Sylvain Afchain [Wed, 6 Aug 2014 12:32:51 +0000 (15:32 +0300)]
Add HA support to the l3 agent
* Add HA mixins used by RouterInfo and LNAT3Agent
* For HA routers: Internal, external and floating IP addresses are no
  longer configured by the agent. Instead the interfaces and addresses
  are passed to a keepalived configuration, which configures the
  addresses when the router transitions to the master state.
* Only the master instance of the router opens the metadata proxy.
  This happens due to keepalived notification scripts that are
  called upon state transitions.
* Extra routes are handled via keepalived virtual routes and are
  no longer configured by the agent.
* HA routers create a 'HA device' on a VRRP-traffic only HA-network.
* Functional testing: Add two new tests to the L3 agent:
  1) Translation of a router configuration to a keepalived
     configuration.
  2) HA specific events when creating a HA router - Assert that
     keepalived is up, etc.
Kevin Benton [Sun, 14 Sep 2014 09:22:57 +0000 (02:22 -0700)]
Fix a test_db_plugin unit test side_effect usage
One of the unit tests didn't correctly use the side_effect
parameter for a mock to return different responses to multiple
calls, which resulted in an extra try-except block and an inline
note. This commit fixes the side_effect and removes the extra
catching code.
Fix KeyError on missing gw_port_host for L3 agent in DVR mode
The order of Mixin imports broke the MRO, which caused some methods
in the L3 hierarchy to be ignored. In particular, _build_routers_list
for DVR was no longer called, which led to the stacktrace observed on
the L3 agent side.
Pritesh Kothari [Thu, 21 Aug 2014 06:51:16 +0000 (23:51 -0700)]
Remove the Cisco Nexus monolithic plugin
The Cisco Nexus monolithic plugin does not work without the Open
vSwitch plugin. The Open vSwitch plugin is scheduled to be removed
as per #1323729. This patch removes the Nexus Hardware switch
related plugin code. The N1KV virtual switch related code will
still remain in the tree as it doesn't depend on Open vSwitch
plugin.
Sylvain Afchain [Mon, 20 Jan 2014 22:38:29 +0000 (23:38 +0100)]
Add a new scheduler for the l3 HA
This patch updates all schedulers in order to support the
scheduling of HA routers. It also refactors and adds tests for
the auto scheduling part.
The schedulers aren't expected to work when creating a router
that's both distributed and highly available. Specific issues
will be reported as bugs and fixed in a future patch.
This patch amends migrations added after the icehouse release
and before the healing migration.
Migrations are changed in a way that they are no longer
dependent on configuration parameters but are anyway aware of
the fact that the database has not yet been healed.
To this aim, amended migrations now will need to inspect the
current schema and can no longer be used in offline mode;
this is consistent with the behaviour of the healing migration.
This patch does not remove the logic for generating and
managing configuration-dependent migrations. For this reason
upgrade and downgrade routines still accept the active_plugins
parameter, which will not be used.
This patch replaces folsom initial state and all migrations
from folsom to havana, with a new, configuration independent
initial db state, corresponding to the havana release.
In order to avoid large modules, "init ops" modules have been
created for all plugins, service plugins, and extensions.
Some migrations after the havana release were amended or
removed to reflect the new initial state being introduced.
shihanzhang [Mon, 4 Aug 2014 09:31:01 +0000 (17:31 +0800)]
Adds ipset support for Security Groups
An iptables chain is linear in storage and filtering. When the iptables
rules are large, the load on the l2 agent is heavy. This patch introduces
ipset to security groups to improve security group performance.
In router remove path process_router(), processing of floating ips
is getting skipped. This change adds processing of floating ips
if the external gateway for the router was previously set. Since
DVR uses FIP namespaces and agent gateway ports, this change ensures
such ports and namespaces are removed.
ofagent has code for agent-on-DomU support inherited from OVS agent.
However, it's incomplete and broken. Because ofagent uses a direct
OpenFlow channel instead of ovs-ofctl command to program a switch,
the method to use the special rootwrap can not work.
The Arista ML2 plugin was not passing the admin tenant name to EOS without which
it is not possible to authenticate with keystone using just the admin name
and password. This patch passes the admin tenant name along with the admin
credentials.
Cedric Brandily [Wed, 27 Aug 2014 09:35:41 +0000 (11:35 +0200)]
Remove useless check in _rpc_update_firewall
Firewall_db_mixin.update_firewall returns an updated firewall or raises
an error (if the firewall is not found), which is why checking whether
its result evaluates to False is not required.
Henry Gessau [Wed, 10 Sep 2014 03:50:09 +0000 (23:50 -0400)]
Use renamed _fail_second_call() in cisco nexus tests
In commit 5e4b0c6fc6670ea036d801ce53444272bc311929 NeutronDbPluginV2TestCase
_do_side_effect() was renamed to _fail_second_call(), but the nexus test cases
were not updated. The tests still worked because they check for
HTTPInternalServerError which is the end result of the server encountering
"AttributeError: object has no attribute '_do_side_effect'". So the fault
injection still worked, but not in the way intended.
Note: the monolithic nexus plugin is not updated here since it is being
removed from the tree.
Sylvain Afchain [Mon, 26 May 2014 12:28:06 +0000 (14:28 +0200)]
Add L3 VRRP HA base classes
Add L3 HA base classes on the plugin side. A new admin-only ha
attribute is added to the API router resource. Conversion from
or to HA router is possible. Each tenant gets a single network
used for HA traffic. The tenant_id for that network is set to
'' so that it isn't visible via the CLI or GUI. A new table
is added to map a tenant to its HA network. Specific HA
attributes are added to the extra router attributes table.
Finally, each HA router gets a port on the HA network, per
l3 agent it is scheduled on. A new table is added to track
these bindings. A new table is added in order to track
VRID allocations.
DVR integration is not expected to work. Any issues will
be reported as bugs and handled after the feature merges.
Migrating a router to HA or from HA works server side
but is not expected to work (yet) agent side. This will be
dealt with as a bug in the future.
Don't allow user to set firewall rule with port and no protocol
Creating firewall rules specifying a destination port and/or a source
port without a protocol generates rules without src or dest port
restriction. This was a real security issue for cloud users.
This patch generates a 400 Bad request "Source/destination port
requires a protocol" in case of creation/update of firewall rules
specifying a destination port and/or a source port and without protocol.
Kevin Benton [Wed, 25 Jun 2014 06:12:43 +0000 (06:12 +0000)]
UTs: Disable auto deletion of ports/subnets/nets
Change the behavior of the unit test context managers
for ports, networks, and subnets to skip the deletion
of the objects they create.
Adds explicit delete calls to the tests that require
deletion of the objects.
This is the first patch in a series to eliminate the
automatic deletion of objects created during tests to
improve test performance and make testing more explicit.
Sam Betts [Fri, 5 Sep 2014 15:16:01 +0000 (16:16 +0100)]
Remove second call to get_subnets in delete_subnet
delete_subnet made calls to both get_subnet and _get_subnet.
get_subnet uses _get_subnet, so multiple database requests were being
made. This patch removes the call to get_subnet and directly calls
_make_subnet_dict using the result of _get_subnet.
Changes to support FWaaS in a DVR based environment
Implementation of Spec to address the changes required for FWaaS
to work with DVR to handle:
* Perimeter Firewall support on N - S traffic
* Ensure that E - W DVR traffic is not broken.
Michael Smith [Tue, 2 Sep 2014 17:07:04 +0000 (17:07 +0000)]
Call unbind_snat_servicenode from schedule router
Refactor to move the call to plugin.unbind_snat_servicenode from
schedule_snat_router to _schedule_router. This is a move to pave the
way for removing hints from schedule router.
NSX: Correct allowed_address_pair return value on create_port
This patch fixes the NSX plugin to return [] rather than None for a
port that does not have any allowed_address_pairs when a create_port API
call is made. Currently the NSX plugin is failing every patch because
tempest is now checking for this value to be [].
The factory method provided by the library should be used to create a
server object. This allows changing the server's internal implementation
without touching end users.
Also removed custom dispatcher. Its only purpose was to log messages.
If logging is configured accordingly all incoming messages will be
logged from oslo/messaging/_drivers/amqpdriver.py [1]
Michael Smith [Tue, 2 Sep 2014 17:05:12 +0000 (17:05 +0000)]
Remove subnet_id from check_ports_exist_on_l3agent
Refactor check_ports_exist_on_l3agent so that subnet_id no longer
needs to be passed. Instead it calls get_subnet_ids_on_router. This
helps to pave the way for removing hints from schedule router.