Commit Graph

123 Commits

Author SHA1 Message Date
Adam Oswick c8c74f12e0 Load FIP information during initialize not init
DvrLocalRouter._load_used_fip_information() is called during the class
init however in some cases it tries to access a network namespace which
hasn't yet been created. This results in NetworkNamespaceNotFound.

This change ensures that we instead create any FIP priority rules after
the network namespace has been created by calling
_load_used_fip_information() from the initialize function rather than
in the class instantiation.

Closes-Bug: #2025129
Change-Id: I41ffffeca433faab2244ff3d1876ca078ce5ebfb
2023-06-29 20:59:27 +01:00
Rodolfo Alonso Hernandez 1d84aaf877 Bump the minimum pyroute2 version to 0.7.3
This patch also removes the pylint disablement message control
statements and imports NetNS and IPRoute from the new locations
in pyroute2.

Trivial-Fix

Change-Id: I298a7da767473c236ddf03c5702a2904d4870284
2023-01-18 04:43:09 +01:00
Brian Haley 81330921d8 Fix some pylint indentation warnings
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
the ones in neutron/agent and neutron/privileged/agent.

Trivialfix

Change-Id: Ib94257481e62b99b3d7648ae5137af5411b4867a
2022-12-01 16:22:24 +00:00
Rajesh Tailor 732c1dcbc2 Fix typos in error/log messages
This change fixes some typos in ERROR and LOG messages.

Change-Id: I4ec5b10cdd38bb8734b70d459b2afe99275cd8bd
2022-06-29 15:59:22 +05:30
Slawek Kaplonski 771fdc0b07 [DVR] Set arp entries only for IPs from the correct subnet
When dvr router is processing internal ports it is checking all
ports connected to the subnet and adding permanent arp entries for
all fixed IPs and allowed address pairs from those ports in the qrouter
namespace.
But port can have fixed IPs from different subnets, e.g. from IPv4 and
IPv6 subnet and until now Neutron wasn't checking subnet_id of the
fixed_ip address nor ip version of the allowed address pair's IP
address. That resulted in adding arp entries for all IPs through all
interfaces, e.g. IPv4 address was added as it's reachable through
interface connected to the IPv6 subnet.

This patch adds checking of the subnet_id for fixed_ips and ip version
for the allowed address pairs configured on the port to avoid that
problem.

Closes-Bug: #1936980
Change-Id: Id5afad7af74d69f8b4159163d23807a1cf032733
2021-09-24 09:51:30 +00:00
Zuul 6db2619628 Merge "[DVR] Set arp entries only for single IPs given as allowed addr pair" 2021-09-15 09:59:24 +00:00
Slawek Kaplonski 19375b3e78 [DVR] Set arp entries only for single IPs given as allowed addr pair
In allowed address pairs of the port there can be given not single IP
address but whole CIDR. In such case ARP entries for IPs from such
cidr will not be added in the DVR router namespace.

Closes-Bug: #1934912
Change-Id: I7bdefea943379125f93b116bb899446b874d9505
2021-08-26 19:08:56 +00:00
Zuul d1228f265b Merge "Populate self.floating_ips_dict using "ip rule" information" 2021-07-19 14:00:30 +00:00
Rodolfo Alonso Hernandez a03c240ef4 Populate self.floating_ips_dict using "ip rule" information
When the L3 agent starts, it reads the floating IP rule priority from
a state file created by "FipRulePriorityAllocator". In case of not
having all floating IPs registered in this file, the method:
- Creates a new priority for this floating IP.
- Creates the "ip rule" in the namespace.
- Adds a new entry in "self.floating_ips_dict".

All "ip rules" present in the namespace that do not match the
registered fixed IP address ("from") and the priority assigned
are deleted.

Closes-Bug: #1891673
Closes-Bug: #1929821

Change-Id: Ia3fbde3304ab5f3c309dc62dbf58274afbcf4614
2021-07-08 15:40:08 +00:00
Hemanth Nakkina be7d0bb6ab Update arp entry of snat port on qrouter ns
In some cases, the arp entry of snat port is not updated
in qrouter namespace. l3-agent calls get_ports_by_subnet()
while setting arps for the subnet. And the snat port is
not returned if it is still unbound. One of the scenarios where
this is observed is when router is created, external
gateway set and internal subnet attached to router in
quick succession.

This patch retrieves snat port details from router info
as well and updates arp entry for snat port.

Closes-Bug: #1933092
Change-Id: I7ee797b4b930306cf6360922d855f8b24f1b813d
2021-07-02 17:06:43 +05:30
Rodolfo Alonso Hernandez 074c131b57 Disable pep8 import check for pyroute2 library
Since version 0.6.2, pyroute2 library dynamically imports the needed
modules when loaded. A static analysis will fail when checking the
import references.

Change-Id: I5aaf9494a2d5c2533199e6b92d4df8fe785f83a3
Closes-Bug: #1930750
2021-06-03 20:06:44 +00:00
Slawek Kaplonski 7b59b5069b [DVR] Send allowed address pairs info to the L3 agents
When new dvr router is going to be created on the node, L3 agent
asks server for list of ports plugged to the subnets, to populate
arp entries for all fixed IPs from those ports.
There was missing info about allowed address pairs there, so those
IPs were not populated in the qrouter namespace.
Now it's added and L3 agent can add those arp entries to the qrouter
namespaces too.

Closes-Bug: #1928466
Change-Id: I5d6c72c271ff450d9e43b3e33a99dd59d727882d
2021-05-18 12:58:23 +02:00
Rodolfo Alonso Hernandez 32193267f5 Replace "ip route" command in "dvr_local_router"
This is a leftover of the "ip route" command migration to Pyroute2.

A new parameter, "proto", is added to the IP route add and list
commands. The default protocol used is "static".

Story: #2007686
Task: #41284
Related-Bug: #1492714

Change-Id: I319fd0611d3e8a3a09d6d4e077a17a622f74f51c
2021-03-15 16:05:28 +00:00
Rodolfo Alonso Hernandez c89c1f53db Remove rootwrap execution (1)
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch replaces some "IpNetnsCommand" command execution
methods.

Change-Id: Ic5fdf221a2a2cd0951539b0e040d2a941feee287
Story: #2007686
Task: #41558
2021-02-06 16:22:43 +00:00
LIU Yulong 84d4fe177b [L3] Add missing address scope mark for IPv6 traffic
Any IPv6 traffic that wants to go in/out directly on the DVR compute node
will be dropped by the mis-configured scope mark iptables rule. This
patch addresses this issue.

Closes-Bug: #1895401
Change-Id: Iee045e963e05f83d497e73bb39bb64c522f19543
2020-09-16 00:34:38 +00:00
Edward Hope-Morley 5eca44bfa8 Ensure fip ip rules deleted when fip removed
The information needed to delete ip rules associated
with fips is held in memory between add and remove so
a restart of the l3-agent results in any fips that
existed before the restart having their ip rules
persist after the fips are removed. This patch
ensures that an agent restart reloads this information
so that ip rules associated with a fip are correctly
removed when the fip is removed.

Change-Id: If656a703c996ccc7719b1b09d793c5bbdfd6f3c1
Closes-Bug: #1891673
2020-08-18 20:39:10 +01:00
Brian Haley 4f10c3bd3f Remove usage of six.text_type and six.string_type
With python 3.x, six.text_type and six.string_type
are just str.

Also removed a six.integer_type since it was the only
one left in a file.

Another step in removing all of six usage from neutron.

Change-Id: I5208dc41bff1983ecd323286f427296b722da62a
2020-05-22 14:02:55 -04:00
LIU Yulong 5f2758bb80 Move arp device check out of loop
This could be time-consuming if there are lots of ports
under the router. So this patch moves the same device
check out of the loop.

Closes-Bug: #1856839
Change-Id: I2da856712aaafb77878628c52d19e0a5c7cdee0f
2020-01-04 15:48:11 +08:00
Brian Haley b79842f289 Start enforcing E125 flake8 directive
Removed E125 (continuation line does not distinguish itself
from next logical line) from the ignore list and fixed all
the indentation issues.  Didn't think it was going to be
close to 100 files when I started.

Change-Id: I0a6f5efec4b7d8d3632dd9dbb43e0ab58af9dff3
2019-07-19 23:39:41 -04:00
Rodolfo Alonso Hernandez 429c77c574 Implement "ip route delete" command using Pyroute2
Change-Id: I960455d6a9bc1b633d485c42a26b3a254731558e
Related-Bug: #1492714
2019-07-01 10:37:19 +00:00
Swaminathan Vasudevan 30f35e08f9 Packets getting lost during SNAT with too many connections
We have a problem with SNAT with too many connections using the
same source and destination on the network nodes.

In addition we can see in the conntrack table that the who
"insert_failed" increases.

This might be a generic problem with conntrack and linux.
We suspect that we encounter the following "limitation / bug"
in the kernel.

There seems to be a workaround to alleviate this behavior by
setting the --random-fully flag in iptables for port consumption.

This patch fixes the problem by adding the --random-fully to
the SNAT rules.

Change-Id: I246c1f56df889bad9c7e140b56c3614124d80a19
Closes-Bug: #1814002
2019-04-12 10:12:04 -04:00
Boden R 9bbe9911c4 remove neutron.common.constants
All of the externally consumed variables from neutron.common.constants
now live in neutron-lib. This patch removes neutron.common.constants
and switches all uses over to lib.

NeutronLibImpact

Depends-On: https://review.openstack.org/#/c/647836/
Change-Id: I3c2f28ecd18996a1cee1ae3af399166defe9da87
2019-04-04 14:10:26 -06:00
Rodolfo Alonso Hernandez 0c6d76f210 Remove conntrack rule when FIP is deleted
Change-Id: Ia2bc8a7b5b27a5d4fbbfb7813cde7f022934bd22
Closes-Bug: #1818805
2019-03-28 14:45:56 +00:00
Zuul c21d922abd Merge "Fix pep8 E128 warnings in non-test code" 2019-03-15 11:37:27 +00:00
Brian Haley eaf990b2bc Fix pep8 E128 warnings in non-test code
Reduces E128 warnings by ~260 to just ~900,
no way we're getting rid of all of them at once (or ever).
Files under neutron/tests still have a ton of E128 warnings.

Change-Id: I9137150ccf129bf443e33428267cd4bc9c323b54
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
2019-03-12 21:22:33 +00:00
Brian Haley 2ac0ee0b28 Fix pylint E1128 (assignment-from-no-return) in l3-agent
Changed migrate_centralized_floating_ip() to return a
status in DvrLocalRouter class.  Also changed the parent
method in RouterInfo class to return FLOATINGIP_STATUS_NOCHANGE,
which will cause the agent to not send an updated status for
the floating IP.

Also changed floating_ip_added_dist() to not use an
intermediate variable and just return directly.

Change-Id: I7dc4934308da95cf00a36b4ef1020aac7cef7d99
Closes-bug: #1816874
2019-03-12 13:43:58 +00:00
Doug Wiegley 7e208c3014 Bump pylint version to one that supports python3.7
The listed revision no longer supports python2, but afaik, we are
always running under python3 for those tests anyway.

Change-Id: Iba94d73eeb65fb21f5d098afe0fbe4348dbea850
2019-02-21 13:22:26 +00:00
Rodolfo Alonso Hernandez 489dd18530 Implement IpRuleCommand.delete() using pyroute2
Related-Bug: #1492714

Change-Id: Ia9f192541f7b9994c3dae93f3f3ae96f1a4fba0c
2018-12-14 19:27:41 +00:00
Rodolfo Alonso Hernandez 87926fddc0 Implement IpRuleCommand.add() using pyroute2
Change-Id: I0cc6b24a91794eeba46462fac2bfdeda2ba2ab9e
Related-Bug: #1492714
2018-12-04 19:54:18 +00:00
Rodolfo Alonso Hernandez c68ebd661b Implement IpRuleCommand.list_rules() using pyroute2
Change-Id: I55d5dd756940e5a92f472c9309d49f427e907928
Related-Bug: #1492714
2018-11-27 09:23:25 +00:00
Swaminathan Vasudevan cd0cc47a6a DVR: Centralized FloatingIPs are not cleared after migration.
With DVR routers, if a port is associated with a FloatingIP,
before it is used by a VM, the FloatingIP will be initially
started at the Network Node SNAT Namespace, since the port
is not bound to any host.

Then when the port is attached to a VM, the port gets its
host binding, and then the FloatingIP setup should be migrated
to the Compute host and the original FloatingIP in the Network
Node SNAT Namespace should be cleared.

But the original FloatingIP setup in SNAT Namespace was not
cleared by the agent.

This patch addresses the issue.

Change-Id: I55a16bcc0020087aa1abe76f5bc85cd64ccdaecd
Closes-Bug: #1796491
2018-11-13 16:25:04 -05:00
LIU Yulong ee7660f593 Install centralized floating IP nat rules to all ha nodes
For L3 DVR HA router, the centralized floating IP nat rules are not
installed in every HA node snat namespace. So, install the rules to
all the router snat-namespace on every scheduled HA router host.

Closes-Bug: #1793527
Change-Id: I08132510b3ed374a3f85146498f3624a103873d7
2018-10-06 02:40:52 +08:00
Zuul da396c3f47 Merge "DVR: Self recover from the loss of 'fg' ports in FIP Namespace" 2018-06-27 14:23:57 +00:00
Zuul abbd534fdf Merge "Revert "DVR: Fix allowed_address_pair IP, ARP table update by neutron agent"" 2018-06-18 21:56:10 +00:00
Swaminathan Vasudevan 5a7c12f245 DVR: Self recover from the loss of 'fg' ports in FIP Namespace
Sometimes we have seen the 'fg' ports within the fip-namespace
either go down, not get created in time or get deleted due to
some race conditions.
When this happens, the code tries to recover itself after couple
of exceptions when there is a router_update message.
But after recovery we could see that the fip-namespace is
recreated and the 'fg-' port is plugged in and active, but the
'fpr' and the 'rfp' ports are missing which leads to the
FloatingIP failure.

This patch will fix this issue by checking for the missing devices
in all router_updates.

Change-Id: I78c7ea9f3b6a1cf5b208286eb372da05dc1ba379
Closes-Bug: #1776984
2018-06-15 14:25:42 -07:00
Swaminathan Vasudevan f98f239a15 Revert "DVR: Fix allowed_address_pair IP, ARP table update by neutron agent"
This reverts commit fbe308bdc1.

This does not help the ARP update for the unbound Allowed-address-pair
IP, since the temporary ARP update (NUD: reachable) goes to incomplete
state when the router tries to re-ARP for the IP, before it responds to
a VM, since DVR routers do not allow the ARP requests to flow through
the br-tun.

Closes-bug: #1773999

Change-Id: I9977c8cbbbc1e68565249e7f80c59319fe967300
2018-06-07 15:32:20 +00:00
Brian Haley 7cfdf4aa81 Fix all pep8 E129 errors
Fixed all pep8 E129 errors and changed tox.ini to no longer
ignore them.

Change-Id: I0b06d99ce1d473b79a4cfdd173baa4f02e653847
2018-05-03 13:44:04 +09:00
Brian Haley c3b83a9ca6 Fix all pep8 E265 errors
Fixed all pep8 E265 errors and changed tox.ini to no longer
ignore them.  Also removed an N536 comment missed from a
previous change.

Change-Id: Ie6db8406c3b884c95b2a54a7598ea83476b8dba1
2018-04-30 16:35:52 -04:00
Zuul ffef5c0d01 Merge "DVR: Avoid address scope rules for dvr_no_external agents" 2018-04-09 21:30:07 +00:00
Swaminathan Vasudevan 7c4da6fb75 DVR: Avoid address scope rules for dvr_no_external agents
All FloatingIP for DVR_NO_EXTERNAL agents will be configured
in the SNAT Namespace. So there is no need to configure the
address scope related routes in the router namespace when the
agent is configured as DVR_NO_EXTERNAL.

Change-Id: I009dae9e7f485641f2f19dce8dd575da04bfb044
Related-Bug: #1753434
2018-04-05 08:37:08 -07:00
Dmitrii Shcherbakov 81db328b2d Use cidr during tenant network rule deletion
If a distributed router has interfaces on multiple tenant networks, with
'fast exit' functionality policy based rules are created in qrouter
namespace for every tenant network subnet and 'from <cidr>' is included
into an 'ip rule' command invocation.

When a port on a tenant network is deleted 'from <cidr>' part is not
included and a first rule matching specified parameters gets deleted.

For example with the following layout

ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
80000:  from 192.168.100.0/24 lookup 16
80000:  from 192.168.200.0/24 lookup 16

and neutron l3 agent will use this command

ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip -4 rule\
del priority 80000 table 16 type unicast

and 192.168.100.0/24 rule will get deleted even if you actually removed
a port on 192.168.200.0.

This results in an extra rule present and not cleaned up and the right
rule removed. It is only recreated if a router is disabled and enabled
again.

additional changes:

1) Floating IP rules are identified by priority only as implemented
currently - for this reason this change adds fixed_ip to the rule
removal code. Rule priorities are 32-bit values in iproute2 so,
in theory, those should not be used to cover IPv6.

2) IP protocol information for 'from all' rules is currently
derived from link-local address IP version. The same approach
is preserved by using version-specific /0 addresses without
changing the API provided by ip_lib.

Change-Id: I0ea6dddd26e17771be223a1fbdf21792c90f3e9c
Closes-Bug: #1759956
2018-04-03 19:17:03 -04:00
Swaminathan Vasudevan fbe308bdc1 DVR: Fix allowed_address_pair IP, ARP table update by neutron agent
Allowed_address_pair IP when associated with a network port will
inherit the services MAC.
Right now the ARP entry is updated with the last MAC that it is
associated with. But when allowed_address_pair IPs are used in
the context of VRRP the MAC keeps switching between the MASTER
and SLAVE. VRRP instance sends out GARP, but the ARP entry in the
router namespace is not getting updated based on the GARP.

This might cause the VRRP IP and the service using the IP to fail.

Since we have been adding the ARP entry with NUD state as
PERMANENT, the ARP entries are set forever and do not adopt the
GARP sent out by the VRRP instance.

This will cause instances associated with DVR routers to have a
service interruption.

So the proposed patch will add the ARP entry for the Allowed address
pair with NUD for 'REACHABLE'.
This allows the Allowed_address_pair IP MAC to be updated on the
fly.

Change-Id: I43c3471f5d259e8c2ee1685398a06a4680c0bfcd
Closes-Bug: #1608400
2018-03-13 23:55:00 +00:00
Boden R f6de54fa4f use DVR constants from neutron-lib
The L3_AGENT_MODE_DVR_NO_EXTERNAL and DVR_SNAT_BOUND constants were
rehomed into neutron-lib with Ieb9374f5483a0ab2306592ab901686ca374db1c8
This patch consumes them by removing them from neutron and using the
constants from neutron-lib instead.

NeutronLibImpact

Change-Id: Ib63a523721a2fa3d1a978a729de28e6a2e560ef6
2018-02-23 09:17:02 -07:00
Daniel Russell af73882a9d Prevent LBaaS VRRP ports from populating DVR router ARP table
Prevents the MAC address of the VIP address of an LBaaS or
LBaaSv2 instance from populating in the DVR router ARP table

Change-Id: If49aaa48a5e95ccd0a236db984d3984a6e44c87c
Closes-Bug: 1733852
2017-12-08 08:30:45 +11:00
Jenkins 62b7881920 Merge "DVR: Fix unbound fip port migration to bound port" 2017-10-14 01:31:08 +00:00
Brian Haley 4f627b4e8d Change ip_lib network namespace code to use pyroute2
Change network namespace add/delete/list code to use
pyroute2 library instead of calling /sbin/ip.

Also changed all in-tree callers to use the new calls.

Closes-bug: #1717582
Related-bug: #1492714

Change-Id: Id802e77543177fbb95ff15c2c7361172e8824633
2017-10-04 21:09:28 +00:00
Swaminathan Vasudevan 27fcf86bcb DVR: Fix unbound fip port migration to bound port
With the current change in allowing the unbound fip
to be associated with the snat node, we are seeing
that all floating IPs that are associated with an
unbound port are created at the snat node.
This is also applicable for floating IPs that are
created just before associating the port to a VM.
We have seen such scenarios in the test cases.

This is the right behavior as per design. But when
the port is bound to a host, the floating IP should
be migrated to the respective host.

This patch fixes the issue by sending notification to
the respective node, when the port is bound and also
clear the fip from the snat node.

Closes-Bug: #1718788
Change-Id: I6b1f3ffc3c3336035632f6a82d3a87b3be57b403
2017-10-04 20:52:36 +00:00
Swaminathan Vasudevan afd1995d91 DVR: Fix agent to process only floatingips that have a host match
The agent is not currently checking for the host bound
before configuring the floatingip. That leads to
floatingips being configured on multiple hosts.

This is a partial fix on the agent side to prevent
configuring a floatingip ip that is not bound to
this host.

Related-Bug: #1712412
Related-Bug: #1713927

Change-Id: I1bc8c42425f97234f56412a2f109a996d9f896de
2017-08-31 15:22:27 -07:00
Jakub Libosvar 3270029261 dvr: Don't raise KeyError in _get_floatingips_bound_to_host
We thought _get_floatingips_bound_to_host is not needed but removing the
method caused sending garps for fip that doesn't belong to node during
the full-sync.

This patch just replaces dict lookup with get() method, so fips are
filtered based on presence on the host and if host is not set on fip, it
won't raise a KeyError.

Co-Authored-By: Swaminathan Vasudevan <SVasudevan@suse.com>

Related-bug: #1712412
Related-bug: #1713927

Change-Id: I0fbc772d757fb13b788f9df8d6d7d28d288d054a
2017-08-31 13:25:52 +00:00
Ihar Hrachyshka 7319c84455 Revert "DVR: _get_floatingips_bound_to_host throws KeyError"
This reverts commit 47fbc6157a.

Change-Id: I207b391fa9252e5639606b72d66234acb0ff9a4a
2017-08-30 20:34:14 +00:00