This reverts commit: b83fedbd78a441cf34d53dba35a3ccff7d8f4ac5.

Since port is set to dead by default after the commits of:
7aae31c9f9ed938760ca0be3c461826b598c7004
0ddca284542aed89df4a22607a2da03f193f083c
And we add the local vlan tag to the port right after it is
bound to avoid trunk port flood issue:
c63ebef2d58e15f4388cf064066f77b503a2f841
So that _add_port_tag_info function is not necessary anymore,
and we will save a large OVSDB read action which is dumping
the entire table of Port, for hosts with a huge number of
ports this is time-consuming. So removed it.

Related-Bug: #1968896
Related-Bug: #1952567
Change-Id: Iefd765d497c7e2d4bb093052478185125b907025

Port admin state down will add 4095 tag to it while
it is adding a drop flow for this ofport.
When port is back UP again, remove the drop flow.

Closes-bug: #1968896
Change-Id: Ie8f67def69ae0e5d425d0e6fc43e35373a96bd88

Before this patch, when migrating from ML2/OVS to ML2/OVN, we
removed the VIF details that are not used by OVN. However, this
changes how the VIFs are plugged if the hybrid iptables firewall
was used.

In order to not break the migration, we want to keep whatever
plugging was used in ML2/OVS. For this reason, this patch is
leaving the VIF details untouched.

The consequence is that, after migration, whatever workloads
used the hybrid plugging will remain like that. Newly created
VIFs will be plugged to the OVS bridge directly. As a result,
the migration to OVN won't require moving to the OVS firewall
first while in ML2/OVS.

This patch is also removing the constraint that prevented the
migration if the hybrid firewall was used.

Signed-off-by: Daniel Alvarez Sanchez <dalvarez@redhat.com>
Change-Id: Iad4fae7af54cc502ac0ba02a911cdd4fefa13535

After the monitor_cond_since/update3 support patch in ovs
(46d44cf3be0), directly setting table.condition is broken. This
isn't something that was ever truly supported. Prior to that
patch, using Idl.cond_change() before a connection was made
did not work, but after that patch it does.

This patch uses the old behavior when the OVS library does not
have the ConditionState object, and uses cond_change() otherwise.

Related-Bug: #1965819
Change-Id: I0503037b803a3c99fb7988bc20394c111ac456db

If an "ovn-controller" does not end gracefully, the node "Chassis" and
"Chassis_Private" registers will remain in the OVN SB database.
Because there is no mandatory procedure to delete the "Chassis"
and "Chassis_Private" registers, the administrator can manually
delete, from the OVN SB database, any register in any order.

If the "Chassis" register is deleted and the Neutron server restarted,
the updated "Chassis_Private" register will be read from the database.
That won't contain the "Chassis" information as this register has been
deleted. In this case, the ``NeutronAgent`` returns ``DeletedChassis``,
an empty chassis register with no information.

NOTE: the sequence of actions ("Chassis" register deletion, Neutron
server restart) must be followed to reproduce this issue. If the
"Chassis" register is deleted, the Neutron server OVN agent local cache
won't update the stored information and will keep the previous value.
It is when the Neutron server is restarted that the OVN agent local
cache is retrieved again; at this time the "Chassis_Private" register
won't have any related "Chassis" register.

Closes-Bug: #1951149
Change-Id: I17aa53cea6aba8ea83187c99102a6f25fd33cfff

In the DHCP agent, if an exception is raised during the driver call,
"DhcpAgent.schedule_resync" is called. Before this patch, the
exception instance was passed instead of a string. This instance
reference was stored in the dictionary "needs_resync_reasons" and
used in "_periodic_resync_helper" to resync the DHCP agent
information.

The call to "sync_state" passed the dictionary ".keys()" method. In
python2.7 when that was implemented, this method was creating a list
with the dictionary keys. In python3, this method is a generator
that holds the dictionary content.

This patch breaks this reference chain in two points (actually only
one is needed):
- "sync_state" now passes a list created from the mentioned generator.
- The dictionary "needs_resync_reasons" now stores the exception
  strings only, instead of the exception instance.

Closes-Bug: #1969270
Change-Id: I07e9818021283d321fc32066be7e0f8e2b81e639

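
The two links of the reference chain described in the commit message above, as an added example that is not part of the Neutron change: a stored exception instance keeps the failing frame's locals reachable through its traceback, and the object returned by ".keys()" in Python 3 keeps the dictionary itself reachable. All names here (Payload, TrackedDict, the functions, "net-1") are hypothetical.

```python
import gc
import weakref


class Payload:
    """Stands in for a large object local to the failing driver call."""


class TrackedDict(dict):
    """dict subclass so a weak reference can observe its lifetime."""


def failing_driver_call(probes):
    big = Payload()                      # local of the frame that raises
    probes.append(weakref.ref(big))
    raise RuntimeError("driver call failed")


def frame_local_survives(store_instance):
    """Record a resync reason as the exception instance or as its string,
    then report whether the failing frame's local is still reachable."""
    reasons, probes = {}, []
    try:
        failing_driver_call(probes)
    except RuntimeError as exc:
        # The instance carries __traceback__, which references the frames.
        reasons["net-1"] = exc if store_instance else str(exc)
    gc.collect()
    return probes[0]() is not None


def dict_survives(pass_view):
    """Hand the consumer either the keys view or a list copy, drop the
    producer's own reference, and report whether the dict is still alive."""
    d = TrackedDict({"net-1": "reason"})
    probe = weakref.ref(d)
    handed_over = d.keys() if pass_view else list(d.keys())
    del d
    gc.collect()
    return probe() is not None, list(handed_over)
```
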
Importing some modules leads to registering config options that may
collide with config options from a project that calls the import. This
patch wraps the side effect that registers config options into a
function that needs to be called in case the caller wants to register
the options.

This solution is also not perfect as it guards the common options to be
registered only once even if the function is called multiple times. This
is to solve problems in unittests, ideally we should always call the
function just once even in our testing suites.

Resolves-Bug: #1968606
Change-Id: Ic1532eb8de887ff1b1085206df11f53e22f7f524
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>

In the policy_enforcement module, if policy.enforce() raises a
PolicyNotAuthorized exception, there is an additional check of whether
the user is trying to modify their own or someone else's resource. In
the case where the user is not even allowed to show the resource, error
404 is raised to "hide" any information about the requested resource.

But that was also the case for POST (create resource) requests, and a 404
error when the user is trying to e.g. create a network is confusing.

So this patch modifies that logic and in case of "create_" actions it
will return 403 if the user was not authorized to do such an operation.

Closes-Bug: #1965294
Change-Id: I80b0616c335134a564361137b2a00ff86dcbdf1c

This patch should finally complete phase 1 of Secure RBAC community
goal [1] where it was agreed that there will be just 4 personas:

* ADMIN
* PROJECT_ADMIN
* PROJECT_MEMBER
* PROJECT_READER

System scope personas will be added in the next phases of the community
goal.

To complete phase 1 in Neutron, this patch removes hardcoded system scope
from the check strings in system scope personas - that way it can be
controlled by the config option and enforced by oslo_policy only when
enabled.

It also skips all SYSTEM_MEMBER and SYSTEM_READER related unit tests. We
can re-enable them in the future when we have those personas
working in Neutron.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1

Change-Id: Iafa8ec1d9710ff404450ad0a64baf56a0f993756

This will help in troubleshooting failures related to high
memory or cpu usage.

Related-Bug: #1966394
Change-Id: I74b0d53bfc54b71d3e8b2d46739a944e5f5a6b6f

security_groups_db._check_security_group is supposed to check the
security_group_id of the _create_security_group_rule payload.

When using an integer e.g. 0, as security_group_id, the check
succeeds because mysql accepts the following query:

    SELECT * FROM securitygroups WHERE id in (0)

Forcing validation of security_group_id as uuid fixes the problem.

Closes-Bug: #1968343
Change-Id: I7c36b09309c1ef66608afacfb281b6f4b06ea5b8

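
Why an integer 0 can pass an existence check against a string id column, and what strict validation looks like, as an added example that is not the Neutron code. It assumes a simplified model of MySQL's string-to-number coercion (a numeric operand makes the comparison numeric, and a string with no leading digits evaluates to 0); the rows and all function names are constructed for illustration.

```python
import re
import uuid

# Constructed rows standing in for the securitygroups table (ids are made up).
ROWS = ["a3f1c2d4-0b5e-4c6f-8a7b-9c0d1e2f3a4b",
        "7b2e9f10-1c3d-4e5f-9a6b-0c1d2e3f4a5b"]

_NUM_PREFIX = re.compile(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def mysql_numeric_value(text):
    """Simplified model of MySQL's string-to-number coercion: the leading
    numeric prefix is used, and a string with none evaluates to 0."""
    m = _NUM_PREFIX.match(text)
    return float(m.group(0)) if m else 0.0


def coerced_lookup(value):
    """Model of `WHERE id IN (value)`: a numeric operand makes the
    comparison numeric, so each stored id is coerced before comparing."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return [r for r in ROWS if mysql_numeric_value(r) == value]
    return [r for r in ROWS if r == value]


def validate_security_group_id(value):
    """Accept only a string in canonical UUID form; reject everything else."""
    if not isinstance(value, str):
        raise ValueError("security_group_id must be a UUID string")
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        raise ValueError("security_group_id must be a UUID string") from None
    if str(parsed) != value.lower():
        raise ValueError("security_group_id must be a canonical UUID")
    return value


def checked_lookup(value):
    """Validate first, so only a real UUID string ever reaches the query."""
    return coerced_lookup(validate_security_group_id(value))
```
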
The parameter "data" passed to the method "ha_state_change" is not
a router but a dictionary with "router_id" info.

The method "NDPProxyAgentExtension._process_router" requires the
router ID and the "enable_ndp_proxy" value, stored in the agent
router cache.

Closes-Bug: #1967839
Related-Bug: #1877301
Change-Id: Iab163e69f7e3641e2e1a451374231b6ccfa74c3e

The goal of this patch is to make the Neutron code compliant
with SQLAlchemy 2.0.

All SQL transactions must be executed inside an explicit
writer/reader context. SQLAlchemy no longer will create an
implicit transaction if the session has no active transaction.

A warning message, only available in debug mode, is added. When
an ORM session calls "do_orm_execute", if there is no active
transaction, a warning message with a traceback will be logged
to help to debug the regression introduced.

Related-Bug: #1964575
Change-Id: I3da37fee205b8d67d10673075b9130147d9eab5f

[1] changed the signature of set_device_rate to be aligned with how
pyroute2 expects rate parameters, some method which calls
set_device_rate needs to be changed also to use the new dict format for
calling it.

[1]: https://review.opendev.org/q/Ibbb6d938355440c42850812e368224b76b1fce19

Related-Bug: #1962844
Closes-Bug: #1968206
Change-Id: I7256747f45308b011edbb0f8c802439ea277423d

Based on discussions during the Zed PTG (see [1]) mark Prefix Delegation
as experimental.

Add warning to cfg option ipv6_pd_enabled and to IPv6 documentation's
PD section that the feature has low test coverage, and dibbler is
concluded (the tool used for notifying Neutron that a prefix was changed)
see: [2].

[1]: https://etherpad.opendev.org/p/neutron-zed-ptg#L208
[2]: https://github.com/tomaszmrugalski/dibbler#project-status

Related-Bug: #1916428
Change-Id: Ia712eb6f5b6f947aeab89ba7c018771eb4104e37

Those jobs from periodic pipeline were run on CentOS Stream 8
so far but let's switch them to new CentOS Stream 9.

Change-Id: I9d87d1c6d2c5415a4bd602cb6968db4d155f15e1