Commit Graph

33 Commits

Author SHA1 Message Date
Slawek Kaplonski a644b3c62b [S-RBAC] Change policies for port's binding:profile field
According to the neutron API-REF [1] port's "binding:profile" field is
intended to be used for the "machine-machine communication for compute
services like Nova, Ironic or Zun to pass information to a Neutron
back-end." so it should be allowed only for the users with the
SERVICE role granted, not even for ADMIN.
This patch updates those policies to be available only for SERVICE role
when new, secure RBAC policies are enabled.

Additionally this patch updates some policies for create, update and get
port APIs to make them all work in the same way and allow them for the
SERVICE users too.

Finally this new policy for create/update_port:binding:profile has to
be overwritten in the fullstack tests to be allowed also for admin user.
It is done by adding custom policy file for the fullstack tests only.

[1] https://docs.openstack.org/api-ref/network/v2/index.html#create-port

Closes-Bug: #2052937
Change-Id: I5c0094ff21439fe8977cfc623789a09067e6a895
2024-02-16 16:10:43 +01:00
Brian Haley 542c2ff463 Update hacking version
Update hacking to a more recent version, along with
flake8-import-order.

Remove N347 (import mock library) check as that is the
default with later hacking versions.

Update the builtins override of '_' to be the neutron.i18n
version due to the code triggering a false positive. This
is done in a couple of other projects as well.

Fix a number of new warnings it found.

Added some ignore directives for new whitespace issues
found in the test tree, can fix later.

TrivialFix

Change-Id: I5923255af86cf1fa11ab8e3b03bb9efac7dd7b58
2024-02-08 10:34:10 -05:00
Slawek Kaplonski 428f7a8418 [S-RBAC] Add service role in neutron policy
RBAC community wide goal phase-2[1] is to add service
role for the service APIs policy rule.
This patch adds new "service_api" role in policies, deprecates old rule
"context_is_advsvc" as this had basically same goal but for consistency
reasons we want now to have it named "service_api" as in other policies
for other projects.
This patch also adds unit tests to ensure what is allowed and what is
forbidden for the service role user.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2

Closes-Bug: #2026182

Change-Id: Iaa1a3a491d310c2304f6500c6e5d2b9c31a72fa8
2023-10-06 07:55:05 +00:00
Slawek Kaplonski 024704625a Add missing port_binding policies
In patch [1] API policies for get_port_binding and activate port binding
were added. But I forgot about create_port_binding and
delete_port_binding actions there so this follow up patch adds those
missing policies.

It also fixes mistake which was made in [1] with method for "activate"
action set to "GET". It should be "PUT" and that's what this patch now
fixes also.

[1] https://review.opendev.org/c/openstack/neutron/+/884613

Closes-Bug: #2013326
Change-Id: I6e91c2b7df070f19270f9c60da5c32b69cf11918
2023-06-28 14:15:25 +00:00
Slawek Kaplonski 670cc383e0 [S-RBAC] Switch to new policies by default
As part of the Secure RBAC community goal, we should switch options
"enforce_new_defaults" and "enforce_scope" to be True by default.
It will be still possible to fallback to old policy rules by configuring
those config options to False in Neutron config.

Change-Id: I09c0026ccf87e6c0bb1fa59165c03dc508fba6fa
2023-04-21 16:22:42 +02:00
Bodo Petermann 5b4ed5b117 Fix concurrent port binding activate
Fix an issue with concurrent requests to activate a port binding.
If there are two activate requests in parallel, one might set the
binding on the new host to active and the other request may
not find the previously INACTIVE row anymore in
_commit_port_binding and initializing the driver_context.PortContext
crashed.

Closes-Bug: #1986003
Change-Id: I047e33062bc38f36848e0149c6e670cb5828c8e3
2023-03-22 12:15:03 +01:00
Balazs Gibizer 4e78aaa694 Update port MAC from binding profile for PFs
Today Nova updates the mac_address of a direct-physical port to reflect
the MAC address of the physical device the port is bound to. But this
can only be done before the port is bound. However during migration Nova
is not able to update the MAC when the port is bound to a different
physical device on the destination host.

This patch extends port binding logic for direct-physical ports to allow
providing the MAC address of the physical device via the binding profile.
If it is provided then Neutron overwrites the value of the mac_address
field of the port with the value from the active binding profile.

Also when the port is being unbound or the MAC address is removed from
the active binding profile then neutron resets the mac_address field of
port to a generated MAC to avoid duplicated MAC issues when another port
is being bound to the same physical device.

The shim API extension for this change is being proposed in
I54b4c85ffc4856fba7ad5e9e29f77f74815e1275 in neutron-lib.

Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/831935

Closes-Bug: #1942329

Change-Id: Ib0638f5db69cb92daf6932890cb89e83cf84f295
2022-04-21 11:31:05 +02:00
Rodolfo Alonso Hernandez 08bdc4ded1 Add "bound_drivers" information to port "vif_details"
This new parameter "bound_drivers" is a dictionary with the binding
levels and the driver name. E.g.:
  port['vif_details']['bound_drivers'] = {'0': 'openvswitch'}
  port['vif_details']['bound_drivers'] = {'0': 'ovn'}

If the port is not bound, this key won't be present in "vif_details".
This information is important for Nova, along with the VIF type, to
adequate the port plugin strategy or to know what kind of plugin
events are expected; currently, depending on the driver and the
connection type, Neutron sends a different set of vif-plugged events.
This is especially critical during live migration process, where the
network communication should be halted as little as possible.

Related-Bug: #1821058

Change-Id: I1c42fa4f44cc2311e874b2b9bf2bd40ffd142e91
2022-01-27 04:16:45 +00:00
Zuul 4f3d5778a9 Merge "Switch to new engine facade in ML2 unit tests modules" 2020-04-30 22:20:07 +00:00
Brian Haley 7594bb0627 Remove the dependency on the "mock" package
Now that we are python3 only, we should move to using the built
in version of mock that supports all of our testing needs and
remove the dependency on the "mock" package.

This patch moves all references to "import mock" to
"from unittest import mock". It also cleans up some new line
inconsistency.

Fixed an inconsistency in the OVSBridge.deferred() definition
as it needs to also have an *args argument.

Fixed an issue where an l3-agent test was mocking
functools.partial, causing a python3.8 failure.

Unit tests only, removing from tests/base.py affects
functional tests which need additional work.

Change-Id: I40e8a8410840c3774c72ae1a8054574445d66ece
2020-04-28 18:05:37 -04:00
Slawek Kaplonski f11707e180 Switch to new engine facade in ML2 unit tests modules
Partially-Implements blueprint: enginefacade-switch

Change-Id: I4aff27fba6e8dd2e3574ed54dc79f8c75000125d
2020-03-26 04:28:16 +01:00
Bence Romsics 74c51a2e53 Drive binding by placement allocation
Drive the choice of mechanism driver during binding as inferred from
the resource provider allocated by nova and as told to neutron via the
port's binding:profile.

As discussed on a neutron qos irc meeting some time ago
this patch introduces a new assumption on bind_port() implementations.
That is an implementation of bind_port() in any mech driver supporting
Guaranteed Minimum Bandwidth bind_port() must not have a non-idempotent
side effect. Because the last binding level will be redone for a 2nd
time with a narrowed down list of mechanism drivers. And if the 2nd call
does not give the same result as the first all kinds of weird things can
happen.

Change-Id: I2b7573ec6795170ce45a13d5d0ad7844fb85182d
Depends-On: https://review.openstack.org/574781
Depends-On: https://review.openstack.org/635160
Partial-Bug: #1578989
See-Also: https://review.openstack.org/502306 (nova spec)
See-Also: https://review.openstack.org/508149 (neutron spec)
2019-03-09 22:03:51 +00:00
Boden R 68fd13af40 remove neutron.common.exceptions
Today the neutron common exceptions already live in neutron-lib and are
shimmed from neutron. This patch removes the neutron.common.exceptions
module and changes neutron's imports over to use their respective
neutron-lib exception module instead.

NeutronLibImpact

Change-Id: I9704f20eb21da85d2cf024d83338b3d94593671e
2019-02-01 14:35:00 -07:00
Boden R d7942945c9 use get_port_binding_by_status_and_host from lib
The get_port_binding_by_status_and_host function was rehomed into
neutron-lib with https://review.openstack.org/#/c/580786/ and released
in neutron-lib 1.18.0. This patch consumes the function by removing it
in neutron and replacing all uses with lib's version.

NeutronLibImpact

Change-Id: Iac3246d0eb59709749e0b7e857091447d11a0133
2018-07-30 07:10:23 -06:00
Jakub Libosvar f7b62a7f29 Multiple port binding for ML2
Functionality is added to the ML2 plugin to handle multiple port
bindings

Co-Authored-By: Anindita Das <anindita.das@intel.com>
Co-Authored-By: Miguel Lavalle <miguel.lavalle@huawei.com>

Partial-Bug: #1580880

Change-Id: Ie31d4e27e3f55edfe334c4029ca9ed685e684c39
2018-07-13 18:14:50 -05:00
Ihar Hrachyshka 906eda44d2 Revert "Integration of (Distributed) Port Binding OVO"
This reverts commit febeaf5d40.

This patch broke postgres tempest jobs, as well as introduced potential
race conditions in database layer because of mixed usage of old and new
engine facades.

Related-Bug: #1744829
Change-Id: Ic142ae7faf4e5f10cbdf761d7e6f3d442e94a3eb
2018-01-27 18:19:20 -06:00
Lujin febeaf5d40 Integration of (Distributed) Port Binding OVO
This patch integrates Port Binding OVO in /plugins/ml2/db.py
and /plugins/ml2/plugin.py.

Co-Authored-By: Artur Korzeniewski <artur.korzeniewski@intel.com>
Change-Id: Idb76c0cb2a4d66690c9aca5ba338d5df814cd21e
Partially-Implements: blueprint adopt-oslo-versioned-objects-for-db
2017-12-25 14:03:42 +09:00
Aradhana Singh d00a50aad1 Refactoring config options for ml2 config opts
Refactoring neutron ml2 config opts to be in neutron/conf/plugins/ml2.
This would allow centralization of all configuration options and
provides an easy way to import.

NeutronLibImpact

Change-Id: Ibc5a9ab268578c243ef13f7e0041bacd6c0c410b
Partial-Bug: #1563069
Needed-By: Id0a97dda7718f06e33b2d30ce01cdcb3e9a46f7d
2017-09-08 15:34:49 -04:00
Kevin Benton 0f536d5a25 Use objects instead of SQLA deep copies in PortContext
The workaround of using deepcopy calls on the PortBinding
and PortBindingLevel objects prevents the port relationship
from being loaded to bump its revision because it then fails
to merge.

So in order to allow port bindings to bump the revision we
need to stop using sqlalchemy objects in the PortContext. This
patch adds a new snapshot object that just copies the column
values and provides a method to reconcile them back into the
session.

This workaround can go away after we switch to using OVOs, but
this needs to be backportable so we can't just wait for OVO
adoption.

Partial-Bug: #1699034
Change-Id: Ib85ec8182117fa3c4844dabfffe881e38e68b556
2017-06-20 01:34:10 -07:00
Kevin Benton 529da4e583 Bulk up port context retrieval
With the switch to subquery relationships, individual get_port calls
can get expensive with large numbers of ports
(100ms per port in my dev environment). This patch bulks up the
retrieval of the port contexts so one set of queries covers all
of the devices in an RPC call.

Partial-Bug: #1665215
Change-Id: I63757e143b23c24c349be98dc5a09115b8709a25
2017-04-20 02:44:05 -07:00
Kevin Benton fc563eaabe deepcopy binding and binding levels avoid expiration
Perform a deepcopy on the sqla objects passed into the PortContext
so we get detached versions of them safe to reference forever.
This is necessary because the PortContexts outlive the
transaction context managers they are created in, which means an
object can be expired and result in a query after a commit
(e.g. in bind_port_if_needed) that will fail and result in an
exception.

This required a few additional explicit session.merge calls to deal
with cases where touching the mech context was implicitly expected
to modify the DB state on the next commit.

Closes-Bug: #1669528
Change-Id: Ib5ba2daa80acba53c082bade1f61a3ee44ca41fc
2017-04-02 04:09:52 -07:00
Boden R 7bd521e7ce use neutron_lib's portbindings api-def
Neutron-lib 1.1.0 is now out and contains the portbindings
API definition (as per commit [1]). This patch moves neutron
references over to the neutron-lib version.

NeutronLibImpact
- Consumers using the public constants within neutron's
portbindings API extension must now use the values
from neutron-lib.

[1] 87e42f993c07ae320159d5123662ee9f3bd4d903

Change-Id: I669af9b4c712877772d91a03857ab108714001d4
2017-03-31 09:16:22 -06:00
Armando Migliaccio ca751a1486 Spin off context module
NeutronLibImpact

Partially-implements: blueprint neutron-lib

Change-Id: I48cf45dc1b07035d952152eac2548a3bd9fc2832
2017-03-06 16:25:29 +00:00
Darek Smigiel 2cedbf2967 Unittests improvement
During config opts refactor, some changes were introduced, which caused
problems to run unittests with pdb. This change addresses some of them.

Change-Id: I4d4e1dc5606a81761ef12f60fb7feba3be88d1fc
2016-12-14 15:57:36 +00:00
Armando Migliaccio 17563a802e Adopt neutron-lib plugin directory
Neutron Manager is loaded at the very startup of the neutron
server process and with it plugins are loaded and stored for
lookup purposes as their references are widely used across the
entire neutron codebase.

Rather than holding these references directly in NeutronManager
this patch refactors the code so that these references are held
by a plugin directory.

This allows subprojects and other parts of the Neutron codebase
to use the directory in lieu of the manager. The result is a
leaner, cleaner, and more decoupled code.

Usage pattern [1,2] can be translated to [3,4] respectively.

[1] manager.NeutronManager.get_service_plugins()[FOO]
[2] manager.NeutronManager.get_plugin()
[3] directory.get_plugin(FOO)
[4] directory.get_plugin()

The more entangled part is in the neutron unit tests, where the
use of the manager can be simplified as mocking is typically
replaced by a call to the directory add_plugin() method. This is
safe as each test case gets its own copy of the plugin directory.
That said, unit tests that look more like API tests and that rely on
the entire plugin machinery, need some tweaking to avoid stumbling
into plugin loading failures.

Due to the massive use of the manager, deprecation warnings are
considered impractical as they cause logs to bloat out of proportion.

Follow-up patches that show how to adopt the directory in neutron
subprojects are tagged with topic:plugin-directory.

NeutronLibImpact

Partially-implements: blueprint neutron-lib

Change-Id: I7331e914234c5f0b7abe836604fdd7e4067551cf
2016-11-23 04:45:33 -07:00
Cao Xuan Hoang 4a91eea3e0 Change import statement to not rename the module
Importing "config" then renaming it to "config" is duplicative.

Change-Id: I630c4d23b233e65244d53746ddcb50b4e2bf8b4a
2016-11-14 13:53:51 +07:00
Ihar Hrachyshka 2a23527a9a tests: stop using ml2 plugin full import paths in tests
Stevedore documentation suggests that full import paths are not supposed
to be user visible. Since unit tests emulate users when configuring
oslo.config, we are better off relying on well known plugin aliases than
internal details.

For in-tree that may be not a big deal, but with it we set a bad example
for third parties that may later find their tests broken eg. when we
decide to move code around.

TrivialFix

Change-Id: I7bd036ac3df7e7f4c678356d0a793e7d38599dda
2016-07-27 10:40:22 +00:00
venkata anil 89cd4d07d1 Rename dvr portbinding functions
As part of making DVR portbinding implementation generic, we rename
dvr portbinding functions as distributed portbinding functions.
In next patch we make dvr logic for port binding generic,
to be useful for all distributed router ports(for example, HA).

Partial-Bug: #1595043
Partial-Bug: #1522980
Change-Id: I402df76c64299156d4ed48ac92ede1e8e9f28f23
2016-07-09 08:21:17 +00:00
Henry Gessau 4148a347b3 Use constants from neutron-lib
With this we enable the deprecation warnings by default.

Related-Blueprint: neutron-lib

Change-Id: I5b9e53751dd164010e5bbeb15f534ac0fe2a5105
2016-04-23 21:23:56 -04:00
Isaku Yamahata ad7b72963d unbreak unit test caused by c5fa665de3
The change set of c5fa665de3
introduced a new test TestMl2PortsV2.test_update_port_host_id_changed
which isn't always correct depending on driver.
ML2 driver may change port status to ACTIVE on port binding.
With such a driver, the test fails. Grep showed 5 decomposed drivers
don't have the assumption.
So this patch makes the test to run only _process_bind_port() without
calling full update_port() so that precommit/postcommit don't get
involved.

Change-Id: Ib034e2121914e5f253eb673261f26b4c8487f431
Closes-Bug: #1545218
2016-03-01 13:32:29 -08:00
Yatin Kumbhare 6b4be76e14 Fix params order in assertEqual
Fix params order to correspond to real signature:
assertEqual(expected, actual)

Change-Id: I722b998f6eae47076f3d10213073296a0a9a2081
Closes-Bug: #1277104
2016-02-03 11:54:29 +05:30
Robert Kukura 922dae45d0 Add unit tests for ML2 DVR port binding and fix PortContext inconsistencies
Extends the existing ML2 port binding unit tests to cover the
distributed port bindings used for DVR. Within the test mechanism
driver, bindings are tracked per-host, and additional assertions are
added.

Fixes issues with PortContext attributes that were exposed by these
new tests. Adds new vif_type, original_vif_type, vif_details, and
original_vif_details PortContext attributes, similar to the existing
host, original_host, status, and original_status attributes, to
reflect host-specific details of distributed (or normal) port
bindings. Also fixes original_host and original_status to return None
when in the context of an operation other than an update, and fixes
original_host to reflect the specific host being bound for a
distributed port.

Closes-bug: 1453943
Closes-bug: 1453955
Change-Id: I467db0d48e4b82fdaad8d851e294e639a84a8160
2015-05-11 17:03:31 -04:00
Maru Newby 1105782e39 Reorganize unit test tree
This change ensures that the structure of the unit test tree matches
that of the code tree to make it obvious where to find tests for a
given module.  A check is added to the pep8 job to protect against
regressions.

The plugin test paths are relocated to neutron/tests/unit/plugins
but are otherwise ignored for now.

Change-Id: If307593259139171be21a71c58e3a34bf148cc7f
Partial-Bug: #1440834
2015-04-06 23:28:31 +00:00