1065 Commits

Author SHA1 Message Date
Slawek Kaplonski
4597dfc136 Add RHEL8 platform-python to the L3 rootwrap filters
In L3 rootwrap filters we have a filter to kill the
neutron-keepalived-state-change process.
As this process is run under python, in commit [1] we added
KillFilter rules to allow killing various Python processes.

In RHEL8 there are "system" and "user" python versions provided.
It is called "platform-python" and is placed in the /usr/libexec dir.
Details about it are in [2].

So this patch also adds /usr/libexec/platform-python and
/usr/libexec/platform-python3.6 to the neutron-keepalived-state-change
Kill filters to allow killing this process on RHEL8-based OSes.

[1] https://review.opendev.org/#/c/636710/
[2] https://developers.redhat.com/blog/2018/11/14/python-in-rhel-8/

Change-Id: Iafdaf2c1a6e5c1f5de856ff99e04c72c911c5123
2019-05-17 10:15:45 +02:00
Miguel Lavalle
25c432a05a Add rootwrap filters to kill state change monitor
When deleting HA routers, the keepalived state change monitor has to be
deleted. This patch adds rootwrap filters to allow deleting the state
change monitor.

Change-Id: Icfb208d9b51eaa41cf01af81f1ede7420a19cc93
Partial-Bug: #1795870
Partial-Bug: #1789434
2019-03-13 07:40:15 -07:00
Ben Nemec
1cf30c552d Add oslo.privsep to config-generator list
We recently exposed the privsep opts for config generator use, so
projects that depend on oslo.privsep should include them in their
sample configs.

Change-Id: Ibaef2e2848855cd8ef987ec58457220911ad7c69
2019-03-01 16:54:20 +00:00
Brian Haley
3d70272f42 Rename README.policy.json.txt
README.policy.yaml.txt is a more appropriate name since
policy.json does not exist any more.

Change-Id: I89a425cb1552f8f6bc81d54f376b5e80bf71c1cc
2019-01-07 12:45:15 -05:00
Akihiro Motoki
f8984c6699 Convert policy.json into policy-in-code
This commit introduces a framework for policy-in-code support
in the neutron stadium and converts the existing policy.json
in the neutron repository into the policy-in-code style.

NOTES:
1) This commit tries not to change the existing policy behavior
provided by the neutron repository even if there are some stale policies
or policies to be defined in a neutron-related project.
They should be cleaned up later in the Stein release.

2) 'default' policy should be dropped from the default policies
as all default policies should be defined in the code (as many projects
which already completed policy-in-code do). However, dropping 'default'
policy potentially affects policy behavior in neutron-related projects,
so it needs to be visited carefully. Considering this, this commit decides
to keep the 'default' policy.

Partially Implements: blueprint neutron-policy-in-code
Change-Id: I6a61079da4d4f5080ee32d640144e6bdb14735fa
2018-12-13 20:37:53 +00:00
Goutham Pratapa
31be154657 Add get_availability_zone rule to policy.json
"neutron availability-zone-list" checks for "get_availability_zone" rule
and policy.json doesn't contain it so adding it now.

Change-Id: I7e5e706c44136e0b565f3ee18e15f1166d82040d
2018-11-21 16:33:30 +05:30
Hongbin Lu
4e3fb31919 Introduce floating IP pool resource
Add support for listing floating ip pools (subnets).
A new API resource ``floatingip-pools`` is introduced.
This API endpoint can return a list of floating ip pools
which are essentially mappings between network UUIDs and
subnet CIDRs. Users can use this API to find out the pool
in which to create the floating IPs.

Related patches:
* neutron-lib: https://review.openstack.org/#/c/556674/
* tempest-plugin: https://review.openstack.org/#/c/562038/

APIImpact add floatingip pools api
Change-Id: Iaa995630645042520df67d95271e14f11ffcff8c
Partial-Bug: #1653932
2018-10-04 15:53:53 +00:00
Zuul
e59013b9e8 Merge "Remove _migrate_python_ns_metadata_proxy_if_needed method" 2018-08-21 21:21:50 +00:00
Zuul
bc79f04613 Merge "Add delete rule for auto_allocated_topology" 2018-08-11 23:13:58 +00:00
Zuul
41f36fb9f4 Merge "Add osprofiler to api-paste pipeline" 2018-08-11 12:45:52 +00:00
Slawek Kaplonski
f046031456 Remove _migrate_python_ns_metadata_proxy_if_needed method
It was added as a temporary helper during the migration process
and was marked for deletion in the Queens cycle.
Now we are in Rocky so I think we are fine to remove it
finally.

Change-Id: Iacf592841559d392b59864d507dc89ef028cbf05
2018-08-04 09:53:00 +02:00
Mykola Yakovliev
9caf87bb0c Add delete rule for auto_allocated_topology
This patchset updates policy.json to cover delete action for
auto_allocated_topology introduced in Neutron API [0].

[0] https://developer.openstack.org/api-ref/network/v2/index.html#delete-the-auto-allocated-topology

Closes-bug: #1785349
Change-Id: If7b5c3262370057e6b40d96967d355cd0ee7e2d3
2018-08-04 00:45:51 +00:00
ZhaoBo
35d945e92f Add ext_parent policy check
Add a common parent owner check for the resources which are introduced by
the service plugin.

Then port forwarding resource will share the same tenant_id with
floatingip. That means only the fip owner can create/update/get/delete
the associated port forwarding resource.

Partially-Implements: blueprint port-forwarding
Partial-Bug: #1491317
Change-Id: I450c674e55ca15e1d9a6a6224138f3305427da68
2018-08-01 02:45:42 +08:00
ZhaoBo
21ae99d5b3 [server side] Floating IP port forwarding plugin
This patch implements the plugin.
This patch introduces a new service plugin for port forwarding resources,
named 'pf_plugin', and supports create/update/delete port forwarding
operations towards a free Floating IP.

This patch includes the work below:
* Introduces the portforwarding extension and the base class of the plugin
* Introduces the portforwarding plugin, supporting CRUD on port forwarding
resources
* Adds the policy of portforwarding

The race issue is fixed in:
https://review.openstack.org/#/c/574673/

The fip port forwarding field addition is in:
https://review.openstack.org/#/c/575326/

Partially-Implements: blueprint port-forwarding
Change-Id: Ibc446f8234bff80d5b16c988f900d3940245ba89
Partial-Bug: #1491317
2018-07-26 11:43:34 +08:00
Felipe Monteiro
41fe927c80 Add missing policy actions to policy.json file
This patchset adds missing policy actions to the policy.json
file for several reasons:

1) It signals to operators all the policy actions that are
   enforced in the system. With the governance spec [0]
   urging projects toward policy in code documentation,
   it makes sense to document all policy actions in the
   policy.json as Neutron doesn't have policy in code.

2) It is consistent with Neutron's policy enforcement
   documentation [1]:

   "For each attribute which has been explicitly specified in the
    request create a rule matching policy names in the form
    <operation>_<resource>:<attribute> rule"

    So it makes sense to capture each policy that is enforced,
    including all those with these special attributes.

3) Why include "update_router:external_gateway_info" but not
   "create_router:external_gateway_info"? This is inconsistent.

4) It makes it difficult to validate Neutron's policy via Patrole
   if the policies aren't contained in the policy.json -- how else
   is it possible to determine which policies to expect if they
   aren't documented anywhere?

[0] https://governance.openstack.org/tc/goals/queens/policy-in-code.html
[1] https://docs.openstack.org/neutron/pike/contributor/internals/policy.html#authorization-workflow

Change-Id: I40f84134f0b56cfd574dfd69e5ebbf6a3fc2b3df
2018-07-18 02:17:16 +01:00
Jonathan Rosser
0fe31bc8ae Add osprofiler to api-paste pipeline
The osprofiler filter is included in the standard pipelines for
nova, glance, cinder, heat, magnum [1], but is missing for neutron.

This means when a deployment uses profiling, there is a gap in the
data collected when the neutron API is executing.

[1] https://github.com/openstack/openstack-ansible-os_nova/blob/master/templates/api-paste.ini.j2#L31-L32

Change-Id: I8e45888968cde8ca29548447d0b0bc00ae569fc1
Closes-Bug: #1781619
2018-07-17 20:58:25 +00:00
LIU Yulong
5ddb2a4762 Make L3 IP tc filter rate limit more accurate
Currently the L3 agent qos extension does not set the mtu for
tc filter rules; the default value is 2kb. Tc filter rules using
such an mtu will result in an inaccurate bandwidth.

So in order to improve the precision, we set the mtu to 64kb.
For the test results, you can read the bug description.

For more information you can read the linux tc man page:
[1] https://linux.die.net/man/8/tc-tbf
[2] http://man7.org/linux/man-pages/man8/tc-police.8.html

Closes-Bug: #1777598
Change-Id: I7a167ec6139ccc55988b34f82080a182116d02a3
2018-06-20 02:21:28 +00:00
Brian Haley
3ad91f61f2 Remove deprecated IVS interface driver
This was marked deprecated in Queens for removal in Rocky,
https://review.openstack.org/#/c/505401/

Change-Id: I77fa59ae1819e87ab8ccc1fa5f0db86de3b90e2e
2018-04-26 20:15:46 +00:00
Brian Haley
06dab9d3b3 Re-order items in policy.json
Grouped similar items into create/get/update/delete
order so they are easier to find, as some were even
in separate blocks.

Trivialfix

Change-Id: I283cd31fadf26f00fb18ccffea19a6b59d4277a1
2018-04-17 14:26:01 +00:00
Reedip
8236e83dec Allow port create/update by shared nw owners
Currently if a new port is created by a tenant with whom
the network is shared (tenant is not the owner but has
the network shared via RBAC), the port is allocated on the default
subnet. This patch allows the tenant to create/update a port on
any subnet which is actually a part of a shared network, owned by
another tenant.
Tempest test in [1]

[1]: https://review.openstack.org/521413
Change-Id: I1046f6b13e68b1e274cc8f62f5b30aa5f8d71cdc
Closes-Bug: #1543756
2017-12-12 04:12:54 +00:00
LIU Yulong
f40128b437 [L3][QoS] Adding L3 rate limit TC lib
This is the TC lib utils for L3 IP QoS implementation.
For more detail please see [1]: L3 agent side TC rules.

[1] https://review.openstack.org/#/c/374506/

Partially-Implements blueprint: floating-ip-rate-limit
Related-Bug: #1596611
Change-Id: Icfec83ca6dc31d7283d9c6c6ef0997d5e60daae6
2017-11-15 09:44:05 +00:00
Edan David
04b31bb72a Fix typo "extention" -> "extension"
Change-Id: Ib3d8edfc8319cbb9c15610b1d81b8ff400ce5e71
2017-11-09 07:05:56 -05:00
Edan David
c6d8ccb640 Enable bridge command for openvswitch agent
Allow ovs agent to run bridge command.
This is necessary because FDB extension uses bridge to update the FDB table.

Closes-Bug: #1730407

Change-Id: I0897f1efcf36fc7f6f06e80c3b29c0e1fa14b141
2017-11-08 02:03:44 -05:00
Kevin Benton
de82ded117 Remove dead versions code
The versions endpoint is now handled by Pecan
and there is no way to reach this old endpoint
now that we have dropped the web_framework option.

Change-Id: I5d493623b107f125cb9426310f2e43612c94bb7f
2017-09-19 14:54:33 -07:00
Stefan Nica
f1b43395e7 linuxbridge-agent: add missing sysctl rootwrap entry
Sysctl was missing from the linuxbridge plugin rootwrap
configuration file. This was causing failures in the
linuxbridge agent when networks are created:

Rootwrap error running command: ['sysctl', '-w', 'net.ipv6.conf.eth0/557.disable_ipv6=1']:

NOTE: this bug was hidden by the fact that sysctl was
covered by the iptables-firewall.filters until recently,
when it was removed (see https://review.openstack.org/#/c/436315/).

Change-Id: Id20175df30d4d6039fb42e722d03f39521f6a499
Closes-Bug: #1715194
2017-09-05 18:59:30 +02:00
Jenkins
8538db828a Merge "Remove neutron-fwaas specific policies" 2017-07-26 08:49:43 +00:00
Akihiro Motoki
a52f3af266 Remove neutron-fwaas specific policies
Drops unit tests related to fwaas policies.

Tests related to get_firewall_policy/rule are also unnecessary.
They have been migrated to neutron-fwaas already.

Closes-Bug: #1703347
Depends-On: I6dc6b2295a605444c918e44949f4b1485177e82e
Change-Id: Ie866f140fd4e5537ff0d757304ab5279f0cf0a79
2017-07-16 17:56:25 +00:00
Nguyen Phuong An
913c9e78b9 [log]: implement logging plugin
This patch introduces the logging api definition and initial
implementation of LoggingApiPlugin. The api definition code will
be removed after [1] has been merged on neutron lib.

[1] https://review.openstack.org/#/c/415817/

Co-Authored-By: Yushiro FURUKAWA <y.furukawa_2@jp.fujitsu.com>

Partially-implements: blueprint security-group-logging
Related-Bug: #1468366
Change-Id: Iace31506502de25da9dce5fcfdbfe2c726bea27f
2017-07-12 13:30:50 +07:00
Miguel Angel Ajo
6037e53f07 Remove deprecated support for QoS notification_drivers
In Ocata, notification_drivers were deprecated in favor of
the new QoSDriver architecture.

This patch removes backwards compatible support for notification
drivers along with its testing.

Change-Id: I5f747635be3fd66b70326d9f94c85a6736286bd2
2017-04-17 06:32:01 -07:00
Jenkins
fc5aafaf57 Merge "Adding missing neutron policies to policy.json" 2017-04-17 05:17:21 +00:00
Felipe Monteiro
8fad40bd2f Adding missing neutron policies to policy.json
Currently, Neutron's policy.json does not exhaustively
list all the policy actions within Neutron.

This has some downsides:
  1) It makes it harder to override these policy actions
  2) It is inconsistent
  3) The policy.json should be a "golden copy" of all the
     policy actions enforced by the system.
  4) It makes it harder to RBAC test Neutron
     (because it is very difficult to determine which
      policy actions are valid and which are not).

The current policy actions that are enforced by the system
but not contained in the policy.json are as follows:
  - create_security_group
  - delete_security_group
  - delete_security_group_rule
  - get_security_group_rules
  - get_security_groups
  - get_security_group_rule
  - get_security_group
  - update_security_group
  - update_router
  - update_router:external_gateway_info
  - update_router:external_gateway_info:network_id

Closes-Bug: #1676674
Change-Id: I4625c8f55bfa46b1a2209642e425677a47455219
2017-04-12 16:05:35 +01:00
Carlos Goncalves
89de63de05 Port data plane status extension implementation
Implements the port data plane status extension. Third parties
can report via Neutron API issues in the underlying data plane
affecting connectivity from/to Neutron ports.

Supported statuses:
  - None: no status being reported; default value
  - ACTIVE: all is up and running
  - DOWN: no traffic can flow from/to the Neutron port

Setting attribute available to admin or any user with specific role
(default role: data_plane_integrator).

ML2 extension driver loaded on request via configuration:

  [ml2]
  extension_drivers = data_plane_status

Related-Bug: #1598081
Related-Bug: #1575146

DocImpact: users can get status of the underlying port data plane;
attribute writable by admin users and users granted the
'data-plane-integrator' role.
APIImpact: port now has data_plane_status attr, set on port update

Implements: blueprint port-data-plane-status

Depends-On: I04eef902b3310f799b1ce7ea44ed7cf77c74da04
Change-Id: Ic9e1e3ed9e3d4b88a4292114f4cb4192ac4b3502
2017-04-11 19:56:13 +00:00
Huan Xie
3d58ce44d4 Deal with port commonly when hypervisor is XenServer
When neutron is deployed with XenServer as the hypervisor, the current
implementation will grab the port's iface-id via xapi, but this isn't
the proper way:
the port's iface-id is already set when creating a VM or hot plugging
VIFs in the nova project, so there is no need to grab it via xapi.

Change-Id: Ie07527cc89ac81ff1e3519db66925cee482f77a4
Closes-Bug: #1649747
2017-03-30 22:33:14 -07:00
Jenkins
6dba921f2d Merge "Add PD support in HA router" 2017-03-15 07:25:35 +00:00
Robert Li
bb3c0e8285 Add PD support in HA router
The following enhancements are added:
  -- PD keeps track of status of neutron routers: active or
     standalone (master), or standby (not master),
  -- PD DHCP clients are only spawned in the active router. In the
     standby router, PD keeps track of the assigned prefixes, but
     doesn't spawn DHCP clients.
  -- When switchover occurs, on the router becoming standby, PD
     clients are "killed" so that they don't send prefix withdrawals
     to the DHCP server. On the router becoming active, PD spawns DHCP
     clients with the assigned prefixes configured as hints in the
     DHCP client's configuration

Closes-Bug: #1651465
Change-Id: I17df98128c7a88e72e31251687f30f569df6b860
2017-03-15 04:31:09 +00:00
Jenkins
b29339f28f Merge "iptables: stop 'fixing' kernel sysctl bridge firewalling knobs" 2017-03-15 02:45:53 +00:00
Jenkins
26b8848a9e Merge "Switch ns-metadata-proxy to haproxy" 2017-03-14 17:32:13 +00:00
Daniel Alvarez
3b22541a2a Switch ns-metadata-proxy to haproxy
Due to the high memory footprint of current Python ns-metadata-proxy,
it has to be replaced with a lighter process to avoid OOM conditions in
large environments.

This patch spawns haproxy through a process monitor using a pidfile.
This allows tracking the process and respawning it if necessary as it was
done before. Also, it implements an upgrade path which consists of
detecting any running Python instances of ns-metadata-proxy and
replacing them with haproxy. Therefore, upgrades will take place by
simply restarting neutron-l3-agent and neutron-dhcp-agent.

According to /proc/<pid>/smaps, memory footprint goes down from ~50MB
to ~1.5MB.

Also, haproxy is added to bindep in order to ensure that it's installed.

UpgradeImpact

Depends-On: I36a5531cacc21c0d4bb7f20d4bec6da65d04c262
Depends-On: Ia37368a7ff38ea48c683a7bad76f87697e194b04

Closes-Bug: #1524916
Change-Id: I5a75cc582dca48defafb440207d10e2f7b4f218b
2017-03-08 15:20:50 +00:00
Ihar Hrachyshka
c1dfb53bf1 iptables: stop 'fixing' kernel sysctl bridge firewalling knobs
Those are different on different kernel versions, and have reasonable
default values on all newer kernel versions, including RHEL. We
nevertheless made devstack set those in the past; now I propose to
clean the code from the neutron tree and leave it up to deployment tools to
fix in the unlikely case the system has broken default values.

Now that iptables firewall code does not trigger sysctl, we can also
remove this filter from the corresponding rootwrap .filters file.

DocImpact make sure deployment docs mention the expected sysctl knob
          values.

Change-Id: Iabf61021c90b0536be274463d48fb5a572ecc023
Related-Bug: #1622914
2017-02-27 15:14:14 +00:00
Hirofumi Ichihara
e3063496cf Revert "Linux Bridge: driver support for QoS egress minimum bandwidth"
This reverts commit 84b3ae3ae9111e241352bdccad238c9fd37b83df.

The logic was incorrect[1]. We cannot achieve QoS egress minimum bandwidth of Linuxbridge by the patch. I also think that the issue is not solved by small patch and we must consider deeply.

[1]: https://bugs.launchpad.net/neutron/+bug/1662582

Change-Id: Id4703b5c63876f16e31b6805cd147b5840a4a591
2017-02-09 19:11:00 +00:00
Jenkins
4157c2888e Merge "Linux Bridge: driver support for QoS egress minimum bandwidth" 2017-01-25 10:13:03 +00:00
Jenkins
86d47bad2d Merge "XenAPI: Support daemon mode for rootwrap" 2017-01-21 02:18:20 +00:00
Davanum Srinivas
d6c99d521f Add KillFilter for python 3.5
When we run devstack with USE_PYTHON3, the existing KillFilter
definitions are not enough. Let's add one specific to python 3.5
as well.

Change-Id: I2472e4e39315225d6c9ea1651c8e3b20edc59b49
2017-01-20 15:08:56 +00:00
Jianghua Wang
8047da17db XenAPI: Support daemon mode for rootwrap
For Neutron's compute agent in a XenServer compute node, the commands
actually need to run in Dom0. Currently XenServer only supports rootwrap
for that purpose by invoking a script which invokes XenAPI to execute
commands in dom0. There is much performance overhead because it requires
parsing the script and the configuration file every time a command is
run.

This change is to support daemon mode, with which each agent service will
call XenAPI directly to execute commands in dom0. And it will keep a
single XenAPI session.

DocImpact: Need to update the following configuration.

file: /etc/neutron/plugins/ml2/openvswitch_agent.ini
[agent]
root_helper_daemon = xenapi_root_helper
[xenapi]
connection_url = http://169.254.0.1
connection_username = root
connection_password = xenroot

Closes-Bug: #1585510
Change-Id: I684034359fe0571bc92dbcf342a9821553b1da35
2017-01-19 07:33:43 +00:00
Rodolfo Alonso Hernandez
84b3ae3ae9 Linux Bridge: driver support for QoS egress minimum bandwidth
This patch provides the Linux Bridge agent driver the ability to control
Linux Traffic Control (TC) to set the minimum required transmission rate
for an interface.

The TC library is refactored to use HTB qdiscs. This allows TC to
define, for several flows in the same interface, the maximum and the
minimum network bandwidth and the burst size.

To be able to do traffic shaping (instead of policing) for ingress
traffic, a new element, the Intermediate Functional Block device (IFB)
is introduced.

DocImpact
Partial-Bug: #1560963

Change-Id: I4d4db54519f1435068d1af38819404d1e5d9cd52
2017-01-13 15:44:16 +00:00
Jenkins
296670e3ff Merge "SR-IOV: remove ml2_conf_sriov.ini from oslo-config-generator" 2017-01-04 09:44:21 +00:00
Davanum Srinivas
45ef8997e8 Remove Duplicate line in privsep.filters
Only one line is picked up by configparser, so we should just
have one in the default privsep.filters file. This was found when
a stricter configparser kicked in for a python3.5 test.

Closes-Bug: #1652157
Change-Id: Ib7d9aa0e0b74a936002e0eea0b3af05102b06a62
2016-12-23 10:59:57 -05:00
Jenkins
77de472680 Merge "Adopt privsep and read routing table with pyroute2" 2016-12-22 12:00:03 +00:00
Omer Anson
9183da7c96 Adopt privsep and read routing table with pyroute2
Make use of oslo.privsep to support namespaces. This includes all
relevant code necessary for oslo.privsep to work.

Change ip_lib's get_routing_table method to use pyroute2, rather than
parsing the output of 'ip route'.

Change-Id: I89bfa3dbf1776da973cfca389b2841019a520f75
Partial-Bug: 1492714
Co-Authored-By: Angus Lees <gus@inodes.org>
2016-12-21 17:52:58 +02:00
Moshe Levi
e9efe86856 SR-IOV: remove ml2_conf_sriov.ini from oslo-config-generator
Patch I42dadfd0b62730ca2d34d37cb63f19f6fec75567
removed the supported_pci_vendor_devs option and now
no additional options are required for the sriov ml2 mech
driver. This is a clean-up patch to also remove the
ml2_conf_sriov.ini from the oslo-config-generator.

Closes-Bug: #1641220

Change-Id: Ida6c0930ce65169a9bc59ef80d6b427b2d5d4e09
2016-12-21 08:27:07 +02:00