Commit Graph

188 Commits

Author SHA1 Message Date
Dmitrii Shcherbakov
a155e9cf11 Use AZLeastRoutersScheduler by default
Neutron uses an AZ-unaware scheduler (LeastRoutersScheduler) by default
in its configuration and the neutron-api charm does not override it.

AZLeastRoutersScheduler inherits from LeastRoutersScheduler and does the
same, plus respects AZ hints when scheduling HA routers.

For --distributed --ha routers using AZLeastRoutersScheduler means that
snat namespaces will be scheduled with respect to the AZ hints specified
during router creation by an operator.

For --ha but not distributed routers using AZLeastRoutersScheduler means
that qrouter namespaces will be scheduled with respect to the AZ hints.

snat namespaces (--ha & --distributed) and qrouter namespaces (--ha
only) are placed by the scheduler to l3 agents that run in the dvr_snat
mode only so the scheduler change will affect both the deployments with
neutron-gateway units and the ones with neutron-openvswitch running with
use-dvr-snat=True.

Change-Id: I98cd67ff0cf5418a9699acc7aff96c3edb9b2341
Closes-Bug: #1886195
2020-11-09 20:17:17 +03:00
Pedro Guimaraes
f401914ee3 Add igmp_snooping_enable config
This option is available on both OVS and OVN to
allow virtual switch to snoop into multicast IGMP
messages and learn which ports should be flooded.

This change adds igmp snooping option on neutron.conf.

Change-Id: I3a0e757e5afe6a77cc507ee01298961c16d41cb2
2020-07-03 16:44:05 +02:00
Zuul
ece024b467 Merge "Disable Apache port 80" 2020-01-31 15:48:35 +00:00
tpsilva
b972488ad2 Disable Apache port 80
Currently, Apache ports.conf file is not being configured by this
charm. This patch changes the ports.conf default file with another one
that does not open port 80 on SSL environments.

Change-Id: I0d935de2eada861b986e2f17ead6a5674afd2969
Closes-bug: #1845665
2020-01-27 17:32:50 +00:00
Stamatis Katsaounis
b36ac4b4ed Remove lbaas in OpenStack Train deployments
This patch removes completely any lbaas related service or
configuration for OS Train deployements.

Change-Id: Ib48adee32d649e5254265924175c3bf2d3437c0b
Closes-Bug: #1853868
Signed-off-by: Stamatis Katsaounis <skatsaounis@admin.grnet.gr>
2019-11-26 13:58:13 +02:00
Frode Nordahl
40b3977d16
Expose ML2 context and config to new style plugins
When a plugin does not override the ``core_plugin`` and
``neutron_plugin_config`` and leaves them to the ML2 default the
charm will now register the ``ml2_conf.ini`` config with both
the default Neutron and subordinate plugin contexts.

Any exposed context variables not provided by the plugin will no
longer be returned as empty values on the context, allowing for
passing of the Neutron API charm deduced and configured context
values.

The ``neutron.conf`` and ``ml2_conf.ini`` templates have been
updated to allow adding of new sections.

Partial-Bug: #1845212
Change-Id: I90ca77ad16c1a0f59deb34c4faa7e7a89f22aea9
2019-09-30 08:17:12 +02:00
Sahid Orentino Ferdjaoui
2ad425b1cd revert "Ensure that only cloud admins are neutron admins"
We can't add constraints to admin role without consider
regressions. It happens that two tempest scenarios are now failling:

 tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_network_basic_ops
 tempest.scenario.test_server_multinode.TestServerMultinode.test_schedule_to_all_nodes

If admin wants to give role (even Admin role) to an user for a tenant,
the right way is to use keystone trust API.

Change-Id: I161ea7d1aec5e5784455b5bce4605b2f9143daa2
Related-Bug: #1830536
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
2019-09-18 13:39:43 +00:00
Corey Bryant
d12413ffad Sync charm-helpers and use "rabbit_use_ssl" for ocata
Ensure "rabbit_use_ssl" is specified in the [oslo_messaging_rabbit]
config section instead of "ssl" for Ocata, since "ssl" was not yet
introduced.

Change-Id: Ib96880659403a0163654ea1fc26f43718ff65232
Closes-Bug: #1838696
2019-08-01 22:53:32 -04:00
Liam Young
e03501dee1 Ensure that only cloud admins are neutron admins
When determining if a user is an admin the default neutron policy
file only checks if a user has the 'admin'  role. It does not check
what that role is applied to.

The problem is illustrated by the following scenario: A cloud
admin creates a new domain, then creates a new project within that
domain. The cloud admin wants to delegate the maintenance of the
new project to userA so she grants them admin on the new project.
UserA is now a cloud admin from Neutrons pov.

To fix this issue a policy override file is added which checks that
the user is admin either against the admin project (as defined by
keystone) or the service project.

Change-Id: If4c5b0c1ab7bf2c75e911e77531d442d417a1231
Closes-Bug: 1830536
2019-07-19 13:00:59 +00:00
Michael Skalka
92a1062830 Add support for Infoblox IPAM configuration via subordinate charm.
This change adds infoblox-api relation which allows neutron-server
to publish events to a remote infoblox server. Additionally this
change enables IPAM for the neutron service, which forces neutron
to authorize any network changes against the target Infoblox
server.

This change adds the proper hooks, context, and templates to add
infobox configuration to /etc/neutron/neutron.conf, passed by the
infoblox subordinate charm.

Closes-Bug: 1776689

Change-Id: Ib11377bd61c2b3fed5104ba0a423073a15cc18a2
2019-06-20 12:03:28 -04:00
James Page
25ec688145 stein: switch to FWaaS v2
FWaaS v1 has been removed as of the latest Stein snapshots. Switch
to configuration of v2 service provider.

This commit also switches >= rocky to use the lbaasv2 entry point
rather than the fully qualified class name for the lbaas service
provider.

Change-Id: Id0fd808a33dff25d48610bcf97d12c512a21fc40
2019-03-20 06:13:51 +00:00
Edward Hope-Morley
c9103a668a Mark min-l3-agents-per-router as deprecated for >= O
Deprecated in N and removed in O to be precise so
removing from neutron.conf templates for >= O and
marking as deprecated from N in config.yaml.

Change-Id: Iff75ab3b4dda91be29d4349b8a9796d943c5fe44
Closes-Bug: #1819902
2019-03-14 19:36:37 +00:00
Corey Bryant
56873b0c3e Update rabbit driver config options
The stein version of python-oslo.messaging (9.0.0+) has removed
the following config options from the [oslo_messaging_rabbit]
section:

rabbit_host, rabbit_port, rabbit_hosts, rabbit_userid,
rabbit_password, rabbit_virtual_host rabbit_max_retries, and
rabbit_durable_queues.

The above change requires a sync from charm-helpers.

Additionally the transport_url directive has been moved to the
[DEFAULT] section.

These have been deprecated since Ocata, therefore this change
will be provided to pre-Stein templates in order to drop
deprecation warnings.

See release notes at:
https://docs.openstack.org/releasenotes/oslo.messaging/index.html

test_300_neutron_config is also removed in this change as amulet
tests no longer need to confirm config file settings.

Change-Id: I3c22b6ca1992b3c20ed83afc430545999096d370
Closes-Bug: #1817672
2019-02-26 12:53:03 +00:00
Dmitrii Shcherbakov
1e6430f9c6 Switch to AZAwareWeightScheduler as of Mitaka
AZAwareWeightScheduler is based on WeightScheduler and provides a way to make
DHCP agent scheduling be AZ-aware. This is used in conjunction with
dhcp-agents-per-network config option and per-network agents (such as dnsmasq)
will be distributed across neutron-dhcp-agents that have availability_zone
configuration (based on dhcp-load-type for placement calculation).

bp: https://blueprints.launchpad.net/neutron/+spec/add-availability-zone

Upgrade impact is mentioned here:
specs.openstack.org/openstack/neutron-specs/specs/mitaka/availability-zone.html

The spec mentions that by default all agents belong to 'nova' AZ so
the scheduler change should be backwards-compatible.

Change-Id: I4d948efa157573fdbc0fbfd3b1efb21b69a713ef
Closes-Bug: #1796068
2019-01-21 15:29:46 +02:00
Niels van Adrichem
5f255bc9f9 Enable support for l3agent- and dhcp-failover
Implements the missing configuration options and context to configure
allow-automatic-l3agent-failover and allow-automatic-dhcp-failover
options in neutron.conf. The options are respectively added to
versions juno and kilo upwards as those are the Neutron versions
since they were first supported.

Change-Id: I7e465b7fef13f61f7b37135a86ac2f590c0c9be6
Closes-Bug: #1799956
2018-12-14 15:49:49 +03:00
Frode Nordahl
d58ec757d5
Add neutron-load-balancer interface
The Neutron built-in LBaaS provider is deprecated as of
OpenStack version Queens and the service is to be replaced
by a separate service such as Octavia.

This interface serves the purpose of notifying a external
load balancer service of when the Neutron API is ready to
accept queries.

In a transition period it is also used by the ``neutron-api``
charm to determine whether it should configure Neutron with
the legacy LBaaS provider enabled or if it should enable
the ``lbaasv2-proxy`` driver to proxy load balancer requests
sent to the Neutron API to the external service.

Change-Id: Id9f7ffb3d363c7606d92af592b9803644046d865
2018-10-29 15:44:16 +01:00
Edward Hope-Morley
31a7dd32d7 Make Queens and Rocky share same conf template
The original patch for this bug fixed the problem for
rocky only but queens also suffers from the same
problem. Since the only diff between the P and R
templates is this change, move it into Q so that
Q and R will both get the fix.

Change-Id: Ib4573aa925cb1b3b9e1fa04e8a3c5bf611223c25
Related-Bug: #1788631
2018-10-26 16:58:08 +01:00
Vladimir Grevtsev
47a2b8fbb4 Enable support for security group logging
Add support to enable logging of security groups for
OpenStack Queens or later; this feature is enabled via
the neutron-api charm, with local configuration options
provided in the neutron-openvswitch charm.

The feature is only compatible with the openvswitch firewall
driver and will not be enabled if this configuration option
is not set in the neutron-openvswitch charm.

This change is removing unnecessary Neutron config
option "neutron_firewall_driver" since FW drivers are
being handled on agents side (not on API server) since
Mitaka release.

Change-Id: Icadb055b2c5c3216b6d086b44a4823595b2baffa
Closes-Bug: #1787397
2018-10-09 12:01:03 +03:00
James Page
49d377bfea py3: Switch to Python 3 for OpenStack Rocky
Switch neutron installation to use Python 3 for OpenStack Rocky.

Purge python- packages on upgrade.

Fix duplicate keystone entry in api-paste.ini for Rocky.

Change-Id: I9ead4d0b637f3067e0aa9a20604b2738221860df
2018-09-21 16:17:57 +02:00
Corey Bryant
109005ad36 Add neutron.conf for Rocky with updated quota_driver
Updates the path to the quota_driver as of Rocky.

Also enable gate-basic-*-rocky amulet tests.

Change-Id: Iaaeac7e1e8aded85e9cdb2f9fec3344c2fae4ed2
Closes-Bug: #1788631
2018-08-27 14:55:59 +00:00
Frode Nordahl
bc8a91dea0
Update api-paste.ini for Rocky
Removal of entrypoint `neutron.api.versions:Versions.factory`
mandates a new version of the `api-paste.ini` file for Rocky.

Reference:
https://github.com/openstack/neutron/blob/master/releasenotes/notes/noneutronversions-fbbdb98f350767d8.yaml

Change-Id: I0405c698190c84b521e52ba02e6fb1c5396be9be
Closes-Bug: #1784405
2018-07-31 07:20:11 +02:00
Liam Young
b53e83c465 Enable proxy header parsing
Ensure that oslo.middleware parses any proxy information
forwarded from haproxy/apache with regards to protocol;
this ensures that https connections are correctly detected.

Includes charm helper sync to bring in oslo middleware
template.

Change-Id: If1f3913967082618e7004d4b552d14fc2fe7b937
Closes-Bug: 1758675
2018-06-28 11:46:25 +09:00
Liam Young
e6fb69786f Fix creds for keystone v3 deploys with designate
The charm was using keystone v2 creds to attempt to authenticate
with keystone despite keystone using v3.

Change-Id: Ib815fa5d77949e6cd6e79cd9fa9a088e5f6ae394
2018-03-05 17:13:30 +00:00
Zuul
892666557c Merge "add segments service_plugin to neutron-api" 2018-02-14 09:02:53 +00:00
Dmitrii Shcherbakov
ff2547c6d5 Revert "drop notifications_designate"
This reverts commit 45792d3c86.

During the discussions in reviews relevant to the bugs below the
decision was to use both notifications_designate and notifications
topics.

Related-Bug: #1710831
Related-Bug: #1738100
Change-Id: I496f54d9917fe8c8279ebb91cc2fed02b74b181c
2018-02-08 17:18:37 +03:00
Frode Nordahl
08e806f098 Add support for configuring individual physical network MTUs
This is needed if a subset of your flat or VLAN provider networks have a MTU
that differ with what is set in global-physnet-mtu.

Change-Id: Ifd348311b5c313fa95d6ed49c32d9b26b0f5e662
Closes-Bug: #1663533
2018-02-01 10:02:27 +01:00
Dmitrii Shcherbakov
f131505576 add segments service_plugin to neutron-api
* adds a service_plugin called segments to enable routed provider
networks
* adds a nova placement api section and inclusion of that section to
neutron.conf
* routed provider networks can be used for setups with and without
charm-neutron-gateway - in both cases there should be a dhcp agent per
segment which can be achieved via charm-neutron-openvswitch
configuration option enable-local-dhcp-and-metadata in case of a setup
without charm-neutron-gateway

Change-Id: I78222b567c72c03ab2d861836172032d4d9a0b3f
Closes-Bug: 1743743
2018-01-20 23:14:26 +03:00
James Page
7eac81a36e Remove deploy from source support
Drop support for deployment from Git repositories, as deprecated
in the 17.02 charm release.  This feature is unmaintained and has
no known users.

Change-Id: I44f00afeee8623713055310b025f1e91af18b86a
2018-01-10 15:41:05 +00:00
Tytus Kurek
95c045d1ce Designate - Neutron integration
This patchset implements new relation ("external-dns") using new
interface ("designate") between designate and neutron-api charms.
The following charm options have been added:

* "reverse-dns-lookup"
* "ipv4-ptr-zone-prefix-size"
* "ipv6-ptr-zone-prefix-size"

The patchset contains changes to various items (config files, hooks,
template files and unit tests).

When neutron-api is related to designate, the notification topic
previously used to send notification events to designate will be
disabled (as the DNS driver method is preferred).

Change-Id: I13b2ab39bd1daac13112398762f2be06022594b0
Closes-Bug: #1704769
2017-12-21 07:58:30 -08:00
James Page
b0469d5927 py3: Fix use of iteritems in templates
Switch to using items for all dictionary iteration.

Change-Id: I465d0b53c3ff2eeb114b4a7f68ff6b124cb6362b
Closes-Bug: 1735797
2017-12-04 10:14:36 +00:00
Dmitrii Shcherbakov
45792d3c86 drop notifications_designate
A separate topic has been used for nova, neutron -> designate. Let's use
a single one instead.

Change-Id: I17d0036f6dcbfd0e87849091e453d2a8b2bc498f
Closes-Bug: #1710831
2017-11-28 17:47:34 +03:00
David Ames
1ee9f46543 Fix Ocata to Pike upgrade
When upgrading from Ocata to Pike the context was not recognizing
Pike until a subsequent hook run. Resetting os release fixes this.

Enable xenia-pike amulet test.

Closes-Bug: #1723981

Change-Id: I67ec257f0a91cf4108de54a2cd93ab0cc3663376
2017-11-14 10:12:01 -08:00
Liam Young
a8e6824e3a Add QoS support
This patch adds the enable-qos option to the charm. If enable-qos is
set then neutron.services.qos.qos_plugin.QoSPlugin is added to
service_plugins in neutron.conf locally. The
neutron-plugin-api-relation has also been updated to send the
enable-qos option to charms connected over that relation (for
example neutron-openvswitch and neutron-gateway).

As part of this some of the logic for setting service_plugins was
removed from the neutron.conf and placed in the NeutronCCContext.

This patch is based on the steps in:
https://docs.openstack.org/mitaka/networking-guide/config-qos.html

Change-Id: I1beba9bebdb7766fd95d47bf13b6f4ad86e762b5
Partial-Bug: #1705358
2017-09-25 16:35:12 +00:00
James Page
4d48338c96 Update notification config >= mitaka
Use oslo_messaging_notifications for mitaka or later releases
including setting the transport_url to the value provided by
the AMQP context.

This removes use of deprecated configuration options for
ceilometer notifications.

This change includes some refactoring to allow the topics to
use for notifications to be configured specifically for this
charm; future changes can use this to enable/disable designate
notifications dynamically.

Also includes redux of services check for amulet tests to drop
all checks apart from those for the neutron-api units.

Change-Id: Ib66371c0c479e0b341055941842e43ac57d4151d
2017-08-08 12:48:34 +01:00
Frode Nordahl
353d4a97eb Add support for setting sriov_supported_pci_vendor_devs
This is required for SR-IOV to work on OpenStack versions
Kilo, Liberty and Mitaka (unless you are the lucky owner of
NICs with the default vendor/product IDs '15b3:1004', '8086:10ca').

The option is deprecated in Newton and the default behaviour
onwards is to not perform the check (unless configured) and not
overrule Nova's scheduling decision. (See LP #1611302)

Re-work mechanism_driver templating. Current implementation
treats mechanism drivers 'hyperv' and 'sriovnicswitch' as
mutually exclusive for simplicity. This prohibits us from
adding functional test for verifying sriov statements in
configuration files.

Due to how neutron init scripts are laid out on various Linux
distributions put the [ml2_sriov] section in ml2_conf.ini instead
of its default ml2_conf_sriov.ini location.

Add a placeholder ml2_conf_sriov.ini with comment to point users
in the right direction.

Change-Id: I37da1c430a06417ff7f1bc9df2d984137688bba0
Closes-Bug: #1630387
2017-08-02 09:45:35 +01:00
Jenkins
6c6224b890 Merge "Updates for pike b1" 2017-05-18 17:22:15 +00:00
James Page
853a280f08 Updates for pike b1
Resync charmhelpers for pike support.

Add amulet tests for pike, but leave disabled for now.

Drop use of vpnaas for pike onwards as no milestones where
released and its not being actively maintained.

Change-Id: Ifce4cf80bee53422612e26114fa2fec684580103
2017-05-12 06:59:26 +02:00
Billy Olsen
9bbd2bad9c Enable internal DNS resolution
Add the dns-domain config and enable-ml2-dns options, allowing the
user to enable DNS integration between Neutron and Nova. This enables
the DNS integration between Nova and Neutron for internal DNS services
when the enable-ml2-dns option is set to True.

Change-Id: Id5f828da003e056a882297ffdbf3df22e856d14a
Implements: blueprint internal-dns
2017-04-30 22:19:29 -07:00
Jenkins
89677aec92 Merge "Update notification_driver for oslo.messaging" 2017-04-27 08:45:28 +00:00
Nobuto Murata
bf7d28daad restore dhcp_agents_per_network
According to the commit 892db0dbd7, it
looks like neutron_plugin=='Calico' guard is no longer needed for
Liberty+.

Change-Id: Ide2027ddcb8351bc46fb99b1352eaca569a3121a
Closes-Bug: 1683987
2017-04-19 14:28:05 +09:00
James Page
65e1ba667a Update notification_driver for oslo.messaging
The 'neutron.openstack.common.notifier.rpc_notifier' notification
driver key was removed from neutron in Ocata; 'messaging' has been
provided directly from oslo.messaging since icehouse, so switch to
using the newer, correct value for configuration of notifications.

Closes-Bug: 1681452

Change-Id: I837a4857f4da2eb2d8c38f13d6b79b6fb4854128
2017-04-10 15:20:45 +01:00
James Page
4a99be6bf6 Use global_physnet_mtu config in newton templates
The Newton neutron.conf template was missing the snippet to
support configuration of the underlying physical network MTU.

Add this snippet based on the Mitaka template, and tweak the
Mitaka template to insert the snippet prior to the zeromq
section config.

Change-Id: If38c2e056df8215d717bd29b46ff2fa0d0c6024d
Closes-Bug: 1673161
2017-03-15 16:50:03 +00:00
Dmitrii Shcherbakov
f3b655acdf add keystone middleware update logic
In order to support changes in the api-paste.ini file for the keystone
middleware of the neutron-api service by subordinates we need a generic
mechanism to pass wsgi middleware data via a relation.

The following approach is used in this change:

- relation data set by subordinates:
{'extra_middleware': [{
        'type': 'middleware_type',
        'name': 'middleware_name',
        'config': {
            'setting_1': 'value_1',
            'setting_2': 'value_2'}}]}
- there may be many subordinates each with their own set of middleware
all of which should be taken into account
- besides a factory method for middleware other settings can be
specified, therefore, a generic config dictionary is used
- neutron-server has to be restarted as api-paste.ini is read upon
startup of the service
- api-paste.ini rendering code is added along with a template code
containing loops over a list of middleware provided in a context to
construct the following entries:

keystone = [name-1 ... name-m] <default_middleware>

[type-1:name-1]
key-1 = value-1
...
key-n = value-n
...
[type-m:name-m]
key-1 = value-1
...
key-k = value-k

- api-paste.ini defaults are copied from their respective upstream
neutron branches

Change-Id: I9449aa2e85b1523f24acdcee11ca1f635dda47c0
2017-03-09 22:49:10 +03:00
Tytus Kurek
491e501b06 Add basic support for "global_physnet_mtu" and "path_mtu" options.
I've added basic support for "global_physnet_mtu" and "path_mtu"
options by allowing to configure them via charm parameters.

Change-Id: Ia95533418ccd4b7d1b96270633193ea34b1edecb
Partial-Bug: 1650579
2016-12-16 17:49:24 +01:00
Liam Young
446de085a0 Add default-tenant-network-type config option
- Add default-tenant-network-type config option to allow the default
  network type for a tenant network to be set

- Fix rendering of overlay-network-type so that an empty string is
  valid

Change-Id: Ib2325d273a0dd5e637f36113b951130387902777
Closes-Bug: 1533651
2016-12-06 08:59:53 +00:00
Neil Jerram
b86b1aa35f Support for etcd on Xenial
Generate etcd config in form suitable for systemd init as well as for
upstart.

Change-Id: I78091d630e95d94e9b6effb077cce1fe63687474
2016-10-05 17:28:25 +01:00
James Page
68c6b5e515 Switch to LBaaS v2 for OpenStack Newton
OpenStack Newton drops support for the deprecated v1 LBaaS model;
switch to using LBaaS v2 including directly referencing all
service_providers in the neutron.conf template (implicit loading
from neutron_*.conf files will be removed in Ocata anyway).

Change-Id: I8d625ddf079ed0f0f22d180334b928f04cbae182
2016-09-06 17:09:20 +01:00
Liam Young
1a4e9592d1 notification topics missed from mitaka config
When the mitaka configs where created notifications_topic was missed
Curretnly designate is missing messages.

Change-Id: Iac1d6b0e5ab17e4d785284c70bc0c8ddc58e2f17
2016-07-25 17:32:16 +00:00
Zhang Hua
c5609c54c6 Support to inject config-flags for neutron-api charm
This patch is just to enable adding custom options to
neutron.conf by the following command:

juju set neutron-api config-flags='key1=val1, ...'

Change-Id: I46bc32c250295a511508ced4cbca8f9748229415
Closes-Bug: #1585508
2016-07-21 16:27:17 +08:00
Jenkins
6ee476166b Merge "Added Hyper-V networking support" 2016-07-08 15:56:57 +00:00