Carl Baldwin [Tue, 7 Jul 2015 16:41:03 +0000 (16:41 +0000)]
Add IP_ANY dict to ease choosing between IPv4 and IPv6 "any" address
I'm working on a new patch that will add one more case where we need
to choose between 0.0.0.0/0 and ::/0 based on the ip version. I
thought I'd add a new constant and simplify a couple of existing uses.
The result of get_sorts was a 'zip object' in Python 3, and it was later used
as a list, which fails. Just cast the result to a list to fix this issue.
Pavel Bondar [Thu, 2 Jul 2015 08:35:18 +0000 (11:35 +0300)]
Track allocation_pools in SubnetRequest
To keep the pluggable and non-pluggable ipam implementations consistent,
the non-pluggable one has to be switched to track allocation_pools and
gateway_ip using SubnetRequests.
SubnetRequest requires allocation_pools to be a list of IPRanges.
Previously allocation_pools were tracked as a list of dicts.
So allocation_pools generating and validating was moved before
SubnetRequest is created.
Kevin Benton [Tue, 30 Jun 2015 04:05:08 +0000 (21:05 -0700)]
Add ARP spoofing protection for LinuxBridge agent
This patch adds ARP spoofing protection for the Linux Bridge
agent based on ebtables. This code was written to be minimally
invasive with the intent of back-porting to Kilo.
The protection is enabled and disabled with the same
'prevent_arp_spoofing' agent config flag added for the OVS agent
in I7c079b779245a0af6bc793564fa8a560e4226afe.
The protection works by setting up an ebtables chain for each port
and jumping all ARP traffic to that chain. The port-specific chains
have a default DROP policy and then have allow rules installed that
only allow ARP traffic with a source CIDR that matches one of the
port's fixed IPs or an allowed address pair.
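The per-port chain design described in the commit message above, sketched as an added example (this is not code from the patch or from Neutron). The chain prefix, function names and sample port are assumptions made for illustration; the ebtables options used (`-N`, `-P`, `-A`, `-i`, `-p ARP`, `--arp-ip-src`, `-j`) are standard ebtables syntax.

```python
import ipaddress

CHAIN_PREFIX = "arp-spoof-"  # hypothetical chain naming, not taken from the patch


def port_chain(device):
    return CHAIN_PREFIX + device


def allowed_sources(fixed_ips, allowed_address_pairs):
    """Source CIDRs a port may claim in ARP: fixed IPs plus allowed pairs."""
    cidrs = list(fixed_ips) + [p["ip_address"] for p in allowed_address_pairs]
    # strict=False accepts input with host bits set, e.g. 10.0.0.5/24
    nets = {ipaddress.ip_network(c, strict=False) for c in cidrs}
    return sorted(n for n in nets if n.version == 4)  # ARP carries IPv4 only


def build_rules(device, fixed_ips, allowed_address_pairs):
    """ebtables commands: per-port chain with DROP policy, ARP jump, allow rules."""
    chain = port_chain(device)
    rules = [
        ["ebtables", "-N", chain, "-P", "DROP"],
        ["ebtables", "-A", "FORWARD", "-i", device, "-p", "ARP", "-j", chain],
    ]
    for net in allowed_sources(fixed_ips, allowed_address_pairs):
        rules.append(["ebtables", "-A", chain, "-p", "ARP",
                      "--arp-ip-src", str(net), "-j", "ACCEPT"])
    return rules


def arp_verdict(rules, device, arp_src_ip):
    """Model what the rule set does to one ARP frame entering on `device`."""
    chain = port_chain(device)
    jump = ["ebtables", "-A", "FORWARD", "-i", device, "-p", "ARP", "-j", chain]
    if jump not in rules:
        return "UNFILTERED"  # no jump installed: ARP never reaches the port chain
    src = ipaddress.ip_address(arp_src_ip)
    for rule in rules:
        if rule[1:3] == ["-A", chain]:
            if src in ipaddress.ip_network(rule[rule.index("--arp-ip-src") + 1]):
                return "ACCEPT"
    return "DROP"  # chain policy set by -P DROP


if __name__ == "__main__":
    # Constructed sample port: one fixed IP and one allowed address pair.
    sample = build_rules("tap1a2b3c4d-5e", ["10.0.0.5"],
                         [{"ip_address": "10.0.0.100/30"}])
    for cmd in sample:
        print(" ".join(cmd))
    print(arp_verdict(sample, "tap1a2b3c4d-5e", "10.0.0.1"))
```

An allowed address pair as wide as `0.0.0.0/0` produces an allow rule that matches every source, so the port chain no longer filters anything for that port.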
Carl Baldwin [Tue, 30 Jun 2015 20:22:46 +0000 (20:22 +0000)]
Refactor init_l3 to separate router port use case
Future work will extend init_l3 with more code specific to router
ports. It makes sense to separate these out into one basic method
with basic L3 and another for router port specific logic.
This dictionary does not belong to the plugins directory as it captures
API business, but practically speaking it does not even deserve to exist
and can be removed altogether.
This is patch one in a series that aims at addressing this monkey business.
A missing entry causes a KeyError that leads the server to blow up during
startup. We can fall back on an empty path (like some services do), in case
the prefix is not specified.
Furthermore, we can be declarative with this property, the same way we are
with properties like aliases, bulk support, etc.
Carl Baldwin [Tue, 30 Jun 2015 20:23:39 +0000 (20:23 +0000)]
Refactor IpRuleCommand to take more arguments
The iproute2 rule command takes more arguments than the ones supported
by this wrapper. Particularly, for address scopes, we're interested
in iif and fwmark. Instead of adding these piecemeal, this change
makes the wrapper flexible to pass any of them using kwargs.
Callers of add / delete are updated to pass keyword arguments for
table and priority since they are no longer required positional
arguments. This looks better anyway.
devref: document API status for neutron.openstack.common.*
Make sure we document the fact that neutron.openstack.common.* contents
are not meant to be used by external repositories (except, temporarily,
*aas repos).
If I could bootstrap the oslo-incubator subtree from scratch, I would
put it under neutron._openstack, to indicate that it's for internal
usage only. But we can't do it now, so instead I update devref.
Pavel Bondar [Thu, 25 Jun 2015 13:32:22 +0000 (16:32 +0300)]
Collapse create_subnet into single method
Previously create_subnet called different methods for subnet allocation
with subnetpool and without it.
_create_subnet_from_implicit_pool and _create_subnet_from_pool
were collapsed into a single method _create_subnet.
This is an intermediate step for supporting pluggable ipam.
Kevin Benton [Thu, 2 Jul 2015 08:45:46 +0000 (01:45 -0700)]
Downgrade log level for gone port on status update
If a port is deleted immediately before a status update arrives
from the L2 agent, the port will be missing from the DB. The current
code was logging this at the warning level, but this occurs during
normal operations so it should only be a debug event.
Kevin Benton [Wed, 1 Jul 2015 20:06:38 +0000 (13:06 -0700)]
Change the half of the bridge name used for ports
The code to generate the names of the patch ports
was based on a chunk of the bridge name starting from
the beginning. With the long suffix, this ended up
excluding all of the random characters in the name.
(e.g. br-int374623235 would create an interface br-in-patch-tun).
This meant that if two tests using patch interfaces ran together,
they would have a name collision and one would fail.
This patch updates the patch port name generation to use the
randomized back portion of the name.
Patch 4e77442d5 added a retry decorator to the API layer
to catch DB deadlock errors. However, when they occur, the
retried operation ends up being ineffective because the original
body has been altered, which leads the notification and validation
layers to barf exceptions due to unrecognized/unserializable elements.
This ultimately results in an error reported to the user.
To address this, let's make a deep copy of the request body, before
we pass it down to the lower layers. This allows the decorator to
work on a pristine copy of the body on every attempt. The performance
impact for this should be negligible.
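The failure mode described in the commit message above, reproduced as an added example (not code from Neutron or from the patch). `DBDeadlock`, `retry_on_deadlock`, `FlakyPlugin` and the request body are constructed stand-ins; the point is that a retry only helps if each attempt starts from an unmodified body.

```python
import copy
import functools


class DBDeadlock(Exception):
    """Stand-in for the database deadlock error (constructed for this example)."""


def retry_on_deadlock(max_retries=3):
    """Re-run the wrapped call when it raises DBDeadlock."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            for attempt in range(max_retries):
                try:
                    return func(*args, **kwargs)
                except DBDeadlock:
                    if attempt == max_retries - 1:
                        raise
        return wrapper
    return decorator


class FlakyPlugin:
    """Lower layer that alters the body in place, then deadlocks on call one."""

    def __init__(self):
        self.calls = 0

    def create_port(self, body):
        self.calls += 1
        # Nested, destructive edit: a shallow copy of body would not protect it.
        name = body["port"].pop("name")
        if self.calls == 1:
            raise DBDeadlock()
        return {"id": "constructed-id", "name": name}


def create_unsafe(plugin, body):
    """Retries reuse the same dict, so attempt two sees the altered body."""
    return retry_on_deadlock()(lambda: plugin.create_port(body))()


def create_safe(plugin, body):
    """Each attempt gets its own deep copy; the original body stays pristine."""
    return retry_on_deadlock()(lambda: plugin.create_port(copy.deepcopy(body)))()
```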
Robert Collins [Mon, 29 Jun 2015 21:40:17 +0000 (09:40 +1200)]
Improve fixture usage.
There were two broad issues with fixtures.
Firstly, the 'SafeFixture' workaround for resource leaks in fixtures
<1.3 is not needed if we depend on fixtures>=1.3.1. While testtools
may raise a TypeError when trying to query a fixture that failed to
setup, this is only ever a cascading failure - it will not cause
tests to fail, cause leaks, or cause tests to incorrectly pass. That
will be fixed in testtools soon to stop it happening (but as it cannot
affect whether a test passes or fails or leaks happen there is no
reason to wait for that). Leaks are seen with fixtures 1.3.0 still
because eventlet raises a BaseException subclass rather than an
Exception subclass, and fixtures 1.3.0 didn't handle that - 1.3.1 does.
Secondly, some of the fixtures had race conditions where things were
started and then cleanups scheduled. Where possible I've fixed those,
but some of them require more significant work to fully address.
Assaf Muller [Tue, 30 Jun 2015 17:22:17 +0000 (13:22 -0400)]
Disable pylint job
Disabling pylint until it gets unbroken. Pylint 1.4.1 is using
logilab-common, which had a release on the 30th, breaking pylint.
Pylint developers are planning a logilab-common release tomorrow
which should unbreak pylint once again, at which point I'll
re-enable pylint.
Sean M. Collins [Tue, 30 Jun 2015 16:06:07 +0000 (12:06 -0400)]
Remove bridge cleanup call
Remove the bridge cleanup call to delete bridges, since we are seeing
race conditions where bridges are deleted, then new interfaces are
created and are attempting to plug into the bridge before it is
recreated.
Russell Bryant [Tue, 26 May 2015 21:07:37 +0000 (17:07 -0400)]
Move windows requirements to requirements.txt
Commit 276028cca26af573c14938255e40c58358eabd4a added these
requirements to setup.py from a custom build hook. These requirements
can now be expressed in requirements.txt. We need to move them there
so that the global requirements sync job can continue to keep setup.py
in sync with the global version.
Kevin Benton [Tue, 30 Jun 2015 05:24:22 +0000 (22:24 -0700)]
Increase ping count on ARP spoof test
The other IPv4 tests all have a count of 2 to tolerate
ping failures due to slow ARP response/interface setup/etc.
This patch increases test_arp_spoof_allowed_address_pairs_0cidr
to 2 to match.
Kevin Benton [Fri, 29 May 2015 06:13:19 +0000 (23:13 -0700)]
Read vif port information in bulk
During startup, the agent was making many calls per port
to read information about the current VLAN, external ID, etc.
This resulted in hundreds of calls just to read information about
a relatively small number of ports.
This patch addresses that by converting a few key functions to
look up information for all of the ports at once.
Performance improvement on dev laptop for 250 ports from agent
start to port ACTIVE status:
before: 1m21s
after: 1m06s
Assaf Muller [Mon, 29 Jun 2015 15:38:51 +0000 (11:38 -0400)]
Remove failing SafeFixture tests
The fixtures 1.3 release attempted to fix the fixtures resource
leak issue, but failed to do so completely. Our own SafeFixture
is still needed: The 1.3 release broke our SafeFixture tests,
but not the usage of SafeFixture itself. This patch removes
those failing tests for now to unbreak the gate. Jakub reported
a bug on fixtures 1.3:
https://bugs.launchpad.net/python-fixtures/+bug/1469759
We will continue to use SafeFixture until that bug is fixed
in fixtures, at which point we will be able to require
fixtures > 1.3.