Drops unit tests related to fwaas policies.
Tests related to get_firewall_policy/rule are also unnecessary.
They have been migrated to neutron-fwaas already.
Closes-Bug: #1703347
Depends-On: I6dc6b2295a605444c918e44949f4b1485177e82e
Change-Id: Ie866f140fd4e5537ff0d757304ab5279f0cf0a79
This patch introduces the logging api definition and initial
implementation of LoggingApiPlugin. The api definition code will
be removed after [1] has been merged on neutron lib.
[1] https://review.openstack.org/#/c/415817/
Co-Authored-By: Yushiro FURUKAWA <y.furukawa_2@jp.fujitsu.com>
Partially-implements: blueprint security-group-logging
Related-Bug: #1468366
Change-Id: Iace31506502de25da9dce5fcfdbfe2c726bea27f
In Ocata, notification_drivers were deprecated in favor of
the new QoSDriver architecture.
This patch removes backwards compatible support for notification
drivers along with its testing.
Change-Id: I5f747635be3fd66b70326d9f94c85a6736286bd2
Currently, Neutron's policy.json does not exhaustively
list all the policy actions within Neutron.
This has some downsides:
1) It makes it harder to override these policy actions
2) It is inconsistent
3) The policy.json should be a "golden copy" of all the
policy actions enforced by the system.
4) It makes it harder to RBAC test Neutron
(because it is very difficult to determine which
policy actions are valid and which are not).
The current policy actions that are enforced by the system
but not contained in the policy.json are as follows:
- create_security_group
- delete_security_group
- delete_security_group_rule
- get_security_group_rules
- get_security_groups
- get_security_group_rule
- get_security_group
- update_security_group
- update_router
- update_router:external_gateway_info
- update_router:external_gateway_info:network_id
Closes-Bug: #1676674
Change-Id: I4625c8f55bfa46b1a2209642e425677a47455219
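As an added example (not Neutron's own code), a check that reports which enforced policy actions are absent from a policy.json file, the situation the message above describes; the policy fragment and the set of enforced actions are constructed here, with the absent entries taken from the list above.

```python
"""Constructed example: compare the policy actions a service enforces
against the keys present in its policy.json. Not Neutron's own code."""
import json

# Constructed policy.json fragment. A "golden copy" should list every
# action the code enforces; the security group and router entries are
# deliberately absent here to reproduce the gap described above.
SAMPLE_POLICY_JSON = """{
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "create_network": "",
    "get_network": "rule:admin_or_owner",
    "update_network": "rule:admin_or_owner",
    "delete_network": "rule:admin_or_owner",
    "create_security_group_rule": "rule:admin_or_owner",
    "delete_firewall_policy": "rule:admin_or_owner"
}"""

# Actions the code enforces: the ones listed above plus a few that the
# constructed file does cover.
ENFORCED_ACTIONS = {
    "create_network", "get_network", "update_network", "delete_network",
    "create_security_group_rule",
    "create_security_group", "delete_security_group",
    "delete_security_group_rule", "get_security_group_rules",
    "get_security_groups", "get_security_group_rule", "get_security_group",
    "update_security_group", "update_router",
    "update_router:external_gateway_info",
    "update_router:external_gateway_info:network_id",
}


def is_action(key):
    """Rule aliases (context_is_admin, admin_or_owner, ...) are referenced
    by other rules and are not API actions; actions start with a verb."""
    verb = key.split(":")[0].split("_", 1)[0]
    return verb in ("create", "get", "update", "delete")


def policy_coverage(policy_text, enforced):
    """Return (missing, stale): actions enforced by the code but absent
    from the file (cannot be overridden, hard to RBAC-test), and actions
    listed in the file that nothing enforces any more."""
    policy = json.loads(policy_text)
    listed = {key for key in policy if is_action(key)}
    missing = sorted(enforced - listed)
    stale = sorted(listed - enforced)
    return missing, stale


if __name__ == "__main__":
    missing, stale = policy_coverage(SAMPLE_POLICY_JSON, ENFORCED_ACTIONS)
    print("enforced but not in policy.json:", *missing, sep="\n  ")
    print("in policy.json but not enforced:", *stale, sep="\n  ")
```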
Implements the port data plane status extension. Third parties
can report via Neutron API issues in the underlying data plane
affecting connectivity from/to Neutron ports.
Supported statuses:
- None: no status being reported; default value
- ACTIVE: all is up and running
- DOWN: no traffic can flow from/to the Neutron port
Setting the attribute is available to admin or any user with a specific role
(default role: data_plane_integrator).
ML2 extension driver loaded on request via configuration:
[ml2]
extension_drivers = data_plane_status
Related-Bug: #1598081
Related-Bug: #1575146
DocImpact: users can get status of the underlying port data plane;
attribute writable by admin users and users granted the
'data-plane-integrator' role.
APIImpact: port now has data_plane_status attr, set on port update
Implements: blueprint port-data-plane-status
Depends-On: I04eef902b3310f799b1ce7ea44ed7cf77c74da04
Change-Id: Ic9e1e3ed9e3d4b88a4292114f4cb4192ac4b3502
When neutron is deployed with XenServer as the hypervisor, the current
implementation grabs the port's iface-id via xapi, but this isn't
the proper way:
The port's iface-id is already set when creating a VM or hot plugging
VIFs in the nova project, so there is no need to grab it via xapi.
Change-Id: Ie07527cc89ac81ff1e3519db66925cee482f77a4
Closes-Bug: #1649747
The following enhancements are added:
-- PD keeps track of the status of neutron routers: active or
standalone (master), or standby (not master),
-- PD DHCP clients are only spawned in the active router. In the
standby router, PD keeps track of the assigned prefixes, but
doesn't spawn DHCP clients.
-- When switchover occurs, on the router becoming standby, PD
clients are "killed" so that they don't send prefix withdrawals
to the DHCP server. On the router becoming active, PD spawns DHCP
clients with the assigned prefixes configured as hints in the
DHCP client's configuration.
Closes-Bug: #1651465
Change-Id: I17df98128c7a88e72e31251687f30f569df6b860
Due to the high memory footprint of current Python ns-metadata-proxy,
it has to be replaced with a lighter process to avoid OOM conditions in
large environments.
This patch spawns haproxy through a process monitor using a pidfile.
This allows tracking the process and respawning it if necessary, as was
done before. Also, it implements an upgrade path which consists of
detecting any running Python instance of ns-metadata-proxy and
replacing them with haproxy. Therefore, upgrades will take place by
simply restarting neutron-l3-agent and neutron-dhcp-agent.
According to /proc/<pid>/smaps, memory footprint goes down from ~50MB
to ~1.5MB.
Also, haproxy is added to bindep in order to ensure that it's installed.
UpgradeImpact
Depends-On: I36a5531cacc21c0d4bb7f20d4bec6da65d04c262
Depends-On: Ia37368a7ff38ea48c683a7bad76f87697e194b04
Closes-Bug: #1524916
Change-Id: I5a75cc582dca48defafb440207d10e2f7b4f218b
Those are different on different kernel versions, and have reasonable
default values on all newer kernel versions, including RHEL. We
nevertheless made devstack set those in the past; now I propose to
clean the code from the neutron tree and leave it up to deployment tools to
fix in the unlikely case the system has broken default values.
Now that iptables firewall code does not trigger sysctl, we can also
remove this filter from the corresponding rootwrap .filters file.
DocImpact make sure deployment docs mention the expected sysctl knob
values.
Change-Id: Iabf61021c90b0536be274463d48fb5a572ecc023
Related-Bug: #1622914
This reverts commit 84b3ae3ae9111e241352bdccad238c9fd37b83df.
The logic was incorrect[1]. We cannot achieve QoS egress minimum bandwidth of Linuxbridge with the patch. I also think that the issue is not solved by a small patch and we must consider it deeply.
[1]: https://bugs.launchpad.net/neutron/+bug/1662582
Change-Id: Id4703b5c63876f16e31b6805cd147b5840a4a591
When we run devstack with USE_PYTHON3, the existing KillFilter
definitions are not enough. Let's add one specific to python 3.5
as well.
Change-Id: I2472e4e39315225d6c9ea1651c8e3b20edc59b49
For Neutron's compute agent in a XenServer compute node, the commands
actually need to run in Dom0. Currently XenServer only supports rootwrap
for that purpose by invoking a script which invokes XenAPI to execute
commands in dom0. There is much performance overhead because it requires
parsing the script and the configuration file every time commands are
run.
This change is to support daemon mode, with which each agent service will
call XenAPI directly to execute commands in dom0. And it will keep a
single XenAPI session.
DocImpact: Need to update the following configuration.
file: /etc/neutron/plugins/ml2/openvswitch_agent.ini
[agent]
root_helper_daemon = xenapi_root_helper
[xenapi]
connection_url = http://169.254.0.1
connection_username = root
connection_password = xenroot
Closes-Bug: #1585510
Change-Id: I684034359fe0571bc92dbcf342a9821553b1da35
This patch provides the Linux Bridge agent driver the ability to control
Linux Traffic Control (TC) to set the minimum required transmission rate
for an interface.
The TC library is refactored to use HTB qdiscs. This allows TC to
define, for several flows in the same interface, the maximum and the
minimum network bandwidth and the burst size.
To be able to do traffic shaping (instead of policing) for ingress
traffic, a new element, the Intermediate Functional Block device (IFB)
is introduced.
DocImpact
Partial-Bug: #1560963
Change-Id: I4d4db54519f1435068d1af38819404d1e5d9cd52
Only one line is picked up by configparser, so we should just
have one in the default privsep.filters file. This was found when
a stricter configparser kicked in for a python3.5 test.
Closes-Bug: #1652157
Change-Id: Ib7d9aa0e0b74a936002e0eea0b3af05102b06a62
Make use of oslo.privsep to support namespaces. This includes all
relevant code necessary for oslo.privsep to work.
Change ip_lib's get_routing_table method to use pyroute2, rather than
parsing the output of 'ip route'.
Change-Id: I89bfa3dbf1776da973cfca389b2841019a520f75
Partial-Bug: 1492714
Co-Authored-By: Angus Lees <gus@inodes.org>
This I42dadfd0b62730ca2d34d37cb63f19f6fec75567 patch
removes the supported_pci_vendor_devs option, and now
no additional options are required for the sriov ml2 mech
driver. This is a cleanup patch that also removes the
ml2_conf_sriov.ini from the oslo-config-generator.
Closes-Bug: #1641220
Change-Id: Ida6c0930ce65169a9bc59ef80d6b427b2d5d4e09
This patch will kill processes that are listening on any port/UNIX
socket within the namespace to be cleaned up. To kill them it will
issue a SIGTERM to them (or to their parents if they were forked) and,
if they don't die after a few seconds, a SIGKILL to them and all their
children.
This is intended for those cases when there's no specific cleanup and
serves as a fallback method.
Change-Id: I4195f633ef4a1788496d1293846f19eef89416aa
Partial-Bug: #1403455
Agent state options (report_interval), or interface related options
(f.e. ovs_integration_bridge) should be exposed into all configuration
files for all agents that may report a state, or instantiate a bridge
object.
Since some of the options that were previously considered 'base' don't apply
to the metering agent (specifically, availability_zone), moved them into
separate lists and included them into the relevant agents (l3 and dhcp).
The only glitch with the change is that log_agent_heartbeats option is
now exposed into metering agent configuration file, even though the
agent does not honour it. I think it's minor and we can live with it.
Change-Id: Ibceca20cec60e75a8c6ddd35f3f9cb8cca272a9e
This sets up the HTTPProxyToWSGI middleware in front of Neutron-API. The
purpose of this middleware is to set up the request URL correctly in
case there is a proxy (for instance, a load balancer such as HAProxy)
in front of Neutron.
So, for instance, when TLS connections are being terminated in the
proxy, and one tries to get the versions from the / resource of
Neutron, one will notice that the protocol is incorrect; it will show
'http' instead of 'https'. So this middleware handles such cases,
thus helping Keystone discovery work correctly.
The HTTPProxyToWSGI is off by default and needs to be enabled via a
configuration value.
Change-Id: Ice9ee8f4e04050271d59858f92034c230325718b
Closes-Bug: #1590608
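An added illustration, not the oslo.middleware implementation Neutron actually wires in: a minimal version resource behind a proxy-aware middleware, run against a constructed request as it would arrive from a TLS-terminating proxy. The header names and the opt-in default mirror the behaviour described above; the middleware staying off by default matters because the same headers can be set by any client that reaches the API without going through the proxy.

```python
"""Added example (not Neutron's or oslo.middleware's code): why the scheme
in the version document is wrong behind a TLS-terminating proxy, and how a
proxy-to-WSGI middleware corrects it when explicitly enabled."""


def version_app(environ, start_response):
    """Stand-in for the / version resource: returns the base URL it would
    advertise, built from the scheme and host of the incoming request."""
    base = "%s://%s%s" % (environ["wsgi.url_scheme"], environ["HTTP_HOST"],
                          environ.get("SCRIPT_NAME", "") or "/")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [base.encode()]


class HTTPProxyToWSGI(object):
    """When enabled, rewrite wsgi.url_scheme and HTTP_HOST from the
    X-Forwarded-* headers a terminating proxy adds (assumed header names).
    Disabled by default: a client talking to the backend directly could
    send the same headers and make the API advertise a URL of its choice."""

    def __init__(self, app, enabled=False):
        self.app = app
        self.enabled = enabled

    def __call__(self, environ, start_response):
        if self.enabled:
            proto = environ.get("HTTP_X_FORWARDED_PROTO")
            if proto in ("http", "https"):   # accept only real schemes
                environ["wsgi.url_scheme"] = proto
            host = environ.get("HTTP_X_FORWARDED_HOST")
            if host:
                environ["HTTP_HOST"] = host
        return self.app(environ, start_response)


def run(app, environ):
    """Invoke a WSGI app on a copy of a constructed environ; return
    (status, body) so callers can compare what the app advertised."""
    status = []
    body = b"".join(app(dict(environ), lambda s, h: status.append(s)))
    return status[0], body.decode()


# Constructed request: the proxy-to-backend hop is plain http, while the
# forwarded headers describe the client-facing https endpoint.
PROXIED_REQUEST = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "neutron-backend:9696",
    "SCRIPT_NAME": "",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "api.example.test",
}

if __name__ == "__main__":
    print("plain:  ", run(version_app, PROXIED_REQUEST)[1])
    print("enabled:", run(HTTPProxyToWSGI(version_app, True), PROXIED_REQUEST)[1])
```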
For new kernels (3.18+), bridge module is split into two pieces: bridge
and br_netfilter. The latter provides firewall support for bridged
traffic, as well as the following sysctl knobs:
* net.bridge.bridge-nf-call-arptables
* net.bridge.bridge-nf-call-ip6tables
* net.bridge.bridge-nf-call-iptables
Before kernel 3.18, any brctl command was loading the 'bridge' module
with the knobs, so at the moment where we reached iptables setup, they
were always available.
With new 3.18+ kernels, brctl still loads the 'bridge' module, but not
br_netfilter. So bridge existence no longer guarantees us the knobs'
presence. If we reach _enable_netfilter_for_bridges before the new
module is loaded, then the code will fail, triggering agent resync. It
will also fail to enable bridge firewalling on systems where it's
disabled by default (examples of those systems are most if not all Red
Hat/Fedora based systems), making security groups completely
ineffective.
Systems that don't override default settings for those knobs would work
fine except for this exception in the log file and agent resync. This is
because the first attempt to add an iptables rule using the 'physdev' module
(-m physdev) will trigger the kernel module loading. In theory, we could
silently swallow missing knobs, and still operate correctly. But on
second thought, it's quite fragile to rely on that implicit module
loading. In the case where we can't detect whether the firewall is enabled,
it's better to fail than hope for the best.
An alternative to the proposed path could be trying
to fix the broken deployment, meaning we would need to load the missing
kernel module on agent startup. It's not even clear whether we can
assume the operation would be available to us. Even with that, adding a
rootwrap filter to allow loading code in the kernel sounds quite scary.
If we followed that path, we would also hit the issue of
distinguishing between cases of a built-in kernel module vs. a modular one.
A complexity that is probably beyond what Neutron should fix.
The patch introduces a sanity check that would fail on missing
configuration knobs.
DocImpact: document the new deployment requirement in operations guide
UpgradeImpact: deployers relying on agents fixing wrong sysctl defaults
will need to make sure bridge firewalling is enabled.
Also, the kernel module providing sysctl knobs must be
loaded before starting the agent, otherwise it will fail
to start.
Depends-On: Id6bfd9595f0772a63d1096ef83ebbb6cd630fafd
Change-Id: I9137ea017624ac92a05f73863b77f9ee4681bbe7
Related-Bug: #1622914
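An added example (not the sanity check Neutron itself ships) of the kind of startup check described above: it tells a knob that is missing (br_netfilter not loaded, or built without it) apart from one that is present but disabled, fails in both cases rather than relying on implicit module loading, and can run offline against a constructed set of values. Treating the iptables and ip6tables knobs as the ones that must read 1 is an assumption made here.

```python
"""Added example (not the sanity check Neutron ships): classify the
br_netfilter sysctl knobs as missing, disabled or enabled at agent start."""
import os

BRIDGE_KNOBS = (
    "net.bridge.bridge-nf-call-arptables",
    "net.bridge.bridge-nf-call-ip6tables",
    "net.bridge.bridge-nf-call-iptables",
)
# Assumption: these are the knobs security group filtering of bridged
# traffic depends on, so they must not only exist but be set to 1.
MUST_BE_ENABLED = (
    "net.bridge.bridge-nf-call-iptables",
    "net.bridge.bridge-nf-call-ip6tables",
)


def proc_reader(root="/proc/sys"):
    """Build a reader mapping a sysctl name to its value, returning None
    when the knob does not exist (on 3.18+: br_netfilter is not loaded)."""
    def read(name):
        path = os.path.join(root, *name.split("."))
        try:
            with open(path) as fh:
                return fh.read().strip()
        except OSError:
            return None
    return read


def dict_reader(values):
    """Reader over a constructed dict so the check can run offline."""
    return lambda name: values.get(name)


def check_bridge_firewalling(read_knob):
    """Return (ok, report); report maps each knob to 'missing', 'disabled'
    or 'enabled'. ok is False when any knob is missing (fail rather than
    hope the physdev match loads the module later) or a required knob is
    disabled (security group rules would silently not apply)."""
    report = {}
    for name in BRIDGE_KNOBS:
        value = read_knob(name)
        if value is None:
            report[name] = "missing"
        elif value.strip() == "1":
            report[name] = "enabled"
        else:
            report[name] = "disabled"
    missing = [n for n in BRIDGE_KNOBS if report[n] == "missing"]
    disabled = [n for n in MUST_BE_ENABLED if report[n] == "disabled"]
    return (not missing and not disabled), report


if __name__ == "__main__":
    ok, report = check_bridge_firewalling(proc_reader())
    for knob, state in sorted(report.items()):
        print("%-40s %s" % (knob, state))
    raise SystemExit(0 if ok else 1)
```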
This patch exposes the root (version) resource to CORS-enabled
browser clients that wish to perform API version discovery. It
does this by creating a new composite pipeline for the neutronversions
app, adding the already-existing CORS middleware into the chain.
This feature is required for js-openstack-lib, and its devstack
tests. https://review.openstack.org/#/c/366905/
Change-Id: I6611839f38d553fc29c813a4b8d874fde77b8034
required-by: Ia2f59213eedf6d7acbb02789ee921c13ff391d09
The FWaaS policy.json entries are being relocated into the FWaaS
repository.
Co-Authored-By: Nate Johnston <Nate_Johnston@cable.comcast.com>
Depends-On: Idd8993da78dbd779e2b3d38a4039dabf60d416d5
Change-Id: Iec36638a7a57cc14753e93c5d207853d4a3e3b6e
Original problem is that dhcp_release does not work with IPv6, but IPv6
leases still should be released. For example:
1. Start VM in dhcpv6-stateful network, make it acquire IPv6 address.
2. Delete VM.
3. Start another VM in same network before lease expires.
There's a very high chance that the same IPv6 address will be allocated
for both of these VMs (same address will be reused after first VM was
deleted).
On the DHCP agent, the hosts file would be changed, but not the lease file, so
dnsmasq will not give the second VM the address until the lease expires. Reducing
the lease time is not a good solution here.
Solution is adding invocation of dhcp_release6 utility when
releasing IPv6 address. dhcp_release6 utility appears in dnsmasq 2.76.
It crafts DHCP6_Release packet, sends it from passed network
interface to IPv6 multicast address and waits for DHCP6_Reply.
Closes-Bug: 1521666
Change-Id: I5efab81cdaf0676503b6c7da0d4b4f400d859286
This patch introduces the front end implementation for QoS
minimum bandwidth rule.
APIImpact: New type of parameter for QoS rule in neutron API
DocImpact
Change-Id: I6b619a96a2bfde164646c71409b671352bc6ce7d
Partial-Bug: #1560963
This reverts commit b35d7fa3cbcd68ef10b9c40a47c0698c7e0a2089.
Patchset is reverted after deciding Nova can get the segment_id
from the subnet associated to the port.
Change-Id: Idf4ba107bf6e1427c82ab5b6a5cea0dba9264699
In this patchset, attribute 'ipam_segment_id' is added to ports to
contain the id of the segment where the port is bound in the case of a
routed network. This new attribute will be used by the Nova scheduler
to place an instance using the port in a host bound to the segment.
Change-Id: Ide13a7c53c5f4a33894f459c38924830ba583f98
Partially-Implements: blueprint routed-networks
This patch enables basic CRUD operations to support
Subnet service-types.
Partially-implements: blueprint service-subnets
Co-Authored-By: John Davidge <john.davidge@rackspace.com>
Change-Id: I0a1724ad00f0a3e675bb700cdd291f55f898c6f3
This patch enables basic CRUD operations on trunk ports and defines
related API extensions. Trunk ports and sub-ports can be persisted
in the Neutron model and are made visible through the API, but the
L2 agent is not notified and no trunk ports or subports are actually
instantiated on compute hosts.
This is one of the main patches in the series that implement the end
to end functionality.
Partially-implements: blueprint vlan-aware-vms
Co-Authored-By: Armando Migliaccio <armamig@gmail.com>
Change-Id: I26453eb9a1b25e116193417271400994ac57e4c1
Oslo incubator is about to stop for cache module. We could use
oslo.cache instead. The legacy memory backend is replaced by
oslo_cache.dict.
Closes-Bug: #1517883
Change-Id: I108242ca9f27c9ec47959ce7615bc7d84cae014b
There is still BGP code in the neutron repo; this patch removes it.
It was missed in commit I20b6ddd37d10eae70e8294d578e53137c0f866fe
Change-Id: I6bf71b14a03ccc005dcd4d67078e7e9f4a7ed197
Closes-Bug: #1584333
* Add osprofiler wsgi middleware. This middleware is used for 2 things:
1) It checks that the person who wants to trace is trusted and knows the
secret HMAC key.
2) It starts tracing in case of proper trace headers
and adds the first wsgi trace point, with info about the HTTP request
* Add initialization of osprofiler at start of service
Currently that includes oslo.messaging notifier instance creation
to send Ceilometer backend notifications.
Neutron client change: Ic11796889075b2a0e589b70398fc4d4ed6f3ef7c
Co-authored-by: Ryan Moats <rmoats@us.ibm.com>
Depends-On: I5102eb46a7a377eca31375a0d64951ba1fdd035d
Closes-Bug: #1335640
DocImpact Add devref and operator documentation on how to use this
APIImpact
Change-Id: I7fa2ad57dc5763ce72cba6945ebcadef2188e8bd
This patch enables CRUD on Segments by defining a new entity called
'Segment' with an extension definition and some DB code to read the
existing segments DB. A basic framework for create, update, and
delete are provided.
For now, this is just the basic boiler-plate but I've got to start
somewhere. It is implemented as a service plugin that is disabled by
default because it has not been fully tested with any plugin.
Follow-on patches will implement support for this new extension in
ML2 and OVN at least.
Change-Id: Ifc370fdd38f9a5b296334635fa85bd93d270b910
Partially-Implements: blueprint routed-networks
Once the spinout is underway, we should perform the eviction.
Partially-implements: blueprint bgp-spinout
Depends-on: I8be510153edbc496575cde34943ca4c56645e0fb
Change-Id: I20b6ddd37d10eae70e8294d578e53137c0f866fe
The QoS service plugin provides, for now, bandwidth limit rules for egress
traffic only (from the VM's point of view). The QoS extension driver for the
Linuxbridge agent now configures limits in the proper way on the tap interface,
so the limited traffic is that which is outgoing from the VM.
The Linuxbridge agent's QoS extension configures the egress bandwidth limit and
burst value in exactly the same way as openvswitch does it with tc.
Old methods in the TcCommand class will stay untouched because they can be used
later to also implement ingress bandwidth limits in QoS.
Change-Id: Id2b0463f49df52744e5bc3979a4cfd0ff06f9248
Closes-bug: #1563720
This patch adds the front end and back end implementation of QoS DSCP.
Associated patches that are dependent on this one:
* python-neutronclient: https://review.openstack.org/#/c/254280
* openstack-manuals: https://review.openstack.org/#/c/273638
* API Guide: https://review.openstack.org/#/c/275253
* Heat:
  * Spec: https://review.openstack.org/#/c/272173
  * QoSDscpMarkingRule resource: https://review.openstack.org/#/c/277567
* Fullstack tests: https://review.openstack.org/#/c/288392/
APIImpact - The API now supports marking the dscp field of traffic egressing
from a VM with a valid dscp value.
Co-Authored-By: Nate Johnston <nate_johnston@cable.comcast.com>
Co-Authored-By: Victor Howard <victor.r.howard@gmail.com>
Co-Authored-By: Margaret Frances <margaret_frances@cable.comcast.com>
Co-Authored-By: James Reeves <james.reeves5546@gmail.com>
Co-Authored-By: John Schwarz <jschwarz@redhat.com>
Needed-By: I25ad60c1b9a66e568276a772b8c496987d9f8299
Needed-By: I881b8f5bc9024c20275bc56062de72a1c70c8321
Needed-By: I48ead4b459183db795337ab729830a1b3c0022da
Needed-By: Ib92b172dce48276b90ec75ee5880ddd69040d7c8
Needed-By: I4eb21495e84feea46880caf3360759263e1e8f95
Needed-By: I0ab6a1a0d1430c5791fea1d5b54106c6cc93b937
Partial-Bug: #1468353
Change-Id: Ic3baefe176df05f049a2e06529c58fd65fe6b419