Adds VPNaaS support for OVN.
Add a new stand-alone VPN agent to support OVN+VPN. Add OVN-specific
service and device drivers that support this new VPN agent. This will
have no impact on the existing VPN solution for ML2/OVS, the existing
L3 agent and its VPN extension will still work.
Add a new VPN agent scheduler that will schedule VPN services to VPN
agents on a per-router basis.
Add two new database tables: vpn_ext_gws (to store extra port IDs)
and routervpnagentbindings (to store VPN agent ID per router).
More details see spec (neutron-specs/specs/xena/vpnaas-ovn.rst).
This work is based on work of MingShuan Xian (xianms@cn.ibm.com),
see https://bugs.launchpad.net/networking-ovn/+bug/1586253
Depends-On: https://review.opendev.org/c/openstack/neutron/+/847005
Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/847007
Closes-Bug: #1905391
Change-Id: I632f86762d63edbfe225727db11ea21bbb1ffc25
Setuptools v54.1.0 introduces a warning that the use of
dash-separated options in 'setup.cfg' will not be supported
in a future version [1].
Get ahead of the issue by replacing the dashes with underscores.
Without this, we see 'UserWarning' messages
like the following on new enough
versions of setuptools:
UserWarning: Usage of dash-separated 'description-file' will not be
supported in future versions. Please use the underscore name
'description_file' instead
[1] https://github.com/pypa/setuptools/commit/a2e9ae4cb
Change-Id: I84131fe10c7ca309e576b1769f2a3eccf4fdfe50
In Zed cycle, we have dropped the python 3.6/3.7[1] testing
and its support. Add release notes and update the python
classifier for the same.
[1] https://governance.openstack.org/tc/reference/runtimes/zed.html
Change-Id: I68fded0366a3be3ef5459391982e80c570562735
These translation sections are not needed anymore, Babel can
generate translation files without them.
Change-Id: Idbd4f0b3565de74aa40a054ee6e98699422a0095
Make a few cleanups:
- Remove python 2.7 stanza from setup.py
- Remove obsolete sections from setup.cfg:
* Wheel is not needed for python 3 only repo
* Some other sections are obsolete
- Update classifiers
- Update requirements, no need for python_version anymore
Change-Id: I79cf58adf35726999a0791525dd28a7e70de4591
This commit defines the default policies in code. VPNaaS has
no policy.json so far, so all policy definitions are newly created.
Partially Implements: blueprint neutron-policy-in-code
Change-Id: Ic0bf99b69a792197399e38ace6d23ea18874892a
After the announcement on mailing list [1] but there is no response.
This patch intends to remove the following drivers that are unmaintained:
- CiscoCsrIPsecDriver
- FedoraStrongSwanDriver
- VyattaIPsecDriver
[1] http://lists.openstack.org/pipermail/openstack-dev/2017-July/120264.html
Change-Id: I984a41b9a9b5c154c4be7f5bcef621fe8c5677ac
This is the iteration of the VPNaaS Agent with some basic
functionality to enable integration of Plugin - Agent - Driver.
Co-Authored-By: Van Hung Pham <hungpv@vn.fujitsu.com>
Change-Id: I0b86c432e4b2210e5f2a73a7e3ba16d10467f0f2
Closes-Bug: 1692128
Infra has been running python35 jobs, replaced the python34 jobs.
This is due to the change from Ubuntu Trusty to Xenial, where only
python3.5 is available.
So we update a py35 environment with the same definitions for
skipping not-yet-working checks as we have in place for py34 already.
Change-Id: I3e7fc720ca6bd9df80620d609e9a9603a644673a
The aliases should be maintained in the same repo that hosts the plugin
itself.
Change-Id: Ieb4e9fce9f5cf9b5a60f1207ec38a59adfe400a8
Depends-On: I2136a530a8351cc290418d9ae18af08b480707c5
Currently, when we run api tests with command: "tox -e api",
tests are failing with errors.
This change first fixes errors, make api tests pass. Then refactor
the neutron-vpnaas api tests tree to fit the tempest plugin.
As a tempest plugin, the steps to run tests by hands are:
1. Setup a local working environment for running tempest
tempest init ${your_tempest_dir}
2. Enter ${your_tempest_dir}
cd ${your_tempest_dir}
3. Check neutron_vpnaas_tests exist in tempest plugins:
tempest list-plugins
+----------------------+------------------------------------------------------+
| Name | EntryPoint |
+----------------------+------------------------------------------------------+
| neutron_tests | neutron.tests.tempest.plugin:NeutronTempestPlugin |
| neutron_vpnaas_tests | neutron_vpnaas.tests.tempest.plugin:VPNTempestPlugin |
+----------------------+------------------------------------------------------+
4. Run neutron_vpnaas tests:
tempest run --regex "^neutron_vpnaas.tests.tempest.api\."
In the jenkins gate, devstack-gate/devstack-vm-gate-wrap.sh will invoke tempest
with proper configurations, such as:
DEVSTACK_GATE_TEMPEST=1
DEVSTACK_GATE_TEMPEST_ALL_PLUGINS=1
DEVSTACK_GATE_TEMPEST_REGEX="^neutron_vpnaas.tests.tempest.api\."
The actual raw command in gate running under the tempest code directory is:
tox -eall-plugin -- "^neutron_vpnaas.tests.tempest.api\."
This is a part of activate the API job:
https://review.openstack.org/#/c/337011/
Change-Id: Icdc946bccb77b4c78d161a590de1aa15e0a57139
Follow new infra setup for translations, see spec
http://specs.openstack.org/openstack-infra/infra-specs/specs/translation_setup.html
for full details.
This basically renames
neutron-vpnaas/locale/neutron-vpnaas.pot to
neutron_vpnaas/locale/neutron_vpnaas.pot. For this we need to update
setup.cfg.
Update also domain name in _i18n.py.
The project has no translations currently, let's remove the outdated
pot file, the updated scripts work without them. So, we can just
delete the file and once there are translations, an updated pot file
together with translations can be imported automatically.
Change-Id: Ie2c93bebdfbade7c0e2dd7f1f0393639bd8970ed
The tox docs environment converts Sphinx warnings to
errors using the '-W' option. However, the equivalent
gate job calls build_sphinx directly and lacks the
necessary option in setup.cfg to convert warnings
to errors. Adding this option to provide the same
checks in both places.
Change-Id: Id752831a5d09d819f342427833f68ccb0acdaaf1
Oslo config generator was introduced in patch [1] to
automatically generate the sample Neutron VPNaaS configuration
files.
This patch removes the static example configuration files from
the repository as they are now redundant.
[1] https://review.openstack.org/#/c/253399/
Change-Id: Ibf5ed0f1e80d01dd2332a3638974479bca350ecf
Partially-Implements: blueprint autogen-neutron-conf-file
Partial-bug: #1199963
Depends-On: Icef8f7e8f0e8e78bfffa7a5af3f9f2300376b115
This adds a new tox environment, genconfig, which generates sample
neutron VPNaaS configuration file using oslo-config-generator.
Updates to some configuration option help messages to reflect useful
details that were missing in the code but were present in config files.
DocImpact: Update the docs that VPNaaS no longer includes static example
configuration files. Instead, use tools/generate_config_file_samples.sh
to generate them and the files generated now end with .sample extension.
Partially-Implements: blueprint autogen-neutron-conf-file
Change-Id: I4a6094b8218dfd320d05bfb1e3bc121e8930c551
Partial-bug: #1199963
Per email from the release team [1], we are moving to using only
tags and removing verisons from setup.cfg.
Depends-On: I19e888fc403aa2d95b769ed1730721eba29e68ea
[1] http://lists.openstack.org/pipermail/openstack-dev/2015-November/080692.html
Change-Id: I02f0f5a18d7587c429d150ad7da2decbb609b045
Signed-off-by: Kyle Mestery <mestery@mestery.com>
Bump preversion to mark the start of the Mitaka development branch.
The liberty release branch will be cut from the previous commit.
Change-Id: Ia57a1212c1f702ebf5a367ce9d3462eb1cecfc96
Signed-off-by: Kyle Mestery <mestery@mestery.com>
This allows neutron-db-manage to find the alembic migrations
automatically if this project is installed.
The config file alembic.ini is not needed in this project since it's
tables are in neutron's DB and so it depends on neutron's config.
Partial-Bug: #1470625
Change-Id: I90a4a10d10769e48571327b98cbc67b68260e909
Bump pre-version in setup.cfg to formally open Liberty development.
Kilo release branch will be cut from the previous commit.
Change-Id: Id4cf723c18c564e9007178fad97a2a8827266822
Introducing new service-driver and device-driver for Vyatta vRouter.
with portions of vRouter parsing code hosted in stackforge/networking-brocade
repo.
Change-Id: I6028283c86849196170ada8b5ebeb1efe4e38ea4
Implements: blueprint brocade-vyatta-vpnaas-plugin
Don't rely on l3_agent entry point in neutron to do it for the agent.
There are plans [1] to move eventlet monkey patching into a separate
location other than neutron.agent.l3_agent. That means we won't be able
to rely on base l3_agent module to be monkey patched for us.
This patch mimics the tree structure used in neutron to keep eventlet
patched services in single place. Even though there is only one agent in
tree that needs monkey patching, it's better to keep things uniformly
with neutron, and allow to introduce more agents later without
explicitly adding another call to monkey_patch() for those.
[1]: I2bc16ca4422c01d64e9fac4910214dbb0d0326ff
Change-Id: I2d7081dbd4cb532332e3b66667bb8c71aa5a6658
- Some shared exceptions will be left in Neutron, until further l3 refactoring
Depends on neutron change I16b5e5b2bb70717166da14faa975fa2ab9129049
Change-Id: I081b7482776b7294fcafcae6c8610ddd5271cc5e
Partially-Implements: blueprint services-split
strongSwan doesn't support namespace natively, this wrapper
will use "mount --bind" to simulate the ns like this:
sudo neutron-rootwrap /etc/neutron/rootwrap.conf ip netns \
exec <namespace-id> neutron-netns-wrapper --mount_paths \
=/etc:/var/lib/neutron/vpnaas/<xxxx-id>/etc, \
/var/run:/var/lib/neutron/vpnaas/<xxxx-id>/var/run \
--cmd=ipsec,status
Both sudoers and rootwrap.conf will not exist in the
directory /etc after bind-mount, thus we can't use
utils.execute(cmd, conf.root_helper) in
neutron/agent/linux/utils.py. so implement a function
execte(cmd) in this wrapper as an alternative. then we can
use root_helper to invoke this wrapper to make sure all
commands are still running as root as below code shows.
Finally, also need to check in wrapper if cmd matches
CommandFilter based on the same reason.
ip_wrapper = ip_lib.IPWrapper(root_helper, namespace)
ip_wrapper.netns.execute(
[NS_WRAPPER,
'--mount_paths=/etc:%s/etc,/var/run:%s/var/run' % (
self.config_dir, self.config_dir),
'--cmd=%s' % ','.join(cmd)],
check_exit_code=check_exit_code)
We are using check of net namespace (since linux 3.0),
instead of mount namespace (since Linux 3.8), as older
kernels do not support mount namespace. In addition,
mount --bind has been available since Linux 2.4. so we
don't need to worry kilo's minumum kernel requirement.
This patch is based on patchset67 of nachi's initial
vpnaas implementation, many thanks to nachi.
submit this wrapper as a separate review from [1].
[1] https://review.openstack.org/#/c/144391/
Partially-implements: blueprint ipsec-strongswan-driver
Change-Id: Icc80b9102acb87170f2d1cda06c848fa71bb1634
Vpnaas driver class is changed to one from this repo in case it attempts
to be loaded from neutron repo.
This change depends on I76af175c4387326a4e5ff95c2f15d8b866dedab3
Change-Id: I2986a9724396920071a3a22121e5b5a5a08ed059
Closes-Bug: 1401895
Neutron does not support Python 2.6 anymore starting with Kilo and might
not work correctly with it, so remove the classifier.
Change-Id: Ib7cddecdbec2c5152fe526bada6587129cf63ffd
Ryu plugin was marked deprecated in Juno.
This commit actually removes the code for Kilo.
We (Ryu team) recommend users to migrate to ofagent, on which
we aim to concentrate our development resources by this deprecation.
DocImpact
Partial-Bug: #1391714
Change-Id: I4916ce3c246730dc00516404471f8a1a008e27b6
neutron-ofagent-agent currently relies on the fact the rootwrap
filters for neutron-openvswitch-agent covers what it needs.
as they are independent agents and their requirements are
getting more different, introduce a dedicated rootwrap filters
for ofagent.
Closes-Bug: #1392560
Change-Id: Iba205260a238431432caf8d9697268ceeef85eca
The openvswitch core plugin has been removed but not its associated
"neutron.core_plugins" entry point. This change removes it from
setup.cfg.
Change-Id: I79f7c334cdeb0f4d0d68743734f69c0ec8523467
Related-Bug: #1323729
Closes-Bug: #1391326
This changeset removes the linuxbridge plugin, but retains the agent for ML2.
The database models were not removed since operators will need to migrate the
data.
Additionally, the ml2 migration script was altered to support Juno. For
testing, a user must either run the migration against the icehouse
scheme or run the update, manually change alembic_version to juno and
then run the migration script. Once the juno migration is added, this
manually step will not be required.
Change-Id: I70689b4247947e6dc08e80fd9b31da9dc691d259
Partial-Bug: 1323729