Miguel Angel Ajo [Tue, 18 Aug 2015 06:35:00 +0000 (08:35 +0200)]
Fix tenant access to qos policies
fix policy.json to not allow tenants to create policies or rules
by default and allow tenants to attach ports and networks to policies;
please note that policy access is checked in the QoSPolicy neutron
object in such case.
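The access split described in this commit (tenants may read policies and attach their own ports or networks, but only admins may create policies or rules) can be traced through oslo.policy-style rules. The following is an added example, not the merged policy.json: the target names follow Neutron's QoS API, but the file contents and the tiny rule evaluator are assumptions written for this illustration.

```python
import json

# Constructed policy.json fragment in the style Neutron uses with oslo.policy.
# Target names mirror the QoS API; the concrete rule strings are an assumption.
POLICY_JSON = """
{
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "admin_only": "rule:context_is_admin",
    "regular_user": "",

    "create_policy": "rule:admin_only",
    "update_policy": "rule:admin_only",
    "delete_policy": "rule:admin_only",
    "get_policy": "rule:regular_user",
    "create_policy_bandwidth_limit_rule": "rule:admin_only",
    "get_rule_type": "rule:regular_user",

    "update_port": "rule:admin_or_owner",
    "update_network": "rule:admin_or_owner"
}
"""


def load_rules(text):
    """Parse the policy file into a {target: rule-expression} mapping."""
    return json.loads(text)


def check(rules, target_name, creds, target):
    """Evaluate one rule against caller credentials and the target resource.

    Supports only the grammar used in the fragment above: an empty string
    (always allowed), ' or ' alternation, 'rule:<name>' references,
    'role:<r>' membership tests and 'tenant_id:%(tenant_id)s' ownership tests.
    """
    expr = rules[target_name]
    if expr == "":
        return True
    for alternative in expr.split(" or "):
        kind, _, value = alternative.partition(":")
        if kind == "rule" and check(rules, value, creds, target):
            return True
        if kind == "role" and value in creds.get("roles", []):
            return True
        if kind == "tenant_id":
            # "%(tenant_id)s" is interpolated from the resource being acted on
            if value % target == creds.get("tenant_id"):
                return True
    return False


def qos_access_matrix():
    """Return who may do what: the outcome the commit message describes."""
    rules = load_rules(POLICY_JSON)
    admin = {"roles": ["admin"], "tenant_id": "admin-tenant"}
    tenant = {"roles": ["member"], "tenant_id": "tenant-a"}
    own_port = {"tenant_id": "tenant-a", "qos_policy_id": "policy-1"}
    foreign_port = {"tenant_id": "tenant-b", "qos_policy_id": "policy-1"}
    policy = {"tenant_id": "admin-tenant"}
    return {
        "admin_create_policy": check(rules, "create_policy", admin, policy),
        "tenant_create_policy": check(rules, "create_policy", tenant, policy),
        "tenant_create_rule": check(
            rules, "create_policy_bandwidth_limit_rule", tenant, policy),
        "tenant_get_policy": check(rules, "get_policy", tenant, policy),
        "tenant_attach_own_port": check(rules, "update_port", tenant, own_port),
        "tenant_attach_foreign_port": check(
            rules, "update_port", tenant, foreign_port),
    }


if __name__ == "__main__":
    for name, allowed in qos_access_matrix().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Note that `update_port` only establishes that the caller owns the port; whether the referenced `qos_policy_id` is visible to that tenant is a separate check, which is why the commit message points at the QoSPolicy object for that decision.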
Doug Wiegley [Mon, 17 Aug 2015 15:17:46 +0000 (09:17 -0600)]
Don't fatal error during initialization for missing service providers
Sometime during the split, code was added to fixup driver paths,
which imports service providers even for plugins which are not
in use. That, combined with neutron including default service
providers for VPN and LOADBALANCER, resulted in a really messy
mess in terms of removing VPN from the main neutron test suites.
This change stops the imports, so that if one of the services is
missing, neutron server can still start. It likely breaks the driver
path fixup, which can be fixed outside of this gate blockage.
This merge commit introduces QoS feature into Liberty release of
Neutron.
The feature is documented in: doc/source/devref/quality_of_service.rst
included with the merge patch.
It includes:
- QoS API service plugin with QoS policy and QoS bandwidth limit
(egress) rule support;
- core plugin mechanism to determine supported rule types, with its ML2
implementation;
- new agent extension manager;
- QoS agent extension with pluggable backend QoS drivers (Open vSwitch
and SR-IOV support is included).
To extend network and port core resources with qos_policy_id attribute,
a new ML2 extension driver (qos) was introduced that relies on the QoS
core resource extension (the idea is that eventually we'll get a core
resource extension manager that can be directly reused by core plugins).
Agent-server interaction is based on:
- get_device_details() method that is extended with qos_policy_id;
- a new push/pull mechanism that allows agents and servers to
communicate using oslo.versionedobjects based objects sent on the
wire.
The merge includes the following types of test coverage:
- unit tests;
- functional tests for OVS agent, QoS agent extension, and low level
ovs_lib changes;
- API tests to cover port/network qos_policy_id attribute and new QoS
resources.
This merge also disables qos extension API tests until the service is
enabled in master gate.
Local changes apart from conflicts:
- updated down_revision for qos migration to reflect master expand head;
- disabled qos API tests with gate_hook.sh until we have it enabled in
master gate;
- bumped oslo.versionedobjects requirement to reflect what is in
openstack/requirements' global-requirements.txt
Kevin Benton [Fri, 31 Jul 2015 01:07:03 +0000 (18:07 -0700)]
Use a conntrack zone per port in OVS
Conntrack zones per network are not adequate because VMs
on the same host communicating with each other cross iptables
twice. If conntrack is sharing the same zone for each cross,
the first one can remove the connection from the table on a RST
and then the second one marks the RST as invalid.
This patch adjusts the logic to use a conntrack zone per port
instead of per network. In order to avoid interrupting upgrades
or restarts, the initial zone map is built from the existing
iptables rules so existing port->zone mappings are maintained.
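The upgrade-safety point above, rebuilding the port-to-zone map from the rules already present so running ports keep their zone, is shown here as an added example that is not the patch's code. The `iptables-save` output is constructed, and the rule layout (`--physdev-in <dev> -j CT --zone <n>`) and the zone range are assumptions made for this illustration.

```python
import re

# Constructed 'iptables-save -t raw' output; device names and zones are sample
# values. A rule appears twice for tap11111111-11 to show the parser is idempotent.
SAMPLE_IPTABLES_SAVE = """\
*raw
:PREROUTING ACCEPT [0:0]
:neutron-openvswi-PREROUTING - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A neutron-openvswi-PREROUTING -m physdev --physdev-in tap11111111-11 -j CT --zone 1
-A neutron-openvswi-PREROUTING -m physdev --physdev-in tap22222222-22 -j CT --zone 3
-A neutron-openvswi-PREROUTING -m physdev --physdev-in tap11111111-11 -j CT --zone 1
COMMIT
"""

# Matches the per-port zone assignment rule assumed above.
ZONE_RULE_RE = re.compile(r"--physdev-in (?P<dev>\S+) .*-j CT --zone (?P<zone>\d+)")


def populate_initial_zone_map(iptables_save_output):
    """Recover {device: zone} from existing rules so restarts keep mappings."""
    zones = {}
    for line in iptables_save_output.splitlines():
        match = ZONE_RULE_RE.search(line)
        if match:
            zones[match.group("dev")] = int(match.group("zone"))
    return zones


class ZoneAllocator:
    """Hands out one conntrack zone per port, never reusing a zone in use."""

    MAX_ZONE = 65535  # assumed upper bound of the usable zone id space

    def __init__(self, initial_map):
        self._map = dict(initial_map)

    def get_zone(self, dev):
        """Return the existing zone for dev, or the lowest free one."""
        if dev in self._map:
            return self._map[dev]
        in_use = set(self._map.values())
        for zone in range(1, self.MAX_ZONE + 1):
            if zone not in in_use:
                self._map[dev] = zone
                return zone
        raise RuntimeError("conntrack zone space exhausted")

    def release(self, dev):
        """Free the zone when the port is removed from the host."""
        self._map.pop(dev, None)

    def rule_for(self, dev):
        """Raw-table rule assigning dev's traffic to its own zone."""
        zone = self.get_zone(dev)
        return ("-A neutron-openvswi-PREROUTING -m physdev --physdev-in %s "
                "-j CT --zone %d" % (dev, zone))


if __name__ == "__main__":
    alloc = ZoneAllocator(populate_initial_zone_map(SAMPLE_IPTABLES_SAVE))
    print(alloc.rule_for("tap22222222-22"))   # keeps zone 3 across the restart
    print(alloc.rule_for("tap33333333-33"))   # new port gets the free zone 2
```

Because each port's traffic is tracked in its own zone, the two iptables traversals of a VM-to-VM flow on one host see separate connection entries, so a RST consumed by the first traversal cannot make the second one classify the same packet as INVALID.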
Ryan Moats [Fri, 14 Aug 2015 13:25:17 +0000 (08:25 -0500)]
Add dashboard folder and graphite dashboard to doc
Create a dashboard folder to hold HTML files that provide
dashboard views into various parts of neutron. This allows
the dashboards to be "living code" rather than frozen in
amber via shortened URLs.
The first dashboard example is a simple HTML file that
shows thumbnails of graphite plots of all neutron jobs
in the check pipeline. Clicking a thumbnail brings up
the larger graphite plot page.
Change-Id: I47e7718c2aae41c8308fd331377984e47a892294
Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
Kyle Mestery [Thu, 13 Aug 2015 16:33:18 +0000 (16:33 +0000)]
lieutenants: Add Neutron infra lieutenants
It's become clear we need to have a centralized contact point
(or points) for Neutron interactions with infra. Lets start out
by making that Doug and Armando for now. Note this list is
alphabetized by last name for those curious on the ordering.
DVR: do not reschedule router for down agents on compute nodes
Scheduling/unscheduling of DVR routers with l3 agents in 'dvr' mode
running on compute nodes is done according to DVR serviced ports
created/deleted on those compute nodes. It doesn't make sense to reschedule
a router from an l3 agent on a compute node even if it's down - no other l3 agent
can handle VMs running on that compute node.
Isaku Yamahata [Tue, 21 Oct 2014 02:30:32 +0000 (11:30 +0900)]
Replace internal calls of create_{network, subnet, port}
When the API controller calls method create_{network, subnet, port},
it makes sure that the necessary default values for attrs are filled properly
according to attr mapping.
However, internal calls to these methods do not follow the convention,
when extension codes miss these values, exceptions will be thrown.
This patch introduces helper functions to fix up arguments and replaces
the direct callers of those methods.
Co-Authored-By: gong yong sheng <gong.yongsheng@99cloud.net>
Co-Authored-By: yalei wang <yalei.wang@intel.com>
Change-Id: Ibc6ff897a1a00665a403981a218100a698eb1c33
Closes-Bug: #1383546
This patch is a clean-up to prevent future breakage by eliminating
potentially dangerous code.
l3_db and related code use L2 plugin _get_subnet and related method
unnecessarily instead of get_subnet.
It's dangerous because _get_subnet returns ORM db object which allows
the caller to update db rows directly. So the caller of _get_subnet
may update subnet db without notifying L2 plugin unintentionally.
In that case, L2 plugin or ML2 mechanism driver will be confused.
This patch replaces _get_subnet and _get_subnets_by_network with
get_subnet, get_subnets_by_network where possible.
This patch is a clean-up to prevent future breakage by eliminating
potentially dangerous code.
l3_db uses L2 plugin _get_port method unnecessarily instead of get_port.
It's dangerous because _get_port returns ORM db object which allows
the caller to update db rows directly. So the caller of _get_port may
update port db without notifying L2 plugin unintentionally.
In that case, L2 plugin or ML2 mechanism driver will be confused.
This patch replaces _get_port with get_port method where possible.
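The hazard named in the two clean-up commits above (an internal `_get_*` helper returning the live ORM row, so a caller can silently change the database behind the plugin's back) is easier to see with a reduced model. The following is an added example, not Neutron's code: the in-memory `_rows` store stands in for the DB session, `Port` for the mapped row, and the notification list for what the L2 plugin or an ML2 mechanism driver would otherwise be told.

```python
class Port:
    """Stand-in for an ORM-mapped port row; attribute writes are DB writes."""

    def __init__(self, port_id, admin_state_up=True):
        self.id = port_id
        self.admin_state_up = admin_state_up


class L2Plugin:
    """Reduced plugin with the two access styles the commits contrast."""

    def __init__(self):
        self._rows = {}          # stand-in for the database session
        self.notifications = []  # what mechanism drivers get to hear about

    def create_port(self, port_id, admin_state_up=True):
        self._rows[port_id] = Port(port_id, admin_state_up)
        self.notifications.append(("create_port", port_id))
        return self.get_port(port_id)

    def _get_port(self, port_id):
        """Internal helper: hands out the live row (the dangerous pattern)."""
        return self._rows[port_id]

    def _make_port_dict(self, row):
        return {"id": row.id, "admin_state_up": row.admin_state_up}

    def get_port(self, port_id):
        """Public API: a detached dict view, safe to hand to other modules."""
        return self._make_port_dict(self._get_port(port_id))

    def update_port(self, port_id, fields):
        """Public API: the only write path that notifies drivers."""
        row = self._get_port(port_id)
        for key, value in fields.items():
            setattr(row, key, value)
        self.notifications.append(("update_port", port_id))
        return self._make_port_dict(row)


def unsafe_caller(plugin, port_id):
    """An l3_db-style caller using the private helper: the row is changed
    in place and no update notification is ever emitted."""
    port = plugin._get_port(port_id)
    port.admin_state_up = False
    return len(plugin.notifications)


def safe_caller(plugin, port_id):
    """The same intent via the public API: mutating the returned dict has
    no effect on the DB, and the real change goes through update_port."""
    port = plugin.get_port(port_id)
    port["admin_state_up"] = False  # only the copy changes
    assert plugin._rows[port_id].admin_state_up is True
    plugin.update_port(port_id, {"admin_state_up": False})
    return len(plugin.notifications)


if __name__ == "__main__":
    p = L2Plugin()
    p.create_port("port-a")
    print("unsafe:", unsafe_caller(p, "port-a"), p.notifications)
    q = L2Plugin()
    q.create_port("port-b")
    print("safe:", safe_caller(q, "port-b"), q.notifications)
```

The defensive rule the commits apply is simply to treat `_get_*` as private to the owning plugin and to go through the public `get_*`/`update_*` pair elsewhere, so every database change also reaches the drivers that maintain state derived from it.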
Kevin Benton [Thu, 13 Aug 2015 23:58:02 +0000 (16:58 -0700)]
Break down _bind_port_if_needed in ML2
Separate the looping and retry logic in _bind_port_if_needed
from the actual binding attempts. This also eliminates the
'while True' loop with a regular for loop counter to make it
a little easier to reason about.
A suggestion to do this came up in a code review for
I437290affd8eb87177d0626bf7935a165859cbdd because the function
was difficult to reason about.
Brian Haley [Thu, 13 Aug 2015 20:57:59 +0000 (16:57 -0400)]
Remove 'action' argument from _handle_fip_nat_rules()
There's only one caller of _handle_fip_nat_rules(), and they
always specify 'add_rules' as the argument, so it's not
necessary any more. Also, the interface passed must be valid
since the caller has already used it, and would have thrown
an exception before this call was made. Found during another
code review.
Guard against potential down_revision interleave by checking that each
revision has the only revision that corresponds to its location in the
migration tree, and that its parent also has that same single label.
John Schwarz [Wed, 12 Aug 2015 10:39:28 +0000 (13:39 +0300)]
Add configurable options for HA networks
The L3 HA mechanism creates a project network for HA (VRRP) traffic
among routers. The HA project network uses the first (default) network
type in 'tenant_network_types'. Depending on the environment, this
combination may not provide a desirable path for HA traffic. For
example, some operators may prefer to use a specific network for HA
traffic to prevent split-brain issues.
This patch adds configurable options that target the network_type and
the physical_network of the created HA network.
Henry Gessau [Sun, 5 Jul 2015 07:29:38 +0000 (03:29 -0400)]
Support for independent alembic branches in sub-projects
Sub-projects shall now register their independent alembic migrations
via entrypoints in setup.cfg, and neutron-db-manage will discover them
and run them automatically.
If a service or sub-project is specified explicitly, then
neutron-db-manage will run on only that service or sub-project.
The advanced services project are just special cases of sub-projects.
For example, specifying the CLI option '--service lbaas' is the same
as specifying '--subproject neutron-lbaas'.
Specifying no service or sub-project will cause neutron-db-manage to
run the command on neutron and all installed sub-projects.
Added and consolidated documentation into devref for alembic migrations.
Kanzhe Jiang [Thu, 13 Aug 2015 03:36:54 +0000 (20:36 -0700)]
Remove bigswitch mech_driver entry point definition
After vendor driver split, the entry point for bigswitch ml2
mechanism_driver is no longer valid. The new entry point is defined in
the networking-bigswitch stackforge repo.
Adolfo Duarte [Fri, 19 Jun 2015 02:50:13 +0000 (19:50 -0700)]
Preserve DVR FIP rule priority over Agent restarts
IP rule priorities assigned to DVR floating IPs need
to be preserved over L3 agent restarts. Reuse
the ItemAllocator class decomposed from Link Local IP
address allocation. Also move common unit tests to
ItemAllocator class.
Improve callback registry devref documentation and usability
Latest developments have revealed that the registry can be misused
under certain circumstances, and that it can be harder to use by
projects that extend Neutron.
This patch improves the devref documentation so that developers know
what to expect.
John Davidge [Fri, 7 Aug 2015 15:27:47 +0000 (16:27 +0100)]
Fix update_subnet for prefix delegation
A misnamed function call and execution order issue was causing
update_subnet to fail when a PD enabled subnet received a new CIDR.
This patch fixes the issues, and introduces an rpc api test to
ensure the function works. This includes altering the process_prefix_update
RPC handler to expose the issue to the test.
Fix DVR interface delete by port when gateway is set
When removing a DVR interface by port, the subnet_id
passed to delete_csnat_router_interface_ports is None,
and so it deletes all the DVR SNAT ports for the
router.
This patch fixes this issue by passing in the right
subnet_id to the delete_csnat_router_interface_ports.
shihanzhang [Tue, 9 Jun 2015 09:47:39 +0000 (17:47 +0800)]
Destroy ipset when the corresponding rule is removed
If a security group has a rule which allows a remote group access,
but this remote group has no IPv4 and IPv6 members, L2 agent
should not clear the remote group in internal cache of sg_members,
because when above rule is deleted, L2 agent can get the remote group
id from the diff of pre_sg_members-sg_members, then destroy the ipset
set for remote group.
John Schwarz [Mon, 3 Aug 2015 15:55:31 +0000 (18:55 +0300)]
Forbid attaching rules if policy isn't accessible
Following up patch If06de416dfe0eb7115fd4be9feb461fae8e8358d, this patch
continues to make sure all access to QoS policies is attempted safely -
if the policy doesn't exist or it's not accessible (for tenant_id
reasons), then an exception will be raised instead.