Gary Kotton [Mon, 29 Dec 2014 09:38:25 +0000 (01:38 -0800)]
VMWare-NSXv: VMWare NSXv extensions
For Kilo, the vendor-specific code should be moved to stackforge repo,
excluding the extensions (https://review.openstack.org/#/c/134680/).
This patch adds the extensions VMWare NSXv plugin from
stackforge/vmware-nsx repo.
There are 2 new extensions:
1. advanced_service_providers - this is required to enabled the NSXv to provide
metadata support (there is no metadata agent)
2. vnic_index - the security group support for the NSXv requires the vNIC index
Carl Baldwin [Mon, 12 Jan 2015 16:36:40 +0000 (16:36 +0000)]
Create arping helper in ip_lib
In trying to restructure the L3 agent in to more modules, some helpers
like arping will be used by several modules. It is better to relocate
it to a common module which all of them will import and use.
Since there is only one spot which passed 'distributed=True', I chose
to break the utility in to two. Also, 'distributed' doesn't really
describe what that argument is for. So, I named the second utility
differently to indicate that it is for sending garps when proxyarp is
in use for the address on the interface.
Miguel Angel Ajo [Thu, 15 Jan 2015 00:23:29 +0000 (00:23 +0000)]
Call on dhcp-agent DhcpLocalProcess.restart() breaks dhcp
The bugfix implemented on Ib37651f7f802debd472ab292b148c2a2496063a3
creates the network_conf_dir only during __init__, and restart()
method calls disable(), then enable(), where disable will remove
the config directory and all configuration files.
Previous implementation re-created the network_conf_dir on the
interface_name setter (called from enable) with ensure_conf_dir=True.
Sukhdev [Sat, 10 Jan 2015 01:02:53 +0000 (17:02 -0800)]
Fixs shared networks in Arista ML2 driver
When a shared network is created, it is stored
in arista_provisioned_nets under the tenant_id of
owner of the network. Later, when a different
tenant launches an instance on the shared network,
above mentioned DB is looked to find the network
under requesting tenant's ID, and it is not found,
and hence, the request is rejected.
The fix is made such that when a network is not
found under the requesting tenant's ID, check if
this network is shared network. If yes, then
check the DB to ensure that owner tenant exists
in the DB. If yes, then this is a valid request
and do not reject it. Otherwise reject it - as an
unknown tenant or network is specified in the
request.
- Don't assume the path of mktemp command. It's /usr/bin/mktemp
for some platforms. eg. NetBSD. Also, always provide a template
as it's necessary for some platforms, eg. OS X. This snippet was
taken from the example in NetBSD's mktemp(1).
- Move a comment to the appropriate place.
- Improve a regex to ignore more comments.
- As the pattern for find -path is not a regex, no escape is necessary
for period.
When troubleshooting issues having to parse the \n mentally is kind of
difficult. Be nice to the user and have the newlines interpreted correctly.
It's fine if we waste some spaces in the logs, storage is cheap these days.
Kevin Benton [Tue, 13 Jan 2015 16:05:19 +0000 (08:05 -0800)]
Fix topic for provider security group update
Commit 8098b6bd20bb12520e438ef9125dc7b96664f712 accidentally changed
the topic for the provider security group update to a regular member
update. This resulted in the L2 agent not asking for the latest
security group rules after a DHCP port was created. If a regular
compute port was brought online and wired up by the L2 agent
before the DHCP port was created, the VM would never get its allow
rule to communicate with the DHCP server.
Kobi Samoray [Sun, 11 Jan 2015 09:28:42 +0000 (11:28 +0200)]
VMWare NSXv DB model bugfix
DB Model and migration for VMWare NSXv had two issues:
In DB migration, nsxv_security_group_section_mappings table is not dropped on downgrade.
In nsxv_models.py, tz_network_bindings_binding_type enum name should be
nsxv_tz_network_bindings_binding_type to match migration code.
* Remove references in tox.ini to removed rules.
* Remove custom @author check since it's now implemented in hacking.
* Move N323 to N322 that is freed due to @author check removal.
* Temporarily skip W292 (no newline at the end of file).
* Temporarily skip H238 (old style classes).
Wei Wang [Thu, 7 Aug 2014 08:16:37 +0000 (16:16 +0800)]
Use "if dict.get(key):" instead "if key in dict and dict[key]:"
Use "if dict.get(key):" instead of "if key in dict and dict[key]:"
which makes code more clear and intelligible. Note this patch doesn't
change judging conditions, all "is not None" are retained.
Ensure config directory created before updating leases
Under high load conditions dhcp-agent could try to start the
dhcp local process via reload_allocations. But it will fail since
the dhcp config directory for the specific network is not
created yet.
WeiHu [Tue, 30 Dec 2014 02:45:55 +0000 (10:45 +0800)]
Fix IPv6 Subnet Slaac Check
Currently, "is_slaac_subnet" method only checks "ipv6_address_mode".
This will let neutron allocate a stateful IPv6 address for instance
when ipv6_ra_mode set to "stateless" or "slaac", and "ipv6_address_mode"
unset. But actually, instance get IPv6 address prefix from radvd, and
auto configure IPv6 address by itself. This change will let "is_slaac_
subnet" also check ipv6_ra_mode attribute, which will no longer allow
fixed IPs on auto-address subnets and delete subnet will correctly delete
auto-address ports.
Sayaji [Mon, 1 Dec 2014 23:25:57 +0000 (15:25 -0800)]
Run only one instance of Nuage sync cycle at a time
Sync can run as part of Neutron and as a standalone tool.
So when sync is triggered through Neutron, someone can
trigger another sync cycle using the standalone tool.
Similarly when sync is triggered by standalone tool, Neutron
can trigger another sync cycle. This can lead to unexpected
sync behaviour .This fix will allow only one sync cycle at a
time and the other cycle will be blocked till the first one is
complete.
Russell Bryant [Thu, 18 Dec 2014 20:11:07 +0000 (20:11 +0000)]
Scope metadata rpc api using a messaging namespace
This patch does a couple of things. First it adds docstrings to the
client/server pair of the rpc interface used by the metadata service
to make calls back into the Neutron server. The docs tell you where
the other side of the interface is found in the code, and where docs
are that give more info on the rules for changing them.
The second thing done in this patch is to scope this interface using a
messaging namespace. Right now some plugins expose several interfaces
via the default namespace. This effectively means they are a single
API and should be managed with a single version stream. It's much
more managable to just treat these as separate interfaces and this
change makes that explicit and functionally true. Now when a method
is invoked, the only classes considered for handling that request will
be ones marked with the right namespace.
Russell Bryant [Wed, 17 Dec 2014 19:55:43 +0000 (19:55 +0000)]
Provide doc string pointers for the dhcp agent rpc api
There is an rpc interface defined for the Neutron plugin to be able to
execute methods in the DHCP agent. Provide docstring pointers in the
client and server side that tells you where to find the other side of
the interface.
No namespace usage is needed here. This API is the only one exposed
via the DHCP agent, so the default namespace used now is fine.
The DhcpAgent class was updated to explicitly define the
messaging.Target(). Previously it was using the equivalent one
defined in the Manager base class. Having it specified here makes it
more obvious that this is an rpc endpoint, and also provides the
obvious place that must have the version updated if the interface is
changed.
Break out config and entry point out of l3/agent file
This is done in order to show the split between a main() and
the agent's inner workings. At the same time the L3 agent for
Neutron is also being restructured and to this aim, its config
is also moved out of the agent file.
Keep main() for the time being until we get dependent
services updated.
Partially-Implements: bp restructure-l3-agent
Partially-Implements: bp core-vendor-decomposition
Cedric Brandily [Thu, 11 Dec 2014 13:10:30 +0000 (13:10 +0000)]
Correct l3-agent iptables rule for metadata proxy
2 iptables rules are defined to ensure the metadata proxy is reachable
from vms on 169.254.169.254:80:
* REDIRECT 169.254.169.254:80 packets to the router on port 9697
* ACCEPT traffic to 127.0.0.1 on port 9697
The REDIRECT rule replaces destination ip by:
* 127.0.0.1 if the packet is local,
* router ip (the one on the input interface, metadata proxy case).
So ACCEPT rule filter is not matched ... the metadata proxy is only
reachable because INPUT policy is ACCEPT.
This change removes the destination constraint in the ACCEPT rule.
Brent Eagles [Fri, 10 Oct 2014 15:57:51 +0000 (13:27 -0230)]
Reset policies after RESOURCE_ATTRIBUTE_MAP is populated
The REST API relies on neutron-specific policy checking logic that is
only available after the extensions are loaded and the
RESOURCE_ATTRIBUTE_MAP is populated. This patch resets the policies
immediately after these steps are done. This ensures that in the event
the policies are prematurely loaded for any reason, the on-demand
loading of the policies will reload the policies and properly configure
the neutron specific checks on the next policy check.
Remove SELECT FOR UPDATE from delete_network and delete_subnet
delete_network and delete_subnet instead of using SELECT FOR UPDATE
delete the ports that are allowed to be auto deleted straight away.
Then a check is performed, if there are ports still associated
with the network or the subnet that cannot be autodeleted,
an exception is raised. The operation will be rolled back.
Ihar Hrachyshka [Wed, 7 Jan 2015 12:23:48 +0000 (13:23 +0100)]
Bump minimal dnsmasq version to 2.67
Versions prior to 2.67 did not support MAC address matching for IPv6 clients.
Quoting dnsmasq CHANGELOG:
"
version 2.67
[...]
Support identification of clients by MAC address in
DHCPv6. When using a relay, the relay must support RFC
6939 for this to work. It always works for directly
connected clients. Thanks to Vladislav Grishenko
for prompting this feature.
"
Assaf Muller [Tue, 23 Dec 2014 11:52:41 +0000 (13:52 +0200)]
Make L3 HA VIPs ordering consistent in keepalived.conf
Currently the order of VIPs in keepalived.conf is determined
by sorting the VIPs whenever one is added or removed. As it
turns out, keepalived doesn't like it when the primary VIP
changes. One side effect is that virtual routes, in our case
the router's default route, may be removed.
This patch fabricates an IP address on the router's HA interface
and uses it as the primary VIP.
Jakub Libosvar [Fri, 3 Oct 2014 12:02:55 +0000 (14:02 +0200)]
Add Process class helper to manage processes with namespace
This class extends Popen class with usage of namespace and root-helper.
Because of usage of root wrapper, this class re-uses get_child_pid() for
killing the child process. get_child_pid() is taken out of AsyncProcess
as a part of this patch.
Make lb mechanism driver use enable_security_group flag
This patch allows Neutron security groups to be enabled or
disabled with the enable_security_group flag when using the
linuxbridge ml2 mechanism driver.
Eugene Nikanorov [Tue, 23 Dec 2014 17:28:12 +0000 (20:28 +0300)]
Catch PortNotFound and SubnetNotFound during network_delete
In some cases PortNotFound exception during network_delete
could be caused by concurrent port deletion by DHCP agent.
This condition should not prevent network from deleting.
rajeev [Tue, 23 Dec 2014 18:49:19 +0000 (13:49 -0500)]
HA for DVR - schema migration and change
To support HA for DVR SNAT, default SNAT has to be schedulable
on multiple L3 agents. The csnat_l3_agent_bindings table is being
modified to include l3_agent_id in the primary key.
The migration script and Class definition update is included in
this patch. For modularity and code management, HA/DVR methods
that would make use of this change will be included in a different
patch.
The L3 agent metadata driver was added but then reverted
because it broke the functional job. The fix to the functional
job was merged, and this patch reverts the revert, thereby
adding the metadata driver back.
Matthew Thode [Wed, 10 Dec 2014 21:12:25 +0000 (15:12 -0600)]
moving vxlan module check to sanity checks and making practical
Instead of checking via modinfo (which only checks if a module is
available) this checks actual usage, which is a more reliable way of
testing real world problems.
Code Review / openstack-build / neutron-build.git / log