When using routed provided network, the condition is bypassing
dhcp_agents_per_network which results that in a env with 3 agents and
dhcp_agents_per_network=2, for a given network already well handled
by 2 agents. If restarting the third agent It will start to handle the
network also which will result to have 3 agents handling the
network.
Closes-bug: #2058908
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
Change-Id: Ia05a879b0ed88172694bd6bffc6f7eb0d36bb6b0
The placement_port option in fullstack tests can be implemented by
the native PortOpt instead of defining a specific type.
Change-Id: Iedf50249080d3f631942febb1f5e089f06f43db0
These test randomly fails with NetworkInterfaceNotFound
from quite some time. Until the issue is fixed added unstable_test
decorator so the job do not fail for these.
Related-Bug: #1961740
Change-Id: I1a352526aac72b417f93f51ba50c3359359c240d
Remove B324 (prohibit list calls: md5, sha1 for python>=3.9)
from bandit skip list, for this replace sha1 with blake2b.
Change-Id: Iafe571ad0de0408414ed321f4b9e9588916a873d
There were some globals in the IP monitor functional tests
that were only used and never assigned, there is no need
to define them as such in this case. No functional change.
TrivialFix
Change-Id: I0f8e630538ea5ae21537a9a72faf0cdd34096f11
OVS-agent wants to clean flows table by table during restart,
but actually it does not. If one table has same cookie with
other tables, all related flows will be clean at once.
This patch adds the table_id param to the related call
to limit the flow clean on one table at once.
Closes-Bug: #2060587
Change-Id: I266eb0f5115af718b91f930d759581616310999d
This patch is addressing some comments made in the previous patch [1]
and optimizing the code of ``HAChassisGroupRouterEvent`` class.
Related-Bug: #2052821
[1]https://review.opendev.org/c/openstack/neutron/+/909437
Change-Id: Ibc4afce16e95ea7d48737c254cd11431e9994704
When an external tunnelled network is used as gateway network in an
OVN router, the "Logical_Router_Port" is not bound to any chassis and
the "Logical_Router" is pinned to a gateway chassis, using the list
provided in a "HA_Chassis_Group".
This patch attends to any change in the "HA_Chassis" list of the
"HA_Chassis_Group" to update the "Logical_Router" chassis assigned.
This provides HA functionality in case that the bound chassis
(chassis pinned) fails.
Closes-Bug: #2052821
Change-Id: Ia3d4271d015386fbec3c3f2276a7f62c2f8ad5dd
Pin a "Logical_Router" to a chassis when the gateway network (external
network) is tunnelled. When the external network is tunnelled, the
"Logical_Router_Port" acting as gateway port is not bound to any
chassis (the network has no physical provider network defined).
In that case, the router is pinned to a chassis instead. A
"HA_Chassis_Group" is created per router. The highest "HA_Chassis" of
this group is assigned to the router. If the gateway port is deleted,
the pinned chassis is removed from the "options" field. If the
router is deleted, the "HA_Chassis_Group" is deleted too.
NOTE: in the a chassis belonging to the router "HA_Chassis_Group"
changes, the list of "HA_Chassis" will be updated in
``ChassisEvent.handle_ha_chassis_group_changes``. However, a
"HA_Chassis_Group" change is handled by OVN, when assiged.
But in this case we are using this artifact, as commented before,
to "manually assign" (from core OVN point of view) the highest
priority "HA_Chassis" to the router (this upcoming funcionality
will be implemented in core OVN). A new follow-up patch will be
pushed to provide HA functionality and update the "HA_Chassis"
assigned to the "Logical_Router" when the chassis list changes.
Partial-Bug: #2052821
Change-Id: I33555fc8a8441149b683ae68f1f10548ffb662a6
This decorator allows to create a new OVN database transaction or
use the existing one in a method. It is needed to pass the transaction
object (if any) and the IDL (Northbound or Southbound).
Related-Bug: #2052821
Change-Id: I925c1d745197edd08a62ced66b275c7b1dad1d6a
Remove B303 (md5, sha1 for python<3.9) and
remove B311 (Standard pseudo-random generators are
not suitable for security/cryptographic purpose) from
the skip list of bandit execution.
Change-Id: I6e9e61e7f94dc9ca339942529af8997adef45e38
In this change, we add the ability to create high availability
user defined router flavors under the ML2/OVN L3 service
plugin.
Closes-Bug: #2020823
Change-Id: I0d26f672d6239d840d3cf817a2553a06ef00a854
If the Nova metadata service is unavailable, the requests.request()
function may raise a ConnectionError. This results in the upper code
returning a 500 HTTP status code to the user along with a traceback.
Let's handle this scenario and instead return a 503 HTTP status code
(service unavailable).
If the Nova service is down and is behind another proxy (such as
Nginx), then instead of a ConnectionError, the request may result in
receiving a 502 or 503 HTTP status code. Let's also consider this
situation and add support for an additional 504 code.
Closes-Bug: #2059032
Change-Id: I16be18c46a6796224b0793dc385b0ddec01739c4
In order to decide whether to process a router related
request, the user defined router flavor OVN driver needs to
check the flavor_id specified in the request. This change adds
the code to test the case when the API passed the flavor_id as
unspecified.
Change-Id: I4d7d9d5582b97246cad63ef7f5511b159d6c6791
Closes-Bug: #2059051
Previously, the code used to clean up old DHCP processes for a network
before creating new ones supporting multiple segments per network
could potentially not be executed first. Since disabling applies to
cleaning the namespace, this could have led to the network setup being
destroyed after being done.
This change moves the part that cleans up the old DHCP setup to ensure
it is executed first.
Closes-bug: #2049615
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
Change-Id: Iecdb2d81ee077c9b9057d0708c5c88e159970039
This new extension adds a new parameter to the NUMA affinity policy
list: "socket". The "socket" NUMA affinity policy has been supported
in Nova since [1].
[1]https://review.opendev.org/c/openstack/nova/+/773792
Closes-Bug: #2052786
Change-Id: Iad2d4c461a2aceef6ed2d5e622cce38362d79687
This change enhances the IptablesFirewallDriver with support for remote
address groups. Previously, this feature was only available in the
OVSFirewallDriver. This commit harmonizes the capabilities across both
firewall drivers, and by inheritance also to OVSHybridIptablesFirewallDriver.
Background -
The Neutron API allows operators to configure remote address groups [1],
however the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do
not implement these remote group restrictions. When configuring security
group rules with remote address groups, connections get enabled
based on other rule parameters, ignoring the configured remote address
group restrictions.
This behaviour undocumented, and may lead to more-open-than-configured network
access.
Closes-Bug: #2058138
Change-Id: I76b3cb46ee603fa5e829537af41316bb42a6f30f
Since [1] was merged, user defined flavor routers with the HA
attribute set to False cannot be created. This change fixes
it.
Closes-Bug: #2057983
[1] https://review.opendev.org/c/openstack/neutron/+/910889
Change-Id: Ic72979cfe535c1bb8cba77fb82a380c167509060
When handling the deletion of extra routes we need to handle the case
that the route is already deleted by another call in the time we have
fetched the extra routes and try to delete it. This is a classic race
condition when two calls try to update the routes of a router at the
same time. The default MariaDB/MySQL transaction isolation level does
not suffice to prevent this scenario. Directly deleting the route
without fetching it solves this problem.
Change-Id: Ie8238310569eb7c1c53296195800bef5c9cb92a3
Closes-Bug: #2057698
Now the ``Logical_Switch`` register (that represents an OVN network),
stored the network type in the "external_ids" field.
Related-Bug: #2056558
Change-Id: I9e55a7412d841b7b59602c56c3a4e2f9c954aeed
- test_update_subnet_dhcp_options_in_ovn_ipv6_not_change
- test_enable_subnet_dhcp_options_in_ovn_ipv6
This tests will fail if host where unit tests has ipv6 dns_servers
configured. This patch mocks get_system_dns_servers to avoid tests
to look at the host configuration.
Closes-Bug: #2056778
Change-Id: I2e703ab4b63c90d7a14f0dc41d37b0a98163bce0
Now the "Logical_Router_Port" is updated when a "Logical_Switch_Port"
event is received. When the event is received, it is first checked that
the "Logical_Switch_Port" belongs to a router; if that check is
possitive, the router port update method is called.
Closes-Bug: #2056558
Change-Id: I13b4c804ea6a9f8a89d3796c1cec88ffa1de6ded
The "ha" API flag is now enabled for the OVN routers. Because of the
current implementation, this flag must be always "True". When a new
router is created, this flag is always set. If an OVN router is
explicitly created or updated with "--no-ha" (ha=False), the server
will raise an InvalidInput exception.
Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/911081
Closes-Bug: #2020823
Change-Id: I60ff33680dd5397a226a9051d51bfb0701f862b5
iptables-save uses a system-dependent value, usually that
found in /etc/protocols, when 'ipip' is given as the
security group protocol. The intent is to always use the
string value for IP protocol '4', as iptables-save has no
'-n' flag to print values numerically.
This updates a previous change (793dfb04d) that hard-coded
that string to 'ipencap', which broke CentOS/Fedora, which
uses 'ipv4'.
For this reason we cannot hard-code anything in neutron-lib,
this needs to be added dynamically, so this one-line change
needs to stay here, and effectively closes the bug.
Closes-bug: #2054324
Change-Id: Ic40b539c9ef5cfa4cbbd6575e19e653342e8342b
This patch is implementing the OVN agent metadata extension, by reusing
the OVN metadata class. The class ``MetadataAgent`` is inherited in the
``MetadataExtension`` class. The goal is to use the same code in both
implementations (until the OVN metadata agent is deprecated).
The OVN agent metadata extension has a different initialization
process. The OVN and OVS IDL connections are created during the
extension initialization but are not accessible. The ``start`` method
is used to load the configuration, execute the sync process and
register the metadata extension.
This extension will replace the need of the OVN metadata agent. The
deprecation of this agent will imply the refactor of the existing code
that now is shared between both agents.
This new OVN agent will be tested in the "neutron-tempest-plugin-ovn"
CI job, after the change done in the following patch.
Needed-By: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/909860
Partial-Bug: #2017871
Change-Id: I4381a67648a9b6198a8d936db784964d74dc87a1