This is a follow-up patch to [1], in which a warning was added about
an incompatible configuration of the vlan/flat networks allowed as tenant
networks, distributed routing and port forwardings.
In this new patch a similar warning is logged every time a port
forwarding is created using a router which actually has vlan or
flat networks connected as "internal networks" (external gateway network is fine)
and when distributed routing is enabled in the Neutron config.
This patch additionally adds the "neutron:is_ext_gw" flag to the
Logical_Router_Port's external_ids. With that it's easier to check if
a network is used as a gateway network (no checks needed) or not (checks are
performed and a warning may be logged).
[1] https://review.opendev.org/c/openstack/neutron/+/892542
Related-Bug: #2028846
Change-Id: I101128bdb421ec83df5cdcb0d486cbafbbca2ce5
In case when port_forwarding service plugin is enabled and vlan or flat
network (provider network types) is configured as one of the
tenant_network_types in the ML2 config there is an issue with
centralized and distributed traffic.
FIP port forwardings in the ovn backend are implemented as OVN Load balancers
and thus are always centralized, but if "enable_distributed_floating_ip" is
set to True, FIPs are distributed. In such a case it won't work as
expected, as either it tries to send the FIP PF's traffic as distributed when
"reside-on-redirect-chassis" for the LRP is set to "false" or it
tries to centralize everything (even FIPs which should be distributed)
when "reside-on-redirect-chassis" is set to "true".
It's not really easy to avoid that issue from the code, so this patch
adds a warning in the upgrade checks and also logs a warning about it during
the start of the neutron server process to at least warn the cloud admin that
such a potential issue may happen in the cloud.
Related-Bug: #2028846
Change-Id: I398f3f676c59dc794cf03320fa45efc7b22fc003
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
the ones in neutron/services.
Trivialfix
Change-Id: Ie9779b257981bc80e69639cdaa4d7dfd0ffa5809
Use "value > constant" syntax and not vice-versa. Also
removed disable of misplaced-comparison-constant in
.pylintrc so future ones are caught.
Trivialfix
Change-Id: I733864e7437213bfb6edde24f207b2c9861998c6
If we list floating IPs and want to operate on a port forwarding, we cannot
call the update 'port forwarding' API, because we don't know the port
forwarding id.
This patch adds the port forwarding returned contents: 'id' and
'internal_port_id' when listing floatingip.
Closes-bug: #1971646
Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/840584
Change-Id: Ie1d9169cd07547491144776311d77d49b483d5ae
Currently we are adding lbs to logical_routers, but
to get the lbs accessible from the vms we need to
add lbs also to all the logical_switches connected
to the logical router as suggested in the Related
Bug rhbz#2043543.
If in future ovn automatically handles addition of
lbs to logical_switches if they exist on associated
logical_router, then we can remove this handling
from port-forwarding service plugin.
Also subscribed to router_interface's after create
and delete events to handle the case when logical
switches are added/removed from router after initial
port forwarding create.
Related-Bug: #1957185
Related-Bug: rhbz#2043543
Change-Id: I0c4d492887216cad7a8155dceb738389f2886376
This is a small optimization in
"PortForwardingPlugin._check_floatingip_request". To check the existence
of any OVO, "objects_exist" is the fastest method.
Closes-Bug: #1942358
Change-Id: I5097dbdda5a17d15152c5a6c1a56f5b5037d1f70
This patch switches over to callback payloads for
FLOATING_IP PRECOMMIT_CREATE and PRECOMMIT_UPDATE events
Change-Id: I886a360b838c78b0596c042fb5650bc73848af31
This reverts commit 062336e59b.
Now, we have proper fix for the system_scope='all' in elevated context
in the neutron-lib so we can revert temporary fix made at the end of the
Wallaby cycle.
Related-Bug: #1920001
Conflicts:
neutron/api/rpc/agentnotifiers/dhcp_rpc_agent_api.py
neutron/common/utils.py
neutron/db/address_group_db.py
neutron/services/segments/db.py
Change-Id: Ife9b647b403bdd76a8a99984ea8858bf95c96bc3
In case when enforce_new_defaults is set to True and new policy rules
are used, context.is_admin flag isn't really working as it was with old
rules.
But in case when elevated context is needed, it means that we need
context which has full rights to the system. So we should also set
"system_scope" parameter to "all" to be sure that system scope queries
can be done with such elevated context always.
It is needed e.g. when elevated context is used to get some data from
db. In such case we need to have db query which will not be scoped to
the single project_id and with new defaults to achieve that system_scope
has to be set to "all".
Proper fix for that should be done in neutron-lib and it is proposed
in [1] already, but as we have frozen the neutron-lib version for
stable/wallaby already, this patch for neutron is a temporary fix for that
issue.
We can revert that patch as soon as we will be in Xena development cycle
and [1] will be merged and released.
[1] https://review.opendev.org/c/openstack/neutron-lib/+/781625
Related-Bug: #1920001
Change-Id: I0068c1de09f5c6fae5bb5cd0d6f26f451e701939
When a port forwarding is created, the floating IP status should be set to
running; when all port forwardings are deleted, the floating IP status should
be down.
Closes-Bug: #1910334
Change-Id: I8b3e4bf6b3cac3a95ea76b85dd4882ddafc962c8
This patch implements the last code bits pending to
conclude the new DB engine facade migration.
Due to the resultant interactions in the modified code, it is
not possible to submit smaller patches; this code must be
migrated at once.
Partially-Implements blueprint: enginefacade-switch
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
Co-Authored-By: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
Change-Id: Id3f09b78c8d0a8daa7ec4fa6f5bf79f7d5ab8f8b
This is a subset of the changes for implementing the floating IP
port forwarding feature in neutron, using OVN as the backend.
This changeset covers the core implementation for portforwarding/drivers/ovn,
mech_driver, ovn-router as well as a subset of tests.
Port forwarding support in ovn_db_sync is not included here to facilitate review.
That, as well as all other supporting changes, are under the ovn/port_forwarding topic:
https://review.opendev.org/#/q/topic:ovn/port_forwarding+(status:open+OR+status:merged)
Depends-On: https://review.opendev.org/#/c/726478/
Partially-implements: ovn/port_forwarding
Partial-Bug: #1877447
Change-Id: I019fe11ac1ddcf2304f3f144c62d52667fc11dce
This is a follow up for https://review.opendev.org/#/c/738145/
During backporting review, it became clear that unit test had a
flaw. It assumed that order of items in dictionary that make up
the exception message did not change. That is not true, based
on the python version used.
This follow up also includes review feedback that did not make it
into the original change: rename function that raises exception
to have "raise" in its name (raise_port_forwarding_update_failed).
Change-Id: I6fcd64e205e584017e6c9022f82a5497ea1cc576
Closes-Bug: #1878299
Add validator to update_floatingip_port_forwarding so codepath does not
attempt performing invalid database operation. With that, operation fails
right away, with a hint on the offending argument(s).
Change-Id: I8284b22c5d691bfd9eadeb8590c3d4b27d261b04
Closes-Bug: #1878299
This is a follow up from commit eb46081150
In order to be used by functional tests -- or anything that does not use
stevedore that can map from "ovn-router" value -- pf_plugin also needs to
recognize "neutron.services.ovn_l3.plugin.OVNL3RouterPlugin" as a way for
specifying the OVN L3 service plugin.
Change-Id: I4227cc3ceb2a17f40df86dadd71d99198b6b26e9
Related-Bug: #1877447
This is a follow up from commit 102c442bcf
The call to resources_rpc.ResourcesPushRpcApi() will fail in situations
where RPC is not available. That is the case for neutron_ovn_db_sync_util.
The changes here will only set push_api if any of the configured service
plugins need it. This is a behavior similar to what is done for the QOS
plugin.
Related-Bug: #1877447
Change-Id: I3f2e18fabf4556cd708c6e544b5aaf37f72b44df
This commit adds possibility to configure fip port_forwarding
service plugin and l3 extension with devstack plugin for OVN.
Since OVN uses API workers, this change also introduces the
callbacks necessary in pf_plugin, so events related to port
forwarding are sent using neutron_lib callbacks registry.
Related-Bug: #1877447
Change-Id: I8124fac13bf4d802d232e8b3976e6a2cebc72106
In [1] new api extension "fip_pf_description" was introduced but it
wasn't added to the list of supported extensions by port_forwarding
service plugin.
Because of that "description" attribute was unknown for the
port_forwarding resource.
Now this new api extension is added and supported by pf plugin.
[1] https://review.opendev.org/#/c/670930/
Closes-Bug: #1866560
Partially-implements: bp/fip-pf-description
Depends-On: https://review.opendev.org/#/c/711856/
Change-Id: Ibf42a4d276d0141d66ae6e88aa9fbc291eaa4f82
Implements Conntrack Helper service plugin for conntrack
helper resources. Supports create, update and delete
conntrack helper for l3 routers.
A new configuration option:
[l3-conntrack-helpers]/allowed_conntrack_helpers
is introduced to allow the operator to configure CT
helpers, and the helper protocol constraints.
Related-Bug: #1823633
Depends-On: https://review.opendev.org/663446
Change-Id: I58193955261f50b18b1946261fe662da6b20f0f5
Today a number of classes define their supported_extension_aliases
using static strings rather than API definition ALIASes. This patch
switches them to use the ALIAS where applicable.
Change-Id: I716270c68a9fcd850c3c26de31bc13ea16def23d
Adds a required list 'required_service_plugins' to each service plugin,
then we can initialize the service plugin with required dependency.
And also adds the 'router' plugin to port forwarding service plugin
required list.
Closes-Bug: #1809238
Change-Id: I53fdaee0cd96a5315a7abc39799657d613eb3a2e
Port forwarding floating IPs QoS should be limited under
the binding QoS policy. So this patch extends the l3-agent
fip-qos agent extension floating IP list with the port
forwarding related IPs.
Change-Id: Iddabfabafc0803edd1e4ac0893dc188f1907234a
Closes-Bug: #1796925
If one port has port forwarding and the port is under
a dvr router, then binding floating IP to this port
will not be allowed.
Change-Id: Ia014e18264b43cf751a5bc0e82bc55d106582620
Closes-Bug: #1799138
The _resource_extend module is already rehomed into neutron-lib and is
shimmed in neutron. This patch removes the module as no active
consumers are using it.
NeutronLibImpact
Change-Id: I1550075fa5fa2aa2f1a88ee7189d311a1fe78391
For the dvr scenario, if a port has a bound floating, and then a
port forwarding is created to it, this port forwarding will not work, because
the traffic is redirected to dvr rules.
This patch restricts such API requests: if a user tries to create a port
forwarding to a port, check if it has a bound floating IP first.
This will be run for all types of routers, since neutron should
not let a user waste a public IP address on a port which already
has a floating IP; it can take care of all the protocol port
numbers.
Closes-Bug: #1799137
Change-Id: I4ba4b023d79185f8d478d60ce16417d3501bf785
Floating IP port forwardings with different protocols can not have
the same internal or external port number to the same VM port. But
we can have different application servers, for instance TCP server
and UDP server, listen to the same port at same time.
This patch adds the protocol attribute to the DB uniq constraint
to allow creating different protocol port forwardings with same
internal or external port number.
Co-Authored-By: LIU Yulong <i@liuyulong.me>
Closes-Bug: #1799155
Change-Id: Ifbb5f3ee2473aac98982bff0d2e6bb9b3e5ab5d6
The neutron.db.api.context_manager already references neutron-lib's
context manager; so consumers of it are already using neutron-lib. This
patch switches neutron's references to the context_manager over to
use neutron-lib's directly rather than that in neutron.db.api.
NeutronLibImpact
Change-Id: I97120faeec73690592ed21a5ec3c6202f61e1429
The retry_if_session_inactive decorator was rehomed into neutron-lib
[1]. This patch consumes it by removing the function from neutron and
using neutron-libs version where appropriate.
NeutronLibImpact
[1] https://review.openstack.org/#/c/557040/
Change-Id: I3e3289f33e62d45933d0fbf165bb4b25078f22d5
This patch fixes the race condition with update/delete of
several neutron resources, such as port forwarding conflict with
floatingip and port forwarding conflict with port.
Also this approach needs the revision function, so the port
forwarding model needs to be fixed to be aware of relationship revision updates.
The port forwarding resource is associated with 2 resources:
one is the floatingip, the other is the neutron internal port.
So floatingip update/delete may be in a conflict situation with
port forwarding creation. But for port, we just lack the logic to
process port forwarding during update of the port's fixed_ip and delete
port.
So the approach here is adding logic to let l3 plugin and port
forwarding plugin know each other when both sides may process the same
floatingip resource. Based on the existing revision_number feature,
if one side fails with db staleError, the api layer will retry the whole
operation for this resource, so there must be a failure on one side in
this case. This patch just adds the association logic for l3 plugin and
port forwarding plugin, and also adds an event receiver for port update/delete.
Then the behavior of the port forwarding associated resources would
be:
* For fip resource, I introduce one function in that patch:
  _check_floatingip_request
  So during floatingip update/delete, the function will process
  fip and check by rpc callback from l3_plugin, if port forwarding plugin
  also creates a port forwarding with the same fip at this moment. The
  success side would be the one who updates the fip_db first, the other side
  would be failure after db retry.
* For port resource, during update port fixed_ip or delete port, we will
  delete the associated port forwarding resources to free the
  fip:external_port socket.
Partially-Implements: blueprint port-forwarding
Change-Id: I637ebcb33b91d899a077bded5ca10097a830a847
Partial-Bug: #1491317
This patch introduces a new API extension named 'extend-fip-port-forwarding'
for exposing 'port_forwardings' field in floatingip responses.
Partially-Implements: blueprint port-forwarding
Change-Id: I9016abb6eb650c86c570a0ee78ee12361f4632e4
Partial-Bug: #1491317
This patch implements the plugin.
This patch introduces a new service plugin for port forwarding resources,
named 'pf_plugin', and supports create/update/delete port forwarding
operations towards a free Floating IP.
This patch includes the work below:
* Introduces portforwarding extension and the base class of plugin
* Introduces portforwarding plugin, support CRUD port forwarding
resources
* Add the policy of portforwarding
The race issue fix in:
https://review.openstack.org/#/c/574673/
Fip extend port forwarding field addition in:
https://review.openstack.org/#/c/575326/
Partially-Implements: blueprint port-forwarding
Change-Id: Ibc446f8234bff80d5b16c988f900d3940245ba89
Partial-Bug: #1491317