Set a big timeout for rootwrap daemon in functional and fullstack
tests. The value defined in 7800, the same as the Zuul jobs
timeout.
This timeout increase will prevent the daemon to close when
executing a test root command, as described in the bug. An
unexpected rootwrap daemon closure is not considered as a normal
event during the test execution.
The default value set in the configuration file is 600 seconds, the
same as daemon default value. This timeout is increased only when
OS_SUDO_TESTING=1, that means functional and fullstack tests, when
using the script "tools/deploy_rootwrap.sh".
Change-Id: I691300a4e9a7cccd8887bc8f95ba9cea32988bac
Closes-Bug: #1850558
Since it's no longer supported past Train, lets stop
running the tests.
Updated docs and made some pep8 code tweaks as well.
Change-Id: I1c171ab906a3b4c66558163ad26947ebf710a276
If the configuration flag "debug_iptables_rules" is enabled, the
IPTables rules applied will be logged.
Similar to [1], when the IPTables firewall is enabled, it checks the
status of the following sysctl knobs:
* net.bridge.bridge-nf-call-arptables
* net.bridge.bridge-nf-call-ip6tables
* net.bridge.bridge-nf-call-iptables
In this case, the firewall is not enabling them but just checking the
status and logging it, to make easier the debugging process.
[1] https://review.opendev.org/#/c/371523/
Change-Id: I2ec953228d1d45e1d4c493c0b261901e6dbec0f7
Related-Bug: #1843259
In "NamespaceFixture", before deleting the namespace, this patch
introduces a check to first kill all processes running on it.
Closes-Bug: #1838793
Change-Id: I27f3db33f2e7ab685523fd2d6922177d7c9cb71b
All neutron.agent.linux.tc_lib TC commands, used in Linux Bridge
agent, have been implemented using Pyroute2.
Change-Id: Idcac297b204900037b22ab25a516a161f4e78224
Related-Bug: #1560963
This patch adds possibility to configure kill hooks used to kill
external processes, like dnsmasq or keepalived.
Change-Id: I29dfbedfb7167982323dcff1c4554ee780cc48db
Closes-Bug: #1825943
This patch adds an ironic notifier that sends notifications
to ironic endpoint /v1/events. The events are triggered by
port updates and deletions. Only ports with vnic_type
baremetal are honored.
Story: 1304673
Task: 22263
Closes-Bug: #1828367
Implements: blueprint event-notifier-ironic
Authored-By: Vasyl Saienko <vsaienko@mirantis.com>
Co-Authored-By: Harald Jensås <hjensas@redhat.com>
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: I0bb3187a88a7f20adb8c60e24945db159afb83f1
In L3 rootwrap filters we have filter to kill
neutron-keepalived-state-change process.
As this process is run under python, in commit [1] we added
KillFilter rules to allow kill various Python processes.
In RHEL8 there are "system" and "user" python versions provided.
It is called "platform-python" and is placed in /usr/libexec dir.
Details about it are in [2].
So this patch adds to neutron-keepalived-state-change Kill filters also
/usr/libexec/platform-python and /usr/libexec/platform-python3.6 to
allow killing this process on RHEL8 based OS.
[1] https://review.opendev.org/#/c/636710/
[2] https://developers.redhat.com/blog/2018/11/14/python-in-rhel-8/
Change-Id: Iafdaf2c1a6e5c1f5de856ff99e04c72c911c5123
When deleting HA routers, the keepalived state change monitor has to be
deleted. This patch adds rootwrap filters to allow deleting the state
change monitor.
Change-Id: Icfb208d9b51eaa41cf01af81f1ede7420a19cc93
Partial-Bug: #1795870
Partial-Bug: #1789434
We recently exposed the privsep opts for config generator use, so
projects that depend on oslo.privsep should include them in their
sample configs.
Change-Id: Ibaef2e2848855cd8ef987ec58457220911ad7c69
This commit introduces a framework for policy-in-code support
in the neutron stadium and converts the existing policy.json
in the neutron repository into the policy-in-code style.
NOTES:
1) This commit tries not to change the existing policy behavior
provided by the neutron repository even if there are some stale policies
or policies to be defined in a neutron-related project.
They should be clean up later in Stein release.
2) 'default' policy should be dropped from the default policies
as all default policies should be defined in the code (as many projects
which already completed policy-in-code do). However, dropping 'default'
policy potentially affects policy behavior in neutron-related projects,
so it needs to be visit carefully. Considering this, this commit decides
to keep the 'default' policy.
Partially Implements: blueprint neutron-policy-in-code
Change-Id: I6a61079da4d4f5080ee32d640144e6bdb14735fa
"neutron availability-zone-list" checks for "get_availability_zone" rule
and policy.json doesn't contain it so adding it now.
Change-Id: I7e5e706c44136e0b565f3ee18e15f1166d82040d
Add support for listing floating ip pools (subnets).
A new API resource ``floatingip-pools`` is introduced.
This API endpoint can return a list floating ip pools
which are essentially mappings between network UUIDs and
subnet CIDRs. Users can use this API to find out the pool
to create the floating IPs.
Related patches:
* neutron-lib: https://review.openstack.org/#/c/556674/
* tempest-plugin: https://review.openstack.org/#/c/562038/
APIImpact add floatingip pools api
Change-Id: Iaa995630645042520df67d95271e14f11ffcff8c
Partial-Bug: #1653932
It was added as temporary helper during migration process
and was marked to delete in Queens cycle.
Now we are in Rocky so I think we are fine to remove it
finally.
Change-Id: Iacf592841559d392b59864d507dc89ef028cbf05
Add common parent owner check for the resources which introduced by
service plugin.
Then port forwarding resource will share the same tenant_id with
floatingip. That means only the fip owner can create/update/get/delete
the associated port forwarding resource.
Partially-Implements: blueprint port-forwarding
Partial-Bug: #1491317
Change-Id: I450c674e55ca15e1d9a6a6224138f3305427da68
This patch implements the plugin.
This patch introduces an new service plugin for port forwarding resources,
named 'pf_plugin', and supports create/update/delete port forwarding
operation towards a free Floating IP.
This patch including some works below:
* Introduces portforwarding extension and the base class of plugin
* Introduces portforwarding plugin, support CRUD port forwarding
resources
* Add the policy of portforwarding
The race issue fix in:
https://review.openstack.org/#/c/574673/
Fip extend port forwarding field addition in:
https://review.openstack.org/#/c/575326/
Partially-Implements: blueprint port-forwarding
Change-Id: Ibc446f8234bff80d5b16c988f900d3940245ba89
Partial-Bug: #1491317
This patchset adds missing policy actions to the policy.json
file for several reasons:
1) It signals to operators all the policy actions that are
enforced in the system. With the governance spec [0]
urging projects toward policy in code documentation,
it makes sense to document all policy actions in the
policy.json as Neutron doesn't have policy in code.
2) It is consistent with Neutron's policy enforcement
documentation [1]:
"For each attribute which has been explicitly specified in the
request create a rule matching policy names in the form
<operation>_<resource>:<attribute> rule"
So it makes sense to capture each policy that is enforced,
including all those with these special attributes.
3) Why include "update_router:external_gateway_info" but not
"create_router:external_gateway_info"? This is inconsistent.
4) It makes it difficult to validate Neutron's policy via Patrole
if the policies aren't contained in the policy.json -- how else
is it possible to determine which policies to expect if they
aren't documented anywhere?
[0] https://governance.openstack.org/tc/goals/queens/policy-in-code.html
[1] https://docs.openstack.org/neutron/pike/contributor/internals/policy.html#authorization-workflow
Change-Id: I40f84134f0b56cfd574dfd69e5ebbf6a3fc2b3df
Currently the L3 agent qos extension does not set the mtu for
tc filter rules, the default value is 2kb. Tc filter rules use
such mtu will result in an inaccurate bandwidth.
So in order to improve the precision, we set the mtu to 64kb.
For the test results, you can read the bug description.
For more information you can read the linux tc man page:
[1] https://linux.die.net/man/8/tc-tbf
[2] http://man7.org/linux/man-pages/man8/tc-police.8.html
Closes-Bug: #1777598
Change-Id: I7a167ec6139ccc55988b34f82080a182116d02a3
Grouped similar items into create/get/update/delete
order so they are easier to find, as some were even
in separate blocks.
Trivialfix
Change-Id: I283cd31fadf26f00fb18ccffea19a6b59d4277a1
Currently if a new port is created by a tenant with whom
the network is shared (tenant is not the owner but has
network shared via RBAC) , the port is allocated on the default
subnet. This patch allows the tenant to create/update a port on
any subnet which is actually a part of a shared network, owned by
another tenant.
Tempest test in [1]
[1]: https://review.openstack.org/521413
Change-Id: I1046f6b13e68b1e274cc8f62f5b30aa5f8d71cdc
Closes-Bug: #1543756
This is the TC lib utils for L3 IP QoS implementation.
For more detail please see [1]: L3 agent side TC rules.
[1] https://review.openstack.org/#/c/374506/
Partially-Implements blueprint: floating-ip-rate-limit
Related-Bug: #1596611
Change-Id: Icfec83ca6dc31d7283d9c6c6ef0997d5e60daae6
Allow ovs agent to run bridge command.
This is necessary because FDB extension uses bridge to update the FDB table.
Closes-Bug: #1730407
Change-Id: I0897f1efcf36fc7f6f06e80c3b29c0e1fa14b141
The versions endpoint is now handled by Pecan
and there is no way to reach this old endpoint
now that we have dropped the web_framework option.
Change-Id: I5d493623b107f125cb9426310f2e43612c94bb7f
Sysctl was missing from the linuxbridge plugin rootwrap
configuration file. This was causing failures in the
linuxbridge agent when networks are created:
Rootwrap error running command: ['sysctl', '-w', 'net.ipv6.conf.eth0/557.disable_ipv6=1']:
NOTE: this bug was hidden by the fact that sysctl was
covered by the iptables-firewall.filters until recently,
when it was removed (see https://review.openstack.org/#/c/436315/).
Change-Id: Id20175df30d4d6039fb42e722d03f39521f6a499
Closes-Bug: #1715194
Drops unit tests related to fwaas policies.
Tests related to get_firewall_policy/rule are also unnecessary.
They have been migrated to neutron-fwaas already.
Closes-Bug: #1703347
Depends-On: I6dc6b2295a605444c918e44949f4b1485177e82e
Change-Id: Ie866f140fd4e5537ff0d757304ab5279f0cf0a79
This patch introduces the logging api definition and initial
implementation of LoggingApiPlugin. The api definition code will
be removed after [1] has been merged on neutron lib.
[1]https://review.openstack.org/#/c/415817/
Co-Authored-By: Yushiro FURUKAWA <y.furukawa_2@jp.fujitsu.com>
Partially-implements: blueprint security-group-logging
Related-Bug: #1468366
Change-Id: Iace31506502de25da9dce5fcfdbfe2c726bea27f
In Ocata, notification_drivers were deprecated in favor of
the new QoSDriver architecture.
This patch removes backwards compatible support for notification
drivers along with its testing.
Change-Id: I5f747635be3fd66b70326d9f94c85a6736286bd2
Currently, Neutron's policy.json does not exhaustively
list all the policy actions within Neutron.
This has some downsides:
1) It makes it harder to override these policy actions
2) It is inconsistent
3) The policy.json should be a "golden copy" of all the
policy actions enforced by the system.
4) It makes it harder to RBAC test Neutron
(because it is very difficult to determine which
policy actions are valid and which are not).
The current policy actions that are enforced by the system
but not contained in the policy.json are as follows:
- create_security_group
- delete_security_group
- delete_security_group_rule
- get_security_group_rules
- get_security_groups
- get_security_group_rule
- get_security_group
- update_security_group
- update_router
- update_router:external_gateway_info
- update_router:external_gateway_info:network_id
Closes-Bug: #1676674
Change-Id: I4625c8f55bfa46b1a2209642e425677a47455219
Implements the port data plane status extension. Third parties
can report via Neutron API issues in the underlying data plane
affecting connectivity from/to Neutron ports.
Supported statuses:
- None: no status being reported; default value
- ACTIVE: all is up and running
- DOWN: no traffic can flow from/to the Neutron port
Setting attribute available to admin or any user with specific role
(default role: data_plane_integrator).
ML2 extension driver loaded on request via configuration:
[ml2]
extension_drivers = data_plane_status
Related-Bug: #1598081
Related-Bug: #1575146
DocImpact: users can get status of the underlying port data plane;
attribute writable by admin users and users granted the
'data-plane-integrator' role.
APIImpact: port now has data_plane_status attr, set on port update
Implements: blueprint port-data-plane-status
Depends-On: I04eef902b3310f799b1ce7ea44ed7cf77c74da04
Change-Id: Ic9e1e3ed9e3d4b88a4292114f4cb4192ac4b3502
When neutron is deployed with hypervisor is XenServer, current
implementation will grab port's iface-id via xapi, but this isn't
the proper way:
Port's iface-id is already set when creating VM or hot plugging
VIFs in nova project, so there is no need to grab it via xapi
Change-Id: Ie07527cc89ac81ff1e3519db66925cee482f77a4
Closes-Bug: #1649747
The following enhancements are added:
-- PD keeps track of status of neutron routers: active or
standalone (master), or standby (not master),
-- PD DHCP clients are only spawned in the active router. In the
standby router, PD keeps track of the assigned prefixes, but
doesn't spawn DHCP clients.
-- When switchover occurs, on the router becoming standby, PD
clients are "killed" so that they don't send prefix withdrawals
to the DHCP server. On the router becoming active, PD spawns DHCP
clients with the assigned prefixes configured as hints in the
DHCP client's configuration
Closes-Bug: #1651465
Change-Id: I17df98128c7a88e72e31251687f30f569df6b860