If the configuration flag "debug_iptables_rules" is enabled, the
IPTables rules applied will be logged.
Similar to [1], when the IPTables firewall is enabled, it checks the
status of the following sysctl knobs:
* net.bridge.bridge-nf-call-arptables
* net.bridge.bridge-nf-call-ip6tables
* net.bridge.bridge-nf-call-iptables
In this case, the firewall is not enabling them but just checking the
status and logging it, to make the debugging process easier.
[1] https://review.opendev.org/#/c/371523/
Change-Id: I2ec953228d1d45e1d4c493c0b261901e6dbec0f7
Related-Bug: #1843259
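
A read-only check of the three knobs named in the commit message above, as an added example (not code from the Neutron change). The function names, the `proc_sys` parameter and the sample tree are assumptions made for illustration; a missing knob is reported separately from a disabled one, since the files only exist while the `br_netfilter` module is loaded.

```python
import logging
import tempfile
from pathlib import Path

LOG = logging.getLogger("bridge_nf_check")

KNOBS = (
    "net.bridge.bridge-nf-call-arptables",
    "net.bridge.bridge-nf-call-ip6tables",
    "net.bridge.bridge-nf-call-iptables",
)

def read_knob(name, proc_sys="/proc/sys"):
    """Return True/False for an enabled/disabled knob, None if it is absent."""
    path = Path(proc_sys, *name.split("."))
    try:
        return path.read_text().strip() == "1"
    except FileNotFoundError:
        return None  # typically: br_netfilter is not loaded

def check_bridge_nf(proc_sys="/proc/sys"):
    """Read (never write) each knob, log its state, return {knob: state}."""
    status = {}
    for knob in KNOBS:
        state = status[knob] = read_knob(knob, proc_sys)
        if state is None:
            LOG.warning("%s is missing; is br_netfilter loaded?", knob)
        elif state:
            LOG.info("%s = 1", knob)
        else:
            # With the knob at 0, bridged frames are not handed to that table,
            # so rules installed there never see the traffic.
            LOG.warning("%s = 0; bridged traffic bypasses this table", knob)
    return status

def build_sample_tree(values):
    """Constructed stand-in for /proc/sys so the example runs anywhere."""
    root = Path(tempfile.mkdtemp())
    for knob, value in values.items():
        path = root.joinpath(*knob.split("."))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"{value}\n")
    return str(root)

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample: arptables on, iptables off, ip6tables knob absent.
    sample = build_sample_tree({KNOBS[0]: 1, KNOBS[2]: 0})
    print(check_bridge_nf(sample))
```
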
Since [1] was introduced, it's very frequent to have
"fixtures._fixtures.timeout.TimeoutException" exceptions during the
execution of UTs and FTs. Because the privsep includes the synchronized
decorator, the synchronization wait is done inside the privsep context.
This is prone to timeouts if the wait is too long.
Until we can reorder the decorators of ip_lib [2] or we can remove the
sync decorators [3], this patch can mitigate the errors in the CI.
[1] https://review.opendev.org/#/c/631275/
[2] https://review.opendev.org/#/c/666853/
[3] https://review.opendev.org/#/c/657608/
Closes-Bug: #1843478
Change-Id: If865c4683645f9bd11f5e1b528bade0547505bfd
We seem to have forgotten to properly document this limitation and this
is popping up in bug reports.
Change-Id: I3c1d79017349be13ebb2f4a924c065e041ccbf5a
Partial-Bug: #1843285
The devstack plugin also adds these statements to the ML2 config, so
amend the documentation here accordingly.
Change-Id: I5db327e91a3d4293b0a27fddc70dc6139fd42eb3
Bump neutron-lib to 1.29.1 [1] in requirements and lower-constraints.
[1] https://review.opendev.org/680619
Change-Id: I95ed02087e7cd6cc757f9a1578a1e4590458a714
Add a log entry when a floating IP is associated/disassociated from a
port, reporting the external IP, the internal IP, the fixed port ID and
the FIP ID.
The log level is set to INFO; this security information will be
registered regardless of the logging level.
Change-Id: I9124399f680e4123c4dc14e8be666f9c4c5385a0
Closes-Bug: #1842327
When setting up the DHCP agent of a network, the DHCP namespace external
port is configured. If this port already exists and the fixed IP
addresses are correctly configured (in the DHCP subnets range), the port
is used as is.
Sometimes, because of 1627480 or 1841636, the port information is not
correctly retrieved. This patch does not solve it but mitigates the
process of resynchronizing the network DHCP. If the stored DHCP port
does not have the correct information, the agent calls the RPC plugin to
retrieve from the server the DHCP port updated information, including
the fixed IP address and the subnets.
Change-Id: Iff40e7bba645ee12c2001d7ce735a36e0ddc81e9
Related-Bug: #1627480
Related-Bug: #1841636
In [1] the concept of "connectivity" was introduced for the ML2 drivers.
This parameter defines the mech driver connectivity type (layer 2, layer
3 only or legacy - not defined).
The spec defined in the blueprint allows spawning a VM with ports
without IP addresses. As commented in the Nova spec [2], those ports can
be bound only to "l2" drivers.
[1] https://review.opendev.org/#/c/645645/
[2] https://review.opendev.org/#/c/641670/
bp boot-vm-with-unaddressed-port
Related-Bug: #1821058
Change-Id: I438cbab43b45b5f7afc820b77fcf5a0e823d0eff
When bulk ports are created with a security group supplied, the
resulting port(s) should only have that security group assigned. But the
resulting ports are getting both the requested security group as well as
the tenant default security group assigned. This fixes that condition.
In order to ensure that bulk port creation results in the proper
assignment of security groups, add some testing.
Change-Id: I65aca7cd14447cc988e4bc4ab62bc7b9279e7522
Fixes-Bug: #1842666
When a network is deleted, precommit handlers are notified prior to the
deletion of the network from the database. One handler exists in the ML2
plugin - _network_delete_precommit_handler. This handler queries the
database for the current state of the network and uses it to create a
NetworkContext which it saves under context._mech_context. When the
postcommit handler _network_delete_after_delete_handler is triggered
later, it passes the saved context._mech_context to mechanism drivers.
A problem can occur with provider networks since the segments service
also registers a precommit handler - _delete_segments_for_network. Both
precommit handlers use the default priority, so the order in which they
are called is random, and determined by dict ordering. If the segment
precommit handler executes first, it will delete the segments associated
with the network. When the ML2 plugin precommit handler runs it then
sees no segments for the network and sets the provider attributes of the
network in the NetworkContext to None.
A mechanism driver that is passed a NetworkContext without provider
attributes in its delete_network_postcommit method will not have the
information to perform the necessary actions. In the case of the
networking-generic-switch mechanism driver where this was observed, this
resulted in the driver ignoring the event, because the network did not
look like a VLAN.
This change uses a priority of zero for ML2 network delete precommit
handler, to ensure they query the network and store the NetworkContext
before the segments service has a chance to delete segments.
A similar change has been made for subnets, both to keep the pattern
consistent and avoid any similar issues.
Change-Id: I6482223ed2a479de4f5ef4cef056c311c0281408
Closes-Bug: #1841967
Depends-On: https://review.opendev.org/680001
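
The ordering problem described in the commit message above, reduced to a toy model as an added example (not Neutron or neutron-lib code). The `Registry` class, the event name, the default priority value and the sample segment are all assumptions; registration order stands in for the dict ordering that decides ties between handlers of equal priority.

```python
from collections import defaultdict

DEFAULT_PRIORITY = 100  # arbitrary value for this sketch; only ordering matters
EVENT = "network.precommit_delete"  # constructed event name

class Registry:
    """Toy callback registry: lower priority value runs first."""
    def __init__(self):
        self._callbacks = defaultdict(list)

    def subscribe(self, callback, event, priority=DEFAULT_PRIORITY):
        self._callbacks[event].append((priority, callback))

    def publish(self, event, **kwargs):
        # sorted() is stable, so equal priorities run in registration order.
        for _, callback in sorted(self._callbacks[event], key=lambda c: c[0]):
            callback(**kwargs)

class Ml2Plugin:
    def __init__(self, db):
        self.db = db
        self.mech_context = None

    def network_delete_precommit(self, network_id):
        # Snapshot the network, provider attributes included, for postcommit.
        segments = self.db["segments"].get(network_id, [])
        provider = segments[0] if segments else None
        self.mech_context = {"id": network_id, "provider": provider}

class SegmentsService:
    def __init__(self, db):
        self.db = db

    def delete_segments_for_network(self, network_id):
        self.db["segments"].pop(network_id, None)

def delete_network(ml2_priority):
    """Run the precommit phase and return the context drivers would receive."""
    # Constructed sample data: one VLAN provider network.
    db = {"segments": {"net-1": [{"network_type": "vlan",
                                  "segmentation_id": 101}]}}
    ml2, segments = Ml2Plugin(db), SegmentsService(db)
    registry = Registry()
    # Unlucky ordering: the segments handler happens to be registered first.
    registry.subscribe(segments.delete_segments_for_network, EVENT)
    registry.subscribe(ml2.network_delete_precommit, EVENT, ml2_priority)
    registry.publish(EVENT, network_id="net-1")
    return ml2.mech_context

if __name__ == "__main__":
    print("default priority:", delete_network(DEFAULT_PRIORITY))
    print("priority zero:   ", delete_network(0))
```
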
This param is set in the functions, but is actually of no use. It
was never set to True. And it reduces the code readability.
So better remove it. From the code search [1], only neutron
and networking-vsphere have such global_refresh_firewall now.
[1] http://codesearch.openstack.org/?q=global_refresh_firewall
Change-Id: I87e1463d2cc1ee855f0cf6631863d89a6bd8ee2e
Operators may want to see how long the port processing
procedure takes, since the DEBUG log is basically not
enabled in the production environment.
Related-Bug: #1813703
Related-Bug: #1813707
Related-Bug: #1813706
Related-Bug: #1813709
Change-Id: I43733546abf5421d0e3f4cd5a959d279e1b89d1e
This foreign key is present in the DB model definition [1]. The OVO
definition should reflect it.
Trivial-Fix
[1]25d0ad6197/neutron/db/models/l3.py (L29-L33)
Change-Id: Ib47d4ade934e1a631bddc19f4a78c237da822994
This is a combined patch to fix a couple of issues which
we recently had in the gate.
1. [Functional tests] Fix SIGHUP handling tests
Tests in neutron.functional.test_server module are testing how
PluginWorker, WSGIWorker and RPCWorker are handling SIGHUP signal.
Recently this was changed in Oslo.service with [1] and our tests
were failing because they were still expecting that after sending
SIGHUP to the process, the stop() and then start() methods will be called.
But as our services use "mutate" as the restart method, since [1] such a
process doesn't execute stop() and start() after SIGHUP. It now executes
only the reset() method.
This patch reflects that change in Neutron functional tests.
2. Veth pair "IFLA_LINK" populated since kernel 4.15.0-60-generic
Since kernel_version=4.15.0-60-generic, "iproute2" provides the veth
pair index, even if the pair interface is in other namespace. In
previous versions, the parameter 'IFLA_LINK' was not present. We need
to handle both cases.
[1] https://review.opendev.org/#/c/641907/
Co-Authored-By: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
Change-Id: I7a3f20a795c89ab1ab037d046a1101cd5c0287d6
Closes-Bug: #1842659
Closes-Bug: #1842482
There are still references to FWaaS v1 in the Neutron documentation.
Remove them as the code was deleted in the Stein cycle.
Closes-bug: #1833122
Change-Id: I8673d94d0f70e046a6fd7b45572773e7e3df73d0
No longer build the OVS kernel modules when installing from
source. This was added when OVS didn't support conntrack,
which hasn't been the case for a while.
This is breaking one of the networking-ovn repos periodic jobs.
Depends-on: https://review.opendev.org/#/c/680066/
Change-Id: Ia9cc8f3ee11802f51317eb0e7c82fadd1c15c4b4
Closes-bug: #1830248
The previously chosen PDF file name conflicts in some repos with the
project logos (badge). Thus change https://review.opendev.org/679777
renames the desired PDF name to be doc-PROJECT.pdf to allow using the
badge in PDF files.
Follow this rename.
Change-Id: Id17cfdce6c38dc30bfaf557be7eee0675fa8f87c
Implements Conntrack Helper service plugin for conntrack
helper resources. Supports create, update and delete
conntrack helper for l3 routers.
A new configuration option,
[l3-conntrack-helpers]/allowed_conntrack_helpers,
is introduced to allow the operator to configure CT
helpers, and the helper protocol constraints.
Related-Bug: #1823633
Depends-On: https://review.opendev.org/663446
Change-Id: I58193955261f50b18b1946261fe662da6b20f0f5