Commit Graph

701 Commits (master)

Author SHA1 Message Date
Zuul de1a3a84b6 Merge "port-hint-ovs-tx-steering: agent side" 2 weeks ago
Zuul beabb51938 Merge "Notify neutron-server ovs is restarted" 3 weeks ago
LIU Yulong 7573fca58c Notify neutron-server ovs is restarted
If openvswitch is restarted, try to notify neutron-server
to refresh tunnel flows for every port.

Closes-Bug: #2004041
Change-Id: Iba0ae947e3595674e63b998826daae2582bb7668
4 weeks ago
Bence Romsics 6b55589ae0 port-hint-ovs-tx-steering: agent side
In ovs-agent extract `other_config` from port `hints` and set/clear
ovs `other_config` accordingly.

Change-Id: I1106bc03061fd62e9baadadbe2bb4aaa8c3a6b1d
Partial-Bug: #1990842
Related-Change (spec):
1 month ago
LIU Yulong 5a17f2b24a Pass physical bridge information to OVS agent extension API
The metadata agent extension needs the patch ports information
between br-int and br-meta to add direct flows.

Partially-Implements: blueprint distributed-metadata-datapath
Change-Id: I58f3813ed9a4c4006ebb62e613ef4dc07a17a23b
2 months ago
Sahid Orentino Ferdjaoui cf96bd8bdf ovs: fix regression when vlan mapping is not already registered
Bug introduced by Ic3c147136549b17aea0fe78e930a41a5b33ab9d8, when a
VLAN mapping is not registered during a call to
update_network_segement, the function should return None.

Closes-Bug: #2009215
Signed-off-by: Sahid Orentino Ferdjaoui <>
Change-Id: I91f8e8bd18d9956216e5715c658dfb408a2cbf07
3 months ago
Zuul c078c6569f Merge "Support for minimum bandwidth rules in tunnelled networks" 5 months ago
Zuul 1374b01cfb Merge "Discard port with ofport -1 in _get_ofport_moves" 5 months ago
Rodolfo Alonso Hernandez 3ebdfe612a Support for minimum bandwidth rules in tunnelled networks
This patch adds support for QoS minimum bandwidth rules in tunnelled
networks. Now the ML2/OVS and ML2/OVN mechanism drivers can represent
in the Placement API the available bandwidth of the tunnelled networks
in each compute host.

Both mechanism drivers represent the compute VTEP (VXLAN) or TEP
(Geneve) interface as an IP address. This new resource provider
(by default called "rp_tunnelled") represents the available bandwidth
of this interface. Any new port created in a compute node that belongs
to a tunnelled network, will request to the Placement API the
corresponding bandwidth from the resource provider inventory.

This patch does not provide backend enforcement support for minimum
bandwidth rules.

RFE spec:

What is missing and will be added in next patches:
* Tempest tests, that will be pushed to the corresponding repository.


Partial-Bug: #1991965
Related-Bug: #1578989
Change-Id: I3bfc2c0f9566bcc6861ca91339e32257ea92c7e9
5 months ago
Zuul 2751d75383 Merge "Fix some pylint indentation warnings" 6 months ago
Brian Haley 86badcfe2d Fix some pylint indentation warnings
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
some remaining ones in miscellaneous directories.

Also cleanup any remaining code that I missed in this
series, or has changed since I started.


Change-Id: I17b4779020a7bfb369c3e721ab6638cd4a6ab50c
6 months ago
LIU Yulong dad23fdcdb Strictly delete arp_spoofing_protection flows
Port arp_spoofing_protection will install flows like this:
table=0, priority=9,in_port=2 actions=goto_table:25
table=25, priority=2,in_port=2,dl_src=fa:16:3e:54:f0:71 actions=goto_table:60

For network ports or port_security_enabled = False, those flows
will be deleted by setup_arp_spoofing_protection in _bind_devices.

But the delete actions are a bit rough because it will delete any
flows with "table=0 in_port=2" and "table=25 in_port=2".

Besides, the ovs_agent extension handle_port will be run before
these actions [5]. So network or no security ports, if any flows
added by agent extension in table=0 with "in_port=2" will be deleted
unexpectedly. Which also means any flows added before this call of
"uninstall_flows(table=0, in_port=2)" will be deleted.

This patch changes the uninstall flows to strict mode. Let it
delete the arp_spoofing_protection related flows only by verifying
the priority.

Closes-Bug: #2000046
Change-Id: Ifdd47b2ce8610e4b4b527fc3279e0bd7a8b21a1d
6 months ago
Arnaud Morin f22aa5dfdd Discard port with ofport -1 in _get_ofport_moves
When libvirt (nova) detaches a port on OVS bridge, two events are sent:
* one event with 2 actions "old" and "new": a change on ofport (from a
  regular value to -1)
* a second event with action "delete"

If, for some reason, the second event is delayed, the rpc_loop iteration
will consider this port as "updated" instead of "deleted".
But, because ofport == -1, the port update will be discarded, and
finally removed from port_info["current"].

As a result, on next iteration, the deletion won't be performed.

Most of the time, we end up with some leftovers (like openflow rules,

The purpose of this patch is very simple, when looping over ports in
_get_ofport_moves, we will discard the ports that have ofport == -1, so
the port will not be considered as updated and next iteration will be
able to delete it correctly.

Closes-Bug: #1992109

Change-Id: Ib4a7183867e1b21810b6915a475a234278bf884c
Signed-off-by: Arnaud Morin <>
6 months ago
Zuul 1434a1e5dd Merge "Refactor for meter ID Generator" 6 months ago
LIU Yulong c3ebefa5f7 Refactor for meter ID Generator
Add a Singleton meter ID Generator for both bandwidth limit
and packet rate limit, because for one bridge the meter ID
is a sharing range.

Closes-Bug: #1964342
Change-Id: Ibb9762d57913ea701dcf2746a0e0db74c6a7ca01
7 months ago
Brian Haley b1714a2b9d Fix some pylint indentation warnings
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
the ones in neutron/plugins.


Change-Id: Id9138652f5f07ef12fa682e182fe210019e8f975
7 months ago
Slawek Kaplonski 8fcf00a36d Disable in-band management for bridges before setting up controllers
Disabling in-band management for bridge will effectively disable it for
all controllers which are or will be set for the bridge. This will
prevent us from having short time between configuring controller and
setting connection_mode of the controller to "out-of-band" when
controller works in the default "in-band" connection mode and adds some
hidden flows to the bridge.

Closes-Bug: #1992953
Change-Id: Ibca81eb59fbfad71f223832228f408fb248c5dfa
8 months ago
elajkat 7c1a894ce5 Nit: network_update in ovs_neutron_agent has a bad LOG
The log entry had %(tag)s but the dict has 'segmentation_id' as key,
so let's change tag to segmentation_id.

Change-Id: Ic6e82a31efe7798c9ec0c5e6bc743db4c280fd1a
Partial-Bug: #1956435
Partial-Bug: #1764738
8 months ago
Felix Huettner 2402145713 Cleanup fanout queues on ovs agent stop (part 2)
As a followup from the previous commit we here now also cleanup the
SubPort and Trunk fanout queues.

Closes-Bug: #1586731
Change-Id: I047603b647dec7787c2471d9edb70fa4ec599a2a
9 months ago
Felix Huettner 9ff46546cb Cleanup fanout queues on ovs agent stop
Previously when a neutron-openvswitch-agent was stopped it left
behind the following fanout queues in rabbitmq:

In this change we ensure that all but the SubPort and Trunk fanout
queues are correctly removed from rabbitmq by cleanly stopping the
RemoteResourceCache when the agent stops.

Partial-Bug: #1586731
Change-Id: I672f9414a1a8ed91e259e9379ca707a70f6b4467
9 months ago
Sahid Orentino Ferdjaoui 7a1e253851 ovs: use a local vlan per network/segmentation
This is using changes introduced before to support for a network more
than one vlan.

Partial-Bug: #1956435
Partial-Bug: #1764738
Signed-off-by: Sahid Orentino Ferdjaoui <>
Change-Id: Ifd61e379c3cef3589803c96a276da9827051f660
9 months ago
Sahid Orentino Ferdjaoui 6ec0bc70a7 ovs: make vlanmanager to handle more vlan mapping per network
This change is updating the vlanmanager data structure to handle for a
given network more than one vlan mapping. This is a prerequisite work
needed to progress on accepting several segments per network per

The work done here is trying to avoid changing logic in the
current implementation. Unit test should not have value updated,
but probably signatures changed.

Partial-Bug: #1956435
Partial-Bug: #1764738
Signed-off-by: Sahid Orentino Ferdjaoui <>
Change-Id: Ic3c147136549b17aea0fe78e930a41a5b33ab9d8
9 months ago
Zuul bc94e29361 Merge "Remove ovs agent's common constants module" 10 months ago
Slawek Kaplonski d82647215c Remove ovs agent's common constants module
It was rehomed to neutron_lib.constants and it's available in
neutron_lib already.

Change-Id: If91a5259b84e1a27b04f51f9ac7f496cec0ecc60
10 months ago
Sahid Orentino Ferdjaoui 672f949d95 ovs: add fdb_entries details to the logs
This is adding fdb entries in log add/dev/upt log messages.

Signed-off-by: Sahid Orentino Ferdjaoui <>
Change-Id: I3e72d6bc871c2cb54fc2f479e67cc222a397394c
10 months ago
Sahid Orentino Ferdjaoui 6037190580 ovs: remove unnecessary condition on undefined variable
Based on current algorithm it seems that vif_port may never be None.

Signed-off-by: Sahid Orentino Ferdjaoui <>
Change-Id: I50f2b65f0bbefe8b7f7598876cd7804d17ccdb02
10 months ago
Sahid Orentino Ferdjaoui 5848c0dd1c ovs: improve log message when ofport is not configured
This switches the warning to error as we may be in a situation of no
connectivity and this should never happen.

Also improves the condition for an ofport invalid.

Signed-off-by: Sahid Orentino Ferdjaoui <>
Change-Id: Ic6bd7bfadcba8deb132d8af3e295ec25a8d64b50
11 months ago
Rajesh Tailor 8ab5ee1d17 Fix remaining typos in comments and tests
Change-Id: I872422cffd1f9a2e59b5e18a86695e5cb6edc2cd
11 months ago
Sahid Orentino Ferdjaoui 1bfbc33ce0 ovs: handle segmentation ids per network ports
This is changing the data structure that maintains the relationship
between ports and networks to also handle the segmentation ids related.

This will be necessary in future to support multiple segments per
networks on a same physical provider network.

Partial-Bug: #1956435
Partial-Bug: #1764738
Signed-off-by: Sahid Orentino Ferdjaoui <>
Change-Id: Iaf40ddc20692a3a51a8d5f5acfc2094b2d5c00c4
11 months ago
Sahid Orentino Ferdjaoui c9abb2cec3 ovs: remove unused function _get_port_local_vlan
Signed-off-by: Sahid Orentino Ferdjaoui <>
Change-Id: I611ed3233ea689fe3a7218f0cca7e9b0a44aa9ce
11 months ago
Takashi Kajinami 17106dc6f5 ml2: Use the base module to register common ml2 agent config
The neutron.plugins.ml2.drivers.agent.config module registers options
commonly used by the ml2 agents but in fact it is used only by linux
bridge agent and macvtap agent.

This change makes all ml2 agents use that base module consistently in
individual config modules.

Change-Id: Ib3ec8a8eaf347721bb06f092a0887e62f3a6bffd
12 months ago
Slawek Kaplonski a22d6d6a95 Use ovs constants from neutron-lib
Ovs constants were moved from neutron to neutron_lib some time ago.
This patch switches to use them from neutron-lib already.

That decision was agreed during the Neutron team meeting. See [1] for



Change-Id: I2fd1954bec6a52856195190441d77ac8b7d97055
12 months ago
Zuul 0e40dfe862 Merge "Support pps limitation for openvswitch agent" 12 months ago
Zuul d76eab3122 Merge "Meter flows and ovsdb action for ovs bridge" 12 months ago
LIU Yulong 5765186516 Support pps limitation for openvswitch agent
Add packet rate limit rule to the openvswitch QoS
driver SUPPORTED_RULES list. This patch adds the
ability to limit neutron port packet I/O rate. We
will leverage the ovs meter to achieve the limitation.

The meter action is only supported when datapath is
in user mode (with ovs >= 2.7) or ovs kernel datapath with
kernel version >= 4.15 (and ovs >= 2.10).


Partially-Implements: bp/packet-rate-limit
Related-Bug: #1938966
Related-Bug: #1912460
Change-Id: Ib6341ad539afc9f94f1783a721cf5f793ccdc7d8
1 year ago
LIU Yulong 0232ead2c3 Meter flows and ovsdb action for ovs bridge
Add meter flows actions and ovsdb actions for pps
limitation. Meter flow actions are:
* list_meter_features
* create_meter
* delete_meter
* update_meter
* apply_meter_to_port
* remove_meter_from_port

Ovsdb actions are:
* get_port_tag_by_name
* get_value_from_other_config
* set_value_to_other_config
* remove_value_from_other_config

Partially-Implements: bp/packet-rate-limit
Related-Bug: #1938966
Related-Bug: #1912460
Change-Id: Idc9a2b1f39964fc3b603310ac7f22c1bc58d27f7
1 year ago
Sahid Orentino Ferdjaoui 601eeca281 ovs: add complete details to the log
Signed-off-by: Sahid Orentino Ferdjaoui <>
Change-Id: I48e6aaf97b57ff6ae0f23842510e2ebd5f534c6c
1 year ago
Rodolfo Alonso Hernandez 141f372c82 [OVS] Do not shadow "l2_agent_extensions_manager" module
"OVSNeutronAgent" input variable "ext_manager" was shadowing the
renamed module "l2_agent_extensions_manager".


Change-Id: Ib54f2d93630d81beab4fe533bbd9e1f51c6ce76e
1 year ago
Zuul bdd6d4daee Merge "Remove useless function _add_port_tag_info" 1 year ago
Zuul 0355ea6f37 Merge "Remove block flow when port UP" 1 year ago
LIU Yulong c4adec924a Remove useless function _add_port_tag_info
This reverts commit: b83fedbd78.

Since port is set to dead by default after the commits of:

And we add the local vlan tag to the port right after it is
bound to avoid trunk port flood issue:

So that _add_port_tag_info function is not necessary anymore,
and we will save a large OVSDB read action which is dumping
the entire table of Port, for hosts with a huge number of
ports this is time-consuming. So removed it.

Related-Bug: #1968896
Related-Bug: #1952567
Change-Id: Iefd765d497c7e2d4bb093052478185125b907025
1 year ago
LIU Yulong 8dfb24a933 Remove block flow when port UP
Port admin state down will add 4095 tag to it while
it is adding a drop flow for this ofport.

When port is back UP again, remove the drop flow.

Closes-bug: #1968896
Change-Id: Ie8f67def69ae0e5d425d0e6fc43e35373a96bd88
1 year ago
Jakub Libosvar 4d3a274765 Don't register config options on imports
Importing some modules leads to registering config options that may
collide with config options from a project that calls the import. This
patch wraps the side effect that registers config options into a
function that needs to be called in case the caller wants to register
the options.

This solution is also not perfect as it guards the common options to be
registered only once even if the function is called multiple times. This
is to solve problems in unittests, ideally we should always call the
function just once even in our testing suites.

Resolves-Bug: #1968606
Change-Id: Ic1532eb8de887ff1b1085206df11f53e22f7f524
Signed-off-by: Jakub Libosvar <>
1 year ago
LIU Yulong c63ebef2d5 Add tag to port more earlier
During some ml2 ovs agent port processing performance test, we noticed
that some ports are missing tag before it really done processing. While
ovs treats those ports without tag as trunk port, so some packets will
be flooded to it. In large scale cloud, if too many port added to the
bridge, the ovs-vswitchd will consume a huge amount of CPU cores if
ports are not bound in a short time.

So, in the port_bound function of ovs-agent, we set the port tag to
it after a local_vlan id is allocated. Because after that, setup
security groups (setup_port_filters) and bind devices in DB
(update_device_list) are really time-consuming.

And also fix a potential bug, port is processed as created first,
but no tag in ovsdb, so openflow security group will not be processed
successfully [1]. It must be done in a update event during next loop,
after port bound and ovsdb set the required value.

This patch can also fix some upstream test failures of waiting too
long time to ping some cases.


Closes-Bug: #1952567
Change-Id: I3533f0d416d32f8d0888ad58f975960d89a985d9
1 year ago
Slawek Kaplonski e7edcec260 Ensure that re_added ports are DOWN before set back to UP
During e.g. rebuild of the server by Nova, ports plugged to such server
are quickly removed and added again into br-int. In such case, ports are
in the "re_added" ports set in the neutron-ovs-agent.
But it seems that in some cases it may happen that such port isn't
switched to be DOWN first and then, when neutron-ovs-agent treats port
as added/updated and reports to the server that port is UP, there is no
notification to nova-compute sent (because port's status was UP and new
status is still UP in the Neutron DB).
As Nova waits for the notification from Neutron in such case server
could end up in the ERROR state.

To avoid such issue, all ports which are treated as "re_added" by the
neutron-ovs-agent are now first switched to be DOWN on the server side.
That way, when those ports are treated as added/updated in the same
rpc_loop iteration, switching their status to UP will for sure trigger
notification to nova.

Closes-Bug: #1963899
Change-Id: I0df376a80140ead7ff1fbf7f5ffef08a999dbe0b
1 year ago
Slawek Kaplonski f7ab90baad Fix ingress bandwidth limit in the openvswitch agent
For ingress bandwidth limiting openvswitch agent is using QoS and queues
from the Open vSwitch. There is always queue 0 used for that purpose.
Initially, when this feature was implemented, we assumed that queue 0 is
kind of the "default" queue to which all traffic will be sent if there
are no other queues. But that's not true thus ingress bandwidth limiting
wasn't working properly with this agent.

This patch fixes that issue by adding in the table=0 of the br-int
additional OF rule to send all traffic to the queue 0.
In this queue for some ports there can be QoS configured
and then it will be applied for the port. If port doesn't have any QoS
configured, nothing will happen and all will work like before this

Biggest problem with that solution was the case when also ports with
minimum bandwidth are on the same node because such ports are using
different queues (queue number is the same as ofport number of the tap
In case when traffic is going from the port with minimum bandwidth QoS
to the port which has ingress bw limit configured, traffic is going only
through br-int and will use queue 0 to apply ingress bw limit properly.
In case when traffic from port with minimum bandwidth set needs to go
out from the host, it will always use physical bridge (minimum bandwidth
is only supported for the provider networks) and proper queue will be
set for such traffic in the physical bridge.
To be able to set proper queue in the physical bridge, this patch adds
additional OF rule to the br-int to set queue_num value in the pkt_mark
field [1] as this seems to be only field which can "survive" passing


Closes-Bug: #1959567
Change-Id: I1e31565475f38c6ad817268699b165759ac05410
1 year ago
Zuul 808a33a03f Merge "Clean duplicated QoS bandwidth related methods in ovs_lib module" 1 year ago
Slawek Kaplonski 0255f41ad0 Clean duplicated QoS bandwidth related methods in ovs_lib module
This patch also some helper methods used in the
minimum bandwidth qos methods as it seems that we had things almost
duplicated in methods like _find/update/delete_{qos,queue} and

It also moves functional tests for the ingress bandwidth limit rules
methods to more appropriate module.

Related-bug: 1959567
Change-Id: I848af01c8fe3a08b26d05e37d225c944ea080f03
1 year ago
Rodolfo Alonso Hernandez 0fe6c0b8ca Use the "connectivity" property of "MechanismDriver"
The base class "MechanismDriver" now has a property called
"connectivity". This patch overrides the default value in the
in-tree drivers.

The method "_check_drivers_connectivity" now uses this property
that is available in all drivers.


Closes-Bug: #1959125
bp boot-vm-with-unaddressed-port
Related-Bug: #1821058

Change-Id: I91734835b07d804365b46adfb26e984557107d80
1 year ago
LIU Yulong 053a9d24ec Add table for pps limitation
Table 59 will be used for pps limitation, the pipeline change is:
all original flows with ``goto table 60`` will be changed to
``goto table 59``, while table 59 has a default rule is goto
table 60. Then we can add pps flows to table 59 for all ports.

Basic limit pipeline is:
Ingress: packets get into br-int table 0, before sent to table 60,
in table 59, check the destination MAC and local_vlan ID, if the
dest is resident in this host, do the meter pps action and send
to table 60.
Egress: match src MAC and in_port, before sent to table 60,
in table 59, do the meter pps action and send to table 60.

Why table 59? Because for ovs-agent flow structure, all packets
will be sent to table 60 to do next actions such as security group.
Between table 0 and table 60, there are tables for ARP poison/spoofing
prevention rules and MAC spoof filtering. We want similar security
checks to take effect first, so it can drop packets before filling
our limit queues (pps limitation based on data forwarding queue).
And we do not want packets go through the long march of security group
flows, in case of performance side effect when there are large amount
of packets try to send, so limit it before goto security group flows.

Partially-Implements: bp/packet-rate-limit
Related-Bug: #1938966
Related-Bug: #1912460
Change-Id: I943f610c3b6bcf05e2e752ca3b57981f523f88a8
1 year ago