Add support for the ussuri stable branch.
* Removed use of services in devstack (e.g. FWaaS and LBaaS), which
were only used by the deprecated legacy plugin.
* https://review.opendev.org/#/c/572767/ changed the return
value of _get_security_groups_on_port from a list of security
group IDs to a list of security group OVOs. The monkey patch
of this method has been updated to be consistent with this
upstream change.
* https://review.opendev.org/#/c/703143/ removed the upstream
get_binding_levels, which is replaced by the corresponding
OVO call, get_binding_level_objs.
* https://review.opendev.org/#/c/709122/ broke the __repr__
method in the AddressScope model class. This patch works
around this by using the dictionary representation instead.
* https://review.opendev.org/#/c/679399/ made the MTU field
of networks non-nullable, and sets it to a constant if not
set explicitly. This broke GBP APIs which create networks
as part of their implementation. This patch adds a monkey
patch to pass in a value of 0, if one wasn't specified.
* Fixed alias uncovered by PEP8 checks.
Change-Id: I219bc9a5c2034499e59788ab11ef0ae310e97e1e
The scenario will start a ping on the remote server using
floating IP in a separate thread and start tracking the
connectivity with the remote server.
The ingress ICMP rule on the server will be deleted
and at the same time the test asserts if
connectivity breaks or not.
The testcase will pass if ping stops working after
deletion of the rule.
Change-Id: I0e45a44cf20f68136720cd508cbea28a820f8ce0
Adds validation and repair framework that calls into mechanism, policy
and SFC drivers to validate mappings to Neutron resources and to AIM
resources. The mappings from all standard Neutron resources to AIM are
currently handled. New unit tests are provided for validation of each
resource, and validation calls are added to several existing unit
tests.
A simple command line interface is used to perform validation,
optionally repairing invalid state. This is run using 'gbp-validate
<neutron-server args> [--repair]'. The same arguments that are passed
to specify the configuration of neutron-server must be passed to
gbp-validate.
Validation of GBP and SFC resources and of SVI networks is not yet
implemented. Attempting to validate deployments where these resources
exist intentionally fails, even when repair is enabled, so that valid
deployments are not corrupted. Proper validation of these resources
will be addressed in followup patches.
For isomorphic address scopes with a non-pre-existing VRF, the VRF's
display name currently depends on the order in which the address
scopes were created. This will be addressed in a followup patch.
EPG domain association, static paths, and other aspects of port
binding are not yet validated. This will be addressed in a followup
patch.
Migration from the old APIC plugin to the unified plugin will require
associating existing subnets with subnetpools and rebinding all port,
which will also be addressed in a followup patch.
A simply neutron_aim exercise script is added to the AIM gate job that
runs gbp-validate with Neutron resources. Once validation of GBP
resources is implemented, similar gbp-validate calls will be added to
the gbp_aim exercise script.
Change-Id: I0c3fe9e2629f76ecca8b3c8a93f9534b2d946e14
Based on the openstack networking-sfc project API:
- Introducing an SFC driver that maps the SFC model (port pairs,
port pair groups, port chains) to the AIM Service Graph model;
- Introducing a FlowClassifier driver that maps the FLOWC model (flow
classifier) to the AIM Service Graph model;
- Adding some registry notifications to the AIM MD and the FLOWC driver
for business logic validation.
Current divergence/limitations from the upstream SFC API:
- Added 2 l7_parameters to the flow classifier API,
source_logical_network and destination_logical_network, representing
the networks involved in the traffic redirection mechanism;
- Every valid flow classifier must include the l7_parameters as
mentioned above. Internal networks and SVI networks are valid values,
but --external networks are excluded;
When SVI networks are specified, the corresponding source/destination
IP prefix must be specified in the API;
- Any other FlowClassifier parameter other than the ones mentioned
above will be ignored;
- On port binding, the chain will fix itself;
- Trunk ports are supported on port-pairs;
- On PPGs, all the Port Pairs must be in the same network pair;
- Ports in Port Pairs must have a univocally retrievable APIC Domain;
- Ports in Port Pairs can't be in the same network;
- Flowc src/dst networks must be distinct;
- Flowc can't be updated if in use by a chain;
- Networks participating in a port chain must be in the same VRF;
- Src and Dst networks in a chain must be in the same tenant
(temporarily);
- Port Pair's ports' network can't be external or SVI;
- Port Pair's ports' networks can't be re-used in the same PPG.
Change-Id: If40595584ef46f1ac2aa0cf7525e16447f491f48
Ensure that all unit test modules can be run independently or in any
combination. A new all_models module is imported before Neutron's
SqlFixture loads DB schema from model files that derive from Neutron's
model_base.BASE_V2. Code that otherwise loads the schema for these
models is eliminated. Note that AIM and NFP models do not derive from
Neutron's base class, and are handled by their own fixtures.
Change-Id: I0b1c20429f75f77929a78b75c7e361bcc5e9b6b7
The apic host agent and metadata namespace proxy agent were
moved to the python-opflex-agent repository in order to improve
packaging.
Change-Id: Ib4efe99e060ad15a39829cea239aba8af212850e
The legacy plugin was deprecated in stable/newton, and
is removed in ocata. This patch removes the references to
the apic-ml2-driver library, which should only be required
by the legacy driver.
Change-Id: I027edc9b74137cd242fab6243536c8331b42ccda
This introduces a driver for VMware NSX Policy.
The driver assumes the nsx_v3 core plugin.
It implements direct configuration of NSX Policy endpoint for security
and inherits connectivity functionality from resource mapping driver.
On startup, the driver will configure NSX Policy enforcement point to be
the NSX manager the core plugin is running against.
The driver implements the following resource mapping:
OpenStack project => NSX Policy domain
GBP group => NSX Policy group + communication maps
GBP classifier => NSX Policy service
GBP rule set => NSX Policy communication profile
Change-Id: I0d5593b458f7e51c21fc2b34d1ab4d898abb6c51
This plugin is subsumed by the Node Composition plugin
starting in the liberty cycle.
Switching to the NCP as default invalidated some UTs (since
NCP does not support more than one service_chain_spec
per service_chain_instance). These tests are being skipped.
Change-Id: I03383145eaa72681695e12649f731ba1a6b8bad8
This change adds an APIC-specific extension attribute,
reuse_bd, that can be specified while creating an
L2 policy. The value should be the ID of another
L2 policy in the same L3 policy. If the option is
specified, the APIC driver uses the same BridgeDomain,
service EPG etc as the target L2 policy.
Closes-bug: 1642784
Change-Id: I23dad698a1f8d2f588575bf15e34ea78cd50c04c
Signed-off-by: Amit Bose <amitbose@gmail.com>
This changeset contains the changes in devstack installation,
NFP tools, and NFP integration test in gate to support,
(1) single ini file changes.
(2) LBaaS V2 service configuration.
(3) Daemonizing the processes in the controller.
(4) APIC specific configuration in setup script.
(5) NFP controller default user 'ubuntu' changed to 'admin'
Change-Id: Ifdce8d876728e1424a6ca292b262b35f5574a40b
This patch defines a new extension: cisco_apic_gbp_allowed_vm_name,
for the apic policy drivers. An extension attribute:
allowed_vm_names, that extends the L3 Policy definition, is
being introduced in this extension.
A corresponding extension driver: apic_allowed_vm_name, that processes
this extension, is also being added. This extension driver should be
configured for this extension to be available. The driver name should be
added to the existing list of extension drivers under:
[group_policy]
extension_drivers=<existing_ext_drivers>,apic_allowed_vm_name
The allowed_vm_names attribute is a list of regexes. Each regex can
be up to 255 characters long.
During the port-binding phase, we will also enforce the regex
checking against the VM name from Nova. Only those VM names matching
one of those regexes will be allowed.
A CLI option: --allowed_vm_names will be provided for the
L3 Policy create and update operations. This CLI option will accept
a comma separated string as the option value.
Change-Id: I4602919df9a0458eb255b93399c70f64dfeeb863
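
An added example, not part of the commit above or of the project's code: a sketch of the allowed_vm_names check that commit describes, showing two things an operator should test for, anchored versus unanchored matching and what the comma-separated CLI format does to a regex that itself contains a comma. The function names, the `anchored` switch and the sample values are assumptions; the commit message does not state which matching semantics the driver uses.

```python
import re

MAX_REGEX_LEN = 255  # per-regex limit stated in the commit message


def parse_allowed_vm_names(option_value):
    """Split a comma-separated --allowed_vm_names value into compiled regexes.

    Raises ValueError for an entry that is too long or does not compile.
    """
    compiled = []
    for entry in option_value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # ignore empty items such as a trailing comma
        if len(entry) > MAX_REGEX_LEN:
            raise ValueError("regex longer than %d characters" % MAX_REGEX_LEN)
        try:
            compiled.append(re.compile(entry))
        except re.error as exc:
            raise ValueError("invalid regex %r: %s" % (entry, exc))
    return compiled


def vm_name_allowed(vm_name, patterns, anchored=True):
    """Return True if vm_name matches at least one pattern.

    anchored=True requires the whole name to match (fullmatch); anchored=False
    accepts a match anywhere in the name (search). Which of the two the driver
    uses is not stated in the commit message, so both are shown.
    An empty pattern list allows nothing in this sketch.
    """
    if anchored:
        return any(p.fullmatch(vm_name) for p in patterns)
    return any(p.search(vm_name) for p in patterns)


# Constructed sample values, not taken from any deployment.
SAMPLE_OPTION = r"web-[0-9]+,db-(primary|replica)"
SAMPLE_NAMES = ["web-12", "db-replica", "scratch-web-12-tmp", "cache-1"]

if __name__ == "__main__":
    patterns = parse_allowed_vm_names(SAMPLE_OPTION)
    for name in SAMPLE_NAMES:
        print(name, vm_name_allowed(name, patterns),
              vm_name_allowed(name, patterns, anchored=False))

    # A quantifier containing a comma is split by the comma-separated option
    # format: both halves still compile (as literals), so no error is raised
    # and the intended name is silently rejected.
    split = parse_allowed_vm_names(r"web-\d{1,3}")
    print([p.pattern for p in split], vm_name_allowed("web-42", split))
```
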
This patch defines a new extension: cisco_apic_gbp_segmentation_label,
for the apic policy drivers. An extension attribute:
segmentation_labels, that extends the Policy Target definition, is
being introduced in this extension.
A corresponding extension driver: apic_segmentation_label, that processes
this extension, is also being added. This extension driver should be
configured for this extension to be available. The driver name should be
added to the existing list of extension drivers under:
[group_policy]
extension_drivers=<existing_ext_drivers>,apic_segmentation_label
The segmentation_labels attribute is a list of strings. Each string can
be up to 255 characters long. These labels are not interpreted by GBP
but are instead passed downstream by the apic policy driver. It is
assumed that these are defined outside of OpenStack and the backend
system can appropriately interpret them.
The get_gbp_details() RPC call implemented by the apic policy driver
will return the segmentation_labels in its body if the
'segmentation_labels' attribute is populated for the policy_target.
A CLI option: --segmentation-labels will be provided for the
policy_target create and update operations. This CLI option will accept
a comma separated string as the option value.
Change-Id: I360bf9f7f1d4bdca76d4f16b7535a6416f430830
Implements an L3 service plugin, apic_aim_l3, that, in conjunction
with the apic_aim mechanism driver, maps each Neutron router to an AIM
Contract and ContractSubject whose DNs and status are exposed via
extended attributes similar to those on the core Neutron resources. An
"any" Filter and FilterEntry are created per-tenant, and referenced in
this contract, allowing all traffic from EPGs providing and consuming
this contract to be routed.
The add_router_interface and remove_router_interface methods are stubs
that will be implemented in the next patch set. They will manage the
mapping of router interfaces to AIM Subnets, along with having the
default EPGs associated with those interfaces provide and consume the
router's Contract.
The corresponding GBP policy driver's extension is renamed
apic_aim_gbp for consistency with the apic_aim and apic_aim_l3
extensions at the Neutron level, and all extensions are now in the
gbpservice.neutron.extensions module.
The GBP policy driver's unit tests are updated to account for the
Filter and FilterEntry resources created by the mechanism driver.
The apic_aim unit tests wipe the AIM DB in tearDown, and use the
aci_integration_manager branch of the apicapi repo.
The GBP devstack plugin, when ENABLE_APIC_AIM=True, configures neutron
to use the apic_aim_l3 service plugin, and installs the
aci_integration_manager branch of the apicapi repo.
Change-Id: I1b7f0c80e66d55d58c27fe9e4cb461f62aec3c42
Add mechanism driver and extension driver support for the SubnetPool
and AddressScope resources, including ensure_tenant.
Change-Id: Icb00eb223d1e503f946ffba54de51e89ba260a1d
Add the ini files and entry points required for NFP install.
Change-Id: I2d0c2eb825d002347a9f77f5dfda96718ab764e1
Implements: blueprint gbp-network-services-framework
This adds an AIM-specific extension to reflect the APIC DN for
a GBP resource that maps to an AIM resource. This patch implements
this only for the PTG resource.
This also sets the status of the PTG based on the AIM EPG status.
This also updates the devstack setup to include the aim_mapping
GBP policy driver configuration.
Change-Id: I30f5e5e63b3b172eb79c8a9934eb662928d13f6c
This is the first, in what is expected to be a series of patches (not
necessarily sequential), that implements a new GBP Policy Driver. This
new Policy Driver is meant to be used in conjunction with the new
APIC mechanism driver, and the ACI Integration Module (AIM) library
that are being developed in parallel. This new Policy Driver is being
called the AIM Mapping driver.
There are at least a couple of goals that are foremost in the design of
this driver -
(1) Transactional consistency - the driver performs all orchestration
operations in the pre-commit hook that is part of the same transaction
as that which is created by the GBP plugin in response to the API call.
Apart from the implementation in this new driver, some refactoring of
the local_api module was required to optionally avoid creating a new
transaction every time the driver orchestrated changes to other parts
of the policy model, and/or Neutron resources.
(2) Asynchronous behavior - the driver will not directly interact
with external backends. As stated before, it will interface with Neutron
and/or AIM, and appropriately populate the status of the GBP resources
using the status and status_details attributes available for each GBP
resource (this does not happen in this patch).
The AIM driver attempts to reuse as much of the existing implementation
as possible. Towards this end, some parts of the Implicit Policy, and
the Resource Mapping drivers have been refactored to allow the code to
be shared and reused. The AIM driver effectively reuses these two existing
policy drivers as libraries, but is self-sufficient and should be the
only one configured.
Wherever possible, an attempt is being made to implement the mapping to
the Neutron resources in a base class, which in future, can help to build
a replacement for the current Resource Mapping driver with the same
transactional consistency goal.
A new “ensure_tenant” hook is being added to the Policy Driver interface.
This allows each driver to perform the tenant related bookkeeping prior
to proceeding with any orchestration for a resource itself. The hook is
invoked from the GBP plugin for the create operation of each resource.
This invocation happens prior to the transaction that is started to
create the resource.
The APIC mechanism driver uses a name-mapper module to map GBP resource
names to qualified names that are used by the AIM library. This AIM
policy driver holds a reference to that same name-mapper module (and
subsequently the cache that it uses) to perform name mapping for the
GBP resources.
In addition to the UTs that test the new code, specific UTs have been
added for validating the transactional consistency by testing the
rollback of created/updated/deleted resources if a downstream
operation fails.
Change-Id: I945d700c1a5e670de48d9c0d22e456e2d45f78a8
This is a very preliminary version of a new APIC mechanism driver
utilizing the ACI Integration Module (AIM) library concurrently being
developed. A corresponding extension driver exposes details regarding
the mapping of the Neutron resources to APIC. These drivers require
the Ml2Plus extended driver APIs.
See the apic-aim-ml2-driver devref for implementation details and for
devstack configuration instructions.
Change-Id: I82df32f0880d6a0d53b305f6c6391fcbea049d1b
The ML2Plus core plugin extends the ML2 plugin with several driver API
features that are needed for APIC AIM support. An extended
MechanismDriver abstract base class adds an ensure_tenant() method
that is called before any transaction creating a new resource, and
(soon) adds precommit and postcommit calls for operations on
additional resources such as address scope. An extended
ExtensionDriver base class will support extending those additional
resources.
ML2 configuration is unchanged, and compatibility is maintained with
all existing ML2 drivers.
Change-Id: I4d4fcd1d368650ba5b5c1e13b973a349c0917eaf
OpenStack projects are no longer being tested under Python 2.6, so
remove the trove classifier implying that this project supports 2.6.
Change-Id: Idb7825de73f25e427bb08b21c680e3324dc51bff
TSCP for APIC mapping, with ability to have the plumbing
resources owned by a particular admin user
Partially implements blueprint node-centric-chain-plugin
Change-Id: Id90ecd78e7dd5c692a4f98655a727a16f74ed73e
All SC related operations (create/delete/update chains) will now
exist on a separated gbp mapping driver. This driver will likely
run as the last of the driver chain (ipd rmd and cmd).
Partially implements blueprint node-centric-chain-plugin
Change-Id: I1f329101f32640058ed5250e8fe49a53b1f3deee
With the introduction of NCP, one single chain will have only
one provider but multiple consumers. This reduces
the number of instances (and consumed resources).
Partially implements blueprint node-centric-chain-plugin
Change-Id: I2bef4d7c6d8e578b8cd4b6555820630f1eecf05f
Driver extension that allows users to specify a 'proxied_group_id'
during PTG creation. Whenever a PTG proxies another group, it is
expected to intercept all the traffic before sending it to the
original destination. Proxy groups can modify the traffic if needed.
This is a useful construct for the Traffic Stitching Plumber.
Partially implements blueprint node-centric-chain-plugin
Change-Id: Idc185df5b0c7e61ef800ca449911656a8c1d2b87
Adds a L3 plugin that relays the Floating IP CRUD
to the plugin driver.
This is currently required for the APIC functioning,
and hence APIC-specific.
Change-Id: Ieeb648c7c502eb5072ef6886dcab7d455e8f0bff
Closes-bug: bug/1495203
This patch adds a heat api based node driver for NCP plugin
which instantiates advanced services using heat.
Partially implements blueprint node-centric-chain-plugin
Change-Id: Ie177bdf220ae8259afee3319e0fb37eb12f03ee3
This plumber simply provides chain drivers with the
Service Targets they requested for, without making
any modification depending on the rest of the chain.
Partially implements blueprint node-centric-chain-plugin
Change-Id: I9030b4b43f87dc250e263eeaf58576f1b5bef40a
The Node Composition Plugin (NCP) is introduced here in
its most simple form: The interaction with the Node Drivers
is still completely missing.
This patch is intended to collect the whole internal API
between the NCP and the Node Drivers, taking also
into account the new NodeDriverContext.
Partially implements blueprint node-centric-chain-plugin
Change-Id: I0f791d2be8b5ef5d9bf7a297e0dbdc0248350edd
With the introduction of the new servicechain plugin, some sort
of path reorganization is required so that the code doesn't become
confusing as new plugins are implemented.
The existing servicechain_plugin has been renamed "MSC" for
Modular Service Chain. The name recalls ML2 because of the MSC
structure being inspired by it.
The old entry point name is not removed from setup.cfg for backward
compatibility, still need to figure out a way to rename the configuration
files properly having the same goal in mind.
Partially implements blueprint node-centric-chain-plugin
Change-Id: I4f8db6f5fa30479aad283b07e499901af000a6c5
Top level gbp directory is renamed to gbpservice. This results
in changes to all gbp imports and other build artifacts.
Change-Id: I87cbb7c91b4206c1b8a0caa4ab7a7dc2e8f3e25e
Closes-bug: 1406623
Define an ODL mechanism driver for GBP
Provide methods to:
create_port_postcommit
bind_port
Change-Id: Iaf9a74f08324c22b6c09e709bd6a5d8a2320f779
Implements: blueprint gbp-odl-driver
Author: Yi Yang <yyos1999@gmail.com>
Co-Authored-By: Yapeng Wu <yapengwu@gmail.com>
Define an ODL mapping driver, provide methods to:
create/delete l3-policy
create/delete l2-policy
create/delete policy target group
create/delete policy target, associated with rule sets
create/delete policy action
create DHCP PT if needed
Add UT for ODL mapping driver
Change-Id: I78c4a20d7280ef60b612884214a746d8ad014f09
Signed-off-by: Yi Yang <yyos1999@gmail.com>
Author: Yi Yang <yyos1999@gmail.com>
Co-Authored-By: Yapeng Wu <yapengwu@gmail.com>
Nuage's Virtualized Services Platform (VSP) supports
policy based orchestration which fits well with
the newly defined group based policy framework in OpenStack.
It will enrich the VSP solution by extending its usage through OpenStack,
and also allow OpenStack users to take advantage of Nuage's
fully baked policy driven, application centric service architecture.
Change-Id: I5db30f25e73a877d5096949134341fc43b226f40
Implements: blueprint nuage-gbp
Adds support for extension drivers, similar to those in ML2, to the
GBP service plugin. All GBP resource types can be extended.
Partially-implements: blueprint gbp-extension-drivers
Change-Id: If4e522233fae4442bb179ddabd9ac6295ca6f431
This patch adds the implementation of the Service Chain driver for the
One Convergence NVSD Controller.
Change-Id: I10fd4c51cf13bd9c0a54f9168048d510e0e07d06
Implements: blueprint gbp-oc-nvsd-servicechain-driver