Set nonlocal_bind to 1 to allow starting applications in both
routers (like ipsec from vpnaas). nonlocal_bind 0 prevents us from
starting ipsec in both routers simultaneously, as the process can't bind
to a non-existing address, which was worked around in [1]
by setting a dependency on the python process during failover.
This reverts [2] completely, which was partially reverted by [3].
[1] https://review.opendev.org/c/openstack/neutron-vpnaas/+/823904
[2] https://review.opendev.org/393886
[3] https://review.opendev.org/c/openstack/neutron/+/752360
Related-Bug: 1999761
Change-Id: I18a15aa3ca745b2b794610350f538d02575ccbe0
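The bind failure this change is about, reproduced with a plain socket, as an added example that is not part of the commit or of Neutron's code. A process cannot bind an address that is not configured on any interface in its network namespace unless net.ipv4.ip_nonlocal_bind is 1 for that namespace; the block also shows the per-socket equivalent, IP_FREEBIND, which lets a single socket do the same without flipping the namespace-wide knob. 192.0.2.1 (TEST-NET-1) is assumed not to be configured locally, and the sysctl path is the one exposed by Linux under /proc.

```python
import errno
import socket

# Linux value of IP_FREEBIND from <linux/in.h>; older CPython builds do not
# export it as a socket constant, so fall back to the raw number.
IP_FREEBIND = getattr(socket, "IP_FREEBIND", 15)

# Per-namespace knob; this is the value visible in the caller's namespace.
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_nonlocal_bind"


def nonlocal_bind_sysctl():
    """Return the current net.ipv4.ip_nonlocal_bind value, or None if the
    knob cannot be read (non-Linux host, /proc unavailable)."""
    try:
        with open(SYSCTL_PATH) as f:
            return int(f.read().strip())
    except OSError:
        return None


def bind_result(addr, freebind=False):
    """Try to bind a TCP socket to addr on an ephemeral port.

    Returns 0 on success or the errno of the failure.  With freebind=True the
    IP_FREEBIND socket option is set first, which lets this one socket bind a
    not-yet-configured address regardless of the namespace-wide sysctl.
    """
    s = None
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if freebind:
            s.setsockopt(socket.IPPROTO_IP, IP_FREEBIND, 1)
        s.bind((addr, 0))
        return 0
    except OSError as e:
        return e.errno
    finally:
        if s is not None:
            s.close()


def expected_plain_result():
    """What a plain bind to a non-local address should return on this host:
    success only if ip_nonlocal_bind is 1, otherwise EADDRNOTAVAIL."""
    return 0 if nonlocal_bind_sysctl() == 1 else errno.EADDRNOTAVAIL


if __name__ == "__main__":
    # 192.0.2.1 is TEST-NET-1 (RFC 5737) and is assumed not to be configured
    # on any local interface, which is the situation of the standby HA router
    # before failover moves the VIP to it.
    print("ip_nonlocal_bind =", nonlocal_bind_sysctl())
    print("plain bind       ->", errno.errorcode.get(bind_result("192.0.2.1"), "ok"))
    print("IP_FREEBIND bind ->", errno.errorcode.get(bind_result("192.0.2.1", True), "ok"))
```

Run it inside a router namespace with `ip netns exec <ns> python3 ...` to see the value the L3 agent set there rather than the root namespace's value. The sysctl and the socket option have the same effect on address ownership checks, so a daemon that supports IP_FREEBIND (or haproxy's `transparent`) is the narrower fix; ipsec in the vpnaas case does not, which is why the change sets the namespace-wide knob.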
This option is deprecated and marked to be deleted in Ocata. So,
as we are now in the Stein development cycle, I think that it's a good time
to remove it.
Change-Id: I07474713206c218710544ad98c08caaa37dbf53a
Currently the metadata proxy binds to default 0.0.0.0, which does not
add any advantage (metadata requests are not sent to random IP
addresses), and may allow access to cloud information from
third parties.
This changes the generated configuration to bind to METADATA_DEFAULT_IP
address instead.
This is not enabled in the other metadata proxy configuration (in the L3
agent), as this would require net.ipv4.ip_nonlocal_bind everywhere
(currently only enabled for DVR) or transparent mode in haproxy (which
requires net.ipv4.ip_nonlocal_bind anyway).
Changed set_ip_nonlocal_bind_for_namespace() to support setting the
value in both the given and root namespace correctly, since it was
only used from inside the neutron codebase according to codesearch.
Change-Id: I388391cf697dade1a163d15ab568b33134f7b2d9
Co-Authored-By: Andrey Arapov <andrey.arapov@nixaid.com>
Closes-Bug: #1745618
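The weak and the corrected bind setting side by side, as an added illustration rather than Neutron's generated haproxy file (only the listen section is shown; the unix socket path is the usual metadata_proxy_socket default and is an assumption here). METADATA_DEFAULT_IP is 169.254.169.254, the link-local address the DHCP port carries inside the qdhcp namespace.

```haproxy
# Before: wildcard bind.  Inside the namespace the proxy answers on every
# address the namespace has, not only the metadata address instances use.
listen listener
    bind 0.0.0.0:80
    server metadata unix:/var/lib/neutron/metadata_proxy

# After: only the link-local metadata address.  Requests to any other
# address in the namespace are refused by the kernel, not by haproxy.
listen listener
    bind 169.254.169.254:80
    server metadata unix:/var/lib/neutron/metadata_proxy
```

To confirm what a running proxy actually bound, list listeners inside the namespace (`ip netns exec qdhcp-<network-id> ss -ltnp`) and check that the local address column shows 169.254.169.254:80 rather than 0.0.0.0:80 or *:80.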
This is the most common use pattern for the method, so it makes sense to
make it default.
(Actually, it may be that there are no usage for the arguments
whatsoever, but better safe than sorry.)
NeutronLibImpact: this change potentially breaks callers of get_devices
that may want to get the automatic devices by default. Those imaginary
callers may need to set exclude_gre_devices and/or exclude_loopback to
True from now on.
Change-Id: Ic32b8abc7f8502b8907ae21c996e13cb8fd5401d
Related-Bug: #1604115
Agents and netns_cleanup tool attempt to clean up devices from
namespaces before destroying namespaces, but they should skip doing it
for gre devices that are automatic and show up depending on kernel
modules loaded.
Change-Id: Ie95890ed92ac73ec8e2d118a9727b9e1624a5178
Related-Bug: #1604115
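The device listing with the exclusions these two changes describe, as an added example that is not Neutron's ip_lib code. It parses the one-line-per-device output of `ip -o link show` (a constructed sample is embedded) and, by default, drops the loopback and the fallback tunnel devices the kernel creates on its own when a tunnel module is loaded. The page's `exclude_gre_devices` covers gre0/gretap0/erspan0; this example generalizes to the other fallback tunnel devices (sit0, tunl0, ip6gre0, ip6tnl0) that appear the same way, so the parameter is named exclude_fb_tun_devices. The device list and the regex are this example's assumptions.

```python
import re

# Devices the kernel creates by itself when ip_gre, ipip, sit, ip6_gre or
# ip6_tunnel are loaded.  They exist in every namespace, are never plugged by
# Neutron, and must not be "cleaned up".  Assumed list for this example.
FB_TUNNEL_DEVICES = frozenset(
    {"gre0", "gretap0", "erspan0", "sit0", "tunl0", "ip6gre0", "ip6tnl0"})

# `ip -o link show` prints "<index>: <name>[@<peer>]: <flags> ..." per line.
_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:")


def parse_ip_link(output):
    """Return the device names found in `ip -o link show` output."""
    names = []
    for line in output.splitlines():
        m = _LINK_RE.match(line.strip())
        if m:
            names.append(m.group("name"))
    return names


def get_devices(ip_link_output, exclude_loopback=True,
                exclude_fb_tun_devices=True):
    """Device names in a namespace, minus the ones nobody should delete."""
    names = parse_ip_link(ip_link_output)
    if exclude_loopback:
        names = [n for n in names if n != "lo"]
    if exclude_fb_tun_devices:
        names = [n for n in names if n not in FB_TUNNEL_DEVICES]
    return names


# Constructed sample shaped like `ip -o link show` inside a router namespace
# on a host where ip_gre and sit are loaded.  The backslash is ip's own
# line-continuation marker in -o mode.
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN mode DEFAULT group default qlen 1000\\    link/gre 0.0.0.0 brd 0.0.0.0
3: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN mode DEFAULT group default qlen 1000\\    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000\\    link/sit 0.0.0.0 brd 0.0.0.0
17: qr-3f2a1c9e-7b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/ether fa:16:3e:12:34:56 brd ff:ff:ff:ff:ff:ff
18: qg-8d1e0f42-aa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/ether fa:16:3e:ab:cd:ef brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    print("all:      ", parse_ip_link(SAMPLE))
    print("to clean: ", get_devices(SAMPLE))
```

Deleting gre0 or sit0 fails (they are not removable with `ip link del`) and, before this change, that failure aborted the namespace cleanup that follows, which is how a namespace ends up leaked rather than removed.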
When running DVR, it's possible for traffic to get confused and sent
through SNAT thanks to the way conntrack tracks "new" connections. This
patch sets "nf_conntrack_tcp_loose" inside the SNAT namespace to more
intelligently handle SNAT traffic (and ignore what should be FIP
traffic) - basically, don't track a connection where we didn't
see the initial SYN.
https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
Change-Id: Ia5b8bd3794d22808ee1718d429f0bbdbe61e94ec
Closes-Bug: 1620824
Since the refactor is complete, let's clean these up and
use neutron-lib constants instead.
Trivialfix
Change-Id: Ic69d59d53ee78a4c6eb0104583755c4145fb8e46
[1] allows us to identify the stale snat namespace and delete the
namespace when the gateway is cleared as the agent restarts. But method
SnatNamespace.delete unplugs 'sg-XXX' devices only, which leads to a stale
port remaining in the ovs bridge.
This patch identifies the stale external device and unplugs it.
[1] https://review.openstack.org/#/c/326729/
Change-Id: I27fff32aeeecdc599a578637f390dc1d73f0171b
Closes-Bug: #1649092
We rely on keepalived to send gratuitous ARPs when a floating IP is added.
Older versions of keepalived up to 1.2.20 (exclusive) contain a bug [1] where
keepalived does not send GARP on receiving SIGHUP. Unfortunately, newer
versions containing the fix are not packaged yet for some distributions
like RHEL or CentOS or Ubuntu Xenial, so this patch adds a workaround for
such distributions until new packages are available.
The patch also sets the net.ipv4.ip_nonlocal_bind kernel parameter to 0 for
Snat and HA router namespaces in order to avoid sending gratuitous ARPs
for IP addresses that are not bound to the interface anymore - possibly
because of failover or removal. Note that kernels < 3.19 contain a bug
where this knob is missing. In case it attempts to set the parameter and
it's missing on the system, it doesn't set the knob in the root
namespace like it's done for fip namespaces, but only issues a warning
message.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1391553
Change-Id: Ieab53624dc34dc687a0e8eebd84778f7fc95dd77
Closes-bug: 1639315
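The fallback decision described above, written out as an added example with a fake sysctl executor so it can be exercised without namespaces or root; this is an illustration of the described behaviour, not Neutron's own helper. The `Sysctl` class, its `missing_in` set (simulating a pre-3.19 kernel where the knob does not exist inside a namespace) and the return values are this example's assumptions.

```python
import errno
import logging

LOG = logging.getLogger(__name__)
KNOB = "net.ipv4.ip_nonlocal_bind"


class Sysctl:
    """Fake sysctl runner.  set(namespace, key, value) records the write, or
    raises OSError(ENOENT) when the knob is missing in that namespace (what
    `sysctl -w` reports on kernels that have no per-namespace knob).
    namespace=None stands for the root namespace."""

    def __init__(self, missing_in=()):
        self.missing_in = set(missing_in)
        self.calls = []

    def set(self, namespace, key, value):
        if namespace in self.missing_in:
            raise OSError(errno.ENOENT,
                          "%s missing in %s" % (key, namespace or "root"))
        self.calls.append((namespace, key, value))


def set_ip_nonlocal_bind_for_namespace(sysctl, namespace, value,
                                       root_namespace_fallback):
    """Set ip_nonlocal_bind inside `namespace`; returns where the value
    ended up: 'namespace', 'root', or None when nothing was set.

    If the knob is absent in the namespace (pre-3.19 kernel, knob not
    namespaced):
      - root_namespace_fallback=True (fip namespace, value 1): set it in
        the root namespace, which every namespace inherits on such kernels.
      - root_namespace_fallback=False (snat/HA namespace, value 0): leave
        the root namespace alone, since clearing it there would break the
        fip namespaces that depend on it, and only warn.
    """
    try:
        sysctl.set(namespace, KNOB, value)
        return "namespace"
    except OSError as e:
        if e.errno != errno.ENOENT:
            raise  # a real failure, not a missing knob
    if root_namespace_fallback:
        sysctl.set(None, KNOB, value)
        return "root"
    LOG.warning("%s is missing in %s (kernel too old); leaving it unset "
                "so gratuitous ARPs for stale addresses are not prevented",
                KNOB, namespace)
    return None


if __name__ == "__main__":
    old_kernel = Sysctl(missing_in={"fip-1", "snat-2"})
    print(set_ip_nonlocal_bind_for_namespace(old_kernel, "fip-1", 1, True))
    print(set_ip_nonlocal_bind_for_namespace(old_kernel, "snat-2", 0, False))
    print(old_kernel.calls)
```

The distinction the helper preserves is the one the commit makes: a missing knob is a warning for the snat/HA case but a root-namespace write for the fip case, and any other sysctl failure is still raised rather than silently downgraded.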
Remove deprecation warnings for various constants
and exceptions that have moved to neutron_lib.
Fix miscellaneous other deprecations.
Uses constants instead of l3_constants when importing
neutron-lib constants.
Co-Authored-By: Henry Gessau <gessau@gmail.com>
Co-Authored-By: Gary Kotton <gkotton@vmware.com>
Change-Id: Ib0e8ff5c3e23677c1009241a1818cbc8a3430c38
Router namespace absence may lead to an infinite loop in the l3 agent trying
to delete the router.
This patch adds checks before going into the namespace to prevent RuntimeError
and the following infinite loop.
Closes-Bug: #1606844
Change-Id: Iae95ccb8eeb06d0fd5fc7d71e63408b3f843b371
When we manually move a router from one dvr_snat node to
another dvr_snat node the snat_namespace should be removed in
the originating node by the agent and will be re-created in the
destination node by the destination agent.
But when the agent dies, the router_update message reaches the
agent after the agent restarts. At this time the agent should
remove the snat_namespace since it is no longer hosted by the
current agent.
Even though we do have logic in agent to take care of cleaning
up the snat namespaces if the gw_port_host does not match with the
existing agent host, in this particular use case the self.snat_namespace
is always set to 'None' in the dvr_edge_router init call when agent
restarts.
This patch fixes the above issue by initializing the snat namespace
object during the router_init. Since we do have a valid snat
namespace object and if the gw_port_host mismatches, the agent
should clean up the namespace.
Change-Id: I30524dc77b743429ef70941479c9b6cccb21c23c
Closes-Bug: #1557909
This adjusts the _device_to_port_id function in ML2
to recognize other interfaces that belong to Neutron
under different name prefixes.
Adds unit tests to achieve full coverage of the _device_to_port_id
method.
Closes-Bug: #1443710
Change-Id: I80284ee67e5876cf5689e49e1592ca1351ae5fa1
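The prefix handling this change is about, as an added example that is not the ML2 plugin's code. Interface names are limited to 15 characters, so a Neutron device name carries a short prefix plus only the first characters of the port UUID, and the agent-facing lookup has to strip the prefix and then match the port by id prefix. The prefix list, the constructed port table and the handling of an ambiguous truncated id are this example's assumptions.

```python
import uuid

# Assumed prefixes for this example: tap (compute ports), qvo (OVS side of
# the hybrid-plug veth pair), qr-/qg- (L3 agent internal and gateway ports),
# ha- (keepalived ports).  Neutron keeps its own list.
DEVICE_PREFIXES = ("tap", "qvo", "qr-", "qg-", "ha-")

# Constructed port table: full port id -> device_owner.  The second and
# third ids share their first 8 characters on purpose.
PORTS = {
    "3f2a1c9e-7b1d-4c1e-9a44-0c8b7c6d5e4f": "compute:nova",
    "8d1e0f42-aa32-4d61-b0ef-1e2f3a4b5c6d": "network:router_gateway",
    "8d1e0f42-bb00-4d61-b0ef-1e2f3a4b5c6d": "network:router_interface",
}


def device_to_port_id(device):
    """Strip a known interface prefix; what remains is a (possibly
    truncated) port id.  Unknown prefixes are passed through untouched."""
    for prefix in DEVICE_PREFIXES:
        if device.startswith(prefix):
            return device[len(prefix):]
    return device


def is_uuid_like(value):
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def get_port_from_device(device, ports=PORTS):
    """Resolve a device name to a full port id, or None.

    A full UUID must match exactly.  A truncated id must match exactly one
    port; zero or several matches return None rather than guessing, since
    a wrong match would hand one port's details to another device.
    """
    port_id = device_to_port_id(device)
    if is_uuid_like(port_id):
        return port_id if port_id in ports else None
    matches = [pid for pid in ports if pid.startswith(port_id)]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for dev in ("tap3f2a1c9e-7b", "qg-8d1e0f42-aa", "qr-8d1e0f42-bb",
                "ha-8d1e0f42", "3f2a1c9e-7b1d-4c1e-9a44-0c8b7c6d5e4f"):
        print(dev, "->", get_port_from_device(dev))
```

Matching by id prefix is only as safe as the prefix is long; with 11 hex characters collisions are rare but not impossible, which is why the ambiguous case above returns None instead of the first hit.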
Creating these utilities allows functional tests to mock them out more
easily in order to change the namespace identification and cleanup
behavior.
Change-Id: I76cb2dc43a0ca4a7ea27c2ea71b27068b92154ce
Related-Bug: #1446261
It's mostly a matter of changing imports to a new location.
Non-obvious changes needed:
* pass overwrite= argument to oslo_context since oslo.log reads context
from its thread local store and not local.store from incubator
* don't store context at local.store now that there is no code that
would consume it
* LOG.deprecated() -> versionutils.report_deprecated_feature()
* dropped LOG.audit check from hacking rule since now the method does
not exist
* WritableLogger is now located in oslo_log.loggers
Dropped log module from the tree. Also dropped local module that is now
of no use (and obsolete, as per oslo team).
Added versionutils back to openstack-common.conf since now we use the
module directly from neutron code and not just as a dependency of some
other oslo-incubator module.
Note: tempest tests are expected to be broken now, so instead of fixing
all the oslo.log related issues for the subtree in this patch, I only
added TODOs with directions for later fix.
Closes-Bug: #1425013
Change-Id: I310e059a815377579de6bb2aa204de168e72571e
Creates classes representing the 3 types of namespaces handled by the L3 agent:
router, snat and fip.
The scope of this change is:
- Creation and deletion methods are provided for each namespace class
- Creation and deletion of router and snat namespaces are moved to the router
classes. These namespaces are now members of the corresponding router class
- Invocation of Fip namespace creation and deletion is left in the agent, since
the agent owns it
- A context manager is provided to move the namespaces (router and snat)
cleanup code out of the agent
A follow up patchset will add methods to create and delete interfaces in the
namespaces. These methods are intended to be used by the router classes
Change-Id: I54b14e593ded6b2990d57a3ae9d598a699ae133e
Partially-Implements: bp restructure-l3-agent