Ihar Hrachyshka [Tue, 9 Jun 2015 08:57:29 +0000 (10:57 +0200)]
Enable all deprecation warnings for test runs
We would like to catch all deprecation warnings during test runs to be
notified in advance about potential problems with next library releases
we depend on.
get_admin_roles was introduced so that contexts generated from
within plugins could be used for policy checks. This was the case
up to the Havana release as several plugins invoked the policy
engine directly to authorize requests.
This was an incorrect behaviour and has now been fixed, meaning
that get_admin_roles is no longer needed and can be safely removed.
This will result in a leaner and more reliable codebase. Indeed the
function being removed here was the cause of several bugs where the
policy engine was initialized too early in the server bootstrap
process.
While this patch removes the feature it does not remove the
load_admin_roles parameter from context.get_admin_context. Doing so
will break other projects such as neutron-lbaas. The parameter is
deprecated by this patch and an appropriate warning emitted.
As a consequence neutron will now no longer perform policy checks
when context.is_admin=True. This flag is instead set either when
a context is explicitly created for granting admin privileges, or
when Neutron is operating in noauth mode. In the latter case every
request is treated by neutron as an admin request, and get_admin_roles
is simply ensuring the appropriate roles get pushed into the context
so that the policy engine will grant admin rights to the request.
This behaviour is probably just a waste of resource; also it is not
adding anything from a security perspective.
On the other hand not performing checks when context.is_admin is
True should not pose a security threat either in noauth mode or
with the keystone middleware. In the former case the software keeps
operating assuming admin rights for every request, whereas in the
latter case the keystone middleware will always supply a context
with the appropriate roles, and there is no way for an attacker
to trick keystonemiddleware into generating a context for which
is_admin=True.
Finally, this patch also does some non-trivial changes in test_l3.py
as some tests were mocking context.to_dict ignoring the is_admin flag.
Carl Baldwin [Wed, 27 May 2015 20:12:27 +0000 (20:12 +0000)]
Use a single method to remove an address with its conntrack state
I just noticed a pattern and I thought I'd throw this up for
discussion. It has occurred to me that this addition sort of breaks
the ip_lib paradigm of wrapping ip commands without any additional
useful abstraction. Any better ideas?
Russell Bryant [Tue, 2 Jun 2015 19:20:44 +0000 (15:20 -0400)]
Add sub-project lieutenants
A recent patch added the concept of Lieutenants for Neutron. This
same concept makes a lot of sense for identifying clear points of
contact for the various sub-projects under the Neutron tent. This
patch adds a table of the projects currently approved as part of
Neutron in the governance repo. I also made a guess on who the
lieutenant would be based on reviews in stackalytics (except for ones
that weren't in stackalytics).
Change-Id: Ibce5d6ba5e19dec59a10c88749557509136c4e41
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Aman Kumar [Wed, 3 Jun 2015 06:49:40 +0000 (23:49 -0700)]
Make MockFixedIntervalLoopingCall class as a helper class
MockFixedIntervalLoopingCall class is used in both the classes
TestOvsNeutronAgent and TestOvsDvrNeutronAgent.
This patch removes the MockFixedIntervalLoopingCall from both the
places and makes it a helper class in test_ovs_neutron_agent.py.
So that it will be used everywhere in test_ovs_neutron_agent.py.
Kevin Benton [Wed, 3 Jun 2015 05:52:51 +0000 (05:52 +0000)]
Revert "Add VIF_DELETED notification event to Nova"
We need to wait until the nova support is added in
I998b6bb80cc0a81d665b61b8c4a424d7219c666f. Otherwise
this generates a ton of error messages in the nova api
log as well as on the neutron side.
Oleg Bondarev [Wed, 6 May 2015 09:50:11 +0000 (12:50 +0300)]
Wrap ML2 delete_port with db retry decorator
ML2 delete_port operation currently involves locking ports
and bindings tables which may lead to DBDeadlock errors in certain
cases when several ports are deleted concurrently.
That may happen due to specifics of Galera working in active-active
mode: it may throw deadlock errors when it fails to validate
a change with other members of the cluster.
The fix adds retries to delete port operation to overcome such
deadlocks
Eugene Nikanorov [Tue, 26 May 2015 16:17:20 +0000 (20:17 +0400)]
Catch broad exception in methods used in FixedIntervalLoopingCall
Unlike other places where it might make sense to catch specific
exceptions, methods that are used to check L3 and DHCP agents
liveness via FixedIntervalLoopingCall should never allow exceptions
to leak to calling method and interrupt the loop.
Further improvement of FixedIntervalLoopingCall might be needed,
but for the sake of easy backporting it makes sense to fix the issue
in neutron before pushing refactoring to 3rd-party library.
Assaf Muller [Tue, 2 Jun 2015 16:21:11 +0000 (12:21 -0400)]
Add devref that explains fullstack testing and its direction
The goal of this doc is to communicate what are full stack tests,
how they benefit you and when would you write such a test.
Additionally I'd like to communicate the way forward, and gather
feedback about any areas in the code that can benefit from full
stack tests, and any additional thoughts!
Assaf Muller [Mon, 1 Jun 2015 21:05:56 +0000 (17:05 -0400)]
Remove get_dhcp_port RPC method
This method was last used in Icehouse. I think we can safely
remove all of its code and tests. Icehouse to Liberty rolling
upgrades are in no way expected to work so I just bumped
the RPC version and removed all traces of the code.
Cedric Brandily [Sat, 30 May 2015 18:41:29 +0000 (20:41 +0200)]
Refactor type_tunnel/gre/vxlan to reduce duplicate code
gre and vxlan type drivers have similar implementations for multiple
methods:
* get_endpoint_by_host
* get_endpoint_by_ip
* delete_endpoint
* get_endpoints
* add_endpoint
This change abstracts these methods and moves the abstractions to the
new class EndpointTunnelTypeDriver.
Gal Sagie [Tue, 2 Jun 2015 05:49:10 +0000 (08:49 +0300)]
Update rootwrap.conf to add /usr/local/bin
When working with OVN I found on Fedora 21 that
my ovs-vsctl is installed in /usr/local/bin, since this wasn't in
rootwrap DHCP didn't work properly.
This change adds it to rootwrap.
Windows VMs try to resolve metadata ip 169.254.169.254 as
local address by default, which results in very slow access
to metadata url during boot.
Injecting direct route to metadata ip through a subnet's default
gateway helps Windows to avoid wasting time on mac resolution.
So this patch injects host route for metadata ip for networks plugged
into a router.
Assaf Muller [Fri, 29 May 2015 23:17:34 +0000 (19:17 -0400)]
Modify ipset functional tests to pass on older machines
Production code uses ipset exclusively in the root namespace,
however functional testing uses ipset in namespace for isolation.
This poses an issue as ipset is not supported in namespaces on
all kernels and distributions (I'm looking at you CentOS/RHEL 7.1).
This patch changes the ipset functional tests to work in the root
namespace while taking care of cleanups.
Kevin Benton [Fri, 1 May 2015 00:14:44 +0000 (17:14 -0700)]
Don't delete port from bridge on delete_port event
Commit d6a55c17360d1aa8ca91849199987ae71e8600ee added
logic to the OVS agent to delete a port from the integration
bridge when a port was deleted on the Neutron side. However,
this led to several races where whoever created the initial
port (e.g. Nova, L3 agent, DHCP agent) would be trying to
remove the port from the bridge at the same time. These
would result in ugly exceptions on one side or the other.
The original commit was trying to address the problem where
the port would maintain connectivity even though it was removed
from the integration bridge.
This patch addresses both cases by removing the iptables rules
for the deleted port and putting it in the dead VLAN so it loses
connectivity. However, it still leaves the port attached to the
integration bridge so the original creator can delete it.
Cedric Brandily [Tue, 26 May 2015 12:29:15 +0000 (14:29 +0200)]
Enable random hash seeds
Neutron tests have been updated in order to support random hash seed. It
allows to remove PYTHONHASHSEED=0 in tox.ini and remove hashtest tox
environment.
Joe Gordon [Fri, 29 May 2015 21:28:34 +0000 (14:28 -0700)]
Fix formatting of core-reviewers doc
Fix some RST formatting issues with the core-reviewers policy document.
When reading the RST rendered version of that document at
http://docs.openstack.org/developer/neutron/policies/core-reviewers.html
I noticed a few rendering issues that were bothering me, so I fixed
them.
Adrien Vergé [Fri, 29 May 2015 20:54:33 +0000 (22:54 +0200)]
Get completely rid of contextlib.nested
`contextlib.nested` is deprecated since Python 2.7 and incompatible with
Python 3. This patch removes all its occurrences by using the helper
script at [1].
This is a necessary step to allow us running all unit tests with
Python 3 (not just a small subset as it is done now).
Adrien Vergé [Mon, 25 May 2015 16:46:03 +0000 (18:46 +0200)]
Fix indentation errors in tests
There are some missing/extra indentations in tests source code. This
results in variables used out of their scope (which remains unnoticed as
long as `with` contexts do not fail), and prevents refactoring scripts
(such as the one for getting rid of `contextlib.nested` [1]) from
performing well.
This simple patch fixes these indentation errors.
[1]: See change I8d1de09ff38ed0af9fb56f423a2c43476408e0fb
Cedric Brandily [Wed, 27 May 2015 06:53:00 +0000 (08:53 +0200)]
Improve test_set_members_deleting_less_than_5
In test_set_members_deleting_less_than_5[1], 3 ips are deleted from
ipset but test_set_members_deleting_less_than_5 checked that the
first one was deleted because the call ordering was non-trivial.
The test was successful because
assert_has_calls(expected_calls, any_order=False) allows extra calls
before and after expected_calls.
A parent change[2] forces the call ordering, this allows to check that
the 3 ips are deleted.
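Added example (not part of the commit or of the Neutron test suite): how `assert_has_calls` with a partial expectation keeps passing when deletions go missing, next to a check on the full recorded call list. `delete_members`, the set name and the IPs are constructed for illustration, and comparing `mock_calls` is one way to tighten the test, not necessarily the approach the commit took.

```python
from unittest import mock


def delete_members(execute, set_name, ips):
    # Hypothetical stand-in for code that removes members from an ipset.
    for ip in ips:
        execute(["ipset", "del", set_name, ip])


def weak_check(execute, set_name, ips):
    # Asserts only the first deletion. assert_has_calls() tolerates extra
    # calls before and after the expected ones, so it cannot tell whether
    # the remaining deletions happened at all.
    try:
        execute.assert_has_calls(
            [mock.call(["ipset", "del", set_name, ips[0]])])
    except AssertionError:
        return False
    return True


def strict_check(execute, set_name, ips):
    # Compares the complete recorded call list: a missing, extra or
    # reordered call makes the comparison fail.
    expected = [mock.call(["ipset", "del", set_name, ip]) for ip in ips]
    return execute.mock_calls == expected


def compare():
    ips = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]  # constructed sample data
    name = "example_set"                        # constructed set name
    correct, regressed = mock.Mock(), mock.Mock()
    delete_members(correct, name, ips)
    delete_members(regressed, name, ips[:1])    # simulated bug: 1 of 3 removed
    return {
        "correct": (weak_check(correct, name, ips),
                    strict_check(correct, name, ips)),
        "regressed": (weak_check(regressed, name, ips),
                      strict_check(regressed, name, ips)),
    }


if __name__ == "__main__":
    for case, (weak, strict) in compare().items():
        print(f"{case}: weak check passes={weak}, strict check passes={strict}")
```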
Cedric Brandily [Tue, 26 May 2015 14:38:26 +0000 (14:38 +0000)]
Sort _get_new/deleted_set_ips responses in unittests
This fixes the test_set_members_adding/deleting_less_than_5 unit test
that breaks with a randomized PYTHONHASHSEED (see the bug report).
The test assumed that the _get_new/deleted_set_ips from
neutron.agent.linux.ipset_manager return elements in a particular order.
Found with PYTHONHASHSEED=1.
The fix refactors the test case to force sorted responses from
_get_new/deleted_set_ips during unittests.
Note: There are several other unrelated unit tests that also break with
a randomized PYTHONHASHSEED, but they are not addressed here. They will
be addressed in separate patches.
Oleg Bondarev [Thu, 14 May 2015 12:09:24 +0000 (15:09 +0300)]
Cleanup stale metadata processes on l3 agent sync
Currently l3 agent only cleans up stale namespaces.
The fix adds checking and deleting stale metadata processes
to NamespaceManager class responsible for clearing stale
namespaces
shihanzhang [Tue, 26 May 2015 01:29:58 +0000 (09:29 +0800)]
Fix ovs agent restore local_vlan_map failed
When the ovs agent restarts, it will restore the local_vlan_map, but in
some conditions, if a device does not have a tag set in ovsdb, the function
'db_get_val("Port", port.port_name, "tag")' will return an empty list,
and it does not need 'provision_local_vlan' for this device.
Kevin Benton [Thu, 28 May 2015 23:48:04 +0000 (16:48 -0700)]
Use correct time delta function
The .seconds attribute of a timedelta object cannot be taken in
isolation because it can overflow into days. For example, a -1 second
difference will become -1 day and 86399 seconds.
This became a problem when the agent clock was slightly ahead of
the server clock. When calling (server_time - agent_time).seconds
in this scenario, it would go below 0 in the daily seconds and
wraparound to 86399 seconds and -1 day.
This patch corrects the issue by using a method in timeutils that
ends up calling total_seconds(), which was designed for this use case.
It also restores the formatting that was removed in patch:
Ibfc30444b7a167fb18ae9051a775266236d4ecce
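Added example (not the commit's code, which goes through a timeutils helper): a heartbeat liveness check written with `.seconds` and with `total_seconds()`, run over constructed timestamps. It goes one step beyond the commit message by also showing the opposite failure, where a gap longer than a day looks fresh; `AGENT_DOWN_TIME` and the function names are hypothetical.

```python
from datetime import datetime, timedelta

AGENT_DOWN_TIME = 75  # seconds; hypothetical threshold for this example


def is_down_buggy(server_time, heartbeat, down_time=AGENT_DOWN_TIME):
    # .seconds is only the seconds field of the normalized
    # (days, seconds, microseconds) triple, always in 0..86399.
    return (server_time - heartbeat).seconds > down_time


def is_down_fixed(server_time, heartbeat, down_time=AGENT_DOWN_TIME):
    # total_seconds() folds the days back in and keeps the sign.
    return (server_time - heartbeat).total_seconds() > down_time


def scenarios():
    now = datetime(2015, 5, 28, 23, 48, 4)  # constructed server time
    heartbeats = {
        # Agent clock slightly ahead: delta is -1 day + 86399 s.
        "agent clock 1s ahead": now + timedelta(seconds=1),
        # Ordinary recent heartbeat: both checks agree.
        "heartbeat 10s ago": now - timedelta(seconds=10),
        # Delta is 1 day + 5 s, so .seconds alone reports 5.
        "heartbeat 1 day 5s ago": now - timedelta(days=1, seconds=5),
    }
    return {
        name: (is_down_buggy(now, hb), is_down_fixed(now, hb))
        for name, hb in heartbeats.items()
    }


if __name__ == "__main__":
    for name, (buggy, fixed) in scenarios().items():
        print(f"{name}: .seconds says down={buggy}, "
              f"total_seconds() says down={fixed}")
```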
Cedric Brandily [Wed, 27 May 2015 18:30:28 +0000 (20:30 +0200)]
Do not assume order of security group rules
This fixes the unit tests[1] that break with a randomized
PYTHONHASHSEED (see the bug report).
The test assumed that the security_group_rules_for_devices method from
neutron.agent.securitygroups_rpc returned security group rules in a
particular order. Found with PYTHONHASHSEED=2.
The fix refactors the test case to handle unsorted security group rules.
Note: There are several other unrelated unit tests that also break with
a randomized PYTHONHASHSEED, but they are not addressed here. They will
be addressed in separate patches.