1079 Commits

Author SHA1 Message Date
Maciej Józefczyk
65692127f6 [OVN] Move OVN commons to neutron tree
Move OVN related commons to neutron tree.

Previous paths in networking-ovn tree:
./networking_ovn/common/constants.py -> ./neutron/common/ovn/constants.py
./networking_ovn/common/exceptions.py -> ./neutron/common/ovn/exceptions.py
./networking_ovn/common/utils.py -> ./neutron/common/ovn/utils.py
./networking_ovn/common/hash_ring_manager.py -> neutron/common/ovn/hash_ring_manager.py
./networking_ovn/common/config.py -> ./neutron/conf/plugins/ml2/drivers/ovn/ovn_conf.py

Co-Authored-By: Gal Sagie <gal.sagie@huawei.com>
Co-Authored-By: Boden R <bodenvmw@gmail.com>
Co-Authored-By: Daniel Alvarez <dalvarez@redhat.com>
Co-Authored-By: Amitabha Biswas <abiswas@us.ibm.com>
Co-Authored-By: Chandra S Vejendla <csvejend@us.ibm.com>
Co-Authored-By: Babu Shanmugam <bschanmu@redhat.com>
Co-Authored-By: Lucas Alvares Gomes <lucasagomes@gmail.com>
Co-Authored-By: Terry Wilson <twilson@redhat.com>
Co-Authored-By: Ramu Ramamurthy <ramu.ramamurthy@us.ibm.com>
Co-Authored-By: Maciej Józefczyk <mjozefcz@redhat.com>
Co-Authored-By: Gary Kotton <gkotton@vmware.com>
Co-Authored-By: Andrew Austin <aaustin@redhat.com>
Co-Authored-By: Miguel Angel Ajo <majopela@redhat.com>
Co-Authored-By: Brian Haley <bhaley@redhat.com>
Co-Authored-By: Dong Jun <dongj@dtdream.com>
Co-Authored-By: xurong00037997 <xu.rong@zte.com.cn>
Co-Authored-By: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>

Change-Id: Ib46bfdd14a150a324dbf28c6a50c839c5c824e35
Related-Blueprint: neutron-ovn-merge
2019-12-04 13:15:16 +00:00
Rodolfo Alonso Hernandez
7218873050 Set rootwrap daemon timeout for fullstack and functional tests
Set a big timeout for rootwrap daemon in functional and fullstack
tests. The value defined is 7800, the same as the Zuul jobs
timeout.

This timeout increase will prevent the daemon from closing when
executing a test root command, as described in the bug. An
unexpected rootwrap daemon closure is not considered a normal
event during the test execution.

The default value set in the configuration file is 600 seconds, the
same as daemon default value. This timeout is increased only when
OS_SUDO_TESTING=1, that means functional and fullstack tests, when
using the script "tools/deploy_rootwrap.sh".

Change-Id: I691300a4e9a7cccd8887bc8f95ba9cea32988bac
Closes-Bug: #1850558
2019-10-31 11:42:47 +00:00
Brian Haley
6842465260 Stop testing python 2
Since it's no longer supported past Train, let's stop
running the tests.

Updated docs and made some pep8 code tweaks as well.

Change-Id: I1c171ab906a3b4c66558163ad26947ebf710a276
2019-10-25 18:50:08 +00:00
Zuul
86e4f14115 Merge "Log the IPTables rules if "debug_iptables_rules"" 2019-10-19 01:56:23 +00:00
Rodolfo Alonso Hernandez
2bb241b7a2 Log the IPTables rules if "debug_iptables_rules"
If the configuration flag "debug_iptables_rules" is enabled, the
IPTables rules applied will be logged.

Similar to [1], when the IPTables firewall is enabled, it checks the
status of the following sysctl knobs:

* net.bridge.bridge-nf-call-arptables
* net.bridge.bridge-nf-call-ip6tables
* net.bridge.bridge-nf-call-iptables

In this case, the firewall is not enabling them but just checking the
status and logging it, to make the debugging process easier.

[1] https://review.opendev.org/#/c/371523/

Change-Id: I2ec953228d1d45e1d4c493c0b261901e6dbec0f7
Related-Bug: #1843259
2019-09-23 09:58:36 +00:00
Rodolfo Alonso Hernandez
be7bb4d0f5 Kill all processes running in a namespace before deletion
In "NamespaceFixture", before deleting the namespace, this patch
introduces a check to first kill all processes running on it.

Closes-Bug: #1838793

Change-Id: I27f3db33f2e7ab685523fd2d6922177d7c9cb71b
2019-08-21 09:03:54 +00:00
Adrian Chiris
f9a750fcaf Prevent providing privsep-helper paths outside /etc
This commit aligns privsep filters with other projects,
e.g. nova[1], cinder[2], to prevent a malicious user from
invoking privsep-helper with an arbitrary configuration file
in case it took control over an unprivileged neutron process.

[1]4f261f98e1/etc/nova/rootwrap.d/compute.filters (L23)
[2]f5feb87ab8/etc/cinder/rootwrap.d/volume.filters (L41)

Change-Id: I0b4e8cdee0cbbc46547599e176efb4420ee1b318
2019-09-23 14:59:41 +03:00
Zuul
f17d0e19ae Merge "Remove rootwrap filters for TC commands in Linux Bridge" 2019-07-09 13:43:00 +00:00
Rodolfo Alonso Hernandez
fb7185bf35 Use Pyroute2 "add_tc_qdisc" function in l3_tc_lib
Change-Id: I67ddf9d9a6bb2d9d2e8ff0b6345a0118ec37d837
Related-Bug: #1492714
2019-07-05 08:13:07 +00:00
Rodolfo Alonso Hernandez
b6cbc95dcb Use Pyroute2 "list_tc_qdiscs" function in l3_tc_lib
Change-Id: Ifdccd02411e3c3bae441fc28ab8ed09ff746993c
Related-Bug: #1492714
2019-07-05 08:11:00 +00:00
Rodolfo Alonso Hernandez
7d62308eaa Remove rootwrap filters for TC commands in Linux Bridge
All neutron.agent.linux.tc_lib TC commands, used in Linux Bridge
agent, have been implemented using Pyroute2.

Change-Id: Idcac297b204900037b22ab25a516a161f4e78224
Related-Bug: #1560963
2019-07-04 21:17:46 +00:00
Zuul
c3e611eaf1 Merge "Add kill hooks for external processes" 2019-06-05 01:09:51 +00:00
Slawek Kaplonski
93015527f0 Add kill hooks for external processes
This patch adds the possibility to configure kill hooks used to kill
external processes, like dnsmasq or keepalived.

Change-Id: I29dfbedfb7167982323dcff1c4554ee780cc48db
Closes-Bug: #1825943
2019-06-03 14:39:51 +02:00
Harald Jensås
afff649a39 Notify ironic on port status changes
This patch adds an ironic notifier that sends notifications
to ironic endpoint /v1/events. The events are triggered by
port updates and deletions. Only ports with vnic_type
baremetal are honored.

Story: 1304673
Task: 22263
Closes-Bug: #1828367
Implements: blueprint event-notifier-ironic
Authored-By: Vasyl Saienko <vsaienko@mirantis.com>
Co-Authored-By: Harald Jensås <hjensas@redhat.com>
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: I0bb3187a88a7f20adb8c60e24945db159afb83f1
2019-05-27 13:38:42 +02:00
Slawek Kaplonski
4597dfc136 Add RHEL8 platform-python to the L3 rootwrap filters
In L3 rootwrap filters we have a filter to kill the
neutron-keepalived-state-change process.
As this process is run under python, in commit [1] we added
KillFilter rules to allow killing various Python processes.

In RHEL8 there are "system" and "user" python versions provided.
It is called "platform-python" and is placed in /usr/libexec dir.
Details about it are in [2].

So this patch also adds /usr/libexec/platform-python and
/usr/libexec/platform-python3.6 to the neutron-keepalived-state-change
Kill filters to allow killing this process on RHEL8 based OS.

[1] https://review.opendev.org/#/c/636710/
[2] https://developers.redhat.com/blog/2018/11/14/python-in-rhel-8/

Change-Id: Iafdaf2c1a6e5c1f5de856ff99e04c72c911c5123
2019-05-17 10:15:45 +02:00
Miguel Lavalle
25c432a05a Add rootwrap filters to kill state change monitor
When deleting HA routers, the keepalived state change monitor has to be
deleted. This patch adds rootwrap filters to allow deleting the state
change monitor.

Change-Id: Icfb208d9b51eaa41cf01af81f1ede7420a19cc93
Partial-Bug: #1795870
Partial-Bug: #1789434
2019-03-13 07:40:15 -07:00
Ben Nemec
1cf30c552d Add oslo.privsep to config-generator list
We recently exposed the privsep opts for config generator use, so
projects that depend on oslo.privsep should include them in their
sample configs.

Change-Id: Ibaef2e2848855cd8ef987ec58457220911ad7c69
2019-03-01 16:54:20 +00:00
Brian Haley
3d70272f42 Rename README.policy.json.txt
README.policy.yaml.txt is a more appropriate name since
policy.json does not exist any more.

Change-Id: I89a425cb1552f8f6bc81d54f376b5e80bf71c1cc
2019-01-07 12:45:15 -05:00
Akihiro Motoki
f8984c6699 Convert policy.json into policy-in-code
This commit introduces a framework for policy-in-code support
in the neutron stadium and converts the existing policy.json
in the neutron repository into the policy-in-code style.

NOTES:
1) This commit tries not to change the existing policy behavior
provided by the neutron repository even if there are some stale policies
or policies to be defined in a neutron-related project.
They should be cleaned up later in the Stein release.

2) The 'default' policy should be dropped from the default policies
as all default policies should be defined in the code (as many projects
which already completed policy-in-code do). However, dropping the 'default'
policy potentially affects policy behavior in neutron-related projects,
so it needs to be visited carefully. Considering this, this commit decides
to keep the 'default' policy.

Partially Implements: blueprint neutron-policy-in-code
Change-Id: I6a61079da4d4f5080ee32d640144e6bdb14735fa
2018-12-13 20:37:53 +00:00
Goutham Pratapa
31be154657 Add get_availability_zone rule to policy.json
"neutron availability-zone-list" checks for "get_availability_zone" rule
and policy.json doesn't contain it so adding it now.

Change-Id: I7e5e706c44136e0b565f3ee18e15f1166d82040d
2018-11-21 16:33:30 +05:30
Hongbin Lu
4e3fb31919 Introduce floating IP pool resource
Add support for listing floating ip pools (subnets).
A new API resource ``floatingip-pools`` is introduced.
This API endpoint can return a list of floating ip pools
which are essentially mappings between network UUIDs and
subnet CIDRs. Users can use this API to find out the pool
from which to create the floating IPs.

Related patches:
* neutron-lib: https://review.openstack.org/#/c/556674/
* tempest-plugin: https://review.openstack.org/#/c/562038/

APIImpact add floatingip pools api
Change-Id: Iaa995630645042520df67d95271e14f11ffcff8c
Partial-Bug: #1653932
2018-10-04 15:53:53 +00:00
Zuul
e59013b9e8 Merge "Remove _migrate_python_ns_metadata_proxy_if_needed method" 2018-08-21 21:21:50 +00:00
Zuul
bc79f04613 Merge "Add delete rule for auto_allocated_topology" 2018-08-11 23:13:58 +00:00
Zuul
41f36fb9f4 Merge "Add osprofiler to api-paste pipeline" 2018-08-11 12:45:52 +00:00
Slawek Kaplonski
f046031456 Remove _migrate_python_ns_metadata_proxy_if_needed method
It was added as temporary helper during migration process
and was marked to delete in Queens cycle.
Now we are in Rocky so I think we are fine to remove it
finally.

Change-Id: Iacf592841559d392b59864d507dc89ef028cbf05
2018-08-04 09:53:00 +02:00
Mykola Yakovliev
9caf87bb0c Add delete rule for auto_allocated_topology
This patchset updates policy.json to cover delete action for
auto_allocated_topology introduced in Neutron API [0].

[0] https://developer.openstack.org/api-ref/network/v2/index.html#delete-the-auto-allocated-topology

Closes-bug: #1785349
Change-Id: If7b5c3262370057e6b40d96967d355cd0ee7e2d3
2018-08-04 00:45:51 +00:00
ZhaoBo
35d945e92f Add ext_parent policy check
Add a common parent owner check for the resources which are introduced by
the service plugin.

Then port forwarding resource will share the same tenant_id with
floatingip. That means only the fip owner can create/update/get/delete
the associated port forwarding resource.

Partially-Implements: blueprint port-forwarding
Partial-Bug: #1491317
Change-Id: I450c674e55ca15e1d9a6a6224138f3305427da68
2018-08-01 02:45:42 +08:00
ZhaoBo
21ae99d5b3 [server side] Floating IP port forwarding plugin
This patch implements the plugin.
This patch introduces a new service plugin for port forwarding resources,
named 'pf_plugin', and supports create/update/delete port forwarding
operations towards a free Floating IP.

This patch includes the work below:
* Introduces the portforwarding extension and the base class of the plugin
* Introduces the portforwarding plugin, supporting CRUD of port forwarding
resources
* Adds the policy of portforwarding

The race issue is fixed in:
https://review.openstack.org/#/c/574673/

The FIP port forwarding field extension is added in:
https://review.openstack.org/#/c/575326/

Partially-Implements: blueprint port-forwarding
Change-Id: Ibc446f8234bff80d5b16c988f900d3940245ba89
Partial-Bug: #1491317
2018-07-26 11:43:34 +08:00
Felipe Monteiro
41fe927c80 Add missing policy actions to policy.json file
This patchset adds missing policy actions to the policy.json
file for several reasons:

1) It signals to operators all the policy actions that are
   enforced in the system. With the governance spec [0]
   urging projects toward policy in code documentation,
   it makes sense to document all policy actions in the
   policy.json as Neutron doesn't have policy in code.

2) It is consistent with Neutron's policy enforcement
   documentation [1]:

   "For each attribute which has been explicitly specified in the
    request create a rule matching policy names in the form
    <operation>_<resource>:<attribute> rule"

    So it makes sense to capture each policy that is enforced,
    including all those with these special attributes.

3) Why include "update_router:external_gateway_info" but not
   "create_router:external_gateway_info"? This is inconsistent.

4) It makes it difficult to validate Neutron's policy via Patrole
   if the policies aren't contained in the policy.json -- how else
   is it possible to determine which policies to expect if they
   aren't documented anywhere?

[0] https://governance.openstack.org/tc/goals/queens/policy-in-code.html
[1] https://docs.openstack.org/neutron/pike/contributor/internals/policy.html#authorization-workflow

Change-Id: I40f84134f0b56cfd574dfd69e5ebbf6a3fc2b3df
2018-07-18 02:17:16 +01:00
Jonathan Rosser
0fe31bc8ae Add osprofiler to api-paste pipeline
The osprofiler filter is included in the standard pipelines for
nova, glance, cinder, heat, magnum [1], but is missing for neutron.

This means when a deployment uses profiling, there is a gap in the
data collected when the neutron API is executing.

[1] https://github.com/openstack/openstack-ansible-os_nova/blob/master/templates/api-paste.ini.j2#L31-L32

Change-Id: I8e45888968cde8ca29548447d0b0bc00ae569fc1
Closes-Bug: #1781619
2018-07-17 20:58:25 +00:00
LIU Yulong
5ddb2a4762 Make L3 IP tc filter rate limit more accurate
Currently the L3 agent qos extension does not set the mtu for
tc filter rules; the default value is 2kb. Tc filter rules using
such an mtu will result in an inaccurate bandwidth.

So in order to improve the precision, we set the mtu to 64kb.
For the test results, you can read the bug description.

For more information you can read the linux tc man page:
[1] https://linux.die.net/man/8/tc-tbf
[2] http://man7.org/linux/man-pages/man8/tc-police.8.html

Closes-Bug: #1777598
Change-Id: I7a167ec6139ccc55988b34f82080a182116d02a3
2018-06-20 02:21:28 +00:00
Brian Haley
3ad91f61f2 Remove deprecated IVS interface driver
This was marked deprecated in Queens for removal in Rocky,
https://review.openstack.org/#/c/505401/

Change-Id: I77fa59ae1819e87ab8ccc1fa5f0db86de3b90e2e
2018-04-26 20:15:46 +00:00
Brian Haley
06dab9d3b3 Re-order items in policy.json
Grouped similar items into create/get/update/delete
order so they are easier to find, as some were even
in separate blocks.

Trivialfix

Change-Id: I283cd31fadf26f00fb18ccffea19a6b59d4277a1
2018-04-17 14:26:01 +00:00
Reedip
8236e83dec Allow port create/update by shared nw owners
Currently if a new port is created by a tenant with whom
the network is shared (tenant is not the owner but has the
network shared via RBAC), the port is allocated on the default
subnet. This patch allows the tenant to create/update a port on
any subnet which is actually a part of a shared network owned by
another tenant.
Tempest test in [1]

[1]: https://review.openstack.org/521413
Change-Id: I1046f6b13e68b1e274cc8f62f5b30aa5f8d71cdc
Closes-Bug: #1543756
2017-12-12 04:12:54 +00:00
LIU Yulong
f40128b437 [L3][QoS] Adding L3 rate limit TC lib
This is the TC lib utils for L3 IP QoS implementation.
For more detail please see [1]: L3 agent side TC rules.

[1] https://review.openstack.org/#/c/374506/

Partially-Implements blueprint: floating-ip-rate-limit
Related-Bug: #1596611
Change-Id: Icfec83ca6dc31d7283d9c6c6ef0997d5e60daae6
2017-11-15 09:44:05 +00:00
Edan David
04b31bb72a Fix typo "extention" -> "extension"
Change-Id: Ib3d8edfc8319cbb9c15610b1d81b8ff400ce5e71
2017-11-09 07:05:56 -05:00
Edan David
c6d8ccb640 Enable bridge command for openvswitch agent
Allow the ovs agent to run the bridge command.
This is necessary because the FDB extension uses bridge to update the FDB table.

Closes-Bug: #1730407

Change-Id: I0897f1efcf36fc7f6f06e80c3b29c0e1fa14b141
2017-11-08 02:03:44 -05:00
Kevin Benton
de82ded117 Remove dead versions code
The versions endpoint is now handled by Pecan
and there is no way to reach this old endpoint
now that we have dropped the web_framework option.

Change-Id: I5d493623b107f125cb9426310f2e43612c94bb7f
2017-09-19 14:54:33 -07:00
Stefan Nica
f1b43395e7 linuxbridge-agent: add missing sysctl rootwrap entry
Sysctl was missing from the linuxbridge plugin rootwrap
configuration file. This was causing failures in the
linuxbridge agent when networks are created:

Rootwrap error running command: ['sysctl', '-w', 'net.ipv6.conf.eth0/557.disable_ipv6=1']:

NOTE: this bug was hidden by the fact that sysctl was
covered by the iptables-firewall.filters until recently,
when it was removed (see https://review.openstack.org/#/c/436315/).

Change-Id: Id20175df30d4d6039fb42e722d03f39521f6a499
Closes-Bug: #1715194
2017-09-05 18:59:30 +02:00
Jenkins
8538db828a Merge "Remove neutron-fwaas specific policies" 2017-07-26 08:49:43 +00:00
Akihiro Motoki
a52f3af266 Remove neutron-fwaas specific policies
Drops unit tests related to fwaas policies.

Tests related to get_firewall_policy/rule are also unnecessary.
They have been migrated to neutron-fwaas already.

Closes-Bug: #1703347
Depends-On: I6dc6b2295a605444c918e44949f4b1485177e82e
Change-Id: Ie866f140fd4e5537ff0d757304ab5279f0cf0a79
2017-07-16 17:56:25 +00:00
Nguyen Phuong An
913c9e78b9 [log]: implement logging plugin
This patch introduces the logging api definition and initial
implementation of LoggingApiPlugin. The api definition code will
be removed after [1] has been merged on neutron lib.

[1]https://review.openstack.org/#/c/415817/

Co-Authored-By: Yushiro FURUKAWA <y.furukawa_2@jp.fujitsu.com>

Partially-implements: blueprint security-group-logging
Related-Bug: #1468366
Change-Id: Iace31506502de25da9dce5fcfdbfe2c726bea27f
2017-07-12 13:30:50 +07:00
Miguel Angel Ajo
6037e53f07 Remove deprecated support for QoS notification_drivers
In Ocata, notification_drivers were deprecated in favor of
the new QoSDriver architecture.

This patch removes backwards compatible support for notification
drivers along with its testing.

Change-Id: I5f747635be3fd66b70326d9f94c85a6736286bd2
2017-04-17 06:32:01 -07:00
Jenkins
fc5aafaf57 Merge "Adding missing neutron policies to policy.json" 2017-04-17 05:17:21 +00:00
Felipe Monteiro
8fad40bd2f Adding missing neutron policies to policy.json
Currently, Neutron's policy.json does not exhaustively
list all the policy actions within Neutron.

This has some downsides:
  1) It makes it harder to override these policy actions
  2) It is inconsistent
  3) The policy.json should be a "golden copy" of all the
     policy actions enforced by the system.
  4) It makes it harder to RBAC test Neutron
     (because it is very difficult to determine which
      policy actions are valid and which are not).

The current policy actions that are enforced by the system
but not contained in the policy.json are as follows:
  - create_security_group
  - delete_security_group
  - delete_security_group_rule
  - get_security_group_rules
  - get_security_groups
  - get_security_group_rule
  - get_security_group
  - update_security_group
  - update_router
  - update_router:external_gateway_info
  - update_router:external_gateway_info:network_id

Closes-Bug: #1676674
Change-Id: I4625c8f55bfa46b1a2209642e425677a47455219
2017-04-12 16:05:35 +01:00
Carlos Goncalves
89de63de05 Port data plane status extension implementation
Implements the port data plane status extension. Third parties
can report via Neutron API issues in the underlying data plane
affecting connectivity from/to Neutron ports.

Supported statuses:
  - None: no status being reported; default value
  - ACTIVE: all is up and running
  - DOWN: no traffic can flow from/to the Neutron port

Setting attribute available to admin or any user with specific role
(default role: data_plane_integrator).

ML2 extension driver loaded on request via configuration:

  [ml2]
  extension_drivers = data_plane_status

Related-Bug: #1598081
Related-Bug: #1575146

DocImpact: users can get status of the underlying port data plane;
attribute writable by admin users and users granted the
'data-plane-integrator' role.
APIImpact: port now has data_plane_status attr, set on port update

Implements: blueprint port-data-plane-status

Depends-On: I04eef902b3310f799b1ce7ea44ed7cf77c74da04
Change-Id: Ic9e1e3ed9e3d4b88a4292114f4cb4192ac4b3502
2017-04-11 19:56:13 +00:00
Huan Xie
3d58ce44d4 Deal with port commonly when hypervisor is XenServer
When neutron is deployed with XenServer as the hypervisor, the current
implementation grabs the port's iface-id via xapi, but this isn't
the proper way:
The port's iface-id is already set when creating a VM or hot plugging
VIFs in the nova project, so there is no need to grab it via xapi.

Change-Id: Ie07527cc89ac81ff1e3519db66925cee482f77a4
Closes-Bug: #1649747
2017-03-30 22:33:14 -07:00
Jenkins
6dba921f2d Merge "Add PD support in HA router" 2017-03-15 07:25:35 +00:00
Robert Li
bb3c0e8285 Add PD support in HA router
The following enhancements are added:
  -- PD keeps track of status of neutron routers: active or
     standalone (master), or standby (not master),
  -- PD DHCP clients are only spawned in the active router. In the
     standby router, PD keeps track of the assigned prefixes, but
     doesn't spawn DHCP clients.
  -- When switchover occurs, on the router becoming standby, PD
     clients are "killed" so that they don't send prefix withdrawals
     to the DHCP server. On the router becoming active, PD spawns DHCP
     clients with the assigned prefixes configured as hints in the
     DHCP client's configuration

Closes-Bug: #1651465
Change-Id: I17df98128c7a88e72e31251687f30f569df6b860
2017-03-15 04:31:09 +00:00
Jenkins
b29339f28f Merge "iptables: stop 'fixing' kernel sysctl bridge firewalling knobs" 2017-03-15 02:45:53 +00:00