1102 Commits

Author SHA1 Message Date
Zuul
bffd23658e Merge "Migrate "dhcp_release" to oslo.privsep" 2020-07-08 16:01:21 +00:00
Zuul
4c2e78b0e2 Merge "Migrate "netstat" to oslo.privsep" 2020-07-02 13:39:34 +00:00
elajkat
a42d0d0301 Trivial: Change Health-check from filter to app_factory
[1] added healthcheck url to neutron API, but in review it was noted
that the used filter_factory is deprecated and app_factory is
suggested instead, as Akihiro commented in [1]; in [2] filter is marked
for removal.

[1]: https://review.opendev.org/724676
[2]: https://opendev.org/openstack/oslo.middleware/src/branch/master/oslo_middleware/healthcheck/__init__.py#L409

Change-Id: I28c26d3357c21483b7642958564d675cd5feaa31
2020-06-24 12:00:46 +02:00
Zuul
b1dba996b5 Merge "Remove "find" rootwrap filter" 2020-06-22 02:52:16 +00:00
Zuul
0580d03a2b Merge "Workaround for TCP checksum issue with ovs-dpdk and veth pair" 2020-06-20 18:58:11 +00:00
Rodolfo Alonso Hernandez
0c1818fbb0 Migrate "netstat" to oslo.privsep
Change-Id: If9e4c1513553c4bd10fd3b91c28c4d3f806ed816
Story: #2007686
Task: #40047
2020-06-19 14:59:11 +00:00
Rodolfo Alonso Hernandez
7143f2be1f Remove "find" rootwrap filter
This command is not used anymore.

Trivial-Fix

Change-Id: I684c58996154d14c79f5a065470ce9e34ce08670
2020-06-11 16:13:24 +00:00
Rodolfo Alonso Hernandez
e332054d63 Migrate "dhcp_release" to oslo.privsep
Story: #2007686
Task: #39976
Change-Id: I3414d06b9c6dfe549e79aab5fbe52c8f3ffd63f7
2020-06-09 09:11:31 +00:00
Alexander Vlasov
11838a2bc5 Workaround for TCP checksum issue with ovs-dpdk and veth pair
The need for this change stems from following issues:
1) When ovs_use_veth = False with ovs-dpdk issue with ovs
was observed - after vswitch restart interface is not coming up.
Meaning ovs-dpdk uses ovs internal ports and it is not able to bring
them up on restart.
2) When ovs_use_veth = True and ovs-dpdk is used, packets sent with
incorrect checksum due to the fact that ovs-dpdk does not do checksum
calculations for veth interface.

This commit allows to use second option and resolve checksum issue by
disabling checksum offload.

Closes-Bug: #1832021
Related-Bug: #1831935

Change-Id: Iecce8d2c6c2c46718cc1020c6e8f914cd4560e4b
2020-05-08 10:19:07 -05:00
Zuul
eca1ee4d76 Merge "Add a /healthcheck URL" 2020-05-03 20:26:22 +00:00
Thomas Goirand
133200014b Add a /healthcheck URL
The /healthcheck is helpful for operators to setup neutron-api
behind haproxy, or for doing monitoring.

Change-Id: I83b8c2afdd74b57184200daab54255e8cae9c27b
2020-04-30 17:27:19 +02:00
Brian Haley
4fb505891e Updates for python3.8
With the move to the Victoria job template in
https://review.opendev.org/#/c/722681/, the py37 jobs no
longer get run, so the check and gate job entries can
be removed.

Added a keepalived py38 KillFilter line to match the py36
and py37 ones.

Also updated TESTING.rst to use py38 in all examples.

Change-Id: Ief793b54d53c3239cfb24278e88e4f4189bbc2c2
2020-04-28 14:03:21 -04:00
Slawek Kaplonski
2273499155 Add rootwrap filter rule for radvd-kill script
In patch [1] support for custom kill scripts was added.
We also added rootwrap filter rules for such scripts to
kill dnsmasq, haproxy, dibbler and keepalived processes.
But we missed to add rule for radvd-kill so this patch
adds it (better late than never ;))

[1] https://review.opendev.org/#/c/661760/

Closes-Bug: #1873240

Change-Id: I8fa7176d1d9667c6b5cc95af0e31210d0f1c3662
2020-04-16 20:10:28 +00:00
Lucian Petrut
caa34c2797 Drop invalid rootwrap filters
A recent change introduced a couple of rootwrap filters that are
supposed to allow running ping within a network namespace.

Those filters will actually replace the "ip" command with "ping",
which leads to an invalid command.

Since those two filters are now superfluous, we're going to drop
them.

Change-Id: I57869c68e858503ed8d6b86506c79c289f2820e1
Closes-Bug: #1864186
2020-02-21 13:21:20 +02:00
Zuul
1f02c4cf5f Merge ""ping"/"ping6" command support in rootwrap filters" 2020-02-20 02:31:17 +00:00
Rodolfo Alonso Hernandez
22ce84ab4d Revert "Add "ncat" rootwrap filter for debug"
This reverts commit 0ef4233d891f8fa42a073901051bf0310f61eebb.

This patch is introducing a redundant filter already present in
"testing.filters". The problem described in the related bug should
be solved in https://review.opendev.org/#/c/707697/.

Related-Bug: #1862927
Related-Bug: #1863213

Change-Id: I4de37364a6fb0184230a9742daced40e4edbfb30
2020-02-14 10:11:27 +00:00
Rodolfo Alonso Hernandez
cc3b9df426 "ping"/"ping6" command support in rootwrap filters
To have correct support in rootwrap, "ping"/"ping6" command should
have the correct filters in rootwrap.

Because "ping" command is harmless, "CommandFilter" is used to allow
any binary call, regardless of the parameters used and the order.

Nevertheless, this patch also proposes to use "ping"/"ping6" with
the same parameters and a specific order, to help in the debug
process:
- ping[6] -W <timeout> <address>
- ping[6] -W <timeout> -c <count> <address>
- ping[6] -W <timeout> -c <count> -i <interval> <address>

Those commands could be called from inside a namespace. The needed
filter is also added in this patch.

Change-Id: Ie5cbc0dcc76672b26cd2605f08cfd17a30b4c905
Closes-Bug: #1863006
2020-02-13 11:58:01 +00:00
Rodolfo Alonso Hernandez
0ef4233d89 Add "ncat" rootwrap filter for debug
In [1], new tests to check "ncat" tool were added. The missing piece
of this patch was to add a new rootwrap filter to allow to execute
"ncat" binary as root and inside a namespace.

Closes-Bug: #1862927

[1] https://review.opendev.org/#/q/If8cf47a01dc353734ad07ca6cd4db7bec6c90fb6

Change-Id: I8e8e5cd8c4027cce58c7073002120d14f251463d
2020-02-12 11:43:27 +00:00
Zuul
7d5bb6d030 Merge "Remove python 3.5 from L3 rootwrap filters" 2020-01-26 23:56:06 +00:00
Zuul
4b48de8e88 Merge "Allow to kill keepalived state change monitor process" 2020-01-22 13:46:07 +00:00
Slawek Kaplonski
2f46aee345 Remove python 3.5 from L3 rootwrap filters
In L3 agent's rootwrap filters there are KillFilters
to allow killing of python processes (used to kill
neutron-keepalived-state-change-monitor script). There
was also filter for python3.5 but now Neutron supports
python3.6 and newer so python3.5 isn't needed there
anymore and this patch removes it from there.

Change-Id: I57fcc6b1c506dce9113b56ffee7d29a96fa7f251
2020-01-20 21:19:05 +01:00
Slawek Kaplonski
d6fccd247f Allow to kill keepalived state change monitor process
Usually Neutron stops neutron-keepalived-state-change-monitor process
gracefully with SIGTERM.
But in case if this will not stop process for some time, Neutron will
try to kill this process with SIGKILL (-9).
That was causing problem with rootwrap as kill filters for this process
allowed to send only "-15" to it.
Now it is possible to kill this process with "-9" too.

Change-Id: Id019fa7649bd1158f9d56e63f8dad108d0ca8c1f
Closes-bug: #1860326
2020-01-20 11:48:27 +01:00
Lucas Alvares Gomes
48ab58b46e [OVN] Change DevStack to use the local OVN driver
This patch is changing DevStack to deploy with the local OVN driver
(instead of the networking-ovn old repo).

A few tweaks were needed in the code in order to get it to work, more
precisely:

* OVN metadata configuration was pointing to some module variables that
  didn't exist.
* OVN metadata configuration generation was missing

Below is the following configuration needed in the local.conf to deploy
OVN:

[[local|localrc]]

enable_plugin neutron https://opendev.org/openstack/neutron

Q_AGENT=ovn
Q_ML2_PLUGIN_MECHANISM_DRIVERS=ovn,logger
Q_ML2_PLUGIN_TYPE_DRIVERS=local,flat,vlan,geneve
Q_ML2_TENANT_NETWORK_TYPE="geneve"

enable_service ovn-northd
enable_service ovn-controller
enable_service neutron-ovn-metadata-agent

disable_service n-net
enable_service q-svc

disable_service q-agt
disable_service q-l3
disable_service q-dhcp
disable_service q-meta

Change-Id: I0b899a33943550a53822d1d057cdee525cbbc6ec
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
2020-01-16 09:28:43 +00:00
Maciej Józefczyk
65692127f6 [OVN] Move OVN commons to neutron tree
Move OVN related commons to neutron tree.

Previous paths in networking-ovn tree:
./networking_ovn/common/constants.py -> ./neutron/common/ovn/constants.py
./networking_ovn/common/exceptions.py -> ./neutron/common/ovn/exceptions.py
./networking_ovn/common/utils.py -> ./neutron/common/ovn/utils.py
./networking_ovn/common/hash_ring_manager.py -> neutron/common/ovn/hash_ring_manager.py
./networking_ovn/common/config.py -> ./neutron/conf/plugins/ml2/drivers/ovn/ovn_conf.py

Co-Authored-By: Gal Sagie <gal.sagie@huawei.com>
Co-Authored-By: Boden R <bodenvmw@gmail.com>
Co-Authored-By: Daniel Alvarez <dalvarez@redhat.com>
Co-Authored-By: Amitabha Biswas <abiswas@us.ibm.com>
Co-Authored-By: Chandra S Vejendla <csvejend@us.ibm.com>
Co-Authored-By: Babu Shanmugam <bschanmu@redhat.com>
Co-Authored-By: Lucas Alvares Gomes <lucasagomes@gmail.com>
Co-Authored-By: Terry Wilson <twilson@redhat.com>
Co-Authored-By: Ramu Ramamurthy <ramu.ramamurthy@us.ibm.com>
Co-Authored-By: Maciej Józefczyk <mjozefcz@redhat.com>
Co-Authored-By: Gary Kotton <gkotton@vmware.com>
Co-Authored-By: Andrew Austin <aaustin@redhat.com>
Co-Authored-By: Miguel Angel Ajo <majopela@redhat.com>
Co-Authored-By: Brian Haley <bhaley@redhat.com>
Co-Authored-By: Dong Jun <dongj@dtdream.com>
Co-Authored-By: xurong00037997 <xu.rong@zte.com.cn>
Co-Authored-By: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>

Change-Id: Ib46bfdd14a150a324dbf28c6a50c839c5c824e35
Related-Blueprint: neutron-ovn-merge
2019-12-04 13:15:16 +00:00
Rodolfo Alonso Hernandez
7218873050 Set rootwrap daemon timeout for fullstack and functional tests
Set a big timeout for rootwrap daemon in functional and fullstack
tests. The value defined is 7800, the same as the Zuul jobs
timeout.

This timeout increase will prevent the daemon to close when
executing a test root command, as described in the bug. An
unexpected rootwrap daemon closure is not considered as a normal
event during the test execution.

The default value set in the configuration file is 600 seconds, the
same as daemon default value. This timeout is increased only when
OS_SUDO_TESTING=1, that means functional and fullstack tests, when
using the script "tools/deploy_rootwrap.sh".

Change-Id: I691300a4e9a7cccd8887bc8f95ba9cea32988bac
Closes-Bug: #1850558
2019-10-31 11:42:47 +00:00
Brian Haley
6842465260 Stop testing python 2
Since it's no longer supported past Train, let's stop
running the tests.

Updated docs and made some pep8 code tweaks as well.

Change-Id: I1c171ab906a3b4c66558163ad26947ebf710a276
2019-10-25 18:50:08 +00:00
Zuul
86e4f14115 Merge "Log the IPTables rules if "debug_iptables_rules"" 2019-10-19 01:56:23 +00:00
Rodolfo Alonso Hernandez
2bb241b7a2 Log the IPTables rules if "debug_iptables_rules"
If the configuration flag "debug_iptables_rules" is enabled, the
IPTables rules applied will be logged.

Similar to [1], when the IPTables firewall is enabled, it checks the
status of the following sysctl knobs:

* net.bridge.bridge-nf-call-arptables
* net.bridge.bridge-nf-call-ip6tables
* net.bridge.bridge-nf-call-iptables

In this case, the firewall is not enabling them but just checking the
status and logging it, to make the debugging process easier.

[1] https://review.opendev.org/#/c/371523/

Change-Id: I2ec953228d1d45e1d4c493c0b261901e6dbec0f7
Related-Bug: #1843259
2019-09-23 09:58:36 +00:00
Rodolfo Alonso Hernandez
be7bb4d0f5 Kill all processes running in a namespace before deletion
In "NamespaceFixture", before deleting the namespace, this patch
introduces a check to first kill all processes running on it.

Closes-Bug: #1838793

Change-Id: I27f3db33f2e7ab685523fd2d6922177d7c9cb71b
2019-08-21 09:03:54 +00:00
Adrian Chiris
f9a750fcaf Prevent providing privsep-helper paths outside /etc
This commit aligns privsep filters with other projects
e.g nova[1], cinder[2] to prevent a malicious user from
invoking privsep-helper with an arbitrary configuration file
in case it took control over an unprivileged neutron process.

[1]4f261f98e1/etc/nova/rootwrap.d/compute.filters (L23)
[2]f5feb87ab8/etc/cinder/rootwrap.d/volume.filters (L41)

Change-Id: I0b4e8cdee0cbbc46547599e176efb4420ee1b318
2019-09-23 14:59:41 +03:00
Zuul
f17d0e19ae Merge "Remove rootwrap filters for TC commands in Linux Bridge" 2019-07-09 13:43:00 +00:00
Rodolfo Alonso Hernandez
fb7185bf35 Use Pyroute2 "add_tc_qdisc" function in l3_tc_lib
Change-Id: I67ddf9d9a6bb2d9d2e8ff0b6345a0118ec37d837
Related-Bug: #1492714
2019-07-05 08:13:07 +00:00
Rodolfo Alonso Hernandez
b6cbc95dcb Use Pyroute2 "list_tc_qdiscs" function in l3_tc_lib
Change-Id: Ifdccd02411e3c3bae441fc28ab8ed09ff746993c
Related-Bug: #1492714
2019-07-05 08:11:00 +00:00
Rodolfo Alonso Hernandez
7d62308eaa Remove rootwrap filters for TC commands in Linux Bridge
All neutron.agent.linux.tc_lib TC commands, used in Linux Bridge
agent, have been implemented using Pyroute2.

Change-Id: Idcac297b204900037b22ab25a516a161f4e78224
Related-Bug: #1560963
2019-07-04 21:17:46 +00:00
Zuul
c3e611eaf1 Merge "Add kill hooks for external processes" 2019-06-05 01:09:51 +00:00
Slawek Kaplonski
93015527f0 Add kill hooks for external processes
This patch adds possibility to configure kill hooks used to kill
external processes, like dnsmasq or keepalived.

Change-Id: I29dfbedfb7167982323dcff1c4554ee780cc48db
Closes-Bug: #1825943
2019-06-03 14:39:51 +02:00
Harald Jensås
afff649a39 Notify ironic on port status changes
This patch adds an ironic notifier that sends notifications
to ironic endpoint /v1/events. The events are triggered by
port updates and deletions. Only ports with vnic_type
baremetal are honored.

Story: 1304673
Task: 22263
Closes-Bug: #1828367
Implements: blueprint event-notifier-ironic
Authored-By: Vasyl Saienko <vsaienko@mirantis.com>
Co-Authored-By: Harald Jensås <hjensas@redhat.com>
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: I0bb3187a88a7f20adb8c60e24945db159afb83f1
2019-05-27 13:38:42 +02:00
Slawek Kaplonski
4597dfc136 Add RHEL8 platform-python to the L3 rootwrap filters
In L3 rootwrap filters we have filter to kill
neutron-keepalived-state-change process.
As this process is run under python, in commit [1] we added
KillFilter rules to allow kill various Python processes.

In RHEL8 there are "system" and "user" python versions provided.
It is called "platform-python" and is placed in /usr/libexec dir.
Details about it are in [2].

So this patch adds to neutron-keepalived-state-change Kill filters also
/usr/libexec/platform-python and /usr/libexec/platform-python3.6 to
allow killing this process on RHEL8 based OS.

[1] https://review.opendev.org/#/c/636710/
[2] https://developers.redhat.com/blog/2018/11/14/python-in-rhel-8/

Change-Id: Iafdaf2c1a6e5c1f5de856ff99e04c72c911c5123
2019-05-17 10:15:45 +02:00
Miguel Lavalle
25c432a05a Add rootwrap filters to kill state change monitor
When deleting HA routers, the keepalived state change monitor has to be
deleted. This patch adds rootwrap filters to allow deleting the state
change monitor.

Change-Id: Icfb208d9b51eaa41cf01af81f1ede7420a19cc93
Partial-Bug: #1795870
Partial-Bug: #1789434
2019-03-13 07:40:15 -07:00
Ben Nemec
1cf30c552d Add oslo.privsep to config-generator list
We recently exposed the privsep opts for config generator use, so
projects that depend on oslo.privsep should include them in their
sample configs.

Change-Id: Ibaef2e2848855cd8ef987ec58457220911ad7c69
2019-03-01 16:54:20 +00:00
Brian Haley
3d70272f42 Rename README.policy.json.txt
README.policy.yaml.txt is a more appropriate name since
policy.json does not exist any more.

Change-Id: I89a425cb1552f8f6bc81d54f376b5e80bf71c1cc
2019-01-07 12:45:15 -05:00
Akihiro Motoki
f8984c6699 Convert policy.json into policy-in-code
This commit introduces a framework for policy-in-code support
in the neutron stadium and converts the existing policy.json
in the neutron repository into the policy-in-code style.

NOTES:
1) This commit tries not to change the existing policy behavior
provided by the neutron repository even if there are some stale policies
or policies to be defined in a neutron-related project.
They should be cleaned up later in Stein release.

2) 'default' policy should be dropped from the default policies
as all default policies should be defined in the code (as many projects
which already completed policy-in-code do). However, dropping 'default'
policy potentially affects policy behavior in neutron-related projects,
so it needs to be visited carefully. Considering this, this commit decides
to keep the 'default' policy.

Partially Implements: blueprint neutron-policy-in-code
Change-Id: I6a61079da4d4f5080ee32d640144e6bdb14735fa
2018-12-13 20:37:53 +00:00
Goutham Pratapa
31be154657 Add get_availability_zone rule to policy.json
"neutron availability-zone-list" checks for "get_availability_zone" rule
and policy.json doesn't contain it so adding it now.

Change-Id: I7e5e706c44136e0b565f3ee18e15f1166d82040d
2018-11-21 16:33:30 +05:30
Hongbin Lu
4e3fb31919 Introduce floating IP pool resource
Add support for listing floating ip pools (subnets).
A new API resource ``floatingip-pools`` is introduced.
This API endpoint can return a list of floating ip pools
which are essentially mappings between network UUIDs and
subnet CIDRs. Users can use this API to find out the pool
to create the floating IPs.

Related patches:
* neutron-lib: https://review.openstack.org/#/c/556674/
* tempest-plugin: https://review.openstack.org/#/c/562038/

APIImpact add floatingip pools api
Change-Id: Iaa995630645042520df67d95271e14f11ffcff8c
Partial-Bug: #1653932
2018-10-04 15:53:53 +00:00
Zuul
e59013b9e8 Merge "Remove _migrate_python_ns_metadata_proxy_if_needed method" 2018-08-21 21:21:50 +00:00
Zuul
bc79f04613 Merge "Add delete rule for auto_allocated_topology" 2018-08-11 23:13:58 +00:00
Zuul
41f36fb9f4 Merge "Add osprofiler to api-paste pipeline" 2018-08-11 12:45:52 +00:00
Slawek Kaplonski
f046031456 Remove _migrate_python_ns_metadata_proxy_if_needed method
It was added as temporary helper during migration process
and was marked to delete in Queens cycle.
Now we are in Rocky so I think we are fine to remove it
finally.

Change-Id: Iacf592841559d392b59864d507dc89ef028cbf05
2018-08-04 09:53:00 +02:00
Mykola Yakovliev
9caf87bb0c Add delete rule for auto_allocated_topology
This patchset updates policy.json to cover delete action for
auto_allocated_topology introduced in Neutron API [0].

[0] https://developer.openstack.org/api-ref/network/v2/index.html#delete-the-auto-allocated-topology

Closes-bug: #1785349
Change-Id: If7b5c3262370057e6b40d96967d355cd0ee7e2d3
2018-08-04 00:45:51 +00:00
ZhaoBo
35d945e92f Add ext_parent policy check
Add common parent owner check for the resources which are introduced by
service plugin.

Then port forwarding resource will share the same tenant_id with
floatingip. That means only the fip owner can create/update/get/delete
the associated port forwarding resource.

Partially-Implements: blueprint port-forwarding
Partial-Bug: #1491317
Change-Id: I450c674e55ca15e1d9a6a6224138f3305427da68
2018-08-01 02:45:42 +08:00