YAMAMOTO Takashi [Tue, 17 Feb 2015 05:11:11 +0000 (14:11 +0900)]
OVS UT: Fix some confusions between local vlan id and segmentation id
Also, use different values for them to expose mistakes.
Details:
There are two kinds of vlan ids involved here:
* local vlan id, which is managed by each agent in a node-local manner.
* segmentation id, which is managed by the corresponding ML2 type driver.
These tests use the distinct variables for them.
(LV_ID and LS_ID respectively)
However, these variables are misused in some places, relying on the fact
that their values are the same. (42)
Brian Haley [Tue, 17 Feb 2015 20:57:10 +0000 (15:57 -0500)]
Un-break tox for unit tests
Running 'tox -e py27 $some_unit_test' is always failing now
with tox 1.6.0, with this being printed at the beginning:
ERROR: InvocationError: could not find executable 'dsvm-functional:'
Seems commit 540e4d791ff2573aae38810f4c39f2d6f46d8898
(Automate host configuration for functional testing)
added some code to tox.ini that requires version 1.8 or later,
so make that the minimum.
Fix FIP agent gw port delete based on external net
Today the FIP agent gateway port for DVR is deleted
based on the host. When there are multiple external
networks, then the port deletion for the second
external network may fail.
So the current fix checks for the valid host and
external network id and then deletes the FIP agent
gw port if it is the last one to be deleted.
Lucian Petrut [Tue, 27 Jan 2015 13:23:27 +0000 (15:23 +0200)]
Hyper-V: Fixes security groups issue
After this patch If19be8579ca734a899cdd673c919eee8165aaa0e refactored
securitygroups_rpc, prepare_devices_filter attempts to use methods
unimplemented by the HyperV security groups driver.
For this reason, binding ports fails with NotImplementedError if
security groups are enabled.
Until the HyperV security groups driver reaches parity, the
use_enhanced_rpc property should be set to False on the
HyperVSecurityAgent, falling back to the old behaviour.
Miguel Angel Ajo [Thu, 12 Feb 2015 14:32:58 +0000 (14:32 +0000)]
Setup br-tun in secure fail mode to avoid broadcast storms
When not creating br-tun in secure fail mode, there are chances to
get a broadcast storm from br-tun.
For example, this occurs when at least three nodes have the br-tun
OpenFlow rules reset in and a broadcast/multicast packet enters br-tun.
This can happen if:
* openvswitch is restarted, until the agent reloads the OpenFlow rules.
* during neutron-openvswitch-agent restart, br-tun is reset, and there
is a few seconds timeframe where tunnel endpoints are plugged and OF
rules are reset.
Secure fail mode doesn't forward traffic by default if no rule is hit.
Assaf Muller [Fri, 13 Feb 2015 16:35:02 +0000 (11:35 -0500)]
Delete qg device during DVR-SNAT router deletion
In the DVR SNAT case, the 'qg' device was not deleted because
of patch:
https://review.openstack.org/#/c/151882/
During functional testing, the device is deleted
during the external bridge deletion. Because that happens after
the SNAT namespace is already deleted, it can cause a kernel
panic or ovs-vswitchd crash for certain OVS versions.
Also added assertions that all router interfaces were properly
cleaned up during functional testing, and enabled the unit tests
to catch this type of error.
Maru Newby [Fri, 9 Jan 2015 15:02:59 +0000 (15:02 +0000)]
Automate host configuration for functional testing
This change adds a new script, configure_for_func_testing.sh, that
automates configuration of a host to support functional testing. The
script's functionality is consumed by a refactored version of
gate_hook.sh, and both minimizes runtime and removes the previous
dependency on the devstack-gate repo.
Additionally, the dsvm-functional tox env is no longer dependent on
devstack to deploy neutron's rootwrap configuration system-wide.
Rootwrap configuration is now deployed to the target tox venv on each
tox invocation.
Robert Kukura [Fri, 22 Aug 2014 09:01:03 +0000 (05:01 -0400)]
ML2: Hierarchical port binding
The ML2 port binding logic is modified to support hierarchical
bindings. If a mechanism driver's bind_port() calls continue_binding()
rather than set_binding(), the supplied dynamic segments are used for
another level of binding.
Robert Kukura [Thu, 21 Aug 2014 19:46:11 +0000 (15:46 -0400)]
ML2: DB changes for hierarchical port binding
To support hierarchical port binding, the driver and segment columns
are moved from the ml2_port_bindings and ml2_dvr_port_bindings tables
to a new ml2_port_binding_levels table. This new table can store
multiple levels of binding information for each port. It has the host
as part of its primary key so that it can be used for both normal and
DVR port bindings.
The cap_port_filter column is also removed from the
ml2_dvr_port_bindings table, since the adjacent driver and segment
columns are being moved, and this can trivially be done via the same
DB migration. It was included in the table by mistake and was never
used.
The logic required for hierarchical port binding will be implemented
in a dependent patch.
Assaf Muller [Wed, 11 Feb 2015 15:55:19 +0000 (10:55 -0500)]
Cleanup in keepalived tests
A recent patch introduced a new keepalived manager utility
function which returns the keepalived.conf file contents,
but the keepalived functional test was not updated to use it.
Also, a bunch of unneeded logging configuration was removed from
this test.
Additionally, the keepalived configuration functional test
in the L3 agent testing module compares expected configuration
to an in-memory representation of the configuration that will
be persisted to disk. It's better to compare the expected
configuration with what was actually written to disk.
Terry Wilson [Wed, 21 Jan 2015 20:19:06 +0000 (14:19 -0600)]
Add run_as_root option to utils.execute
This change adds the run_as_root option that exists in the
processutils.execute method. This option makes it possible
to just look up the root_helper from the config when
necessary, while still making it possible to not use any
privilege escalation.
Currently, processutils.execute exposes some eventlet issues
in the neutron codebase, otherwise this patch would just move
us over to using it.
Henry Gessau [Sat, 31 Jan 2015 17:57:49 +0000 (12:57 -0500)]
Move NCS mech driver to its new home
The NCS driver is scheduled for decomposition, and in the targeted vendor repo
the files are in a new location in the tree. Before we can decompose the driver
we must move it to its new location in the neutron tree.
A future patch will decompose (thin) the driver and add requirements.txt.
Ihar Hrachyshka [Wed, 11 Feb 2015 16:10:10 +0000 (17:10 +0100)]
keepalived: use sh instead of bash for notifier scripts
Those scripts are pretty trivial, calling external commands and using
kill -s and $(...) construction. All that is available in POSIX shell,
so let's not use bash in shebang and utilize more performant shell in
case /bin/sh != /bin/bash (valid for Debian based systems).
Terry Wilson [Thu, 22 Jan 2015 10:07:50 +0000 (04:07 -0600)]
Use ovsdb-api neutral column/value mappings
The format ('column:field', 'value') for map-type ovsdb values is
ovs-vsctl-specific. The updated implementation-neutral way to do
this is ('column', {'field': 'value'}).
Russell Bryant [Tue, 10 Feb 2015 21:15:59 +0000 (16:15 -0500)]
Scope state reporting rpc api using a messaging namespace
This patch does a couple of things. First it adds docstrings to the
client/server pair of the rpc interface used by an agent to report
state back to the plugin. The docs tell you where the other side of
the interface is found in the code, and where docs are that give more
info on the rules for changing them.
The second thing done in this patch is to scope this interface using a
messaging namespace. Right now some plugins expose several interfaces
via the default namespace. This effectively means they are a single
API and should be managed with a single version stream. It's much
more manageable to just treat these as separate interfaces and this
change makes that explicit and functionally true. Now when a method
is invoked, the only classes considered for handling that request will
be ones marked with the right namespace.
Yoni Shafrir [Wed, 4 Feb 2015 05:42:13 +0000 (07:42 +0200)]
Remove use of keepalived 'vrrp_sync_group' as it is unused
Now keepalived configuration wraps the VRRP instances with a
'vrrp_sync_group'. The VRRP sync group functionality is only
relevant when more than one VR instance is contained in it.
In that case the VRs in the group will have the same state.
Our use of keepalived uses a single instance per router.
This patch simply removes the 'vrrp_sync_group'.
In this patch VR instances are used on their own and they now
hold the 'notify_scripts'.
Note that the same VRRP functionality is preserved with this
patch.
Another motivation for this patch, aside from removing
useless configuration, is to lay the foundation for a future
patch that will the related bug by adding 'track_script'
that are not supported with 'vrrp_sync_group'.
Russell Bryant [Fri, 23 Jan 2015 19:48:07 +0000 (14:48 -0500)]
Scope dvr rpc api using a messaging namespace
This patch does a couple of things. First it adds docstrings to the
client/server pair of the rpc interface used by the ovs agent
to make dvr related calls back into the Neutron server. The docs
tell you where the other side of the interface is found in the code,
and where docs are that give more info on the rules for changing them.
The second thing done in this patch is to scope this interface using a
messaging namespace. Right now some plugins expose several interfaces
via the default namespace. This effectively means they are a single
API and should be managed with a single version stream. It's much
more manageable to just treat these as separate interfaces and this
change makes that explicit and functionally true. Now when a method
is invoked, the only classes considered for handling that request will
be ones marked with the right namespace.
Henry Gessau [Sun, 8 Feb 2015 02:19:06 +0000 (21:19 -0500)]
Refactor radvd control in the l3-agent
Several of the parameters used by radvd are known when a router is created
and do not need to be passed around every time an RA method is
called. Also, we want to easily check the state of radvd for a router.
Use an object to keep track of the data and state of an radvd process.
Terry Wilson [Thu, 22 Jan 2015 19:52:43 +0000 (13:52 -0600)]
monkey patch stdlib before importing other modules
Some oslo libraries assume that stdlib is already patched when
they are imported (e.g. oslo_concurrency.processutils tests the
'time' module for monkey_patching to detect which 'subprocess'
module to import).
This can cause issues when things like test frameworks import
modules that monkey_patch, as the order imports are made can break
this kind of check. It is always good to monkey patch as soon as
possible, hence trying to do the patching in neutron/__init__.py.
This is an alternative to https://review.openstack.org/#/c/153225/
which just patches neutron/tests/__init__.py. Unfortunately, just
monkey_patching in tests/__init__.py didn't fix all of the issues
I ran into. For example, tempest tests were failing with timeouts.
Jakub Libosvar [Tue, 3 Feb 2015 13:33:39 +0000 (14:33 +0100)]
Don't crash when adding duplicate gre allocation
This patch catches DBDuplicateError when initializing ML2 GRE type
driver and allocation already exists in DB. Because current allocations
are queried and then only those that don't exist in database are
added, DBDuplicateError should never occur.
But the race can happen when running multiple neutron-servers and one
of the servers adds allocations between allocations are queried and added.
Fix lack of device ownership enforcement for DVR routers
The enforcement rule was applied to centralized router interfaces, to avoid
a potential security vulnerability.
Even though DVR routers are fundamentally different from centralized routers,
there is no good reason as to why the rule should be skipped for DVR interfaces.
This patch sanitizes the insanity a bit and closes this potential loophole by
preventing the operation for DVR routers too.