This patch removes the compatibility with OVN under v20.09. That
implies the OVN Southbound definition has a "Chassis_Private" table.
Any previous check is removed from the code.
This patch also adds a sanity check, testing that the OVN Southbound
database definition is greater than or equal to 2.9.0 [1].
The testing OVN NB and SB schemas are updated to the files contained in
OVN v22.09. The new testing NB schema version is 6.3.9; the new testing
SB schema version is 20.25.0.
[1] 4adc10f581
Closes-Bug: #2002839
Change-Id: Iec8854749a1df81eb6a7154d3f951e176c69156d
Most code uses convert_version_to_tuple() from
oslo_utils.versionutils to determine minimum version
numbers, but there were two places that used the
packaging.version class instead. Change to always
use the same code throughout the tree.
Also added a flake8 enforcement check for it so we
don't regress.
TrivialFix
Change-Id: Ida4dcd504562646f0a450160e57680a44c387b1d
dnsmasq 2.86 has a known issue where it segfaults
with configuration refresh. 2.87 has the fix included.
This patch adds a sanity check to warn users if running
a buggy version.
Related-Bug: #2026757
Change-Id: Id4f26c8a9aa6c18b9471349131a5a2b63d375772
This reverts commit be4e150de9.
Reason for revert: some CI gates (devstack for example) are still
using some OSes (Ubuntu Focal) that provide an older OVN version. On
these jobs we are not manually compiling OVN.
Change-Id: Ia716f73dffa94c9fecbcc1a7dd0f10cb62639671
This patch removes the compatibility with OVN under v20.09. That
implies the OVN Southbound definition has a "Chassis_Private" table.
Any previous check is removed from the code.
This patch also adds a sanity check, testing that the OVN Southbound
database definition is greater than or equal to 2.9.0 [1].
The testing OVN NB and SB schemas are updated to the files contained in
OVN v22.09. The new testing NB schema version is 6.3.9; the new testing
SB schema version is 20.25.0.
[1] 4adc10f581
Closes-Bug: #2002839
Change-Id: If64c967b89099946165bfaf66247def4881af832
The output of this method should be compared to a 3 element
tuple.
This patch changes the minimum versions of the supported
features to have 3 elements too. These are the version changes
and their justifications:
* OVN_NB_DB_SCHEMA_GATEWAY_CHASSIS = '5.7.0'
Version reported in LP#2008077
* OVN_NB_DB_SCHEMA_PORT_GROUP = '5.11.0'
Version reported in LP#1946023
* OVN_NB_DB_SCHEMA_STATELESS_NAT = '5.17.0'
Version reported in LP#1949494
* OVN_SB_DB_SCHEMA_VIRTUAL_PORT = '2.5.0'
Version reported in LP#1949496
* OVN_LOCALNET_LEARN_FDB = '22.09.0'
Version reported in LP#1946023. In fact, the version
supporting this feature is older.
Closes-Bug: #2017878
Change-Id: Idc19b30e2453b4d68473b488dba226dc48be9efe
In OVN 22.09, the option "localnet_learn_fdb" was added so that
localnet ports can learn MAC addresses and store them in the FDB
table. This avoids flooding issues for VMs on provider networks
when port security is disabled.
Closes-Bug: #2012069
Change-Id: I93574b4fe9a79b649bfe755cf7e0697ccc7eb83a
While creating bridges, pass the optional argument 'datapath_type'.
This parameter is read from openvswitch.ini conf file.
Closes-Bug: #1842517
Change-Id: I05f0484636e4da6290c750a1eabd5f9d09588008
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
some of them, about 10%.
Feel free to reject if we think it will cause too much
trouble with cherry-picks, else I'll slowly work my way
through the rest of the tree.
Trivialfix
Change-Id: I3d484d11e273cb8ee617f9445a069887e7b2b89f
Library "distutils" will be marked as deprecated in Python 3.10:
https://peps.python.org/pep-0386/
This patch does the following replacements, that provide the same
functionality and API:
- distutils.version.StrictVersion -> packaging.version.Version
- distutils.spawn.find_executable -> shutil.which
Closes-Bug: #1973780
Change-Id: Iad96ad3e7055f71c629efbe80070adbe297cd7aa
Added a check for OVN SB schema, looking for "virtual_parent" in
"Port_Binding" table (added in OVN SB schema 2.5).
This patch removes the code to support OVN without virtual ports.
It is assumed that the "virtual_parent" field is present in the "Port_Binding"
table.
Closes-Bug: #1949496
Change-Id: I3d01f58dca570537b5e754b331ca4809a7161ae2
Added a check for OVN NB schema, looking for "options" field in "NAT"
table (added in OVN NB schema 5.17).
This patch removes the code to support OVN without stateless NAT rules.
It is assumed that the "options" field in the "NAT" table is always present.
Closes-Bug: #1949494
Change-Id: Ib3b6dd68009ab635627168b11626d7e7c548ee2f
"IPWrapper.add_vxlan" method must have "dev" parameter as a positional
argument. A VXLAN interface must always be created on top of an existing
network device:
https://www.kernel.org/doc/Documentation/networking/vxlan.txt
Closes-Bug: #1954316
Change-Id: Ia082f8531ffcc1599206124774599dcdb500274a
Added a check for OVN NB schema, looking for "Port_Group" table
(added in OVN NB schema 5.11).
This patch removes the code to support OVN without "Port_Group"
table. It is assumed that this table is always present.
Closes-Bug: #1946023
Change-Id: If193ff5bc6e1421f4fa9db3779872a82a36c8b69
Some NICs do not support ip-link vf "min_tx_rate" parameter. This is
not an API issue (ip-link or Pyroute2); the parameter is already
supported. The error is returned by the specific NIC driver.
A sanity check is implemented, reading the SR-IOV configured devices
("physical_device_mappings") and the excluded VFs ("exclude_devices").
Change-Id: If70de0a7112777ac4011ad42af0ac98969765011
Closes-Bug: #1918464
Sanity check functions which are checking if vxlan and geneve tunnels
are available in openvswitch are now passing all mandatory parameters
to the ovs_lib.OVSBridge.add_tunnel_port method.
Previously port_name was missing.
Closes-Bug: #1905568
Change-Id: Iae86705f1d30c89dc5482261d852b45787bd8782
Patch [1] added option "no_track" to the keepalived's config file which
is generated by L3 agent in HA mode.
This was added to properly handle keepalived 2.x and interfaces which
are in DOWN state in the backup nodes.
But this "no_track" option is not compatible with keepalived 1.x series
which is available e.g. on Ubuntu 18.04.
As there is no easy way to check automatically whether or not keepalived
supports this config flag, this patch introduces a new config option
"keepalived_use_no_track".
If this config option is set to False, neutron L3 agent will not
add "no_track" to the keepalived's config.
As master branch is moving to gate on Ubuntu 20.04 where keepalived 2.x
is already available, this new config option default value is set to
True.
[1] https://review.opendev.org/#/c/721799/
Change-Id: I2dfdb9f56de28d56ca0f240ff34fa7c3a12e339b
Closes-Bug: #1890400
As spotted in Focal testing patch [0], pep8 test fails with many
C0321 false-positives, reported in pylint as current version does not
support python 3.8 [1]
Use a newer version of pylint and astroid, fixing or disabling some of
the new checks: no-else-*, unnecessary-comprehension, import-outside-toplevel
[0] https://review.opendev.org/#/c/738163/
[1] https://github.com/PyCQA/pylint/issues/2737
Change-Id: Ie646b7093aa8634fd950c136a0eba9adcf56591c
Recent changes in some versions of iproute2 CLI output (v4.18)
have invalidated the regular expression used to parse the
"ip link" output.
To solve this problem and avoid future ones, pyroute2 is used to
retrieve the virtual functions information and set the VF attributes
(spoofcheck, min_tx_rate, max_tx_rate and link_state).
pyroute2 extended the "ip link" support to retrieve this information,
adding "ext_mask=1" in the get command. If no virtual functions are
present in this particular network interface, the added method,
"get_link_vfs", will return an empty list.
The set commands can return an "InterfaceOperationNotSupported" in
case the operation is not supported. For min_tx_rate, if the driver
does not support setting a minimum bandwidth, an "InvalidArgument"
(from a pyroute2.NetlinkError(22)) exception will be raised.
Change-Id: I680da4f64bd114f1caecaaeedbf8a4b1915a0849
Closes-Bug: #1878042
Adds a new bool option dnsmasq_enable_addr6_list; when
enabled, configuration for dnsmasq will be created with a
single dhcp-host entry specifying a list of ip addresses
allocated for a port.
Previously the dnsmasq dhcp-agent driver would write a
separate dhcp-host entry for each fixed-ip of a port in
the dnsmasq hosts file. The result of the previous
behaviour is that dnsmasq will only use one of the config
entries, i.e. the first one matching the mac identifier.
The trade-off is that only a single dns_assignment will
be used for IPv6 addresses within the same subnet. (But
in practice, this was always the case since only the
first config entry would be used by dnsmasq.)
Why is this necessary:
This is done to enable ironic provisioning over IPv6
using DHCPv6-stateful. For background info, please
read dnsmasq-discuss thread:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2020q1/thread.html#13671
Closes-Bug: #1861032
Change-Id: I833840e7daed2efa7efaece27cfd1ba28e0feb90
When openvswitch firewall driver is used, it is required to load
nf_conntrack_proto_gre kernel module to make GRE tunnels from VM to VM
work properly.
This patch adds such info in ovs firewall documentation as it should be
the deployer's decision to load or not load this module.
This patch also adds sanity check which checks if nf_conntrack_proto_gre
module is loaded or not, and can warn the user when this module is not
loaded.
It also adds loading of this kernel module in neutron devstack plugin.
Change-Id: Ic97ca00c804f0a540ee0dc53d9e4e07bf8410869
Closes-Bug: #1828053
All of the externally consumed variables from neutron.common.constants
now live in neutron-lib. This patch removes neutron.common.constants
and switches all uses over to lib.
NeutronLibImpact
Depends-On: https://review.openstack.org/#/c/647836/
Change-Id: I3c2f28ecd18996a1cee1ae3af399166defe9da87
Reduces E128 warnings by ~260 to just ~900,
no way we're getting rid of all of them at once (or ever).
Files under neutron/tests still have a ton of E128 warnings.
Change-Id: I9137150ccf129bf443e33428267cd4bc9c323b54
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Currently any dhcp agent instance will work as an open resolver. For
deployments using publicly routed addresses for tenant networks, this
allows the agent to be abused in DDoS attacks, see [1].
By setting the `--local-service` option dnsmasq will filter DNS queries
and reply only to queries from directly attached networks.
[1] https://bugs.launchpad.net/neutron/+bug/1501206
Closes-Bug: 1501206
Change-Id: I76d810aad2ce0f15a88bd798963012fa0efca74e
neutron-lib contains a number of the plugin related constants from
neutron.plugins.common.constants. This patch consumes those constants
from neutron-lib and removes them from neutron. In addition the notion
of the dummy plugin service type is moved strictly into the test
package of neutron since it's not a real service plugin.
NeutronLibImpact
Change-Id: I767c626f3fe6159ab3abd6a7ae3cb9893b79bf66
Change network namespace add/delete/list code to use
pyroute2 library instead of calling /sbin/ip.
Also changed all in-tree callers to use the new calls.
Closes-bug: #1717582
Related-bug: #1492714
Change-Id: Id802e77543177fbb95ff15c2c7361172e8824633
In commit [1] (some explanation in [2]) VRRP initialisation is enhanced
to read source IP address (to use when sending VRRP packets) from the
HA interface or from keepalived config ("unicast_src_ip" parameter).
If it is unable to find IP address, VRRP initialisation will fail with
error "Cannot find an IP address to use for interface".
In the test, we set vrrp->family to AF_INET by setting vip to
169.254.0.1/24 through config, but not providing source IPv4 address (i.e.
no 'unicast_src_ip' option or no IP on HA interface), making the test
fail with [1]. To fix that, we set the IP address on HA interface.
Note: Commit [1] is added in Keepalived version 1.2.20.
Tested the fix on both Keepalived v1.2.19 and Keepalived v1.2.20.
[1] https://github.com/acassen/keepalived/commit/37488e57
[2] https://github.com/acassen/keepalived/issues/445
Closes-bug: #1712388
Change-Id: I260c0e6810ed54c93f93621afa6ab13855ef2428
Since Pike, log messages should not be translated.
This patch removes calls to i18n _LC, _LI, _LE, _LW from
logging logic throughout the code. Translators definition
from neutron._i18n is removed as well.
This patch also removes log translation verification from
ignore directive in tox.ini.
Change-Id: If9aa76fcf121c0e61a7c08088006c5873faee56e
n8g-sfc currently has its own variant of OVSBridge to allow the use
of priority in a delete_flows call
This change is meant to make this available outside n8g-sfc and
simplify n8g-sfc code.
This change adds a 'strict' boolean parameter to mod_flow and delete_flows
that results in ovs-ofctl being run with --strict for del-flows and
mod-flows actions. When strict is set, the use of priority is allowed
and hence not rejected anymore.
Note that for batched actions in a deferred bridge, we disallow mixing
calls with strict and without strict, which can't be translated in one CLI
call.
Needed-By: I3bf939590dd43bff685f133bff86eb7e9068de91
Change-Id: I289d546780f10dc1002ab6bc2e1b38c9ef2d728f
Recent mailing-list issue showed we never sanity check
for the conntrack command being installed.
Trivialfix
Change-Id: If7fd8541cdefa3123cc2031683c8139b16576cab
Since one of the main reasons for the sanity check system was to
avoid doing runtime checks, importing a sanity check to do a
runtime check encourages bad behavior. This moves the check to a
new runtime_checks.py file that includes a note encouraging people
to use sanity checks wherever possible.
Change-Id: I06bffe00bb796b4727dca7867a15302582ffcc10
There was an existing attempt to disable process monitoring, but
since the AGENT.check_child_processes_interval defaults to 60 and
is checked in ProcessMonitor.__init__, overriding the config value
after instantiating the ProcessMonitor only has the effect of
making the check happen continually as quickly as possible instead
of not at all. Instead, we instantiate the process monitor after
changing the config value.
Change-Id: Ic4907b6a227c6fa8288c9d3e2106da0b53323509
Closes-Bug: #1665061
This change modifies the behavior of OVS native and ovs-ofctl bridge
implementations so that instead of configuring the bridge only for the
required OVS protocol version, they add the required version to the
already configured versions.
To achieve this, an add_protocols method is added to the OVSBridge
class, relying on the OVSDB add_db_attribute added in
Ib6ce75846f9b13c1c33f0ced5ccc619ee7860dc1, with the behavior of
making the provided set of versions supported in addition to already
configured ones.
It is aimed to be a cleaner solution to bug 1622644 than the quickfix merge
from I4475865c4f83cb9f3e12c709af752bc490692ca3.
After this change, the set_protocols method appears useless and is
hence marked for future removal.
Depends-On: I4386aa293f9b18d2e17b4a80d9c7da4b9b46f3c9
Change-Id: Id5ac7e6431c97fc70d8404b16f89533b6f270eee
Related-Bug: 1622644
For new kernels (3.18+), the bridge module is split into two pieces: bridge
and br_netfilter. The latter provides firewall support for bridged
traffic, as well as the following sysctl knobs:
* net.bridge.bridge-nf-call-arptables
* net.bridge.bridge-nf-call-ip6tables
* net.bridge.bridge-nf-call-iptables
Before kernel 3.18, any brctl command was loading the 'bridge' module
with the knobs, so at the moment where we reached iptables setup, they
were always available.
With new 3.18+ kernels, brctl still loads the 'bridge' module, but not
br_netfilter. So bridge existence no longer guarantees us the knobs'
presence. If we reach _enable_netfilter_for_bridges before the new
module is loaded, then the code will fail, triggering agent resync. It
will also fail to enable bridge firewalling on systems where it's
disabled by default (examples of those systems are most if not all Red
Hat/Fedora based systems), making security groups completely
ineffective.
Systems that don't override default settings for those knobs would work
fine except for this exception in the log file and agent resync. This is
because the first attempt to add an iptables rule using the 'physdev' module
(-m physdev) will trigger the kernel module loading. In theory, we could
silently swallow missing knobs, and still operate correctly. But on
second thought, it's quite fragile to rely on that implicit module
loading. In the case where we can't detect whether firewall is enabled,
it's better to fail than hope for the best.
An alternative to the proposed path could be trying
to fix broken deployment, meaning we would need to load the missing
kernel module on agent startup. It's not even clear whether we can
assume the operation would be available to us. Even with that, adding a
rootwrap filter to allow loading code in the kernel sounds quite scary.
If we would follow the path, we would also hit an issue of
distinguishing between cases of built-in kernel module vs. modular one.
A complexity that is probably beyond what Neutron should fix.
The patch introduces a sanity check that would fail on missing
configuration knobs.
DocImpact: document the new deployment requirement in operations guide
UpgradeImpact: deployers relying on agents fixing wrong sysctl defaults
will need to make sure bridge firewalling is enabled.
Also, the kernel module providing sysctl knobs must be
loaded before starting the agent, otherwise it will fail
to start.
Depends-On: Id6bfd9595f0772a63d1096ef83ebbb6cd630fafd
Change-Id: I9137ea017624ac92a05f73863b77f9ee4681bbe7
Related-Bug: #1622914
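The following is an added example, not neutron's own sanity check, of the knob test the commit above describes: a missing knob means br_netfilter is not loaded (fatal), while a knob reading 0 means bridged traffic bypasses iptables and security groups are ineffective. `check_bridge_firewalling`, `fake_sysctl_tree` and the `sysctl_root` parameter are names chosen here; the parameter exists so the check can run against a constructed directory instead of the real /proc/sys.

```python
"""Added example: sanity check for the br_netfilter sysctl knobs."""
import os
import tempfile

# The three knobs provided by br_netfilter, as listed in the commit.
BRIDGE_NF_KNOBS = (
    'net.bridge.bridge-nf-call-arptables',
    'net.bridge.bridge-nf-call-ip6tables',
    'net.bridge.bridge-nf-call-iptables',
)


def _knob_path(sysctl_root, knob):
    # sysctl 'net.bridge.x' maps onto <sysctl_root>/net/bridge/x
    return os.path.join(sysctl_root, *knob.split('.'))


def check_bridge_firewalling(sysctl_root='/proc/sys'):
    """Return (ok, problems) for the bridge-nf knobs under sysctl_root.

    A knob that does not exist means the module providing it is not
    loaded; a knob that is not '1' means bridge firewalling is disabled.
    Both are reported so the deployer can fix the host before the agent
    starts, rather than the agent silently running without filtering."""
    problems = []
    for knob in BRIDGE_NF_KNOBS:
        path = _knob_path(sysctl_root, knob)
        if not os.path.exists(path):
            problems.append('%s is missing: br_netfilter not loaded' % knob)
            continue
        with open(path) as f:
            value = f.read().strip()
        if value != '1':
            problems.append('%s=%s: bridge firewalling disabled'
                            % (knob, value))
    return (not problems, problems)


def fake_sysctl_tree(values):
    """Build a constructed /proc/sys look-alike in a temp dir.

    `values` maps knob name -> file contents; knobs absent from the map
    are not created, which simulates br_netfilter not being loaded."""
    root = tempfile.mkdtemp()
    for knob, value in values.items():
        path = _knob_path(root, knob)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as f:
            f.write(value + '\n')
    return root


if __name__ == '__main__':
    ok, problems = check_bridge_firewalling()
    print('bridge firewalling OK' if ok else '\n'.join(problems))
```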
neutron-sanity-check tool was importing neutron.tests.base module, which
may not be present on some systems (e.g. RDO splits the neutron/tests/
subtree into a separate python-neutron-tests package). It made the tool
unusable in some setups.
https://bugzilla.redhat.com/show_bug.cgi?id=1374282
This is not the first time that we have by mistake imported from
neutron.tests.* and broken distributions. It's time to stop it by
proactively forbidding that pattern via a new hacking check.
Some functions were moved from neutron.tests.base to
neutron.common.utils to fulfill the need requirement. They were moved
using debtcollector, so no current consumers should be affected.
Closes-Bug: #1621782
Change-Id: I790777ddcbd1b02218b3db54ae3d5c931d72d4fa