The order of the admin_owner_or_network_owner alias in the
policy.json file can trigger DB queries for the network
resource in order to complete the policy checks, even in
cases where those checks aren't needed. This changes the
order of the policy rule to ensure that checks for the
tenant ID owner are made before looking at the tenant ID
of the network.
Change-Id: Ic3a7c99ff69c652bd1df4d43a98f298da876b4ba
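Why the order of terms in an "or" alias decides whether the network row is ever read, as an added example (not neutron's or oslo.policy's code): a minimal left-to-right, short-circuiting "or" evaluator with a target dict that lazily loads the parent network and counts the simulated DB lookups. The two rule lists are constructed to model the before/after ordering; the real alias text is not on this page.

```python
"""Constructed model: short-circuit 'or' evaluation over a lazy target.

Not neutron/oslo.policy code; it only shows why term order matters.
"""


class LazyTarget(dict):
    """Target attributes; 'network:tenant_id' is fetched on first access."""

    def __init__(self, attrs, network_owner):
        super().__init__(attrs)
        self._network_owner = network_owner
        self.db_queries = 0  # simulated network lookups

    def __missing__(self, key):
        if key == "network:tenant_id":
            self.db_queries += 1  # would be a DB round-trip in neutron
            self[key] = self._network_owner  # cache like the real code would
            return self._network_owner
        raise KeyError(key)


def check(term, target, creds):
    """Evaluate one term: 'role:<name>' or 'tenant_id:%(attr)s'."""
    kind, _, value = term.partition(":")
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "tenant_id":
        # '%(network:tenant_id)s' % target triggers the lazy lookup
        return creds.get("tenant_id") == (value % target)
    raise ValueError(term)


def enforce_or(terms, target, creds):
    """Left-to-right 'or': stops at the first term that passes."""
    return any(check(t, target, creds) for t in terms)


# Hypothetical 'before' ordering: network owner checked before the resource owner
OLD_ORDER = ["role:admin", "tenant_id:%(network:tenant_id)s", "tenant_id:%(tenant_id)s"]
# Reordered: the resource's own tenant_id is checked before the network's
NEW_ORDER = ["role:admin", "tenant_id:%(tenant_id)s", "tenant_id:%(network:tenant_id)s"]


def run(order, creds, port_tenant="t1", network_tenant="t2"):
    """Return (allowed, number of network lookups the check triggered)."""
    target = LazyTarget({"tenant_id": port_tenant}, network_tenant)
    return enforce_or(order, target, creds), target.db_queries
```

For the owning tenant the old ordering still hits the network row once before passing; the new ordering passes with no lookup, while non-owners pay the lookup either way.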
This adds an extension to the neutron port resource, in order to
support creation and tear-down of ERSPAN sessions. The port resource
is extended with the apic:erspan_config property, which is a list
of dictionary objects. Each entry in the dictionary specifies the
parameters for an ERSPAN session:
'dest_ip': the ERSPAN destination IP address
'flow_id': the flow ID to use (1-1023)
'direction': 'in', 'out', or 'bi' (port-centric)
The neutron port UUID plus direction define a unique ERSPAN
source, while the destination IP and flow ID define a unique
ERSPAN destination. ERSPAN Sources and Destinations are
associated by name using the SpanSpanlbl resource in AIM.
Sources and destinations must also be applied to interface
resources in AIM, providing topology to the source EPs. This means
that overlapping destination IPs aren't supported. This could be
extended to consider things like the VRF that the network/EPG is
mapped to, but would require a data migration of existing DB state.
This extension is only supported on ports that belong to networks
of type 'opflex'. This means that hierarchical port binding (HPB)
and 'vlan' type networks are not supported, nor are SVI networks. The
ports must have a vnic_type of "normal" and have a device owner prefix
of "compute:". The extensions can be added to the port at any point in
its life cycle, but the configuration is only pushed to AIM when the
port is bound. Unbinding the port removes the configuration from AIM,
but not the extension information in the port resource. That state must
be removed explicitly by the user.
This workflow currently doesn't support live-migration. Live migration
may still work, as port rebinding updates the appropriate state in AIM,
but this is done by first deleting the information from the source
interface policy group in APIC, then adding it to the destination/target
interface policy group, which will lead to some loss of traffic. This can
be addressed in a future patch if needed.
Administrative privileges are required to use this extension. This
restriction can be relaxed in a subsequent patch, if needed.
ERSPAN traffic is sent from the local vSwitch to the host,
and the host's IP stack forwards the encapsulated
Change-Id: I3a35b060f914daebd7b34fa1fca2e289bd5f6967
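A validator for the apic:erspan_config list described above, as an added example and not the extension's own validation code. It assumes each entry carries exactly the three keys named in the message (dest_ip, flow_id, direction) and treats an exact repeat of a session as an error; the sample entries in the test are constructed.

```python
"""Constructed validator for apic:erspan_config entries (not GBP code)."""
import ipaddress

DIRECTIONS = {"in", "out", "bi"}          # port-centric, per the extension
REQUIRED = {"dest_ip", "flow_id", "direction"}


def validate_erspan_config(entries):
    """Return a list of error strings; an empty list means the config is valid."""
    errors = []
    if not isinstance(entries, list):
        return ["apic:erspan_config must be a list of dicts"]
    seen = set()  # (dest_ip, flow_id, direction) already declared on this port
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict) or set(entry) != REQUIRED:
            errors.append(f"entry {i}: keys must be exactly {sorted(REQUIRED)}")
            continue
        try:
            ipaddress.ip_address(entry["dest_ip"])
        except ValueError:
            errors.append(f"entry {i}: dest_ip {entry['dest_ip']!r} is not an IP address")
        flow_id = entry["flow_id"]
        # bool is an int subclass in Python; reject it explicitly
        if isinstance(flow_id, bool) or not isinstance(flow_id, int) \
                or not 1 <= flow_id <= 1023:
            errors.append(f"entry {i}: flow_id must be an integer in 1-1023")
        if entry["direction"] not in DIRECTIONS:
            errors.append(f"entry {i}: direction must be one of {sorted(DIRECTIONS)}")
        key = (str(entry["dest_ip"]), str(flow_id), str(entry["direction"]))
        if key in seen:
            errors.append(f"entry {i}: duplicate of an earlier session {key}")
        seen.add(key)
    return errors
```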
This plugin is subsumed by the Node Composition plugin
starting in the liberty cycle.
Switching to the NCP as default invalidated some UTs (since
NCP does not support more than one service_chain_spec
per service_chain_instance). These tests are being skipped.
Change-Id: I03383145eaa72681695e12649f731ba1a6b8bad8
This patch restricts GET and UPDATE for auto-ptg to the admin
via policy.json RBAC enforcement mechanism. When these rules are
in effect, policy_target creation in the auto_ptg is also restricted
to only the admin. These rules can however be relaxed if required by
modifying the policy.json file as follows:
Replace:
"get_policy_target_group": "rule:admin_auto_ptg or rule:non_auto_ptg",
"update_policy_target_group": "rule:admin_auto_ptg or rule:non_auto_ptg",
with:
"get_policy_target_group": "rule:admin_or_owner or rule:shared_ptg",
This patch adds a new driver extension attribute: is_auto_ptg to
facilitate specification of rules in policy.json. This has the added
benefit of supporting the specification of a filter for auto_ptgs
when retrieving policy_target_groups.
Change-Id: I6d9e873acb2b1b3bee8d78a45527bd4d5d437eca
Add enforce_service_chains attribute to PTGs as part of the
proxy-group driver extension. When set to False, PTGs won't trigger
service chain creation even when providing a PRS with a redirect
rule.
Change-Id: I78fb098ec4092f2c2b43f0eb41f35ab2fd5e01d9
This is a very preliminary version of a new APIC mechanism driver
utilizing the ACI Integration Module (AIM) library concurrently being
developed. A corresponding extension driver exposes details regarding
the mapping of the Neutron resources to APIC. These drivers require
the Ml2Plus extended driver APIs.
See the apic-aim-ml2-driver devref for implementation details and for
devstack configuration instructions.
Change-Id: I82df32f0880d6a0d53b305f6c6391fcbea049d1b
All SC related operations (create/delete/update chains) will now
exist on a separated gbp mapping driver. This driver will likely
run as the last of the driver chain (ipd rmd and cmd).
Partially implements blueprint node-centric-chain-plugin
Change-Id: I1f329101f32640058ed5250e8fe49a53b1f3deee
Whenever a Redirect action is provided/consumed in GBP, the
implicitly created SCI could be owned by different tenants
depending on the actor triggering it.
To make this consistent, this patch proposes to have a single
configurable admin tenant that will own all the chain resources.
When the said tenant is not configured, the provider PTG's
tenant will be used instead.
Change-Id: I4862b87c41b48344a53dbf72c004a8dc18c2aa99
Closes-Bug: 1432816
Changed default_subnet_prefix_length from "default=26"
to "default=24" in implicit_policy.ini and implicit_policy.py
for consistency.
Updated relevant unit tests.
Closes-Bug: #1489981
Change-Id: I2356191b4de2e182e27a6070791e3c57a6db80c8
Adding 'shared' attribute to the following service chain objects:
- Service Chain Node;
- Service Chain Spec.
As a side effect, REDIRECT rules can now be shared with a
shared SCS value.
implements blueprint share-servicechain-objects
Change-Id: If6cd4072271fdbe9f213aa2922cb918547340cd3
With the introduction of the new servicechain plugin, some sort
of path reorganization is required so that the code doesn't become
confusing as new plugins are implemented.
The existing servicechain_plugin has been renamed "MSC" for
Modular Service Chain. The name recalls ML2 because of the MSC
structure being inspired by it.
The old entry point name is not removed from setup.cfg for backward
compatibility, still need to figure out a way to rename the configuration
files properly having the same goal in mind.
Partially implements blueprint node-centric-chain-plugin
Change-Id: I4f8db6f5fa30479aad283b07e499901af000a6c5
Adds support for extension drivers, similar to those in ML2, to the
GBP service plugin. All GBP resource types can be extended.
Partially-implements: blueprint gbp-extension-drivers
Change-Id: If4e522233fae4442bb179ddabd9ac6295ca6f431
(Patch series identifier: GP-API-1)
This is the first in a series of patches which implement Group Policy. It
includes the Resource Model and API for Endpoint, Endpoint Group, L2
Policy, and L3 Policy resources.
In the context of the larger Group Policy Model, the Endpoint Group resource
references Contracts, which will be introduced in a subsequent patch.
The DB and Plugin layers to back these resources will also be introduced in
subsequent patches.
DocImpact
Gerrit Spec: https://review.openstack.org/#/c/89469
Author: Sumit Naiksatam <sumitnaiksatam@gmail.com>
Co-Authored-By: Bob Kukura <kukura@noironetworks.com>
Co-Authored-By: Stephen Wong <s3wong@midokura.com>
Co-Authored-By: Mohammad Banikazemi <mb@us.ibm.com>
Co-Authored-By: Mandeep Dhami <dhami@noironetworks.com>
Co-Authored-By: Ivar Lazzaro <ivarlazzaro@gmail.com>
Change-Id: I4f4cc7e2a899b39947b784ec390c3df599cf01ae