OVN now uses normalised CIDR when adding a security group rule[1]. It
uses may_exist=True for adding ACL (secgroup rule), in case there are
multiple CIDRs in neutron that normalise to the same.
Do the same in ovn_db_sync, so that the sync doesn't fail hard on such
duplicates.
[1] https://review.opendev.org/c/openstack/neutron/+/736386/
It is manually cherry-picked from the patch
https://review.opendev.org/c/openstack/neutron/+/833562 in Neutron repo.
Change-Id: I9d9c21e460029e4a6a845520bfcc2889ad20429b
Related-Bug: #1869129
Closes-Bug: #1961112
(cherry picked from commit 5a0a2b7847da067817640404f53e0807755e08d7)
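Added example, not networking-ovn's own code: it shows why two distinct Neutron rules collapse into one ACL once the remote prefix is normalised, and why the ACL add (and the sync that replays it) must be idempotent. The ACL match string and the sample rules are constructed and simplified.

```python
import ipaddress


def normalize_cidr(prefix):
    """'10.0.0.5/24' -> '10.0.0.0/24': host bits are cleared (strict=False)."""
    return str(ipaddress.ip_network(prefix, strict=False))


def acl_match(rule):
    """Simplified ingress ACL match keyed by the normalised remote prefix.
    Constructed for illustration; real matches carry more fields."""
    net = ipaddress.ip_network(rule["remote_ip_prefix"], strict=False)
    proto = "ip4" if net.version == 4 else "ip6"
    return "outport == @pg_%s && %s && %s.src == %s" % (
        rule["security_group_id"], proto, proto, net)


def add_acl(acls, match, may_exist):
    """Mimic an OVSDB 'add ACL' that raises on a duplicate unless may_exist."""
    if match in acls:
        if may_exist:
            return False  # already present, nothing to do
        raise RuntimeError("ACL already exists: %s" % match)
    acls.add(match)
    return True


def sync_rules(rules, may_exist):
    """Replay all rules into an empty ACL set; return how many ACLs were created."""
    acls = set()
    created = 0
    for rule in rules:
        if add_acl(acls, acl_match(rule), may_exist):
            created += 1
    return created


# Constructed sample: the first two prefixes normalise to the same network.
SAMPLE_RULES = [
    {"security_group_id": "sg1", "remote_ip_prefix": "10.0.0.5/24"},
    {"security_group_id": "sg1", "remote_ip_prefix": "10.0.0.0/24"},
    {"security_group_id": "sg1", "remote_ip_prefix": "2001:db8::1/64"},
]
```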
The patch filters columns from OVN DB only to those that are used by the
ovn mechanism driver. It means generated ACLs from Neutron DB and ACLs
obtained from the OVN DB will always have the same columns. This is
useful for the db sync script when checking whether a given security group
rule has a corresponding ACL in the OVN DB.
Closes-Bug: #1951296
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
Change-Id: I39e3b987b8546fd970a933b846ed23c8a2588258
(cherry picked from commit 23b99e2f127731c85f63c88c7144aa0a111c4abf)
The db-sync script removes ovnmeta ports because sometimes removing
reserved_dhcp_port in the loop doesn't work.
Closes-Bug: #1932421
Conflicts:
networking_ovn/ovn_db_sync.py
Change-Id: I78673b6a85f1c872e70026da82124d1ba2326562
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
(cherry picked from commit 0aab51c9f8be1d42e5b578493cefd384ee07665b)
This patch is adding support for the router_availability_zone extension
for Neutron.
The OVN driver will now read from the router's availability_zone_hints
field and schedule the router ports onto OVN chassis belonging to those
AZs.
Since the OVN driver does not rely on the L3 agent, this patch does not
re-use the agent's configuration option for configuring the
availability zone that a Chassis belongs to (also because there's no
configuration file on nodes such as networker nodes). Instead, this
patch reuses the "ovn-cms-options" field from the local OVSDB to
configure the Chassis. The following syntax has been used:
$ ovs-vsctl set Open_VSwitch .
external-ids:ovn-cms-options="enable-chassis-as-gw,availability-zones=az0:az1"
In the example above, the Chassis has been configured to belong to two
AZs: "az0" and "az1".
This patch also implements listing the availability zones:
$ openstack availability zone list
As well as validating the router's availability zone hints:
$ openstack router create --availability-zone-hint az0
--availability-zone-hint az1 test_router
The above command would fail if "az0" and "az1" are not configured in
any OVN chassis.
Documentation for this feature is being written and will be submitted
in a separate patch.
(cherry picked from Neutron d669dff1dcf0fbc2dc7ea0d2e0c88f244a1add4b)
Change-Id: I04858cb7a38da083962449779b6063f0c48f3ae7
Partial-Bug: #1881095
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
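Added example, not the driver's own code: it parses the "ovn-cms-options" string described above, lists the availability zones across chassis, and validates router AZ hints the way the commit describes. The chassis names, the gateway-selection helper and the sample data are constructed assumptions.

```python
CMS_AZ_KEY = "availability-zones"
CMS_GW_FLAG = "enable-chassis-as-gw"


def parse_cms_options(cms_options):
    """Parse 'k1,k2=v' into a dict; bare tokens (flags) map to True."""
    opts = {}
    for token in cms_options.split(","):
        token = token.strip()
        if not token:
            continue
        key, sep, value = token.partition("=")
        opts[key] = value if sep else True
    return opts


def chassis_azs(cms_options):
    """Set of AZs a chassis belongs to; zones are ':'-separated (az0:az1)."""
    value = parse_cms_options(cms_options).get(CMS_AZ_KEY)
    if not isinstance(value, str):
        return set()
    return {az for az in value.split(":") if az}


def list_availability_zones(chassis):
    """Union of AZs over all chassis. chassis: iterable of (name, cms_options)."""
    zones = set()
    for _name, cms in chassis:
        zones |= chassis_azs(cms)
    return zones


def validate_az_hints(hints, chassis):
    """Reject hints that name an AZ no chassis is configured for."""
    missing = set(hints) - list_availability_zones(chassis)
    if missing:
        raise ValueError("unknown availability zones: %s" % ", ".join(sorted(missing)))
    return True


def gateway_chassis_for(hints, chassis):
    """Assumed selection rule: gateway-enabled chassis in any hinted AZ
    (all gateway chassis when no hints are given)."""
    return sorted(name for name, cms in chassis
                  if parse_cms_options(cms).get(CMS_GW_FLAG) is True
                  and (not hints or chassis_azs(cms) & set(hints)))


# Constructed sample: three chassis, two of them gateway-capable.
SAMPLE_CHASSIS = [
    ("gw-1", "enable-chassis-as-gw,availability-zones=az0:az1"),
    ("gw-2", "enable-chassis-as-gw,availability-zones=az2"),
    ("compute-1", "availability-zones=az0"),
]
```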
While the segments plugin is not loaded in neutron config, it should
be loaded anyway in the OVN maintenance task, to operate on the first
default segment of each network.
Change-Id: Ideffacc2f478c95eeec881c82d1d5bae46ecdc74
Closes-Bug: 1883193
(cherry picked from commit 56f519f472adf235856853bf12bfeac0d16a8b3f)
If a new segment is created or an old one deleted, we should update its
localnet port in the related Logical_Switch.
Also added missing code to the sync tool in order to delete provnet
ports in case of leftovers.
Cherry-picked from Neutron: https://review.opendev.org/#/c/715157/
Conflicts:
networking_ovn/cmd/neutron_ovn_db_sync_util.py
networking_ovn/common/maintenance.py
networking_ovn/common/ovn_client.py
networking_ovn/tests/functional/test_mech_driver.py
networking_ovn/tests/unit/ml2/test_mech_driver.py
Change-Id: I6b864ba1c168643640a64bd7c25e1d0fc0ea348a
Related-Bug: 1865889
(cherry picked from commit 483f468fdd5bb549f763d0507e0a7ac1106eb85a)
Port_Groups table has been introduced in OVN 2.10 and we've moved in
master to a newer version since. This patch removes all references to code
branching between port_groups and address_sets, and also removes
unneeded Address_Set commands and references.
Merge Conflicts Resolved:
networking_ovn/common/acl.py
networking_ovn/common/ovn_client.py
networking_ovn/ovn_db_sync.py
networking_ovn/tests/functional/test_ovn_db_resources.py
networking_ovn/tests/functional/test_ovn_db_sync.py
networking_ovn/tests/unit/common/test_acl.py
networking_ovn/tests/unit/ml2/test_mech_driver.py
networking_ovn/tests/unit/test_ovn_db_sync.py
Change-Id: Ica73aa09e1e5f88e699d5dda166296fb16cba83e
(cherry picked from commit 9cbbd8de53db18a5388d109174a464dcd96ab78b)
It looks like sometimes, the device_id for ports created
by Neutron DHCP Agent can be in the form of:
- dhcp-$hostuuid-$networkid
- 'reserved_dhcp_port' (DEVICE_ID_RESERVED_DHCP_PORT)
Current code is only taking the first form into account when
skipping Neutron DHCP Agent ports. This patch is changing it
to include both forms.
Closes-Bug: #1848521
Co-Authored-By: Lucas Alvares Gomes <lucasagomes@gmail.com>
Change-Id: Ifbfc551ac68dcc5d3d39a155f7642f2f2d9272c4
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
(cherry picked from commit 15bf8f265b14c3a1e2c89a17a77cee69cad22b9d)
Removed E125 (continuation line does not distinguish itself
from next logical line) from the ignore list and fixed all
the indentation issues. Recently done in neutron tree.
Change-Id: I135f6422700791c45c0d6758873689b37aaec401
This is to:
1. Remove the unnecessary slash when the line doesn't exceed the length
of 79, to make the code more readable.
2. Replace backslashes with Python's implied line continuation according
to https://www.python.org/dev/peps/pep-0008/#maximum-line-length
Change-Id: I989507020d5bb7f216d374575cebe005d27225da
Prior to this patch, only IPv4 subnets were accounted for when installing
static routes on Logical Routers when setting an external gateway.
This is a problem if the public network has an IPv6 subnet, as
instances won't get a default route.
Change-Id: I1cb4cd3dd2bf3be1e0beb4f2cc89a89fcf803f70
Closes-Bug: #1808753
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
Before this patch, both the sync tool and the production code
would assume that 'network:dhcp' owner ports would be for
the OVN metadata service. However, since Neutron DHCP agents
can be deployed as well on OVN environments, we need to support
these ports as well.
This change is doing several things:
- Fixing sync tool so that Neutron DHCP ports are not deleted
anymore (these ports are owned by DHCP and have a device_id
as 'dhcp<host_uuid>-<network_id>'). Syncing these ports in
OVN will no longer result in creating 'localport' ports but
normal ports to allow non-local DHCP traffic.
- Fixing networking-ovn code to skip such ports when looking
for the metadata port on a specific network.
- Newly created metadata ports will have a device_id such as
'ovnmeta-<network_id>'.
Change-Id: I30181e1752f456f30f94818c5350f447c387cbb2
Related-Bug: #1804390
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
If port groups are supported, the sync script will still create
address sets and ACLs based on the old implementation.
This patch takes into account whether Port Groups are supported
and creates the right resources accordingly.
Closes-Bug: #1798028
Change-Id: I529d82b28be9bb93649f19034027c41ee1aff08b
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
The migration to port groups task is now moved to the maintenance
worker. This worker holds a distributed lock within OVSDB so we'll
make sure that the migration will be performed just once.
During an update/upgrade, it may happen that a newer version of
neutron-server can't migrate to Port Groups as the lock is held
by another (old) instance. When all servers have been updated, the
maintenance task will perform the migration just once on the cloud,
making sure that normal operation will happen.
We can remove this task in later cycles as this is just a migration
path from Address Sets to Port Groups for implementing Neutron
Security Groups.
TODO: functional test to validate the migration path to PGs.
Change-Id: I227ec967f450b26b12f19d687e94029e6ef1e558
Closes-Bug: #1789921
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
This patch is dropping the code that creates and handles the
subnet Port Groups. Those were used to place the ACLs that
allowed DHCP traffic to reach the responder in the OVN
pipeline but as explained in the bug description, it's
not needed anymore.
Change-Id: I30bee5c5576554b162e66e1b5dfbe734522ab363
Closes-Bug: #1790900
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
A new feature has been introduced in core OVN which allows defining
a group of ports and assigning ACLs to those. This patch is making use
of the new feature if supported by the underlying OVS version.
As a result we'll be modelling Neutron Security Groups as OVN Port
Groups and we won't be adding one ACL per Security Group Rule per
port. Instead, just add one single ACL per Security Group. This will
also tackle the race conditions that we had for Address Sets as those
will just be used for Remote Security Groups and will be automatically
generated/deleted by core OVN in SB database upon Port Group creation/
deletion.
The major benefit of this patch is that we'll reduce the number of
ACLs dramatically, resulting in a performance leap as discussed at:
https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046166.html
This patch will address the migration of old Security Groups being
modelled as Address Sets if the OVN schema supports the feature. This
migration will be performed from the OvnWorker which is holding a lock
on the IDL. This ensures that the migration happens from only one worker
in the cloud and after it's done, all the neutron-server instances are
ready to use Port Groups.
Co-Authored-By: Lucas Alvares Gomes <lucasagomes@gmail.com>
Change-Id: I35d5ec40c666e92b92b9d664e9615c6fecde595a
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
This patch consolidates the database transactions for creating/deleting
router ports on/from the OVN NB database. Having a single transaction is
ideal to avoid inconsistencies that can be caused between two or more
transactions.
Closes-Bug: #1756388
Change-Id: I0a0a5f6571ea695b91db89170be1fab258acd917
The commit 185b13f228ac6861f567270cb9fc0bc08260ec09 from core OVN
introduced two new tables called Meter and Meter_Band to the north and
south OVN databases and a new column called "meter" in the ACL table.
This new reference is not accounted for in our tests (when comparing
the ACLs), which is breaking our functional tests. This patch fixes that.
Change-Id: I2f70a87b7e8422515c592600fa1fbd9fa45ceaa5
This patch is updating networking-ovn to check for correctness when
creating, updating or deleting floating ips.
Partial-Bug: #1605089
Change-Id: I377007c955809b8d56af93e24f0914e446f56bb2
Right now when a router port is updated, the corresponding
Logical Router Port is not updated. This patch checks if the
port to be updated is a LRP and updates it accordingly.
Also, I'm removing the router_id parameter in router_port_update
method since it was no longer used.
Closes-Bug: #1744087
Change-Id: I939f4c40a5e9e58c3a216353f03179578b81f64c
This patch is refactoring the routers resource to adhere to the
database sync specification.
The update_router() method from OVNClient has been modified to not
depend on the "original_router" parameter anymore. A layer to make it
backward compatible with existing routers and OVS version < 2.8.2 was
added as well.
Partial-Bug: #1605089
Change-Id: I1744c91004fc36e0b97ebc51230f876eaaa3bd7f
get_external_router_and_gateway_ip is moved to ovn_client.
Change-Id: I6d9190129b6a7297192d22728f716f9b959510e1
Signed-off-by: Guoshuai Li <ligs@dtdream.com>
OVN supports Router Solicitation responder, i.e. it will reply to the
Router Solicitation packets. In order to use this feature, we need
to configure the Logical_Router_Port.ipv6_ra_configs column with the
appropriate values. This patch does that. When a router is added with
an interface port, these values are added.
Support to send periodic Router Advertisement in OVN is under review.
This patch also configures to use this feature by setting
Logical_Router_Port.ipv6_ra_configs:send_periodic='true'. There is no harm
in setting this in this patch.
Change-Id: I5d4d16e517d71830ea16245529dd2ba5433e0fd3
This patch is bringing logic for handling floating ips out of the L3
driver and into OVNClient.
The code now uses the ``external_ids`` column in the NAT table from
OVNDB to bind the FIP from Neutron DB with it (before we used a
combination of external + logical ips to identify those entries).
The values added in the ``external_ids`` are:
* neutron:fip_id: The ID of the FIP in neutron
* neutron:fip_port_id: This is used in the update_floatingips() method
to compare and see whether the port_id of the FIP has changed in the
update or not.
* neutron:router_name: The name of the router which the FIP is associated
with.
The ovn_db_sync.py script was updated to make use of the updated methods
in OVNClient to create and delete floating IPs, that way we avoid the
code duplication that existed between this script and the L3 driver.
Partial-Bug: #1605089
Change-Id: I21e9728c93392de4c579ea00c34059ad6812f682
This patch does two things:
1. Delete the security group at the AFTER_DELETE notification level
Prior to this patch we were using the BEFORE_DELETE notification level
which can be problematic because if the deletion fails in Neutron we
would have deleted it from OVN already.
2. Remove security groups updates
The only thing that the security group updates did was to update the
external_ids of the Address_Set with its current name.
That name wasn't used for anything in networking-ovn other than knowing
whether the security group was created by networking-ovn or not.
So, instead of having the name saved in the external_ids this patch
changes it to the security group ID which is the canonical identifier of
the resource and won't change.
Partial-Bug: #1605089
Change-Id: I5a8b64639d38e11050dae1008b14d48de14ecf94
OVN supports native DNS. This patch makes use of this feature for
internal DNS resolution. With this, VMs within the same network can use
the 'dns_name' associated with the other ports. When the VMs send the
DNS request, it is resolved by ovn-controller if the dns is configured
in the 'DNS' table in the OVN Northbound db.
For each network, a DNS row is created and the 'records' column contains
the dns names and the ip addresses to resolve. The dns record is added
only if the 'dns_name', 'dns_assignment' and 'device_id' of the port are
set.
In order to use this feature, "dns" extension driver should be loaded
and 'dns_domain' in neutron.conf should be defined other than 'openstack.local'.
Change-Id: I59bdc0bc2665118fe8025a12a1c1961e04444abc
Closes-bug: #1688172
Args physnet and segid are legacy args and they do not bring any
optimization benefits right now.
This patch gets them directly from network and removes unnecessary
_get_attribute method.
Change-Id: I762e0a297a7e3a9ca32c64c63f226859e8c1ed0c
Signed-off-by: Dong Jun <dongj@dtdream.com>
Creating/Updating LSP for floating IP is unnecessary in OVN.
It introduced a race condition bug.
Change-Id: I380686d21314095c39d7d1a2a4eea3e21dbe7c9d
Closes-bug: #1734819
Signed-off-by: Dong Jun <dongj@dtdream.com>
Currently, all arguments of metadata_port_ip are obtained by
_find_metadata_port_ip and then passed, which is unnecessary.
We can remove this parameter from all functions and only leave it in
_get_ovn_dhcpv4_opts.
Change-Id: Ibb87a0b5e3cc414a4a7b1bc67a9de4d9dd14d033
Signed-off-by: Dong Jun <dongj@dtdream.com>
Users can enable distributed floating IPs by configuring the
option enable_distributed_floating_ip.
This requires the user to configure the physical network map
to connect the floating IP's network on each compute node.
The NAT action for a floating IP will be done locally, not at the
gateway. This saves the path to the external network.
Change-Id: I4e8d6811b5a544e68b184fe457391b35e4516d01
Co-authored-by: Dong Jun <dongj@dtdream.com>
And this change fixes a RuntimeError in the functional test.
Closes-bug: 1723118
Change-Id: Icc59f286d19557792010c25f414ebe7450ef2f25
Signed-off-by: Dong Jun <dongj@dtdream.com>
This patch is moving some of the logic from the {create,
update}_router() methods of the L3 driver into the OVNClient. In
summary, two things are being done in this patch:
* Remove the "networks" parameter from the {create, update}_router()
methods in OVNClient. Now the list of networks is fetched within these
methods.
* Remove the "delta" parameter from the update_router() method in
OVNClient. We are already passing the new and old versions of the
router to that method, so we know the differences and don't need to have
an extra parameter for it.
This patch is related to the work that is being done at bug #1605089,
which uses the OVNClient to recover the resources that are out of sync,
and having OVNClient handle the bulky work does simplify the
synchronization work.
Related-Bug: #1605089
Change-Id: I8f0afb841e042f75e5062cca81717a3ecad17015
When running the neutron-ovn-db-sync-util tool and a Metadata port
is missing in Neutron, the corresponding LSP is not created in OVN.
This is due to the fact that the OVN mechanism driver is overridden in the
cmd tool.
This patch fixes it by overriding the create_port_postcommit so that
it also gets created in OVN.
Closes-bug: 1724591
Change-Id: Iacb5f6eb3cecce883afae104764221d92f8ece04
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
When migrating from ML2/OVS or OVN without metadata to an OVN
environment with metadata support, the existing networks must have
a metadata port in it with an IP address on each of its subnets.
This patch ensures that all networks have such port. Also, in case
that a network had more than one DHCP port, it will delete all but
one, which will be used for metadata (and eventually for DHCP) in
OVN.
Change-Id: I4c9fa6c08a489877c85d7bb725009ab5cd5f8120
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
ovsdbapp 0.6.0 adds the ability to stop/restart connections. This
patch uses that ability to remove the Mock hack to suppress SSL
errors. In addition it removes around 3500 connection failure
errors when running the functional tests.
Change-Id: I46681c7649d604d9a3fc5ad2c4c91167fe4873ee