Carl Baldwin [Thu, 9 Jul 2015 21:26:49 +0000 (21:26 +0000)]
Remove self.snat_ports, a dvr thing, from router base class
This was overlooked in splitting out dvr code from the router base
class. It is dvr only. Also, it doesn't need to be an instance
variable and was not use consistently.
Description:
Presently Neutron doesn't validate the address family of floating IP
addresses or the internal addresses they are associated with. It merely
associates the first IP of the floating IP's port with the first IP of
the internal port, unless a specified fixed IP is specified. This can
lead to incorrect or poorly defined behavior when IPv6 is present.
The existing L3 agent implementation only manages IPv4 NAT rules. While
IPv6 NAT and NAT protocol translation are possible, the existing
implementation does not support these configurations.
Presently a floating IP can be created on an IPv6 only external network
or associated with an IPv6 fixed IP, but the L3 agent is unable to bind
these configurations.
Implementation:
When creating and updating a floating IP, only consider IPv4 addresses
on both the floating IPs port and the internal port he floating IP is
associated with. Additionally disallow creating floating IPs on networks
without any IPv4 subnets, since these floating IPs could not be
allocated an IPv4 address.
Enforce specific order for firewall.(un)filtered_ports and devices
Lots of tests in the file rely on specific order of devices and ports
with which they are iterated thru inside firewall implementation. This
is needed to match a regexp against iptables output generated by the
firewall driver.
In production code, those .(un)filtered_ports dictionaries are
unordered, and it would be not wise to enforce the order for them just
for the sake of those unit tests.
Instead, we 'patch' the agent firewall with ordered versions of dict for
those attributes.
Also enforce specific order for device_info dictionaries we pass into
firewall.
The failure was easily reproducible with PYTHONHASHSEED=111, and after
the fix, it's gone.
While at it, stop making assumptions about stable order of dict.values()
between multiple dictionaries with the same keys. It may actually work
for now, but it seems fragile. Overall simplified regex construction
code a bit, f.e. killing some dead or redundant code.
Carl Baldwin [Thu, 9 Jul 2015 21:14:39 +0000 (21:14 +0000)]
Use _is_this_snat_host and remove _get_gw_port_host
The _is_this_snat_host utility should be used consistently. After
replacing a call to _get_gw_port_host with _is_this_snat_host,
_get_gw_port_host is left as just a simple helper method for
_is_this_snat_host. The indirection is excessive and so they are
combined.
Dan Prince [Thu, 9 Jul 2015 19:31:13 +0000 (15:31 -0400)]
get_vif_ports: ignore non-Interface ports
This patch updates get_vif_ports so that it skips
ports which aren't in the 'Interfaces' table.
This fixes an issue where neutron-ovs-cleanup would
fail if any sort of OVS bond was on the bridge getting
cleaned up. This is because bonds don't have the same
attributes as ports, and thus fail subsequent ovs-vsctl
queries.
Wei Wang [Thu, 25 Sep 2014 09:49:59 +0000 (17:49 +0800)]
Fix duplicate entry catch for allowed address pairs
If None is submitted as a MAC address in an allowed_address_pair,
the port MAC will be used. So if two entries are submitted with the
same IP and one's MAC is None while the others is the port's MAC,
they will pass the API duplication check and fail to insert into the DB
due to a unique constraint violation.
This patch catches the db error and turns it into the same exception
the API uses on duplicate entries.
The new version of mock is now released which has the fix to
make mock.patch.stopall behave deterministically. The code to
stop double-mocking is no longer required.
Other fixes:
'assert_has_calls' that have changed behavior in the new version
(no longer accepts single calls).
Calls to non-existent assert methods that did not exist and were
silently passing.
Use of autospec on a class with decorated functions.
Arista ML2 Mech driver for VLANs presently does
not filter out non-vlan type networks (e.g vxlan).
This fix will simply ignore the request if a
non-vlan based network request is seen.
Sean M. Collins [Fri, 26 Jun 2015 17:14:41 +0000 (11:14 -0600)]
Make IPAM more pythonic
__init__.py is usually an empty file, or contains platform specific
code to make the package function. One more use is to have __init__.py
contain import statements, to import functions and classes, for convenience.
get_snat_candidates() is about DVR routers scheduling and hence
should be a method of L3_DVRsch_db_mixin.
This commit does not modify anything, just moves.
Pavel Bondar [Wed, 4 Feb 2015 13:13:28 +0000 (16:13 +0300)]
Allow IPAM backend switch
Changed inheritance chain for NeutronDbPluginV2 to allow switching from
non-pluggable to pluggable IPAM implementation.
IpamNonPluggableBackend methods are called on it's instance,
instead of previous way where IpamNonPluggableBackend was parent for
NeutronDbPluginV2.
It allows switching IPAM implementation in set_ipam_backend
(IpamNonPluggableBackend to IpamPluggableBackend).
All methods that became public in IpamNonPluggableBackend were renamed.
This is refactoring step before Pluggable IPAM can be applied.
Move update_security_group_on_port to SecurityGroupDbMixin
Previously this function lived in SecurityGroupServerRpcMixin. This
patch moves this function to SecurityGroupDbMixin so plugins who don't
use SecurityGroupServerRpcMixin can leverage this function. This patch
has no affect to anyone using SecurityGroupServerRpcMixin as that inherits
from SecurityGroupDbMixin.
In Arista ML2 driver Reconfigure VLAN on VM migration
Whenever a VM moves from one compute node to the other, the VLAN on the old
switch interface was not removed and the VLAN was not being provisioned on the
new switch interface. With this patch, the VLANs are provisioned correctly.
Add sub-project lieutenant for networking-plumgrid
Since networking-plumgrid has been approved [1] in
governance to be part of Neutron. So as per the
concept of Lieutenants for Neutron, this patch defines
clear point of contact for networking-plumgrid.
Carl Baldwin [Tue, 7 Jul 2015 16:41:03 +0000 (16:41 +0000)]
Add IP_ANY dict to ease choosing between IPv4 and IPv6 "any" address
I'm working on a new patch that will add one more case where we need
to choose between 0.0.0.0/0 and ::/0 based on the ip version. I
thought I'd add a new constant and simplify a couple of existing uses.
The result of get_sorts was a 'zip object' in Python 3, and it was later used
as a list, which fails. Just cast the result to a list to fix this issue.
Pavel Bondar [Thu, 2 Jul 2015 08:35:18 +0000 (11:35 +0300)]
Track allocation_pools in SubnetRequest
To keep pluggable and non-pluggable ipam implementation consistent
non-pluggable one has to be switched to track allocation_pools and
gateway_ip using SubnetRequests.
SubnetRequest requires allocation_pools to be list of IPRanges.
Previously allocation_pools were tracked as list of dicts.
So allocation_pools generating and validating was moved before
SubnetRequest is created.
Kevin Benton [Tue, 30 Jun 2015 04:05:08 +0000 (21:05 -0700)]
Add ARP spoofing protection for LinuxBridge agent
This patch adds ARP spoofing protection for the Linux Bridge
agent based on ebtables. This code was written to be minimally
invasive with the intent of back-porting to Kilo.
The protection is enabled and disabled with the same
'prevent_arp_spoofing' agent config flag added for the OVS agent
in I7c079b779245a0af6bc793564fa8a560e4226afe.
The protection works by setting up an ebtables chain for each port
and jumping all ARP traffic to that chain. The port-specific chains
have a default DROP policy and then have allow rules installed that
only allow ARP traffic with a source CIDR that matches one of the
port's fixed IPs or an allowed address pair.
Carl Baldwin [Tue, 30 Jun 2015 20:22:46 +0000 (20:22 +0000)]
Refactor init_l3 to separate router port use case
Future work will extend init_l3 with more code specific to router
ports. It makes sense to separate these out in to one basic method
with basic L3 and another for router port specific logic.
During l3 agent periodic resync NamespaceManager takes care
of cleaning up stale router namespaces. This is true
for qrouter- and snat- namespaces. However stale fip-
namespaces also need to be cleaned up.
The patch adds fip-ns handling to the NamespaceManager.
This dictionary does not belong to the plugins directory as it captures
API business, but practically speaking it does not even deserve to exist
and can be removed altogether.
This is patch one in a series that aims at addressing this monkey business.
A missing entry causes a KeyError that leads the server to blow up during
startup. We can fallback on an empty path (like some services do), in case
the prefix is not specified.
Furthermore, we can be declarative with this property, the same way we are
with properties like aliases, bulk support, etc.
Carl Baldwin [Tue, 30 Jun 2015 20:23:39 +0000 (20:23 +0000)]
Refactor IpRuleCommand to take more arguments
The iproute2 rule command takes more arguments than the ones supported
by this wrapper. Particularly, for address scopes, we're interested
in iif and fwmark. Instead of adding these piecemeal, this change
makes the wrapper flexible to pass any of them using kwargs.
Callers of add / delete are updated to pass keyword arguments for
table and priority since they are no longer required positional
arguments. This looks better anyway.
Brian Haley [Thu, 2 Jul 2015 19:56:51 +0000 (15:56 -0400)]
Install more-specific ICMPv6 rule in DVR routers
The Openflow rule added in install_dvr_process_ipv6() is dropping
all ICMPv6 traffic, not just the Router Advertisement the comment
mentions. This is causing things like ping6 to fail to VMs on DVR
compute nodes because the reply packets are getting dropped in the
local DVR router before being sent to br-tun.
devref: document API status for neutron.openstack.common.*
Make sure we document the fact that neutron.openstack.common.* contents
are not meant to be used by external repositories (except, temporarily,
*aas repos).
If I could bootstrap the oslo-incubator subtree from scratch, I would
put it under neutron._openstack, to indicate that it's for internal
usage only. But we can't do it now, so instead I update devref.
Pavel Bondar [Thu, 25 Jun 2015 13:32:22 +0000 (16:32 +0300)]
Collapse create_subnet into single method
Previously create_subnet called different methods for subnet allocation
with subnetpool and without it.
_create_subnet_from_implicit_pool and _create_subnet_from_pool
were collapsed into single method _create_subnet.
This is intermediate step for supporting pluggable ipam.
Kevin Benton [Thu, 2 Jul 2015 08:45:46 +0000 (01:45 -0700)]
Downgrade log level for gone port on status update
If a port is deleted immediately before a status update arrives
from the L2 agent, the port will be missing from the DB. The current
code was logging this at the warning level, but this occurs during
normal operations so it should only be a debug event.
Code Review / openstack-build / neutron-build.git / log