it's only a tiny subset of
what dnsmasq can offer this patch does translate that syntax used by
Ironic and convert it to OVN's equivalent options. In this way we do not
need to re-design Neutron's DHCP options API nor change Ironic to use it
with ML2/OVN.

This option also adds a new configuration option called
"disable_ovn_dhcp_for_baremetal_ports". PXE booting nodes can be very
sensitive and operators may prefer to use a fully-fledged DHCP server to
do it (even Ironic makes DHCP pluggable). So if operators wish to
disable OVN's built-in DHCP server for baremetal provisioning they can
do so by setting this new option to True. It defaults to False.

This change has been tested with real hardware and it does work. That
said, we found a problem in core OVN itself [1] while testing it that
can affect PXE from reaching the TFTP server, we already communicated
this with the core OVN folks and we hope it can be fixed soon. The
change in core OVN should not affect the Neutron change tho.

Note that the "server-ip-address" DHCP Option now points to the
"next_server" option in OVN instead of the "tftp_server_address". The
previous behavior was wrong, the "server-ip-address" should set the
"siaddr" in the DHCP header and this has been introduced in OVN [2] as
an option called "next_server".

[0]
49113385e8/ironic/common/pxe_utils.py (L523-L538)
[1]
https://mail.openvswitch.org/pipermail/ovs-discuss/2022-May/051821.html
[2]
https://patchwork.ozlabs.org/project/ovn/patch/20220511142757.168196-1-lmartins@redhat.com/

Partial-Bug: #1971431
Change-Id: Ia041f640293ba26abf9f70af915817e9861e8ffc
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
2022-05-25 10:14:46 +01:00
Ghanshyam Mann
02e1658f8a Update python testing as per zed cycle testing runtime
In Zed cycle, we have dropped the python 3.6/3.7[1] testing
and its support. Add release notes and update the python
classifier for the same.

[1] https://governance.openstack.org/tc/reference/runtimes/zed.html

Change-Id: I8a10b462868f8c015fec3bee5622c41833b06e08
2022-05-11 22:23:24 -05:00
Zuul
dc854e8e1e Merge "Allow to process FW OF rules belonging to a port in a single operation" 2022-05-10 16:48:47 +00:00
Zuul
dbe68a7454 Merge "[OVN] Implement GW IP network QoS inheritance" 2022-05-09 23:47:31 +00:00
Rodolfo Alonso Hernandez
ab84b7fb2b Allow to process FW OF rules belonging to a port in a single operation
This patch adds a new configuration variable to control the OVS
OpenFlow rule processing operations:

* ``openflow_processed_per_port``: by default "False". If enabled,
  all OpenFlow rules associated to a port will be processed at once,
  in one single transaction. If disabled, the flows will be processed
  in batches of "AGENT_RES_PROCESSING_STEP=100" number of OpenFlow
  rules.

With ``openflow_processed_per_port`` enabled, all Firewall
OpenFlow rules related to a port are processed in one transaction
(executed in one single command). That ensures the rules are written
atomically and apply all of them at the same time.

That means all needed rules to handle the ingress and egress traffic
of a port using the Open vSwitch Firewall, are committed in the OVS
DB at the same time. That will prevent partially applied OpenFlow
sets in the Firewall and inconsistencies when applying new SG rules or
during the OVS agent restart.

That will override, if needed, the hard limit of
"AGENT_RES_PROCESSING_STEP=100" OpenFlow rules that could be
processed in OVS at once.

If the default configuration values are not modified, the behaviour of
the OVS library does not change.

Closes-Bug: #1934917

Change-Id: If4984dece266a789d607725f8497f1aac3d73d23
2022-05-09 16:49:29 +00:00
zhouhenglc
8a55f09192 [ovn]Refusing to bind port to dead agent
Closes-bug: #1958501

Change-Id: Ia84410675d28002afc74368349c9b54f048f4f4d
2022-05-07 11:05:24 +08:00
Rodolfo Alonso Hernandez
9025f8a571 Remove "live_migration_events" configuration option
This option was introduced in [1]. This option depended on [2],
the Nova code enabling this feature, that filters the
"vif-plugged-event" to be sent to Nova.

Now the default behaviour is "True".

Related-Bug: #1901707

[1]https://review.opendev.org/c/openstack/neutron/+/766277
[2]https://review.opendev.org/c/openstack/nova/+/767368

Change-Id: I05f7e6a7d91f6a4a1fe6d4765589f30257243628
2022-04-24 00:45:26 +00:00
OpenStack Proposal Bot
c4677e1b3c Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I6bdf4798864bf82a93cf8e21b153a03210dae256
2022-04-30 03:45:16 +00:00
Zuul
720a1c3de9 Merge "ovn migration: Turn validations off by default" 2022-04-25 12:54:39 +00:00
Zuul
cab15b15e2 Merge "Update port MAC from binding profile for PFs" 2022-04-25 12:54:29 +00:00
Zuul
789aa71220 Merge "[ovn]Set NB/SB "connection" inactivity probe support multi addresses" 2022-04-25 11:47:47 +00:00
Balazs Gibizer
4e78aaa694 Update port MAC from binding profile for PFs
Today Nova updates the mac_address of a direct-physical port to reflect
the MAC address of the physical device the port is bound to. But this
can only be done before the port is bound. However during migration Nova
is not able to update the MAC when the port is bound to a different
physical device on the destination host.

This patch extends port binding logic for direct-physical ports to allow
providing the MAC address of the physical device via the binding profile.
If it is provided then Neutron overwrites the value of the mac_address
field of the port with the value from the active binding profile.

Also when the port is being unbound or the MAC address is removed from
the active binding profile then neutron resets the mac_address field of
port to a generated MAC to avoid duplicated MAC issues when another port
is being bound to the same physical device.

The shim API extension for this change is being proposed in
I54b4c85ffc4856fba7ad5e9e29f77f74815e1275 in neutron-lib.

Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/831935

Closes-Bug: #1942329

Change-Id: Ib0638f5db69cb92daf6932890cb89e83cf84f295
2022-04-21 11:31:05 +02:00
Zuul
1a111b5e04 Merge "Remove "allow_overlapping_ips" config option" 2022-04-19 11:54:07 +00:00
Rodolfo Alonso Hernandez
15b826a05f [OVN] Implement GW IP network QoS inheritance
This patch enables the gateway IP network QoS inheritance in
the OVN backend driver. The OVN QoS extension will use the
router external network (GW network) QoS policy if the gateway
IP port has no QoS policy assigned.

Partial-Bug: #1950454

Change-Id: I5ee51dc124ae464b9e9fd366cf7bf85176376c25
2022-04-15 01:10:31 +00:00
Zuul
a5bcc34bf4 Merge "[quota] Enable `DbQuotaDriverNull` as a production driver" 2022-04-12 14:55:22 +00:00
Slawek Kaplonski
fde91e8059 Remove "allow_overlapping_ips" config option
It was deprecated in Yoga by patch [1]. Now it's time to remove it.

[1] https://review.opendev.org/c/openstack/neutron/+/807848

Closes-Bug: #1942294
Change-Id: I95555395c8adcec70459d5f438e1080da358c4d4
2022-04-12 16:29:21 +02:00
zhouhenglc
0124dab423 [ovn]Set NB/SB "connection" inactivity probe support multi addresses
When OVN is clustered, the connection can be set to multiple addresses, and
the inactivity probe cannot currently be set correctly. This patch fixes it.

Closes-bug: #1958364

Change-Id: I5f83d6f47dc60b849cca5830ec3f77c15a446530
2022-04-12 09:32:47 +08:00
yangjianfeng
ad3171c538 [docs] L3 router support ndp proxy
Change-Id: I2b8642b6830d3e1e1ef86c779c55e9ac1d0f7568
Partial-Bug: #1877301
2022-04-09 10:26:30 +08:00
Jakub Libosvar
8ccbbb2292 [quota] Enable `DbQuotaDriverNull` as a production driver
Enabled ``DbQuotaDriverNull`` as a production quota database
quota driver. This driver does not enforce any quota nor have access
to the database. When using this quota driver, the API will return
the default empty values expected from the ``QuotaDriverAPI`` class.

Closes-bug: #1960032

Change-Id: Iafa24753e657746a8b8165b5a63c17de9a9ba791
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
Co-Authored-By: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
2022-04-05 10:10:46 +00:00
Jakub Libosvar
0baf8841ee ovn migration: Turn validations off by default
The validation is intended mostly for tests and doesn't make much sense
when running the migration in production because likely there are
already running workloads. This patch changes the default to False so
migration validation must be explicitly asked for.

Change-Id: I5470f61a5e0b55bf682526208c3f57dc0ca6ffd5
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
2022-03-23 13:35:21 -04:00
Rodolfo Alonso Hernandez
3a81b051d4 [SR-IOV] Default "propagate_uplink_status" flag to True
Extension "uplink-status-propagation" does not allow to modify existing
ports. This extension only enables the creation of new ports with
this new flag.

Similar to [1], this patch changes the default behaviour of the
existing ports: if no "propagate_uplink_status" flag is present, "True"
is returned now. The aim of this change is to enable this feature for
all existing ports, which is usually the aim of an administrator when
enabling this extension.

[1]https://bugs.launchpad.net/neutron/+bug/1888487

Closes-Bug: #1967881
Related-Bug: #1888487

Change-Id: Ica5b76e0a9a5ae12f764c66be259d7f3cd5b248b
2022-03-21 11:43:08 +00:00
Rodolfo Alonso Hernandez
2d1b4fd80f [OVN] Implement router gateway IP QoS
This patch implements router gateway IP QoS based on meter,
using the existing plugin and extension, only the driver side
is different.

Closes-Bug: #1893625

Co-Authored-By: zhanghao <hao.zhang.am.i@gmail.com>
Co-Authored-By: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>

Change-Id: I46864b9234af64f190f6b6daebfd94d2e3bd0c17
2022-03-17 12:37:13 +00:00
Zuul
2f4661c876 Merge "Extend database to support portforwardings with port range" 2022-03-16 17:34:14 +00:00
Zuul
fd4db01242 Merge "Support filtering for QoS rule type list" 2022-03-15 15:42:10 +00:00
Pedro Martins
b271c82d10 Extend database to support portforwardings with port range
This patch is the second of a series of patches
to implement floating ip port forwarding with
port ranges.

The specification is defined in:
https://github.com/openstack/neutron-specs/blob/master/specs/wallaby/port-forwarding-port-ranges.rst

Implements: blueprint floatingips-portforwarding-ranges
Related-Bug: #1885921
Change-Id: I43e0b669096df865f37c74ddbd050b3b177fd5e5
2022-03-15 09:10:23 -03:00
2f475330ea Update master for stable/yoga
Add file to the reno documentation build to show release notes for
stable/yoga.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/yoga.

Sem-Ver: feature
Change-Id: I83a7081a2aaaa0cc4812ba823a9a91f48149556c
2022-03-10 12:18:38 +00:00
Rodolfo Alonso Hernandez
2f944d3105 Support filtering for QoS rule type list
Added support for filtering the QoS rule type list command.
Two new filter flags are added:
- all_supported: if True, the listing call will print all QoS rule
  types supported by at least one loaded mechanism driver.
- all_rules: if True, the listing call will print all QoS rule types
  supported by the Neutron server.

Both filter flags are exclusive and not required.

Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/827533

Closes-Bug: #1959749
Change-Id: I41eaab177e121316c3daec34b309c266e2f81979
2022-02-24 08:28:53 +00:00
Frode Nordahl
7d64d0c116 [OVN] Off-path SmartNIC DPU Port Binding with OVN
Traditionally it has been the CMSs, in OpenStack's case Nova's,
responsibility to create Virtual Interfaces (VIFs) as part of
instance life cycle, and subsequently manage plug/unplug operations
on the Open vSwitch integration bridge.

With the advent of SmartNIC DPUs which are connected to multiple
distinct CPUs we can have a topology where the instance runs on one
host and Open vSwitch and OVN runs on a different host, the
SmartNIC DPU control plane CPU.

One of the main use cases for having this topology is security
where we treat the hypervisor host as untrusted and prohibit
direct communication between the hypervisor host and the SmartNIC
DPU control plane host.  In addition to that control facilities
such as switchdev devices are only visible from the SmartNIC DPU
control plane CPUs.

Adds support for binding ports of type VNIC_REMOTE_MANAGED by
looking up chassis based on serial number that Nova provides in
the binding_profile.

Information required by the OVN controller to successfully look up
and plug representor port is provided as options on the LSP as
defined by the representor plug provider documentation [0][1].

0: https://docs.ovn.org/en/stable/topics/vif-plug-providers/vif-plug-providers.html
1: https://github.com/ovn-org/ovn-vif/blob/main/Documentation/topics/vif-plug-providers/vif-plug-representor.rst
Partial-Bug: #1932154
Depends-On: I496db96ea40da3bee5b81bcee1edc79e1f46b541
Depends-On: I83a128a260acdd8bf78fede566af6881b8b82a9c
Change-Id: Icc6c2d0f7f8f5cc94997db6244175a8e8884789f
2022-02-18 07:17:36 +01:00
Przemyslaw Szczerbik
084bb163f2 Add qos-pps-minimum-rule-alias API extension
Introduce a new API extension to enable GET, PUT and DELETE
operations on QoS minimum packet rate rule without specifying
policy ID.

Partial-Bug: #1922237
See-Also: https://review.opendev.org/785236
Change-Id: Ia083b5ac98c9e18ddbcdd2e0fc46f2f8432a628c
2022-02-07 11:52:46 +01:00
Rodolfo Alonso Hernandez
ebca47365c "L3AgentExtensionsManager" check loaded extensions
Now "L3AgentExtensionsManager" lists loaded extensions, checking if
they inherit from "neutron_lib.agent.l3_extension.L3AgentExtension".
If any extension does not, the L3 agent raises an exception and exits.

Closes-Bug: #1951569
Change-Id: I3ce4858cef9b3a3d7eab005dd1ad2bb3b5ef6ef3
2022-02-02 20:51:40 +00:00
Zuul
f94226c514 Merge "[OVN] Implement floating IP network QoS inheritance" 2022-02-02 20:38:26 +00:00