In [1] we finally got rid of the unfinished lib/neutron module and kept
only lib/neutron-legacy. It's renamed to lib/neutron now and it's the
only neutron related module in Devstack.
So this patch removes leftover TODO comments about things to do once the
migration to the new lib/neutron module is finished.
[1] https://review.opendev.org/c/openstack/devstack/+/865014
Change-Id: I7913f4b0426624c1486efd027d6c412dfa296a06
This reverts commit caae7b6a6f.
Reason for revert:
Many users still need L3 firewalls and Inspur team wants to maintain
this project.
Neutron drivers team discussed the topic of the maintenance of
neutron-fwaas, and agreed to include neutron-fwaas again to Neutron
stadium[1].
Some updates have been made:
Remove use of the "autonested_transaction" method, see more in [2]
Replace "neutron_lib.callbacks.registry.notify" with "registry.publish"
Replace rootwrap execution with privsep context execution.
Ensure db Models and migration scripts are in sync, set table
firewall_group_port_associations_v2's two columns nullable=False
[1] https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-01-28-14.00.log.html#l-14
[2] https://review.opendev.org/c/openstack/neutron-lib/+/761728
Change-Id: I14f551c199d9badcf25b9e65c954c012326d27cd
It also changes the devstack plugin to set the fwaas L3 agent extension in
the "agent" section of the config file. Previously it was set in the "AGENT"
section and it looks like it makes a difference when running on
Python 3.
Change-Id: If177e682e00e38eeb75a7ad77cf5796a04fe831b
We dropped FWaaS v1 support in Stein and FWaaS v2 is the only choice.
Let's enable q-fwaas-v2 by default in devstack plugin.
We no longer need to specify q-fwaas-v2 explicitly in local.conf.
I believe it simplifies local.conf.
Change-Id: I84fbf6d0ec47f9d47ae2068abb3c981b4572aafa
Validate that the service/agent is enabled before trying to set its
configuration file. Certain deployments, like Contrail, do not use OVS
or L3 agents.
Change-Id: I8ad30f1754ca7560c341ff67fe2a446f1280e124
Closes-Bug: #1815609
As per German Eichberger's email at
https://markmail.org/message/2kva4b3lwgddyeau, this patch intends to
remove the source code related to FWaaS V1.
Change-Id: I4e440c854e5aa11193d38946e659481f4fefded2
This commit converts the existing neutron-fwaas policy.json
into policy-in-code.
policy.json for testing is also removed. As a result, setup_config()
in neutron_fwaas.tests.base.NeutronDbPluginV2TestCase is no longer
required now (as the content of setup_config() is now same as that
in neutron).
Partially Implements: blueprint neutron-policy-in-code
Change-Id: I67be3a21f19e3f793312d64d358452ee4531c080
This commit enables neutron_fwaas.conf to be loaded correctly for
neutron-server, and 'FIREWALL_V2' will be registered into service_provider.
Closes-Bug: #1786413
Co-Authored-By: Cao Xuan Hoang <hoangcx@vn.fujitsu.com>
Change-Id: I9401a797f1aff1b7c603b8795f9c603289e4589e
This patch adds a python binding for libnetfilter_log, it can be used
to capture NFLOG packets in network namespace from logging service in
FWaaS v2.
NFLogWrapper should be covered by functional test. Functional tests
should be added in the future.
Co-Authored-By: Kim Bao Long <longkb@vn.fujitsu.com>
Partial-Bug: #1720727
Change-Id: I2bf0beac5ba373d47c226927d1922f3eb59af501
This patch introduces L3 logging agent extension for firewall group.
It also configures the extension for devstack when log plugin is
enabled.
Co-Authored-By: Kim Bao Long <longkb@vn.fujitsu.com>
Partial-Bug: #1720727
Change-Id: I4d9af5325f157fbb35ea6fdb25723268856a0db4
Currently, pep8 ignores D000 check because of error:
"D000 Cannot analyze code. Pygments package not found."
Pygments is supported from:
https://review.openstack.org/#/c/568729/
This patch also changed code-block type from "none" to "ini"
as D000 check does not allow the "none" type.
Change-Id: I05d1d41160ad86589308912ff81c4294983069ff
This patch removes all related DB code from the FWaaS service plugin v2
and creates service driver interfaces that can be used by different
backend drivers.
The default backend driver is still based on the Neutron DB model
and agent RPC interface (for l3 and l2 agents) and was moved
to 'service_drivers.agents.agents.FwaasAgentDriver'. It inherits from the
firewall backend driver DB interface
'service_drivers.driver_api.FwaasDriverDB' to maintain the DB. It
is in charge of implementing all RPC APIs and messages.
If we need to implement a backend driver which depends on the Neutron DB
but not on the agent RPC service, we just have to inherit from the DB
interface, and if we would like to develop a backend driver which does not
depend on the Neutron DB model, we can inherit from the base driver interface
'service_driver.driver_api.FwaasDriver'.
That patch only modifies the service plugin 'firewall_v2', it does not
modify the Firewall v1 service plugin.
The backend DB driver provides an interface composed of pre and post
commit hooks for each FWaaSv2 API action, which permits the driver to
be warned at any time. All those commit hook methods do nothing by
default and the backend driver needs to override the needed hooks.
The driver does not need to implement all of them,
Closes-Bug: #1702312
Change-Id: I4ebd24f1b13eb823c4d63452fd37cace5bcf5481
We hit an error if you use neutron-legacy and enable 'neutron'
devstack plugin. [1] in devstack/settings in the neutron repo
overrides NEUTRON_CORE_PLUGIN_CONF_PATH defined in devstack
lib/neutron.
This is required to keep backward-compatibility as long as we
use neutron-legacy because NEUTRON_CORE_PLUGIN_CONF_PATH and
variables derived from it in neutron-legacy are assumed to be
relative and used to access config files inside a repository.
[1] bc150cdbf8/devstack/settings (L8)
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: I462af133ed8c34448f4ee8593a423b5f0b942da1
This patch adds a doc8 check of .rst files to the current pep8 check.
It includes fixes to the .rst files that didn't pass the check.
Change-Id: I9d6d604e7a21540728c4f44afc9be5577d02805f
This patch adds L2 agent extension for FWaaS v2 to handle
create/update/delete firewall groups on ports. It also
handles applying firewall group on port, when a port is
added/created/deleted.
DocImpact
Depends-On: Ifd6758617ab8fd49e69ad1a0483fefa479d7b8e7
Co-Authored-By: Paddu Krishnan <kprad1@yahoo.com>
Co-Authored-By: Chandan Dutta Chowdhury <chandanc@juniper.net>
Co-Authored-By: Nguyen Phuong An <AnNP@vn.fujitsu.com>
Co-Authored-By: Inessa Vasilevskaya <ivasilevskaya@mirantis.com>
Partial-Implements: blueprint fwaas-api-2.0
Change-Id: I9f172be46ee590b99313106fa262019a2583774a
When specifying a service plugin, we can use entrypoint names
instead of full class paths.
It shortens the line length of service_plugins in neutron.conf
and improves the readability :)
Change-Id: I420a4c6fa39001600fa52e9443a3140162e9bb0a
Currently DevStack configures iptables v1 firewall driver for
both FWaaS versions. In case of V2 it means that all calls to
firewall group related driver methods are handled by the
FwaasDriverBase metaclass and are actually no-op.
Also updated FWaaS V2 scenario test to configure firewall rule
that'd allow SSH.
Change-Id: I0bdb4998f21d65564a30b6faa0250aad68f5c7b2
Operators can configure service_provider and
other configuration of firewall using this file.
Change-Id: Icf957d9103f8ceb61709036fa4818af798e3fcd7
Closes-Bug: #1560892
Now we support a new netlink_conntrack driver option
beside the current conntrack driver.
We use the conntrack driver as default as usual. We can configure
this option to netlink_conntrack in a large-scale system in
order to update the firewall faster.
Change-Id: Ica235f731040614e7d6a07c3c3dba6450789e7ae
Use https instead of http to ensure the safety without containing our
account/password information
Change-Id: Icfd103180b477e6be591868a9e98fc8a57fea2fd
This patch adds fwaas-privsep.filters to the FWaaS repository so that it is
easier to maintain. It also helps avoid making Neutron inversely
dependent on FWaaS when performing privsep configuration as in
https://review.openstack.org/#/c/392014/.
Change-Id: I71308130fbcc861a167371339c89a47410b8d09a
The developer documentation was not generated properly.
The devstack entries to local.conf were not rendered correctly.
This patch is fixing the .rst tagging when defining 'code-block'.
Change-Id: I4d178ff8f813e890854d7ec0c239673c01146f3d
This reverts commit 8bf87a0b05.
Because setting NETWORK_API_EXTENSIONS unconditionally
interferes with other subprojects. (networking-midonet gate is
broken due to this.)
We can't hardcode the list of extensions here because a devstack
plugin can be used with other devstack plugins. This stuff
actually belongs to gate, where we know our exact configuration,
thus the list of extensions.
Also, skip fwaas v2 tempest tests for now.
(Otherwise v1 tempest job would fail.)
Closes-Bug: #1643844
Change-Id: I300e1eee1314440c22e2b30b683969b83e84ea5f
The NETWORK_API_EXTENSIONS environment variable needs to be controlled
so that the fwaas or fwaas_v2 extensions can be properly added. This is
necessary because the tempest tests for v1 and v2 trigger based on what
extensions are loaded. Without this, NETWORK_API_EXTENSIONS would
default to 'all', and the fwaas_v2 tests would run when fwaas v1 is
loaded and vice versa.
Change-Id: I12d765c38c1cfc7c397fef4497e9f11f260f4517
Needed-By: I8b8ddf2a9cc4d2f18c4b32917630c2a26ee0d713
Needed-By: I9fc39c5adcf136fce520c329f48cbad60cd21861
This sets up a new devstack keyword - q-fwaas-v1 - in addition to the
existing q-fwaas plugin. The q-fwaas keyword configures the devstack
plugin to support FWaaS v2. FWaaS v2 is the future, and should be the
default for development at this point. But the new keyword, q-fwaas-v1,
will set things up for FWaaS v1, and there is also q-fwaas-v2 to
explicitly select FWaaS v2.
Also ensure that /etc/neutron/policy.d gets set up for FWaaS
policy.json.
Depends-On: I88be1670a42fcca4aba3b643a1c5a072ce0d1035
Needed-By: I07a4e5a54c0ad862de791b655445e01f805981e4
Change-Id: If35ca26028ddedcf1bc22dd8749cb11c69a1ccbb
This updates the FWaaS v2 L3 code to move away from an inheritance-based
model and use the new L3 agent extension framework.
This change rolls back [1] which is the inheritance-based model.
[1] https://review.openstack.org/315826
Partial-Implements: blueprint fwaas-api-2.0
Co-Authored-By: Nate Johnston <nate_johnston@cable.comcast.com>
Co-Authored-By: Chandan Dutta Chowdhury <chandanc@juniper.net>
Depends-On: I85f89accbeefd820130335674fd56cb54f1449de
Change-Id: Ib29b96e73d09530cbf627a98180fb1a591e42e3f
Start by just running the cookiecutter code - documented at [1]. Then
scrape out the fwaas/firewall code from DevStack and stick it where it
looks like it should be in the plugin.
[1]: http://git.openstack.org/cgit/openstack-dev/devstack-plugin-cookiecutter/tree/README.rst
Related-Change: Ic60cd1fa90c19dfac00be583e2ddc5633dbb68a3
Co-Authored-By: Nate Johnston <Nate_Johnston@cable.comcast.com>
Co-Authored-By: German Eichberger <german.eichberger@hp.com>
Co-Authored-By: Kyle Mestery <mestery@mestery.com>
Change-Id: If6c6e032689392fecc8c24517666128c8c103a7b
Signed-off-by: Kyle Mestery <mestery@mestery.com>