Sachi King [Mon, 8 Dec 2014 06:42:48 +0000 (17:42 +1100)]
If router is HA, get current_cidrs from keepalived object
When using L3 HA and keepalived neutron is no longer directly managing
the floating IP addresses itself. Neutron should not check against
which addresses are currently configured on the system, but the
addresses the keepalived object has configured.
Wei Wang [Thu, 7 Aug 2014 08:16:37 +0000 (16:16 +0800)]
Use "if dict.get(key):" instead "if key in dict and dict[key]:"
Use "if dict.get(key):" instead of "if key in dict and dict[key]:"
which makes code more clear and intelligible. Note this patch doesn't
change judging conditions, all "is not None" are retained.
WeiHu [Tue, 30 Dec 2014 02:45:55 +0000 (10:45 +0800)]
Fix IPv6 Subnet Slaac Check
Currently, "is_slaac_subnet" method only checks "ipv6_address_mode".
This will let neutron allocate a stateful IPv6 address for instance
when ipv6_ra_mode set to "stateless" or "slaac", and "ipv6_address_mode"
unset. But actually, instance get IPv6 address prefix from radvd, and
auto configure IPv6 address by itself. This change will let
"is_slaac_subnet" also check ipv6_ra_mode attribute, which will no longer allow
fixed IPs on auto-address subnets and delete subnet will correctly delete
auto-address ports.
Russell Bryant [Thu, 18 Dec 2014 20:11:07 +0000 (20:11 +0000)]
Scope metadata rpc api using a messaging namespace
This patch does a couple of things. First it adds docstrings to the
client/server pair of the rpc interface used by the metadata service
to make calls back into the Neutron server. The docs tell you where
the other side of the interface is found in the code, and where docs
are that give more info on the rules for changing them.
The second thing done in this patch is to scope this interface using a
messaging namespace. Right now some plugins expose several interfaces
via the default namespace. This effectively means they are a single
API and should be managed with a single version stream. It's much
more manageable to just treat these as separate interfaces and this
change makes that explicit and functionally true. Now when a method
is invoked, the only classes considered for handling that request will
be ones marked with the right namespace.
Russell Bryant [Wed, 17 Dec 2014 19:55:43 +0000 (19:55 +0000)]
Provide doc string pointers for the dhcp agent rpc api
There is an rpc interface defined for the Neutron plugin to be able to
execute methods in the DHCP agent. Provide docstring pointers in the
client and server side that tells you where to find the other side of
the interface.
No namespace usage is needed here. This API is the only one exposed
via the DHCP agent, so the default namespace used now is fine.
The DhcpAgent class was updated to explicitly define the
messaging.Target(). Previously it was using the equivalent one
defined in the Manager base class. Having it specified here makes it
more obvious that this is an rpc endpoint, and also provides the
obvious place that must have the version updated if the interface is
changed.
Break out config and entry point out of l3/agent file
This is done in order to show the split between a main() and
the agent's inner workings. At the same time the L3 agent for
Neutron is also being restructured and to this aim, its config
is also moved out of the agent file.
Keep main() for the time being until we get dependent
services updated.
Partially-Implements: bp restructure-l3-agent
Partially-Implements: bp core-vendor-decomposition
Cedric Brandily [Thu, 11 Dec 2014 13:10:30 +0000 (13:10 +0000)]
Correct l3-agent iptables rule for metadata proxy
2 iptables rules are defined to ensure the metadata proxy is reachable
from vms on 169.254.169.254:80:
* REDIRECT 169.254.169.254:80 packets to the router on port 9697
* ACCEPT traffic to 127.0.0.1 on port 9697
The REDIRECT rule replaces destination ip by:
* 127.0.0.1 if the packet is local,
* router ip (the one on the input interface, metadata proxy case).
So ACCEPT rule filter is not matched ... the metadata proxy is only
reachable because INPUT policy is ACCEPT.
This change removes the destination constraint in the ACCEPT rule.
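Added example (not part of the commit above or of the Neutron code base): a small Python model of the two rules this commit message describes, showing that the destination-constrained ACCEPT rule never matches VM traffic after REDIRECT, so the verdict comes from the INPUT policy. The router and VM addresses and all function names are constructed for illustration.

```python
# Constructed model of the REDIRECT + ACCEPT rule pair; addresses are sample values.
METADATA = ("169.254.169.254", 80)
PROXY_PORT = 9697


def nat_redirect(pkt, in_iface_ip):
    """REDIRECT: rewrite dst to the inbound interface's IP (127.0.0.1 if local)."""
    if (pkt["dst"], pkt["dport"]) == METADATA:
        new_dst = "127.0.0.1" if pkt["local"] else in_iface_ip
        return dict(pkt, dst=new_dst, dport=PROXY_PORT)
    return pkt


def filter_input(pkt, rules, policy):
    """Return (verdict, rule_index); rule_index is None when the policy decided."""
    for i, rule in enumerate(rules):
        if rule.get("dst") not in (None, pkt["dst"]):
            continue  # destination constraint present and not satisfied
        if rule.get("dport") not in (None, pkt["dport"]):
            continue  # port constraint present and not satisfied
        return rule["target"], i
    return policy, None


# ACCEPT rule before the change (constrained to 127.0.0.1) and after (port only).
OLD_RULES = [{"dst": "127.0.0.1", "dport": PROXY_PORT, "target": "ACCEPT"}]
NEW_RULES = [{"dport": PROXY_PORT, "target": "ACCEPT"}]


def metadata_request_verdict(rules, policy, local=False, router_ip="10.0.0.1"):
    """Trace one metadata request through nat REDIRECT, then the filter INPUT chain."""
    pkt = {"src": "10.0.0.5", "dst": "169.254.169.254", "dport": 80, "local": local}
    return filter_input(nat_redirect(pkt, router_ip), rules, policy)


if __name__ == "__main__":
    for name, rules in (("old", OLD_RULES), ("new", NEW_RULES)):
        for policy in ("ACCEPT", "DROP"):
            print(name, policy, metadata_request_verdict(rules, policy))
```

A rule index of None in the result means no rule matched and only the chain policy let the packet through, which is the condition to look for when auditing a ruleset before tightening the INPUT policy.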
Brent Eagles [Fri, 10 Oct 2014 15:57:51 +0000 (13:27 -0230)]
Reset policies after RESOURCE_ATTRIBUTE_MAP is populated
The REST API relies on neutron-specific policy checking logic that is
only available after the extensions are loaded and the
RESOURCE_ATTRIBUTE_MAP is populated. This patch resets the policies
immediately after these steps are done. This ensures that in the event
the policies are prematurely loaded for any reason, the on-demand
loading of the policies will reload the policies and properly configure
the neutron specific checks on the next policy check.
Remove SELECT FOR UPDATE from delete_network and delete_subnet
delete_network and delete_subnet instead of using SELECT FOR UPDATE
delete the ports that are allowed to be auto deleted straight away.
Then a check is performed, if there are ports still associated
with the network or the subnet that cannot be autodeleted,
an exception is raised. The operation will be rolled back.
Ihar Hrachyshka [Wed, 7 Jan 2015 12:23:48 +0000 (13:23 +0100)]
Bump minimal dnsmasq version to 2.67
Versions prior to 2.67 did not support MAC address matching for IPv6 clients.
Quoting dnsmasq CHANGELOG:
"
version 2.67
[...]
Support identification of clients by MAC address in
DHCPv6. When using a relay, the relay must support RFC
6939 for this to work. It always works for directly
connected clients. Thanks to Vladislav Grishenko
for prompting this feature.
"
Assaf Muller [Tue, 23 Dec 2014 11:52:41 +0000 (13:52 +0200)]
Make L3 HA VIPs ordering consistent in keepalived.conf
Currently the order of VIPs in keepalived.conf is determined
by sorting the VIPs whenever one is added or removed. As it
turns out, keepalived doesn't like it when the primary VIP
changes. One side effect is that virtual routes, in our case
the router's default route, may be removed.
This patch fabricates an IP address on the router's HA interface
and uses it as the primary VIP.
Jakub Libosvar [Fri, 3 Oct 2014 12:02:55 +0000 (14:02 +0200)]
Add Process class helper to manage processes with namespace
This class extends Popen class with usage of namespace and root-helper.
Because of usage of root wrapper, this class re-uses get_child_pid() for
killing the child process. get_child_pid() is taken out of AsyncProcess
as a part of this patch.
Make lb mechanism driver use enable_security_group flag
This patch allows Neutron security groups to be enabled or
disabled with the enable_security_group flag when using the
linuxbridge ml2 mechanism driver.
Eugene Nikanorov [Tue, 23 Dec 2014 17:28:12 +0000 (20:28 +0300)]
Catch PortNotFound and SubnetNotFound during network_delete
In some cases PortNotFound exception during network_delete
could be caused by concurrent port deletion by DHCP agent.
This condition should not prevent network from deleting.
rajeev [Tue, 23 Dec 2014 18:49:19 +0000 (13:49 -0500)]
HA for DVR - schema migration and change
To support HA for DVR SNAT, default SNAT has to be schedulable
on multiple L3 agents. The csnat_l3_agent_bindings table is being
modified to include l3_agent_id in the primary key.
The migration script and Class definition update is included in
this patch. For modularity and code management, HA/DVR methods
that would make use of this change will be included in a different
patch.
The L3 agent metadata driver was added but then reverted
because it broke the functional job. The fix to the functional
job was merged, and this patch reverts the revert, thereby
adding the metadata driver back.
Matthew Thode [Wed, 10 Dec 2014 21:12:25 +0000 (15:12 -0600)]
moving vxlan module check to sanity checks and making practical
Instead of checking via modinfo (which only checks if a module is
available) this checks actual usage, which is a more reliable way of
testing real world problems.
sridhargaddam [Mon, 24 Nov 2014 10:17:36 +0000 (10:17 +0000)]
Validate IPv6 subnet while associating to Router
Currently Neutron allows attaching a subnet (configured to use an external
router, by only setting ipv6_address_mode and leaving ipv6_ra_mode unset)
to Neutron Router. Ideally Neutron should not allow this operation and
should return an appropriate error message to the user.
Kobi Samoray [Thu, 25 Dec 2014 10:06:16 +0000 (12:06 +0200)]
VMWare-NSXv: VMWare NSXv database models
For Kilo, the vendor-specific code should be moved to stackforge repo,
excluding the database models (https://review.openstack.org/#/c/134680/).
This patch adds the database model for VMWare NSXv plugin from
stackforge/vmware-nsx repo.
James Page [Tue, 6 Jan 2015 12:01:40 +0000 (12:01 +0000)]
Deal with PEP-0476 certificate chaining checking
PEP-0476 introduced more thorough certificate chain verification
for HTTPS connectivity; this was introduced in Python 2.7.9, and
breaks a number of unit tests in the neutron codebase.
Disable certificate chain verification for keystone SSL tests
using the backwards compatible SSLContext provided for this
purpose.
Maru Newby [Tue, 25 Mar 2014 08:04:50 +0000 (01:04 -0700)]
Add support for retargetable functional api testing
This patch introduces the concept of a 'retargetable' functional api
test. Such a test targets an abstract client class, and by varying
the implementation of the client, the test can target multiple
backends.
The test added by this patch (test_network_lifecycle) can be run
against the programmatic plugin api (for configured plugins) via both
tox -e functional and tox -e dsvm-functional. The latter env is used
by the gating neutron-dsvm-functional job.
The test can also be run against a live Neutron service via 'tox -e api'
which will soon be run as part of the check queue by the
neutron-dsvm-api job [1]. Running this tox env requires
devstack-deployed Neutron and Tempest.
The intention is to refactor the existing plugin tests
(e.g. NeutronDbPluginV2TestCase) to use this model. Functional tests
don't have to isolate functionality - they just need to exercise it -
so fewer tests will be required. The new tests will be able to target
plugins directly rather than through the wsgi stack, so execution time
will be decreased. The refactored tests should be easier to maintain
and take less time to run.
Perhaps best of all, since the same tests will be able to target a
deployed service in the neutron-dsvm-api job, the deployed behaviour
of api changes will finally be able to gate merges to the Neutron
tree.
Notable parts of the change:
- tests/api
- base_v2 - defines the client interface (BaseNeutronClient)
and the base class (BaseTestApi) for the
retargetable test (test_network_lifecycle)
- test_v2_rest - implements the client interface for the tempest
rest client and configures the retargetable test
with scenarios for json serialization
- tests/functional/api
- test_v2_plugin - implements the client interface for the
programmatic plugin api and configures the
retargetable test with scenarios targeting the
linuxbridge and openvswitch plugins
- tests/unit
- refactor bits of the existing plugin tests for reuse
1: https://review.openstack.org/#/c/82226/
Implements: bp retargetable-functional-testing
Change-Id: Ib5470040c0fa91ec143f38d273e1e259b3adfb2e
Tweak gate hooks scripts to handle both functional and api jobs
With this change both the API and Functional job will benefit
from the use of gate hooks. This is especially useful to make
the API job emit the test results the same way other jobs do.
NOTE: Changes are applied to both contrib directories under
neutron/tests and neutron/tests/functional; these two directories
are supposed to be in sync until change [1] merges, after which
we can drop neutron/tests/functional/contrib, in favor of
neutron/tests/contrib. This was done because of the symlink issue
caused by [2].
Maru Newby [Tue, 6 Jan 2015 00:42:52 +0000 (00:42 +0000)]
Replace mention of nose with nose2 in devref
Documentation for the nose test runner was previously included in the
testing section of the developer reference. Due to nose's lack of
support for the load_tests protocol - required to support
testscenarios-based generative testing - the documentation has been
updated to suggest the load_tests-supporting nose2 instead.
Itsuro Oda [Tue, 6 Jan 2015 00:35:25 +0000 (09:35 +0900)]
Skip adding ips from non dhcp enabled subnets to hosts file
If a network had a mix of dhcp and non dhcp enabled subnets,
then ips from all subnets were added to the hosts file.
This fix ensures only ips from dhcp enabled subnets are added.
Add developer documentation for plugins/drivers contributions
This is the initial step to provide documentation and
how-to for developers interested in contributing plugins and
drivers according to the core-vendor-decomp proposal.
This patch deletes the floating agent gw port
on floatingip disassociate.
A recent change in the neutron trunk broke
this functionality. This was introduced by
the patch that addressed the re-order
operations in (l3_dvr) update floating ip.
Sam Betts [Mon, 20 Oct 2014 12:26:33 +0000 (13:26 +0100)]
Ensure test_metaplugin handles random hashseeds
2 tests fail in test_metaplugin when using hashseed 2701526934; this is
down to the nature of using dictionaries and sets in Python having
unpredictable ordering when retrieving data stored in them. This patch
ensures that no matter the order fake1 and fake2 get placed into
self.plugins that the test can assert both possible scenarios.
Kevin Benton [Sun, 4 Jan 2015 09:47:01 +0000 (01:47 -0800)]
Ignore non-existent ports during OVS intf list
A recent commit[1] to pass the list of port names directly to
ovs-vsctl during a list operation introduced a new possible
failure condition where one of the names might refer to a port
which no longer exists. By default this causes ovs-vsctl to quit
in a fit of rage[2].
Previously, all interfaces were retrieved and the ones that were a
subset of the name list were processed. The name list could contain
extra non-existent names (e.g. recently deleted interfaces).
This patch just passes the '--if-exists' flag to the 'list Interface'
command to match the same previous behavior.
Abhishek Talwar [Wed, 24 Dec 2014 04:34:32 +0000 (10:04 +0530)]
Confusing message deleting default security group
Trying to delete default security group from a non-admin
user gives an error "Removing default security group not
allowed. (HTTP 400)".
But this message is not clear as the user does not get to
know why he is not allowed to remove the default security
group.
So updated the error message to give a more optimal message
to the user.
Angus Lees [Tue, 23 Dec 2014 00:13:27 +0000 (11:13 +1100)]
Enable the "not-callable" pylint check
This check catches attempts to call variables that pylint believes are
not functions. A trivial example would be:
# Trivial example caught by this check:
foo = dict()
print foo('bar') # <- oops, meant foo['bar']
This change enables the "not-callable" pylint check, after disabling a
few cases where the alert triggers but the usage was intended (defining
decorators).
Angus Lees [Mon, 22 Dec 2014 04:41:28 +0000 (15:41 +1100)]
ovs_dvr: Use lazy logging interpolation
There are a small number of examples of "eager" interpolation in
neutron:
logging.debug("foo %s" % arg)
These should be converted to perform the interpolation lazily within
the logging function, since if the severity is below the logging level
then the interpolation can be skipped entirely.
This change addresses all such examples found in ovs agent via a pylint
test. Other occurrences are addressed elsewhere.
Maru Newby [Tue, 28 Oct 2014 19:50:31 +0000 (19:50 +0000)]
Add a constant for router interface device owners
In the absence of a port object that includes a check for whether a
given port is implementing a router interface, this change adds the
ROUTER_INTERFACE_OWNERS tuple containing the relevant DEVICE_OWNER_*
constants.
This change was suggested by https://review.openstack.org/#/c/129865/