This change replaces remaining occurrences of the notify method with
calls to the publish method.
As NSX admin utilities heavily rely on callbacks, this change also
ensures that all callbacks are now accepting event payloads rather
than kwargs.
Change-Id: I0450fff486898d6ab74086b7952dc27134cb77e2
When a LB exists in Octavia DB, but missing in NSX, its status is never
updated.
The following addresses this condition by collecting the LBs from
Octavia and validating them periodically.
Change-Id: I3c42a934a47532968c65aaeade8210364167f35a
When creating rules, the plugin fetches the SG mapping from Neutron DB.
If this mapping is missing, the plugin should issue a proper error and
fail.
Change-Id: Icd00116dc6e81949513db18f16eced8a2b125c7d
Edge firewall might contain FW rules which are originated from various
sources, e.g. FWaaS rules, subnet rules, LB rules etc.
When a non-admin user applies a change to the FW config by changing any
of the above, the new FW config should still include resources which
aren't visible to the user. Therefore the context should be elevated.
Change-Id: I8cd3310976708b0bbf1442de7f38ebc06dc8506a
When a stale load balancer binding remains in the Neutron DB while the
load balancer was deleted, it causes FWaaS failures.
To protect against this, we take the following measures:
- Use try-catch to ignore the LB edge firewall rule while performing
FWaaS transactions.
- Delete the LB binding while deleting the router, while routers are
used as LB platform.
Change-Id: I3ab60093e3ac8ce6ff1d3557622745484d43b759
In case the physical network is not assigned, the db query
should be skipped or else it fails and raises.
Change-Id: Ief5af76f47e6b037e5fdda707f7fa75f73b0653f
NSX|V3: fix call to _confirm_router_interface_not_in_use
Commit Iea58177cce30d7ce6ba7b36ce5f8375c0985179e changed the api
NSX|V: Fix _make_port_dict api
Commit Ic08e4049f6156c0700ca3c7aee251b6eb0eb97da added a bulk argument
to this api.
Change-Id: I6bbe34cfedf731f0711fee45800d9f78247bc6ba
Integrate with neutron patch Id3f09b78c8d0a8daa7ec4fa6f5bf79f7d5ab8f8b
And also skip new tests added in I99681736d05eefd82bdba72b3866eab9468ef5dd
Change-Id: I8b119bc69cc87185ea77646e70135c5984200038
1. Upgrade pylint to 2.4.4, add exclusions to the tests, and
fix some lint errors in the code
2. Fix user creation with GRANT in MySQL 8.0 (Ubuntu Focal)
In Ubuntu Bionic (18.04) mysql 5.7 version used to create
the user implicitly when using the GRANT.
Ubuntu Focal (20.04) has mysql 8.0 and with mysql 8.0 there
is no implicit user creation with GRANT. We need to
create the user first before using GRANT command.
See also commit I97b0dcbb88c6ef7c22e3c55970211bed792bbd0d
3. Remove fwaas from the zuul.yaml
4. Remove DB migration test which is failing due to FWaaS migration
with py38
5. Fix cover tests python version in .tox
6. Fix requirements
Change-Id: I22654a5d5ccaad3185ae3365a90afba1ce870695
Since py2 is no longer supported, built in methods can replace the
six package usage, as has been done in the neutron project
Change-Id: I922963fbbcc0ab263e1f6e56907b73b007015a75
Vsphere7 started to block this traffic so adding those rules to be
backwards compatible.
In addition, add admin utility to fix existing edge firewalls:
nsxadmin -r routers -o nsx-update-fw
Change-Id: Ia5c2832e377a1a17ef279191ee91b6fec8f65443
1. Make the validation optional (If False - only log the warnings)
2. Validate each resource against all clusters and fail only if not
connected to any
Change-Id: I9abd091fc42d4dbe22e1b806df4d9131ab054726
FWaaS V2 cannot be supported for distributed routers since the
FW rules are on the PLR, but only the TLR has the subnets interfaces.
This patch adds a partial support, assuming all interface ports
have the same policy & rules (as it was in FWaaSv1) by ignoring the vnic-id.
This way customers with distributed routers can migrate to FWaaS v2.
Change-Id: Ieaaf4149d5daa07341effdc480ae453a67d5b6bb
1. No need to rollback the interface creation in the distributed router
driver. It is rolled back on the plugin level. The double rollback causes
a new error to be raised.
2. In the plugin level - do not alert on the rollback failure.
It may be legit.
3. In the plugin level raise a proper error to neutron, instead of the
internal one.
Change-Id: I129f595d6cd17cd0af62fc9e2855451b97e73ff0
Non-admin users could not set static routes as neutron didn't fetch the
port info for the external network.
Change-Id: Ib266b6348d450b6b73064aeaf0b79a443c46a1ee
For each availability zone, check that all the resources in the configuration
are connected on the NSX
Change-Id: I60551294c4f2d1d9d43032ac64468e5915e1f09d
This patch switches the code over to the payload style of callbacks [1]
for PORT ROUTER_GATEWAY events for those that are not using them yet.
The unit tests are also updated where needed to account for the
payload style callbacks and publish() method. Finally the patch
normalizes the passing of gateway IPs which are currently referred to
as 'gw_ips' and 'gateway_ips' depending on the event; now all events use
'gateway_ips'.
[1] https://docs.openstack.org/neutron-lib/latest/contributor/callbacks.html
Change-Id: Ibc255de79443e908cc3615a8e1cb108757f80011
Adding verification for port_update, when using same ip_address
for different ports in the same network.
Change-Id: I0bba347e165147d42d71e1247feb76006fa4fdd1
Signed-off-by: Michal Kelner Mishali <mkelnermishal@vmware.com>
Remove spoofguard mappings along with spoofguard on backend
when network is set without port security.
Change-Id: I03eac35ae0dfae1c716c54d972a2441c1d98f50a
Signed-off-by: Michal Kelner Mishali <mkelnermishal@vmware.com>
- When network port security is set to True, ensure the same IP
is not used for multiple ports
- Extend checks for network port security to all ports, not only
ports with a nova compute device_id
- When creating or updating a port, perform checks if port security
is enabled for the network or the flag for allowing multiple
addresses is unset.
Change-Id: I5d81257b55730d4544537bb269030ec7f1a277c1
When this flag is enabled, spoofguard restrictions do not apply,
therefore the same IP address can be used in allowed address pairs
for multiple ports on the same logical switch.
Change-Id: Idb5175451b2aa0bec631511c68c7b404e782d8d7
This patch bumps the hacking, bandit and flake8 requirements to match
suit with similar work (ex [1]). It also updates the code to fix a few
new pep8 errors as well as adds a local tox target for
requirements-check-dev.
[1] https://review.opendev.org/#/c/658245/
Change-Id: I6caeb52dc1a5842338ec989a742ae5989608e0da
Commit Ia4f4b335295c0e6add79fe0db5dd31b4327fdb54 removed all the
neutron-lbaas code from the master (Train) branch
Change-Id: I9035f6238773aad0591436c856550b7a5e01e687
While configuration flag
bind_floatingip_to_all_interfaces = True
the subnet NAT rule should not apply only to external interface, as it
also serves traffic between instances on the same router.
So if instances A and B are connected via the same router, and instance
A is accessing instance B's FIP, traffic should reach instance B with
the router's NAT IP - unless there's a FIP to instance A as well.
Change-Id: Ib312289bed86f8539f593da4a01f800b65f72ac5