This patch removes the compatibility with OVN under v20.09. That
implies the OVN Southbound definition has "Chassis_Private" table.
Any previous check is removed from the code.
This patch also adds a sanity check, testing that the OVN Southbound
database definition is greater or equal to 2.9.0 [1].
The testing OVN NB and SB schemas are updated to the files contained in
OVN v22.09. The new testing NB schema version is 6.3.9; the new testing
SB schema version is 20.25.0.
[1]4adc10f581
Closes-Bug: #2002839
Change-Id: Iec8854749a1df81eb6a7154d3f951e176c69156d
Each network type name is defined as a constant in neutron-lib. This
replaces the remaining string by the common constants.
This change ignores tests code because updating all test code brings
little gain while it touches huge number of lines.
Change-Id: I26ee715209d7d3f12c39c9e05d4fb9953b9b9537
This reverts commit be4e150de9.
Reason for revert: some CI gates (devstack for example) are still
using some OS (Ubuntu Focal) that provide older OVN version. On
these jobs we are not manually compiling OVN.
Change-Id: Ia716f73dffa94c9fecbcc1a7dd0f10cb62639671
This patch removes the compatibility with OVN under v20.09. That
implies the OVN Southbound definition has "Chassis_Private" table.
Any previous check is removed from the code.
This patch also adds a sanity check, testing that the OVN Southbound
database definition is greater or equal to 2.9.0 [1].
The testing OVN NB and SB schemas are updated to the files contained in
OVN v22.09. The new testing NB schema version is 6.3.9; the new testing
SB schema version is 20.25.0.
[1]4adc10f581
Closes-Bug: #2002839
Change-Id: If64c967b89099946165bfaf66247def4881af832
In OVN 22.09, the option "localnet_learn_fdb" was added so that
localnet ports can learn MAC addresses and store them in the FDB
table. This avoids flooding issues for VMs on provider networks
when port security is disabled
Closes-Bug: #2012069
Change-Id: I93574b4fe9a79b649bfe755cf7e0697ccc7eb83a
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
some of them, about 10%.
Feel free to reject if we think it will cause too much
trouble with cherry-picks, else I'll slowly work my way
through the rest of the tree.
Trivialfix
Change-Id: I3d484d11e273cb8ee617f9445a069887e7b2b89f
Importing some modules lead to registering config options that may
collide with config options from a project that calls the import. This
patch wraps the side effect that registers config options into a
function that needs to be called in case the caller wants to register
the options.
This solution is also not perfect as it guards the common options to be
registered only once even if the function is called multiple times. This
is to solve problems in unittests, ideally we should always call the
function just once even in our testing suites.
Resolves-Bug: #1968606
Change-Id: Ic1532eb8de887ff1b1085206df11f53e22f7f524
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
Added a check for OVN SB schema, looking for "virtual_parent" in
"Port_Binding" table (added in OVN SB schema 2.5).
This patch removes the code to support OVN without virtual ports.
It is assumed that "virtual_parent" field is present in "Port_Binding"
table.
Closes-Bug: #1949496
Change-Id: I3d01f58dca570537b5e754b331ca4809a7161ae2
Added a check for OVN NB schema, looking for "options" field in "NAT"
table (added in OVN NB schema 5.17).
This patch removes the code to support OVN without stateless NAT rules.
It is assumed that "options" field in "NAT" table is always present.
Closes-Bug: #1949494
Change-Id: Ib3b6dd68009ab635627168b11626d7e7c548ee2f
Added a check for OVN NB schema, looking for "Port_Group" table
(added in OVN NB schema 5.11).
This patch removes the code to support OVN without "Port_Group"
table. It is assumed that this table is always present.
Closes-Bug: #1946023
Change-Id: If193ff5bc6e1421f4fa9db3779872a82a36c8b69
Added common config and SR-IOV agent config parameters to the sanity
check script, to add the following missing configuration parameters:
- default.notify_nova_on_port_status_changes
- default.notify_nova_on_port_data_changes
- sriov_nic.physical_device_mappings
Change-Id: I2a5e1fe3dbc6f2f342feaec92f4c122cfccce6d1
Closes-Bug: #1926170
Since the migration to privsep, some Neutron commands execute methods
under a privsep context. The privsep library must be initialized first.
Change-Id: Icd69bca23d781bace580b3937bc8bd25b586e852
Closes-Bug: #1923870
Some NICs do not support ip-link vf "min_tx_rate" parameter. This is
not an API issue (ip-link or Pyroute2); the parameter is already
supported. The error is returned by the specific NIC driver.
A sanity check is implemented, reading the SR-IOV configured devices
("physical_device_mappings") and the excluded VFs ("exclude_devices").
Change-Id: If70de0a7112777ac4011ad42af0ac98969765011
Closes-Bug: #1918464
Using veth to interconnect openvswitch bridges was deprecated
in Victoria cycle. Now it's time to remove it from the code.
In neutron-ovs-agent code, there is still kept piece of code which
migrates from the veth to the patch ports for bridges interconnection.
We will be able to remove that piece of code in X release.
Change-Id: I94545c3c3d9be46ac2062691f69663e5e59cd648
Closes-Bug: #1587296
Since [1], the SR-IOV commands are executed using Pyroute2. The
support to execute those commands is guaranteed by the requested
minimum version of this library.
[1]https://review.opendev.org/#/c/727811/
Change-Id: I53372524c9cdc75c4b24e1f3c973f8f87a73a8f9
Closes-Bug: #1888920
Recent changes in some versions of iproute2 CLI output (v4.18),
have invalidated the regular expression used to parse the
"ip link" output.
To solve this problem and avoid future ones, pyroute2 is used to
retrieve the virtual functions information and set the VF attributes
(spoofcheck, min_tx_rate, max_tx_rate and link_state).
pyroute2 extended the "ip link" support to retrieve this information,
adding "ext_mask=1" in the get command. If no virtual functions are
present in this particular network interface, the added method,
"get_link_vfs", will return an empty list.
The set commands can return a "InterfaceOperationNotSupported" in
case the operation is not supported. For min_tx_rate, if the driver
does not support to set a minimum bandwidth, an "InvalidArgument"
(from a pyroute2.NetlinkError(22)) exception will be raised.
Change-Id: I680da4f64bd114f1caecaaeedbf8a4b1915a0849
Closes-Bug: #1878042
When openvswitch firewall driver is used, it is required to load
nf_conntrack_proto_gre kernel module to make GRE tunnels from VM to VM
working properly.
This patch adds such info in ovs firewall documentation as it should be
deployer decision to load or not load this module.
This patch also adds sanity check which checks if nf_conntrack_proto_gre
module is loaded or not, and can warn user when this module is not
loaded.
It also adds loading of this kernel module in neutron devstack plugin.
Change-Id: Ic97ca00c804f0a540ee0dc53d9e4e07bf8410869
Closes-Bug: #1828053
Currently any dhcp agent instance will work as an open resolver. For
deployments using publicly routed addresses for tenant networks, this
allows the agent being abused in dDoS attacks, see [1].
By setting the `--local-service` option dnsmasq will filter DNS queries
and reply only to queries from directly attached networks.
[1] https://bugs.launchpad.net/neutron/+bug/1501206
Closes-Bug: 1501206
Change-Id: I76d810aad2ce0f15a88bd798963012fa0efca74e
When the config options were all moved to neutron/conf
the neutron-sanity-check script was not updated. Have
it use the registration methods directly.
Change-Id: Ie45ce0faa17ee4cfe8d2a1dce442b032efea0041
Closes-bug: #1769868
Refactoring neutron db config opts to be in neutron/conf/db/ and
neutron/conf/agent/database/ so that all the configuration options
reside in a centralized location. This simplifies the process of
looking up the config opts and provides an easy way to import.
Change-Id: I4da9bb48d49b99e8c2b34a5c1b83e7eb95b70b82
Partial-Bug: #1563069
Refactoring neutron ml2 config opts to be in neutron/conf/plugins/ml2.
This would allow centralization of all configuration options and
provides an easy way to import.
NeutronLibImpact
Change-Id: Ibc5a9ab268578c243ef13f7e0041bacd6c0c410b
Partial-Bug: #1563069
Needed-By: Id0a97dda7718f06e33b2d30ce01cdcb3e9a46f7d
Since Pike log messages should not be translated.
This patch removes calls to i18n _LC, _LI, _LE, _LW from
logging logic throughout the code. Translators definition
from neutron._i18n is removed as well.
This patch also removes log translation verification from
ignore directive in tox.ini.
Change-Id: If9aa76fcf121c0e61a7c08088006c5873faee56e
This was deprecated over a year ago in [1] so let's
get rid of it to clean up some code.
1. Ib63ba8ae7050465a0786ea3d50c65f413f4ebe38
Change-Id: I6039fb7e743c5d9a1a313e3c174ada36c9874c70
Those are against the spirit of the tool, and were introduced by
mistake. Sanity checks should validate actual features not version
numbers, because distributions can ship an older version of a package
that still has the needed patches backported to support features needed
for neutron; in which case the sanity check tool should not fail on
those deployments.
Updated 'effective neutron' guide to reflect the unspoken rule.
Since the tool is supposed to be consumed by operators, and not (just)
developers, we can't remove those CLI arguments immediately, and so we
follow deprecation process instead. In Queens, we will completely remove
those checks and options.
Change-Id: I2df8b7b39bca6d548a6f17466c26ffa688eb1d59
Recent mailing-list issue showed we never sanity check
for the conntrack command being installed.
Trivialfix
Change-Id: If7fd8541cdefa3123cc2031683c8139b16576cab
The SR-IOV option supported_pci_vendor_devs has been deprecated in Newton
and This change removes it from Ocata.
Change-Id: I42dadfd0b62730ca2d34d37cb63f19f6fec75567
For new kernels (3.18+), bridge module is split into two pieces: bridge
and br_netfilter. The latter provides firewall support for bridged
traffic, as well as the following sysctl knobs:
* net.bridge.bridge-nf-call-arptables
* net.bridge.bridge-nf-call-ip6tables
* net.bridge.bridge-nf-call-iptables
Before kernel 3.18, any brctl command was loading the 'bridge' module
with the knobs, so at the moment where we reached iptables setup, they
were always available.
With new 3.18+ kernels, brctl still loads 'bridge' module, but not
br_netfilter. So bridge existance no longer guarantees us knobs'
presence. If we reach _enable_netfilter_for_bridges before the new
module is loaded, then the code will fail, triggering agent resync. It
will also fail to enable bridge firewalling on systems where it's
disabled by default (examples of those systems are most if not all Red
Hat/Fedora based systems), making security groups completely
ineffective.
Systems that don't override default settings for those knobs would work
fine except for this exception in the log file and agent resync. This is
because the first attempt to add a iptables rule using 'physdev' module
(-m physdev) will trigger the kernel module loading. In theory, we could
silently swallow missing knobs, and still operate correctly. But on
second thought, it's quite fragile to rely on that implicit module
loading. In the case where we can't detect whether firewall is enabled,
it's better to fail than hope for the best.
An alternative to the proposed path could be trying
to fix broken deployment, meaning we would need to load the missing
kernel module on agent startup. It's not even clear whether we can
assume the operation would be available to us. Even with that, adding a
rootwrap filter to allow loading code in the kernel sounds quite scary.
If we would follow the path, we would also hit an issue of
distinguishing between cases of built-in kernel module vs. modular one.
A complexity that is probably beyond what Neutron should fix.
The patch introduces a sanity check that would fail on missing
configuration knobs.
DocImpact: document the new deployment requirement in operations guide
UpgradeImpact: deployers relying on agents fixing wrong sysctl defaults
will need to make sure bridge firewalling is enabled.
Also, the kernel module providing sysctl knobs must be
loaded before starting the agent, otherwise it will fail
to start.
Depends-On: Id6bfd9595f0772a63d1096ef83ebbb6cd630fafd
Change-Id: I9137ea017624ac92a05f73863b77f9ee4681bbe7
Related-Bug: #1622914
Original problem is that dhcp_release does not work with IPv6, but IPv6
leases still should be released. For example:
1. Start VM in dhcpv6-stateful network, make it acquire IPv6 address.
2. Delete VM.
3. Start another VM in same network before lease expires.
There's a very high chance that the same IPv6 address will be allocated
for both of these VMs (same address will be reused after first VM was
deleted).
On DHCP agent, hosts file would be changed, but not lease file, so
dnsmasq will not give second VM address until lease expires. Reducing
lease time is not a good solution here.
Solution is adding invocation of dhcp_release6 utility when
releasing IPv6 address. dhcp_release6 utility appears in dnsmasq 2.76.
It crafts DHCP6_Release packet, sends it from passed network
interface to IPv6 multicast address and waits for DHCP6_Reply.
Closes-Bug: 1521666
Change-Id: I5efab81cdaf0676503b6c7da0d4b4f400d859286
This test will check if 'ip link' version installed in this server
supports extended VF management parameter 'min_tx_rate'. This
parameter set the minimum egress rate for an interface.
This test is executed when SR-IOV back-end and QoS extension
are enabled.
DocImpact
Partial-Bug: #1560963
Change-Id: Ie9334f4ad2f6b047bf56689edf3333a8a612364a
If --config-{file,dir} are used to genearate a list of tests to
run, using set_override() will also override any options passed
via the CLI.
For example, on Centos 7 which uses dnsmasq 2.66, running:
neutron-sanity-check --nodnsmasq_version --config-file \
/etc/neutron/l3_agent.ini
will still run and fail the dnsmasq version test. Using
set_default() allows using --config-{file,dir} and --no* in
conjunction.
Closes-Bug: #1549394
Change-Id: I5b9e520add7324660148c4451bbef54c0dfe428e
This firewall requires OVS 2.5+ version supporting conntrack and kernel
conntrack datapath support (kernel>=4.3). For more information, see
https://github.com/openvswitch/ovs/blob/master/FAQ.md
As part of this new entry points for current reference firewalls were
added.
Configuration:
in openvswitch_agent.ini:
- in securitygroup section set firewall_driver to openvswitch
DocImpact
Closes-bug: #1461000
Co-Authored-By: Miguel Angel Ajo Pelayo <mangelajo@redhat.com>
Co-Authored-By: Amir Sadoughi <amir.sadoughi@rackspace.com>
Change-Id: I13e5cda8b5f3a13a60b14d80e54f198f32d7a529
In some scenario, like in OpenStack Kolla, system may lack
iptables-ipv6 package. This may cause command ip6tables-save
or ip6tables-restore invalid and ovs-agent error.
This patch allows checking ip6tables support from CLI:
neutron-sanity-check --ip6tables_installed
Or using configuration options, for example:
neutron-sanity-check --config-file /etc/neutron/neutron.conf
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini
Change-Id: Ia6cf1ed6b5033442f03eac61d2d0d783c146d797
Closes-Bug: #1530042
- This does NOT break other projects that rely on neutron.i18n,
as this change includes a debtcollector shim to maintain those
older entry points, until they can migrate.
- Also updates _i18n.py to the latest pattern defined by oslo_i18n
- Guidance and template are from the reference:
http://docs.openstack.org/developer/oslo.i18n/usage.html
Partially-Closes-Bug: #1519493
Change-Id: I1aa3a5fd837d9156da4643a367013c869ed8bf9d
In some case, host may lack ipset utility (e.g., due to a
dependency issue)
This patch allows checking IPSet utility support from CLI:
neutron-sanity-check --ipset_installed
Or using configuration options, for example:
neutron-sanity-check --config-file /etc/neutron/neutron.conf
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini
Closes-Bug: #1510680
Change-Id: I2b9d6b13087a970bb0919a8217e428ce60d6e0c3
The SR-IOV option agent_required has been deprecated in Liberty.
This change removes it and from now agents are mandatory for SR-IOV
mechanism in order to support extended features: QoS, port security.
DocImpact
Closes-Bug: #1508182
Related-Bug: #1488807
Change-Id: I4e6497da6b287531a211084a5208028c84112a83
Similar to IPv4 arp protection support, this patch adds the necessary OVS
rules to prevent ports attached to agent from sending any icmpv6 neighbor
advertisement messages that contain an IPv6 address not belonging to the port.
For details please refer to "Figure 3. Attack against IPv6 Address Resolution"
http://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.html
DocImpact
SecurityImpact
Closes-Bug: #1491690
Change-Id: I1f8311f1b9ae1be02afde3e9078e49c6da373a88
This patch doesn't changes behaviour of dhcp-agent
but adds the opportunity to use user-defined config,
that will make dhcp-agent more flexible
and allows to run functional tests correctly
(without changing global oslo.config CONF)
Closes-Bug: #1492283
Change-Id: Ice807e8fc872b56bb3960b7a3de4110c7675d9d6
neutron-sanity-check fails while importing ml2_sriov
configuration. This patch fixes the import path and
also includes a unit test to avoid such issues.
Closes-Bug: #1489374
Change-Id: I4265ee78be9e7f83e35c94187d4577b32005bef9
More information about Geneve protocol can be found here:
https://tools.ietf.org/pdf/draft-gross-geneve-02.pdf
Following configuration variables were added:
[ml2_type_geneve]
vni_ranges - Comma-separated list of <vni_min>:<vni_max> tuples
enumerating ranges of Geneve VNI IDs that are
available for tenant network allocation
max_header_size - Geneve encapsulation header size is dynamic, this
value is used to calculate the maximum MTU for the driver
this is the sum of the sizes of the outer
ETH + IP + UDP + GENEVE header sizes
DocImpact
Change-Id: I8c29a1c1a7c79e02c26ac9e2ad2645d30dfbeefc
Closes-Bug: #1461069
This patch adds the common framework to be used by specific
implementations of the DHCPv6 protocol for Prefix Delegation.
It also includes a reference implementation based on the Dibbler
DHCPv6 client. Dibbler version 1.0.1 or greater is required.
Sanity tests are included to verify the installed version.
A patch for admin/user documentation is up for review here:
https://review.openstack.org/#/c/178739
Video guides for configuring and using this feature are available on
YouTube:
https://www.youtube.com/watch?v=wI830s881HQhttps://www.youtube.com/watch?v=zfsFyS01Fn0
Co-Authored-By: Baodong (Robert) Li <baoli@cisco.com>
Co-Authored-By: Sam Betts <sam@code-smash.net>
Change-Id: Id94acbbe96c717f68f318b2d715dd9cb9cc7fe4f
Implements: blueprint ipv6-prefix-delegation
Rodolfo Alonso Hernandez