Ann Kamyshnikova [Fri, 12 Dec 2014 12:30:06 +0000 (15:30 +0300)]
Default security group table
This change prevents the race condition by enforcing a single default
security group via new table default_security_group. It has tenant_id
as primary key and security_group_id, which is id of default
security group. Migration that introduces this table has sanity check that
verifies that there is no duplicate default security group in any
tenant.
This idea has come up from discussion in comments to
https://review.openstack.org/135006
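As an added illustration (not Neutron's own code) of why a tenant_id primary key closes the race: two callers that both observe "no default group" can both try to create one, and the database rejects the loser. A stand-in schema in SQLite with constructed data is assumed.

```python
import sqlite3
import uuid

# Constructed stand-in for the tables involved; the real Neutron schema has more columns.
SCHEMA = """
CREATE TABLE securitygroups (id TEXT PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT NOT NULL);
CREATE TABLE default_security_group (
    tenant_id TEXT PRIMARY KEY,
    security_group_id TEXT NOT NULL REFERENCES securitygroups(id)
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def ensure_default_sg(conn, tenant_id):
    """Return the tenant's default security group id, creating it if absent.

    Both inserts run in one transaction. If another caller already claimed
    tenant_id in default_security_group, the primary key rejects the second
    row, the transaction rolls back (discarding the extra group) and the
    loser simply returns the winner's id.
    """
    sg_id = str(uuid.uuid4())
    try:
        with conn:
            conn.execute("INSERT INTO securitygroups VALUES (?, ?, 'default')",
                         (sg_id, tenant_id))
            conn.execute("INSERT INTO default_security_group VALUES (?, ?)",
                         (tenant_id, sg_id))
        return sg_id
    except sqlite3.IntegrityError:
        row = conn.execute(
            "SELECT security_group_id FROM default_security_group WHERE tenant_id = ?",
            (tenant_id,)).fetchone()
        return row[0]


def duplicate_defaults(conn):
    """The migration's sanity check: tenants that already hold more than one default group."""
    return [r[0] for r in conn.execute(
        "SELECT tenant_id FROM securitygroups WHERE name = 'default' "
        "GROUP BY tenant_id HAVING COUNT(*) > 1 ORDER BY tenant_id")]
```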
Do not check twice IP allocations for auto-address subnets
For auto-address subnets such as those with SLAAC and DHCP_STATELESS
address modes it is ok to delete them even when there are active IP
allocations.
The current logic might trigger unexpected 409 errors if IP
allocations are made on these subnets concurrently with their
deletion.
This patch simply ensures the final check for active IP allocations is
not performed for this class of subnets; since all IP allocations will
be removed anyway, it does not make sense to check whether there are
allocations at all. In fact, doing this check might cause a failure
of the delete operation if an IP allocation is made concurrently.
This patch also factors out the logic for checking whether there are
IP allocations on the subnet to avoid code duplication.
Carl Baldwin [Wed, 28 Jan 2015 17:50:31 +0000 (17:50 +0000)]
Make the interface driver available to the router classes
Ultimately, it will only be the routers that need access to the
interface driver and the agent won't need to use it for anything.
However, it still makes sense for the agent to initialize it once and
pass it to each of the routers as they're created.
Multiple patches with multiple authors will be created to depend on
this addition.
Carl Baldwin [Tue, 20 Jan 2015 16:48:47 +0000 (16:48 +0000)]
Make agent config available to the router classes
Since the agent and the routers are all configured in the same config
file, the routers are going to need access to the agent's config.
This work will support multiple future patches.
Yoni Shafrir [Mon, 26 Jan 2015 07:32:55 +0000 (09:32 +0200)]
Allow 'max_l3_agents_per_router' to be set to '0'
Currently the field 'max_l3_agents_per_router' from
'neutron.conf' cannot be set to '0' even though the comments
and code indicate it is supported. The value
means an 'unlimited' number of agents per router is allowed on HA routers.
This patch adds special handling for this value when validating
the config. When a value of '0' is used, the further validation
of the max value is skipped.
Kyle Mestery [Mon, 26 Jan 2015 15:12:31 +0000 (15:12 +0000)]
Add abandon script from nova
This adds the abandon_old_reviews.sh from the nova repository into
Neutron. This is handy for cleaning up the neutron review queues
by abandoning stale reviews stuck in the queue with a helpful
message.
Miguel Angel Ajo [Tue, 27 Jan 2015 11:52:30 +0000 (11:52 +0000)]
Refactor the ProcessMonitor _exit_handler to ProcessMonitor
We allowed providing a specific _exit_handler, but in
the end all the implementations are providing the same
one. So, now it's refactored back to the monitor, and
any YAGNI code is removed.
Lucian Petrut [Mon, 26 Jan 2015 18:58:18 +0000 (20:58 +0200)]
Fixes Hyper-V agent root_helper issue
This patch I2aaa55e8e539e47427e56b4da42321cfcfcde622 introduced a
reference to the root_helper config option in the Hyper-V Neutron
agent without it being registered. For this reason,
the Hyper-V Neutron agent fails to start.
As the root helper is not used by the Hyper-V Neutron agent,
all the occurrences within the agent can be safely removed.
Terry Wilson [Tue, 23 Dec 2014 20:49:15 +0000 (13:49 -0700)]
Add OVSDB abstract API
Abstract all existing run_vsctl calls to an abstract OVSDB API.
This will allow the future addition of a native OVSDB protocol
implementation of the API without breaking backward compatibility.
Jakub Libosvar [Fri, 3 Oct 2014 16:31:10 +0000 (18:31 +0200)]
Add functional tests for IptablesManager using tcp/udp
This commit adds tests for filter table using tcp and udp protocols.
Part of it is a NetcatTester class providing ability to test connection
between two veth pairs in namespaces.
Ihar Hrachyshka [Tue, 20 Jan 2015 14:18:36 +0000 (15:18 +0100)]
dhcp: move dnsmasq version check to sanity_check
We should avoid checking version numbers in runtime. In that way, we may
break some existing setups by minimal version bumps that are often not
critical for operation. One example is a recent version bump to support
IPv6 DHCP stateful address assignment mode. Even though old dnsmasq
version made this particular mode to fail to assign addresses to
instances, other IPv6 modes, and, even more importantly, all IPv4
networks continued to operate with no issues.
So let's move the fatal check from DHCP agent into sanity_check tool to
avoid potential breakages on neutron update.
In an ideal world, we would make the check smarter. Since the current version
cap is due to missing hwaddr matching for IPv6 clients for old dnsmasq
versions, we could preconfigure and start up a dnsmasq server in a
namespace, and request an IPv6 lease from it. That would require a DHCP
IPv6 client installed though, and I'm not sure we can always expect it
to be present, so leaving it as-is for now.
Since DHCP drivers are pluggable, we cannot drop check_version method
from DhcpBase to support other drivers that may live in the wild.
Note: we could mark the method as deprecated if we really want to get
rid of it.
Russell Bryant [Fri, 23 Jan 2015 18:52:10 +0000 (13:52 -0500)]
Use DVRServerRpcApi instead of a mixin
Replace DVRServerRpcApiMixin with a standalone rpc client class,
DVRServerRpcApi. Also convert the one user of this code (the ovs
agent) to use it. This is a prerequisite to being able to put this
rpc interface into a messaging namespace.
Russell Bryant [Thu, 22 Jan 2015 20:03:19 +0000 (15:03 -0500)]
Scope secgroup rpc api using a messaging namespace
This patch scopes the agent to plugin security group rpc interface
using a messaging namespace. Right now some plugins expose several
interfaces via the default namespace. This effectively means they are
a single API and should be managed with a single version stream. It's
much more manageable to just treat these as separate interfaces and
this change makes that explicit and functionally true. Now when a
method is invoked, the only classes considered for handling that
request will be ones marked with the right namespace.
Russell Bryant [Thu, 22 Jan 2015 15:18:17 +0000 (10:18 -0500)]
Add and use SecurityGroupAgentRpc
Add a new class, SecurityGroupAgentRpc, which is based on
SecurityGroupAgentRpcMixin. Most uses of SecurityGroupAgentRpcMixin
follow the same pattern, so this class makes it possible to cut
down on some duplicated code.
Make use of SecurityGroupAgentRpc in: linuxbridge, openvswitch, mlnx,
nec, ofagent, oneconvergence, sriovnicagent, bigswitch, and hyperv.
Ihar Hrachyshka [Sat, 17 Jan 2015 12:57:21 +0000 (13:57 +0100)]
tests: don't spread fixtures.TempDir throughout test cases
Instead, provide self.get_temp_file_path() utility method for tests
interested in creating temporary files.
There are also cases when tests are interested in multiple separate
temporary directories. With this in mind, self.get_temp_file_path()
supports a root= argument that allows passing a different temporary
directory fixture than the default.
While at it, consolidated cleanup setup for NEC temporary file in single
place.
Mike Kolesnik [Mon, 8 Dec 2014 08:03:05 +0000 (10:03 +0200)]
Extract l2pop/DVR controller logic to common method
Regular ports and DVR ports are treated almost the same, so extract the
l2pop logic that treats them into a unified method that gets an argument
indicating whether the FDB entries are needed or not, in order to reduce
code duplication.
YAMAMOTO Takashi [Fri, 21 Nov 2014 05:16:03 +0000 (14:16 +0900)]
attributes: Additional IP address validation
Introduce an additional IP address validation instead of assuming
that netaddr provides it. Namely, it ensures that an address
either has ':' (IPv6) or 3 periods like 'xx.xx.xx.xx' (IPv4).
The "'1' * 59" test case recently introduced by
commit 1681f62ec91b6c3705a14393815542dc1746de71 fails on
some platforms because it's considered a valid address by
their inet_aton. Examples of such platforms: NetBSD, OS X
While one might argue it's a fault of the platforms, this is
a historical behavior which is probably too late to change there.
(The breakage has been hidden by later UT changes in
commit 35662d07628452d14306f5197871ad64f6396ff3 .
This commit includes a UT change to uncover the problem again.)
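An added example (not Neutron's code) of the shape check described above, layered in front of the platform parser: the ':' / three-periods test runs first, so inputs a lenient inet_aton would accept ('1' * 59, or shorthand forms such as '127.1') are rejected the same way on every platform. The error-string-or-None return convention is assumed here.

```python
import socket


def _validate_ip_address(data):
    """Return None if data is a valid IP address, else an error message."""
    if not isinstance(data, str):
        return "'%s' is not a valid IP address" % (data,)
    if ':' in data:
        # IPv6: inet_pton is strict on every platform.
        parser = lambda s: socket.inet_pton(socket.AF_INET6, s)
    elif data.count('.') == 3:
        # IPv4: only a dotted quad reaches inet_aton, so the historical
        # 1-, 2- and 3-part numeric forms some platforms accept never get
        # a chance to pass.
        parser = socket.inet_aton
    else:
        return "'%s' is not a valid IP address" % (data,)
    try:
        parser(data)
    except (OSError, ValueError):
        return "'%s' is not a valid IP address" % (data,)
    return None
```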
Assaf Muller [Thu, 18 Dec 2014 14:25:54 +0000 (16:25 +0200)]
Configure IPv6 LLADDR only on master L3 HA instance
HA standby routers must never transmit traffic from
any of their ports. This is because we allocate the same
port on all agents. For example, for a given external interface,
we place the same port with the same IP/MAC on every agent
the HA router is scheduled on. Thus, if a standby router
transmits data out of that interface, the physical switches
in the datacenter will re-learn the MAC address of the external
port, and place it on a port that's looking at a standby and
not at the master. This causes 100% packet loss for any incoming
traffic that should be going through the master instance of the
router.
Keepalived manages addresses on the router interfaces, and makes
sure that these addresses only live on the master. However, we
forgot about IPv6 link local addresses. They are generated
from the MAC address of the interface, and thus are identical on
all agents.
This patch tries to treat IPv6 link local addresses the same
as IPv4 addresses - define them as VIPs and let keepalived
move them around.
Elena Ezhova [Tue, 20 Jan 2015 16:19:43 +0000 (19:19 +0300)]
Add index on db "allocated" columns
ml2_vxlan_allocations, ml2_gre_allocations, ml2_vlan_allocations tables
have the 'allocated' field.
There are a lot of similar queries to these tables which look
like the following:
SELECT ml2_vxlan_allocations.vxlan_vni
AS ml2_vxlan_allocations_vxlan_vni,
ml2_vxlan_allocations.allocated
AS ml2_vxlan_allocations_allocated
FROM ml2_vxlan_allocations
WHERE ml2_vxlan_allocations.allocated = 0 LIMIT 1;
Performing such selects can take quite a lot of time and if a transaction
which performs allocation is executed in parallel, it can lead to
allocation failure and retry.
Adding an index on the "allocated" column significantly improves
the performance. For the ml2_vlan_allocations table, an index was
created on (physical_network, allocated) together.
Example for MySQL for execution of query
select * from ml2_vxlan_allocations where allocated = 0;
when on the table with ~3 mln entries, ~500K of which
have allocated = 0:
+-------------------------+----------------------+
| No index on "allocated" | Index on "allocated" |
+-------------------------+----------------------+
| 2.02 sec                | 0.43 sec             |
+-------------------------+----------------------+
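To see the effect of the index on the query above without a MySQL instance, here is an added example (not the Neutron migration) using a stand-in ml2_vxlan_allocations table in SQLite with constructed rows: EXPLAIN QUERY PLAN shows a full table scan before the index and an index lookup after it. The index name is assumed.

```python
import sqlite3

QUERY = ("SELECT vxlan_vni, allocated FROM ml2_vxlan_allocations "
         "WHERE allocated = 0 LIMIT 1")


def make_table(rows=1000, free_every=6):
    """Constructed data: every free_every-th VNI is unallocated, the rest are taken."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ml2_vxlan_allocations "
                 "(vxlan_vni INTEGER PRIMARY KEY, allocated BOOLEAN NOT NULL)")
    conn.executemany(
        "INSERT INTO ml2_vxlan_allocations VALUES (?, ?)",
        ((vni, 0 if vni % free_every == 0 else 1) for vni in range(1, rows + 1)))
    conn.commit()
    return conn


def query_plan(conn):
    """Join the planner's description of how QUERY will run (last column is the detail)."""
    return " ".join(row[-1] for row in conn.execute("EXPLAIN QUERY PLAN " + QUERY))


def add_allocated_index(conn):
    # Same shape as the change above: a single-column index on "allocated".
    conn.execute("CREATE INDEX ix_ml2_vxlan_allocations_allocated "
                 "ON ml2_vxlan_allocations (allocated)")
    conn.commit()


def first_free_vni(conn):
    return conn.execute(QUERY).fetchone()[0]
```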
Ihar Hrachyshka [Wed, 21 Jan 2015 15:44:06 +0000 (16:44 +0100)]
pep8: cleaned up excludes
Don't over-exclude files from pep8 automation. Specifically, tools/*
should maintain common Python style as any other Neutron code.
Don't exclude every single dot-file/dot-dir separately but instead
apply .* wildcard.
Drop rally-scenarios exclusion. First, the directory is now rally-jobs,
so exclusion didn't work. Second, it's better to also apply pep8 checks
for those files (there are some Python files inside the directory).
Miguel Angel Ajo [Thu, 21 Aug 2014 10:53:05 +0000 (12:53 +0200)]
Implements ProcessMonitor in the dhcp_agent
The ProcessMonitor class will watch over spawned external processes,
taking the administrator-configured action in case any
of the external processes die unexpectedly.
It covers both the neutron-ns-metadata-proxy for isolated metadata
and dnsmasq in the dnsmasq driver.
ProcessMonitor has been extended to allow specific pid files
for backwards-compatible dnsmasq pid file location.
Sachi King [Mon, 8 Dec 2014 06:42:48 +0000 (17:42 +1100)]
If router is HA, get current_cidrs from keepalived object
When using L3 HA and keepalived, neutron is no longer directly managing
the floating IP addresses itself. Neutron should not check against
which addresses are currently configured on the system, but the
addresses the keepalived object has configured.
Miguel Angel Ajo [Thu, 22 Jan 2015 14:17:30 +0000 (14:17 +0000)]
Move process monitor settings to neutron.conf AGENT section
Instead of defining specific settings on each agent configuration
file for later patches in the series, we provide a single
point of configuration in the AGENT section of the neutron.conf
file, which could yet be overridden per agent config file if needed.
Russell Bryant [Wed, 21 Jan 2015 21:39:37 +0000 (16:39 -0500)]
Drop SecurityGroupServerRpcApiMixin
The code base has now been migrated away from using this class, so it
can be removed. This was a prerequisite to being able to put this rpc
api into a messaging namespace.
Russell Bryant [Wed, 21 Jan 2015 20:57:31 +0000 (15:57 -0500)]
sriovnicagent: drop usage of SecurityGroupServerRpcApiMixin
Drop usage of SecurityGroupServerRpcApiMixin in sriovnicagent.
This is required to be able to eventually move this API into
a messaging namespace. It needs to use its own messaging client
instance, instead of a different one it gets after being used as
a mixin.
This patch separates the use of SecurityGroupAgentRpcMixin out to its
own class. This matches most of the rest of the code base. This
separation is needed to be able to eventually move this rpc API into
its own messaging namespace. Now that it's separate, a future change
can pass the new class an instance of SecurityGroupServerRpcApi
instead of assuming that the PluginApi instance includes
SecurityGroupServerRpcApiMixin.