Miguel Angel Ajo [Tue, 17 Feb 2015 12:28:46 +0000 (12:28 +0000)]
Remove error logs for a common situation (non created ipsets)
The log message was initially added by me as part of an
iptables_firewall refactor.
Ipsets for empty IP address lists aren't currently created,
that means that we can't reference empty security groups
(as ipsets) via iptable rules, and that's a normal condition,
not an error.
Maru Newby [Fri, 9 Jan 2015 15:02:59 +0000 (15:02 +0000)]
Automate host configuration for functional testing
This change adds a new script, configure_for_func_testing.sh, that
automates configuration of a host to support functional testing. The
script's functionality is consumed by a refactored version of
gate_hook.sh, and both minimizes runtime and removes the previous
dependency on the devstack-gate repo.
Additionally, the dsvm-functional tox env is no longer dependent on
devstack to deploy neutron's rootwrap configuration system-wide.
Rootwrap configuration is now deployed to the target tox venv on each
tox invocation.
Robert Kukura [Fri, 22 Aug 2014 09:01:03 +0000 (05:01 -0400)]
ML2: Hierarchical port binding
The ML2 port binding logic is modified to support hierarchical
bindings. If a mechanism driver's bind_port() calls continue_binding()
rather than set_binding(), the supplied dynamic segments are used for
another level of binding.
Robert Kukura [Thu, 21 Aug 2014 19:46:11 +0000 (15:46 -0400)]
ML2: DB changes for hierarchical port binding
To support hierarchical port binding, the driver and segment columns
are moved from the ml2_port_bindings and ml2_dvr_port_bindings tables
to a new ml2_port_binding_levels table. This new table can store
multiple levels of binding information for each port. It has the host
as part of its primary key so that it can be used for both normal and
DVR port bindings.
The cap_port_filter column is also removed from the
ml2_dvr_port_bindings table, since the adjacent driver and segment
columns are being moved, and this can trivially be done via the same
DB migration. It was included in the table by mistake and was never
used.
The logic required for hierarchical port binding will be implemented
in a dependent patch.
Assaf Muller [Wed, 11 Feb 2015 15:55:19 +0000 (10:55 -0500)]
Cleanup in keepalived tests
A recent patch introduced a new keepalived manager utility
function which returns the keepalived.conf file contents,
but the keepalived functional test was not updated to use it.
Also, a bunch of unneeded logging configuration was removed from
this test.
Additionally, the keepalived configuration functional test
in the L3 agent testing module compares expected configuration
to an in-memory representation of the configuration that will
be persisted to disk. It's better to compare the expected
configuration with what was actually written to disk.
Henry Gessau [Sat, 31 Jan 2015 17:57:49 +0000 (12:57 -0500)]
Move NCS mech driver to its new home
The NCS driver is scheduled for decomposition, and in the targeted vendor repo
the files are in a new location in the tree. Before we can decompose the driver
we must move it to its new location in the neutron tree.
A future patch will decompose (thin) the driver and add requirements.txt.
Ihar Hrachyshka [Wed, 11 Feb 2015 16:10:10 +0000 (17:10 +0100)]
keepalived: use sh instead of bash for notifier scripts
Those scripts are pretty trivial, calling external commands and using
kill -s and $(...) construction. All that is available in POSIX shell,
so let's not use bash in the shebang and utilize a more performant shell in
case /bin/sh != /bin/bash (valid for Debian based systems).
Terry Wilson [Thu, 22 Jan 2015 10:07:50 +0000 (04:07 -0600)]
Use ovsdb-api neutral column/value mappings
The format ('column:field', 'value') for map-type ovsdb values is
ovs-vsctl-specific. The updated implementation-neutral way to do
this is ('column', {'field': 'value'}).
Russell Bryant [Tue, 10 Feb 2015 21:15:59 +0000 (16:15 -0500)]
Scope state reporting rpc api using a messaging namespace
This patch does a couple of things. First it adds docstrings to the
client/server pair of the rpc interface used by an agent to report
state back to the plugin. The docs tell you where the other side of
the interface is found in the code, and where docs are that give more
info on the rules for changing them.
The second thing done in this patch is to scope this interface using a
messaging namespace. Right now some plugins expose several interfaces
via the default namespace. This effectively means they are a single
API and should be managed with a single version stream. It's much
more manageable to just treat these as separate interfaces and this
change makes that explicit and functionally true. Now when a method
is invoked, the only classes considered for handling that request will
be ones marked with the right namespace.
Yoni Shafrir [Wed, 4 Feb 2015 05:42:13 +0000 (07:42 +0200)]
Remove use of keepalived 'vrrp_sync_group' as it is unused
Now keepalived configuration wraps the VRRP instances with a
'vrrp_sync_group'. The VRRP sync group functionality is only
relevant when more than one VR instance is contained in it.
In that case the VRs in the group will have the same state.
Our use of keepalived uses a single instance per router.
This patch simply removes the 'vrrp_sync_group'.
In this patch VR instances are used on their own and they now
hold the 'notify_scripts'.
Note that the same VRRP functionality is preserved with this
patch.
Another motivation for this patch, aside from removing
useless configuration, is to lay the foundation for a future
patch that will the related bug by adding 'track_script'
that are not supported with 'vrrp_sync_group'.
Russell Bryant [Fri, 23 Jan 2015 19:48:07 +0000 (14:48 -0500)]
Scope dvr rpc api using a messaging namespace
This patch does a couple of things. First it adds docstrings to the
client/server pair of the rpc interface used by the ovs agent
to make dvr related calls back into the Neutron server. The docs
tell you where the other side of the interface is found in the code,
and where docs are that give more info on the rules for changing them.
The second thing done in this patch is to scope this interface using a
messaging namespace. Right now some plugins expose several interfaces
via the default namespace. This effectively means they are a single
API and should be managed with a single version stream. It's much
more manageable to just treat these as separate interfaces and this
change makes that explicit and functionally true. Now when a method
is invoked, the only classes considered for handling that request will
be ones marked with the right namespace.
Henry Gessau [Sun, 8 Feb 2015 02:19:06 +0000 (21:19 -0500)]
Refactor radvd control in the l3-agent
Several of the parameters used by radvd are known when a router is created
and do not need to be passed around every time an RA method is
called. Also, we want to easily check the state of radvd for a router.
Use an object to keep track of the data and state of an radvd process.
Terry Wilson [Thu, 22 Jan 2015 19:52:43 +0000 (13:52 -0600)]
monkey patch stdlib before importing other modules
Some oslo libraries assume that stdlib is already patched when
they are imported (e.g. oslo_concurrency.processutils tests the
'time' module for monkey_patching to detect which 'subprocess'
module to import).
This can cause issues when things like test frameworks import
modules that monkey_patch, as the order imports are made can break
this kind of check. It is always good to monkey patch as soon as
possible, hence trying to do the patching in neutron/__init__.py.
This is an alternative to https://review.openstack.org/#/c/153225/
which just patches neutron/tests/__init__.py. Unfortunately, just
monkey_patching in tests/__init__.py didn't fix all of the issues
I ran into. For example, tempest tests were failing with timeouts.
Jakub Libosvar [Tue, 3 Feb 2015 13:33:39 +0000 (14:33 +0100)]
Don't crash when adding duplicate gre allocation
This patch catches DBDuplicateError when initializing ML2 GRE type
driver and allocation already exists in DB. Because current allocations
are queried and then only those that don't exist in database are
added, DBDuplicateError should never occur.
But the race can happen when running multiple neutron-servers and one
of servers adds allocations between allocations are queried and added.
Fix lack of device ownership enforcement for DVR routers
The enforcement rule was applied to centralized router interfaces, to avoid
a potential security vulnerability.
Even though DVR routers are fundamentally different from centralized routers,
there is no good reason as to why the rule should be skipped for DVR interfaces.
This patch sanitizes the insanity a bit and closes this potential loophole by
preventing the operation for DVR routers too.
This exception is an overkill, and can be safely removed. The tests
affected were not designed to cover any regression as they were asserting
that the mocked Exception was being raised, defeating the very purpose of
catching the regression; they have been revised to ensure that the checks
are not misplaced in future revision of the code, or that they behave the
way they are supposed to.
Ihar Hrachyshka [Tue, 11 Nov 2014 16:15:37 +0000 (17:15 +0100)]
Check conntrack rule cleanup on floating IP disassociate
Check that conntrack rule is cleaned up immediately after floating IP is
disassociated.
Extend NetcatTester class to allow to specify different addresses for
client and server sides of connection. Fixed the class not to pass -k
option for UDP connections (otherwise the test fails when used with nmap
netcat implementation).
Chengli XU [Wed, 25 Jun 2014 14:26:04 +0000 (22:26 +0800)]
l2-pop shouldn't notify agent about inactive ports
When an agent starts, or the first port of an agent becomes active,
l2 population mechanism driver will notify the agent of all ports on other agents.
It should not notify about inactive ports.
Basically, this patch-set is needed for fixing the bug 1332450.
Carl Baldwin [Mon, 2 Feb 2015 23:34:24 +0000 (23:34 +0000)]
Use weak ref to avoid deleting fip namespace through agent
By using a weak ref in the agent to keep track of the fip namespaces,
we avoid having to call a method directly on the agent to delete a fip
namespace. When the last router removes the last floating ip, the
fip_ns is marked destroyed and the router's strong reference is
removed. This allows the garbage collector to reap it. When the
agent goes looking for the fip namespace instance again, it will check
to see that it has not been garbage collected and that it has not been
destroyed before using it.
The goal here is to avoid having to ask the agent to delete a fip
namespace. We know to delete a fip namespace when all of the floating
ips are gone. We delete floating ips in the context of processing a
router. So, having to call back out to the agent to destroy the fip
namespace is preventing some of this code from being moved in to the
router context.
With the decomp running at full steam, some questions have been
raised on Gerrit, IRC or the mailing list. This patch adds more
details on how to go about unit testing and some current limitations
of 3rd party systems.