Commit Graph

14084 Commits

Author SHA1 Message Date
Miguel Lavalle 8ff8203fd7 Enable HA for OVN router flavors
In this change, we add the ability to create high availability
user defined router flavors under the ML2/OVN L3 service
plugin.

Closes-Bug: #2020823

Change-Id: I0d26f672d6239d840d3cf817a2553a06ef00a854
2024-03-26 20:07:52 -05:00
Zuul 01a6684dd0 Merge "Don't delete already deleted extra router routes" 2024-03-26 17:34:23 +00:00
Zuul 0590bcda68 Merge "Fixing the 500 HTTP code in the metadata service if Nova is down" 2024-03-26 16:42:10 +00:00
Anton Kurbatov 6395b4fe8e Fixing the 500 HTTP code in the metadata service if Nova is down
If the Nova metadata service is unavailable, the requests.request()
function may raise a ConnectionError. This results in the upper code
returning a 500 HTTP status code to the user along with a traceback.
Let's handle this scenario and instead return a 503 HTTP status code
(service unavailable).

If the Nova service is down and is behind another proxy (such as
Nginx), then instead of a ConnectionError, the request may result in
receiving a 502 or 503 HTTP status code. Let's also consider this
situation and add support for an additional 504 code.

Closes-Bug: #2059032
Change-Id: I16be18c46a6796224b0793dc385b0ddec01739c4
2024-03-26 12:14:08 +00:00
Miguel Lavalle 9d729bda20 Check unspecified flavor in user defined driver
In order to decide whether to process a router related
request, the user defined router flavor OVN driver needs to
check the flavor_id specified in the request. This change adds
the code to test the case when the API passed the flavor_id as
unspecified.

Change-Id: I4d7d9d5582b97246cad63ef7f5511b159d6c6791
Closes-Bug: #2059051
2024-03-25 17:30:01 -05:00
Zuul 4e9d03d29f Merge "Fix used-before-assignment warnings" 2024-03-22 01:27:48 +00:00
Zuul 57f48b03ac Merge "Fix disallowed-name warnings" 2024-03-22 01:27:40 +00:00
Rodolfo Alonso Hernandez 70ddf4eef5 Add "socket" NUMA affinity policy
This new extension adds a new parameter to the NUMA affinity policy
list: "socket". The "socket" NUMA affinity policy has been supported
in Nova since [1].

[1] https://review.opendev.org/c/openstack/nova/+/773792

Closes-Bug: #2052786
Change-Id: Iad2d4c461a2aceef6ed2d5e622cce38362d79687
2024-03-21 16:04:24 +00:00
Zuul e5d0877045 Merge "Enhance IptablesFirewallDriver with remote address groups" 2024-03-21 10:08:15 +00:00
Robert Breker 5e1188ef38 Enhance IptablesFirewallDriver with remote address groups
This change enhances the IptablesFirewallDriver with support for remote
address groups. Previously, this feature was only available in the
OVSFirewallDriver. This commit harmonizes the capabilities across both
firewall drivers, and by inheritance also to OVSHybridIptablesFirewallDriver.

Background -
The Neutron API allows operators to configure remote address groups [1],
however the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do
not implement these remote group restrictions. When configuring security
group rules with remote address groups, connections get enabled
based on other rule parameters, ignoring the configured remote address
group restrictions.
This behaviour is undocumented, and may lead to more-open-than-configured network
access.

Closes-Bug: #2058138
Change-Id: I76b3cb46ee603fa5e829537af41316bb42a6f30f
2024-03-20 22:20:45 +00:00
Miguel Lavalle 26ff51bf05 Fix making all user defined flavor routers HA
Since [1] was merged, user defined flavor routers with the HA
attribute set to False cannot be created. This change fixes
it.

Closes-Bug: #2057983

[1] https://review.opendev.org/c/openstack/neutron/+/910889

Change-Id: Ic72979cfe535c1bb8cba77fb82a380c167509060
2024-03-18 19:20:03 -05:00
Zuul 00355e092d Merge "[OVN] Use the LSP update event to update the LRP" 2024-03-15 10:30:43 +00:00
Zuul 24a7f20a5e Merge "[OVN] Add the network type to the ``Logical_Switch`` register" 2024-03-15 10:30:38 +00:00
Zuul c0f113073d Merge "[OVN] Implement OVN agent metadata extension" 2024-03-14 16:49:40 +00:00
Sebastian Lohff 27b2f22df1 Don't delete already deleted extra router routes
When handling the deletion of extra routes we need to handle the case
that the route has already been deleted by another call between the time we
fetched the extra routes and the time we try to delete it. This is a classic race
condition when two calls try to update the routes of a router at the
same time. The default MariaDB/MySQL transaction isolation level does
not suffice to prevent this scenario. Directly deleting the route
without fetching it solves this problem.

Change-Id: Ie8238310569eb7c1c53296195800bef5c9cb92a3
Closes-Bug: #2057698
2024-03-13 11:21:32 +01:00
Rodolfo Alonso Hernandez f82c650c8c [OVN] Add the network type to the ``Logical_Switch`` register
Now the ``Logical_Switch`` register (that represents an OVN network)
stores the network type in the "external_ids" field.

Related-Bug: #2056558
Change-Id: I9e55a7412d841b7b59602c56c3a4e2f9c954aeed
2024-03-13 07:38:03 +00:00
Arnau Verdaguer 2a196fefd4 Fix TestOVNMechanismDriver ipv6 tests
- test_update_subnet_dhcp_options_in_ovn_ipv6_not_change
- test_enable_subnet_dhcp_options_in_ovn_ipv6
These tests will fail if the host where the unit tests run has ipv6 dns_servers
configured. This patch mocks get_system_dns_servers so the tests do not
look at the host configuration.

Closes-Bug: #2056778
Change-Id: I2e703ab4b63c90d7a14f0dc41d37b0a98163bce0
2024-03-11 17:30:11 +01:00
Rodolfo Alonso Hernandez 0fd654f592 [OVN] Use the LSP update event to update the LRP
Now the "Logical_Router_Port" is updated when a "Logical_Switch_Port"
event is received. When the event is received, it is first checked that
the "Logical_Switch_Port" belongs to a router; if that check is
positive, the router port update method is called.

Closes-Bug: #2056558
Change-Id: I13b4c804ea6a9f8a89d3796c1cec88ffa1de6ded
2024-03-10 04:39:40 +00:00
Rodolfo Alonso Hernandez b8953b543a [OVN] Enable "ha" API flag for OVN routers
The "ha" API flag is now enabled for the OVN routers. Because of the
current implementation, this flag must be always "True". When a new
router is created, this flag is always set. If an OVN router is
explicitly created or updated with "--no-ha" (ha=False), the server
will raise an InvalidInput exception.

Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/911081

Closes-Bug: #2020823
Change-Id: I60ff33680dd5397a226a9051d51bfb0701f862b5
2024-03-06 18:42:29 +00:00
Zuul 5de90ff9c4 Merge "Use the system-dependent string for IP protocol 4" 2024-03-06 18:28:59 +00:00
Zuul c6b9106784 Merge "[FT] Check "Port_Binding" register exists before checking type" 2024-03-06 12:25:42 +00:00
Zuul 91ec092987 Merge "Fix pointless-string-statement warnings" 2024-03-06 12:25:26 +00:00
Zuul 3d1abd3343 Merge "Fix misplaced-bare-raise warning" 2024-03-06 12:25:18 +00:00
Zuul ecbe2a2059 Merge "Fix import-outside-toplevel warnings" 2024-03-06 12:12:54 +00:00
Zuul 36c6da46e5 Merge "Allow HA routers to have automatic l3agent failover" 2024-03-06 09:32:43 +00:00
Brian Haley cd1d191e33 Use the system-dependent string for IP protocol 4
iptables-save uses a system-dependent value, usually that
found in /etc/protocols, when 'ipip' is given as the
security group protocol. The intent is to always use the
string value for IP protocol '4', as iptables-save has no
'-n' flag to print values numerically.

This updates a previous change (793dfb04d) that hard-coded
that string to 'ipencap', which broke CentOS/Fedora, which
uses 'ipv4'.

For this reason we cannot hard-code anything in neutron-lib; this
needs to be added dynamically, so this one-line change needs to stay
here and effectively closes the bug.

Closes-bug: #2054324
Change-Id: Ic40b539c9ef5cfa4cbbd6575e19e653342e8342b
2024-03-05 15:36:17 -05:00
Rodolfo Alonso Hernandez fe31f4fe02 [OVN] Implement OVN agent metadata extension
This patch is implementing the OVN agent metadata extension, by reusing
the OVN metadata class. The class ``MetadataAgent`` is inherited in the
``MetadataExtension`` class. The goal is to use the same code in both
implementations (until the OVN metadata agent is deprecated).

The OVN agent metadata extension has a different initialization
process. The OVN and OVS IDL connections are created during the
extension initialization but are not accessible. The ``start`` method
is used to load the configuration, execute the sync process and
register the metadata extension.

This extension will replace the need for the OVN metadata agent. The
deprecation of this agent will imply refactoring the existing code
that is now shared between both agents.

This new OVN agent will be tested in the "neutron-tempest-plugin-ovn"
CI job, after the change done in the following patch.

Needed-By: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/909860

Partial-Bug: #2017871
Change-Id: I4381a67648a9b6198a8d936db784964d74dc87a1
2024-03-05 16:44:34 +00:00
Zuul c4c14f9589 Merge "[OVN] Set MTU of the VETH interfaces between OVS and metadata" 2024-03-05 09:48:42 +00:00
Zuul 729937f6d2 Merge "[OVN] Make mandatory the router name in the LRP.external_ids" 2024-03-04 14:23:07 +00:00
Rodolfo Alonso Hernandez 8b007e6366 [FT] Check "Port_Binding" register exists before checking type
In "test_virtual_port_host_update_upon_failover", it is needed to check
if the "Port_Binding" register exists before checking the type.

Closes-Bug: #2055886
Change-Id: I8a6b3498803bcba592a82dfbe43a39137dd12fa2
2024-03-04 14:00:07 +00:00
Zuul 96558ac77a Merge "Fix iptables mapping of 'ipip' protocol" 2024-03-04 10:44:58 +00:00
Rodolfo Alonso Hernandez b5aecfeff8 [OVN] Make mandatory the router name in the LRP.external_ids
The router name will be always defined in the "Logical_Router_Port"
external_ids field.

Related-Bug: #2052821
Change-Id: Ia2f70363963dca9f035eff8d1ff0c399dc8b9239
2024-03-04 08:10:48 +00:00
Zuul 310a96a302 Merge "[ovn] Add support for enable_default_route_bfd attribute" 2024-03-01 23:04:54 +00:00
Zuul 40815c7086 Merge "Make common Metadata Driver classes" 2024-03-01 20:59:48 +00:00
Zuul afe001cf63 Merge "[OVN] Remove OVN_GATEWAY_INVALID_CHASSIS artifact" 2024-03-01 20:38:48 +00:00
Zuul fffcab9f68 Merge "[ovn] Ensure OVN DB update on change of number of GW ports" 2024-03-01 12:43:55 +00:00
Zuul 6106eefdf8 Merge "[OVN][FT] Check ``WaitForCreatePortBindingEvent`` wait result" 2024-03-01 11:03:06 +00:00
Zuul 44159ca659 Merge "[OVN] Identify the LR GW port with "external_ids:neutron:is_ext_gw"" 2024-03-01 07:53:15 +00:00
Rodolfo Alonso Hernandez fa3223bb9d [OVN] Remove OVN_GATEWAY_INVALID_CHASSIS artifact
This artifact is no longer used in the "Logical_Router" registers (in
the "options" field) to mark this "Logical_Router" as unhosted. A
"Logical_Router" is considered as unhosted if the gateway
"Logical_Router_Ports" have no "chassis" set.

This artifact is also used to create a "Gateway_Chassis" register
pointing to a non-existent invalid chassis called
"neutron-ovn-invalid-chassis". Any "Logical_Router_Port" not bound
to a chassis will have no value in "gateway_chassis" (NOTE1).

NOTE1: this is valid now with the current two OVN L3 schedulers that
use "gateway_chassis" to schedule the "Logical_Router_Port" of a
router. In the future, we can consider using "ha_chassis_group" for
scheduling.

Partial-Bug: #2052821
Related-Bug: #2019217
Change-Id: I12717936fe2bc188545309bacb8a260981f14c88
2024-03-01 07:03:26 +00:00
Frode Nordahl cc1ff09b9e [ovn] Add support for enable_default_route_bfd attribute
When ``enable_default_route_bfd`` is set, maintain BFD records
along with default route records.  Default route records will
also be fitted with the `output_port` key, which is a requirement
for the OVN BFD support.

Partial-Bug: #2002687
Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
Change-Id: I34e2453ab206c13c3ca40c4181970c320bdd8e67
2024-02-29 22:01:06 +01:00
Frode Nordahl 743bd1ccef [ovn] Ensure OVN DB update on change of number of GW ports
If a router is created and a GW port is subsequently added by
updating the router, the change is not always propagated to the
OVN DB.

This patch fixes this and also adds a functional test case.

Trivial-Fix
Partial-Bug: #2002687
Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
Change-Id: I9455678d73fb35b77eac7416917200a419abfa84
2024-02-29 11:54:13 +01:00
Frode Nordahl ae9749a5e3 [ovn] Ensure all routes are deleted when deleting ExtGw
The current DeleteLRouterExtGwCommand stops iterating over static
routes once the first route with a ovn_const.OVN_ROUTER_IS_EXT_GW
external_id is found.

There can be multiple static routes with this external ID, so
this patch continues iteration until all external routes are
removed and adds a unit test for this condition.

Trivial-Fix
Partial-Bug: #2002687
Change-Id: Ie43abd8bf511e12a0f64c10bafeaafc0823a2076
Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
2024-02-29 11:54:13 +01:00
Brian Haley 793dfb04d0 Fix iptables mapping of 'ipip' protocol
Map 'ipip' to use the string 'ipencap' so the
IptablesFirewallDriver class in neutron works correctly.
Once neutron-lib is bumped this can be removed.

Add tests for IP protocol 'ipip', '4' and '94' to make
sure the IptablesFirewallDriver class in neutron treats
them correctly.

Long description below.

This is one of those confusing edge cases and I think
Linux is conspiring against us. Let me explain.

1) neutron-lib does correctly define the protocol name 'ipip' as 4.

2) The linux kernel uses the same in in.h:

 IPPROTO_IPIP = 4
 IPPROTO_BEETPH = 94 (?)

3) iptables maps 'ipip' to 94 and 'ipencap' to 4.

 # for num in {0..255}; do iptables -A INPUT -p $num; done
 # iptables-save | grep -E 'ipip|ipencap'
 -A INPUT -p ipencap
 -A INPUT -p ipip

4) /etc/protocols does the same as iptables:

 grep -E 'ipencap|ipip' /etc/protocols
 ipencap 4 IP-ENCAP # IP encapsulated in IP (officially ``IP'')
 ipip 94 IPIP # IP-within-IP Encapsulation Protocol

5) getprotoby{name|number} does what /etc/protocols does:

 $ getprotobyname ipip
 struct protoent: (0x7fbbbcca9c60)
   p_name ipip
   p_aliases IPIP
   p_proto 94

 $ getprotobynumber 4
 struct protoent: (0x7fc51ad86be0)
   p_name ipencap
   p_aliases IP-ENCAP
   p_proto 4

Neutron actually builds a mapping based on the getprotoby*
calls, so in the iptables case it winds up doing the wrong
thing.

Partial-bug: #2054324
Change-Id: Icc84b54be07d39059723d6c233c03aa130102423
2024-02-27 15:08:19 -05:00
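Added example, not code from Neutron or from either commit author, illustrating the 'ipip' name collision described in this commit and in cd1d191e33 above: a lookup by name through the system protocol table turns Neutron's 'ipip' (protocol 4) into iptables' 'ipip' (protocol 94), while mapping the kernel number to the system's name for that number yields whatever string iptables-save on that host prints. The /etc/protocols excerpts are constructed (modelled on Debian and CentOS/Fedora layouts) and the function names are assumptions.

```python
# Constructed excerpts in /etc/protocols format; not copied from any real host.
DEBIAN_PROTOCOLS = """\
ip      0   IP        # internet protocol, pseudo protocol number
icmp    1   ICMP      # internet control message protocol
ipencap 4   IP-ENCAP  # IP encapsulated in IP
tcp     6   TCP       # transmission control protocol
udp     17  UDP       # user datagram protocol
ipip    94  IPIP      # IP-within-IP Encapsulation Protocol
"""
FEDORA_PROTOCOLS = """\
ip      0   IP
icmp    1   ICMP
ipv4    4   IPv4      # IPv4 encapsulation
tcp     6   TCP
udp     17  UDP
ipip    94  IPIP
"""

# Protocol numbers as linux/in.h (IPPROTO_*) and neutron-lib define them.
NEUTRON_PROTO_NUM = {"icmp": 1, "ipip": 4, "tcp": 6, "udp": 17}


def parse_protocols(text):
    """Build (name -> number, number -> name) tables, the way
    getprotobyname()/getprotobynumber() see /etc/protocols."""
    by_name, by_number = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        name, number = fields[0], int(fields[1])
        by_name[name] = number
        by_number.setdefault(number, name)  # first entry wins, like libc
        for alias in fields[2:]:
            by_name.setdefault(alias, number)
    return by_name, by_number


def naive_proto_number(neutron_name, protocols_text):
    """The buggy path: resolve Neutron's protocol *name* via the system
    table. For 'ipip' this silently becomes protocol 94, not 4."""
    by_name, _ = parse_protocols(protocols_text)
    return by_name[neutron_name]


def iptables_proto_string(neutron_name, protocols_text):
    """The fixed path: take the kernel number (from Neutron's own table or a
    numeric string), then map the *number* to the system's name, which is
    the string iptables-save prints on that host."""
    number = NEUTRON_PROTO_NUM.get(neutron_name)
    if number is None:
        number = int(neutron_name)  # rules may name the protocol numerically
    _, by_number = parse_protocols(protocols_text)
    return by_number.get(number, str(number))
```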
Frode Nordahl 8df5ee61d9 [ovn] Apply soft anti-affinity for LRs with multiple LRPs when scheduling
Move scheduling logic from OVNClient._create_lrouter_port to an
ovsdbapp command so that scheduling decisions are made on up to
date information as the transaction applies.

One of the main use cases for routers with multiple gateway
ports is resiliency. Whenever there are multiple LRPs present in
a LR, we want to ensure diverse placement of the ports to
minimize impact of chassis failure.

Partial-Bug: #2002687
Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
Change-Id: I36860b739a8cb99ba0e7fc65950ea252ad6803c4
2024-02-27 11:06:08 +01:00
Frode Nordahl 898498ca3b [ovn] Add helper for retrieving LR associated with LRP
This will be used in the next patch set to implement anti-affinity
scheduling for routers with multiple LRPs.

Partial-Bug: #2002687
Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
Change-Id: Iff958195f229f7e0714f1285bb3d53497aeec9aa
2024-02-27 11:06:08 +01:00
Frode Nordahl 0bae4b70b6 [ovn] Make scheduling of unhosted gateways aware of current transaction
At present, whenever multiple additions/updates are made to LRPs
with gateway_chassis, each update is put in separate transactions
in an attempt to ensure the scheduler operates on updated
information for each iteration.

This is problematic because we don't have the luxury of creating
separate transactions for updates in all parts of the code base,
and it is also not very efficient.

The OVSDBapp library wraps the OVS Python IDL and provides
different semantics. Most notably the OVSDBapp represents a
Transaction as a list of command objects with `run_idl` methods
for execution at some point in the future. The main loop and the
command objects are not aware of changes made in the current
transaction until it is committed.

Fortunately, as an ovsdbapp transaction is committed, the
underlying OVS Python IDL is kept up to date during the course of
the transaction [0][1][2].

Move implementation of scheduling of unhosted gateways into an
ovsdbapp command, using a plugin reference to the Neutron
OVNClient class for any calls into the Neutron code, allowing
scheduling decisions to be made on up to date data as the
transaction is applied.

0: https://github.com/openvswitch/ovs/blob/e3ba0be48ca4/python/ovs/db/idl.py#L1316
1: https://github.com/openvswitch/ovs/blob/e3ba0be48ca4/python/ovs/db/idl.py#L1400
2: https://github.com/openvswitch/ovs/blob/e3ba0be48ca4/python/ovs/db/idl.py#L2083

Partial-Bug: #2002687
Co-Authored-By: Terry Wilson <twilson@redhat.com>
Co-Authored-By: Brian Haley <haleyb.dev@gmail.com>
Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
Change-Id: I83bcf7fe838c0d6b0617c43439643e8443b2bdae
2024-02-27 11:06:01 +01:00
Zuul 491fbc890b Merge "Ensure that haproxy spawned by the metadata agents is active" 2024-02-27 10:03:03 +00:00
Brian Haley 63f690e6fd Make common Metadata Driver classes
The ML2 and OVN metadata agents have almost identical
code, as the former was copied to the latter and modified.
Instead, combine all the common parts and just have
each do any driver-specific operations separately.

Change-Id: Iff8bc8de16a8afc7c0195bf301d1b0643e17d7c6
2024-02-27 08:33:16 +01:00
Zuul 89d2108390 Merge "[OVN] Remove ``create_lrouter`` and ``delete_lrouter`` implementation" 2024-02-26 13:49:27 +00:00
Rodolfo Alonso Hernandez 47b4d14955 [OVN] Set MTU of the VETH interfaces between OVS and metadata
The VETH pair between the metadata namespace and the local OVS now
has the same MTU as the network associated to this metadata service.
The "LSP.external_ids" field has a new key defined: "neutron:mtu".
This is the value of the network MTU.

This patch does not update the previous metadata datapaths nor the
existing LSPs. This change will affect only newly created ports
and the corresponding metadata datapaths.

Closes-Bug: #2053274

Change-Id: I7ff300e9634e5e3fc68d70540392109fd8b9babc
2024-02-25 09:38:50 +00:00