Commit Graph

1274 Commits

Author SHA1 Message Date
Thomas Bachman e5b989b2e4 Use context session for port dictionary methods
Use db_api.get_session instead of the patched method to
get the top level session in the frame, but only for ports.

Change-Id: I9cf25efe7fe215b702a5f30d6fceea8c6b9d89ab
(cherry picked from commit de7faa13e0)
2020-08-18 14:12:20 +00:00
Thomas Bachman a10102b80c Fix missing DB migration
Commit a7903e971d wasn't backported
to stable/newton, but subsequent DB migrations were. This results
in the migration getting skipped when upgrading between stable
releases (e.g. newton to ocata). This patch fixes this by checking
to see if the table from that migration exists, and if not, runs
the original migration.

Change-Id: I09cb7796acc1396a8308900e813d2f5e5f896c8d
2020-05-27 20:58:46 +00:00
Thomas Bachman a54359cf97 Fix field sizes for VM names
The VM names table needs to increase the lengths, in order to support
the max sizes from their sources (Nova and Neutron).

Change-Id: Ie2cb0c596c01d6a9e31db3488f8213da002de846
(cherry picked from commit 37a7edc08a)
2020-05-18 19:49:24 +00:00
Zuul 36e46893ac Merge "[AIM] Insert remote_group_id to SG rules properly" into stable/ocata 2020-05-18 19:31:39 +00:00
Kent Wu e3b2457e36 [AIM] Sanitize the AIM tenant description field
APIC doesn't accept some special characters like "
or ' in the description field, so we have to sanitize
it before pushing it to AIM. We have done a similar
thing for display_name before. Also don't need to
overwrite the AIM tenant while creating it.

Change-Id: I189564336398c2a90687309444c7916df94f6eb4
2020-05-17 16:52:16 +00:00
Kent Wu f9a2c99659 [AIM] Insert remote_group_id to SG rules properly
Also add a migration script to do data migration for
those existing SG rules.

Change-Id: I215248125815382fb15a52030d071320c96c605b
(cherry picked from commit 9c1c46bc55)
(cherry picked from commit 0ed08e3162d12c315eae47a637c21690b3c00cb9)
2020-05-11 10:56:21 -07:00
Zuul ad0322c76c Merge "[AIM] Fixed external subnet ANY_CIDRs for l3out EPGs for SVI" into stable/ocata 2020-03-27 22:19:36 +00:00
Robert Kukura 73d5640ba4 [AIM] Retry L3 Plugin Operations
While testing https://review.opendev.org/#/c/704705/, which moves
calls to Neutron REST APIs from GBP policy driver precommit methods to
postcommit methods, which are outside transactions, it was discovered
that L3 Plugin operations such as add_router_interface are not retried
if a StaleDataError occurs. In the upstream l3_db module, these
methods have retry decorators, but those decorators have no effect
because the AIM l3_plugin methods call the inherited upstream methods
within transactions. We therefore add retry decorators to the AIM
l3_plugin methods.

Note that https://review.opendev.org/#/c/706631/ removes the top-level
transactions in these l3_plugin methods, so these retry decorators
will no longer be necessary when that patch is merged. But that patch
is not planned to be back-ported beyond stable/queens, so this fix
will still be needed in the older stable branches.

Change-Id: I6fedf3821a1a8babfc928ef21917ff4b69aac7c6
2020-03-27 16:07:08 +00:00
Robert Kukura 9c876051e8 [AIM] Fix most common random UT failures
Fix TestGbpDetailsForML2 UTs to avoid both allocating and specifying
fixed_ips for ports on the same subnet, which sometimes collided.

Fix test_preexisting_external_network UT to cascade-delete the
ExternalNetwork's ExternalSubnet, which sometimes prevented the
ExternalNetwork from actually being deleted.

Change-Id: I7226129135a59d35fa8d76d132163b2241334fed
2020-03-24 16:05:44 +00:00
Iftikhar Rathore d76a149ba2 [AIM] Fixed external subnet ANY_CIDRs for l3out EPGs for SVI
The CIDR 0.0.0.0/0 does not work when using SVI and transit
routing. We need to use 0.0.0.0/1 and 128.0.0.0/1 instead.

Change-Id: I8e631b19bf2feffb2e306584d4954dcc891cacda
2020-03-23 22:26:46 +00:00
Thomas Bachman 18344dd4be Fix for unbinding baremetal VNIC ports
Unbinding baremetal VNIC ports before deleting them results in
removing the topology information from the binding:profile. This
prevents the static port from being deleted from the EPG when the
port is deleted. The topology information still exists in the port
context passed to the mechanism driver, under the "original" member.
This patch handles port unbinding by getting the topology information
from the original member, in order to identify the static port
to remove from the EPG.

Change-Id: I6a0e31a771cfc678d1f3bdaa576751f05f2c173a
2020-03-10 22:27:14 +00:00
Thomas Bachman a90aa7a3b8 Add support for baremetal vnic_type
Bind ports of vnic_type baremetal to networks that have
opflex type static segments, using Hierarchical Port Binding
(HPB), with dynamically created VLAN type segments, as well
as networks with static or dynamic VLAN type segments.  This
includes static port configuration on EPGs or L3 Out policies
in ACI using untagged mode with native VLANs. Support for using
baremetal vnic_types with trunk ports must be addressed in a
separate patch.

Requirements for baremetal vnic_type port binding are:
1) binding:profile must have a local_link_information element
2) local_link_information must contain a switch_info element
3) switch_info must be a string containing comma-delimited
   key/value pairs, which are separated by a colon.
   Required key/value pairs are:
      o  apic_dn:<dn for static path>
      o  physical_network:<physnet for interface>
   The PhysDom for the interface can optionally be
   specified using the key/value pair:
      o  physical_domain:<name of the PhysDom for the interface>
   If the physical_domain is populated, it will be used to associate
   the named PhysDom with the EPG. If no physical_domain is provided,
   then the existing domain association behavior is used (i.e. the
   HostDomainMappingV2 entries in AIM are searched for applicable
   entries).

The local_link_information also may contain the port_id
and switch_id elements, which should specify the individual
port_id and switch_id that the baremetal VNIC connects to.
However, this information currently isn't used.

Once a VNIC type of baremetal is bound, the static path information
in the binding:profile is stored in AIM, either in an EPG or the
Interface Profile for an L3 Out policy in the case of SVI networks.

Change-Id: I43b1305de59f68d9114c5856f76a98cc72ceb18e
(cherry picked from commit 26f4d72d49)
2020-02-21 20:12:30 +00:00
Zuul 21e3fdbfdd Merge "Enable SVI networks with hosts running opflex agent" into stable/ocata 2020-02-21 17:33:27 +00:00
Sridar Kandaswamy b3fb219e3f Enable SVI networks with hosts running opflex agent
- Allow port binding on SVI networks with hosts running opflex agent
- Supported with vlan type networks (not opflex networks)
- Provides a flag indicating SVI network, the vlan id and the epg is
  set to a unique id (SVI network id) in response to get_gbp_details.
  This enables the opflex agent on the host to set up the data path
  appropriately.

Change-Id: Ia0a3e4354141b04693fda8c1079acbbc76f371d9
(cherry picked from commit 5aee410131)
(cherry picked from commit 0f3e3fb258)
2020-02-21 15:13:40 +00:00
Thomas Bachman d5c32b2b2e Refactor static path code
The static path code is refactored to improve readability, and
will be used in subsequent patches adding support for baremetal
VNIC types.

Change-Id: I3ac7659db7fa6e22c446a82b680c4ef52f64b183
2020-02-07 15:40:33 +00:00
noiro 03cd33ba0c Support named ip protocols for SecurityGroupRules
Along with numbered ip protocols, the mechanism driver will now also
support named ip protocols for SecurityGroupRules.

Change-Id: I888c2fbfd242b1838cf69ce07ee09650f790c1a1
2020-02-01 06:26:27 +00:00
Kent Wu 196e083370 Allow both FIP and SNAT on a single port
This should be allowed if this port has multiple IPs
either through AAP or multiple fixed_ips.

Currently once a FIP is associated to a port then it
will prevent SNAT from working anymore. This works
fine for ports having just 1 IP. However if a port is
configured with multiple IPs, then associating a FIP
to one of the IPs will break the existing SNAT
configuration for the other IPs.

Change-Id: I5bfc32a021ed6d438e227cd1c71d4701f81be296
2020-01-24 22:14:43 +00:00
Zuul e257850c85 Merge "Fix active-active AAP RPC query" into stable/ocata 2020-01-12 16:19:16 +00:00
Robert Kukura 6aa89a7a38 Fix active-active AAP RPC query
(cherry picked from commit 49f5044009)
(cherry picked from commit 4837e4502c)
Conflicts:
	gbpservice/neutron/plugins/ml2plus/drivers/apic_aim/rpc.py

Change-Id: I44dc8b467b19a8c7cdd6d204b88fcd028d23504e
2020-01-10 17:01:41 +00:00
Robert Kukura 41acc492cb [AIM] Add extra provided/consumed contracts to network extension
Add apic:extra_provided_contracts and apic:extra_consumed_contracts
attributes to the cisco_apic network extension. The named contracts
are provided/consumed by the network's default EPG, in addition to any
applicable router contracts. At least one subnet on the network must
be attached as a router interface for the extra contracts to have any
effect on the network's connectivity. Attempting to specify extra
contracts for an external network or SVI network is rejected
with an exception.

(cherry picked from commit 496f54b84a)
(cherry picked from commit 3e16a0c590)
(cherry picked from commit 525b9bbf24)
Conflicts:
	gbpservice/neutron/plugins/ml2plus/drivers/apic_aim/mechanism_driver.py

Change-Id: I784107f4e7d7d5d39377c583bcd2163c7688eb5b
2020-01-10 05:57:05 -05:00
Zuul c0592e496b Merge "Active active AAP feature" into stable/ocata 2020-01-09 17:35:44 +00:00
Kent Wu 9f1a1be76f Active active AAP feature
1. Introduced a new subnet extension attribute for this.
When its enabled, this subnet can't be connected to a router.
And to make things simple, this new attribute's value can't
be changed after creation.

2. VM port's active_active_aap mode in the EP file is determined
by checking this port's fixed_ip subnets one by one, and only
if the active_active_aap value is true for all the subnets then
we will mark it accordingly in this VM port's EP file. And when
active_active_aap is on, the owned address concept doesn't apply
to those AAPs.

3. An AAP can't be added to a port if this port's
active_active_aap mode is different than any of the other ports
(in the same network) whose AAPs are overlapping with this AAP.

4. Also added a helper function to create a subnet with those
extension attributes in the UT environment.

Change-Id: Icb3af7b33442eda739f93f9e6ca16174a26f5c21
(cherry picked from commit 88d3f0ab2a)
(cherry picked from commit 88ac1f4aa6)
(cherry picked from commit 543da14e2841783a1a7b850004a20265e9a0be8d)
2020-01-07 13:15:51 -08:00
Thomas Bachman 10a8da3f24 Support cache option for legacy GBP driver
The legacy GBP driver shares the cache code in the apic_aim
mechanism driver. This class uses an option that's only available
when the apic_aim mechanism driver is loaded. In order to ensure
backwards-compatibility for the legacy GBP driver, check to see
if the configuration options exist before trying to use it for
configuring the class.

Change-Id: I26aab66b725cea1971e8d212705d47a7890e4b42
2019-12-19 01:39:57 +00:00
Thomas Bachman 21240693fe Fix host ID length in VM names table
The host ID length of 36 characters doesn't support the IETF
standards in RFC 1035 section 2.3.1 and RFC 2181 section 11.
This patch is a DB migration to drop the existing table and
recreate it with the proper host length (neutron server
processes will recreate the table afterwards).

Change-Id: Iffbda0a548a4985088c05bf5bb5ae253acdbf338
2019-12-02 21:43:59 +00:00
ajgoyalnoiro 63db02b6b4 Update_proj_descr in apic when project description is updated in os
update mechanism driver to save project description on project creation
and project update into aim database.

Change-Id: Ibecd5bbad286f8f77b381171ca5a64ff7f4fc7ad
2019-11-26 16:42:00 -08:00
Zuul a8507b6283 Merge "Send port notifications when host_route is getting updated" into stable/ocata 2019-11-06 00:36:25 +00:00
Zuul cbecb38ade Merge "Provide a control knob to use the internal EP interface" into stable/ocata 2019-11-05 21:09:26 +00:00
Kent Wu 6af7d7958b Send port notifications when host_route is getting updated
Change-Id: I9f52a1ee4733f93befa9ea95603d8a57f8c8850a
2019-11-04 22:05:22 +00:00
Kent Wu 5046653d5f Provide a control knob to use the internal EP interface
By default neutron client is always using the public
interface. However one customer decided to disable the
public interface for some security reason and requested
a way to use the internal interface instead.

Change-Id: I829eb77a428fc5ee86911067ea5b6a0353301c20
2019-11-04 18:15:44 +00:00
Sridar Kandaswamy 35ddfeb0de Fix pep8 failures seen on submitted patches
Seems like with some possible change in infra we see some
pep8 failures. These are related to Python 3 checks. Handling these
so that code is functional in either Python 2.7 or Python 3 envs.
An attempt is made to be in line with handling this in other community
projects.

Change-Id: Iec4c919bebb70365f932f23b926aa80bf4da6048
(cherry picked from commit 409c1517ab)
2019-10-31 12:45:05 -07:00
Robert Kukura 3bab41a2cd [AIM] Fix HAIP RPC query
A condition in an outerjoin in the query for owned HAIP IP addresses
during the device details RPC was not having the intended effect,
resulting in data related to other networks using the same private
addresses being returned, so the condition is moved to a filter
instead.

Change-Id: I5aa9d93e5356580e8bff5d79cc343226ac74a2cb
2019-09-20 18:20:43 +00:00
Thomas Bachman a33dee9074 Fix implicit ICMPv6 Security Group Rules
The implicit security group rules only included a rule to allow
ICMPv6 ingress traffic. Furthermore, the security group rules
used reflexive connection tracking, which causes issues when
integrated with Open vSwitch rules (the router advertisement
messages would result in connection tracking returning an
"invalid" state). This patch adds bidirectional ICMPv6 to the
implicit rules, without the reflexive behavior, which will
allow the SLAAC process to succeed.

Change-Id: I19bfb63acaa76ce41200c4e71bc3b5c73f995748
2019-09-19 02:39:11 +00:00
Iftikhar Rathore 530c204900 Fixed snat port status to be ACTIVE and UP
This is a temporary fix till we add a real port bind for the SNAT port.
Also added UT for this fix

Change-Id: I7c9dfc7251327fb4c6edf33d20efd520bd493de9
2019-09-13 14:57:25 +00:00
Zuul ac7617da16 Merge "Some refactoring regarding merge aim statuses" into stable/ocata 2019-09-13 01:08:38 +00:00
Zuul 58c4fa7907 Merge "Verify aim_epg exists before proceeding" into stable/ocata 2019-09-12 23:21:53 +00:00
Zuul b64745a6be Merge "Revert "Make DHCP provisioning blocks conditional"" into stable/ocata 2019-09-12 20:54:15 +00:00
ajgoyal 91c3a49a36 Verify aim_epg exists before proceeding
While updating port properties, it is possible that the
network has already been removed.

Change-Id: Icbc702fe04869cd40c44bc8eb8ba80982fc629db
(cherry picked from commit 73ddfc4dcf)
2019-09-12 19:25:41 +00:00
Thomas Bachman 67850b80c1 Revert "Make DHCP provisioning blocks conditional"
This reverts commit 166ae568aa.

Change-Id: Ie7ed5c99618d54b663f49efb15fe11280a77fed7
2019-09-12 16:25:48 +00:00
Kent Wu 9e69bfeb73 Some refactoring regarding merge aim statuses
Put that common code into a function.

Change-Id: I921d1b64b7c33aa05ce541bad6f571599d1e7c82
(cherry picked from commit d9ca10d5a5)
(cherry picked from commit 2477e719f224b3635d4401e3294799ddb0b85f48)
(cherry picked from commit da2d018d67b963edf8976f54f7ce438a07baa9da)
2019-09-04 13:26:43 -07:00
Kent Wu 552af8ece1 Bulk extension support for routers
Change-Id: I64f1853f1e82c301a2d967ef30f7493e7695ab82
(cherry picked from commit d5ae8404e5)
(cherry picked from commit 7887af548b0e44648540e8a5999f45fbf6ad596c)
(cherry picked from commit aa320132fa2ed2f1a4e9408513c87bb7c8fc3e11)
2019-08-31 16:27:23 +00:00
Robert Kukura d91b8fd153 [AIM] Eliminate redundant router extension content
Don't include AIM Subnet or VRF information in the Neutron router
resource's apic:distinguished_names or apic:synchronization_state
extension attributes, since this same information is reflected in the
similar extension attributes of the Neutron subnet and network
resources, respectively. The AIM Contract and Subject information
remain in the router extension attributes.

Change-Id: I8db6a66904ad6a607b2e58ade532c7232ac42788
2019-08-29 14:12:13 +00:00
Zuul efefa4868a Merge "Adding icmp_code and icmp_type for SG rule" into stable/ocata 2019-08-08 18:47:00 +00:00
Zuul ddd78e73b7 Merge "A VM could be associated with multiple ports" into stable/ocata 2019-08-08 00:35:42 +00:00
ajay goyal b3e5abe05a Adding icmp_code and icmp_type for SG rule
Change-Id: Ibcb64c3cd3232b81d4ab32228ba330a3a88a506f
(cherry picked from commit 1f6ba97795)
2019-08-07 23:41:05 +00:00
Kent Wu 647da5e17b Optimize the extend_router_dict() call
1. Only query the needed fields instead of the whole DB objects
to avoid the unnecessary join operations done at the
sqlalchemy layer.
2. Use the default lazy loading for the AddressScopeMapping to
address_scope relationship to avoid the unnecessary loadings.

Change-Id: Ie5bb9d1278cadeb97b5aabfe6cf2d0641acbaeca
(cherry picked from commit 1d0494e8ed)
(cherry picked from commit bfab33ec993cf383fec931a3809fc0e7d78ca035)
(cherry picked from commit e0b77722df31e59dea2eca1b3152d4cb08be284b)
2019-08-07 14:36:49 -07:00
Kent Wu abf38eb9af A VM could be associated with multiple ports
This could happen for example if a VM is associated
with 2 different ports which are under 2 different
subnets/networks respectively.

Change-Id: I0afb1fdc972a4d8b4a966c9b527037ac0c9bfd41
2019-08-07 20:28:47 +00:00
Zuul 60ed099e43 Merge "[AIM] Prevent overlapping CIDRs in routed VRF" into stable/ocata 2019-08-01 23:11:57 +00:00
Robert Kukura edb8138276 [AIM] Enhance gbp-validate to detect routed subnet overlap
The gbp-validate tool will now fail validation if multiple routed
subnets that map to the same VRF overlap. Note that, unlike the
similar rejection of attempts to add or remove interfaces that result
in overlap, this is not subject to the allow_routed_vrf_subnet_overlap
config variable, and applies to scoped as well as unscoped subnets.

Change-Id: I01346b94a491e6866bcf9581fe53028889d244ba
2019-08-01 19:30:04 +00:00
Robert Kukura 76a69bfba9 [AIM] Prevent overlapping CIDRs in routed VRF
Reject adding or removing a router interface if the operation would
result in overlapping AIM Subnets within a routed AIM VRF. This can be
temporarily disabled, if necessary, by setting the
allow_routed_vrf_subnet_overlap config variable to True. Setting this
will also result in a warning being logged at startup.

A followup patch will add similar checking to the gbp-validate tool,
which should be run immediately after upgrading an existing deployment
to a new version with this feature, to make sure no overlap already
exists. If it does, it may be necessary to disable this checking until
existing overlap can be cleaned up.

Change-Id: I2de7fee0d31719293654dbe6fff032cfe1f91b9d
(cherry picked from commit 1bb8958101)
2019-08-01 15:54:57 +00:00
Thomas Bachman c4bb97aa29 Disallow external subnets as router interfaces
Upstream neutron doesn't prevent subnets on external networks from
being used for router interfaces. The AIM mechanism driver treats
the boundary between unscoped internal and external networks as
a boundary for NAT. This makes the semantics confusing if subnets
on external networks are used as router interfaces and gateways,
and is therefore disallowed.

Change-Id: I164d655648c77f9a1fa12dc8927d64a5d50be356
2019-07-30 21:45:37 +00:00