This patch adds info about how multicast traffic is treated by
openvswitch and iptables based firewall drivers.
Patch [1] was trying to fix behaviour of OVS based driver to make
it similar to how iptables driver works but it introduced bug [2]
which we weren't able to fix without basically disabling what [1] did
for some ports on the compute nodes.
So based on that we decided to revert [1] - it is done in [3] and to
document different behaviour between those 2 firewall drivers which is
done by this patch.
[1] https://review.opendev.org/#/c/748719/
[2] https://bugs.launchpad.net/neutron/+bug/1899967
[3] https://review.opendev.org/#/c/759555/
Change-Id: If8a56579c62f58befdc57f5916a5763e9fb99531
Related-Bug: #1899967
Related-Bug: #1889631
This reverts commit b8be1a05facff2ba8b484902494ce1663e0aae7c.
As was reported in bug [1] this patch broke multicast traffic sent
from ports with disabled port security. And that broke L3HA routers
as keepalived processes couldn't talk to each other.
During attempt to fix that issue with keepalived we found out other
corner cases which we may break and in fact to fix them, we would
effectively revert this change and allow multicast traffic for all
ports in e.g. networks with ports which have port security and ports
which don't have port security and are on same node.
As we also don't really know what other corner cases we may hit going
further with that, let's revert this patch.
As a follow up patch I will propose new patch which will document
differences in handling multicast traffic between iptables and
openvswitch based firewall drivers.
[1] https://bugs.launchpad.net/neutron/+bug/1899967
Change-Id: I37a8b33cf8e16d5bb5dc1966fc2dca6bb619026c
Closes-Bug: #1899967
Maciej no longer works on OpenStack, so remove him, and add
Flavio Fernandes as a replacement. Also added contact info
to the neutron-teams page.
Change-Id: I2f43a389644afcfa5a42571b6c5c093fd21560f1
It just makes it simpler for the user to copy & paste a command to
obtain the port's UUID.
Change-Id: Ib839c8ed1e78f14d49690367a68f007a68c5cebe
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
By default, if any multicast traffic sent to 224.0.0.X is allowed
in the OVS firewall (that means there is a specific egress rule),
this traffic is sent, in table 73 (ACCEPT_OR_INGRESS_TABLE), to
a rule with action NORMAL.
As commented in the related bug, https://tools.ietf.org/html/rfc4541,
chapter 2.1.2, section (2):
"Packets with a destination IP (DIP) address in the 224.0.0.X range
which are not IGMP must be forwarded on all ports."
That means those packets will be forwarded to all ports regardless of
any ingress rule. This patch processes this traffic separately, sending
those packets to table 102 (MCAST_RULES_INGRESS_TABLE). In this table
the ingress rules that have a defined protocol, will have an Open Flow
rule to output the traffic directly to those ports associated to this
rule.
For example, in the problem reported in the related bug, the VRRP
protocol (112), will be sent only to those ports that have this
ingress rule.
Change-Id: Ie271de144f78e364d938731ec9f5297e1a9d73f9
Closes-Bug: #1889631
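
A simplified Python model of the delivery decision described in the commit message above, added here as an illustration and not taken from neutron's code. `Port`, `receivers`, `per_rule_table` and the three sample ports are hypothetical names and constructed data; only the table names, the 224.0.0.X range and VRRP protocol 112 come from the message.

```python
import ipaddress
from dataclasses import dataclass

MCAST_224_0_0_X = ipaddress.ip_network("224.0.0.0/24")  # the 224.0.0.X range
IGMP, VRRP = 2, 112  # IP protocol numbers


@dataclass(frozen=True)
class Port:
    name: str
    egress_protocols: frozenset = frozenset()   # protocols allowed by egress rules
    ingress_protocols: frozenset = frozenset()  # protocols allowed by ingress rules


def receivers(ports, sender, dst_ip, protocol, per_rule_table):
    """Return the names of the ports that receive the packet.

    per_rule_table=False models table 73 (ACCEPT_OR_INGRESS_TABLE) handing
    the packet to a NORMAL action; per_rule_table=True models table 102
    (MCAST_RULES_INGRESS_TABLE) as the message describes it.
    """
    if ipaddress.ip_address(dst_ip) not in MCAST_224_0_0_X or protocol == IGMP:
        raise ValueError("model only covers non-IGMP packets to 224.0.0.X")
    if protocol not in sender.egress_protocols:
        return []  # no specific egress rule, so the traffic is not allowed out
    others = [p for p in ports if p is not sender]
    if not per_rule_table:
        # NORMAL follows RFC 4541 2.1.2 (2): forwarded on all ports,
        # ingress rules are never consulted.
        return [p.name for p in others]
    # Table 102: output only to ports whose ingress rule names this protocol.
    return [p.name for p in others if protocol in p.ingress_protocols]


# Constructed sample: two ports with VRRP rules and one port with no rules.
ROUTER_A = Port("router-a", frozenset({VRRP}), frozenset({VRRP}))
ROUTER_B = Port("router-b", frozenset({VRRP}), frozenset({VRRP}))
VM = Port("vm")
PORTS = [ROUTER_A, ROUTER_B, VM]

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, receivers(PORTS, ROUTER_A, "224.0.0.18", VRRP, flag))
```

With the NORMAL action the port without any VRRP ingress rule still receives the packet; with the per-rule table it does not.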
This patch converts neutron-grenade-ovn job to be Zuulv3 native
and adds it as non-voting job to the check queue.
Depends-On: https://review.opendev.org/752412
Change-Id: Ie27f7c9313ff4b18eba739e40fdb136036652313
And add note about different handling of packets marked as INVALID
by both those drivers.
Change-Id: I3d436289073e95312e5f5077acabd136266b9e8a
Closes-Bug: #1896587
ML2/OVN currently doesn't support IPv6 prefix delegation. This patch
adds it to the list of gaps.
Change-Id: Icf23cb9113d48322a4ba0db13a55c370e2bb14a4
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
Ryu Ishimoto was removed from the list of networking-midonet maintainers
as he is not active in the community anymore - thank You Ryu for all
Your work in the Neutron community.
Sam Morrison was added to the list as he recently stepped in to maintain
networking-midonet in the Neutron stadium. Welcome Sam and thanks for
Your help with this project.
Change-Id: I639fa5f69f56c96bc69873e6bcac555fff441ce2
Extend neutron metering agent to generate Granular metering data.
The rationale here is to have data (bytes and packets) not just in
a label basis, but also in tenant, router, and router-label, and tenant-label
basis. This allows operators to develop more complex network monitoring
solutions.
Moreover, I added documentation to explain what is the neutron metering agent,
its configs, and different message formats.
Change-Id: I7b6172f88efd4df89d7bed9a0af52f80c61acbe0
Implements: https://blueprints.launchpad.net/neutron/+spec/granular-metering-data
Closes-Bug: #1886949
Move port_forwarding.rst to doc/source/contributor/internals/ovn
Also, keep lines from the document no longer than 80 chars.
Change-Id: I2887eb022b268763193f93a68a32a4a0deaad42b
Add QoS minimum bandwidth allocation in Placement API to the feature
parity gap list.
Change-Id: I06a8d6af367c806681bd7bfa2d1930e390371dd7
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
This patch removes part about neutron-pd-agent from the PD docs.
This agent was retired many cycles ago with [1] so we shouldn't mention
that in our docs.
[1] https://review.opendev.org/#/c/388919/
Change-Id: I546d04373b475deef3a3c7fb2694da5a4fecaa26
There is no real reason we should be using some of the
terms we do, they're outdated, and we're behind other
open-source projects in this respect. Let's switch to
using more inclusive terms in all possible places.
Change-Id: I99913107e803384b34cbd5ca588451b1cf64d594
Uwsgi based jobs (functional, fullstack and tempest) are voting since
some time and are as stable as "non-uwsgi" ones.
Recently on the CI meeting we decided to move "non-uwsgi" functional and
fullstack jobs to be run only in periodic queue and promote "uwsgi" jobs
to be gating also.
Change-Id: Id24316f04e1ff619c8ce2fe475f873961cbb92e4
This patch adds verification of whether the context is an admin context
when verifying the valid security groups of a port.
Change-Id: I2674bdc448d9a091b9fe8c68f0866fd19141c6be
Closes-Bug: #1890539
This is a subset of the changes for implementing the floating IP
port forwarding feature in neutron, using OVN as the backend.
This changeset covers the documentation updates for the feature,
as well as a high-level description of how OVN implements it.
Partially-implements: ovn/port_forwarding
Partially-implements: blueprint portforwarding-description
Partial-Bug: #1877447
Change-Id: I2059a011f650dd7070a74dc6107aab2b15ca7104
Since [1], the SR-IOV commands are executed using Pyroute2. The
support to execute those commands is guaranteed by the requested
minimum version of this library.
[1] https://review.opendev.org/#/c/727811/
Change-Id: I53372524c9cdc75c4b24e1f3c973f8f87a73a8f9
Closes-Bug: #1888920
The heat stack name is variable. This patch adds a new environment
variable to support migrating stacks that have a different name than
overcloud.
Change-Id: I6fd72bf83def28ae633d720b8495888cea3ac0a3
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
OVN creates a localport [1] for each network that has metadata
and allocates an IP address from a subnet within this network that has
DHCP enabled. The traffic from this port will never go outside
the chassis.
While using multiple segments with subnet linked to each segment
OVN needs to create an allocation of IP address for each of those
subnets [2] in order to generate data for OVN NBDB IPv4 DHCP Options.
The change [3] started to validate that condition, while multiple
IP addresses from different segments are tried to be allocated on
one port. We can skip this for OVN Metadata port, because there
is no reason to prevent that kind of allocation for OVN.
[1] http://www.openvswitch.org/support/dist-docs/ovn-architecture.7.html
[2] 5f42488a9a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py (L2279)
[3] https://review.opendev.org/#/c/709444/
Change-Id: Ib51cde89ed873f48db4daebc27a0980da9cc0f19
Closes-Bug: 1871608
As we agreed during virtual PTG we want to change
tempest-multinode-full-py3 that it will run only integrated-networking
tests. And then promote it to be voting and gating job.
This new multinode job can replace singlenode tempest-integrated-networking
job so this patch removes this one from the queues too.
Change-Id: Ic61b636625824bbd6b7624a057db308a484ee463
In order for IPv6 to function correctly for instances, a router
must be created and added to a subnet. Update the documentation
to better highlight this as it wasn't clear a router was
required on an isolated subnet such that Router Advertisement
messages would be sent.
Change-Id: I4aca67c98ae77bbc4c130764af5a92515b95443a
Closes-bug: #1886116
New cirros with recent fixes for metadata service
has been released. Let's update the image version on gate.
Also stop using different images for OVN. Let's use default
settings from devstack.
First we need to merge [2].
[1] e40bcd2964
[2] https://review.opendev.org/#/c/711492/
Change-Id: Idc614f9f25188bd1a1e1d5424274acf04ba99328
In patch [1] we moved neutron_tempest_plugin test executions to
neutron-tempest-plugin repository.
That moves us forward with unifying the way of executing tests
after OVN merge.
[1] https://review.opendev.org/#/c/734832/
Change-Id: Iecca2649fc5e066fabe7f4b4746094506b595f0b
This patch is adding documentation about the router availability zones
feature in the OVN driver.
Change-Id: I6c8267100e1ee82c8b563528467b50b91f7700f6
Related-Bug: #1881095
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
This was proposed to be deprecated a long time ago already.
We have patch ports in Openvswitch to connect bridges together.
Change-Id: Ie343f83a886bb8c366873fd5e076bb7096e1a6ed
Related-bug: #1587296
As we discussed during last PTG, this patch adds singlenode tempest
job which uses neutron-lib from master branch always.
Change-Id: I883ba5d68b716d601898621079a835c706f52f85