John Kasperski [Fri, 7 Aug 2015 14:15:33 +0000 (09:15 -0500)]
Validate updated allocation pool before using it
The allocation pool specified during subnet-update is being
used in gateway validation checks before the allocation pool
is ever validated. Errors indicating that the gateway IP is
invalid are returned when it is the allocation pool that is
actually in error.
Additional testing of the allocation pool is also being added
to the subnet-update unit tests.
Kevin Benton [Thu, 30 Jul 2015 00:28:50 +0000 (17:28 -0700)]
Validate interface_mappings on Linux bridge init
Verify that the interfaces actually exist that are defined in
interface_mappings on Linux bridge startup. If they do not, exit
immediately similar to how OVS handles incorrect bridge_mappings.
This prevents an unfriendly exception in the rpc setup routine.
Initialize ancillary_port_info dict as blank in OVS agent
The first assignment of ancillary_port_info was from the scan_ancillary_ports
function which could result in an exception and result in ancillary_port_info
being unbound for the port stats scan below.
This patch just initializes ancillary_port_info as an empty dict so the port
stats will always have an input.
Assaf Muller [Thu, 7 May 2015 06:02:59 +0000 (09:02 +0300)]
Enable fullstack multinode tests, add L3 HA test exemplar
* Created a 'resources' subdir and moved all fixture files
to it.
* Split ML2ConfigFixture to the server-side ml2 configuration
fixture, and the OVS agent configuration fixture.
* Neutron process logs were using H:M:S format as their file name,
but when starting multiple agents of the same type my machine
was fast enough to do that in the same second so that different
processes were outputting to the same log file. No good!
Added ms to the log name format. I also changed the log time
from UTC to local timezone.
* Renamed and moved 'FullstackFixture' to neutron/tests/fullstack/
resources/environment.Environment
* Added a 'Host' abstraction that groups agents that report with
the same 'host' value. Hosts may be interconnected by the
environment via shared bridges.
* The 'Environment' class will accept global
attributes (This will be later filled with stuff like tunneling,
l2pop or other environment-level flags), and in this patch accepts
a list of host attributes (Configuration that may differ between
hosts like the l3 agent mode [legacy, dvr, dvr_snat]).
* Made OVS agent and L3 agent fixtures expose their bridges
so that I could interconnect them.
* Added a super simple L3 HA test to show that this entire thing
works.
John Davidge [Thu, 16 Jul 2015 17:26:24 +0000 (18:26 +0100)]
DB, IPAM & RPC changes for IPv6 Prefix Delegation
This patch includes the DB, IPAM & RPC changes needed for the IPv6 Prefix
Delegation feature.
To enable this feature, the subnetpool_id attribute of subnets has been
modified to allow for a special subnetpool identifier - "prefix_delegation".
WORKFLOW:
1. Admin sets default_ipv6_subnet_pool in neutron.conf to "prefix_delegation"
2. User creates a new IPv6 subnet without a CIDR or subnetpool ID
3. User creates an interface between this subnet and a router with an existing
external interface
The agent-side changes will follow in separate patches.
A documentation patch is up for review here:
https://review.openstack.org/#/c/178739
Video guides for configuring and using this feature are available on
YouTube:
Cyril Roelandt [Wed, 5 Aug 2015 09:39:50 +0000 (11:39 +0200)]
Python 3: convert dict_keys object to list
This makes sure we use the same types in Python 2 and 3, prevents TypeErrors
from happening, and should have no performance impact since the lists are
quite small anyway.
Henry Gessau [Wed, 5 Aug 2015 01:29:46 +0000 (21:29 -0400)]
Remove VPN from API tests
Change Idd5524ed0b602408be5a53830981a8ab974b390c removed the
VPN service from devstack installations in the gate, so now we
can no longer test VPN APIs from neutron. The tests will be
added to the vpnaas repo's API test suite.
Cyril Roelandt [Tue, 4 Aug 2015 12:27:48 +0000 (14:27 +0200)]
Python 3: fix test_ovs_tunnel
In Python 3, this happens:
>>> d = {}
>>> a = d.values()
>>> b = d.values()
>>> a == b
False
And anyway we're not really willing to pass dict_values objects around; we are
expecting lists, just like in Python 2, so let's just do the conversion.
Support subnetpool association to an address scope
This patch supports the following:
- create a subnetpool with address scope
- update a subnetpool
  - to associate with an address scope
  - to change the association to another address scope
  - to remove the association with the address scope
Enable set DNS and DHCP log of dnsmasq for dhcp agent
Add a new configuration named 'dnsmasq_base_log_dir'
in dhcp_agent.ini.
This entry should be a path of a log file. It should
look like this:
dnsmasq_base_log_dir=/tmp
And the DNS and DHCP log will be written into the file
"/tmp/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/dhcp_dns_log".
The dir path will be created if the given path doesn't exist.
Install arp spoofing protection flow after setting port tag
When ovs-agent sets a tag for a port, it will first remove all
flows on this port, because it should guarantee that no drop_port
flow installed by port_dead remains, so the arp spoofing protection
flow must be installed after it.
Move 1c844d1677f7 expand migration to appropriate branch
Commit cb60d0bb4e0cc0cba68f59fdf5f4e89d6ec52950 added an expand
migration. However it indicated a contract migration as its
ancestor (2a16083502f3). As a result the migration was treated
by alembic as a contract one, even if it was defined in the
'expand' directory.
This patch 'rebases' this migration on top of the expand branch
HEAD. This might impact trunk chasers which have already executed
migration 1c844d1677f7 as a part of the contract branch.
shihanzhang [Mon, 1 Jun 2015 08:17:37 +0000 (16:17 +0800)]
Fix ipset can't be destroyed when last rule is deleted
When it deletes all of a security group's rules, it should
include this sg information in RPC method
'security_group_info_for_devices', otherwise the ports
in this sg can't correctly update their iptables and
ipset sets.
Move away nested transaction from _ensure_default_security_group
This patch removes the nested transaction started in
_ensure_default_security_group, before calling create_security_group.
Instead, a nested transaction will be started inside
create_security_group.
The purpose of this change is to reduce the time period in which the db
transaction is open (to avoid races, db lock timeouts, etc), when creating
the default security-group.
OVSBridge was inheriting db_list from BaseOVS, which was
returning the information of all the ports on the machine,
not only the ones belonging to the bridge.
The OVSNeutronAgent was using that method with the assumption
that ports were filtered by bridge.
To avoid confusion, this patch adds a new method to OVSBridge
get_ports_attributes to query the info for all the ports
belonging to the bridge.
db_list is removed from BaseOVS since that method is already
available in ovsdb/api.py
ovs_lib methods that use db_list are refactored accordingly.
Since this option is configured in the DEFAULT section of nsx.ini,
the name of the option clashes with that in the networking_l2gw repo.
Proposal is to prefix our option with "nsx_" to avoid such interference.
Unfortunately this module was not moved to openstack/vmware-nsx
during decomposition and therefore this patch is being proposed on
the neutron repository.
Sam Betts [Thu, 16 Jul 2015 13:08:59 +0000 (14:08 +0100)]
Fix order of calls in update_port
https://review.openstack.org/#/c/196908 introduced some extra logic to
do with DVR to update_port, however it changed the ordering of some of
the calls, this patch ensures that the calls that need to happen before
precommit happen in the right place.
Kevin Benton [Wed, 29 Jul 2015 23:32:43 +0000 (16:32 -0700)]
Check that VXLAN is not in use in LB VXLAN check
The Linux bridge VXLAN supported check was only checking that the
test interface didn't exist instead of checking that both the interface
and the VXLAN didn't exist. This caused it to fail on startup if
a VXLAN interface existed under a different name using one of the
VXLANs that the agent tried to test support with.
This patch adds a check to ensure that the VXLAN ID isn't in use as well.
Kevin Benton [Tue, 28 Jul 2015 23:15:34 +0000 (16:15 -0700)]
Initialize port_info dict as blank in OVS agent
The first assignment of port_info was from the scan_ports function
which could result in an exception and result in port_info being
unbound for the port stats scan below.
This patch just initializes port_info as an empty dict so the port
stats will always have an input.
Cedric Brandily [Thu, 28 May 2015 16:35:17 +0000 (18:35 +0200)]
Ensure non-overlapping cidrs in subnetpools with galera
This change enables galera support in _lock_subnetpool[1]. It uses an
update to disallow 2 transactions performing concurrent subnet
allocation in the same subnetpool to succeed: the 2 transactions will
conflict because they update the same row so the db (including Galera
multi-writer cluster) will discard the last transaction and
Controller.create[2] will catch and retry the "discarded" allocation.
This change adds the "hash" attribute in "subnetpools" table to enable
previous update.
John Kasperski [Thu, 30 Jul 2015 04:52:01 +0000 (23:52 -0500)]
Prevent update alloc pool over existing gateway ip
The gateway IP for a subnet is not allowed to be listed in the
allocation pool for that subnet. This restriction is checked and
enforced at subnet-create time.
During subnet-update, it is only partially checked. An
exception is returned if the update request tries to place the gateway
IP in an existing allocation pool OR if both gateway and allocation
pool are being changed and the gateway is located in the new pool.
If only the allocation pool is being updated, no check is made to
verify that the new allocation pool does not contain the existing
gateway IP.
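The two allocation-pool commits in this log (validate the updated pool before using it, and check a pool-only update against the existing gateway) describe one validation order. The sketch below is an added example, not Neutron's code: the function names, exception classes and sample subnet are hypothetical, and it uses the standard-library ipaddress module.

```python
import ipaddress

class PoolError(ValueError):
    """The allocation pool itself is malformed."""

class GatewayConflict(ValueError):
    """The gateway IP falls inside an allocation pool."""

def validate_pools(cidr, pools):
    """Validate the pools on their own: ordering, subnet membership, overlap."""
    net = ipaddress.ip_network(cidr)
    ranges = []
    for pool in pools:
        start = ipaddress.ip_address(pool["start"])
        end = ipaddress.ip_address(pool["end"])
        if start > end:
            raise PoolError(f"start {start} is after end {end}")
        if start not in net or end not in net:
            raise PoolError(f"{start}-{end} is outside {net}")
        ranges.append((start, end))
    ranges.sort()
    for (_, prev_end), (next_start, _) in zip(ranges, ranges[1:]):
        if next_start <= prev_end:
            raise PoolError("allocation pools overlap")
    return ranges

def validate_subnet_update(current, update):
    """Merge a partial update into the stored subnet and validate the result."""
    merged = {**current, **update}
    # Pool errors are reported first, so a bad pool is never blamed on the gateway.
    ranges = validate_pools(merged["cidr"], merged["allocation_pools"])
    gateway = merged.get("gateway_ip")
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if any(start <= gw <= end for start, end in ranges):
            raise GatewayConflict(f"gateway {gw} is inside an allocation pool")
    return merged

def outcome(current, update):
    """Return 'ok' or the name of the validation error, for easy comparison."""
    try:
        validate_subnet_update(current, update)
        return "ok"
    except (PoolError, GatewayConflict) as exc:
        return type(exc).__name__

# Constructed sample subnet (not taken from the commits above).
SUBNET = {"cidr": "10.0.0.0/24", "gateway_ip": "10.0.0.1",
          "allocation_pools": [{"start": "10.0.0.2", "end": "10.0.0.254"}]}
```

Because the gateway check runs on the merged subnet, a request that changes only the pools is still compared with the stored gateway.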
- Make sriov agent to set the spoofchecking on VFs
according to port_security_enabled attribute of the port.
- Extend vf management sanity check to probe spoof checking
capability
When a network with a dhcp_enabled subnet is scheduled on a dhcp
agent, dhcp driver creates the network:dhcp port for the subnet.
However, the port info is not updated in dhcp agent's internal cache.
Subsequently if the user deletes the network:dhcp port, the port is
properly deleted on the server side (i.e., in the database) and when
the port_delete_end notification is sent to the dhcp agent, it simply
ignores it as the port entry would be missing in the cache. This patch
fixes this issue by updating the dhcp agent's cache when dhcp driver
creates the network:dhcp port for the subnets.
Currently, there is no dns servers prioritization for subnets
for Neutron.
Generally speaking, it is useful to keep the order of dns
nameservers consistent. Add a new column named 'order' in table
'dnsnameservers' and add nameserver into DB one by one.
John Nielsen [Wed, 22 Jul 2015 18:43:04 +0000 (12:43 -0600)]
Extend vxlan_group option to allow a range of group addresses
If vxlan_group is specified in CIDR notation, it is interpreted as a
range of group addresses. VXLAN VNIs are mapped to group addresses in
a many-to-one round robin fashion, or one-to-one if a large enough
range is provided. Since VNIs are 24 bits, a /8 such as 239.0.0.0/8
allows each VNI to use a unique multicast group. (239.0.0.0/8 also
happens to be the "site-local" multicast range.)
With multiple VNIs on a single multicast group, it is likely that
VTEPs will unnecessarily receive broadcast/unknown/multicast
datagrams for VNIs in which they do not participate. Using a range of
groups mitigates or eliminates this issue. It is thus an alternative
to the l2_population extension and driver for environments where both
multicast and linuxbridge are used.
The default setting is unchanged, but the comments in the ini file
suggest 239.0.0.0/8 as an alternative. Administrators are free to use
any valid multicast range that can be expressed in CIDR notation, and
should choose a size and starting address that make sense for their
environment.
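The VNI-to-group mapping described in the vxlan_group commit above, as an added example that is not the agent's own code. The modulo arithmetic is an assumption about how "round robin" is realised, and the function names and sample VNIs are hypothetical; the second helper shows how many VNIs end up sharing a group for a given range size.

```python
import ipaddress
from collections import Counter

VNI_MAX = 2**24 - 1  # VNIs are 24 bits

def vxlan_group_for(vni, vxlan_group):
    """Map a VNI to a multicast group inside vxlan_group (address or CIDR)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} is outside the 24-bit range")
    # A bare address parses as a /32, so every VNI maps to that one group.
    net = ipaddress.ip_network(vxlan_group)
    if not net.is_multicast:
        raise ValueError(f"{net} is not a multicast range")
    # Assumed mapping: offset = VNI modulo range size (round robin).
    return str(net.network_address + vni % net.num_addresses)

def vnis_per_group(vnis, vxlan_group):
    """Count how many VNIs land on each group address."""
    return Counter(vxlan_group_for(v, vxlan_group) for v in vnis)

def worst_sharing(vnis, vxlan_group):
    """Largest number of VNIs sharing one group; 1 means one-to-one."""
    return max(vnis_per_group(vnis, vxlan_group).values())

# Constructed sample: eight tenant VNIs.
SAMPLE_VNIS = list(range(100, 108))
```

A worst_sharing result above 1 means VTEPs subscribed to that group also receive flooded traffic for the other VNIs mapped to it, which is the case the commit message says a larger range mitigates.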
Enable resource usage tracking for reference plugins.
Specify which resources should be tracked when initializing
the ML2 and l3_router plugins. This will enable usage tracking
for the following resources:
- Networks
- Ports
- Subnets
- Subnet pools
- Security groups
- Security group rules
- Routers
- Floating IPs