Prior to oslo.policy version 3.6.2, the Enforcer() object would load and
update the deprecated rules for a check regardless of it already being
done.
A recent change to oslo.policy updated the Enforcer() to be smarter
about this case and it was released in oslo.policy version 3.6.2:
https://review.opendev.org/c/openstack/oslo.policy/+/773414
This became prevalent in neutron's usage of deprecated rules to update
their policies for secure RBAC personas since the Enforcer() object is
used extensively for APIs, resource, and attribute protection.
This should restore neutron's API performance to what it was prior to
the mass deprecation of default policy rules.
Depends-On: https://review.opendev.org/c/openstack/requirements/+/774290
Closes-Bug: 1913718
Change-Id: Ia0e283f09c80605d6920843450b88cbc061996d5
The patch determines a table that should be used for the agent API
in the runtime, based on the current available schema. It means OVN
database can be updated or downgraded while neutron-server is running
and agents will always report their liveness based on currently available
tables.
Change-Id: I679945b68acf391901c8602fb1828c46cd1eec55
Closes-bug: #1901527
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
Added a new port extension: device profile (``port_device_profile``).
This extension adds the "device_profile" parameter to the "port" API
and specifies the device profile per port. This parameter is a
string.
This parameter is passed to Nova and Nova retrieves the requested
device profile from Cyborg. Reference:
https://docs.openstack.org/api-ref/accelerator/v2/index.html#device-profiles
For backwards compatibility, this parameter will be "None" by
default.
Closes-Bug: #1906602
Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/767586
Change-Id: I1202a8388e64ae4270ef4ca118993504ae7c1731
In https://review.opendev.org/#/c/753824/ ovsdbapp adds the ability
to pass a "frozen" object to the RowEventHandler so that if a
transaction is started from the main thread that changes the row,
it won't step on the values that the Event is trying to process.
This patch switches to using the ovs_idl backend-specific
RowEventHandler which converts the row to a frozen_row.
Change-Id: I87489596e2ff224431f7e83f43a1725172ee0953
Related-Bug: #1896816
As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to do two things:
1. Change the default value of the '[oslo_policy] policy_file'
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.
2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.
Also replace policy.json references with policy.yaml in doc and tests.
[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: I0dbb8484e749e645627756e88ec79c1b26a6414a
Another item noted with the new pip resolver [1], linters dependencies
in test-requirements.txt may cause resolver issues (trying to pull in
enum34), conflicting requirements and cause them to be installed for all
test jobs. Move them to tox.ini as was done for some projects already
(this may be backported/squashed with pip resolver fix in stable
branches depending on how fixing these will go).
[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-December/019362.html
Change-Id: I0111c41bea6a6caf5ffba1f5c34489854d9c9747
Bump astroid test requirement to 2.4.0
Older versions trigger an error on wrapt dependency:
https://github.com/PyCQA/astroid/issues/755
Bump pylint accordingly to new astroid
Fix some new PEP8 warnings appearing with new versions, and filter out
the larget I202 "Additional newline in a group of imports" one for now
Drop psutil from functional requirements, it indicated an old version
and we have it in common requirements now
Bump a series of lower-constraints and requirements to work with new pip
resolver, testing with steps outlined at:
http://lists.openstack.org/pipermail/openstack-discuss/2020-December/019285.html
This includes eventlet 0.22.1, previous versions triggered a hard to
track error on enum34
Cap cryptography in lower-constraints to prevent discovery failure in
relevant job (other jobs have it capped via upper-constraints)
Change-Id: Ie74ea517a403e6e2a7a4e0a245dd20e5281339e8
Closes-Bug: #1907242
To implement proper scope checking, we need some updated libraries that
properly handle tokens and relay that information to the underlying
service. This commit updates the oslo.policy, oslo.context, oslo.log,
and keystonemiddleware requirements to versions that understand all the
various scopes so that we can update the default policies.
Partially-Implements blueprint: secure-bac-roles
Change-Id: I567c11152d27155ab4297cf7e6851965fb9f8516
"packaging.version" should be imported explicitly to avoid the
following error:
    >>> import packaging
    >>> packaging.version
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    AttributeError: module 'packaging' has no attribute 'version'
This patch also includes "packaging" in the requirements file.
Change-Id: Ibd277e2fcc152fcf7c81ef7470e3beb0c668575c
Closes-Bug: #1904854
This reverts commit e92193d246.
With pecan 1.4.0 aodh and ceilometer have issues, so for now better to
revert this change.
Closes-Bug: #1894864
Change-Id: I32b667b9fcc8bd6909d58c8fb60797f961ab9b44
With older versions, lower-constraints job fails on Focal as seen in DNM
patch https://review.opendev.org/#/c/738163/
Change-Id: I05e0f3a3ad0abc02f97a89d63af9f58d5fa00549
Closes-Bug: #1894857
This patch implements in the OVN backend the existing floating
IP QoS extension.
The OVN client, using the existing QoS extension, will retrieve
the QoS rules attached to each floating IP, the router where the
floating IP lives and the router gateway port. The QoS rules
will be applied on the router gateway port.
The OVN NB QoS rules for floating IP addresses have a "match"
field containing a tuple of parameters:
- The direction of the flow:
    'inport == "src"' or
    'outport == "dst"'
- The IP address to match:
    'ip4.src == 1.2.3.4' or
    'ip4.dst == 1.2.3.4'
- The chassis where the port is located:
    'is_chassis_resident("chassis")'
Closes-Bug: #1877408
Related-Bug: #1596611
Depends-On: https://review.opendev.org/#/c/727847/
Change-Id: Ib65d8edcb0a415f6d698c952334d3b4bb0d9fff6
In the spec we said:
"""
When the metadata proxy processes a request, it gathers the L2 addresses
of a VM, and the source interface, and passes it to the metadata service.
The Metadata service, instead of using the VM IP, uses the "VM MAC" and
"Gateway MAC" to identify the instance.
"""
But since we switched from the home-grown metadata-ns-proxy to haproxy
we no longer control some of the headers included, like X-Forwarded-For.
haproxy allows us to turn X-Forwarded-For on or off, but it cannot
give us an X-Forwarded-For-MAC header.
Instead it seems we have to rely on the source address being the IPv6
link local address generated from the NIC's MAC address as specified
in RFC 4291:
https://tools.ietf.org/html/rfc4291#section-2.5.6
https://tools.ietf.org/html/rfc4291#appendix-A
Note that means you cannot use IPv6 Privacy Extensions:
https://tools.ietf.org/html/rfc4941
Change-Id: Ife592fcfc69e26f61ec1f45c06821cb025cc7cf2
Closes-Bug: #1460177
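The RFC 4291 Appendix A mapping that the commit message above relies on, as an added example (not part of the commit or of neutron's code): it derives the link-local address from a MAC, recovers the MAC from a request's source address, and shows why an address with a privacy-style interface identifier cannot be mapped back to a port. The function names, the port table and the sample addresses are constructed for illustration.

```python
import ipaddress

LINK_LOCAL_PREFIX = b"\xfe\x80" + b"\x00" * 6  # fe80::/64


def mac_to_link_local(mac):
    """Link-local address with a Modified EUI-64 interface ID (RFC 4291, App. A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between OUI and NIC part.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + iid)


def link_local_to_mac(source):
    """Recover the MAC from a source address, or None if it is not EUI-64 based."""
    packed = ipaddress.IPv6Address(source.split("%", 1)[0]).packed  # drop zone id
    iid = packed[8:]
    if packed[:8] != LINK_LOCAL_PREFIX or iid[3:5] != b"\xff\xfe":
        # Global address, or a random/privacy interface ID: no MAC to recover.
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)


def identify_instance(source, ports_by_mac):
    """Map a request source to an instance, failing closed on unknown MACs.

    The ff:fe marker alone is only a heuristic (a random interface ID can
    contain it by chance), so the recovered MAC must match a known port.
    """
    mac = link_local_to_mac(source)
    return ports_by_mac.get(mac) if mac else None


# Constructed sample data: one port on the network served by the proxy.
PORTS = {"fa:16:3e:12:34:56": "instance-0001"}

if __name__ == "__main__":
    for src in ("fe80::f816:3eff:fe12:3456%tap0",   # EUI-64 derived
                "fe80::3c9a:71d2:b44:e5a1",          # privacy-style interface ID
                "fe80::f816:3eff:fe99:9999"):        # EUI-64, but unknown MAC
        print(src, "->", identify_instance(src, PORTS))
```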
As seen in focal testing failure [1], lower constraints fail on
some packages (fixing one, another may appear). This bumps a series of
packages after local testing to pass on Focal.
Also sync requirements on these new versions
[1] https://review.opendev.org/#/c/734304/
Change-Id: I3abf86d90ed5cb1c4434746860b53c676eecbfd3
As seen in Ubuntu Focal test patches like [1], lower-constraints fails
on greenlet compilation. 0.4.13 added python 3.7 support with additional
fixes coming in .14 so bumping to this version.
[1] https://review.opendev.org/#/c/734304/
Change-Id: I0739458ac31307d651376a33a835336285d2c7dd
Add support for basic address group CRUD. Subsequent patches will be added to
use address groups in security group rules.
Implements: blueprint address-groups-in-sg-rules
Change-Id: I4555c068ec6229b1d7ac1168d5687549370893b4
There's a fix in pecan 1.4 to handle accept headers that have
extra parameters included.
Closes-Bug: #1829042
Change-Id: Id7d78d77da8dfd1620936e437d862c1d60e8eb25
This new version contains [1]. The aim of this patch is to remove
any eventlet patch in the root daemon, trying to avoid the recurrent
eventlet timeout we detect in the CI jobs (mainly functional and
fullstack ones).
[1]https://review.opendev.org/#/c/740970/
Change-Id: Ide2081e8de032752c3aae940ed7d2a8380dd4b3d
Since [1], it's possible to specify the shared library to be used
when creating a Pyroute2 namespace context.
As commented in [2], "privsep" library makes use of eventlet to
implement multitasking. If the method executed returns the GIL,
nothing guarantees that the "eventlet" executor will return it
again to this task. This could lead to timeouts during the
execution of those methods.
From https://docs.python.org/3.6/library/ctypes.html#ctypes.PyDLL:
"Instances of this class behave like CDLL instances, except that
the Python GIL is not released during the function call, and
after the function execution the Python error flag is checked."
[1]https://github.com/svinota/pyroute2/issues/702
[2]https://review.opendev.org/#/c/717017/
Change-Id: I6c9f9adba8b4433cc96704bb69dd4e0d4b154ebd
Related-Bug: #1870352
When creating the OVS manager, define the command timeout
(CONF.OVS.ovsdb_timeout) and inactivity probe time
(CONF.OVS.of_inactivity_probe)
NOTE: CONF.OVS.of_inactivity_probe is defined in seconds but the
parameter should be passed to ovs-vsctl in milliseconds [1].
[1]http://www.openvswitch.org/support/dist-docs/ovs-vswitchd.conf.db.5.txt
Depends-On: https://review.opendev.org/#/c/720785
Change-Id: I8ed1fc85c2f78710bf6589ba3deca518471339b8
Closes-Bug: #1868686
OVN distributed services like Metadata and DHCP now use
DEVICE_OWNER_DHCP device_owner which isn't distributed by its nature.
To fully use benefits of OVN Distributed ports (localports) [1]
and to not overlap with Neutron logic created for not-distributed
ports we should use new device_owner.
In this change we need also to bump minimum required
neutron-lib to 2.4.0.
[1] https://www.ovn.org/support/dist-docs/ovn-nb.5.txt
Change-Id: I0a69f1bddaa7030c7287216e62ec1ac6dd381475
New versions of isort broke pylint. This patch fixes it at 4.3.21.
Depends-On: https://review.opendev.org/739469
Change-Id: Ic6858b60ae6b7cd031843ea594b8fe1c8a67bb54
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
Version 2.4.0 of neutron-lib has the DHCP port numbers
correct, so start using them.
Also updated other code in linux/dhcp.py to use the
constants as well, instead of re-defining them.
Closes-bug: #1882588
Change-Id: I5dc1d8e7bcc94efd1fab68d980d60e3130d5e5bc
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py36 and later, we can use the
standard lib unittest.mock module instead.
Also enabled the hacking check that should have caught this, it
was missing from tox.ini along with most of the other in-tree
hacking checks we have added over the years.
Change-Id: Id91175d0db8b8edc72f0dd98925ddbf7415bb881
There were a couple of versions of oslo.log that were
not backwards-compatible. Now that a fixed version was
released, bump lower-constraints to require it and
remove the temporary workaround.
Change-Id: If38105ceaa48a0520ae8243982b736d0bc99ec3a
Related-bug: #1871840
Versions of oslo.log >= 4.1.2 require a second argument when
initializing the OSJournalHandler class. While I've started
a review to fix that regression [0], bump oslo.log to a later
version that requires this new flag and pass it to fix the
gate.
Also had to blacklist the OVN tempest IPv6 hotplug test
since it is failing too much to pass the check jobs.
[0] https://review.opendev.org/732457
Change-Id: Ic9bbb43aa832ad6cc45d57328b40afe4468ddfca
Related-bug: #1871840
Related-bug: #1881558
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems
Update Sphinx version as well.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
Set openstackdocs_auto_name to use 'project' as name.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
Remove docs requirements from lower-constraints, they are not needed
during install or test but only for docs building.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: I780eea00c9c47f52dcc7928546fd22dec5d145b4
In hacking 2.0 or later, local-check-factory was removed as it is not
compatible with flake8 3.x and it is advised to use flake8's local
plugins [1]. neutron-lib provided a factory to register common hacking
rules, but it no longer works with hacking 2, so we need to define rules
defined in neutron-lib as flake8 local check plugin [2] explicitly.
This needs to be done in each neutron related project, so it is the
downside of the migration to hacking 2.x (I explored a way to continue
to use the factory but failed to find a good way to achieve this) but
I believe it is good to migrate to the newer libraries.
* flake8ext decorator in neutron/hacking/checks.py is also replaced with
hacking.core.flake8ext to avoid the copy-and-paste code.
* neutron-lib dependency is updated as neutron-lib 2.3 added hacking 3 support.
* Python modules related to coding style checks (listed in blacklist.txt in
openstack/requirements repo) are dropped from lower-constraints.txt
as they are not actually used in tests (other than pep8).
* HackingDocTestCase is now converted into normal test cases.
HackingDocTestCase depends on the internal of hacking and pycodestyle
so it looks better to use normal style of writing tests.
[1] https://docs.openstack.org/releasenotes/hacking/unreleased.html#relnotes-2-0-0
[2] https://flake8.pycqa.org/en/3.7.0/user/configuration.html#using-local-plugins
Change-Id: I92cf50a84bb587a0649a7cffee15cce4ce37d086
Currently, we are overriding 'install_command' to use 'pip'. This is
considered poor behavior and 'python -m pip' should be used instead:
https://snarky.ca/why-you-should-use-python-m-pip/
It turns out that this is the default value provided by tox:
https://tox.readthedocs.io/en/latest/config.html#conf-install_command
So we can remove the line and simply use the default value.
This change showed we needed a newer version of debtcollector in lower
constraints, aligning with the version required by os-vif. This change
showed we needed also a newer version of cffi and keystoneauth1 in lower
constraints. Update also the requirements file for debtcollector and
keystoneauth1.
Change-Id: I5e190c3db8bed0a264b911cdf425aa4c9b51f768
Contains fixes for functional tests needed after the networking-ovn has
moved to Neutron and OVN splitting from the OVS repository upstream.
Depends-On: https://review.opendev.org/#/c/704176/
Change-Id: If3d6a04bf47f7e308530a3e1abb20ebfc184451f
Related-Blueprint: neutron-ovn-merge
In OVN we can configure connection to NBDB and SBDB to be under
SSL. We forgot to add this requirement during move.
There is a TestPortBindingOverSsl functional test case that
is failing because of this missing requirement.
Related-Blueprint: neutron-ovn-merge
Change-Id: I664f721e9b7edbf3358749e3d31e8e1632123b05
Library "unittest2" has not released a new version since
Jun 30 2015 [1]. Neutron should remove the references to
this library and point to "unittest" instead.
[1] https://pypi.org/project/unittest2/#history
Change-Id: I7d55adc262280c0c2f13b9b81ecc582e1729afa0
Closes-Bug: #1859190
Since it's no longer supported past Train, let's stop
running the tests.
Updated docs and made some pep8 code tweaks as well.
Change-Id: I1c171ab906a3b4c66558163ad26947ebf710a276
This patch removes the dependency from ironicclient for the ironic
event notifiers in favor of openstacksdk.
Also, increasing minimum required versions for mock and
openstacksdk.
Change-Id: Ib76e19d29f0ae3db6d181578b638da699181f60d
Bump neutron-lib to 1.29.1 [1] in requirements and lower-constraints.
[1] https://review.opendev.org/680619
Change-Id: I95ed02087e7cd6cc757f9a1578a1e4590458a714
Bump neutron-lib to 1.29.0 [1] in requirements and lower-constraints.
[1] https://review.opendev.org/677314
Change-Id: Ia243c7d64f99ca222ad3b9c583fe4a64b01beb43