As reported in LP#1896734, there is a limit in the size of information
that can be transmitted in one single message between an application
and the privsep daemon. The read socket buffer is limited in size;
a message exceeding this size will generate an exception.
In order to limit the amount of information to be sent, this patch
improves the performance of "get_devices_with_ip". In the previous
implementation, the whole list of network devices from a namespace
was retrieved. In some environments, the list of devices could be
so big that the list returned by "privileged.get_link_devices" can
exceed the read buffer size (as reported in the LP bug when the
OVS agent tries to retrieve the list of IP addresses in the system).
Now the function calls "privileged.get_ip_addresses", that returns
a much smaller list. This patch is also reducing the number of system
calls to just one; the previous implementation was retrieving first
the devices link information list (that method was returning a much
bigger blob) and then, per device, retrieving the IP address
information.
Change-Id: I97ada62484023b9833ed12afd68eb4c8d337fd1f
Related-Bug: #1896734
Implemented a method, in "IPAllocation" OVO class, to retrieve
the allocated router ports.
The new query used dispenses with one of the inner join queries
required in the former query, making it faster.
This method allows filtering by gateway IP address and can return the
whole query list or just the first record found.
Trivial-Fix
Change-Id: I1a5205303ebede533ffa6b3b85d4ec2f4b112426
_ensure_default_security_group() is done in
_ensure_default_security_group_handler [1] on each port BEFORE_CREATE
event. No need to ensure once again right after sending this event.
[1] 084fa99874/neutron/db/securitygroups_db.py (L894)
TrivialFix
Change-Id: I1bfe2a50b52502b5ab3631c016a617f7a9756cc6
This method was intended to check the state of the HA router on the
node and update it in the neutron server.
Patch [1] added a check of the initial status to the
neutron_keepalived_state_change_monitor process.
It could also cause some race conditions, and the event which sets the
correct state of the router will not be processed; thus the router may
end up with two nodes in the "primary" state in Neutron's DB.
Neutron_keepalived_state_change_monitor was notifying the agent about the
router's initial state only if this state was 'primary'.
Now it will always notify the agent, to let the agent set the router's
state as 'backup' if needed (that was previously done by this removed
update_initial_state() method).
[1] https://review.opendev.org/c/openstack/neutron/+/642295
Change-Id: I2cc58c30cf844ee0ecf0611ecdec430086464790
Closes-Bug: #1916022
neutron.tests.unit.common.test_utils.TestThrottler.test_throttler
is failing with "AssertionError: 1 not greater than 1", change the
assert to assertGreaterEqual.
Change-Id: Iba29ab0b1141e731cc811e8bee076dd5726248b5
Closes-Bug: #1916572
When a floating IP is disassociated from an internal port, the QoS
rule in the OVN database should be removed too. This patch adds a
QoS extension call to delete the QoS rules in OVN in this case.
Change-Id: I00794e9c6403bbe528ea398b981e54d41d53b5a5
Closes-Bug: #1916470
Patch [1] introduced a new, read-only field "normalized_cidr" in
the security groups' rules.
With this patch this new field is sent as the source or
destination_ip_prefix field in the rule's dict if
remote_ip_prefix and normalized_cidr are set in the rule.
[1] https://review.opendev.org/c/openstack/neutron/+/749158
Related-Bug: #1869129
Change-Id: Icebe0255ce11eae859c05a273335b027da3f1545
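As an added illustration of the field mapping described above (not Neutron's own code; the rule dict keys and the `normalize_cidr`/`rule_to_firewall_dict` names are assumptions for this example), the normalized prefix is what must reach the firewall driver, because a user-supplied prefix with host bits set (e.g. 10.0.0.5/8) could be read as a single host by one backend and as a whole /8 by another:

```python
import ipaddress

def normalize_cidr(prefix):
    """Clear the host bits: '10.0.0.5/8' -> '10.0.0.0/8'. None stays None."""
    if prefix is None:
        return None
    return str(ipaddress.ip_network(prefix, strict=False))

def has_unnormalized_prefix(rule):
    """True when the stored remote_ip_prefix still carries host bits."""
    prefix = rule.get('remote_ip_prefix')
    return prefix is not None and normalize_cidr(prefix) != prefix

def rule_to_firewall_dict(rule):
    """Build the per-direction prefix field a firewall driver consumes.

    Ingress rules match on the packet's source address, egress rules on
    its destination address. When both remote_ip_prefix and
    normalized_cidr are present, the normalized form wins so that host
    bits never reach the backend (assumed layout, see lead-in).
    """
    out = {'direction': rule['direction'], 'ethertype': rule['ethertype']}
    prefix = rule.get('remote_ip_prefix')
    if prefix is not None and rule.get('normalized_cidr') is not None:
        prefix = rule['normalized_cidr']
    if prefix is not None:
        key = ('source_ip_prefix' if rule['direction'] == 'ingress'
               else 'destination_ip_prefix')
        out[key] = prefix
    return out

# Constructed sample rules (not taken from a real deployment).
SAMPLE_RULES = [
    {'direction': 'ingress', 'ethertype': 'IPv4',
     'remote_ip_prefix': '10.0.0.5/8', 'normalized_cidr': '10.0.0.0/8'},
    {'direction': 'egress', 'ethertype': 'IPv6',
     'remote_ip_prefix': '2001:db8::1/64',
     'normalized_cidr': '2001:db8::/64'},
    {'direction': 'ingress', 'ethertype': 'IPv4'},  # no remote prefix at all
]

def unnormalized_rules(rules):
    """Audit helper: which rules would have been ambiguous before the fix."""
    return [r for r in rules if has_unnormalized_prefix(r)]
```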
This patch tries to make the execution of the CI jobs in the Neutron
queue smarter. There is no need to e.g. run the
linuxbridge scenario job when the only files changed in the patch
are in e.g. the openvswitch agent module, or vice versa.
Change-Id: Ie33514da28991fa5952a1d8c289402ecb9ffee49
Before that patch it was possible to send ICMPv6 packets like e.g.
neutron_lib.constants.ICMPV6_TYPE_MLD_QUERY,
neutron_lib.constants.ICMPV6_TYPE_RS,
neutron_lib.constants.ICMPV6_TYPE_NS,
neutron_lib.constants.ICMPV6_TYPE_NA
and that could cause some security issues, as an instance could advertise
that it owns an IPv6 address which really doesn't belong to it.
Now the rules in table=71 which allow that traffic are "per mac/ipaddress"
and allow it only for fixed IPs allocated to the port and the port's
allowed_address_pairs.
Closes-Bug: #1902917
Change-Id: I4749fdc6a6cabd253b971bf4010ff76f5593c59c
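The policy behind those per-MAC/IP rules, written out as an added example that is not Neutron's or the OVS agent's code: a port may only claim the (MAC, IPv6 address) pairs formed by its fixed_ips and its allowed_address_pairs (where an allowed pair may be a prefix and defaults to the port's own MAC). The port dict below is constructed and the function names are assumptions.

```python
import ipaddress

def allowed_ipv6_pairs(port):
    """Return the (mac, network) pairs a port is allowed to claim in ND."""
    pairs = []
    port_mac = port['mac_address'].lower()
    for fixed in port.get('fixed_ips', []):
        net = ipaddress.ip_network(fixed['ip_address'])  # bare address -> /128
        if net.version == 6:
            pairs.append((port_mac, net))
    for pair in port.get('allowed_address_pairs', []):
        # allowed_address_pairs entries may be a prefix and may carry their
        # own MAC; without one they inherit the port's MAC.
        mac = pair.get('mac_address', port_mac).lower()
        net = ipaddress.ip_network(pair['ip_address'], strict=False)
        if net.version == 6:
            pairs.append((mac, net))
    return pairs

def nd_claim_allowed(port, src_mac, claimed_ip):
    """Would an NS/NA/RS from src_mac claiming claimed_ip be permitted?

    Mirrors the intent of the table=71 rules: both the source MAC and the
    claimed IPv6 address must belong to the same allowed pair, so a VM
    cannot announce an address (or a MAC) it was not assigned.
    """
    ip = ipaddress.ip_address(claimed_ip)
    if ip.version != 6:
        return False
    src_mac = src_mac.lower()
    return any(src_mac == mac and ip in net
               for mac, net in allowed_ipv6_pairs(port))

# Constructed sample port (values are illustrative, not from a real cloud).
SAMPLE_PORT = {
    'mac_address': 'fa:16:3e:00:00:01',
    'fixed_ips': [{'ip_address': '2001:db8::10'},
                  {'ip_address': '192.0.2.10'}],
    'allowed_address_pairs': [
        {'ip_address': '2001:db8:1::/64', 'mac_address': 'fa:16:3e:aa:bb:cc'},
        {'ip_address': '2001:db8::20'},   # inherits the port's MAC
    ],
}
```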
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.
This patch migrates some missing execution methods present in
the code and removes unneeded rootwrap filters.
Story: #2007686
Task: #41558
Change-Id: I1542dc4cf98658fc9a40018192498c7a5cd1c3fe
A minimum bandwidth QoS rule is only applicable to a network which is
backed by physical networks.
It will raise an exception when you want to set a minimum bandwidth QoS
rule or update a rule on a network without ports.
Closes-Bug: #1913180
Change-Id: I6ab945086b13730ad60957760bbc2eb5c321aca2
Ports with device_owner like:
* floating_ip,
* DHCP,
* some types of router ports, like: HA interface,
* distributed ports,
don't need to be configured in the dnsmasq file.
So there is no need to reload dnsmasq every time such a port is
added/updated in the network.
This patch adds a skip in such cases, which should reduce the load on the
Neutron DHCP agent.
Closes-Bug: #1913269
Change-Id: I63221507713b941c261cdf88781133149da8ab8d
When a security group is removed from a port, connections
established to/from the port which were hitting some of the removed SG
rules will be marked with CT_MARK_INVALID in the conntrack table.
Due to that, such existing connections will be stopped.
But then if the SG is added again to the port, those conntrack entries
marked as invalid will not be removed and those hung connections will
not be revived.
To fix that, this patch adds deletion of the conntrack entries marked
with CT_MARK_INVALID and related to the port whose SGs are
updated/added.
Closes-Bug: #1915530
Change-Id: I84718b8ac4d8d6e39426e1c4485c2d7fe28185dd
Patch [1] added the possibility that haproxy spawned as metadata proxy in
the router's namespace can be bound to an IPv6 address.
We missed adding the same for the HA router, so when a router was
switched to be active on the node, the L3 agent started haproxy for that
router but it was always bound to an IPv4 address only.
This patch fixes it by adding a check for whether IPv6 is enabled on the
host, and if so, it adds the same config to haproxy as in non-HA mode.
[1] https://review.opendev.org/c/openstack/neutron/+/715483
Closes-Bug: #1915495
Change-Id: Ie97cfe9fe0020929d9a1736d55ad92a5bd643072
1. When a dvr router is disabled and enabled back, the rfp
interfaces are deleted on the nodes without an snat-* namespace.
This is due to the creation of the snat namespace during router
initialization on all the nodes. At later stages, since
the gw_port_host is not bound on this node, the external gateway
is removed, which triggers removal of the rfp interfaces and snat
namespace.
Create the snat namespace only on the nodes where gw_port_host is
bound.
2. In case of DVR SNAT, when the l3 agent is rescheduled to
another node, the rfp interfaces in the qrouter-* namespace are
removed. Instead of calling external_gateway_removed(), which
further deletes the rfp interfaces, the qg-, sg- interfaces
need to be unplugged and the snat namespace needs to be deleted.
Closes-Bug: #1894843
Change-Id: Ic35c2f9bceacec8eeba67a2b1ea0cd0b0ffc72fe