The AIM BridgeDomain resource was being configured with an
explicit value of the ep_move_detect_mode parameter. This was
done to address a workaround needed for older hardware. Now
that the older hardware is no longer supported, AIM has been
changed to disable this value by default, which means that the
AIM mechanism driver no longer needs to set this value explicitly.
Change-Id: I41036952c46bfd72e0c9ed2416fcf3af6294c9ad
Fixed various resource naming when using multi_ext_net extension.
Change-Id: I72f9705691e98f7f0d4abff835d2904a857c3407
(cherry picked from commit 2710049aa5)
Add support for setting the scope of a subnet by configuring
'apic:advertised_externally' and 'apic:shared_between_vrfs'.
Change-Id: Ieedaec28098c4f6d4e6b3c3c97f0c8f86cf072a4
(cherry picked from commit 717ab3b5f4)
This reverts commit 953997a9a8.
The patch reverts the change of warn to warning in alembic_migrations.
The alembic utils library only has warn, and not warning, so this
patch isn't needed.
Change-Id: Ibd16c88ea33ae668316506c58348ce2b5c1a53d6
Support for having networks with and without the multi_ext_nets extension
to share the same L3Outside.
Change-Id: Ia2daff31059437ed83813d93d98865131f2919b5
(cherry picked from commit 4f5f8aa66f)
Fix the bug where remote ip's version is not being checked against
the ethertype before adding it to security group rule's remote_ips
in security_group_rule_create_procommit.
Change-Id: I10df6ed562e1af66b89c14c0769b670b2f61d9a0
(cherry picked from commit 8f6da2c57e)
The order of the admin_owner_or_network_owner alias in the
policy.json file can trigger DB queries for the network
resource in order to complete the policy checks, even in
cases where those checks aren't needed. This changes the
order of the policy rule to ensure that checks for the
tenant ID owner are made before looking at the tenant ID
of the network.
Change-Id: Ic3a7c99ff69c652bd1df4d43a98f298da876b4ba
The multi external networks extension allows multiple external networks
to be associated with a single L3Outside.
Change-Id: Ib872d8661fae321270130b4986d7d21249919ae6
(cherry picked from commit 2edc1ab5c5)
Change Idb39b75ff6d611a1dd413f26055622310cdf0df7 introduced a baked
query to the DB using the "in_" clause. That clause is only supported
starting with SQLAlchemy version 1.2, which isn't yet used by the
stable/queens branch. This patch converts that query to a non-baked
one.
Change-Id: Iaffac4835da396028d6b13c0f67cb968f38da5e0
Fix #2.
The backport of [0] to stable/queens had a syntax error, which
wasn't caught by the upstream gate since queens for upstream neutron
has now gone EOL. This patch fixes that syntax error.
[0]: https://review.opendev.org/c/x/group-based-policy/+/876812
Change-Id: I0e159b8e747ec21732e962668fe0e1e4c5dbc7fa
The backport of [0] to stable/queens had a syntax error, which
wasn't caught by the upstream gate since queens for upstream neutron
has now gone EOL. This patch fixes that syntax error.
[0]: https://review.opendev.org/c/x/group-based-policy/+/876812
Change-Id: I1fb97dc7459faa85831c448f5594adb02864a03d
The patch in [0] added support for the no-NAT CIDRs extension. This
covered the case where the agents would get extension details when a
network was created, as well as when a network was connected or
disconnected from a neutron router. However, it missed the case where
the extension on the network itself was updated. This patch addresses
that gap.
The patch also adds UT coverage of the extension for AIM validation
(there is no mapping to an AIM resource, but the extension was added
to the UT for completeness).
[0]: https://review.opendev.org/c/x/group-based-policy/+/875317
Change-Id: Ibf3df8a0d48b9ba9a68c17ad70251a611aa40cab
The patch in [0] created a DB query to support a new no-NAT CIDRs
extension. This DB query was incorrect, as it used unrelated joins.
This patch fixes the DB query to ensure related joins are used.
There also was an issue with the _query_vrf_subnets method before
the extension was added. It was possible that a single subnetpool
with multiple prefixes could have been used to allocate multiple
subnets. The current query would have returned the same subnetpool
ID for each prefix, leading to duplicates in the returned list. This
patch fixes that issue by ensuring that the returned values from
the query are distinct.
[0]: https://review.opendev.org/c/x/group-based-policy/+/875317
Change-Id: I7870ad58bc4d9098b4aa12a0cefbfe027d982564
The no-NAT CIDRs extension is applied to the network resource
in neutron. When applied, it affects the list of subnets that
should be reachable without NAT that are delivered in the RPC
calls to agents. The agents can then use this information to
ensure that specific destination CIDRs will never use NAT.
The extension can be applied to both tenant and external/public
networks. The extension should be used judiciously, as placing
it on a network will cause those CIDRs to be added to all RPC
calls requesting subnets within that VRF (e.g. the extension
could be added to a shared network or to a network that uses
a subnetpool relating to a shared address scope, which would
be seen by all other networks that report to that same address
scope or shared network).
Change-Id: Idb39b75ff6d611a1dd413f26055622310cdf0df7
This patch is a vehicle for cleaning up the stable branches. The
patch to master addresses a fix that was missed when [1] was merged.
That patch was created to enable the stable/ussuri branch, but it
included a PEP8 fix which should have been a separate patch that could
have been backported through the stable branches. This patch adds the
missing fix (addresses an alias with import namespace). The backports
of this patch will include the portion of the original PEP8 fix in [1]
starting from before stable/ussuri (i.e. train through newton).
Backports of this patch will add fixes to address other issues recently
found with stable branches due to end-of-life in other projects, such
as neutron.
Drop the use of basepython = 2.7 for PEP8 jobs, as that causes the
PEP8 gate to fail.
Switch to use the upper-constraints for installing neutron, and move
upper-constraints based installations earlier in test-requirements.
Mark the openstack-tox-py27 job as non-voting. The upstream gate is
missing the pre-installation of python2.7 for stable/rocky (see [2]).
This can be reverted if the job gets fixed (although given that rocky
has already been EOL'd, that seems unlikely).
Mark all jobs as non-voting, in preparation of stable/queens branch
deprecation. This is in response to upstream branches and gate jobs
already being deprecated or removed for stable/queens (see [3], [4]).
[1]: https://review.opendev.org/c/x/group-based-policy/+/752338
[2]: https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/873020
[3]: https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/871596
[4]: https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/871594
Change-Id: Idfd8ccc60ed6cd0fffe63064faa3e7eb46cf8cbe
(cherry picked from commit 2341cce7ca)
The notification listener for Keystone was subscribing using a pool
value other than "None". The semantics for oslo.messaging notification
listeners is that there has to be at least one listener whose pool value
is set to "None" in order to ensure that the notifications are consumed.
In order to support both environments (i.e. installations where there
are other listeners whose value is already set to "None", and
installations where there are no listeners whose value is set to
"None"), the pool value is configurable, with a default value of "None".
This ensures that the default behavior is that the notification
messages are consumed, but allows for other consumers, while still
ensuring that our notification listener will receive the messages.
Change-Id: I706ee3c4e88cb8d6ad492c1b97fe48b0392b8033
Contract references in aci-integration-module (AIM) were previously
created or destroyed by modifying list members of the ExternalNetwork
resource. This caused problems when the ExternalNetwork was monitored
state but the contract references were meant to be configured state,
as the view of the monitored universe/state could be inconsistent from
time to time, causing the contract references to inadvertently get
deleted.
A recent commit (9076bd8738e27052e75ec53052e509c54c4b91ea) in AIM made
the contract references top-level resources, so that their creation or
removal can only be made directly. The aim_lib module was changed to
support passing lists of provided and consumed contracts explicitly,
in order to adopt these changes.
Change-Id: I14b01bea751823c3e3b70df3e7f41ea5babd9522
The error happens when the FIP is dissociated from the port
and ports get deleted, which are using the VIP port's fixed
IP address as an allowed-address-pairs. The expected behavior
is that dissociation succeeds, and the final status of the
dissociated FIP is “DOWN”. Instead, they are seeing the
dissociation fail with an HTTP 404, and the final FIP status
is “ACTIVE”.
The fix here is to catch and ignore "port not found" exceptions.
Change-Id: I7769371b41f390adf668f976fad9ec209b5acf69
(cherry picked from commit 7fe026d9fc)
Some of the services have end-of-life'd their older stable branches.
This patch uses the new EOL links.
Change-Id: I1ca2935b560d589411b2f2ddd0ce5437b4c53f90
Fixed spelling errors in the comment pertaining to HAIPAddressToPortAssociation in data_migrations.py.
Change-Id: Ie51fabeec357206dff4abc51b3b8434dbc4e067e
(cherry picked from commit 86c8506a0b)
Update mechanism_driver cache to select neutron_client or gbp_client
based on group_policy enabled/disabled.
Change-Id: I2b787bb8576175f1e38beac1199a27c609eeb486
(cherry picked from commit de548128ce)
The use of log translations was removed in upstream
neutron in this patch:
https://review.opendev.org/c/openstack/neutron/+/453355
The same was applied to GBP. However, some files were missing
imports of the oslo_i18n translator, as this is still needed
for other printing (e.g. exceptions, configuration file options, etc.).
Change-Id: Ie8d3d312dcb1b811e76879ec8df2a0cd892ce6d3
(cherry picked from commit 832ba2760c)
The semantics for the update router API call were affected by the
introduction of the SNAT subnet only extension patch series. This
patch modifies the API to support the upstream semantics, while
still supporting the new extension.
Change-Id: Ia1244876b19b364295cf4198a809d820810a16c5
Commit 6ddc59aedc created a fix for
the HA IP address schema, and updated the DB migration. That fix
missed the case where the same IP address was used as a valid HA IP
entry in different networks (the DB migration would fail because
multiple entries had the same AAP and network ID). This patch defers
updating the primary keys during the migration until after the data
has been migrated.
Change-Id: I8f071fcc20f4afb61a0f0333dd8e599154c45387
The gate for stein stopped supporting this project so we need to
remove it.
Change-Id: I76cb0325636e6e754aaadc6a0bade50dc31ca896
(cherry picked from commit 8720a937a7)
(cherry picked from commit fda3bab3b5)
Instead of using the default convert_none_to_empty_list converter
from the neutron_lib, use a custom one that can handle string
attributes similar to convert_nested_domain_allowed_vlans. This allows
us to pass in those additional attributes from terraform/pulumi which
only supports string values for extra attributes.
Change-Id: Idba3ded81f72128bb712660443458e24148ef188
Add network_id column to apic_ml2_ha_ipaddress_to_port_owner table
to guard against multiple rows of same VIP address.
Change-Id: I2d5a2cfdb4242450140689adc50df2197d4a04b3