Disable port creation when invalid MAC address is provided
When a port is manually created with an invalid mac address like
'00:00:00:00:00:00' and associated to neutron router, we see an
exception in L3-agent logs. Since we do not have any valid use-case
to have a port with a mac_address of all zeros, this patch disables
the corresponding port creation/updation request.
Along with all zeros MAC, validation aganist broadcast MAC is also
included in this patch.
Enforce specific order for firewall.(un)filtered_ports and devices
Lots of tests in the file rely on specific order of devices and ports
with which they are iterated thru inside firewall implementation. This
is needed to match a regexp against iptables output generated by the
firewall driver.
In production code, those .(un)filtered_ports dictionaries are
unordered, and it would be not wise to enforce the order for them just
for the sake of those unit tests.
Instead, we 'patch' the agent firewall with ordered versions of dict for
those attributes.
Also enforce specific order for device_info dictionaries we pass into
firewall.
The failure was easily reproducible with PYTHONHASHSEED=111, and after
the fix, it's gone.
While at it, stop making assumptions about stable order of dict.values()
between multiple dictionaries with the same keys. It may actually work
for now, but it seems fragile. Overall simplified regex construction
code a bit, f.e. killing some dead or redundant code.
Dan Prince [Thu, 9 Jul 2015 19:31:13 +0000 (15:31 -0400)]
get_vif_ports: ignore non-Interface ports
This patch updates get_vif_ports so that it skips
ports which aren't in the 'Interfaces' table.
This fixes an issue where neutron-ovs-cleanup would
fail if any sort of OVS bond was on the bridge getting
cleaned up. This is because bonds don't have the same
attributes as ports, and thus fail subsequent ovs-vsctl
queries.
Wei Wang [Thu, 25 Sep 2014 09:49:59 +0000 (17:49 +0800)]
Fix duplicate entry catch for allowed address pairs
If None is submitted as a MAC address in an allowed_address_pair,
the port MAC will be used. So if two entries are submitted with the
same IP and one's MAC is None while the others is the port's MAC,
they will pass the API duplication check and fail to insert into the DB
due to a unique constraint violation.
This patch catches the db error and turns it into the same exception
the API uses on duplicate entries.
The new version of mock is now released which has the fix to
make mock.patch.stopall behave deterministically. The code to
stop double-mocking is no longer required.
Other fixes:
'assert_has_calls' that have changed behavior in the new version
(no longer accepts single calls).
Calls to non-existent assert methods that did not exist and were
silently passing.
Use of autospec on a class with decorated functions.
Arista ML2 Mech driver for VLANs presently does
not filter out non-vlan type networks (e.g vxlan).
This fix will simply ignore the request if a
non-vlan based network request is seen.
Sean M. Collins [Fri, 26 Jun 2015 17:14:41 +0000 (11:14 -0600)]
Make IPAM more pythonic
__init__.py is usually an empty file, or contains platform specific
code to make the package function. One more use is to have __init__.py
contain import statements, to import functions and classes, for convenience.
get_snat_candidates() is about DVR routers scheduling and hence
should be a method of L3_DVRsch_db_mixin.
This commit does not modify anything, just moves.
Pavel Bondar [Wed, 4 Feb 2015 13:13:28 +0000 (16:13 +0300)]
Allow IPAM backend switch
Changed inheritance chain for NeutronDbPluginV2 to allow switching from
non-pluggable to pluggable IPAM implementation.
IpamNonPluggableBackend methods are called on it's instance,
instead of previous way where IpamNonPluggableBackend was parent for
NeutronDbPluginV2.
It allows switching IPAM implementation in set_ipam_backend
(IpamNonPluggableBackend to IpamPluggableBackend).
All methods that became public in IpamNonPluggableBackend were renamed.
This is refactoring step before Pluggable IPAM can be applied.
Move update_security_group_on_port to SecurityGroupDbMixin
Previously this function lived in SecurityGroupServerRpcMixin. This
patch moves this function to SecurityGroupDbMixin so plugins who don't
use SecurityGroupServerRpcMixin can leverage this function. This patch
has no affect to anyone using SecurityGroupServerRpcMixin as that inherits
from SecurityGroupDbMixin.
In Arista ML2 driver Reconfigure VLAN on VM migration
Whenever a VM moves from one compute node to the other, the VLAN on the old
switch interface was not removed and the VLAN was not being provisioned on the
new switch interface. With this patch, the VLANs are provisioned correctly.
Carl Baldwin [Tue, 7 Jul 2015 16:41:03 +0000 (16:41 +0000)]
Add IP_ANY dict to ease choosing between IPv4 and IPv6 "any" address
I'm working on a new patch that will add one more case where we need
to choose between 0.0.0.0/0 and ::/0 based on the ip version. I
thought I'd add a new constant and simplify a couple of existing uses.
The result of get_sorts was a 'zip object' in Python 3, and it was later used
as a list, which fails. Just cast the result to a list to fix this issue.
Pavel Bondar [Thu, 2 Jul 2015 08:35:18 +0000 (11:35 +0300)]
Track allocation_pools in SubnetRequest
To keep pluggable and non-pluggable ipam implementation consistent
non-pluggable one has to be switched to track allocation_pools and
gateway_ip using SubnetRequests.
SubnetRequest requires allocation_pools to be list of IPRanges.
Previously allocation_pools were tracked as list of dicts.
So allocation_pools generating and validating was moved before
SubnetRequest is created.
Kevin Benton [Tue, 30 Jun 2015 04:05:08 +0000 (21:05 -0700)]
Add ARP spoofing protection for LinuxBridge agent
This patch adds ARP spoofing protection for the Linux Bridge
agent based on ebtables. This code was written to be minimally
invasive with the intent of back-porting to Kilo.
The protection is enabled and disabled with the same
'prevent_arp_spoofing' agent config flag added for the OVS agent
in I7c079b779245a0af6bc793564fa8a560e4226afe.
The protection works by setting up an ebtables chain for each port
and jumping all ARP traffic to that chain. The port-specific chains
have a default DROP policy and then have allow rules installed that
only allow ARP traffic with a source CIDR that matches one of the
port's fixed IPs or an allowed address pair.
Carl Baldwin [Tue, 30 Jun 2015 20:22:46 +0000 (20:22 +0000)]
Refactor init_l3 to separate router port use case
Future work will extend init_l3 with more code specific to router
ports. It makes sense to separate these out in to one basic method
with basic L3 and another for router port specific logic.
This dictionary does not belong to the plugins directory as it captures
API business, but practically speaking it does not even deserve to exist
and can be removed altogether.
This is patch one in a series that aims at addressing this monkey business.
A missing entry causes a KeyError that leads the server to blow up during
startup. We can fallback on an empty path (like some services do), in case
the prefix is not specified.
Furthermore, we can be declarative with this property, the same way we are
with properties like aliases, bulk support, etc.
Carl Baldwin [Tue, 30 Jun 2015 20:23:39 +0000 (20:23 +0000)]
Refactor IpRuleCommand to take more arguments
The iproute2 rule command takes more arguments than the ones supported
by this wrapper. Particularly, for address scopes, we're interested
in iif and fwmark. Instead of adding these piecemeal, this change
makes the wrapper flexible to pass any of them using kwargs.
Callers of add / delete are updated to pass keyword arguments for
table and priority since they are no longer required positional
arguments. This looks better anyway.
devref: document API status for neutron.openstack.common.*
Make sure we document the fact that neutron.openstack.common.* contents
are not meant to be used by external repositories (except, temporarily,
*aas repos).
If I could bootstrap the oslo-incubator subtree from scratch, I would
put it under neutron._openstack, to indicate that it's for internal
usage only. But we can't do it now, so instead I update devref.
Pavel Bondar [Thu, 25 Jun 2015 13:32:22 +0000 (16:32 +0300)]
Collapse create_subnet into single method
Previously create_subnet called different methods for subnet allocation
with subnetpool and without it.
_create_subnet_from_implicit_pool and _create_subnet_from_pool
were collapsed into single method _create_subnet.
This is intermediate step for supporting pluggable ipam.
Kevin Benton [Thu, 2 Jul 2015 08:45:46 +0000 (01:45 -0700)]
Downgrade log level for gone port on status update
If a port is deleted immediately before a status update arrives
from the L2 agent, the port will be missing from the DB. The current
code was logging this at the warning level, but this occurs during
normal operations so it should only be a debug event.
Kevin Benton [Wed, 1 Jul 2015 20:06:38 +0000 (13:06 -0700)]
Change the half of the bridge name used for ports
The code to generate the names of the patch ports
was based on a chunk of the bridge name starting from
the beginning. With the long suffix, this ended up
excluding all of the random characters in the name.
(e.g. br-int374623235 would create an interface br-in-patch-tun).
This meant that if two tests using patch interfaces ran together,
they would have a name collision and one would fail.
This patch updates the patch port name generation to use the
randomized back portion of the name.
Patch 4e77442d5 added a retry decorator to the API layer
to catch DB deadlock errors. However, when they occur, the
retried operation ends up being ineffective because the original
body has been altered, which leads the notification and validation
layers to barf exceptions due to unrecognized/unserializable elements.
This ultimately results to an error reported to the user.
To address this, let's make a deep copy of the request body, before
we pass it down to the lower layers. This allows the decorator to
work on a pristine copy of the body on every attempt. The performance
impact for this should be negligible.