With this change is the is_admin parameter is set to True when
creating a context, the is_advsvc property is set to True as well,
without executing a pointless check with policy engine.
Jakub Libosvar [Wed, 29 Apr 2015 10:04:03 +0000 (12:04 +0200)]
Don't use iterator in search for tunnel type
Changing dictionary size while using iterator causes RuntimeError. This
can happen in local vlan mapping under certain program flows. This patch
changes iteritems() to values() that returns list and thus preventing
from failure if local vlan mapping changes during creating tunnels.
Sam Betts [Wed, 29 Apr 2015 15:15:35 +0000 (16:15 +0100)]
Ensure mocks for lla allocator _write in test_agent
The test test_create_dvr_fip_interfaces_for_restart_l3agent_case was
causing a file fip-linklocal-networks to be created when the tests are
run, this patch ensures that the correct part of the LinkLocalAllocator
is patched to prevent this in the test case.
Gal Sagie [Wed, 29 Apr 2015 04:49:16 +0000 (07:49 +0300)]
Rename delete_gateway method name
Fix last comments from bug #1435012
Some comments were left out and the patch is already merged.
This patch address these comments.
Rename method and remove an unneeded comment
lijianlj [Thu, 29 Jan 2015 06:41:20 +0000 (14:41 +0800)]
Add icmpv6 to sg_supported_protocols
support using icmpv6 (protocol num 58) in the protocol option, when creating
a security group rule.At this time, port_range_min/port_range_max represent
icmpv6 type/code, and you can use only port_range_min to specify just one type.
eg:neutron security-group-rule-create --direction ingress \
--ethertype ipv6 --protocol icmpv6 --port-range-min 134 SECURITY_GROUP
Gal Sagie [Mon, 30 Mar 2015 07:40:36 +0000 (10:40 +0300)]
Suppress exception when trying to remove non existing device in SNAT redirect
L3 service plugin first calls to remove_router_interface from the L2 OVS agent
which delete this port from OVS and then the service plugin calls
to remove the router interface from L3 agent.
Catch the exception thrown on the delete gateway, if its due to device doesn't exists
ignore the exception
Support multiple IPv6 prefixes on internal router ports for an HA Router
As part of BP multiple IPv6 prefixes, we can have multiple IPv6 prefixes on
router internal ports. Patch, I7d4e8194815e626f1cfa267f77a3f2475fdfa3d1, adds
the necessary support for a legacy router.
For an HA router, instead of configuring the addresses on the router internal
ports we should be updating the keepalived config file and let keepalived
configure the addresses depending on the state of the router.
Following are the observations with the current code for an HA router.
1. IPv6 addresses are configured on the router internal ports (i.e., qr-xxx)
irrespective of the state of the router. As the same IP is configured on multiple
ports you will notice dadfailed status on the ports.
2. Keepalived configuration is not updated with the new IPv6 addresses.
This patch addresses the above issues for an HA Router.
Currently a HA router can be successfully created even when
there is not enough active l3 agent. Current code only checks
existing l3 agents but does not check if the agent is already
down.
This patch fixes this problem by checking only active l3 agents
when getting the number of agents for scheduling HA router.
Kevin Benton [Fri, 17 Apr 2015 11:54:41 +0000 (04:54 -0700)]
Eliminate extra queries used to retrieve gw_ports
The _get_sync_routers method was calling get_routers and
then getting the gateway ports from the db in a separate
get_ports call. This extra call is unnecessary since is
already an SQL relationship directly between the router
and it's gw_port.
This patch eliminates all of the additional gw_port retrieval
logic by replacing the get_routers call with a _get_collection
call to make use of the gw_port object already present on
each router object.
Kevin Benton [Fri, 17 Apr 2015 11:09:48 +0000 (04:09 -0700)]
Don't update port with host id of None
In the L3 RPC code if the host for a port is not
present, it ends up calling update_port with the
host_id set to None. This does not update the host
id at all because it's treated as an unset attribute
which leads to the same thing happening on the next
iteration. These pointless update calls are expensive
because they involve a semaphore and calls to mechanism
drivers.
This patch adjusts the logic to only send a port
update if it actually has a host to ensure is on
the port.
lzklibj [Sat, 21 Mar 2015 16:58:15 +0000 (09:58 -0700)]
fix l3-agent restart with last runtime fip for dvr
In DVR enabled environment, after we associated a floating
IP to a VM, when we restart L3-agent on the same compute
node, the L3-agent will miss to create rtr_fip_subnet for
router_info. The previous floating IP can still work, but
new associated floating IPs to VMs related to the same router
on this L3-agent will fail to configure and not work. This
patch will fix this.
The method create_dvr_fip_interfaces in dvr_router.py will
invoke fip_ns.create_rtr_2_fip_link, and the later one will
create rtr_fip_subnet, consider VMs related to the same router
will share the same rtr_fip_subnet, so processing here should
run only once for those VMs, once rtr_fip_subnet is created.
Current code will check dist_fip_count then decide to invoke
fip_ns.create_rtr_2_fip_link or not.
dist_fip_count should be zero if a router related VMs never
have been associated with any floating IPs before. But if a
router has floating IPs associated to its related VMs, after
it is restared, dist_fip_count will be non-zero, and this is
the point this patch try to fix. And for case rtr_fip_subnet
has been created, both dist_fip_count and is_fisrt will be
false, and fip_ns.create_rtr_2_fip_link will be no more need
to be invoked.
Kevin Benton [Fri, 17 Apr 2015 11:51:26 +0000 (04:51 -0700)]
Replace unnecessary call to get_sync_routers
Replaces a call to get_sync_routers with a single-column
router DB query in a method that doesn't use any of the
gateway information get_sync_routers spends extra
time populating.
Cedric Brandily [Thu, 5 Mar 2015 21:43:09 +0000 (21:43 +0000)]
Replace BaseLinuxTestCase by BaseSudoTestCase
BaseLinuxTestCase provides 2 methods which are used once/three time(s),
this change inlines these methods and removes BaseLinuxTestCase and
replaces it by BaseSudoTestCase.
This change removes a useless cleanup in RecursivePermDirFixture:
previously RecursivePermDirFixture reverts permission changes on
directories, but the cleanup is useless as directories are provided
by TempDir.
Kevin Benton [Fri, 24 Apr 2015 13:52:21 +0000 (06:52 -0700)]
Add missing interface to populate subnets method
Change Ib46f685d72eb61ecbaa2869e28fb173cd6d49552 introduced
and optimization to defer the lookup of interface subnet info
until all of the router interfaces were collected. However,
it didn't add the DVR SNAT interface to the list of interfaces
to populate subnet info so it broke DVR.
This patch corrects the behavior by adding the DVR SNAT interface
to the list of ports that need subnet info populated.
Elena Ezhova [Tue, 7 Apr 2015 11:54:45 +0000 (14:54 +0300)]
Refactor socket ssl wrapping
Move socket wrapping into a separate method in order to separate
its logic from other action done in _get_socket. Now, ssl wrapping
is applied to the socket returned by _get_socket method.
Additionally checks for ssl config options are now performed during
init and not each time wrap_socket is called.
Kevin Benton [Fri, 24 Apr 2015 07:35:31 +0000 (00:35 -0700)]
Don't resync on DHCP agent setup failure
There are various cases where the DHCP agent will try to
create a DHCP port for a network and there will be a failure.
This has primarily been caused by a lack of available IP addresses
in the allocation pool. Trying to fix all availability corner cases
on the server side will be very difficult due to race conditions between
multiple ports being created, the dhcp_agents_per_network parameter, etc.
This patch just stops the resync attempt on the agent side if a failure
is caused by an IP address generation problem. Future updates to the subnet
will cause another attempt so if the tenant does fix the issue they will
get DHCP service.
Aaron Rosen [Wed, 4 Mar 2015 21:34:26 +0000 (13:34 -0800)]
Allow plugin to specify router_id
It is useful to allow the backend to specify the uuid that we want neutron to
use. We currently do this same thing for networks. This patch enables the same
behavior for routers as well.
sridhargaddam [Mon, 8 Dec 2014 16:11:38 +0000 (16:11 +0000)]
Neutron to Drop Router Advts from VM ports
As part of Spoofing filter chain Neutron drops all the outbound
traffic where MAC/IP does not match the IP address assigned
to the VM ports (inc' allowed_address_pairs). Along with this,
we also drop traffic associated to dhcp[v6] server (i.e., do
not allow a VM to run dhcp[v6] server). Currently we do not
have any rules to drop Router Advts from VM ports. This can create
issues in the network as other devices in the network may not have
any protection for this kind of stuff.
Even if we allow RAs from the VM ports, because of the Anti-Spoofing
rules that are applied, a VM cannot act as a IPv6 router (i.e., it
cannot forward IPv6 traffic). So there is no point in allowing Router
Advts from VMs assuming that it would be useful in Service VM use-cases.
In order to properly implement IPv6 router as a Service VM, one needs
to use the port_security_extension [1] which allows us to disable
security group rules/anti-spoofing filters on the VM ports.
The test_ha_router_failover tests were not being unmocked. This
is because the same object was being mocked twice, but unmocked
once. The mock.patch.stopall call in the tests base class was rewinding
the value of the object from the second mock to the first mock.
Follow up tests in the same worker were using namespace
names defined via the first mock in the failover test.
This routine in policy.py used to have a backward compatibility
check to ensure proper behaviour even when the policy.json file
did not have a specific 'context_is_admin' policy.
However, this backward compatibility check does not work. It
appears indeed that it has been broken for several release cycles;
it is also possible that actually it never worked.
When the 'context_is_admin' policy is not in the policy.json file
the enforcer simply ends up evaluating whatever is the default
policy configured there.
Therefore this patch:
- Removes the backward compatibility check, since it does not work
- Fails, for safety, check_is_admin if 'context_is_admin' policy is
not specified
- Fixeds check_is_advsvc in the same way (the backward compatibility
check never made any sense for this function)
- Fixes unit tests adding appropriate tests for check_is_admin and
check_is_advsvc
Currently radvd is spawned in all the HA routers irrespective of the
state of the router. This approach has the following issues.
1. While processing the internal router ports (i.e., qr-xxx), ha_router
removes the LLA of the interface and adds it as a VIP to Keepalived conf.
Radvd daemon is spawned after this operation in the router namespace
(if the port is associated with any IPv6 subnets). Radvd notices that
qr-xxx interface does not have the LLA, so does not transmit any Router
Advts. In this state, VMs fail to acquire IPv6 addresses because of the
missing RAs. Radvd does not recover even after keepalived configures the
LLA of the interface. The only solution is to restart/reload radvd daemon.
Currently keepalived-state-change monitor does not do any radvd related
operations when a state transition happens. So we endup in this state
forever.
2. For all the routers in Backup state, qr-xxx interface does not have LLA
as it is managed by keepalived and configured only on the Master HA router.
In such agents syslog is flooded with the messages [1] and this can cause
loss of other useful info.
[1] - resetting ipv6-allrouters membership on qr-2e373555-97
This patch implements the following.
1. If the router is already in the Master state, we configure the LLA as a VIP
in keepalived conf but do not delete the LLA of the internal interface.
2. We spawn radvd only if the router is in the Master State.
3. Keepalived-state-change monitor takes care of enabling/disabling radvd upon
state transitions.
Restrict subnet create/update to avoid DHCP resync
As we know, IPs in subnet CIDR are used for
1) Broadcast port
2) Gateway port
3) DHCP port if enable_dhcp is True, or update to True
4) Others go into allocation_pools
Above 1) to 3) are created by default, which means if CIDR doesn't
have that much of IPs, subnet create/update will cause a DHCP resync.
This fix is to add some restricts to the issue:
A) When subnet create, if enable_dhcp is True, /31 and /32
cidrs are forbidden for IPv4 subnets while /127 and /128 cidrs are
forbidden for IPv6 subnets.
B) When subnet update, if enable_dhcp is changing to True and there are no
more IPs in allocation_pools, the request should be denied.
Change-Id: I2e4a4d5841b9ad908f02b7d0795cba07596c023d Co-authored-by: Andrew Boik <dboik@cisco.com>
Closes-Bug: #1443798
This fix let flows in br-tun automatically recover from an Exception,
which is an ideal situation.
Simplly improve a missed flag will make sure OVS restart properly
after we walked out of Exception loop.
Code Review / openstack-build / neutron-build.git / log