Commit Graph

790 Commits

Author SHA1 Message Date
Rodolfo Alonso Hernandez 70ddf4eef5 Add "socket" NUMA affinity policy
This new extension adds a new parameter to the NUMA affinity policy
list: "socket". The "socket" NUMA affinity policy has been supported
in Nova since [1].

[1]https://review.opendev.org/c/openstack/nova/+/773792

Closes-Bug: #2052786
Change-Id: Iad2d4c461a2aceef6ed2d5e622cce38362d79687
2024-03-21 16:04:24 +00:00
Takashi Kajinami bf83de893f Replace CRLF by LF
... because LF is now commonly used as newline code.

Change-Id: Iaeb970c3dc335c416329e9ec688d4a97898729c6
2024-01-27 12:31:49 +09:00
Rodolfo Alonso Hernandez 80f547ad1d Add a "port" child table "porthardwareoffloadtype"
This table has a 1:1 relationship with the "port" table, providing
the "hardware_offload_type" field (string).

The "neutron-lib" library minimum version is 3.8.0, that contains
[1].

NOTE: once the OSC patch is merged [2], the documentation will be
updated to reflect how to create a hardware offloaded port without
manually defining the port binding profile.

[1]https://review.opendev.org/c/openstack/neutron-lib/+/882726
[2]https://review.opendev.org/c/openstack/python-openstackclient/+/892792

Partial-Bug: #2013228
Change-Id: I04f232d6c43e39f254c4559caf041dcf05acec21
2023-08-19 06:08:51 +00:00
Rodolfo Alonso Hernandez f9b91289a5 Add policy enforcer for "tags" service plugin
The following resources have been updated with new policies for
tags:
* Port
* Subnet
* Network
* Router
* FloatingIP
* NetworkSegmentRange
* NetworkSegment
* SecurityGroup
* Trunk
* Subnetpool

The admin can now enforce specific policies for the resource tags
for the creation, update and deletion actions.

NOTE: a follow-up patch, with a new Launchpad bug reference, will
      be created to move the ``Tagging`` class from
      ``ExtensionDescriptor`` to ``APIExtensionDescriptor``, and
      refactor the ``TaggingController`` to be a standard
      ``neutron.api.v2.base.Controller``. Any API resource using
      the second controller will use the path used by the wsgi
      hooks, in particular the policy hook. That will make it unnecessary
      to manually call the ``policy.enforce`` method from the
      extension class methods.

Closes-Bug: #2037002
Change-Id: I9f3e032739824f268db74c5a1b4f04d353742dbd
2023-10-14 15:41:06 +00:00
Zuul 49709cacd6 Merge "Create a policy rule to control if a rule belongs to the default SG" 2023-10-11 12:47:03 +00:00
Zuul 8fdc6f7f31 Merge "Patch apidef for BFD/ECMP extra attributes" 2023-10-10 20:50:43 +00:00
Zuul ff30c01d5e Merge "Add missing extension classes for router BFD/ECMP extra attributes" 2023-10-10 20:50:37 +00:00
Rodolfo Alonso Hernandez 96223931ca Create a policy rule to control if a rule belongs to the default SG
The policy rule ``shared_security_group`` allows to create new policy
rules checking if a security group rule belongs or not to the project
default security group.

By default the behaviour has not changed. If an administrator wants
to prevent a non-privileged user from creating or deleting rules in the
default security group, the ``create_security_group_rule`` and
``delete_security_group_rule`` can be overridden. An example is provided
in the unit tests.

Closes-Bug: #2019960

Change-Id: I6c90b61df0e726ef07f177801069baf30c49de67
2023-10-09 14:11:55 +00:00
Rodolfo Alonso Hernandez e066cab875 Add a new extension "security-groups-rules-belongs-to-default-sg"
This new extension adds a new synthetic field, "belongs_to_default_sg",
to the security group rule OVO. This read only boolean field determines
if the security group rule belongs to a default security group or not.

This new field will be used in a new set of policy rules. By default,
these new rules will allow to create and delete security group rules
into the default security group of a project only to the admin user.

NOTE: the follow-up patch will introduce the policy rules check,
      during the creation/deletion operations, of the
      "belongs_to_default_sg" field and the user executing this action.

Partial-Bug: #2019960

Change-Id: I0b3ded52e1ff8160c5804c59635c0fd34ce9995b
2023-10-06 15:36:26 +00:00
Slawek Kaplonski a4c8392209 Default SG rules - use new rules templates to create rules for SGs
Default SG rules created as template in the Neutron DB are now used to
create security group rules for each new default and non-default SG
created in Neutron.

Closes-bug: #1983053
Change-Id: Iaf27deb955c3844409fcd36239511478e9607a82
2023-08-30 10:18:19 +00:00
Frode Nordahl 25728955c9 Patch apidef for BFD/ECMP extra attributes
The 'enable_default_route_bfd' and 'enable_default_route_ecmp'
extra attributes were added in neutron-lib change
I2618475636b2bb9bfd743a62f5d4859d4f68a547.

During review it was requested to make the default for these
values configurable.  This is not possible with the apidef
currently committed to neutron-lib.

In the interest of time before feature freeze, patch the apidef in
Neutron to allow for determining the default value at runtime.

As soon as an updated neutron-lib is available we can drop this
commit.

Change-Id: I2ab6b275a4867e488462c390fa16420ce8552850
2023-08-29 12:02:55 +02:00
Frode Nordahl 113f3f6689 Add missing extension classes for router BFD/ECMP extra attributes
Change I3fcd0458d20f20ce40378f90f073f37c41400865 added the
implementation for router BFD/ECMP extra attributes, but omitted
the APIExtensionDescriptor classes that are required for loading
the extension.

Partial-Bug: #2002687
Change-Id: I5f59087a1ff8d37f136ac88e50e0246de68455a8
2023-08-29 12:02:55 +02:00
Rodolfo Alonso Hernandez 4109ee9bb4 Use the new network HA parameter
This patch implements the new network HA boolean field API extension.
This field is an input only parameter for POST operations (creation).
By default is "False". When enabled, the Neutron server will create
a ``ha_router_networks`` register in the same transaction of the
network creation.

If by any circumstance (a race condition, for example), another
``ha_router_networks`` exists in the same project, a
``DBDuplicateEntry`` exception will be raised and the transaction
will be rolled back.

Partial-Bug: #2016198
Change-Id: Ie42c13ecbe4abcad9229b71f6942e393fd0f2e4e
2023-08-25 08:43:37 +00:00
Zuul d32c5f8f32 Merge "Fix some new pylint "R" warnings" 2023-07-28 06:58:46 +00:00
Brian Haley 929b383743 Fix some new pylint "R" warnings
After updating pylint, it started emitting additional "R"
warnings in some cases, fix some of them.

  use-a-generator,
  unnecessary-lambda-assignment,
  consider-using-max-builtin,
  consider-using-generator,
  consider-using-in,
  use-list-literal,
  consider-using-from-import

Trivialfix

Change-Id: Ife6565cefcc30b4e8a0df9121c9454cf744225df
2023-07-18 18:06:51 -04:00
Slawek Kaplonski e41fae522b Default SG api rules template - DB and OVO models
This patch adds DB model, OVO class and DB migration script for
SG rules template used for every new SG created.
It also implements Create/Get/Delete actions for that new resource and
adds API policies for those APIs

Related-Bug: #1983053
Change-Id: Ib3cde1710edd400b972f493b13666d0679a7753c
2023-07-07 10:43:34 +02:00
Zuul 6626fd9c9c Merge "Allow Multiple External Gateways" 2023-06-10 02:13:02 +00:00
Slawek Kaplonski 1b9a16c956 Add description field to the security_group_default_rules resource
This new resource has standard attributes and should expose description
field in the API.

Related-bug: #1983053
Change-Id: Ie2940e6c705e6692eaaf53f11d11b4b62cd0a51e
2023-05-25 12:48:30 +02:00
Slawek Kaplonski a72e97ddff Update api extension for default sg rules API
This patch adds two new attributes to the default SG rules API:
* "used_in_non_default_security_group",
* "remote_address_group_id"

Those new attributes are described in the proposed update to the related
spec in [1] and [2].

[1] https://review.opendev.org/c/openstack/neutron-specs/+/883267
[2] https://review.opendev.org/c/openstack/neutron-specs/+/883268

Related-bug: #1983053
Change-Id: Ic3e06460ac8294bfa882991eb678878b238735d7
2023-05-25 12:48:30 +02:00
Dmitrii Shcherbakov a221764751 Allow Multiple External Gateways
* Add a new API for adding/updating/removing multiple gateway ports
  on routers;

* Implement the necessary backend changes.

Partial-Bug: #2002687
Depends-On: I2618475636b2bb9bfd743a62f5d4859d4f68a547
Change-Id: Id885565e88f6f1898ca5cfac709a24dd62605d1a
2023-05-24 20:40:59 +03:00
Bence Romsics 97d658c4ce port-hint-ovs-tx-steering: shim extension
and a ML2 extension that does nothing, just loads the API extension.
All the real implementation is in the agent-side change.

To enable this:

* ml2_conf.ini:
  [ml2]
  extension_drivers += port_hint_ovs_tx_steering

Change-Id: I572072b3817484129a60ef68adf74ffd52b9eab8
Closes-Bug: #1990842
Related-Change (spec): https://review.opendev.org/c/openstack/neutron-specs/+/862133
Related-Change (n-lib api-def): https://review.opendev.org/c/openstack/neutron-lib/+/873112
2023-05-09 11:49:17 +02:00
Bence Romsics 0390ada97c port-hints: api extension
api extension
db model
db migration
ovo (including changes affecting push rpc)
extension driver
policies

To enable this:

* neutron-db-manage upgrade 6f1145bff34c
* ml2_conf.ini:
  [ml2]
  extension_drivers += port_hints

This patch also bumps neutron-lib requirement to 3.5.0.

Change-Id: I80816618285d742775bc0534510c0f874f84ed2e
Partial-Bug: #1990842
Related-Change (spec): https://review.opendev.org/c/openstack/neutron-specs/+/862133
Related-Change (n-lib api-def): https://review.opendev.org/c/openstack/neutron-lib/+/870080
2023-05-09 11:49:17 +02:00
Slawek Kaplonski d73f75c551 [API] Add API extension and definition for default SG rules
This patch adds API definition and API extension class for
security group rules templates API described in the spec [1].
API definition in this case is very similar to the securitygroup API
definition and uses same converters and validators which are still in
Neutron instead of neutron-lib repo. Because of that this new API
definition is proposed to the neutron repo first and will be rehomed to
neutron-lib together with security groups API definition later.

[1] https://specs.openstack.org/openstack/neutron-specs/specs/2023.1/configurable-default-sg-rules.html

Related-bug: #1983053
Change-Id: I3aafe1aba406a52bc2b57be5133dee15b8848796
2023-01-23 11:35:45 +00:00
zhouhenglc b534de966b [api]adds port_forwarding id when list floatingip
if we list floating ip and want to operate a port forwarding, we cannot
call the update 'port forwarding' api, because we don't know the port
forwarding id.
this patch adds the port forwarding returned contents: 'id' and
'internal_port_id' when list floatingip.

Closes-bug: #1971646
Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/840584

Change-Id: Ie1d9169cd07547491144776311d77d49b483d5ae
2022-08-26 08:45:09 +08:00
Rodolfo Alonso Hernandez bd60f0833b Implement specific tracked resource count method per quota driver
This patch implements a new method specific for each quota driver
class. This method, "get_resource_count", returns the current number
of resources created in a project of a tracked resource. A tracked
resource is an instance of ``neutron.quota.resource.TrackedResource``.
This method does not count the current reservations, just the actual
resources created.

This new method, "get_resource_count", will be added to the abstract
class ``neutron_lib.db.quota_api.QuotaDriverAPI``.

This patch also fixes ``TestDbQuotaDriverNoLock``, that was using a
plugin inheriting from ``DbQuotaDriver`` instead of
``DbQuotaNoLockDriver``.

Closes-Bug: #1982962

Change-Id: I2707506468cb60d93a4459ea364f1e79faa83838
2022-07-28 06:01:18 +02:00
Brian Haley 58b1df699d Fix some pylint indentation warnings
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
some of them, about 10%.

Feel free to reject if we think it will cause too much
trouble with cherry-picks, else I'll slowly work my way
through the rest of the tree.

Trivialfix

Change-Id: I3d484d11e273cb8ee617f9445a069887e7b2b89f
2022-07-01 17:52:59 -04:00
sunxifa 326c0076ef Update port-mac-address-override shim extension
The port-mac-address-override shim extension proposed in
I54b4c85ffc4856fba7ad5e9e29f77f74815e1275 in neutron-lib has merged
and the neutron-lib has been released. So this patch updates the
API extension and replaces the import with the new neutron_lib api
definitions.

Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/831935

Change-Id: Ic332769af532003a9a5b2d2cee38b6210b5aac91
Related-Bug: #1942329
2022-06-04 15:19:52 +08:00
Brian Haley 6012ba074f Start using security-groups-shared-filtering from neutron-lib
Remove security_groups_shared_filtering_lib extension and
use security-groups-shared-filtering from neutron-lib as
it is available since version 2.17.0 [0].

[0] https://review.opendev.org/c/openstack/neutron-lib/+/812617

Change-Id: Ife9b1ae47f5b447898bce0d8b44500f91f6dfbfb
Related-Bug: #1942615
2022-05-19 12:51:15 -04:00
Zuul cab15b15e2 Merge "Update port MAC from binding profile for PFs" 2022-04-25 12:54:29 +00:00
Balazs Gibizer 4e78aaa694 Update port MAC from binding profile for PFs
Today Nova updates the mac_address of a direct-physical port to reflect
the MAC address of the physical device the port is bound to. But this
can only be done before the port is bound. However during migration Nova
is not able to update the MAC when the port is bound to a different
physical device on the destination host.

This patch extends port binding logic for direct-physical ports to allow
providing the MAC address of the physical device via the binding profile.
If it is provided then Neutron overwrites the value of the mac_address
field of the port with the value from the active binding profile.

Also when the port is being unbound or the MAC address is removed from
the active binding profile then neutron resets the mac_address field of
port to a generated MAC to avoid duplicated MAC issues when another port
is being bound to the same physical device.

The shim API extension for this change is being proposed in
I54b4c85ffc4856fba7ad5e9e29f77f74815e1275 in neutron-lib.

Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/831935

Closes-Bug: #1942329

Change-Id: Ib0638f5db69cb92daf6932890cb89e83cf84f295
2022-04-21 11:31:05 +02:00
Andrew Karpow c0bf560fa3 Force security_group_id uuid validation of sg rules
security_groups_db._check_security_group is supposed to check the
security_group_id of the _create_security_group_rule payload.
When using an integer e.g. 0, as security_group_id, the check
succeeds because mysql accepts the following query:

SELECT * FROM securitygroups WHERE id in (0)

Forcing validation of security_group_id as uuid fixes the problem

Closes-Bug: #1968343
Change-Id: I7c36b09309c1ef66608afacfb281b6f4b06ea5b8
2022-04-08 18:41:21 +02:00
Zuul 2f4661c876 Merge "Extend database to support portforwardings with port range" 2022-03-16 17:34:14 +00:00
Zuul fd4db01242 Merge "Support filtering for QoS rule type list" 2022-03-15 15:42:10 +00:00
Pedro Martins b271c82d10 Extend database to support portforwardings with port range
This patch is the second of a series of patches
to implement floating ip port forwarding with
port ranges.

The specification is defined in:
https://github.com/openstack/neutron-specs/blob/master/specs/wallaby/port-forwarding-port-ranges.rst

Implements: blueprint floatingips-portforwarding-ranges
Related-Bug: #1885921
Change-Id: I43e0b669096df865f37c74ddbd050b3b177fd5e5
2022-03-15 09:10:23 -03:00
Slawek Kaplonski 3ac4b0d634 Remove _standard_attr_segment_lib and use definition from neutron-lib
It is available in Neutron lib since version 1.16 so pretty long time
now.

Also use segment api definition from neutron-lib, it's available
since version 1.19.0. The api definition from neutron-lib also
avoids circular dependency b/w standard-attr-segment and segment
extension[1].

[1] https://review.opendev.org/c/openstack/neutron-lib/+/577866

Change-Id: I13699f8c494a15d8bb9e13f767f2725f7cab9f4f
Related-Bug: #1765008
2022-02-28 18:04:43 +05:30
Rodolfo Alonso Hernandez 2f944d3105 Support filtering for QoS rule type list
Added support for filtering the QoS rule type list command.
Two new filter flags are added:
- all_supported: if True, the listing call will print all QoS rule
  types supported by at least one loaded mechanism driver.
- all_rules: if True, the listing call will print all QoS rule types
  supported by the Neutron server.

Both filter flags are exclusive and not required.

Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/827533

Closes-Bug: #1959749
Change-Id: I41eaab177e121316c3daec34b309c266e2f81979
2022-02-24 08:28:53 +00:00
Przemyslaw Szczerbik 084bb163f2 Add qos-pps-minimum-rule-alias API extension
Introduce a new API extension to enable GET, PUT and DELETE
operations on QoS minimum packet rate rule without specifying
policy ID.

Partial-Bug: #1922237
See-Also: https://review.opendev.org/785236
Change-Id: Ia083b5ac98c9e18ddbcdd2e0fc46f2f8432a628c
2022-02-07 11:52:46 +01:00
Yang JianFeng a0a25cb15c [Server Side] L3 router support ndp proxy
Change-Id: I9b92702af8a235443a2fa1aea3997f3d40a03fc3
Partial-Bug: #1877301
2022-02-03 10:07:46 +08:00
Zuul 30951fcdfa Merge "Quota engine to accept --force parameter in limit update" 2022-01-29 08:11:29 +00:00
Rodolfo Alonso Hernandez bd38ba77dc Adopt rehomed QoS FIP extension from neutron-lib 2.18.0
Trivial-Fix

Change-Id: I804f55701c3c92c13eecb5f12c3fcac8f428f415
2021-12-23 06:02:00 +00:00
Rodolfo Alonso Hernandez 8a9b9211d1 Quota engine to accept --force parameter in limit update
Neutron quota engine now accepts "--force" parameter in quota limit
update command. This is currently the default behaviour: the quota
engine does not check the resource usage before updating the quota
limit.

However, this is an intermediate step before changing the quota engine
behaviour. In Z+ (the exact release is not defined yet), the quota
engine will require "--force" parameter to set a quota limit regardless
of the resource usage. By default, the engine will check it.

Partial-Bug: #1953170
Change-Id: Ic1132a731f02109233fb80937791cbe7bc3ca0c5
2021-12-09 09:21:19 +00:00
Rodolfo Alonso Hernandez 42cfa055c2 Add network QoS inheritance to floating IP
Added information of the floating IP network QoS policy to the
``FloatingIP`` OVO. The view-only parameter added allows to check
the network QoS policy in the floating IP object.

This patch does not implement any change in the L3 code (OVS or
OVN). This patch does not change any existing behaviour.

NOTE: bump neutron-lib version

Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/817936

Partial-Bug: #1950454
Change-Id: I9d7bb54b14fb983161fdf51c96b6fda107db4fe6
2021-11-24 09:01:09 +00:00
Zuul b4dd7003db Merge "Add Local IP Extension and DB" 2021-11-17 20:50:43 +00:00
Oleg Bondarev cd1d96863e Add Local IP Extension and DB
This adds Local IP API extension, DB and OVO models, DB mixin,
migration and service plugin.

Partial-Bug: #1930200
Change-Id: I0ab7c5e9bc918f7fad282673ac6e32e1b01985c5
2021-11-11 10:08:23 +03:00
Zuul f97baa0b16 Merge "Check quota limits" 2021-11-04 10:10:06 +00:00
Zuul 6e9a368891 Merge "Add shared field to SG API response and filter" 2021-11-02 01:20:21 +00:00
Rodolfo Alonso Hernandez 5a7a8db0d8 Check quota limits
When "check_limit" parameter is passed in a quota update request,
the Neutron server checks the current resource usage before updating
the quota limit. If the new quota limit is below the resource usage,
an exception is raised.

This parameter was added in [1][2].

[1]https://review.opendev.org/c/openstack/openstacksdk/+/806254
[2]https://review.opendev.org/c/openstack/python-openstackclient/+/806016

Closes-Bug: #1936408

Change-Id: I5a6fb65694498dd7d8f403ea04dc1fe72b8c938d
2021-10-27 12:33:18 +00:00
Przemyslaw Szczerbik 8db15cb2f3 Add port-resource-request-groups extension
port-resource-request-groups extension provides support for the
new format of resource_request. The new format allows to request
multiple groups of resources and traits from the same RP subtree.

Closes-Bug: #1943724
Partial-Bug: #1922237
Depends-On: https://review.opendev.org/c/openstack/tempest/+/809168/
See-Also: https://review.opendev.org/785236
Change-Id: I99a49b107b1872ddf83d1d8497a26a8d728feb07
2021-10-21 14:30:07 +02:00
Hang Yang 4bd1c82213 Add shared field to SG API response and filter
Add the shared field to security group API responses and support
using shared as a query filter.

A follow-up patch will remove the temporary api def once it is merged
and released in neutron-lib.

Related-Bug: #1942615
Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/812617
Change-Id: Ic04be8f0b7097c8aed19365f06089aa7af333eb9
2021-10-07 14:49:19 -05:00
Zuul 79c2b5f05d Merge "Add API extension for QoS minimum pps rule" 2021-09-30 11:17:24 +00:00