Commit Graph

233 Commits

Author SHA1 Message Date
Brian Haley 7c21b776c6 Fix undefined-loop-variable warnings
There were a number of tests using variables that were
only defined in the scope of a loop, which, while it worked,
is undefined. No functional change.

TrivialFix

Change-Id: Ieaf6f234cf0eb747dc61c3115fdb960a708569dd
2024-02-15 17:08:42 -05:00
Zuul 176b144460 Merge "Add extra router attributes for ECMP and BFD" 2023-08-08 23:40:38 +00:00
Slawek Kaplonski 14b2f4f60f [UT] Create network to make lazy loading in the models_v2 possible
In the test_port_deletion_prevention_handles_missing_port test which is
part of the classes:
* neutron.tests.unit.extensions.test_l3.L3NatDBSepTestCase
* neutron.tests.unit.extensions.test_extraroute.ExtraRouteDBSepTestCase

it is needed to call pecan application to e.g. create network to make
all models to be ready. Otherwise things like port_forwarding attribute
in the Port class, which is loaded in lazy mode, isn't available and the test
was failing when it was run in the isolated environment.
It wasn't failing in the gate as there were other tests run by the same
worker before this one and then it was all initialized properly.

Closes-Bug: #2028285
Change-Id: Ie2382540d7c0a8813f093ddf51d82fe530026d71
2023-08-02 16:27:50 +02:00
Dmitrii Shcherbakov 89702218db Add extra router attributes for ECMP and BFD
* enable_default_route_ecmp
* enable_default_route_bfd

Partial-Bug: #2002687
Change-Id: I3fcd0458d20f20ce40378f90f073f37c41400865
2023-07-25 17:03:34 +02:00
Rodolfo Alonso Hernandez c94fb2bb88 [sqlalchemy-20] Define one DB model per "FromClause.join" clause
Closes-Bug: #2027602
Change-Id: Id30126a29543a8489715f51620f5ecf5fadb6709
2023-07-12 17:53:15 +00:00
Slawek Kaplonski 670cc383e0 [S-RBAC] Switch to new policies by default
As part of the Secure RBAC community goal, we should switch options
"enforce_new_defaults" and "enforce_scope" to be True by default.
It will be still possible to fallback to old policy rules by configuring
those config options to False in Neutron config.

Change-Id: I09c0026ccf87e6c0bb1fa59165c03dc508fba6fa
2023-04-21 16:22:42 +02:00
Rodolfo Alonso Hernandez 2fd17aa876 [OVN] Initialize the mech driver variable in ``OVNL3RouterPlugin``
This initialization method will assign the mechanism driver variable
and will check if any of the valid drivers ('ovn', 'ovn-sync') is
loaded. If not, the execution will stop and the
``MechanismDriverNotFound`` exception will be raised. This exception
is more informative than the reported error in the related bug, where
one of the expected configuration variables for the
``OVNL3RouterPlugin`` class was not loaded.

Closes-Bug: #1997970
Change-Id: Ie8e184c85528cd1b3fed624fb003a71c5e6c7af3
2022-12-07 05:14:26 +01:00
Rodolfo Alonso Hernandez 2081910d6d Always create a "router_extra_attributes" register per router
The table "router_extra_attributes" is a child of "router" table.
Each register contains extra information that completes the router
description. When using ML2/OVS mechanism driver, the methods that
create and populate the "router_extra_attributes" register are always
called from the L3 DVR, L3 HA and availability zones extensions.

When using ML2/OVN, those extensions are not loaded and therefore the
"router_extra_attributes" register is not created.

Although this register is currently not used in ML2/OVN (it will be in
future features), there are some projects expecting the
"router_extra_attributes" register to be always created (for example,
neutron-dynamic-routing [1]).

This patch enforces the child register creating always when a router is
created. This register is populated with the default values. This new
register does not affect any current operation related to ML2/OVN nor
ML2/OVS.

There is a 1:1 relationship between "routers" and
"router_extra_attributes". The child register is deleted by the database
engine when the "routers" register is deleted (ondelete="CASCADE").

[1] https://review.opendev.org/c/openstack/neutron-dynamic-routing/+/863713

Closes-Bug: #1995974
Change-Id: Ic546e40513402fa101c9687acce382cd6b84356c
2022-11-18 08:51:43 +00:00
Brian Haley 3d0f1ef4fa Remove some unnecessary list comprehensions
Just use list() instead. Noticed while looking at something else.

Trivialfix

Change-Id: I906a13ef6c2f5426a1ac7c4ae24dbf168a0f371a
2022-10-05 17:11:45 -04:00
yangjianfeng d600b3d433 Forbid enable ndp proxy when external network has no IPv6 address scope
In neutron, user can create multiple ports with same IPv6 address if
the network has no IPv6 address scope. This may result in some
security issues.

This can be exploited by a malicious tenant via creating a subnet with
a prefix that covers an address that is already in use and take over
(part of) the traffic flowing towards that address. The success of the
attack depends on winning the race of who answers the NDP query first,
but still a 50% chance of capturing traffic seems dangerous. The attack
works not only against other addresses served by NDP proxy, but also
against other hosts that may exist, potentially even the gateway for
the external network.

So, we should use `IPv6 address scope` to ensure the IPv6 address is
unique when we want to use `ndp proxy` feature.

Depends-on: https://review.opendev.org/#/c/855997
Closes-Bug: #1987410
Change-Id: I0fa431a91a7679e409386a357a01c31ec5ad0cfd
2022-09-06 18:45:45 +08:00
Arnaud Morin 8619c104b8 Allow shared net to be added on router
This will allow subnets from shared networks to be added on routers using:
$ openstack router add subnet router_id subnet_id

Without this, neutron user must use a multi-router solution, which is
not convenient at all.

Closes-Bug: #1975603
Related-Bug: #1757482

Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
Change-Id: I50f07d41428e57e6bed9be16980a6c605b7d130e
2022-08-24 17:23:14 +02:00
zhouhenglc cc50b45ca3 [test][unit]creating resources support set project_id
To write a new unit test, need to set "project_id", and then
use the discarded "tenant_id" is not appropriate.

This patch updated creating resources method, both "project_id"
and "tenant_id" are acceptable. Of course, "project_id" priority.

Closes-bug: #1966354

Change-Id: Ic24f03da169dd3d1549b05b35ec77d3e9a25f17b
2022-03-28 05:41:48 +00:00
Rodolfo Alonso Hernandez 42cfa055c2 Add network QoS inheritance to floating IP
Added information of the floating IP network QoS policy to the
``FloatingIP`` OVO. The view-only parameter added allows to check
the network QoS policy in the floating IP object.

This patch does not implement any change in the L3 code (OVS or
OVN). This patch does not change any existing behaviour.

NOTE: bump neutron-lib version

Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/817936

Partial-Bug: #1950454
Change-Id: I9d7bb54b14fb983161fdf51c96b6fda107db4fe6
2021-11-24 09:01:09 +00:00
Zuul d562866fd2 Merge "Deprecate 'allow_overlapping_ips' config option" 2021-11-04 14:20:17 +00:00
Slawek Kaplonski 042de7e6bb Deprecate 'allow_overlapping_ips' config option
Config option allow_overlapping_ips is deprecated for removal now and
will be removed in the Z cycle.
Default value for that option is now set to True as this is supported by
IPAM module in Neutron.

Related-Bug: #1942294
Change-Id: I17bf5e4483025e9cc4ee04dd3e7c925f7bddc3db
2021-10-21 10:56:33 +00:00
Nurmatov Mamatisa 43871e0654 Rename notify to publish
Neutron-lib patch [1] neutron-functional-with-uwsgi test is
failing because missed some code with notify

1) https://review.opendev.org/c/openstack/neutron-lib/+/807869

Change-Id: I2b4048a6bbcb9d1a385702755810714db5ea2d94
2021-09-09 18:11:27 +03:00
Zuul 2fbd82c07a Merge "Improve content of FloatingIP AFTER callbacks" 2021-09-02 17:54:32 +00:00
Zuul 18d67bdc87 Merge "Use payloads for FloatingIP AFTER callbacks" 2021-08-18 22:29:25 +00:00
Zuul 96f1ea140e Merge "Remove ``ConfDriver`` code" 2021-08-16 17:36:13 +00:00
Szymon Wroblewski a177249731 Improve content of FloatingIP AFTER callbacks
Use same FIP field names for all notifications.
Move association_event field into Payload metadata.

Closes-Bug: #1933502
Change-Id: Ia462ca4b340cd3d9a27341632b24926c3290a4b2
2021-08-16 10:50:07 +02:00
Szymon Wroblewski b488fb8e22 Use payloads for FloatingIP AFTER callbacks
Change FloatingIP AFTER_ notifications in l3_db to use publish calls.
Move association_event field into Payload metadata.

Closes-Bug: #1933502
Change-Id: Ie4c0f4a63a87c32026c49b03068e5f461deb38b6
2021-08-16 10:48:29 +02:00
Nurmatov Mamatisa 57cfc57da6 use payloads for FLOATING_IP
This patch switches over to callback payloads for
FLOATING_IP PRECOMMIT_CREATE and PRECOMMIT_UPDATE events

Change-Id: I886a360b838c78b0596c042fb5650bc73848af31
2021-08-10 15:33:39 +00:00
Nurmatov Mamatisa 40c8f60ee3 Use payloads for ROUTER callbacks
This patch switches over to callback payloads for ROUTER
BEFORE_CREATE, PRECOMMIT_CREATE, BEFORE_UPDATE and
PRECOMMIT_DELETE events.

Change-Id: I4a52c773d3f753c918df0986f1d261083156651c
2021-08-02 12:32:30 +03:00
Rodolfo Alonso Hernandez ad31c58d60 Remove ``ConfDriver`` code
The quota driver ``ConfDriver`` was deprecated in Liberty release.

``NullQuotaDriver`` is created for testing although it could be used
in production if no quota enforcement is needed. However, because
the Quota engine is not pluggable (is an extension always loaded), it
could be interesting to make it pluggable as any other plugin.

This patch also creates a Quota engine driver API class that should be
used in any Quota engine driver. Currently it is used in the three
in-tree drivers implemented: ``NullQuotaDriver``, ``DbQuotaDriver``
and ``DbQuotaNoLockDriver``.

Change-Id: Ib4af80e18fac52b9f68f26c84a215415e63c2822
Closes-Bug: #1928211
2021-07-26 15:00:32 +00:00
Nurmatov Mamatisa 129b823a8b use payloads for PORT AFTER_UPDATE events
This patch switches over to callback payloads for PORT
AFTER_UPDATE events.

Change-Id: I5c00eae155afa6c0fc8e3956bc39edbeca3ea1e7
2021-07-07 21:01:24 +00:00
Nurmatov Mamatisa 4ab699e5cd use payloads for ROUTER_INTERFACE events
This patch switches the code over to the payload style of callbacks [1]
for ROUTER_INTERFACE events for those that are not using them yet.
The unit tests are also updated where needed to account for the
payload style callbacks and publish() method. In addition, a few
callback methods that use the retry_if_session_inactive() decorator are
separated out from the callback so that the context can still be
passed and detected by retry_if_session_inactive logic.

NeutronLibImpact

[1]
https://docs.openstack.org/neutron-lib/latest/contributor/callbacks.html

Change-Id: I8d9f8296952dfb10fcccd6afd72e90a5d4f379eb
2021-06-03 18:42:19 +00:00
Slawek Kaplonski ce19fc9493 Remove check if set_extra_attr_value is run in the transaction
We moved all our code to the new enginefacade already so we don't use
nested transactions at all thus we don't need that check anymore.

Partially-Implements blueprint: enginefacade-switch

Change-Id: I957151a7cac4285926864029c844efd76b052c5b
2021-04-16 14:45:53 +02:00
Zuul 596c5d3828 Merge "Improve the CIDRs overlap check method for router add interface" 2021-01-10 15:31:26 +00:00
Slawek Kaplonski 23738d0df7 Migrate to new engine facade in the L3 extension UT module
Partially-Implements blueprint: enginefacade-switch

Change-Id: Idae12136e043031485694b95f8102e9f301094cc
2020-12-01 11:26:34 +01:00
Yang JianFeng 8ebd54d1bc Improve the CIDRs overlap check method for router add interface
If an external network has multiple subnets, the router whose
external gateway is at the network will have all routes about those
subnets. So, when an internal subnet is added to the router, all
subnets of the network which the router's external gateway
belongs to need to be joined to check whether the CIDRs are
overlapped.

Also, this patch reverts the patch [1]
[1] https://review.opendev.org/#/c/473356/

Change-Id: Id5d8ac09a38c656619f88a6f87b8f384fe4c55a8
Closes-Bug: #1903433
Depends-On: https://review.opendev.org/763621
Depends-On: https://review.opendev.org/763626
2020-11-26 12:10:55 +00:00
Slawek Kaplonski bf35cf65c8 Finish the new DB engine facade migration
This patch implements the last code bits pending to
conclude the new DB engine facade migration.

Due to the resultant interactions in the modified code, is
not possible to submit smaller patches; this code must be
migrated at once.

Partially-Implements blueprint: enginefacade-switch

Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
Co-Authored-By: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>

Change-Id: Id3f09b78c8d0a8daa7ec4fa6f5bf79f7d5ab8f8b
2020-11-24 09:20:35 +00:00
Rodolfo Alonso Hernandez 78858e6719 Add "standard_attr_id" to some OVO dictionaries
Included standard attributes ID in some OVO dictionaries to improve
the OVN revision numbers operation. Having this ID, there is no need
to retrieve it from the database.

The following OVOs have been updated:
- port
- network
- subnet
- security group
- security group rule
- router

Closes-Bug: #1904188

Change-Id: Ia16335a2fc8f9324b9489692c76a73e4ef5bef96
2020-11-16 13:56:39 +00:00
Rodolfo Alonso Hernandez b207f05ba7 Log disassociation event when a FIP is deleted
If a floating IP has an associated port, when the floating IP is
deleted, a disassociation message is logged.

This is related to LP#1842327. Neutron does not consider the floating
IP deletion as a disassociation event thus is not logged. This patch
completes the original implementation [1].

[1] https://review.opendev.org/#/c/679667/

Change-Id: I3a01d967be09cca4db060057948d087d17e0791b
Related-Bug: #1842327
2020-11-04 09:36:25 +00:00
Lucas Alvares Gomes f2643f27fb [OVN] Fix test_add_interface_in_use negative test
While fixing https://bugs.launchpad.net/neutron/+bug/1876148 we've made
the add_router_interface method idempotent and it no longer raised a
Conflict if the same interface was added twice, this broke the
test_add_interface_in_use from neutron-tempest-plugin.

Change-Id: I76d46a4c3c8af166e022894a5693d5c78555ea50
Closes-Bug: #1895671
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
2020-09-15 16:43:24 +01:00
Slawek Kaplonski 38c7fd7cef Fix validation of IPv6 subnets with external RAs
In case when such subnet is added directly to the router, there was
validation and subnet which is expected to get RA messages from the
external router couldn't be added to the Neutron router.

But in case when port was first created manually and then plugged to the
router, there wasn't such validation. This patch fixes it by adding same
validation to adding router interface by port.

Change-Id: I054296c790b697198550acbeae29546758b422c2
Closes-Bug: #1889619
2020-07-31 12:50:16 +02:00
Rodolfo Alonso Hernandez f43f5dc64f Use network.external DB model parameter when creating a floating IP
When a floating IP is being created, the network provided should be
external. Instead of querying the DB to find out if the
"externalnetworks" DB register exists, the "network" register is
retrieved and the "external" parameter is used (loaded using a
back reference relationship). This will avoid one DB access.

Change-Id: Iead245da166ee2ae691227bb18ae377fe0af4c04
Related-Bug: #1880969
2020-07-06 11:07:42 +00:00
Brian Haley 0a4b95eec2 Fix some pep8 errors
A new pep8 style library must have been released which
is causing some new errors, E471 among them. Clean-up
on aisle 8.

Change-Id: I153abada74e8c522fe9866a239a36dbb8365a29e
2020-05-11 18:23:22 -04:00
Flavio Fernandes f1cc1bb281 [ovn]: Fix l3_plugin.add_router_interface to comply with RouterPluginBase
OVNL3RouterPlugin inherits from L3_NAT_dbonly_mixin, which inherits
from neutron.extensions.l3.RouterPluginBase

As maintenance task expects OVNL3RouterPlugin to behave as
RouterPluginBase, the add_router_interface should have the signature:

  add_router_interface(self, context, router_id, interface_info)

Note: With this change, the default behavior of OVNL3RouterPlugin's
_add_neutron_router_interface becomes idempotent: multiple calls to add
the same interface will not fail. Because of that, the unit test
test_router_add_interface_dup_port no longer makes sense and is being
removed.

Closes-Bug: #1876148
Change-Id: I8010113b4d8c66ecbccf3126f322a8836d92e7ba
Signed-off-by: Flavio Fernandes <flaviof@redhat.com>
2020-05-05 06:56:20 -04:00
Brian Haley 7594bb0627 Remove the dependency on the "mock" package
Now that we are python3 only, we should move to using the built
in version of mock that supports all of our testing needs and
remove the dependency on the "mock" package.

This patch moves all references to "import mock" to
"from unittest import mock". It also cleans up some new line
inconsistency.

Fixed an inconsistency in the OVSBridge.deferred() definition
as it needs to also have an *args argument.

Fixed an issue where an l3-agent test was mocking
functools.partial, causing a python3.8 failure.

Unit tests only, removing from tests/base.py affects
functional tests which need additional work.

Change-Id: I40e8a8410840c3774c72ae1a8054574445d66ece
2020-04-28 18:05:37 -04:00
Slawek Kaplonski 1e970f1aa0 Switch to new engine facade in extensions unit tests
Partially-Implements blueprint: enginefacade-switch

Change-Id: I582848bc8deec98a5e78f9e4b5c7f219a924aa47
2020-03-20 06:28:46 +01:00
Rodolfo Alonso Hernandez 1947fd65d2 Implement Floating IP association logic only once
Implement the Floating IP association logic only in one single place,
L3_NAT_dbonly_mixin._update_fip_assoc(). The dictionary returned will
include a new key, "association_event", with values:
- None: there is no association event. The internal port does not
  change.
- True: a new internal port is added to the FIP register. An
  association event can imply a disassociation event if the FIP register
  had an existing internal port.
- False: the previous internal port is removed and no one is added.

Change-Id: I775aee178cf56f842b3c0a375eda01577840e227
Related-Bug: #1842327
2019-09-15 16:23:26 +00:00
Rodolfo Alonso Hernandez 791dc24960 Log when FIP is associated/disassociated
Add a log entry when a floating IP is associated/disassociated from a
port, reporting the external IP, the internal IP, the fixed port ID and
the FIP ID.

The log level is set to INFO; this security information will be
registered regardless of the logging level.

Change-Id: I9124399f680e4123c4dc14e8be666f9c4c5385a0
Closes-Bug: #1842327
2019-09-11 07:08:07 +00:00
YAMAMOTO Takashi 330b6d6ba0 test_l3: Be a bit more selective where to inject a failure
Instead of blindly making the first publish() fail.

Remove assumptions about how many publish() calls are made.

These problems were exposed by the recent change. [1]

[1] https://review.opendev.org/#/c/638274/

Closes-Bug: #1839246
Change-Id: I40a8a3905435233e6c00c5439df287db5ab10ed6
2019-08-07 23:33:15 +09:00
Zuul ef190cdcec Merge "use payloads for ROUTER_GATEWAY events" 2019-08-06 17:27:44 +00:00
Zuul 0cde163967 Merge "Remove 'gateway_external_network_id' config option" 2019-08-05 12:40:08 +00:00
Boden R 42c4b1e087 use payloads for ROUTER_GATEWAY events
This patch switches the code over to the payload style of callbacks [1]
for PORT ROUTER_GATEWAY events for those that are not using them yet.
The unit tests are also updated where needed to account for the
payload style callbacks and publish() method. Finally the patch
normalizes the passing of gateway IPs which are currently referred to
as 'gw_ips' and 'gateway_ips' depending on the event; now all events use
'gateway_ips'.

NeutronLibImpact

[1] https://docs.openstack.org/neutron-lib/latest/contributor/callbacks.html

Change-Id: Iacd9e2d00838b402c8ab385044a7e294831a1ddc
2019-08-04 18:22:41 +08:00
Slawek Kaplonski 9b2e472ae9 Remove 'gateway_external_network_id' config option
This option was deprecated since a couple of releases already.
In Stein we removed 'external_network_bridge' option from L3 agent's
config so now it's time to remove also this one.

There is also new upgrade check introduced to check and warn
users if gateway_external_network_id was used in the deployment.

This patch also removes method _check_router_needs_rescheduling() from
neutron/db/l3_db.py module as it is not needed anymore.

This patch also removes unit tests:
test_update_gateway_agent_exists_supporting_network
test_update_gateway_agent_exists_supporting_multiple_network
test_router_update_gateway_no_eligible_l3_agent
from neutron/tests/unit/extensions/test_l3.py module as those
tests are not needed when there is no "gateway_external_network_id"
config option anymore.

Change-Id: Id01571cd42cfe9c5ce91e90159917c7d3c963878
2019-07-26 13:19:14 +02:00
Brian Haley b79842f289 Start enforcing E125 flake8 directive
Removed E125 (continuation line does not distinguish itself
from next logical line) from the ignore list and fixed all
the indentation issues.  Didn't think it was going to be
close to 100 files when I started.

Change-Id: I0a6f5efec4b7d8d3632dd9dbb43e0ab58af9dff3
2019-07-19 23:39:41 -04:00
Brian Haley a36adfdb8b Fix use of port context in tests
After finding the mis-use of self.port() in the revision
tests, searched and found some other cases where the
subnet was not being passed. Fixed even though these
probably won't ever cause a test failure.

Trivialfix

Change-Id: I05402cfdbfd5c7941c5f442542eb0dd5a005e3fe
2019-05-14 10:27:52 -04:00
LIU Yulong 3d99147e73 Ensure dvr ha router gateway port binding host
There are some extreme conditions which will result in an unbound
router gateway port. Then all the centralized floating IPs will
not be reachable since the gateway port was set to 4095 tag.

This patch adds the HA status to the router related port
processing code path. If it is HA router, the gateway port
will go to the right HA router processing code branch.

Closes-Bug: #1827754
Change-Id: Ida1c9f3a38171ea82adc2f11cb17945d6e2434be
2019-05-07 16:33:44 +08:00