Commit Graph

1130 Commits

Author SHA1 Message Date
Slawek Kaplonski a644b3c62b [S-RBAC] Change policies for port's binding:profile field
According to the neutron API-REF [1] port's "binding:profile" field is
intended to be used for the "machine-machine communication for compute
services like Nova, Ironic or Zun to pass information to a Neutron
back-end." so it should be allowed only for the users with the
SERVICE role granted, not even for ADMIN.
This patch updates those policies to be available only for SERVICE role
when new, secure RBAC policies are enabled.

Additionally this patch updates some policies for create, update and get
port APIs to make them all work in the same way and allow them for the
SERVICE users too.

Finally this new policy for create/update_port:binding:profile has to
be overwritten in the fullstack tests to be allowed also for admin user.
It is done by adding custom policy file for the fullstack tests only.

[1] https://docs.openstack.org/api-ref/network/v2/index.html#create-port

Closes-Bug: #2052937
Change-Id: I5c0094ff21439fe8977cfc623789a09067e6a895
2024-02-16 16:10:43 +01:00
Brian Haley 0611735715 Remove ovn.ini example file
The ovn.ini file is a hold-over from the networking-ovn
tree. The docs all reference configuring OVN (and OVS)
options in ml2_conf.ini, so remove the old file and add
the neutron.ml2.ovn namespace to
etc/oslo-config-generator/ml2_conf.ini.

Trivialfix

Change-Id: I26dedc80e07aedffb1713560d4431b7a334b70b5
2023-09-06 15:19:30 -04:00
Takashi Kajinami 395dd237d1 Fix missing oslo.versionedobjects library option
This ensures the options for oslo.versionedobjects library are
included in the file generated by oslo-config-generator.

Change-Id: Ib6352323557d968527bcc7b31e3ac14f619c41fa
2023-08-08 15:06:02 +09:00
Takashi Kajinami 289ae97c1c Add missing osprofiler options
osprofiler was integrated to Neutron a while ago[1] but the options
for this library have not been added to neutron.conf properly.

This ensures the options are rendered by oslo-config-generator.

[1] 9a43f58f4d

Change-Id: Ice1b3f701ac244e17d855484263199f8a0b8310b
2023-02-28 18:06:17 +09:00
Rodolfo Alonso Hernandez abfa8940b1 [OVN] Fix the OVN Agent config file location
The "ovn_agent.ini" file should be in "/etc/neutron/plugins/ml2",
same as any other ML2 mechanism driver agent configuration.

Related-Bug: #1998608
Change-Id: I3f0e948202b522df162ed67fe669a6ff8e90ab41
2023-02-02 13:26:35 +01:00
Rodolfo Alonso Hernandez d0c7bb653a [OVN] Implementation of OVN Neutron Agent
This patch implements the OVN Neutron Agent executable, the extension
manager engine, the agent extension abstract class and the configuration
section.

Related-Bug: #1998608
Change-Id: I94bb98217e03f9ac314cb9723da277a23368649c
2023-01-26 07:41:38 +01:00
Rodolfo Alonso Hernandez 3d575f8bd0 Add an env variable "PROCESS_TAG" in ``ProcessManager``
Added a new environment variable "PROCESS_TAG" in ``ProcessManager``.
This environment variable could be read by the process executed and
is unique per process. This environment variable can be used to tag
the running process; for example, a container manager can use this
tag to mark a container.

This feature will be used by TripleO to identify the running containers
with a unique tag. This will make the "kill" process easier; it will
be needed just to find the container running with this tag.

Closes-Bug: #1991000
Change-Id: I234c661720a8b1ceadb5333181890806f79dc21a
2022-12-24 10:30:16 +01:00
Takashi Kajinami 67bd2badc9 Fix missing [designate] options
This change ensures the [designate] options, which are used by
the designate external DNS driver, are rendered into neutron.conf
generated by oslo-config-generator.

Change-Id: I56a1079fbfc044532aee64f4fbdec50d9524a580
2022-11-22 12:00:50 +09:00
Miguel Lavalle 7f0413c84c Implement experimental features framework
During the Zed PTG it was decided to handle unsupported features in
Neutron as experimental. See section titled "When we say something is
not supported?", day 2 in [1]. The agreement was:

"We keep existing jobs for linuxbridge driver for example, but when the
tests start to fail we skip them and finally we stop the job also.
To make it clear for operators we add warning logs highlighting that the
given feature/driver is experimental, and introduce cfg option to enable
such features explicitly."

This commit implements this agreement, initially with Linuxbridge

Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/845646

[1] https://lists.openstack.org/pipermail/openstack-discuss/2022-April/028164.html

Change-Id: Ib18efa3f472736b58c8967847b1061da0e3897d7
2022-06-30 17:59:49 -05:00
Takashi Kajinami eee92f5eaf Sync rootwrap.conf from oslo.rootwrap
The current rootwrap.conf file is outdated and doesn't include some
parameters. This change updates the content to make it consistent with
the latest example file in oslo.rootwrap.

Change-Id: I0b40b0bea4bbcbc78490dbfa3877cdd3a26ac298
2022-01-03 09:17:04 +09:00
Takashi Kajinami d6b1dd4a93 Include oslo.cache options in neutron.conf
Neutron uses oslo.cache library for caching. This change ensures that
options of the library are included in neutron.conf generated by
oslo-config-generator.
This change also removes cache_utils module from neutron.opts because
the module is not used in that file.

Closes-Bug: #1940790
Change-Id: I9ccd145d5ea1a1e0033eb43b609cc6428ea95f23
2021-08-23 11:54:12 +09:00
Takashi Kajinami c75df16e50 Add missing options to generated neutron.conf
This change adds missing oslo.config.opts endpoints to the config file
to generate neutron.conf, so that the following options are included
in the neutron.conf generated by the oslo-config-generator command.

1) Some options of the oslo.service library, related to periodic tasks
   and base service implementation

2) Options of the oslo.reports library

3) Options of the healthcheck middleware from oslo.middleware

Closes-Bug: #1940009
Change-Id: I9f4763efc02e5cacca3a00e9f101f83d3f3fb1e7
2021-08-16 17:46:01 +09:00
ramishra ec550f5f52 Add fake_project_id middleware for noauth
This adds a middleware for noauth that would inject a fake
project_id for create requests. This would ensure that api
consumers don't have to provide a fake project_id in requests.

Closes-Bug: #1934039
Change-Id: I5e1de571034be41f1147c130fce66e6cf70b1369
2021-07-05 21:18:09 +05:30
David Vallee Delisle 89fd50d0f9 Adding placement auth options to oslo.config entry_points
To assist with automated configuration validation, we need entry points
for oslo.config.opts for placement auth options.

Change-Id: Ibaaa1600e6a14f3308024c4e22e3489ee21e7244
2021-05-10 09:00:57 -04:00
Rodolfo Alonso Hernandez be6ee6f397 Remove not needed rootwrap filters
This patch moves all remaining filters to a single file. Since [1],
the number of processes executed using rootwrap has been reduced to
a small set.

[1]https://storyboard.openstack.org/#!/story/2007686

Story: #2007686
Task: #41284

Change-Id: Ic7eb717b9ee18068d7a6d7acb11302dd1fde60c6
2021-04-02 10:49:07 +00:00
Rodolfo Alonso Hernandez ee00bddce7 Remove rootwrap execution (6)
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates the "kill_process" method to privsep and
removes the unneeded rootwrap filters.

Change-Id: I48461be8b08cbc21c8af371f551b944343ba37bf
Story: #2007686
Task: #41558
2021-03-05 10:03:22 +00:00
Rodolfo Alonso Hernandez 5a419cbc84 Remove rootwrap execution (5)
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates some missing execution methods present in
the code and removes unneeded rootwrap filters.

Story: #2007686
Task: #41558

Change-Id: I1542dc4cf98658fc9a40018192498c7a5cd1c3fe
2021-02-19 08:47:17 +00:00
Rodolfo Alonso Hernandez 6c75316ca0 Remove rootwrap execution (4)
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates any "iptables" and "ipset" command related
to privsep.

Change-Id: I4a1e137b2b414067504ad7c799d68f482bf3d36c
Story: #2007686
Task: #41558
2021-02-08 10:05:51 +00:00
Rodolfo Alonso Hernandez a7bedd7428 Remove rootwrap execution (3)
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates the execution of "ebtables" command to
privsep.

Story: #2007686
Task: #41558

Change-Id: I05deec2f021e1b146fa3f6f7f9b37084df06d59d
2021-02-06 16:26:20 +00:00
Takashi Kajinami 459716e644 Ensure XenAPI options are loaded
Options for XenAPI support are supposed to have been deprecated, but
actually they were removed by the deprecation patch[1]. This change is
a partial revert of that patch[1], and ensures that these options are
loaded, so that warning messages about these deprecated options appear
in logs.

This change also removes these deprecated options from the example
rootwrap conf file.

[1] a6dbf97242

Change-Id: Id024dabf276e492268e723e526d7a787156eb9c1
2021-01-03 20:53:01 +09:00
Rodolfo Alonso Hernandez a6dbf97242 Deprecate XenAPI support
The configuration options are now marked as deprecated for
removal in X release.

Any related code is deleted. Neutron does not support XenAPI,
same as Nova [1][2].

[1]https://review.opendev.org/#/c/749304/
[2]https://review.opendev.org/#/c/749309/

Change-Id: Ifdb2200a5dac3508fdf8907bdd1f4547dff35341
Story: #2007686
Task: #41269
2020-12-09 20:15:39 +00:00
Zuul 0ff17b1605 Merge "Remove "find" rule from rootwrap filters" 2020-12-06 14:37:14 +00:00
Zuul 5f4ced7d9e Merge "Check project_id/tenant_id in API call" 2020-12-04 06:31:57 +00:00
Rodolfo Alonso Hernandez 55f5c78053 Remove "ovs-vsctl" support from rootwrap
This command is executed from scripts and in sanity checks, but not
from any Neutron service.

Change-Id: If82e89bf7b233559513ab44eadebb445648f0684
Story: #2007686
Task: #41282
2020-11-23 16:23:36 +00:00
Slawek Kaplonski af1ade69e7 Remove "find" rule from rootwrap filters
It isn't used anymore by Neutron.

Change-Id: I6f28077e1df8ab65cca834044e47383f38bbb443
2020-11-19 20:59:40 +00:00
Rodolfo Alonso Hernandez 2df49fa879 Check project_id/tenant_id in API call
When project_id/tenant_id is present in an API call, Neutron
checks first if this project exists. If not, a HTTPNotFound
will be thrown.

This patch is tested in neutron-tempest-plugin:
https://review.opendev.org/#/c/754390/

Closes-Bug: #1896588

Change-Id: I6276490d4df69ec0f2c9a1492b9b03d1130c7c05
2020-11-04 11:29:35 +00:00
Zuul 8441737127 Merge "Migrate "ethtool" to oslo.privsep" 2020-08-14 22:58:44 +00:00
Zuul bffd23658e Merge "Migrate "dhcp_release" to oslo.privsep" 2020-07-08 16:01:21 +00:00
Rodolfo Alonso Hernandez b52e2e6f16 Migrate "ethtool" to oslo.privsep
Story: #2007686
Task: #40290

Change-Id: I78cc06c635e806b50ca2cc631732d55e430dd2f1
2020-07-07 17:45:54 +00:00
Zuul 4c2e78b0e2 Merge "Migrate "netstat" to oslo.privsep" 2020-07-02 13:39:34 +00:00
elajkat a42d0d0301 Trivial: Change Health-check from filter to app_factory
[1] added healthcheck url to neutron API, but in review it was noted
that the used filter_factory is deprecated and app_factory is
suggested instead, as Akihiro commented in [1], in [2] filter is marked
for removal.

[1]: https://review.opendev.org/724676
[2]: https://opendev.org/openstack/oslo.middleware/src/branch/master/oslo_middleware/healthcheck/__init__.py#L409

Change-Id: I28c26d3357c21483b7642958564d675cd5feaa31
2020-06-24 12:00:46 +02:00
Zuul b1dba996b5 Merge "Remove "find" rootwrap filter" 2020-06-22 02:52:16 +00:00
Zuul 0580d03a2b Merge "Workaround for TCP checksum issue with ovs-dpdk and veth pair" 2020-06-20 18:58:11 +00:00
Rodolfo Alonso Hernandez 0c1818fbb0 Migrate "netstat" to oslo.privsep
Change-Id: If9e4c1513553c4bd10fd3b91c28c4d3f806ed816
Story: #2007686
Task: #40047
2020-06-19 14:59:11 +00:00
Rodolfo Alonso Hernandez 7143f2be1f Remove "find" rootwrap filter
This command is not used anymore.

Trivial-Fix

Change-Id: I684c58996154d14c79f5a065470ce9e34ce08670
2020-06-11 16:13:24 +00:00
Rodolfo Alonso Hernandez e332054d63 Migrate "dhcp_release" to oslo.privsep
Story: #2007686
Task: #39976
Change-Id: I3414d06b9c6dfe549e79aab5fbe52c8f3ffd63f7
2020-06-09 09:11:31 +00:00
Alexander Vlasov 11838a2bc5 Workaround for TCP checksum issue with ovs-dpdk and veth pair
The need for this change stems from the following issues:
1) When ovs_use_veth = False with ovs-dpdk, an issue with ovs
was observed - after vswitch restart the interface is not coming up.
Meaning ovs-dpdk uses ovs internal ports and it is not able to bring
them up on restart.
2) When ovs_use_veth = True and ovs-dpdk is used, packets are sent with
incorrect checksum due to the fact that ovs-dpdk does not do checksum
calculations for veth interface.

This commit allows using the second option and resolving the checksum issue by
disabling checksum offload.

Closes-Bug: #1832021
Related-Bug: #1831935

Change-Id: Iecce8d2c6c2c46718cc1020c6e8f914cd4560e4b
2020-05-08 10:19:07 -05:00
Zuul eca1ee4d76 Merge "Add a /healthcheck URL" 2020-05-03 20:26:22 +00:00
Thomas Goirand 133200014b Add a /healthcheck URL
The /healthcheck is helpful for operators to set up neutron-api
behind haproxy, or for doing monitoring.

Change-Id: I83b8c2afdd74b57184200daab54255e8cae9c27b
2020-04-30 17:27:19 +02:00
Brian Haley 4fb505891e Updates for python3.8
With the move to the Victoria job template in
https://review.opendev.org/#/c/722681/, the py37 jobs no
longer get run, so the check and gate job entries can
be removed.

Added a keepalived py38 KillFilter line to match the py36
and py37 ones.

Also updated TESTING.rst to use py38 in all examples.

Change-Id: Ief793b54d53c3239cfb24278e88e4f4189bbc2c2
2020-04-28 14:03:21 -04:00
Slawek Kaplonski 2273499155 Add rootwrap filter rule for radvd-kill script
In patch [1] support for custom kill scripts was added.
We also added rootwrap filter rules for such scripts to
kill dnsmasq, haproxy, dibbler and keepalived processes.
But we missed adding a rule for radvd-kill so this patch
adds it (better late than never ;))

[1] https://review.opendev.org/#/c/661760/

Closes-Bug: #1873240

Change-Id: I8fa7176d1d9667c6b5cc95af0e31210d0f1c3662
2020-04-16 20:10:28 +00:00
Lucian Petrut caa34c2797 Drop invalid rootwrap filters
A recent change introduced a couple of rootwrap filters that are
supposed to allow running ping within a network namespace.

Those filters will actually replace the "ip" command with "ping",
which leads to an invalid command.

Since those two filters are now superfluous, we're going to drop
them.

Change-Id: I57869c68e858503ed8d6b86506c79c289f2820e1
Closes-Bug: #1864186
2020-02-21 13:21:20 +02:00
Zuul 1f02c4cf5f Merge ""ping"/"ping6" command support in rootwrap filters" 2020-02-20 02:31:17 +00:00
Rodolfo Alonso Hernandez 22ce84ab4d Revert "Add "ncat" rootwrap filter for debug"
This reverts commit 0ef4233d89.

This patch is introducing a redundant filter already present in
"testing.filters". The problem described in the related bug should
be solved in https://review.opendev.org/#/c/707697/.

Related-Bug: #1862927
Related-Bug: #1863213

Change-Id: I4de37364a6fb0184230a9742daced40e4edbfb30
2020-02-14 10:11:27 +00:00
Rodolfo Alonso Hernandez cc3b9df426 "ping"/"ping6" command support in rootwrap filters
To have correct support in rootwrap, "ping"/"ping6" command should
have the correct filters in rootwrap.

Because "ping" command is harmless, "CommandFilter" is used to allow
any binary call, regardless of the parameters used and the order.

Nevertheless, this patch also proposes to use "ping"/"ping6" with
the same parameters and a specific order, to help in the debug
process:
- ping[6] -W <timeout> <address>
- ping[6] -W <timeout> -c <count> <address>
- ping[6] -W <timeout> -c <count> -i <interval> <address>

Those commands could be called from inside a namespace. The needed
filter is also added in this patch.

Change-Id: Ie5cbc0dcc76672b26cd2605f08cfd17a30b4c905
Closes-Bug: #1863006
2020-02-13 11:58:01 +00:00
Rodolfo Alonso Hernandez 0ef4233d89 Add "ncat" rootwrap filter for debug
In [1], new tests to check "ncat" tool were added. The missing piece
of this patch was to add a new rootwrap filter to allow to execute
"ncat" binary as root and inside a namespace.

Closes-Bug: #1862927

[1]https://review.opendev.org/#/q/If8cf47a01dc353734ad07ca6cd4db7bec6c90fb6

Change-Id: I8e8e5cd8c4027cce58c7073002120d14f251463d
2020-02-12 11:43:27 +00:00
Zuul 7d5bb6d030 Merge "Remove python 3.5 from L3 rootwrap filters" 2020-01-26 23:56:06 +00:00
Zuul 4b48de8e88 Merge "Allow to kill keepalived state change monitor process" 2020-01-22 13:46:07 +00:00
Slawek Kaplonski 2f46aee345 Remove python 3.5 from L3 rootwrap filters
In L3 agent's rootwrap filters there are KillFilters
to allow killing of python processes (used to kill
neutron-keepalived-state-change-monitor script). There
was also a filter for python3.5 but now Neutron supports
python3.6 and newer so python3.5 isn't needed there
anymore and this patch removes it from there.

Change-Id: I57fcc6b1c506dce9113b56ffee7d29a96fa7f251
2020-01-20 21:19:05 +01:00
Slawek Kaplonski d6fccd247f Allow to kill keepalived state change monitor process
Usually Neutron stops neutron-keepalived-state-change-monitor process
gracefully with SIGTERM.
But in case this does not stop the process for some time, Neutron will
try to kill this process with SIGKILL (-9).
That was causing a problem with rootwrap as kill filters for this process
allowed sending only "-15" to it.
Now it is possible to kill this process with "-9" too.

Change-Id: Id019fa7649bd1158f9d56e63f8dad108d0ca8c1f
Closes-bug: #1860326
2020-01-20 11:48:27 +01:00