Dane LeBlanc [Tue, 24 Feb 2015 20:47:01 +0000 (15:47 -0500)]
Stop sending gratuitous arp when ip version is 6
This fix prevents calls to the arping utility for IPv6
addresses, thereby eliminating errors reported by arping
for IPv6 addresses.
The assumption is that NDP, DAD, and RAs are sufficient
for address resolution and duplicate address detection
for IPv6, and that unsolicited Neighbor Advertisements (NAs)
are not required for OpenStack services. If this turns out
not to be the case for some service/feature, then a separate
bug should be filed to add support for unsolicited NAs for
that service.
Jeremy Stanley [Wed, 20 May 2015 01:03:59 +0000 (01:03 +0000)]
Switch from MySQL-python to PyMySQL
As discussed in the Liberty Design Summit "Moving apps to Python 3"
cross-project workshop, the way forward in the near future is to
switch to the pure-python PyMySQL library as a default.
Jeremy Stanley [Tue, 9 Jun 2015 17:47:59 +0000 (17:47 +0000)]
Merge tag '2015.1.0'
This is a null-merge of the 2015.1.0 release tag back into the master
branch so that the 2015.1.0 tag will appear in the git commit history of
the master branch. It contains no actual changes to the master branch,
regardless of how our code review system's UI represents it. Please
ask in #openstack-infra if you have any questions, and otherwise try
to merge this as quickly as possible to avoid later conflicts on the
master branch.
Ihar Hrachyshka [Tue, 9 Jun 2015 10:46:54 +0000 (12:46 +0200)]
Make pep8 job succeed when /etc/neutron/neutron.conf is not installed
Currently, if /etc/neutron/neutron.conf is not installed in the system,
neutron-db-manage fails in oslo.config code when trying to determine the
default configuration file to use.
Test job should not rely on any contents inside /etc/.
Instead, pass --config-file with test-only configuration explicitly into
the utility.
neutron.conf.test was renamed into neutron.conf since for some reason
oslo.config does not support a name that does not have .conf at its
filename end.
Add a comment on _check_update_has_security_groups
Despite its name, _check_update_has_security_groups can
handle create requests as well. There are plugins actually
using it for create, e.g. ml2, vmware.
get_admin_roles was introduced so that contexts generated from
within plugins could be used for policy checks. This was the case
up to the Havana release as several plugins invoked the policy
engine directly to authorize requests.
This was an incorrect behaviour and has now been fixed, meaning
that get_admin_roles is no longer needed and can be safely removed.
This will result in a leaner and more reliable codebase. Indeed the
function being removed here was the cause of several bugs where the
policy engine was initialized too early in the server bootstrap
process.
While this patch removes the feature it does not remove the
load_admin_roles parameter from context.get_admin_context. Doing so
will break other projects such as neutron-lbaas. The parameter is
deprecated by this patch and an appropriate warning emitted.
As a consequence neutron will now no longer perform policy checks
when context.is_admin=True. This flag is instead set either when
a context is explicitly created for granting admin privileges, or
when Neutron is operating in noauth mode. In the latter case every
request is treated by neutron as an admin request, and get_admin_roles
is simply ensuring the appropriate roles get pushed into the context
so that the policy engine will grant admin rights to the request.
This behaviour is probably just a waste of resource; also it is not
adding anything from a security perspective.
On the other hand not performing checks when context.is_admin is
True should not pose a security threat either in noauth mode or
with the keystone middleware. In the former case the software keeps
operating assuming admin rights for every request, whereas in the
latter case the keystone middleware will always supply a context
with the appropriate roles, and there is no way for an attacker
to trick keystonemiddleware into generating a context for which
is_admin=True.
Finally, this patch also does some non-trivial changes in test_l3.py
as some tests were mocking context.to_dict ignoring the is_admin flag.
Kevin Benton [Thu, 4 Jun 2015 02:03:29 +0000 (19:03 -0700)]
Defer segment lookup in NetworkContext object
Avoid call to get network segments for network context objects until
a caller actually tries to lookup the segments. This optimizes cases
where the user of a port context never looks at the segments of the
associated network context (e.g. update_port_status).
shihanzhang [Tue, 26 May 2015 08:42:44 +0000 (16:42 +0800)]
Update ipset members when corresponding sg member is empty
If a security group has a rule with 'remote-group-id', the ports
in this security group should update its relevant ipset member
when the remote-group members are empty.
Send 'security_groups_member_updated' when port changes
With ml2 plugin, when a port's IP or security group changes, it
should send 'security_groups_member_updated' message to other l2
agents which have same security group with this changed port.
Assaf Muller [Sat, 6 Jun 2015 22:41:39 +0000 (18:41 -0400)]
Remove full stack log noise
"neutron-server isn't up yet" logs are useless because if
you time out when waiting for the server to start that information
will be in the trace. When you don't time out, the log is just spam.
Same reasoning for the "There are %d agents running!" log.
Also made the agents_count parameter mandatory for the
wait_until_env_is_up method because having a default of 0, or any
other default makes no sense. There's no reason to ever call that
method without specifying the agents_count. This method used
to be used with agents_count == 0 by the server to make sure
it's up (and responding to REST calls), but the Neutron server
fixture now uses server_is_live method (Which calls list_networks)
instead.
Stephen Ma [Thu, 4 Jun 2015 20:09:23 +0000 (20:09 +0000)]
L3 agent should do report state before full sync at start
Sometimes the AgentNotFoundByTypeHost exception is reported during
L3-agent startup. The exception is generated when the first
get_routers RPC call is made. When the neutron server gets this
RPC call, it might not have handled the report state RPC call yet.
So the L3-agent hasn't been registered in the API server.
The result is a RPC Error exception. By the time the next
get_routers RPC call is made, the report state RPC call has already
been done and agent registered.
This patch modifies the L3 agent startup behavior to have the report
state done before the agent does the sync routers RPC call.
Cedric Brandily [Wed, 6 May 2015 20:40:39 +0000 (22:40 +0200)]
Clean only floating-ip related connection states
Currently init_l3 deletes connection states related to ALL ips deleted
in init_l3 but it's required only when floating-ips are deleted[1].
This change deletes only connection states related to floating-ips
deleted in init_l3 ... it avoids deleting connection states in dhcp
agents and on router internal ports!
[1] look at change Ia9bd7ae243a0859dcb97e2fa939f7d16f9c2456c
Carl Baldwin [Thu, 4 Jun 2015 22:25:44 +0000 (22:25 +0000)]
Refactor awkward logic in setup_dhcp_port
I noticed this logic as I was reviewing another patch set [1]. I
didn't like removing subnet ids from dhcp_enabled_subnet_ids and I
wasn't too keen on the ips_need_removal semantics that were kind of
forced by the existing structure of the code. I hope you find this
alternative much clearer. I like straight-forward code with less
indentation that doesn't use awkward booleans like ips_needs_removal.
Pavel Bondar [Fri, 5 Jun 2015 11:01:10 +0000 (14:01 +0300)]
Decompose db_base_plugin_v2.py part 2
This patch contains method moving with minor modifications like updating
class names. IPAM specific methods were moved into ipam_backend_mixin and
ipam_non_pluggable_backend.
ipam_backend_mixin - contains code common for both backends (pluggable and
non-pluggable).
ipam_non_pluggable_backend - contains code specific for non-pluggable
IPAM implementation.
Elena Ezhova [Thu, 4 Jun 2015 14:00:13 +0000 (17:00 +0300)]
Start linuxbridge neutron agent using a launcher
This change ports linuxbridge neutron agent on common/service code
that will allow it to handle termination signals (SIGHUP, SIGTERM, SIGINT).
Note that this patch allows changing only logging options.
All other config options are not handled explicitly and changing
them using SIGHUP can lead to unpredictable circumstances.
So, until changing other options is handled it is highly recommended
to use SIGHUP for changing ONLY logging options.
Elena Ezhova [Mon, 1 Jun 2015 11:55:13 +0000 (14:55 +0300)]
Handle SIGHUP in ovs neutron agent
This change allows ovs neutron agent not to die on receiving SIGHUP
and reload its logging options.
Note that this patch allows changing only logging options.
All other config options are not handled explicitly and changing
them using SIGHUP can lead to unpredictable circumstances.
So, until changing other options is handled it is highly recommended
to use SIGHUP for changing ONLY logging options.
Jakub Libosvar [Wed, 27 May 2015 13:50:22 +0000 (13:50 +0000)]
Run RootHelperProcess always as root
The purpose of RootHelperProcess is to spawn processes running with root
id. Instantiating RootHelperProcess as non-root doesn't make sense. This
also implies NetcatTester always spawns 'netcat' process as root. The
reason why parameter existed here was due to refactor from passing
root_helper all over the place.
Test create port with specific value of port_security_enabled
Test create secure port with security_group attached
Test update port with port_security_enabled True\False
and with or without security groups
Test deleting port with port_security_enabled
Angus Lees [Thu, 4 Jun 2015 02:55:02 +0000 (12:55 +1000)]
pylint: enable `duplicate-key` check
This check attempts to detect dictionary literals with duplicate keys.
The rest of the Neutron tree has already had the few instances of this
cleaned[1] or moved into external vendor repos. Enabling the pylint
check will stop future occurrences.
[1] I29cd2b843a7905986de13a1ecfba0cb5797ccaf8
(Original patch I1aa221d2019853f905f2b8421dd45b0a3102baf0 by zhiyuan_cai)
Carl Baldwin [Wed, 3 Jun 2015 16:56:23 +0000 (16:56 +0000)]
Enhance utils.ensure_dir to be resilient to concurrent workers
In rare cases, concurrent workers may attempt to ensure a directory
exists. One may successfully create the directory while the other
gets an oserror that it already exists. This patch detects the
problem and returns successfully in both cases.
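A sketch of the race-tolerant pattern the commit message above describes, as an added example that is not the Neutron patch itself; the function body, the `race_ensure_dir` helper and the directory names are assumptions made for illustration.

```python
import errno
import os
import tempfile
import threading


def ensure_dir(dir_path, mode=0o755):
    """Create dir_path if missing; succeed if another worker created it first."""
    try:
        os.makedirs(dir_path, mode)
    except OSError as e:
        # EEXIST means another worker won the race. Any other errno
        # (EACCES, ENOSPC, ...) is a real failure and must propagate.
        if e.errno != errno.EEXIST:
            raise
        # EEXIST is also raised when the path exists but is not a
        # directory (for example a regular file); that is still an error.
        if not os.path.isdir(dir_path):
            raise


def race_ensure_dir(workers=16):
    """Release `workers` threads at once, all ensuring the same path.

    Returns (directory_exists, list_of_errors_seen_by_workers).
    The path under a fresh temp directory is constructed sample input.
    """
    base = tempfile.mkdtemp()
    target = os.path.join(base, "agent", "state")
    barrier = threading.Barrier(workers)
    errors = []

    def worker():
        barrier.wait()  # line the threads up so the calls overlap
        try:
            ensure_dir(target)
        except OSError as e:
            errors.append(e)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return os.path.isdir(target), errors
```

Checking `os.path.exists()` before creating the directory does not close this window, because the other worker can create it between the check and the call; handling the error from the create call does.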
Carl Baldwin [Wed, 27 May 2015 20:12:27 +0000 (20:12 +0000)]
Use a single method to remove an address with its conntrack state
I just noticed a pattern and I thought I'd throw this up for
discussion. It has occurred to me that this addition sort of breaks
the ip_lib paradigm of wrapping ip commands without any additional
useful abstraction. Any better ideas?
Pavel Bondar [Wed, 3 Jun 2015 11:22:29 +0000 (14:22 +0300)]
Decompose db_base_plugin_v2.py
Moved private getters and simple helpers into db_base_plugin_common.
This change is part of bigger refactoring for supporting Pluggable IPAM.
Main purpose is to make getters accessible by IPAM code.
Russell Bryant [Tue, 2 Jun 2015 19:20:44 +0000 (15:20 -0400)]
Add sub-project lieutenants
A recent patch added the concept of Lieutenants for Neutron. This
same concept makes a lot of sense for identifying clear points of
contact for the various sub-projects under the Neutron tent. This
patch adds a table of the projects currently approved as part of
Neutron in the governance repo. I also made a guess on who the
lieutenant would be based on reviews in stackalytics (except for ones
that weren't in stackalytics).
Change-Id: Ibce5d6ba5e19dec59a10c88749557509136c4e41
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Aman Kumar [Wed, 3 Jun 2015 06:49:40 +0000 (23:49 -0700)]
Make MockFixedIntervalLoopingCall class as a helper class
MockFixedIntervalLoopingCall class is used in both the classes
TestOvsNeutronAgent and TestOvsDvrNeutronAgent.
This patch removes the MockFixedIntervalLoopingCall from both the
places and makes it a helper class in test_ovs_neutron_agent.py.
So that it will be used everywhere in test_ovs_neutron_agent.py.
Kevin Benton [Wed, 3 Jun 2015 05:52:51 +0000 (05:52 +0000)]
Revert "Add VIF_DELETED notification event to Nova"
We need to wait until the nova support is added in
I998b6bb80cc0a81d665b61b8c4a424d7219c666f. Otherwise
this generates a ton of error messages in the nova api
log as well as on the neutron side.
Oleg Bondarev [Wed, 6 May 2015 09:50:11 +0000 (12:50 +0300)]
Wrap ML2 delete_port with db retry decorator
ML2 delete_port operation currently involves locking ports
and bindings tables which may lead to DBDeadlock errors in certain
cases when several ports are deleted concurrently.
That may happen due to specifics of Galera working in active-active
mode: it may throw deadlock errors when it fails to validate
a change with other members of the cluster.
The fix adds retries to delete port operation to overcome such
deadlocks.