38 Commits

Author SHA1 Message Date
Jiaping LI f545c002dc Remove more empty lines in ipv6 ra conf.
If there are many conditional statements or loops, ra conf will have
more empty lines.

Change-Id: I8b3ba4ea88e795795e7f73580c4096dca8a46382
2020-09-30 11:02:02 +08:00
Bence Romsics a1f4ee3ade metadata-ipv6: Router namespace
We push a v6 host route to make the guest send its metadata requests
in the direction of our router. We redirect it to haproxy which
mangles the headers and sends the request along to metadata-agent.

Apparently the supported list of dhcp options for dhcpv6 is quite
short in dnsmasq (cf. dnsmasq --help dhcp6) - not including anything
like classless-static-route for dhcpv4. So we must rely solely on
radvd to push host routes to the guest.

Metadata access over IPv6 is supposed to work both on dual-stack and
v6-only networks.

The following v6 subnet modes are supposed to work:

--ipv6-ra-mode slaac --ipv6-address-mode slaac
--ipv6-ra-mode dhcpv6-stateless --ipv6-address-mode dhcpv6-stateless
--ipv6-ra-mode dhcpv6-stateful --ipv6-address-mode dhcpv6-stateful

Change-Id: I28f2914b1b67659af2db7240eae730ac43daccd2
Partial-Bug: #1460177
2020-08-31 13:02:49 +02:00
Rodolfo Alonso Hernandez ddd5832323 Remove "six" library
Last step to remove "six" library usage in Neutron.

Change-Id: Idd42e0c51c8c3bd598c9cf91602596be238bccae
2020-07-28 16:55:52 +00:00
Rodolfo Alonso Hernandez 6a5a75d5a6 Add radvd_user config option
In some deployments, the "neutron" user does not have the permissions
to modify the kernel interfaces. In those cases the radvd user should
be defined. This patch introduces a new config option: "radvd_user".

This config option is the username passed to radvd, used to drop root
privileges and change user ID to username and group ID to the primary
group of username. If no user is specified (the default is an empty string),
the user executing the L3 agent will be passed. If "root" is specified,
because radvd is spawned as root, no "username" parameter will be
passed.

Change-Id: Ie9a6fbf04d453a3c1c0bddf9ecaa3d4d6467e8ff
Closes-Bug: #1844688
2019-10-14 13:01:30 +00:00
Boden R 9bbe9911c4 remove neutron.common.constants
All of the externally consumed variables from neutron.common.constants
now live in neutron-lib. This patch removes neutron.common.constants
and switches all uses over to lib.

NeutronLibImpact

Depends-On: https://review.openstack.org/#/c/647836/
Change-Id: I3c2f28ecd18996a1cee1ae3af399166defe9da87
2019-04-04 14:10:26 -06:00
Brian Haley eaf990b2bc Fix pep8 E128 warnings in non-test code
Reduces E128 warnings by ~260 to just ~900,
no way we're getting rid of all of them at once (or ever).
Files under neutron/tests still have a ton of E128 warnings.

Change-Id: I9137150ccf129bf443e33428267cd4bc9c323b54
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
2019-03-12 21:22:33 +00:00
aojeagarcia 9f2b40f2ce Dropping radvd process privileges
radvd needs to run as root, but has the capability to drop privileges on
Linux hosts. Currently, the radvd process is not using this feature and
this can be considered a serious risk.

In addition, on some distributions like SUSE, the radvd process runs as a
non-privileged user by default, causing radvd to fail to daemonize
because it can't write the pid in the corresponding neutron folder,
breaking the IPv6 functionality.

This patch allows the radvd process to run with the same user used by
neutron. In order to allow this, it changes the radvd config file
permissions to 444 because radvd doesn't allow this file to be
writeable by self/group. The readonly mode is not a problem when updating
the file because of the way the neutron_lib replace_file function handles
file operations.

Closes-Bug: #1777922

Change-Id: Ic5d976ba71a966a537d1f31888f82997a7ccb0de
Signed-off-by: aojeagarcia <aojeagarcia@suse.com>
2018-06-21 15:35:51 +02:00
Ihar Hrachyshka 2136c95099 Log radvd config contents on reload when debug is on
This may help to understand whether L3 agent correctly configured the
daemon.

Change-Id: I741e5cbf2db19ccf3aab814200e736d41140b4f0
2018-01-05 17:44:26 +00:00
sindhu devale 51ca683797 Refactoring agent linux&ovsdb config
Refactoring neutron agent linux and ovsdb config opts
to be in neutron/conf/agent so that all the config options
reside in a centralized location. This simplifies the
process of looking up the config opts and provides an easy
way to import.

NeutronLibImpact

Change-Id: Ib1e0e63dec2985c417412d1ecc68e2a74ef87182
Partial-Bug: #1563069
2017-08-25 10:41:39 -04:00
Ihar Hrachyshka b09a380f95 Remove advertise_mtu config option
It was deprecated in Newton timeframe. Now we just clean it up from the
tree.

DocImpact: Any advertise_mtu option notions in documentation should be
removed.

UpgradeImpact: After upgrade, all DHCPv4 subnets will see the MTU option
served via corresponding DHCPv4 option. Also, all IPv6 subnets connected
to routers will see MTU set in Router Advertisement messages.

NeutronLibImpact: This patch will break any third-party plugins that directly
access the configuration option.

Change-Id: I31e15018fe764de0fe4d6de7da3c1d9f2cc1d532
2017-01-09 22:17:09 +00:00
Gary Kotton 3d68a51eac neutron-lib: use replace_file from neutron lib
Make use of the file utility replace_file from neutron-lib.
The utility replace_file in neutron is marked as deprecated.

Change-Id: I7e3ed10a22012be9511e43e4dc3bf73076b2954e
2016-11-07 09:18:41 +00:00
Gary Kotton 9f09f27c5d Fix deprecation warnings
Remove deprecation warnings for various constants
and exceptions that have moved to neutron_lib.

Fix miscellaneous other deprecations.

Uses constants instead of l3_constants when importing
neutron-lib constants.

Co-Authored By: Henry Gessau <gessau@gmail.com>
Co-Authored By: Gary Kotton <gkotton@vmware.com>

Change-Id: Ib0e8ff5c3e23677c1009241a1818cbc8a3430c38
2016-08-26 22:16:06 -04:00
sridhargaddam 47713f5870 Support MTU advertisement using IPv6 RAs
RFC4861 allows us to specify the Link MTU using IPv6 RAs.
When advertise_mtu is set in the config, this patch supports
advertising the LinkMTU using Router Advertisements.

Partially Implements: blueprint mtu-selection-and-advertisement
Closes-Bug: #1495444
Change-Id: I50d40cd3b8eabf1899461a80e729d5bd1e727f28
2016-02-10 09:59:33 +00:00
Jenkins f01bdd161f Merge "Increase default IPv6 router advertisement interval" 2016-01-28 12:47:32 +00:00
Jenkins 1d82b25bae Merge "radvd prefix configuration for DHCPV6_Stateful RA" 2016-01-26 14:15:30 +00:00
Brian Haley 92a81c34ec Increase default IPv6 router advertisement interval
The current values of min:3 and max:10 mean radvd is sending
an RA about every 7 seconds, which can be excessive when we
have thousands of routers.  Let's relax it by 10x since most
VMs will send a Router Solicitation at boot, obviating the need
for a small interval.

Related-Bug: #1532338
Change-Id: Ie0a411f67d10ec1469841d70fb643409f77be56f
2016-01-25 17:12:47 -05:00
Jenkins 9b830dde9b Merge "Fix module's import order" 2016-01-23 07:46:22 +00:00
Sean M. Collins d9e4d20da8 Make advertisement intervals for radvd configurable
Currently a global setting that is applied for all managed radvd
processes. Per-process setting could be done in the future.

For large clouds, it may be useful to increase the intervals, to reduce
multicast storms.

Co-Authored-By: Brian Haley <brian.haley@hpe.com>

DocImpact Router advertisement intervals for radvd are now configurable
Related-Bug: #1532338

Change-Id: I6cc313599f0ee12f7d51d073a22321221fca263f
2016-01-22 15:14:35 +00:00
Bhagyashri Shewale 88e899f7a0 Fix module's import order
Made corrections in import order for built-in, third party and
project specific modules as per OpenStack import standards [1].

[1] http://docs.openstack.org/developer/hacking/#import-order-template

Change-Id: I899deefd6ee4732d6c0afd17a5afbe42b0fa37ba
2016-01-22 06:38:42 -08:00
Brian Haley 18ec2e424e Register RA and PD config options in l3-agent
In order for the l3-agent to see the RA and PD config options,
it needs to register them when it starts.  Noticed this when I
went to override something for a test and it wouldn't work.
It now passes the config down to radvd on start so the correct
values are picked-up.

Change-Id: Iec0e0d16eed4f12af77fcd4f0b93b641b1146293
Related-Bug: #1532338
2016-01-12 21:03:54 -05:00
Wenxin Wang 629d86d480 radvd prefix configuration for DHCPV6_Stateful RA
When an IPv6 subnet's ipv6_ra_mode is set to DHCPV6_STATEFUL,
the hosts on that subnet rely on router advertisement for the
prefix length. This is important for subnets where the lengths
of the prefixes are not 64.

Closes-Bug: #1531093
Change-Id: Ied8d390a05ee1a2e544e39e887abf11c8a56abc3
2016-01-05 16:11:09 +08:00
Akihiro Motoki 2d8632e412 Use _ from neutron._i18n
Partial-Bug: #1520094
Change-Id: I874a4aa1d71d1f7034a1ff0b7450b419ef5c6864
2015-12-06 19:39:04 +09:00
Jenkins 7869954dd3 Merge "Support for IPv6 RDNSS Option in Router Advts" 2015-12-02 23:18:41 +00:00
sridhargaddam a3e102934c Support for IPv6 RDNSS Option in Router Advts
RFC6106 standardizes IPv6 Router Advertisements to support
Recursive DNS server information. RDNSS info allows an IPv6
host to configure the DNS information via RA messages without
needing DHCPv6 for the DNS configuration.

This patch configures RADVD daemon to include RDNSS entries in
the Router Advertisements when the IPv6 subnet has dns_nameservers.

Closes-Bug: #1495465
Change-Id: Ia516d40b1c7a83cd7046b2b7f42d1204f44288a9
2015-11-24 15:38:28 +00:00
Bogdan Tabor dad0969a2e Switch to using neutron.common.utils:replace_file()
neutron.agent.linux.utils:replace_file() and
neutron.common.utils:replace_file() have same functionality.

This is the 1st patch in the series of 4 patches.
It modifies neutron.common.utils:replace_file(),
so it can be used by all components as a replacement
for neutron.agent.linux.utils:replace_file().
New keyword parameter 'file_mode=0o644' is added
to neutron.common.utils:replace_file().

Partial-bug: #1504477
Change-Id: Id1a7f1236786e8606c91bb9925cd9ac8e95892b3
2015-11-16 08:44:04 +01:00
Henry Gessau a5e5433877 Run radvd as root
During the refactoring of external process management radvd lost
its root privileges.

Closes-bug: 1448813

Change-Id: I84883fe81684afafac9b024282a03f447c8f825a
2015-04-27 11:03:15 -04:00
Andrew Boik 54c05b500a Support multiple IPv6 prefixes on internal router ports
(Patch set #3 for the multiple-ipv6-prefixes blueprint)

Provides support for adding multiple IPv6 subnets to an internal router
port. The limitation of one IPv4 subnet per internal router port
remains, though a port may contain one IPv4 subnet with any number of
IPv6 subnets.

This changes the behavior of both the router-interface-add and
router-interface-delete APIs. When router-interface-add is called with
an IPv6 subnet, the subnet will be added to an existing internal port
on the router with the same network ID if the existing port already has
one or more IPv6 subnets. Otherwise, a new port will be created on the
router for that subnet. When calling the router-interface-add with a
port (one that has already been created using the port-create command),
that port will be added to the router if it meets the following
conditions:

        1. The port has no more than one IPv4 subnet.
        2. If the port has any IPv6 subnets, it must not have the same
           network ID as an existing port on the router if the existing
           port has any IPv6 subnets.

If the router-interface-delete command is called with a subnet, that
subnet will be removed from the router port to which it belongs. If the
subnet is the last subnet on a port, the port itself will be deleted
from the router. If the router-interface-delete command is called with
a port, that port will be deleted from the router.

This change also allows the RADVD configuration to support advertising
multiple prefixes on a single router interface.

DocImpact

Change-Id: I7d4e8194815e626f1cfa267f77a3f2475fdfa3d1
Closes-Bug: #1439824
Partially-implements: blueprint multiple-ipv6-prefixes
2015-04-03 03:19:51 +00:00
Dane LeBlanc 420c21f6c7 Support Dual-Stack Gateway Ports on Neutron Routers
(Patch set #2 for multiple-ipv6-prefixes blueprint)

This patchset adds support for dual-stack gateway ports on Neutron
routers. Some background on the changes included in this patchset:

- The L3 driver's init_l3() method has been changed to accept a list
  of gateway IPs, rather than a single gateway IP.
- The Neutron port dictionary's singular 'subnet' entry has been
  replaced with a 'subnets' list, since ports can now be associated
  with multiple subnets.
- The Neutron port dictionary no longer has a (singular) 'ip_cidr'
  entry, since a port can now be associated with multiple IP CIDRs
  (e.g. up to one IP CIDR per IP family on gateway ports).
  Instead, a 'prefixlen' entry has been added to the Neutron
  fixed_ips dictionary, so that the port's (multiple) IP CIDRs can
  be derived from the matching 'ip_address' and 'prefixlen' pairs
  in the port's fixed_ips.

Change-Id: I150da5938e79eeef0c947ddb1a4282e37d0515ee
Partially-implements: blueprint multiple-ipv6-prefixes
2015-03-27 23:37:58 -04:00
Ihar Hrachyshka 22328baf1f Migrate to oslo.log
It's mostly a matter of changing imports to a new location.

Non-obvious changes needed:
* pass overwrite= argument to oslo_context since oslo.log reads context
  from its thread local store and not local.store from incubator
* don't store context at local.store now that there is no code that
  would consume it
* LOG.deprecated() -> versionutils.report_deprecated_feature()
* dropped LOG.audit check from hacking rule since now the method does
  not exist
* WritableLogger is now located in oslo_log.loggers

Dropped log module from the tree. Also dropped local module that is now
of no use (and obsolete, as per oslo team).

Added versionutils back to openstack-common.conf since now we use the
module directly from neutron code and not just as a dependency of some
other oslo-incubator module.

Note: tempest tests are expected to be broken now, so instead of fixing
all the oslo.log related issues for the subtree in this patch, I only
added TODOs with directions for later fix.

Closes-Bug: #1425013
Change-Id: I310e059a815377579de6bb2aa204de168e72571e
2015-03-12 11:22:56 +01:00
Miguel Angel Ajo 8540cfea3e Refactor the ProcessMonitor API
Refactor the ProcessMonitor API to reduce coupling to
ProcessManager, and stop replicating the whole API and
behavior of ProcessManager.

We introduced an abstract MonitoredProcess class to reduce
coupling, and allow other kinds of external processes
to be monitored too.

Partially Implements: blueprint agent-child-processes-status
Co-Authored-By: Mike Kolesnik <mkolesni@redhat.com>

Change-Id: I0da6071037f9728cc20403324e36c32116bcf00d
2015-03-06 11:09:21 +00:00
Henry Gessau d03e80a390 Refactor radvd control in the l3-agent
Several of the parameters used by radvd are known when a router is created
and do not need to be passed around every time an RA method is
called. Also, we want to easily check the state of radvd for a router.

Use an object to keep track of the data and state of an radvd process.

Related-blueprint: restructure-l3-agent

Change-Id: I6bcad9d84af5a5b148df7520f582392a8b56a2ec
2015-02-09 22:20:35 -05:00
Ihar Hrachyshka 7a2a85623d oslo: migrate to namespace-less import paths
Oslo project decided to move away from using oslo.* namespace for all their
libraries [1], so we should migrate to new import path.

This patch applies new paths for:
- oslo.config
- oslo.db
- oslo.i18n
- oslo.messaging
- oslo.middleware
- oslo.rootwrap
- oslo.serialization
- oslo.utils

Added hacking check to enforce new import paths for all oslo libraries.

Updated setup.cfg entry points.

We'll cleanup old imports from oslo-incubator modules on demand or
if/when oslo officially deprecates old namespace in one of the next
cycles.

[1]: https://blueprints.launchpad.net/oslo-incubator/+spec/drop-namespace-packages

Depends-On: https://review.openstack.org/#/c/147248/
Depends-On: https://review.openstack.org/#/c/152292/
Depends-On: https://review.openstack.org/#/c/147240/

Closes-Bug: #1409733
Change-Id: If0dce29a0980206ace9866112be529436194d47e
2015-02-05 15:09:32 +01:00
Jenkins e18f0cb003 Merge "Configures RADVD to send managed flag in RA for DHCP_STATEFUL" 2015-02-04 00:23:51 +00:00
singhannie 1f337c761b Configures RADVD to send managed flag in RA
for DHCP_STATEFUL

RADVD process is configured so that it sends
managed flag in RA for the subnets with
ra_mode set to DHCP_STATEFUL. UT case is
updated to check the presence of managed
flag in config file of RADVD for
DHCP_STATEFUL.

Change-Id: If685846c0c0f67bf4c40f4f268b9d03bfa2b1654
Closes-Bug: #1377843
2015-02-02 23:02:17 -08:00
Miguel Angel Ajo dcd95ee343 Implements the ProcessMonitor in the l3_agent
The ProcessMonitor class will watch over spawned external processes,
taking the administrator configured action in the case of any
of the external processes dying unexpectedly.

It covers both the neutron-ns-metadata-proxy for non-ha routers
and the IPv6 radvd external processes. Keepalived +
neutron-ns-metadata-proxy needs to be covered in a second follow up
patch when neutron-ns-metadata-proxy is handled by the l3-agent
(instead of keepalived) in the ha-routers.

Implements: blueprint agent-child-processes-status

Change-Id: Id6cc4786d837b96c61429d51485bc86ae37872cb
2015-01-29 20:43:12 +00:00
Ihar Hrachyshka 4f3a9135ac ipv6: set OtherConfig flag for DHCPv6 stateless subnets
In case of DHCPv6 stateless subnets, we should inform DHCP clients about
other configuration values available from DHCP server. This is done by
setting O (other) flag in RAs, which is controlled by AdvOtherConfigFlag
setting in radvd case.

Since radvd configuration file becomes quite complex, migrated its
generation to Jinja2.

Added a basic unit test that checks that flag is set for stateless mode
and not SLAAC. For stateful, it doesn't really matter whether other flag
is set, so no need to expect any value of it.

No more unit tests seem to be needed: conditional prefix generation is
already covered in test_l3_agent, and other statements are common for
all ipv6_ra_modes.

Change-Id: I1ddad3e1f5efce2b6da4ec00b9294e08fe1e85dd
Closes-Bug: #1397022
2014-12-22 11:37:38 +01:00
Ihar Hrachyshka 72d4117476 radvd: pass -m syslog to avoid thread lock for radvd 2.0+
Since radvd 2.0, the daemon does not use daemon_fork() function from
libdaemon, but instead calls Linux daemon() function directly. It also
passes (1, 1) arguments when logging method (-m) is either stderr (the
default) or stderr_syslog. The second argument's value = 1 means that
stderr is not closed and left there for (some) log messages.

For neutron, it means that corresponding execute() call that spawns
radvd and expects the invoked process to close stderr does not ever get
completed. The current thread that spawned radvd is locked waiting for
radvd to exit, which does not ever occur unless the process crashes or
receives a signal.

Since L3 agent gives exclusive access to updates queue for each router
to one of processing threads only, it means that the thread that got to
serve a radvd-powered subnet will not proceed and not update any new
ports or other changes to the router anymore.

Passing -m syslog makes radvd 2.0+ close stderr and return to execute()
caller, proceeding with router update processing. The same arguments
should work for old (pre 2.0) versions of radvd too, so passing them
unconditionally.

We could instead use -m logfile and pass appropriate -l <logfile>
argument to radvd to make it log to a log file located in router's
namespace storage path. Though that would not be in line with what
dnsmasq processes currently do for dhcp agent, where we log all messages
to syslog, so sticking to syslog for radvd for consistency.

Change-Id: I131db0639bc46d332ed48faa2bbe68a214264062
Closes-Bug: #1398779
2014-12-04 13:35:56 +01:00
Robert Li 7f8ae630b8 Support Router Advertisement Daemon (radvd) for IPv6
Launch radvd from inside l3 agent when any router port has an IPv6 address. If
slaac is used for IPv6 addresses, advertise the prefix associated with the port;
otherwise, advertise default route only.

Change-Id: Ib8b0b3e71f7af9afa769c41357c66f88f4326807
Implements: blueprint neutron-ipv6-radvd-ra
Co-Authored-By: Henry Gessau <gessau@cisco.com>
2014-07-20 22:32:19 -04:00