After taking a closer look at bug 1818385, I found a couple
of follow-on things to fix in the security group code.
First, there are very few protocols that accept ports,
especially via iptables. For this reason I think it's
acceptable that the API rejects them as invalid.
Second, UDPlite has some interesting support in iptables. It
does not support using --dport directly, but does using
'-m multiport --dports 123', and also supports port ranges using
'-m multiport --dports 123:124'. Added code for this special
case.
Change-Id: Ifb2e6bb6c7a2e2987ba95040ef5a98ed50aa36d4
Closes-Bug: #1818385
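
An added illustration of the two points in the message above (not part of the commit and not Neutron's code): a sketch that rejects ports for protocols that cannot match them and emits the multiport form for UDPlite. The function name, the exception class and the protocol sets are assumptions made for this example.

```python
# Added example, not Neutron code. The protocol sets are assumptions for
# this sketch: protocols whose iptables match takes --dport directly, and
# UDPlite, which the commit message says needs '-m multiport --dports'.
DPORT_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}
MULTIPORT_ONLY = {"udplite"}


class InvalidRule(ValueError):
    """Raised when a rule names ports its protocol cannot match."""


def _check_port(value):
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise InvalidRule(f"invalid port: {value!r}")
    if not 1 <= value <= 65535:
        raise InvalidRule(f"port out of range: {value}")
    return value


def port_match_args(protocol, port_min=None, port_max=None):
    """Return iptables arguments as a list, never as a shell string."""
    proto = protocol.lower()
    args = ["-p", proto]
    if port_min is None and port_max is None:
        return args  # protocol-only rule, nothing to validate
    if proto not in DPORT_PROTOCOLS | MULTIPORT_ONLY:
        # Reject at validation time instead of emitting a rule that
        # iptables would refuse or that would match more than intended.
        raise InvalidRule(f"protocol {proto!r} does not accept ports")
    low = _check_port(port_min if port_min is not None else port_max)
    high = _check_port(port_max if port_max is not None else port_min)
    if low > high:
        raise InvalidRule(f"port range {low}:{high} is reversed")
    spec = str(low) if low == high else f"{low}:{high}"
    if proto in MULTIPORT_ONLY:
        return args + ["-m", "multiport", "--dports", spec]
    return args + ["-m", proto, "--dport", spec]
```
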
In conjunction with the prior fix to only get a subset of fields
when needed, this makes the querying of non-rules SG objects
very very fast.
Before the two fixes, if you have about ten security groups with 2000 rules each:
list all: 14s
list all, just 'id' field: 14s
list one: 0.6s
list one, just 'id' field: 0.6s
With just the previous partial fix:
list all: 14s
list all, just 'id' field: 6s
list one: 0.6s
list one, just 'id' field: 0.2s
Now with this change:
list all: 14s
list all, just 'id' field: 0.04s
list one: 0.6s
list one, just 'id' field: 0.03s
Closes-Bug: #1810563
Change-Id: I15df276ba7dbcb3763ab20b63b26cddf2d594954
This is the content for subnet onboard to be included
in the networking guide.
Change-Id: I51a0347d9314818a9f8cbb71ae95266a904d01da
Implements: blueprint subnet-onboard
In order to avoid interferences between other tests, the objects
created in TestRevisionPlugin will be created for random
tenant IDs, generated during the execution of each test.
Change-Id: Ica7fe2379c7b1ce516ae7b0cd3959cff88a0b895
Closes-Bug: #1819740
When deleting HA routers, the keepalived state change monitor has to be
deleted. This patch adds rootwrap filters to allow deleting the state
change monitor.
Change-Id: Icfb208d9b51eaa41cf01af81f1ede7420a19cc93
Partial-Bug: #1795870
Partial-Bug: #1789434
This patch migrates also neutron-functional-python27 job to
zuul v3 syntax.
Neutron's functional tests have to be run on host with
deployed minimal devstack but without running any e.g. neutron
services. Because of that new job's template inherits from
devstack-minimal job instead of devstack-tox-functional and
we need to have own run_functional_job and post_functional_job
playbooks.
It also adds ansible roles:
- configure_functional_tests
- setup_logdir
- fetch_journal_log
which are used in new neutron-functional job definition.
Those roles can be also used later e.g. for fullstack job.
Change-Id: I80bc17c8c9f43050ac0c21176fbc4be46c11ce35
Related-bug: #1804844
In fullstack tests it was required to compile ovs kernel module
for specific version from sources because we needed fix [1] for vxlan
tunnels traffic.
Now, as in Ubuntu Bionic there is at least ovs 2.9 available,
this installation from sources shouldn't be necessary anymore.
[1] b1c74f3527
Closes-Bug: #1818632
Change-Id: I83df981a4446e8f52f6f623351d1b80c224a5aff
This patch migrates definition of
neutron-tempest-dvr-ha-multinode-full job to zuul v3 syntax.
Additionally this patch sets l3_ha config option in neutron
to True to make sure that routers created in tests are HA
always.
Change-Id: I3e48c5109dddc2fca6f3b9c289f416ed4a018a41
Related-Bug: #1804844
Reduces E128 warnings by ~260 to just ~900,
no way we're getting rid of all of them at once (or ever).
Files under neutron/tests still have a ton of E128 warnings.
Change-Id: I9137150ccf129bf443e33428267cd4bc9c323b54
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
The fwaas_v2 driver string is specified incorrectly in the fwaas_v2
scenario documentation. Fix it. This was uncovered because it had to
be fixed elsewhere, like puppet-openstack-integration [1].
[1] https://review.openstack.org/635095
Change-Id: Ib68faa4db08f4315c6a2fe137fa8eef199b0255d
Changed migrate_centralized_floating_ip() to return a
status in DvrLocalRouter class. Also changed the parent
method in RouterInfo class to return FLOATINGIP_STATUS_NOCHANGE,
which will cause the agent to not send an updated status for
the floating IP.
Also changed floating_ip_added_dist() to not use an
intermediate variable and just return directly.
Change-Id: I7dc4934308da95cf00a36b4ef1020aac7cef7d99
Closes-bug: #1816874
Sometimes in case of HA routers it may happen that
keepalived will set status of router to MASTER before
neutron-keepalived-state-change daemon will spawn "ip monitor"
to monitor changes of IPs in router's namespace.
In such case neutron-keepalived-state-change process will never
notice that keepalived set router to be MASTER and L3 agent will
not be notified about that so router will not be configured properly.
To avoid such race condition neutron-keepalived-state-change will
now check if VIP address is already configured on ha interface
before it will spawn "ip monitor". If it is already configured
by keepalived, it will notify L3 agent that router is set to
MASTER.
Change-Id: Ie3fe825d65408fc969c478767b411fe0156e9fbc
Closes-Bug: #1818614
In this case, there is no need to raise an exception because the
Queue is not present anymore in the OVS database. A warning message
will be logged.
Change-Id: I836e762bf0703d53f47877b73354948cba70e9c2
Closes-Bug: #1819477
The Placement sync process involves some input from Placement first.
That is the UUID of the compute host RP. This is a remote call just like
the Placement updates we send later and it also may fail in all the
usual ways of remote calls. We need to fail the sync procedure if this
remote call fails.
Previously I had the mistaken belief that if I set the parent_uuid to
None that will be an invalid call rejected by Placement. But no, that's
a valid call and creates a resource provider without a parent. That is
the neutron managed resource providers will be in their own resource
provider tree instead of the compute host's resource provider tree.
In this change we make sure to handle the failure of getting the compute
host RP properly. We must not continue with the updates. And we must set
the agent's resources_synced to False.
Change-Id: Ie6ad33e2170c53a16c39a31a8d7f6496170a90ce
Closes-Bug: #1818683
The test tool function is_bsd() lives in neutron-lib.
This patch removes the function from neutron and uses it from
neutron-lib instead.
NeutronLibImpact
Change-Id: Ib48f7f1c89e215e9e94d62de31776c492f810f54
When ovs L2 agent is removing qos minimum bandwidth rules for port,
it may happen that qos_queues for this port will not be found.
Such case should be handled properly to not raise AttributeError
when trying to call "keys()" method on None object.
Change-Id: Ic76bf41983e021919ab0a6ffcf0fdcfd45c935ee
QoS rule (QosBandwidthLimitRule and QosMinimumBandwidthRule) update now
expects to have direction field in the API request for checking for
duplicates.
This patch changes this by using the rule fetched from the policy and
the update will work on that rule object instead of a newly created
object which for minimum_bandwidth rule has no default direction, which
causes the update to fail.
Change-Id: Ib8f95bf14193a50f22102668bed9208a93d1caba
Closes-Bug: #1815618