When the port_forwarding service plugin is enabled and a vlan or flat
network (provider network types) is configured as one of the
tenant_network_types in the ML2 config, there is an issue with
centralized and distributed traffic.
FIP port forwarding in the ovn backend is implemented as OVN Load
balancers and thus is always centralized, but if
"enable_distributed_floating_ip" is set to True, FIPs are distributed.
In such a case it won't work as expected, as it either tries to send
FIP PF's traffic as distributed when "reside-on-redirect-chassis" for
LRP is set to "false", or tries to centralize everything (even FIP
which should be distributed) when "reside-on-redirect-chassis" is set
to "true".
It's not really easy to avoid that issue from the code, so this patch
adds a warning in the upgrade checks and also logs a warning about it
during start of the neutron server process to at least warn the cloud
admin that such a potential issue may happen in the cloud.
Related-Bug: #2028846
Change-Id: I398f3f676c59dc794cf03320fa45efc7b22fc003
Prior to this patch, ML2/OVS and ML2/OVN had inconsistent IGMP
configurations. Neutron only exposed one configuration option for IGMP:
igmp_snooping_enabled.
Other features such as IGMP flood, IGMP flood reports and IGMP flood
unregistered were hardcoded differently on each driver (see LP#2044272
for more details).
These hardcoded values have led to many changes over the years tweaking
them to work on different scenarios but they were never final because
the fix for one case would break the other.
This patch introduces 3 new configuration options for these other IGMP
features that can be enabled or disabled on both backends. Operators
can now fine tune their deployments in the way that will work for them.
As a consequence of the hardcoded values for each driver we had to break
some defaults and, in the case of ML2/OVS, if operators want to keep
things as they were before this patch they will need to enable the new
mcast_flood and mcast_flood_unregistered configuration options.
That said, for ML2/OVS there was also an inconsistency with the help
string of igmp_snooping_enabled configuration option as it mentioned
that enabling snooping would disable flooding to unregistered ports but
that was not true anymore after the fix [0].
[0] https://bugs.launchpad.net/neutron/+bug/1884723
Closes-Bug: #2044272
Change-Id: Ic4dde46aa0ea2b03362329c87341c83b24d32176
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
This patch removes the compatibility with OVN under v20.09. That
implies the OVN Southbound definition has "Chassis_Private" table.
Any previous check is removed from the code.
This patch also adds a sanity check, testing that the OVN Southbound
database definition is greater than or equal to 2.9.0 [1].
The testing OVN NB and SB schemas are updated to the files contained in
OVN v22.09. The new testing NB schema version is 6.3.9; the new testing
SB schema version is 20.25.0.
[1] 4adc10f581
Closes-Bug: #2002839
Change-Id: Iec8854749a1df81eb6a7154d3f951e176c69156d
Support for the required DHCPv6 options was recently added in core
OVN with [1].
This patch adds support for that in the ML2/OVN backend as well, thereby
closing one of the gaps between the ML2/OVN and ML2/OVS backends.
This patch also adds an upgrade check to check the OVN version in use and
warn operators if native OVN DHCP is used for BM provisioning and the OVN
version is older than 23.06.0.
Unfortunately there is no easy way to check the version of OVN in use, so
the check relies on the ovnnb schema version.
[1] c5fd51bd15
Closes-Bug: #2030520
Change-Id: Iaa3ff8e97021e44f352e5a9a370714bf5f1d77b8
Each network type name is defined as a constant in neutron-lib. This
replaces the remaining strings with the common constants.
This change ignores test code because updating all test code brings
little gain while it touches a huge number of lines.
Change-Id: I26ee715209d7d3f12c39c9e05d4fb9953b9b9537
Most code uses convert_version_to_tuple() from
oslo_utils.versionutils to determine minimum version
numbers, but there were two places that used the
packaging.version class instead. Change to always
use the same code throughout the tree.
Also added a flake8 enforcement check for it so we
don't regress.
TrivialFix
Change-Id: Ida4dcd504562646f0a450160e57680a44c387b1d
When running the OVN db sync tool, the log messages are
inconsistent between functions. Attempt to sanitize them
so the output is a little more structured by:
1) Always logging a start/end time for each major section
2) Always use LOG.warning when fixing inconsistencies
3) Be consistent using 'OVN NB/SB DB' in messages
4) Try to use full name of object being updated, for example,
'floating IP' not 'fip'
Also fixed the following:
1) Only drop into blocks if in SYNC_MODE_REPAIR and there
is work to be performed
2) Random text fix-ups
Functionally the code is unchanged.
Trivialfix
Change-Id: I6060745aff0f5bc0037fb74568d81d27f3d91313
The current shebang requires /usr/bin/python which is not available in
Ubuntu Jammy by default.
This also fixes some unnecessary/missing shebangs.
Change-Id: Ib25a0a7f39f68f43622609391710dd3b1abc2d00
Since [1], present in oslo.log 5.3.0, the ``log.setup`` method is
unpatching the eventlet thread module. That is causing several problems
in some Neutron services, in particular the keepalived-state-change
service.
Within this oslo.log version, the patch [2] is provided to call this
method without unpatching any eventlet module.
This patch is also bumping the minimum required version of oslo.log
to 5.3.0, in order to call the ``log.setup`` method with the kwarg
"fix_eventlet=False".
[1] https://review.opendev.org/c/openstack/oslo.log/+/852443
[2] I4bbcfe7db6d75188e61b9084cb02b2dd2aaa0c76
Closes-Bug: #2037239
Change-Id: Iea77d20bec330b692e3e8c9e38b3a62e2047b4f4
As an operator, we want to set oslo_reports/file_event_handler because
when running behind a wsgi server, GMR cannot register the Signal to be
triggered.
The parameter file_event_handler has been designed for this specific use
case but it was not used correctly by neutron.
Closes-Bug: #2021814
Change-Id: Id13de1a3f9ea2eaaa7521eedf905aa0dd993ff89
Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
This patch implements a more resilient approach to handle the case
where Neutron API workers are killed and restarted. Instead of marking
all nodes for that host as offline, this patch tries to remove the
worker that was killed from the Hash Ring, leaving all other nodes for
that host online.
In case we fail to remove the node and another entry is added upon the
restart of the worker, this patch also logs a clear critical log message to
alert the operator that there are more Hash Ring nodes than API workers
(it's expected to be the same) and that OVSDB events could go missing if
they are routed to the previous node that failed to be removed from the
ring.
Closes-Bug: #2024205
Change-Id: I4b7376cf7df45fcc6e487970b068d06b4e74e319
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
dnsmasq 2.86 has a known issue where it segfaults
with configuration refresh. 2.87 has the fix included.
This patch adds a sanity check to warn users if running
a buggy version.
Related-Bug: #2026757
Change-Id: Id4f26c8a9aa6c18b9471349131a5a2b63d375772
This patch implements the proposed solution from LP #2024205 where upon
a Neutron being killed, it could trigger the deletion of the entries
from the ovn_hash_ring table that match the server hostname. When
this happens on all controllers this could lead to the ovn_hash_ring
being rendered empty which will result in ML2/OVN not processing any
OVSDB events.
Instead of removing the nodes from the ovn_hash_ring table at exit, this
patch changes the code to just mark them as offline instead. That way,
the nodes will remain registered in the table and the heartbeat thread
will set them as online again on the next beat. If the service is
stopped properly there won't be any heartbeat anymore and the nodes will
be seen as offline by the Hash Ring Manager (same as if they were
deleted).
For more info see LP #2024205.
Closes-Bug: #2024205
Change-Id: I052841c87651773c4988fcf39f9f978094297704
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
There could be only one HA network per project. This database
enforcement guarantees this limitation.
Partial-Bug: #2016198
Change-Id: Ieb8aac6244d384b0af522f9ba145e9367de2c8ef
In ``cmd.upgrade_checks.checks``, there are some methods that access
the database. The queries are now inside a database context (reader or
writer depending on the query).
Closes-Bug: #2019119
Change-Id: I35b1311576bcf1681ab4932f0baeb4cd3099301c
The output of this method should be compared to a 3 element
tuple.
This patch changes the minimum versions of the supported
features to have 3 elements too. These are the version changes
and their justifications:
* OVN_NB_DB_SCHEMA_GATEWAY_CHASSIS = '5.7.0'
  Version reported in LP#2008077
* OVN_NB_DB_SCHEMA_PORT_GROUP = '5.11.0'
  Version reported in LP#1946023
* OVN_NB_DB_SCHEMA_STATELESS_NAT = '5.17.0'
  Version reported in LP#1949494
* OVN_SB_DB_SCHEMA_VIRTUAL_PORT = '2.5.0'
  Version reported in LP#1949496
* OVN_LOCALNET_LEARN_FDB = '22.09.0'
  Version reported in LP#1946023. In fact, the version
  supporting this feature is older.
Closes-Bug: #2017878
Change-Id: Idc19b30e2453b4d68473b488dba226dc48be9efe
In OVN 22.09, the option "localnet_learn_fdb" was added so that
localnet ports can learn MAC addresses and store them in the FDB
table. This avoids flooding issues for VMs on provider networks
when port security is disabled.
Closes-Bug: #2012069
Change-Id: I93574b4fe9a79b649bfe755cf7e0697ccc7eb83a
This new method retrieves the config option "rpc_workers" from the
configuration. If this option is not loaded, the method registers
the ``neutron.conf.service.SERVICE_OPTS`` options before reading
the knob again.
Closes-Bug: #2004656
Related-Bug: #1889737
Change-Id: I1f99cb32f33cc91141136cb4e3fbd33715530c59
In Change Ib597b62017b56b41009dd4d7359e169f424272b0, the 'qos'
service_plugin is enabled when doing an ovn_db_sync. However, if the
'qos' extension_driver is not installed, it will error out.
Append 'qos' extension_driver when using sync to fix this issue.
Closes-Bug: #1988577
Change-Id: I422d86b8e5650ced4e2cc722cea9cc30061905b4
This patch implements the OVN Neutron Agent executable, the extension
manager engine, the agent extension abstract class and the configuration
section.
Related-Bug: #1998608
Change-Id: I94bb98217e03f9ac314cb9723da277a23368649c
While creating bridges, pass the optional argument 'datapath_type'.
This parameter is read from openvswitch.ini conf file.
Closes-Bug: #1842517
Change-Id: I05f0484636e4da6290c750a1eabd5f9d09588008
The ``neutron-remove-duplicated-port-bindings`` script removes the
duplicated port binding registers ("ml2_port_bindings" table) that
have status=INACTIVE.
This patch also removes the corresponding port binding levels
("ml2_port_binding_levels" table) associated to those inactive port
bindings.
Closes-Bug: #2000078
Change-Id: I12fa0764cd0ff509f1859b61060d64cc5a54a7b9
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
some remaining ones in miscellaneous directories.
Also cleanup any remaining code that I missed in this
series, or has changed since I started.
Trivialfix
Change-Id: I17b4779020a7bfb369c3e721ab6638cd4a6ab50c
For multi segments support we have updated the unique constraint so
`segment_index` will be part of it.
Related-Bug: #1791233
Partial-Bug: #1956435
Partial-Bug: #1764738
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
Change-Id: Ic564131dcd7525fc5f24c3282688e3584cd2e2e0
MechanismDriverContext has an attribute _plugin_context, which carries
the current context with it. This is used by many ml2 drivers, as it is
the only way for them to get the current context. We now make this a
public API by adding a property to MechanismDriverContext that returns
_plugin_context as a read-only attribute.
Change-Id: If9b05655286f42081cf26c90c563429ca2e63244
A new script to remove the duplicated port bindings was added. This
script will list all ``ml2_port_bindings`` records in the database,
finding those ones with the same port ID. Then the script removes
those ones with status=INACTIVE. This script is useful to remove
those leftovers that remain in the database after a failed live
migration.
"dry_run" mode is possible if selected in "[cli_script] dry_run"
boolean config option. The duplicated port bindings are printed in
the shell but not deleted.
Related-Bug: #1979072
Change-Id: I0de5fbb70eb852f82bd311616557985d1ce89bbf
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
some of them, about 10%.
Feel free to reject if we think it will cause too much
trouble with cherry-picks, else I'll slowly work my way
through the rest of the tree.
Trivialfix
Change-Id: I3d484d11e273cb8ee617f9445a069887e7b2b89f
Library "distutils" will be marked as deprecated in Python 3.10:
https://peps.python.org/pep-0386/
This patch does the following replacements, that provide the same
functionality and API:
- distutils.version.StrictVersion -> packaging.version.Version
- distutils.spawn.find_executable -> shutil.which
Closes-Bug: #1973780
Change-Id: Iad96ad3e7055f71c629efbe80070adbe297cd7aa
convert_to_sanitized_binding_profile_allocation was added to Neutron
temporarily before [1] was merged and released in neutron-lib.
[1]: https://review.opendev.org/c/openstack/neutron-lib/+/813650
Related-Bug: #1922237
Change-Id: I953b96d97076cd6a80fff6e97e2fd956da737d46
Continue the similar approach followed in [1], where some project imports
collide with config options.
As part of the change, a wrapped decorator has been implemented to cover
those functions that include any of the ovn config options as a value to
the decorator's arguments (e.g. tenacity retry). This way we avoid
requiring the options to be registered as soon as the module is imported,
where they have not yet been registered by a main process.
[1] https://review.opendev.org/c/openstack/neutron/+/837392
Co-authored-by: Jakub Libosvar <libosvar@redhat.com>
Co-authored-by: Fernando Royo <froyo@redhat.com>
Change-Id: I4bccb094ee7f690cbc352c38b5b39d505e6ea460
Neutron API server was not using eventlet monkey patch,
thus eventlet threads couldn't be properly yielded.
This patch sets API neutron server like other monkey patched
neutron services: neutron-server and neutron-rpc-server.
NOTE: this change needs an apache service restart. Apache
mod_wsgi auto reload can lead to SSL RecursionError.
Co-Authored-By: Szymon Wroblewski <szymon.wroblewski@ovhcloud.com>
Closes-Bug: 1970216
Change-Id: Ib62c049cc521a548ab7e7e9584b19bdaa67b1c9d
Importing some modules leads to registering config options that may
collide with config options from a project that calls the import. This
patch wraps the side effect that registers config options into a
function that needs to be called in case the caller wants to register
the options.
This solution is also not perfect as it guards the common options to be
registered only once even if the function is called multiple times. This
is to solve problems in unittests; ideally we should always call the
function just once even in our testing suites.
Resolves-Bug: #1968606
Change-Id: Ic1532eb8de887ff1b1085206df11f53e22f7f524
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>