The upstream commit [0] removed the _get_subnet method
from the common DB plugin. However, this method is still
in use by the group-based-policy project. As a workaround,
we re-add this method to our specialization of the core
plugin. This should be replaced at some point by a method
that follows upstream.
[0]: //review.opendev.org/c/openstack/neutron/+/742829.
Change-Id: I64615d499cca206a840a6d70477513132077fd50
The AIM BridgeDomain resource was being configured with an
explicit value of the ep_move_detect_mode parameter. This was
done to address a workaround needed for older hardware. Now
that the older hardware is no longer supported, AIM has been
changed to disable this value by default, which means that the
AIM mechanism driver no longer needs to set this value explicitly.
Change-Id: I41036952c46bfd72e0c9ed2416fcf3af6294c9ad
Add support for setting the scope of a subnet by configuring
'apic:advertised_externally' and 'apic:shared_between_vrfs'.
Change-Id: Ieedaec28098c4f6d4e6b3c3c97f0c8f86cf072a4
This reverts commit 953997a9a8.
The patch reverts the change of warn to warning in alembic_migrations.
The alembic utils library only has warn, and not warning, so this
patch isn't needed.
Change-Id: Ibd16c88ea33ae668316506c58348ce2b5c1a53d6
Fix the bug where remote ip's version is not being checked against
the ethertype before adding it to security group rule's remote_ips
in security_group_rule_create_procommit.
Change-Id: I10df6ed562e1af66b89c14c0769b670b2f61d9a0
The order of the admin_owner_or_network_owner alias in the
policy.json file can trigger DB queries for the network
resource in order to complete the policy checks, even in
cases where those checks aren't needed. This changes the
order of the policy rule to ensure that checks for the
tenant ID owner are made before looking at the tenant ID
of the network.
Change-Id: Ic3a7c99ff69c652bd1df4d43a98f298da876b4ba
Support for having networks with and without the multi_ext_nets extension
to share the same L3Outside.
Change-Id: Ia2daff31059437ed83813d93d98865131f2919b5
The multi external networks extension allows multiple external networks
to be associated with a single L3Outside.
Change-Id: Ib872d8661fae321270130b4986d7d21249919ae6
The patch in [0] added support for the no-NAT CIDRs extension. This
covered the case where the agents would get extension details when a
network was created, as well as when a network was connected or
disconnected from a neutron router. However, it missed the case where
the extension on the network itself was updated. This patch addresses
that gap.
The patch also adds UT coverage of the extension for AIM validation
(there is no mapping to an AIM resource, but the extension was added
to the UT for completeness).
[0]: https://review.opendev.org/c/x/group-based-policy/+/875317
Change-Id: Ibf3df8a0d48b9ba9a68c17ad70251a611aa40cab
The patch in [0] created a DB query to support a new no-NAT CIDRs
extension. This DB query was incorrect, as it used unrelated joins.
This patch fixes the DB query to ensure related joins are used.
There also was an issue with the _query_vrf_subnets method before
the extension was added. It was possible that a single subnetpool
with multiple prefixes could have been used to allocate multiple
subnets. The current query would have returned the same subnetpool
ID for each prefix, leading to duplicates in the returned list. This
patch fixes that issue by ensuring that the returned values from
the query are distinct.
[0]: https://review.opendev.org/c/x/group-based-policy/+/875317
Change-Id: I7870ad58bc4d9098b4aa12a0cefbfe027d982564
The no-NAT CIDRs extension is applied to the network resource
in neutron. When applied, it affects the list of subnets that
should be reachable without NAT that are delivered in the RPC
calls to agents. The agents can then use this information to
ensure that specific destination CIDRs will never use NAT.
The extension can be applied to both tenant and external/public
networks. The extension should be used judiciously, as placing
it on a network will cause those CIDRs to be added to all RPC
calls requesting subnets within that VRF (e.g. the extension
could be added to a shared network or to a network that uses
a subnetpool relating to a shared address scope, which would
be seen by all other networks that report to that same address
scope or shared network).
Change-Id: Idb39b75ff6d611a1dd413f26055622310cdf0df7
This patch is a vehicle for cleaning up the stable branches. The
patch to master addresses a fix that was missed when [1] was merged.
That patch was created to enable the stable/ussuri branch, but it
included a PEP8 fix which should have been a separate patch that could
have been backported through the stable branches. This patch adds the
missing fix (addresses an alias with import namespace). The backports
of this patch will include the portion of the original PEP8 fix in [1]
starting from before stable/ussuri (i.e. train through newton).
Backports of this patch will add fixes to address other issues recently
found with stable branches due to end-of-life in other projects, such
as neutron.
[1]: https://review.opendev.org/c/x/group-based-policy/+/752338
Change-Id: Idfd8ccc60ed6cd0fffe63064faa3e7eb46cf8cbe
This reverts commit d1ff11cb8e.
Reason for revert: Patch fails on downstream branches due to SQL query.
Change-Id: I36245cfea6398314b540e6d0b80ece2ee9ad9074
The no-NAT CIDRs extension is applied to the network resource
in neutron. When applied, it affects the list of subnets that
should be reachable without NAT that are delivered in the RPC
calls to agents. The agents can then use this information to
ensure that specific destination CIDRs will never use NAT.
The extension can be applied to both tenant and external/public
networks. The extension should be used judiciously, as placing
it on a network will cause those CIDRs to be added to all RPC
calls requesting subnets within that VRF (e.g. the extension
could be added to a shared network or to a network that uses
a subnetpool relating to a shared address scope, which would
be seen by all other networks that report to that same address
scope or shared network).
Change-Id: Ic2cdd501933cc21c286ca36218361aadef1878b8
The notification listener for Keystone was subscribing using a pool
value other than "None". The semantics for oslo.messaging notification
listeners is that there has to be at least one listener whose pool value
is set to "None" in order to ensure that the notifications are consumed.
In order to support both environments (i.e. installations where there
are other listeners whose value is already set to "None", and
installations where there are no listeners whose value is set to
"None"), the pool value is configurable, with a default value of "None".
This ensures that the default behavior is that the notification
messages are consumed, but allows for other consumers, while still
ensuring that our notification listener will receive the messages.
Change-Id: I706ee3c4e88cb8d6ad492c1b97fe48b0392b8033
Contract references in aci-integration-module (AIM) were previously
created or destroyed by modifying list members of the ExternalNetwork
resource. This caused problems when the ExternalNetwork was monitored
state but the contract references were meant to be configured state,
as the view of the monitored universe/state could be inconsistent from
time to time, causing the contract references to inadvertently get
deleted.
A recent commit (9076bd8738e27052e75ec53052e509c54c4b91ea) in AIM made
the contract references top-level resources, so that their creation or
removal can only be made directly. The aim_lib module was changed to
support passing lists of provided and consumed contracts explicitly,
in order to adopt these changes.
Change-Id: I14b01bea751823c3e3b70df3e7f41ea5babd9522
A recent change upstream has broken the python39 job.
Remove voting rights for this gate temporarily, as
python39 currently isn't being deployed.
Change-Id: Ib664e576f306d16afc20a1a4d62c8105cece2877
The error happens when the FIP is dissociated from the port
and ports get deleted, which are using the VIP port's fixed
IP address as an allowed-address-pairs. The expected behavior
is that dissociation succeeds, and the final status of the
dissociated FIP is “DOWN”. Instead, they are seeing the
dissociation fail with an HTTP 404, and the final FIP status
is “ACTIVE”.
The fix here is to catch and ignore "port not found" exceptions.
Change-Id: I7769371b41f390adf668f976fad9ec209b5acf69
Fixed spelling errors in the comment pertaining to HAIPAddressToPortAssociation in data_migrations.py.
Change-Id: Ie51fabeec357206dff4abc51b3b8434dbc4e067e