This patch checks if a metadata access network is still present when
removing a router in the NVP plugin. If yes, the network is detached
from the router and then destroyed, thus ensuring a safe completion of
the operation as well as removal of metadata access network resources.
Aaron Rosen [Wed, 6 Mar 2013 20:21:08 +0000 (12:21 -0800)]
Add explicit egress rules to nvp security profile
The following commit 7e26074b changed the previous behavior of quantum
security groups by explicitly adding egress rules to the security profile.
When these rules are removed the vm is no longer able to send traffic out.
This patch adds these rules for NVP. One thing to note in the patch
is that now a bunk rule of IPv4 127.0.0.1/32 is added to each security
profile. The reason for this is by default NVP security profiles allow
all egress traffic until a rule is added and then it just lets traffic
matching those rules out. Adding this bunk rule achieves this behavior
that quantum now uses.
Currently the format of error messages returned by the quota extension was
different from other quantum resources. Other resources return JSON
(e.g. '{"QuantumError": "error message"}'), but the quota extension only
returns messages without any format.
'quantum.api.v2.resource.Resource' provides error message processing,
so wrap the quota controller with it.
By the way, fix some small stuff:
* Use specific exception 'QuotaTenantNotFound' instead of generic exception.
* Correct error message.
* Use attribute mapping checking the request body.
The patch set shows the default quotas that exist in
the configuration file. This is if the DB_QUOTA_DRIVER
is not configured. In this case the user is required
to update the configuration file and restart the service.
Now that dhcp-agent also uses ns-metadata-proxy, we need to make sure
those rootwrap filters are installed in scenarios where dhcp-agent is
installed but l3-agent is not.
Aaron Rosen [Wed, 6 Mar 2013 23:02:12 +0000 (15:02 -0800)]
isolated network metadata does not work with nvp plugin
This patch removes the not self.conf.enable_metadata_network
check before adding METADATA_DEFAULT_IP to ip_cidrs. The result
of this is that the dhcp agent interface will have
169.254.169.254/16 on it even if the network is
enable_metadata_network=True, which doesn't matter and happens anyway if one
sets enable_meta_network=False. This change only affects the nvp plugin
as this is the only one that uses the enable_metadata_network flag.
Aaron Rosen [Wed, 6 Mar 2013 01:48:35 +0000 (17:48 -0800)]
Fix syntax error in credential.py and missing __init__.py
This patch fixes a syntax error in credential.py and resolves
the following import error:
In [1]: from quantum.plugins.cisco.extensions import _credential_view as a
---------------------------------------------------------------------------
ImportError Traceback (most recent call last)
/opt/stack/quantum/<ipython-input-1-ef3f11a361d0> in <module>()
----> 1 from quantum.plugins.cisco.extensions import _credential_view as a
Return of call to os.path.abspath('../../..') depends on the setup of
nose working directory. Change to return the directory where
test_config.py resides
Davanum Srinivas [Tue, 26 Feb 2013 20:43:50 +0000 (15:43 -0500)]
Prevent DoS through XML entity expansion
Add a ProtectedXMLParser that overrides the
doctype declaration handler. The handler simply
throws an exception and prevents any further
parsing of the incoming xml.
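The commit message describes the mitigation but not how a doctype handler is wired up. The following is an added illustration, not the Quantum patch itself: it uses Python's expat binding directly (the commit's ProtectedXMLParser wraps an ElementTree parser, which is assumed to behave the same way), installs a StartDoctypeDeclHandler that raises, and builds a small nested-dict tree from the remaining callbacks. The two XML documents are constructed sample inputs; the probe carries only a single one-line entity declaration, which is enough to show that parsing is aborted before any entity is defined or expanded.

```python
import xml.parsers.expat as expat


class DoctypeNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE declaration."""


def parse_untrusted_xml(data):
    """Parse client-supplied XML into a plain nested-dict tree.

    Entities (internal expansion bombs or external SYSTEM references) can
    only be declared inside a DOCTYPE, so rejecting the DOCTYPE itself
    stops the payload before expat allocates anything for it.
    """
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Same idea as the commit's handler: abort parsing outright.
        raise DoctypeNotAllowed("DOCTYPE declaration not allowed: %r" % name)

    parser.StartDoctypeDeclHandler = reject_doctype

    # Minimal tree builder; the synthetic root keeps the stack non-empty.
    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start(tag, attrs):
        node = {"tag": tag, "attrs": dict(attrs), "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(tag):
        stack.pop()

    def chars(text):
        stack[-1]["text"] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)  # an exception from a handler propagates here
    return root["children"][0]


def is_rejected(data):
    """True if the document was refused because of a DOCTYPE."""
    try:
        parse_untrusted_xml(data)
    except DoctypeNotAllowed:
        return True
    return False


# Constructed sample inputs (not taken from the project's test suite).
BENIGN = b"<network><name>net1</name><admin_state_up>true</admin_state_up></network>"
PROBE = b'<!DOCTYPE network [<!ENTITY a "aaaa">]><network><name>&a;</name></network>'

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN)["children"][0]["text"])  # net1
    print(is_rejected(PROBE))                                   # True
```

Because the handler fires at the `<!DOCTYPE` token, the entity declarations that follow it are never read, which is why this is cheaper and safer than trying to bound expansion depth after the fact. Well-formedness errors still surface as the usual `expat.ExpatError`, so callers should map both exception types to a 400-style response.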
Jason Zhang [Thu, 6 Dec 2012 19:39:34 +0000 (11:39 -0800)]
Setup device alias by device flavor information.
The router interface cannot be deleted since the MetaPlugin
cannot get the flavor information from the port which has
been deleted.
The solution is setting up the alias for each device based
on the flavor information, so the MetaPlugin still can get
the flavor information from the device itself even the
port has been deleted.
Also the router interface cannot be deleted since the
l3_port_check flag is not passed by MetaPlugin.
This patch alters the prevent_l3_port_deletion logic.
PortInUse is raised only if the port has a device owner in
(router_interface, router_gateway, floatingip) and an IP
address.
If no IP address is found on the port the port itself can
be considered stale and therefore deleted as any association
with l3 entities would be void.
The combination of the plugin without agent extension support
and L3NATAgentWithStateReport results in an error:
"AttributeError: No such RPC function 'report_state'".
This patch changes l3_agent_manager to be L3NATAgent instead of
L3NATAgentWithStateReport since all plugins do not support
L3NATAgentWithStateReport and having this as the default breaks
all current deployments that upgrade source without changing
their config files.
gongysh [Fri, 1 Mar 2013 08:23:32 +0000 (16:23 +0800)]
Move network schedule to first port creation.
blueprint quantum-scheduler
We remove scheduling of a network to a dhcp agent when creating the
network so that we can give the admin the chance to allocate the given
network to a given dhcp agent after network creation.
Sumit Naiksatam [Fri, 1 Mar 2013 06:00:32 +0000 (22:00 -0800)]
Host route to metadata server with Bigswitch/Floodlight Plugin
Host route to metadata server was not getting propagated
to VM when using the Big Switch/Floodlight plugin. The
reason being the update to the subnet (with the host
route information) was not being picked up by the dhcp
agent. This is being fixed here by sending a notification
to the dhcp agent when the host route is added to the subnet.
Akihiro MOTOKI [Thu, 28 Feb 2013 22:19:20 +0000 (07:19 +0900)]
Ensure max length of iptables chain name w/o prefix is up to 11 chars.
The maximum length of Linux iptables chain name must be less than or
equal to 28 characters. In iptables_manager binary_name up to 16 chars
is used as a prefix and a '-' follows it, so a chain name passed to
iptables_manager must be less than 12 characters long. Accordingly
MAX_CHAIN_LEN should be changed from 28 to 12. Also this commit
introduces a method to get a chain name with valid length.
Since iptables_firewall module constructs a rule by directly using
a chain name, iptables_firewall also must take care of the length.
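The length budget in this message is easy to get wrong in code, so here is an added example (not the project's iptables_manager) that applies it: a wrapped chain is `<first 16 chars of binary name>-<chain>`, iptables refuses chain names longer than 28 characters, so the caller-visible part is truncated to 11 characters when wrapped and to 28 when not. The helper names, the `argv0` parameter and the sample chain names are assumptions made for the illustration; the collision check goes beyond the commit and flags the one new risk truncation introduces, namely two long names collapsing onto the same chain.

```python
import os
import sys

# iptables rejects chain names longer than 28 characters.
IPTABLES_MAX_CHAIN = 28
# Wrapped chains carry up to 16 chars of the binary name plus a '-' prefix
# (layout as described in the commit message; constants are this example's).
BINARY_NAME_LEN = 16
MAX_CHAIN_LEN_WRAP = IPTABLES_MAX_CHAIN - BINARY_NAME_LEN - 1   # 11
MAX_CHAIN_LEN_NOWRAP = IPTABLES_MAX_CHAIN                       # 28


def binary_name(argv0=None):
    """Prefix for wrapped chains: basename of the running binary, truncated."""
    name = os.path.basename(sys.argv[0] if argv0 is None else argv0)
    return name[:BINARY_NAME_LEN]


def get_chain_name(chain_name, wrap=True):
    """Cut a caller-supplied chain name down to the length that still fits."""
    limit = MAX_CHAIN_LEN_WRAP if wrap else MAX_CHAIN_LEN_NOWRAP
    return chain_name[:limit]


def full_chain_name(chain_name, wrap=True, argv0=None):
    """Name as iptables will see it; raises rather than emit a rejected rule."""
    name = get_chain_name(chain_name, wrap)
    if wrap:
        name = "%s-%s" % (binary_name(argv0), name)
    if len(name) > IPTABLES_MAX_CHAIN:
        raise ValueError("chain name %r exceeds %d chars" % (name, IPTABLES_MAX_CHAIN))
    return name


def detect_collisions(chain_names, wrap=True):
    """Map each truncated name that more than one input collapses onto
    back to those inputs, so a deployment can spot rules that would
    silently land in the wrong chain."""
    seen = {}
    for original in chain_names:
        seen.setdefault(get_chain_name(original, wrap), []).append(original)
    return {short: originals for short, originals in seen.items() if len(originals) > 1}


if __name__ == "__main__":
    agent = "/usr/bin/quantum-openvswitch-agent"  # constructed sample path
    print(full_chain_name("quantum-filter-long", argv0=agent))   # 28 chars
    print(detect_collisions(["sg-chain-aaaaaaaaaaaa", "sg-chain-aaaaaaaaaaab"]))
```

Keeping the truncation in one helper, as the commit proposes, means iptables_firewall and iptables_manager cannot disagree about the budget; running `detect_collisions` over the chain names a plugin generates is the corresponding check that the shorter budget has not merged two security-group chains.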