Cedric Brandily [Tue, 17 Mar 2015 15:20:07 +0000 (15:20 +0000)]
Allow metadata proxy running with nobody user/group
Currently metadata proxy cannot run with nobody user/group as metadata
proxy requires to connect to metadata_proxy_socket when queried.
This change allows to run metadata proxy with nobody user/group by
allowing to choose the metadata_proxy_socket mode with the new option
metadata_proxy_socket_mode (4 choices) in order to adapt socket
permissions to metadata proxy user/group.
This change refactors also where options are defined to enable
metadata_proxy_user/group options in the metadata agent.
In practice:
* if metadata_proxy_user is agent effective user or root, then:
* metadata proxy is allowed to use rootwrap (unsecure)
* set metadata_proxy_socket_mode = user (0o644)
* else if metadata_proxy_group is agent effective group, then:
* metadata proxy is not allowed to use rootwrap (secure)
* set metadata_proxy_socket_mode = group (0o664)
* set metadata_proxy_log_watch = false
* else:
* metadata proxy has lowest permissions (securest) but metadata proxy
socket can be opened by everyone
* set metadata_proxy_socket_mode = all (0o666)
* set metadata_proxy_log_watch = false
An alternative is to set metadata_proxy_socket_mode = deduce, in such
case metadata agent uses previous rules to choose the correct mode.
The example retargetable test that previously ran as part of the
functional suite is now skipped due to the fullstack example's db
fixture usage causing the test to fail if it the fullstack example
runs first on the same worker.
The unit test reorg is about moving files around so a test module is
clearly associated with the code module it targets, but the test
modules in this change needed to be manually merged because they both
targeted the same module.
test_api_v2 is also updated to use the path of neutron/tests/base.py
as the root of path to test implementations of extensions.
With subnetpool, we can create subnet with subnetpool.
User can specify CIDR or prefixlen for subnet allocation.
If neither is specified, CIDR will be chosen from the
pool using the default-prefixlen of the pool.
Paul Michali [Wed, 1 Apr 2015 17:47:43 +0000 (13:47 -0400)]
Refactoring cleanup for L3 agent callbacks
This commit completes the refactoring of the L3 agent callback mechanism.
The goal here is to also use the neutron/callbacks/ mechanism for L3 agent
notifications, instead of have two mechanisms.
[1] modified the L3 agent to send notifiactions for router create, udpate,
and delete events, using the neutron/callbacks/ mechanism.
[2] modified VPN to use this new mechanism, instead of the L3EventObservers
mechanism. Note:
[3] modified FW repo to no longer depended on the L3EventObserver and
related objects (it doesn't currently use the event notifications).
This commit removes the notifications for the L3EventObservers mechanism,
removed the related modules and tests, and adds in tests to verify that the
new notifications are called for the different events.
Once [1] and [2] are upstreamed, this commit can proceed.
Andrew Boik [Mon, 23 Mar 2015 15:21:11 +0000 (11:21 -0400)]
Support multiple IPv6 prefixes on internal router ports
(Patch set #3 for the multiple-ipv6-prefixes blueprint)
Provides support for adding multiple IPv6 subnets to an internal router
port. The limitation of one IPv4 subnet per internal router port
remains, though a port may contain one IPv4 subnet with any number of
IPv6 subnets.
This changes the behavior of both the router-interface-add and
router-interface-delete APIs. When router-interface-add is called with
an IPv6 subnet, the subnet will be added to an existing internal port
on the router with the same network ID if the existing port already has
one or more IPv6 subnets. Otherwise, a new port will be created on the
router for that subnet. When calling the router-interface-add with a
port (one that has already been created using the port-create command),
that port will be added to the router if it meets the following
conditions:
1. The port has no more than one IPv4 subnet.
2. If the port has any IPv6 subnets, it must not have the same
network ID as an existing port on the router if the existing
port has any IPv6 subnets.
If the router-interface-delete command is called with a subnet, that
subnet will be removed from the router port to which it belongs. If the
subnet is the last subnet on a port, the port itself will be deleted
from the router. If the router-interface-delete command is called with
a port, that port will be deleted from the router.
This change also allows the RADVD configuration to support advertising
multiple prefixes on a single router interface.
The ovsdb monitor test was using a timeout of 60s for monitor start.
This change sets the timeout to the global timeout value if it is
greater (it's 90s currently).
Regarding https://review.openstack.org/#/c/145829/
The old code of DnsMasq will always get root_helper from
neutron.agent.dhcp.agent.
However, new code will only set run_as_root when namespace
is used. That will cause permission error when namespace
is disabled and dnsmasq need to be started.
Tim Swanson [Tue, 31 Mar 2015 16:13:16 +0000 (12:13 -0400)]
Move network MTU from core REST API to extension API
The network MTU was added to the core REST API via
https://review.openstack.org/#/c/154921. This commit
reverts that change and adds the network MTU to the
extension API.
Paul Michali [Thu, 26 Mar 2015 12:01:58 +0000 (08:01 -0400)]
Refactoring of L3 agent notifications for router
The goal of this refactoring is to reduce duplication by
replacing the L3EventObservers mechanism (a specific
mechanism for L3 agent notifications), with the
CallbacksManager mechanism (a more general mechanism
currently in use), so that there is one method
used.
This is the first part of refactoring the L3 agent so that
it uses the new neutron.callbacks mechanism. To do this,
duplicate calls will be made for notifications related to
the router, only using the new callback mechanism.
This commit does two things. First, it puts in place the
notifiers for the new callback mechanism. Second, it updates
the metatdata proxy agent (which is in the same repo) to
use the new callback mechanism.
Later commits will update other repos from the old to new
callback mechanism, and to then remove the old callback
mechanism, once no longer used.
Currently if the quota_port, quota_network, quota_subnet values
in the neutron.conf are set to a negative value not equal to -1,
neutron reports the values as is to consumers like Nova.
Nova treats -1 as the infinite quota indicator and doesn't expect
neutron to return any other non-negative value.
The fix allows the flexibility of having any negative number for the
quota parameters in the neutron.conf file and allows the nova boot
to succeed subsequently. The fix would report any negative value
as -1 for port, subnet and network.
According to changes [1,2], API tests' new home is under neutron/tests/api.
Change 92d2054f8a slipped through the cracks. It seems also that wrong
imports lead to tests silently dropped (i.e. not executed). This patch
rectifies the issue.
Dane LeBlanc [Tue, 3 Mar 2015 03:03:10 +0000 (22:03 -0500)]
IPv6 SLAAC subnet create should update ports on net
If ports are first created on a network, and then an IPv6 SLAAC
or DHCPv6-stateless subnet is created on that network, then the
ports created prior to the subnet create are not getting
automatically updated (associated) with addresses for the
SLAAC/DHCPv6-stateless subnet, as required.
Cedric Brandily [Tue, 3 Mar 2015 22:26:52 +0000 (22:26 +0000)]
Allow metadata proxy to log with nobody user/group
Currently metadata proxy cannot run with nobody user/group as
metadata proxy (as other services) uses WatchedFileHandler handler to
log to file which does not support permissions drop (the process must
be able to r/w after permissions drop to "watch" the file).
This change allows to enable/disable log watch in metadata proxies with
the new option metadata_proxy_log_watch. It should be disabled when
metadata_proxy_user/group is not allowed to read/write metadata proxy
log files. Option default value is deduced from metadata_proxy_user:
* True if metadata_proxy_user is agent effective user id/name,
* False otherwise.
When log watch is disabled and logrotate is enabled on metadata proxy
logging files, 'copytruncate' logrotate option must be used otherwise
metadata proxy logs will be lost after the first log rotation.
A recent change added a new api test to the old location that is no
longer used for discovery. This change moves it to
neutron/tests/api/admin to ensure that it can be discovered and run.
Carl Baldwin [Thu, 26 Mar 2015 18:10:10 +0000 (18:10 +0000)]
Implement default subnet pool configuration settings
The default_ipv6_subnet_pool option was added [1] as an integration
point between prefix delegation work and subnet allocation work. This
patch completes the integration with subnet allocation. This
addresses the use case where a deployer wants all ipv6 addresses to
come -- by default -- from a globally routable pool of ipv6 addresses.
In a deployment with this option set, an API user can still access the
old behavior by passing None explicitly as subnetpool_id when creating
a subnet.
This patch also adds the default_ipv4_subnet_pool for completeness.
Kyle Mestery [Fri, 13 Mar 2015 14:54:37 +0000 (14:54 +0000)]
Update core reviewer responsibilities
This patch more clearly lays out who can merge code into the plethora
of Neutron repositories. It also clarifies a few things with the
existing text in places.
Remove "Arguments dropped when creating context" logging
This log was previously reduced from warning to debug.
Cinder removed it entirely in:
https://bugs.launchpad.net/cinder/+bug/1329156
The root cause is this:
Agent heartbeats use an admin context. The context is serialized
with its to_dict method, which exposes 'tenant' and 'project_name'
(These are properties of the class that are calculated from other
attributes). In the controller, this dict is used to initialize a
ContextBase, which does not accept tenant and project_name as arguments,
de facto sending those values as key word arguments.
We can either handle 'tenant' and 'project_name' specially, fix
it any other way, or drop the logging entirely. Is this logging
ever useful?
Henry Gessau [Fri, 27 Mar 2015 02:54:21 +0000 (22:54 -0400)]
Modify a different agent in test_update_agent_description
API test_update_agent_description modifies an agent's description, and
test_list_agent assumes the first agent is never modified. We make
sure that an agent other than the first one is modified.
Maru Newby [Tue, 24 Mar 2015 16:21:57 +0000 (16:21 +0000)]
Move API tests to neutron.test.api
To make api test development simpler, move the tests to
neutron.tests.api. The neutron.tests.tempest subtree will remain
while work continues to transition the required functionality to
tempest-lib.
Ryan Tidwell [Mon, 16 Mar 2015 18:02:13 +0000 (11:02 -0700)]
Simple subnetpool allocation quotas
Enables enforcement of allocation quotas on subnet pools. The quota
is pool-wide, with the value of allocation_quota applied to every
tenant who uses the pool. allocation_quota must be non-negative,
and is an optional attribute. If not supplied, no quotas are
enforced. Quotas are measured in prefix space allocated. For IPv4
subnet pools, the quota is measured in units of /32 ie each tenant
can allocate up to X /32's from the pool. For IPv6 subnet pools, the
quota is measured in units of /64 ie each tenant can allocate up to
X /64's from the pool. For backward-compatibility, allocation quotas
are not applied to the implicit (AKA null) pool. Standard subnet
quotas will continue to be applied to all requests.
Ryan Tidwell [Thu, 19 Feb 2015 23:29:08 +0000 (15:29 -0800)]
Subnet allocation from a subnet pool
Contains API changes, model changes, and logic required to enable a subnet to
be allocated from a subnet pool. Users can request a subnet allocation by
supplying subnetpool_id and optionally prefixlen or cidr. If cidr is
specified, an attempt is made to allocate the given CIDR from the pool. If
prefixlen is specified, an attempt is made to allocate any CIDR with the
given prefix length from the pool. If neither is specified, a CIDR is chosen
from the pool using the default prefix length for the pool.
Maru Newby [Tue, 24 Mar 2015 01:30:11 +0000 (01:30 +0000)]
Simplify retargetable test framework
The retargetable testing prototype previously relied on each test case
defining the 'scenarios' attribute used to parametize testing with
testscenarios. Anticipating the requirement to retrofit the imported
tempest api test cases, this change moves scenario definition to a
base class since scenarios are common across all api tests.
This change also sets the retargetable test to skip when invoked
against rest. Tempest uses class-level setup for auth and this needs
to be broken out into fixtures before the retargetable testing will
work again.
Itsuro Oda [Wed, 25 Feb 2015 04:34:04 +0000 (13:34 +0900)]
Make floatingip reachable from the same network
The problem is that if one tries to communicate from a tenant network
to floatingip which attached to a port on the same network, the
communication fails.
This problem is a regression cased by [1].
[1] https://review.openstack.org/131905/
Before [1] SNAT rule is as follows:
-s %(internal_cidr)s -j SNAT --to-source ...
(for each internal interface)
After [1] SNAT rule is as follows:
-o %(interface_name)s -j SNAT --to-source ...
(for an external interface)
The new rule was considered a super-set of the packets going out to
the external interface compared to the old rules. This is true but
there is a lack of consideration.
Note that the packet is 'going out to external interface' OR 'DNATed'
at this point since the rule:
! -o %(interdace_name)s -m conntrack ! --ctstate DNAT -j ACCEPT
was applied already. So we should consider the following three cases.
1) going out to external interface
should be SNATed. It is OK under the new rule but there was a lack
of rules for packets from indirectly connected to the router under the
old rules. ([1] fixed this.)
2) DNATed (and going out to internal interface)
2-1) came in from internal interface
should be SNATed because the return traffic needs to go through the
router to complete the conntrack association and to reverse the effect
of DNAT on the return packets. If a packet is not SNATed, the return
packet may be sent directly to the private IP of the initiator.
The old rules done SNAT in this case but the new rule doesn't.
2-2) came in from external interface
nothing to do.
This patch adds a rule for the case 2-1).
This patch also adds mangle rules to examine whether a packet came from
external interface.
Allow router-gateway-set to work even without an assigned
subnet with the net_id so as to enable IPv6 L3 routing
using the assigned LLA for the gateway.
The goal is to allow for IPv6 routing using just
the allocated LLA address for the gateway port to be
used as the external gateway to connect to the upstream
router. For this purpose router-gateway-set no
longer has a requirement of an assigned subnet.
A new config has also been added to the l3_agent.ini
to allow the user to set a valid ipv6_gateway address
to be used as the gateway for the default ::/0 route
If the ipv6_gateway config is not set and a gateway
is still created without a subnet, the gateway interface
will be configured to accept router advertisements (RAs)
from the upstream router so as to build the default route.
Unit test changes and additions reflect these changes.
Ihar Hrachyshka [Wed, 18 Mar 2015 13:21:57 +0000 (14:21 +0100)]
tests: don't rely on configuration files outside tests directory
etc/... may be non existent in some build environments. It's also pip
does not install those files under site-packages neutron module, so
paths relative to python files don't work.
So instead of using relative paths to etc/... contents, maintain our own
version of configuration files. It means we need to maintain tests only
policy.json file too, in addition to neutron.conf.test and
api-paste.ini.test.
Ideally, we would make etc/policy.json copied under site-packages in
addition to /etc/neutron/. In that way, we would not maintain a copy of
policy.json file in two places.
Though it seems that setuputils does not have a good way to install
files under site-packages that would consider all the differences
between python environments (specifically, different prefixes used in
different systems).
Note: it's not *absolutely* needed to update the test policy.json file
on each next policy update, though it will be needed in cases when we
want to test policy changes in unit tests. So adding a check to make
sure files are identical.
Kevin Benton [Wed, 17 Sep 2014 03:36:42 +0000 (20:36 -0700)]
Set floating IP port status to "N/A"
The status of the port associated with a floating IP
would always show as DOWN. This caused confusion to
operators that weren't aware that this is expected behavior
since the port is only used for an IP allocation.
This commit sets the port status to "N/A" to reflect the fact
that the port associated with a floating IP has no operational
status.
Code Review / openstack-build / neutron-build.git / log