Aaron Rosen [Sun, 10 Mar 2013 21:09:28 +0000 (14:09 -0700)]
port_security migration does not migrate data
The port security migration previously created the correct table structure but
it did not migrate the old data into this table. This patch adds code that
copies the id fields from networks and ports into the portsecuritybindings
and networksecuritybindings tables.
One thing to note is that in grizzly, when a port is created on a network that
has port_security_enabled=True, the port will also be created with
port_security_enabled=True. But since ports in NVP were not previously
created with the mac/ip security address pairs, we have to set the
port_security_enabled value of existing ports and networks to False. One could easily
write a script to set these values to True after applying this migration.
Roman Podolyaka [Tue, 5 Mar 2013 16:53:51 +0000 (18:53 +0200)]
Fix detection of deleted networks in DHCP agent.
The DHCP agent uses an in-memory networks cache to find out which networks must
be deleted and which ones must be updated. In the case of an agent restart the networks
cache is empty and it's not possible to clean up DHCP processes serving networks
which were deleted while the DHCP agent was down. The proposed fix fills the networks
cache when the agent starts, using the list of networks which have existing config files.
Several plugins added l3 support in the grizzly release. This means that
when upgrading from the folsom data model, the relevant data model changes
should be applied.
In order to do so this patch refactors the initial migration in order
to be able to reuse the upgrade_l3 and downgrade_l3 routines.
Due to a bug in setting up external ports the Hyper-V agent fails to work in
scenarios with VLAN and flat networks.
Furthermore, a warning message on Hyper-V 2012 indicates that external
port settings are ignored. As a result the agent can be simplified by
avoiding vswitch external ports configurations.
Raise an exception causing a 409 error to be returned if the port_id or
subnet_id specified in the request body does not exist, before the
operation is processed further (which would cause a 500 error to be
returned to the user).
This patch checks if a metadata access network is still present when
removing a router in the NVP plugin. If yes, the network is detached
from the router and then destroyed, thus ensuring a safe completion of
the operation as well as removal of metadata access network resources.
This patch simply causes a 409 to be returned when attempting to
delete a subnet which has IPs on ports whose device_owner is
network:router_interface.
This does not address a similar problem that arises when the IPs for
a port owned by a router_interface are updated. This problem is hidden
when updating a port which has been assigned the gateway_ip by an
exception in the IP recycling process. However, it will hit when the
port was explicitly added to the router, since it will have an IP
different from the subnet's gateway IP.
Aaron Rosen [Fri, 8 Mar 2013 18:02:31 +0000 (10:02 -0800)]
Update to Quantum Client 2.2.0
This patch updates tools/pip-requires to use python-quantumclient 2.2.
It also limits the version to <3.0.0 to prevent breaking something accidentally
when 3.0.0 is released.
Aaron Rosen [Wed, 6 Mar 2013 20:21:08 +0000 (12:21 -0800)]
Add explicit egress rules to nvp security profile
The following commit 7e26074b changed the previous behavior of quantum
security groups by explicitly adding egress rules to the security profile.
When these rules are removed the VM is no longer able to send traffic out.
This patch adds these rules for NVP. One thing to note in the patch
is that now a bunk rule of IPv4 127.0.0.1/32 is added to each security
profile. The reason for this is by default NVP security profiles allow
all egress traffic until a rule is added and then it just lets traffic
matching those rules out. Adding this bunk rule achieves this behavior
that quantum now uses.
Dan Prince [Thu, 7 Mar 2013 17:41:30 +0000 (12:41 -0500)]
Update tox.ini to support RHEL 6.x.
In order to support running unit tests on RHEL 6.x we need to patch
eventlet with contrib/redhat-eventlet.patch. We already
have support for this in tools/install_venv_common.py but we
need to make a couple of changes to allow tox to consume this:
1) Sync in the latest install_venv_common.py from oslo. This changes
patch to use the -N option (ignore already applied patches) and
makes it safe to call the patching function more than once.
2) Add a new patch_tox_venv.py script in tools.
3) Update tox.ini to call patch_tox_venv.py before it runs tests and
coverage.
NOTE: This will hopefully go away eventually once this patch lands:
Akihiro MOTOKI [Wed, 13 Feb 2013 13:42:29 +0000 (22:42 +0900)]
Disable secgroup extension when Noop Firewall driver is used
When the Noop Firewall driver is used, Quantum security groups actually do
nothing in the OVS and Linux Bridge plugins. It would be better to disable
the security group extension in such a case to avoid confusion.
This way we can determine whether Quantum security groups are enabled
by checking the extension list.
This commit changes the OVS/LB/NEC/Ryu plugins, which have an agent firewall_driver
based security group implementation.
Currently the format of the error message returned by the quota extension is
different from Quantum's other resources. Other resources return
JSON (e.g. '{"QuantumError": "error message"}'), but the quota extension only
returns messages without any format.
'quantum.api.v2.resource.Resource' provides error message processing,
so wrap the quota controller with it.
By the way, fix some small stuff:
* Use the specific exception 'QuotaTenantNotFound' instead of a generic exception.
* Correct error message.
* Use attribute mapping when checking the request body.
The patch set shows the default quotas that exist in
the configuration file. This is if the DB_QUOTA_DRIVER
is not configured. In this case the user is required
to update the configuration file and restart the service.
Now that the dhcp-agent also uses ns-metadata-proxy, we need to make sure
those rootwrap filters are installed in scenarios where the dhcp-agent is
installed but the l3-agent is not.
Aaron Rosen [Wed, 6 Mar 2013 23:02:12 +0000 (15:02 -0800)]
isolated network metadata does not work with nvp plugin
This patch removes the "not self.conf.enable_metadata_network"
check before adding METADATA_DEFAULT_IP to ip_cidrs. The result
of this is that the dhcp agent interface will have
169.254.169.254/16 on it even if the network has
enable_metadata_network=True, which doesn't matter and happens anyway if one
sets enable_meta_network=False. This change only affects the nvp plugin
as this is the only one that uses the enable_metadata_network flag.
Aaron Rosen [Wed, 6 Mar 2013 01:48:35 +0000 (17:48 -0800)]
Fix syntax error in credential.py and missing __init__.py
This patch fixes a syntax error in credential.py and resolves
the following import error:
In [1]: from quantum.plugins.cisco.extensions import _credential_view as a
---------------------------------------------------------------------------
ImportError Traceback (most recent call last)
/opt/stack/quantum/<ipython-input-1-ef3f11a361d0> in <module>()
----> 1 from quantum.plugins.cisco.extensions import _credential_view as a
The return value of the call to os.path.abspath('../../..') depends on the setup of
the nose working directory. Change it to return the directory where
test_config.py resides.
Davanum Srinivas [Tue, 26 Feb 2013 20:43:50 +0000 (15:43 -0500)]
Prevent DoS through XML entity expansion
Add a ProtectedXMLParser that overrides the
doctype declaration handler. The handler simply
throws an exception and prevents any further
parsing of the incoming XML.
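As an added example, not the Quantum project's own code: a Python parser built on expat that takes the approach described above, aborting on any DOCTYPE declaration before any DTD-defined entity can be expanded. The function names and the sample request bodies are constructed for this illustration.

```python
"""Reject any XML body that carries a DOCTYPE, so DTD-defined entities are never expanded."""
from xml.parsers import expat

class ForbiddenDoctype(ValueError):
    """Raised as soon as a <!DOCTYPE ...> declaration is seen."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE, inline subset or external DTD reference alike, is refused.
    # Raising inside the handler aborts expat's Parse() at once, so nothing
    # declared by the DTD is ever expanded.
    raise ForbiddenDoctype("DOCTYPE declaration not accepted: %r" % name)

def parse_protected(data):
    """Parse bytes/str into nested {"tag", "attrs", "children", "text"} dicts."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    nodes, stack = [], []  # nodes[0] becomes the root element

    def start(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "children": [], "text": ""}
        (stack[-1]["children"] if stack else nodes).append(node)
        stack.append(node)

    def end(tag):
        stack.pop()

    def chars(chunk):  # character data may arrive in several pieces, so concatenate
        if stack:
            stack[-1]["text"] += chunk

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return nodes[0]

# Constructed sample bodies in the shape of Quantum API requests.
SAFE_BODY = b"<network><name>demo</name><admin_state_up>true</admin_state_up></network>"
INLINE_DTD_BODY = b'<!DOCTYPE network [<!ENTITY n "demo">]><network><name>&n;</name></network>'
EXTERNAL_DTD_BODY = b'<!DOCTYPE network SYSTEM "network.dtd"><network><name>demo</name></network>'

def is_accepted(data):
    """True if the body parses, False if the protected parser rejected a DOCTYPE."""
    try:
        parse_protected(data)
    except ForbiddenDoctype:
        return False
    return True
```

Because the exception fires on the DOCTYPE event itself, both the inline subset and the external DTD reference are rejected before expat reads any entity declaration.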
Jason Zhang [Thu, 6 Dec 2012 19:39:34 +0000 (11:39 -0800)]
Set up device alias by device flavor information.
The router interface cannot be deleted since the MetaPlugin
cannot get the flavor information from the port which has
been deleted.
The solution is setting up the alias for each device based
on the flavor information, so the MetaPlugin can still get
the flavor information from the device itself even after the
port has been deleted.
Also the router interface cannot be deleted since the
l3_port_check flag is not passed by MetaPlugin.
This patch alters the prevent_l3_port_deletion logic.
PortInUse is raised only if the port has a device owner in
(router_interface, router_gateway, floatingip) and an IP
address.
If no IP address is found on the port the port itself can
be considered stale and therefore deleted as any association
with l3 entities would be void.