It appears that this library is typically run as the root user
which shouldn't require 'run_as_root'. When running as an
unprivileged user the required permissions can be granted by
specifying 'AmbientCapabilities = CAP_NET_ADMIN' in the service,
rather than 'CapabilityBoundingSet'.
An alternative approach would be to specify a 'root_helper' or to
switch to oslo.privsep, but these don't fully solve the problem
as the 'pyroute2' library also requires 'CAP_NET_ADMIN'.
Closes-Bug: #1852105
Change-Id: I9d0942f1cfc06cc3a7585683a030516096297767
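The difference between the two service settings named above can be checked from the capability sets in /proc/<pid>/status. This is an added example, not code from this library or its commits: the function names and the two sample status texts are constructed for illustration, on the assumption that a bounding set only caps what a process may hold while an ambient capability is actually granted to an unprivileged process.

```python
# Added illustration, not project code. Checks whether a process really
# holds CAP_NET_ADMIN or merely has it in its bounding set.
CAP_NET_ADMIN = 12  # bit number from linux/capability.h
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed sample: unprivileged service with only
# 'CapabilityBoundingSet = CAP_NET_ADMIN' (nothing is granted).
BOUNDING_ONLY = (
    "Name:\tservice\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000000000001000\n"
    "CapAmb:\t0000000000000000\n"
)
# Constructed sample: unprivileged service with
# 'AmbientCapabilities = CAP_NET_ADMIN' (capability is effective).
AMBIENT = (
    "Name:\tservice\n"
    "CapInh:\t0000000000001000\nCapPrm:\t0000000000001000\n"
    "CapEff:\t0000000000001000\nCapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000001000\n"
)

def parse_cap_sets(status_text):
    """Return the capability masks from /proc/<pid>/status text as ints."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in CAP_FIELDS:
            sets[key] = int(value.strip(), 16)
    return sets

def has_cap(mask, cap=CAP_NET_ADMIN):
    """True if the given capability bit is set in the mask."""
    return bool((mask >> cap) & 1)

def diagnose(status_text):
    """Classify CAP_NET_ADMIN as 'ok', 'bounded-only' or 'denied'."""
    sets = parse_cap_sets(status_text)
    if has_cap(sets.get("CapEff", 0)):
        return "ok"            # netlink changes will be permitted
    if has_cap(sets.get("CapBnd", 0)):
        return "bounded-only"  # allowed by the bound, but never granted
    return "denied"

if __name__ == "__main__":
    with open("/proc/self/status") as f:
        print(diagnose(f.read()))
```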
On port binding/unbinding, Kuryr catches the exception raised from
pyroute2 and re-raises a new exception. As a result, the detailed
information contained in the original exception is lost. This patch
adds logging to record the original exception message and trace.
Related-Bug: #1776035
Change-Id: I4b13724a460d84a2b953f750b8b88c0f60cee97d
The driver is for binding/unbinding SR-IOV ports. Basically,
what it does is set the vlan id for the VF interface.
Change-Id: Ife43b57a11c9aac9c0bece84adf719e62f708fda
Partial-Implements: blueprint sriov-binding
Add support to enable isolation of containers' traffic within the
host (nova instances) using vlan segmentation.
Partially Implements blueprint containers-in-instances
Change-Id: If4800594adfac27a8f30dedac4787d79c8634b65
Currently the IP address is being set from the nova instance port, thus
making the VM IP and container IP the same. Fix this by using the
container port dict for getting the container IP.
Another change is renaming 'nested_port', which is actually Nova
instance port, to 'vm_port', for the sake of avoiding ambiguity.
Change-Id: I9ea93c88c2889c5a6b7eff230ffdfb87b96b0e25
Closes-bug: #1641537
When neutron is configured with the linux bridge driver, kuryr port
binding fails with an error. The linux bridge name should be "brq"+network_id[0,11].
Change-Id: I07be68bbfe7b1384f4e946664aed41546ff9ddce
Closes-bug: #1638041
This patch introduces a new hierarchy of drivers to perform the port
binding and unbinding in a similar fashion as how it is done with
Neutron plugins.
The initial three drivers are:
* veth: The one that we have been using up until now and that uses
  the usr/libexec/kuryr/* scripts to bind the host side
* ipvlan: L2 ipvlan motivated mostly by container-in-vm use cases so that
  the instance interface will have linked devices that get addresses
  of other ports of the same subnet.
* macvlan: bridged mode ipvlan for OSes that do not support vlan.
Co-Authored-by: Louise Daly <louise.m.daly@intel.com>
Implements: blueprint driver-binding-ipvlan
Change-Id: I1d94ab324ab2a65a6d3e782e23ea6c59b110ff67