QoS support for PTs inside PTG, as 2 new NSP param types.
The new NSP param types, qos_maxrate and qos_burstrate, map to the
Neutron QoS Policy resource, which then gets associated to a QoS
bandwidth limit rule with a certain maximum rate and/or burst rate (in
Kbps and Kb respectively) set.
Change-Id: I3950a13c482d7a7e1fa03667a543628aaa36ee6e
Implements: blueprint initial-support-qos
Support l3_policy workflows by providing different combinations
of explicitly created Neutron address_scopes and subnetpools.
Though this patch supports associating multiple explicit subnetpools,
only the first one is used for subnet allocation. A follow-up patch
will extend this to leveraging multiple subnetpools, if configured.
Fixes UT setup for address_scopes.
Fixes v6 implicit address_scope and subnetpool creation.
Implements blueprint: address-scope-mapping
Change-Id: If830dacb2ac52bb067ca7fb58c2422cedb6b10bd
Expose each AIM Subnet's distinguished name and synchronization state
on the Neutron router, in addition to on the Neutron subnet.
Build the AIM Subnet's display name using both the Neutron router and
subnet names, handling updates to either name. If the Neutron subnet's
name is empty, use its CIDR instead in the display name.
Change-Id: I697d490b76dea0f099d62aa153fc29c12b2e3c70
This patch defines a new extension: cisco_apic_gbp_allowed_vm_name,
for the apic policy drivers. An extension attribute:
allowed_vm_names, that extends the L3 Policy definition, is
being introduced in this extension.
A corresponding extension driver: apic_allowed_vm_name, that processes
this extension, is also being added. This extension driver should be
configured for this extension to be available. The driver name should be
added to the existing list of extension drivers under:
[group_policy]
extension_drivers=<existing_ext_drivers>,apic_allowed_vm_name
The allowed_vm_names attribute is a list of regexes. Each regex can
be up to 255 characters long.
During the port-binding phase, we will also enforce the regex
checking against the VM name from Nova. Only those VM names matching
one of those regexes will be allowed.
A CLI option: --allowed_vm_names will be provided for the
L3 Policy create and update operations. This CLI option will accept
a comma separated string as the option value.
Change-Id: I4602919df9a0458eb255b93399c70f64dfeeb863
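The following is an added example, not code from the project: a sketch of the allowed_vm_names check described in the commit message above, showing why the matching mode matters when a regex list is used as an allow-list. The function names, the sample patterns, the choice between fullmatch() and match(), and the handling of an empty list are all assumptions; the commit message does not state them.

```python
import re

MAX_REGEX_LEN = 255  # per-regex limit stated in the commit message


def validate_allowed_vm_names(patterns):
    """Compile each regex; reject non-strings, over-long or invalid ones."""
    compiled = []
    for pattern in patterns:
        if not isinstance(pattern, str) or len(pattern) > MAX_REGEX_LEN:
            raise ValueError("each regex must be a string of at most 255 characters")
        try:
            compiled.append(re.compile(pattern))
        except re.error as exc:
            raise ValueError("invalid regex %r: %s" % (pattern, exc))
    return compiled


def vm_name_allowed(vm_name, compiled, whole_name=True):
    """Return True if vm_name matches at least one allowed regex.

    whole_name=True uses fullmatch(); whole_name=False uses match(), which
    only anchors at the start and so also accepts longer names.
    """
    if not compiled:
        return True  # assumption: no list configured means no restriction
    for regex in compiled:
        hit = regex.fullmatch(vm_name) if whole_name else regex.match(vm_name)
        if hit:
            return True
    return False


# Constructed sample policy and VM names (hypothetical values).
ALLOWED = validate_allowed_vm_names(["web-[0-9]+", "db-prod"])

if __name__ == "__main__":
    for name in ("web-01", "db-prod", "web-01-rogue", "xweb-01"):
        print(name, vm_name_allowed(name, ALLOWED),
              vm_name_allowed(name, ALLOWED, whole_name=False))
```

If the enforcing code matches only from the start of the name, operators who want exact names need to end each regex with \Z themselves.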
Now that AIM keeps resources in PENDING state until AID actually
synchronizes them, as it should, the TestSyncState.test_*_synced tests
need to mock get_status to return the SYNCED state.
Also, a new attribute added to the AIM resources was breaking UTs for
the aim-mapping driver. This new attribute does not need to be
validated and is fixed here.
Change-Id: I84f3181ba769c58773137b34f858888d939f3fcc
Fix SYNC_* constants, log exceptions from extend_*_dict methods, and
add unit tests for apic:synchronization_state attribute.
Change-Id: I71af9da7ac4ec34a7ec0ebc41f6dc52fdca5248e
When updating the AIM EPG (on account of update to the corresponding PTG),
the attributes that are not being updated also need to be populated in the
AIM EPG resource before it's passed to the AIM manager to perform the update
(since we perform update as a create operation with override option).
Change-Id: I9bbcfecea44a953204f8f4d2449fc7b96cd4d197
Closes-bug: 1631307
The commit 6d56931196 introduced a
variation in the UUID of the "auto" PTGs implicitly created by the
apic_mapping policy driver. The API layer however was not made aware
of this variation and hence rejected this new UUID format when used
to create a policy target. This is fixed in this patch by allowing
the validation for this new UUID format with the regex:
auto[0-9a-f]{32}\Z
The auto PTG was also missing an implicit subnet for IP address allocation
to any PTs that are created in that PTG. This is also being fixed.
UTs have been added/updated to validate the above changes.
Change-Id: Idda35feb5c61587f3f014491768daecf03660ad9
Closes-bug: 1630923
Moved code where function arguments were getting wrongly
modified into a new function in proxy namespace-create script.
Change-Id: I9daeca42269b581ee20ac1831ba9236e9434b59c
Complete basic east/west routing. Enables routing on BDs of routed
networks and associates those BDs with the address scope's VRF if
applicable, or else with a per-tenant default routed VRF. The selected
VRF is exposed via the extended attributes of the Neutron network and
router resources.
Validation of routing topologies will be implemented in a follow-on
patch.
Change-Id: Ic7396e5ebbc466ea5be0028931b31bdbab9833e6
Netmask for service management network interface in the nfp-proxy namespace is set
with reference to service management network subnet CIDR.
Change-Id: I6e574f27acd12d0005c28405f96d474800c06982
This patch adds interface for the PTG subnets to the default Router.
Corresponding UTs are added which check that the correct port is created for
the router interface.
A bug due to which the apic_aim_l3 was not getting set for the GBP aim_mapping
tests is also being fixed.
Change-Id: Ia8e96da15b2571491412c649af5a99261ceb8a84
When VLAN networks are used instead of OpFlex,
additional networks and ports are created that mirror
the usual networks and ports. The device_id of the
VM's port is set to VM's UUID whereas the port that
mirrors had its device_id set to the PT UUID. This
latter value resulted in failure to lookup metadata
information for the VM.
This change ensures that the device_id for both the
VM port and its mirror stay in sync.
Closes-Bug: 1627915
Change-Id: Ibea325fbfa344acd9626d5e651297dd5e24297b6
Signed-off-by: Amit Bose <amitbose@gmail.com>
As part of cross tenancy relaxation for nfp, getting the
services tenant id is failing in liberty with an
Unauthorized failure. Added exception handling for
the failure, silently ignoring it and moving to the default path.
Change-Id: I7c3baa8a82a587a82ac86b416521ce4d62aac433
Closes-Bug: 1608616
This changeset,
(1) fixes the install configuration script and
(2) has a change to the NFP firewall plugin
to support stable/mitaka installation.
Change-Id: Ibaf5c997f5e80dbb1c7414c3841c2d9338501c74
This patch defines a new extension: cisco_apic_gbp_segmentation_label,
for the apic policy drivers. An extension attribute:
segmentation_labels, that extends the Policy Target definition, is
being introduced in this extension.
A corresponding extension driver: apic_segmentation_label, that processes
this extension, is also being added. This extension driver should be
configured for this extension to be available. The driver name should be
added to the existing list of extension drivers under:
[group_policy]
extension_drivers=<existing_ext_drivers>,apic_segmentation_label
The segmentation_labels attribute is a list of strings. Each string can
be up to 255 characters long. These labels are not interpreted by GBP
but are instead passed downstream by the apic policy driver. It is
assumed that these are defined outside of OpenStack and the backend
system can appropriately interpret them.
The get_gbp_details() RPC call implemented by the apic policy driver
will return the segmentation_labels in its body if the
'segmentation_labels' attribute is populated for the policy_target.
A CLI option: --segmentation-labels will be provided for the
policy_target create and update operations. This CLI option will accept
a comma separated string as the option value.
Change-Id: I360bf9f7f1d4bdca76d4f16b7535a6416f430830
The apic_aim mechanism driver and L3 plugin map router interfaces to
AIM Subnets. The DNs and status of these subnets are exposed via
extended Neutron subnet attributes. If any subnets of a network are
attached as interfaces to a router, the network's default EPG provides
and consumes the router's Contract.
A separate patch will manage the VRFs of routed networks, and will
reject invalid routing topologies, completing the basic east/west
routing functionality.
Another follow-on patch will additionally expose the AIM Subnets via
extended attributes of the router to which the corresponding Neutron
subnet is attached, and will likely include both the Neutron subnet
and router names in the AIM display name of the Subnet.
Change-Id: Id8aa749c2a590bf6d0548162483553edb8a3589d
The apic_name of the shadow EPG was being added as is to the DB. The shadow EPG
object was actually an Apic_name class, and needed to be converted to a string
before adding to the apic mapping DB.
Change-Id: Id6299fbd0dd83b5295ccb27d4e287ac31c70c5f6
Closes-bug: 1624184
Implements an L3 service plugin, apic_aim_l3, that, in conjunction
with the apic_aim mechanism driver, maps each Neutron router to an AIM
Contract and ContractSubject whose DNs and status are exposed via
extended attributes similar to those on the core Neutron resources. An
"any" Filter and FilterEntry are created per-tenant, and referenced in
this contract, allowing all traffic from EPGs providing and consuming
this contract to be routed.
The add_router_interface and remove_router_interface methods are stubs
that will be implemented in the next patch set. They will manage the
mapping of router interfaces to AIM Subnets, along with having the
default EPGs associated with those interfaces provide and consume the
router's Contract.
The corresponding GBP policy driver's extension is renamed
apic_aim_gbp for consistency with the apic_aim and apic_aim_l3
extensions at the Neutron level, and all extensions are now in the
gbpservice.neutron.extensions module.
The GBP policy driver's unit tests are updated to account for the
Filter and FilterEntry resources created by the mechanism driver.
The apic_aim unit tests wipe the AIM DB in tearDown, and use the
aci_integration_manager branch of the apicapi repo.
The GBP devstack plugin, when ENABLE_APIC_AIM=True, configures neutron
to use the apic_aim_l3 service plugin, and installs the
aci_integration_manager branch of the apicapi repo.
Change-Id: I1b7f0c80e66d55d58c27fe9e4cb461f62aec3c42
This change automatically creates a PTG per L2P. This PTG is created as a
reverse map of the "shadow" EPG that was already being created per L2P by
the apic_mapping policy driver. We will henceforth refer to this PTG as
"auto" PTG.
The ID of the auto PTG is derived from the ID of the L2P as an MD5 hash
calculation (for uniqueness) and persisted in the format:
"auto<hash_of_l2p_id>". It is thus always possible to determine the ID of the
auto PTG from the ID of the L2P and no additional state needs to be maintained.
In order to maintain the reverse-mapping integrity between the shadow EPG and
the auto PTG, an entry is created in the apic name-mapping DB that maps the ID
of the auto PTG to the "apic-name" of the "shadow" EPG.
The initial name of the auto PTG is derived from the ID of the L2P to ease
debugging and troubleshooting, and takes the form: "auto-ptg-<l2p_id>". This
name is mutable (just like any other PTG). The apic_mapping driver does not
have any special meaning for this name, and does not care about it after it
implicitly sets it at the time of the auto PTG creation.
The auto PTG cannot be deleted by the end user and doing so will result in
an error.
The user can update the name, description, provided and consumed PRS for the
auto PTG, but cannot update any other attributes and doing so will result in
an error.
The shared status of the auto PTG is made consistent with the shared status
of the L2P (once set, it cannot be changed).
The auto PTG is deleted when the corresponding L2P is deleted (attempted in
the pre-commit phase).
To prevent forward mapping of the auto PTG to a new EPG, all above
operations are invoked on the GBP DB mixin (parent of the GBP plugin). This
ensures that the apic_mapping policy driver is not invoked for the create and
delete auto PTG operations during L2P creation and deletion.
The creation of the auto PTG is controlled by a configuration and is disabled
by default thus allowing this new feature to be turned ON only where needed.
All existing deployments should not see any change in behavior as long
as they choose not to turn ON this feature. This configuration is as follows:
[apic_mapping]
create_auto_ptg=<True or False>
As the commit title suggests, this is currently only an apic_mapping driver
specific feature. It may evolve to a GBP feature with a well defined auto PTG
attribute definition for the L2P (and/or accessor APIs). The convention used
for the Auto PTG name and the ID format could change as a part of this
evolution.
Change-Id: Ie132ace0fc9f78baa0034a6f30f2ee758bb271c0
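The following is an added example, not code from the project: it works through the auto PTG ID scheme from the commit message above together with the auto[0-9a-f]{32}\Z validation regex from the earlier bug-fix commit. Hashing the UTF-8 bytes of the L2P ID, the canonical-UUID regex, the function names and the attribute names in MUTABLE_ON_AUTO_PTG are assumptions; the sample L2P ID is constructed.

```python
import hashlib
import re

# Regex quoted in the bug-fix commit message; \Z matches only at end of string.
AUTO_PTG_ID_RE = re.compile(r"auto[0-9a-f]{32}\Z")
# Assumption: regular PTG IDs are canonical lower-case UUIDs.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\Z")
# Attributes the commit message says stay updatable on an auto PTG
# (attribute names are assumed).
MUTABLE_ON_AUTO_PTG = frozenset([
    "name", "description",
    "provided_policy_rule_sets", "consumed_policy_rule_sets"])


def auto_ptg_id(l2p_id):
    """Derive 'auto<md5 hex of l2p_id>'; no extra state has to be stored."""
    return "auto" + hashlib.md5(l2p_id.encode("utf-8")).hexdigest()


def is_auto_ptg_id(value):
    return bool(AUTO_PTG_ID_RE.match(value))


def is_valid_ptg_id(value):
    """API-layer check: accept a regular UUID or the auto PTG format."""
    return bool(UUID_RE.match(value) or AUTO_PTG_ID_RE.match(value))


def rejected_update_fields(ptg_id, changes):
    """Fields in an update request that must be refused for an auto PTG."""
    if not is_auto_ptg_id(ptg_id):
        return []
    return sorted(set(changes) - MUTABLE_ON_AUTO_PTG)


# Constructed sample L2P ID (hypothetical value).
SAMPLE_L2P_ID = "3f0c8a52-6d1e-4b7a-9c2f-5e8d1a4b7c90"

if __name__ == "__main__":
    ptg_id = auto_ptg_id(SAMPLE_L2P_ID)
    print(ptg_id, is_valid_ptg_id(ptg_id))
    print(rejected_update_fields(ptg_id, {"name": "x", "l2_policy_id": "y"}))
```

The \Z anchor matters for input validation: with $ in its place, an ID followed by a trailing newline would still pass.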
This uses the devstack GBP plugin with ENABLE_APIC_AIM configuration
set to true.
These hooks will start getting invoked once a new gate job is enabled
in infra. This patch needs to be merged before the infra patch can be
posted.
Change-Id: Ib9c3cb287a357fbb2974e8a086f5d6edd19b5915
L3 Policy is mapped to Address Scope and Subnetpool. This patch implements
the implicit workflow to create these mapped resources.
Implements blueprint: address-scope-mapping
Change-Id: I4309ada6f26c23a11232a858ff4e36bd5d03e25a
Add enforce_service_chains attribute to PTGs as part of the
proxy-group driver extension. When set to False, PTGs won't trigger
service chain creation even when providing a PRS with a redirect
rule.
Change-Id: I78fb098ec4092f2c2b43f0eb41f35ab2fd5e01d9