Remove shell parameter from subprocess_popen, [1] removes
shell reference in the above method in Neutron to fulfill
bandit B604 requirement.
[1]: https://review.opendev.org/c/openstack/neutron/+/915467
Change-Id: I6866f66e1ee74b28fbe28ec30c11126d00652c2d
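An added example, not part of the commit or of the project's code: a small AST scan that lists call sites still passing a `shell` keyword, the kind of check that helps confirm every caller was cleaned up once the wrapper drops the parameter. It is not Bandit's implementation; the sample source, `utils.subprocess_popen` as written there, and the helper names are assumptions made for illustration.

```python
import ast

# Constructed sample source. `utils.subprocess_popen` is only a stand-in
# name for the wrapper mentioned in the commit, not Neutron's real code.
SAMPLE = '''
def run(cmd, utils):
    a = utils.subprocess_popen(cmd, shell=False)
    b = utils.subprocess_popen(cmd, shell=True)
    c = utils.subprocess_popen(cmd)
    return a, b, c
'''


def callee_name(func):
    """Best-effort name of the called object (hypothetical helper)."""
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return "<expression>"


def shell_keyword_calls(source):
    """Return sorted (line, callee, verdict) for calls passing shell=..."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg != "shell":
                continue
            if not isinstance(kw.value, ast.Constant):
                verdict = "dynamic value, review by hand"
            elif kw.value.value:
                verdict = "shell enabled"
            else:
                verdict = "shell disabled but still referenced"
            findings.append((node.lineno, callee_name(node.func), verdict))
    return sorted(findings)


if __name__ == "__main__":
    for line, callee, verdict in shell_keyword_calls(SAMPLE):
        print(f"line {line}: {callee}: {verdict}")
```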
These options were used by neutron-rootwrap-xen-dom0 which was already
removed[1].
[1] 668f582f8df78089eef44a15a81c970c26c97dc4
Change-Id: I6aec348f0d75974bf8d16741e08d70283a938849
Adds VPNaaS support for OVN.
Add a new stand-alone VPN agent to support OVN+VPN. Add OVN-specific
service and device drivers that support this new VPN agent. This will
have no impact on the existing VPN solution for ML2/OVS, the existing
L3 agent and its VPN extension will still work.
Add a new VPN agent scheduler that will schedule VPN services to VPN
agents on a per-router basis.
Add two new database tables: vpn_ext_gws (to store extra port IDs)
and routervpnagentbindings (to store VPN agent ID per router).
For more details, see the spec (neutron-specs/specs/xena/vpnaas-ovn.rst).
This work is based on work of MingShuan Xian (xianms@cn.ibm.com),
see https://bugs.launchpad.net/networking-ovn/+bug/1586253
Depends-On: https://review.opendev.org/c/openstack/neutron/+/847005
Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/847007
Closes-Bug: #1905391
Change-Id: I632f86762d63edbfe225727db11ea21bbb1ffc25
Since [1] (release 1.11.0), the Alembic operations "now enforce
keyword-only arguments as passed as keyword and not positionally"
(from the commit message).
This change is compatible with the previous versions (as confirmed
in the CI).
[1] df75e85489
Closes-Bug: #2019948
Change-Id: I00c34fd8c4666d5cece13f562df733e75b4b70af
The following methods are now called from inside a reader context:
* ``VPNPluginDb.get_ikepolicy``
* ``VPNPluginDb.get_ikepolicies``
* ``VPNPluginDb.get_ipsecpolicy``
* ``VPNPluginDb.get_ipsecpolicies``
* ``VPNPluginDb._get_vpnservice``
* ``VPNPluginDb.get_vpnservice``
* ``VPNPluginDb.get_vpnservices``
* ``VPNPluginDb.get_endpoint_group``
* ``VPNPluginDb.get_endpoint_groups``
This patch is also adding the writer context to
``BaseIPsecVPNDriver.create_vpnservice``.
Closes-Bug: #2008767
Closes-Bug: #2008001
Change-Id: Ic22eb356c3157713a53cd71a366b946aa57ab042
Fixes a RuntimeError "Method remove_reservation cannot be called
within a transaction" while creating an ipsec site connection.
To avoid the error the service driver now gets the vpnservice
(to get the router_id) inside a CONTEXT_READER wrapper.
Closes-Bug: #1978571
Change-Id: I6552816db8a596a933365dc9de481d8c32371f1c
This patch shows how to use a neutron-lib released API definition for
the VPNaaS extensions. This is a baby step towards a
consolidated set of Neutron APIs.
See I06760fbbbc87570412a21364fba58efe880a907b for more details.
The method get_namespace in API extensions is also removed during this
migration, since it was removed from neutron a long time ago [1].
Co-Authored-By: Anh Tran <trananhkma@gmail.com>
Co-Authored-By: Hunt Xu <mhuntxu@gmail.com>
Co-Authored-By: Dongcan Ye <hellochosen@gmail.com>
[1] I3c406910991c33cf959c5345d76153eabe3ace2d
Depends-On: https://review.opendev.org/#/c/710559/
Depends-On: https://review.opendev.org/#/c/712657/
Change-Id: I1034814639a03b6482d9c9d1a389950aef967a59
Neutron introduces an additional layer of protection when it comes
to dead VLANs, however, the VPNaaS did not have that change in its
tests which meant that traffic was not reachable inside the
functional tests[1].
This patch changes the base class of the TestIPSecBase to use the
L3AgentTestFramework instead, and does a small refactor of the
setUp() function as well to remove extra calls.
This should stop any further changes in Neutron from breaking VPNaaS
since hopefully that class will carry the fixes down. However, there
is a lot of duplicated code from the base class into this one,
however, this patch is focused at making a simple backportable
change for now. Long term, it would be good to drop more of the
redundant code in there.
[1]: I0391dd24224f8656a09ddb002e7dae8783ba37a4
Change-Id: I04793caeaa71adbb1abcbda58aa43e63ce51d1e6
The [1] change modified the behavior Neutron had, which used to
force the default config options to be automatically set.
Neutron VPNaaS expects some of the default config options
to be set while initializing some services. If they are not set
the initialization will fail similar to neutron-dynamic-routing[2].
This change invokes the method that sets such config options to
fix this initialization issue.
[1] https://review.opendev.org/c/openstack/neutron/+/837392
[2] https://review.opendev.org/c/openstack/neutron-dynamic-routing/+/838780
Change-Id: I5c309c1ca8a7162b2a42b60bb3ee66df2c93fbae
Q_BUILD_OVS_FROM_GIT is used in Devstack, and in Neutron
BUILD_OVS_FROM_SOURCE recently was changed to it.
Change-Id: Ibe11e4848e46f5df44b23bbdb97f88143e6cc454
Depends-On: https://review.opendev.org/c/openstack/neutron/+/799625
In the scenario of a failover, since the state is not updated, the
router status remains as 'backup' in the agent and it skips on
checking its status.
This patch updates the router info once there are updates to the
HA state so that it can force a status update correctly.
Change-Id: Id3ec0ec2517d0c8f09c558c25ceb53f7c9fdbcf5
Since there were a few changes inside Neutron which now use primary
instead of master, failover did not properly function. This patch
handles both master/primary until Neutron moves those keywords into
constants inside neutron-lib.
Change-Id: I9ff278801a400c52cc52d23b62b0b8447f91ebd8
Added "update_network" method implementation to all "L3AgentExtension"
child classes. This new method will be added as a new abstract method
in future neutron-lib releases.
Needed-By: https://review.opendev.org/c/openstack/neutron-lib/+/818536
Related-Bug: #1950454
Change-Id: If319a47e65e4052dd3bbfba700819cbb9183a263
Currently, strongSwan driver only triggers "ipsec reload" command
when a new IPsec Site Connection configuration is received. If that
configuration uses a different PSK, it will not be picked up upon
reload called by restart() function. This change introduces a separate
reload_secrets() function which will call "ipsec rereadsecrets" before
"ipsec reload".
Closes-Bug: #1921514
Change-Id: Ia5458bbbb38b1d645547baf56ce3bb5ee2a97781
The latest pip resolver started to check requirements strictly
and it detects many inconsistencies in neutron-vpnaas requirements.
Also applies the practices discussed in the mailing list [1][2].
* Drop pyflakes from requirements.txt as it is not used.
* Move document dependencies to doc/requirements.txt [1]
and drop them from lower-constraints.txt.
* Bump MarkupSafe lower-constraint to 1.1.1
to make it work with newer setuptools.
* Bump the minimum neutron requirement to 17.0.0 (victoria release)
as the previous min version 13.0.0.0b2 is too old.
Wallaby and Victoria neutron are not much different, so I think
it is no problem to use the latest released version here.
* Dependencies related to the neutron min version bump are updated
in requirements and lower-constraints.
Note that eventlet 0.22.0 is used as lower-constraints as 0.21.0
(the min requirement in neutron 17.0.0) is blocked in several libs.
* Move linter dependencies to tox.ini and drop them from
lower-constraints.txt (pylint, pyflakes, astroid, isort)
* Drop psutil from neutron_vpnaas/tests/functional/requirements.txt
as the specified version of psutil is too old and psutil is a dependency
of neutron so we don't need to install it explicitly here.
In addition, hacking version is updated as hacking 0.12.0 is not compatible
with python 3.8. W504 and I202 are ignored as we do in the neutron repo.
Other new flake8 violations are fixed.
[1] http://lists.openstack.org/pipermail/openstack-discuss/2021-January/019611.html
[2] http://lists.openstack.org/pipermail/openstack-discuss/2020-December/019362.html
Change-Id: I47f6d39379b68c4d71fc4d85ebb06d97cb5a6ce2
This patch fixes multiple issues to unblock gate:
1. With new isort releases (5.X.X) pylint started to fail, with error:
AttributeError: module 'isort' has no attribute 'SortImports'
This patch pins isort to 4.3.21, the last version before 5.0.0.
2. lower-constraints of appdirs and pytz need to be updated as
currently lower-constraints job fails.
Since patch Ia012a8e116a276a6674f86366c803e0e2d8ff704 modified the
NEUTRON_PATH variable the functional test fails with:
[..]neutron/tools/configure_for_func_testing.sh: line 113: /home/zuul/src/opendev.org/openstack/neutron-vpnaas/devstack/lib/ovs: No such file or directory
3. Functional job fails, because during tox run the latest released
neutron is installed and it requires mock to be installed. This
patch adds mock to functional test requirements. Note: this needs
to be deleted as soon as new neutron will be released as on
development branch neutron does not depend on mock anymore.
Change-Id: Ibc4cd7f8a055457b288ef101893c252cf0464a28
The *swan drivers can support the selection of main or aggressive
negotiation mode, but vpnaas only supports main mode. When the external
host establishes a VPN communication with the internal virtual machine in
the cloud environment, if the external vpn site connection is configured
in aggressive mode, this will cause communication failure. Therefore, this
patch adds support for aggressive mode.
Change-Id: Ia3c9db2d151bd7c63c6ab500dbdecfaf07583a6f
Partial-Bug: #1701413
After astroid upgrade from 2.3.3 to 2.4.0, we hit
unsubscriptable-object error:
neutron_vpnaas/db/vpn/vpn_db.py:197:
E1136: 'ipsec_site_conn_db' is unsubscriptable
neutron_vpnaas/db/vpn/vpn_db.py:622:
E1136: Value 'endpoint_group_db' is unsubscriptable
Use db attribute while vpn_models does not define __getitem__()
for getting object values.
Change-Id: If0b83c693eedba5eb11dcda7abe07f51e4539516
Python 3 interprets string literals as Unicode strings,
and therefore '\d' is treated as an escaped Unicode character.
If you’re not using a raw string to express the pattern,
remember that Python also uses the backslash as an escape sequence in
string literals; if the escape sequence isn’t recognized by Python’s parser,
the backslash and subsequent character are included in the resulting string.
However, if Python would recognize the resulting sequence, the backslash
should be repeated twice. This is complicated and hard to understand,
so it’s highly recommended that you use raw strings for all but the
simplest expressions. [1]
This patch uses a raw string for the regular expression.
[1] https://docs.python.org/3.6/library/re.html#regular-expression-syntax
Change-Id: Ibee059af3b24896749b66d87a6691fdf40a5767a
Closes-Bug: #1871621
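An added example, not part of the commit: it checks what Python does with `\d` and `\b` in raw and non-raw literals, including the compile-time warning a non-raw `'\d+'` raises. The sample text and function names are constructed for illustration; the warning category depends on the Python version, so both possibilities are accepted.

```python
import re
import warnings

# Constructed sample text, not taken from the project.
SAMPLE = "conn 42 up, conn 7 down"


def literal_warnings(literal_source):
    """Compile one string literal; return the warning categories it raised."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        compile(literal_source, "<constructed>", "eval")
    return [w.category for w in caught]


def matches(pattern):
    """All matches of `pattern` in the constructed sample."""
    return re.findall(pattern, SAMPLE)


# '\d' is not a Python escape, so a doubled backslash and a raw string
# produce the same two-character pattern prefix.
SAME_PATTERN = "\\d+" == r"\d+"

# '\b' is a Python escape: non-raw it is one backspace character, while
# the raw form keeps the backslash so `re` sees a word boundary.
BACKSPACE_LEN, RAW_LEN = len("\b"), len(r"\b")


if __name__ == "__main__":
    print("non-raw '\\d+' warnings:", literal_warnings("'\\d+'"))
    print("raw r'\\d+' warnings:   ", literal_warnings("r'\\d+'"))
    print("digits:", matches(r"\d+"))
    print("non-raw word boundary:", matches("\bconn\b"))
    print("raw word boundary:    ", matches(r"\bconn\b"))
```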
We only support py3 now, so we are using the standard library
unittest.mock instead of the mock module.
Change-Id: Ie827780a950cf66030ee1a688674e66ca7f3479c
When neutron is installed inside venv, neutron-vpn-netns-wrapper
is placed inside venv as well. Currently vpn creation will fail due to
missing wrapper inside $PATH. So we should respect venvs and launch
neutron-vpn-netns-wrapper from the venv when applicable.
Closes-Bug: 1848201
Change-Id: I9c50bfc2cefdd97c6d54e8bfabe97748c8dfce13
Since we dropped python 2 support and testing in [1], there is
no compatibility with Python2 now. We can stop using python
six module.
[1] https://review.opendev.org/#/c/698245/
Change-Id: I15771f129ada53f1f8ca6683c8d80d5675332db5
Tempest config project_network_v6_cidr had changed,
which caused two IPv6 IPsec site connections to fail to
establish a session.
This patch uses cidrs allocated from project_network_v6_cidr.
Change-Id: Id2c06a8eb794141144dc026a8b3adfdd3ff142d5
Closes-Bug: #1852516
The ipsec.conf.old and ipsec.secrets.old files can only be generated
if config "restart_check_config" is enabled, so in restart we should check
the restart_check_config configuration first, then check whether ipsec.conf
and ipsec.secrets changed.
Closes-Bug: #1828721
Change-Id: Iccaf1aed26f54eeb49ce1cf2cac12a820310968c
If 'local_id' is not in ipsec_site_conn, we can get it from
ipsec_site_conn['external_ip']. Otherwise use it from
ipsec_site_conn['local_id'].
This patch does the following:
1. Fix the 'local_ip' error, it should be 'local_id'.
2. Add two tests if the 'local_id' is missing.
3. Fix 'local_id' cover tests. Fill 'local_id' to template
'leftid'.
Co-Authored-By: Dongcan Ye <hellochosen@gmail.com>
Change-Id: I4d1ccb6b23d4331ab2951c828c491199fdc46faa
netns_wrapper is using map() function when running command and this
returns map object instead of list in python 3. This patch fixes it
to return list object always.
Change-Id: I22ddde78f2d8af042789e52ea82ec3e8099f7888
Patch [1] introduced the need to explicitly set the "is_sort_key"
flag on attributes which can be used as a sort key.
This patch adds it to base attributes in vpnaas resources, like:
* id,
* tenant_id,
* name,
* subnet_id,
* router_id
This commit also updates sphinx requirements to make requirements
jobs pass.
[1] https://review.opendev.org/#/c/653903/
Change-Id: Ibe1aee0346e3fc21215d1b3be8752224aa2c162d
Closes-Bug: #1832225