According to the neutron API-REF [1] port's "binding:profile" field is
intended to be used for the "machine-machine communication for compute
services like Nova, Ironic or Zun to pass information to a Neutron
back-end." so it should be allowed only for the users with the
SERVICE role granted, not even for ADMIN.
This patch updates those policies to be available only for the SERVICE
role when new, secure RBAC policies are enabled.
Additionally this patch updates some policies for create, update and get
port APIs to make them all work in the same way and allow them for the
SERVICE users too.
Finally, this new policy for create/update_port:binding:profile has to
be overwritten in the fullstack tests to be allowed also for the admin
user. It is done by adding a custom policy file for the fullstack tests
only.
[1] https://docs.openstack.org/api-ref/network/v2/index.html#create-port
Closes-Bug: #2052937
Change-Id: I5c0094ff21439fe8977cfc623789a09067e6a895
Support is added to the OVN L3 service plugin for the router
flavors and service type framework
Partial-Bug: #2020823
Change-Id: If40d7b39e7b59a39ff7622bd823dbdb14bfc69d2
Do not allow the subnet cidr of :: to be used when
creating a subnet, except in the case IPv6 prefix
delegation has been specified in the request.
Closes-bug: #2028159
Change-Id: I480e9a117513996f3c070acd4ba39c2b9fe9c0f1
When creating a subnet using a subnetpool, we were
failing to validate all the passed API arguments in
the dictionary, leading to a case where you could
specify an invalid DNS nameserver. For example,
using an IPv4 nameserver on an IPv6 subnet. This
could cause daemons the l3-agent starts, like radvd,
to fail to start correctly, leading to a loss of
connectivity.
Specifying a subnet by cidr without a subnetpool
did already correctly fail with an IP version
mismatch error, this is just an edge case that
was never tested.
Since _validate_subnet() was called in so many places
it was moved to a common location; the only case where it is
not called is for IPv6 prefix-delegation subnets.
Closes-bug: #2036877
Change-Id: I6302e9a373cf93e706cec10f87c3beaf632a0391
RBAC community-wide goal phase-2 [1] is to add a service
role for the service APIs policy rule.
This patch adds the new "service_api" role in policies and deprecates the
old rule "context_is_advsvc", as this had basically the same goal, but for
consistency reasons we now want it named "service_api" as in the policies
of other projects.
This patch also adds unit tests to ensure what is allowed and what is
forbidden for the service role user.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2
Closes-Bug: #2026182
Change-Id: Iaa1a3a491d310c2304f6500c6e5d2b9c31a72fa8
This table has a 1:1 relationship with the "port" table, providing
the "hardware_offload_type" field (string).
The "neutron-lib" library minimum version is 3.8.0, which contains
[1].
NOTE: once the OSC patch is merged [2], the documentation will be
updated to reflect how to create a hardware offloaded port without
manually defining the port binding profile.
[1] https://review.opendev.org/c/openstack/neutron-lib/+/882726
[2] https://review.opendev.org/c/openstack/python-openstackclient/+/892792
Partial-Bug: #2013228
Change-Id: I04f232d6c43e39f254c4559caf041dcf05acec21
The "repr" method of Network does not have an order enforced. The
elements of the DB model can be printed in the representation string
in any order.
Closes-Bug: #2027595
Change-Id: I763ee916eaf4dd9f3906bd20595f0533d25e356d
Some files are using the strings access_as_shared or access_as_external
instead of using the defined constants ACCESS_SHARED and ACCESS_EXTERNAL.
This commit does the cleaning; it does not bring any functional
change.
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
Change-Id: Ib75326c762776c5259740cb2f0abc1163842f95d
A network's MTU is now only valid if it is the minimum value
allowed based on the IP version of the associated subnets,
68 for IPv4 and 1280 for IPv6.
This minimum is now enforced in the following ways:
1) When a subnet is associated with a network, validate
the MTU is large enough for the IP version. Not only
would the subnet be unusable if it was allowed, but the
Linux kernel can fail adding addresses and configuring
network settings like the MTU.
2) When a network MTU is changed, validate the MTU is large
enough for any currently associated subnets. Allowing a
smaller MTU would render any existing subnets unusable.
Closes-bug: #1988069
Change-Id: Ia4017a8737f9a7c63945df546c8a7243b2673ceb
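The subnet-side checks described in the "::" CIDR, nameserver-validation and MTU commits above, as an added worked example in plain Python (not code from any of these commits; function and constant names are my own):

```python
import ipaddress

# Minimum MTU per IP version, the values enforced by the MTU commit above.
MIN_MTU = {4: 68, 6: 1280}
UNSPECIFIED_V6 = ipaddress.ip_network("::")


def validate_subnet(cidr, dns_nameservers=(), network_mtu=None,
                    prefix_delegation=False):
    """Return the parsed network, or raise ValueError naming the first problem.

    Three checks: the '::' CIDR is refused unless IPv6 prefix delegation was
    requested; every nameserver must have the subnet's IP version; the
    network MTU (if known) must reach the minimum for that version.
    Prefix-delegation subnets skip validation, as their CIDR is not known yet.
    """
    if prefix_delegation:
        return None
    net = ipaddress.ip_network(cidr, strict=True)
    if net == UNSPECIFIED_V6:
        raise ValueError("cidr '::' is only allowed with IPv6 prefix delegation")
    for ns in dns_nameservers:
        addr = ipaddress.ip_address(ns)
        if addr.version != net.version:
            raise ValueError(f"nameserver {ns} is IPv{addr.version} but "
                             f"subnet {net} is IPv{net.version}")
    if network_mtu is not None and network_mtu < MIN_MTU[net.version]:
        raise ValueError(f"network MTU {network_mtu} is below the "
                         f"IPv{net.version} minimum of {MIN_MTU[net.version]}")
    return net


def validate_network_mtu(new_mtu, subnet_cidrs):
    """Check an MTU update against every subnet already on the network.

    Returns the subnets the new MTU would make unusable (empty list if OK).
    """
    too_small = []
    for cidr in subnet_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if new_mtu < MIN_MTU[net.version]:
            too_small.append(str(net))
    return too_small
```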
As part of the Secure RBAC community goal, we should switch the options
"enforce_new_defaults" and "enforce_scope" to be True by default.
It will still be possible to fall back to the old policy rules by
configuring those config options to False in the Neutron config.
Change-Id: I09c0026ccf87e6c0bb1fa59165c03dc508fba6fa
Change b6126bc0f1 added two subnet unit tests that were
already covered in code right below them; remove them.
Trivialfix
Change-Id: Ic89df2d4e124e61fb36add0edbb9baebb139c9bc
In ``TestPortsV2`` tests, set the
``neutron.plugins.ml2.plugin.MAX_BIND_TRIES`` to 1 to minimize the
number of retries during a failed port binding. That shortens all
test cases execution time if a port binding is executed.
Trivial-Fix
Change-Id: If0473031797984aab5b36c479fcb774e57ff5624
This is a follow-up of [1]. Before this patch, any virtual logical
switch port that was updated and whose "device_owner" was not an empty
string had its type set to '' (empty string).
This maintenance task, which is executed only once, lists all logical
switch ports, checks the presence or not of virtual parents and
sets the type to "virtual" if needed.
Related-Bug: #1973276
[1] https://review.opendev.org/c/openstack/neutron/+/841711
Change-Id: I6cf1167d556f0c2c2aa2013f05c809648020b377
To write a new unit test, "project_id" needs to be set, and using
the discarded "tenant_id" is not appropriate.
This patch updates the resource-creating methods so that both "project_id"
and "tenant_id" are acceptable; of course, "project_id" has priority.
Closes-bug: #1966354
Change-Id: Ic24f03da169dd3d1549b05b35ec77d3e9a25f17b
This patch removes the ``IpAddressAllocationNotFound`` exception. This
exception was raised when an IPAM register was called to be deleted
but was not found.
As reported in the LP bug, this IPAM register deletion can be called
several times if a port fails during the creation. The IPAM register
deletion calls the DB deletion but doesn't raise any exception if the
register does not exist. The code ensures the IPAM register is
deleted and there is no need to fail if it is not present anymore.
This patch also removes the exception catch and try in "update_port",
that was added in [0] as a fix for [1]. That was added because the
subnet deletion code involved a port update call [2] during the
IP allocation deletion, if any port was still present in the subnet.
Since [3], this code is not needed because the subnet deletion does
not call a port update anymore.
[0] https://review.opendev.org/c/openstack/neutron/+/373536
[1] https://bugs.launchpad.net/neutron/+bug/1622616
[2] https://github.com/openstack/neutron/blob/pike-em/neutron/db/db_base_plugin_v2.py#L1017-L1018
[3] https://review.opendev.org/c/openstack/neutron/+/713045
Closes-Bug: #1965807
Related-Bug: #1954763
Related-Bug: #1622616
Change-Id: I5b96b3a91aacffe118ddbb91a75c4892818ba97a
With [1] the gateway is no longer set for a subnet created
with prefix delegation, but adding the subnet to the router
fails as it expects the gateway to be set.
This patch ensures the gateway is temporarily set to the first IP
of the subnet, as it used to be, just like the temporary CIDR.
The DHCP configuration also needs to be skipped to avoid the
original issue [2].
[1] https://review.opendev.org/c/openstack/neutron/+/699465
[2] https://bugs.launchpad.net/neutron/+bug/1856675
Closes-Bug: #1962306
Related-Bug: #1856675
Change-Id: I512f7d98ac99bb0ef06fd2acba09482e3436d18d
The tool "neutron-ovn-db-sync-util" now syncs the Neutron QoS policies
with the OVN NB database. The tool reads the port and the floating IP
QoS policies and creates the corresponding OVN QoS rules.
The ovsdbapp library is bumped to version 1.15.0. This version updates
the "QoSAddCommand" to allow register updates. If the OVN NB QoS
register to be created is present in the DB and all parameters match,
no transaction is committed to the DB.
Depends-On: https://review.opendev.org/c/openstack/ovsdbapp/+/822138
Closes-Bug: #1947334
Change-Id: Ib597b62017b56b41009dd4d7359e169f424272b0
Added a check for OVN SB schema, looking for "virtual_parent" in
"Port_Binding" table (added in OVN SB schema 2.5).
This patch removes the code to support OVN without virtual ports.
It is assumed that "virtual_parent" field is present in "Port_Binding"
table.
Closes-Bug: #1949496
Change-Id: I3d01f58dca570537b5e754b331ca4809a7161ae2
In the subnet update API call Neutron checks if gateway_ip was sent to be
updated and if so, it checks if the old gateway_ip isn't already allocated
to some router port. If it's already used, Neutron returns a 409 response.
This is valid behaviour but sometimes, some automation tools may do a
subnet update request and pass the same gateway ip as already used by
the subnet. In such a case, as gateway_ip is actually not changed, Neutron
should not raise an exception in that validation.
Closes-Bug: #1955121
Change-Id: Iba90b44331fdc63273fd3d19c583a24b5295c0ac
When there is an attempt to delete a network with ports,
a general error message is displayed that one or more
ports are in use on the network. This patch proposes
to also return the ports which are in use as part of
the message.
Also modify test_delete_network_if_port_exists unit
test to check for port id and network id in Error
message.
Also bump required version of neutron-lib to 2.18.0
as that's needed for custom message in NetworkInUse
Exception.
Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/821806
Closes-Bug: #1953716
Change-Id: Ib0b40402746c6a487a226b238907142384608d3c
This adds Local IP API extension, DB and OVO models, DB mixin,
migration and service plugin.
Partial-Bug: #1930200
Change-Id: I0ab7c5e9bc918f7fad282673ac6e32e1b01985c5
The config option allow_overlapping_ips is now deprecated for removal and
will be removed in the Z cycle.
The default value for that option is now set to True as this is supported
by the IPAM module in Neutron.
Related-Bug: #1942294
Change-Id: I17bf5e4483025e9cc4ee04dd3e7c925f7bddc3db
The quota driver ``ConfDriver`` was deprecated in the Liberty release.
``NullQuotaDriver`` is created for testing, although it could be used
in production if no quota enforcement is needed. However, because
the Quota engine is not pluggable (it is an extension that is always
loaded), it could be interesting to make it pluggable as any other plugin.
This patch also creates a Quota engine driver API class that should be
used in any Quota engine driver. Currently it is used in the three
in-tree drivers implemented: ``NullQuotaDriver``, ``DbQuotaDriver``
and ``DbQuotaNoLockDriver``.
Change-Id: Ib4af80e18fac52b9f68f26c84a215415e63c2822
Closes-Bug: #1928211
When needing to create a point to point connection via a subnet,
generally a /31 is the recommended cidr. Neutron supports /31 by
disabling dhcp and gateway on a subnet. /32 is also supported in
openstack.
Closes-Bug: #1580927
Change-Id: I3bfa3efb9fb8076656b16c89d2f35d74efde12b7
Verify whether concurrently deleting neutron DB records will
encounter the StaleDataError, which suggests adding
"confirm_deleted_rows=False" to the mapper configuration.
Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/777581
Change-Id: Ia8935d5dd87402bedfd7aa9df9dfcb0ce06f8e39
Related-Bug: #1916889
This new quota driver, ``DbQuotaNoLockDriver``, does not create a lock
per (resource, project_id) but retrieves the instant (resource,
project_id) usage and the current (resource, project_id) reservations.
If the requested number of resources fits the available quota, a new
``Reservation`` register is created with the amount of units requested.
All those operations are done inside a DB transaction context. That
means the amount of resources and reservations is guaranteed inside
this transaction (depending on the DB backend isolation level defined)
and the new reservation created will not clash with other DB transactions.
That will guarantee the number of resources and instant reservations
never exceed the quota limits defined for this (resource, project_id).
NOTES:
- This change tries to be as unobtrusive as possible. The new driver
uses the same ``DbQuotaDriver`` database tables (except for
``QuotaUsage``) and the same Quota engine API, located in
``neutron.quota``. However, the Quota engine resources implement some
particular API actions like "dirty", that are not used in the new
driver.
- The Pecan Quota enforcement hooks,
``neutron.pecan_wsgi.hooks.quota_enforcement``, execute actions like
"resync", "mark_resources_dirty" or "set_resources_dirty", that have
no meaning in the new driver.
- The isolation between the Quota engine and the Pecan hook, and the
driver itself is not clearly defined. A refactor of the Quota engine,
Quota service, Quota drivers and a common API between the driver and
the engine is needed.
- If ``DbQuotaDriver`` is deprecated, ``CountableResource`` and
``TrackedResource`` will be joined in a single class. This resource
class will have a count method (countable) or a hard dependency on a
database table (tracked resource). The only difference will be the
"count" method implementation.
Closes-Bug: #1926787
Change-Id: I4f98c6fcd781459fd7150aff426d19c7fdfa98c1
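The no-lock reservation flow described in the commit above (read instant usage plus outstanding reservations inside one transaction, then insert the Reservation row), as an added worked example in Python on a constructed in-memory SQLite schema; this is not the driver's own code, and the table and function names are my own:

```python
import sqlite3

# Whitelist of resource -> table; the table name is never built from caller input.
RESOURCE_TABLES = {"port": "ports"}


class OverQuota(Exception):
    """Requested amount does not fit within the project's quota."""


def make_db():
    """Constructed in-memory stand-in for the quota, resource and reservation tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE quotas (project_id TEXT, resource TEXT, "limit" INTEGER);
        CREATE TABLE ports (id INTEGER PRIMARY KEY, project_id TEXT);
        CREATE TABLE reservations (id INTEGER PRIMARY KEY, project_id TEXT,
                                   resource TEXT, amount INTEGER);
    """)
    return conn


def make_reservation(conn, project_id, resource, amount):
    """Reserve `amount` units of `resource` for `project_id`, or raise OverQuota.

    One transaction covers the usage count, the reservation sum, the limit
    comparison and the insert; an OverQuota raised inside rolls it back.
    """
    table = RESOURCE_TABLES[resource]
    with conn:
        # Take the write lock up front so the reads and the insert are atomic
        # with respect to other writers (SQLite's equivalent of the isolation
        # level the commit message relies on).
        conn.execute("BEGIN IMMEDIATE")
        row = conn.execute(
            'SELECT "limit" FROM quotas WHERE project_id = ? AND resource = ?',
            (project_id, resource)).fetchone()
        used = conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE project_id = ?",
            (project_id,)).fetchone()[0]
        reserved = conn.execute(
            "SELECT COALESCE(SUM(amount), 0) FROM reservations "
            "WHERE project_id = ? AND resource = ?",
            (project_id, resource)).fetchone()[0]
        # No quota row, or a negative limit, means unlimited.
        if row is not None and row[0] >= 0 and used + reserved + amount > row[0]:
            raise OverQuota(f"{resource}: used={used} reserved={reserved} "
                            f"requested={amount} limit={row[0]}")
        cur = conn.execute(
            "INSERT INTO reservations (project_id, resource, amount) "
            "VALUES (?, ?, ?)", (project_id, resource, amount))
        return cur.lastrowid
```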
Now it is possible to define a gateway IP when creating a subnet using a
subnet pool. The IPAM subnet generator retrieves the available IP
ranges in the subnet pool and generates a list of candidate subnets
with the prefix length defined. If the gateway IP can be allocated in
one of those candidate subnets, the IPAM returns a valid IpamSubnet
that will be used to create a Neutron subnet.
Closes-Bug: #1904436
Change-Id: Ib1d1f591c4d0f59ebff3ddcb3be7b10b0b5e67dc
Added a new port extension: device profile (``port_device_profile``).
This extension adds the "device_profile" parameter to the "port" API
and specifies the device profile per port. This parameter is a
string.
This parameter is passed to Nova and Nova retrieves the requested
device profile from Cyborg. Reference:
https://docs.openstack.org/api-ref/accelerator/v2/index.html#device-profiles
For backwards compatibility, this parameter will be "None" by
default.
Closes-Bug: #1906602
Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/767586
Change-Id: I1202a8388e64ae4270ef4ca118993504ae7c1731
assertItemsEqual was removed from Python's unittest.TestCase in
Python 3.3 [1][2]. We have been able to use them since then, because
testtools required unittest2, which still included it. With testtools
removing Python 2.7 support [3][4], we will lose support for
assertItemsEqual, so we should switch to use assertCountEqual.
NOTE(dmllr): added hacking check
[1] - https://bugs.python.org/issue17866
[2] - https://hg.python.org/cpython/rev/d9921cb6e3cd
[3] - testing-cabal/testtools#286
[4] - testing-cabal/testtools#277
Change-Id: I7c20fec08e5dc9f67b34100c925ea6724bbd25f0
Added a new port extension: NUMA affinity policy. This extension adds
the "numa_affinity_policy" parameter to the "port" API and specifies
the NUMA affinity policy per port.
This parameter is passed to Nova when a virtual machine is created.
Nova will use this information to schedule the virtual machine.
For backwards compatibility, this parameter will be "None" by default.
Depends-On: https://review.opendev.org/#/c/740058/
Closes-Bug: #1886798
Change-Id: Ie3d68c098ddb727ab8333aa1de4064e67a4f00a7
fip agent gw ports may be left in the DB after router removal due to a
race condition between the l3 agent and the server: when the server
processes "router delete" the l3 agent is still processing "router add"
and creates the fip agent gw port after the server already removed the
router.
The patch also adds handling of external network delete event
to cleanup fip namespaces left on agents due to same race condition.
Change-Id: Ib2f3aca08946e584156d092c37e1ea5ed5ca81a6
Closes-Bug: #1902998
This patch adds the verification of whether the context is an admin
context when verifying the valid security groups of a port.
Change-Id: I2674bdc448d9a091b9fe8c68f0866fd19141c6be
Closes-Bug: #1890539
Now that we are python3 only, we should move to using the built-in
version of mock that supports all of our testing needs and
remove the dependency on the "mock" package.
This patch moves all references to "import mock" to
"from unittest import mock". It also cleans up some newline
inconsistency.
Fixed an inconsistency in the OVSBridge.deferred() definition
as it needs to also have an *args argument.
Fixed an issue where an l3-agent test was mocking
functools.partial, causing a python3.8 failure.
Unit tests only, removing from tests/base.py affects
functional tests which need additional work.
Change-Id: I40e8a8410840c3774c72ae1a8054574445d66ece