21711 Commits

Author SHA1 Message Date
Brian Haley
4350ed3c35 Better handle ports in security groups
After taking a closer look at bug 1818385, I found a couple
of follow-on things to fix in the security group code.

First, there are very few protocols that accept ports,
especially via iptables.  For this reason I think it's
acceptable that the API rejects them as invalid.

Second, UDPlite has some interesting support in iptables.  It
does not support using --dport directly, but does using
'-m multiport --dports 123', and also supports port ranges using
'-m multiport --dports 123:124'.  Added code for this special
case.

Change-Id: Ifb2e6bb6c7a2e2987ba95040ef5a98ed50aa36d4
Closes-Bug: #1818385
2019-03-15 13:54:33 -04:00
Zuul
1ef77b1796 Merge "Use dynamic lazy mode for fetching security group rules" 2019-03-15 12:05:58 +00:00
Zuul
51fbd1e549 Merge "Fail placement sync if _get_rp_by_name() fails" 2019-03-15 11:52:06 +00:00
Zuul
c21d922abd Merge "Fix pep8 E128 warnings in non-test code" 2019-03-15 11:37:27 +00:00
Brian Haley
8e4f625da6 Fix pylint R1717 (consider-using-dict-comprehension) refactor messages
Don't create an intermediate list before creating a dict.

Change-Id: Idb93835f2312625d649231c1baa2a3c566096825
2019-03-14 23:19:58 +00:00
Doug Wiegley
1e9086f6e2 Use dynamic lazy mode for fetching security group rules
In conjunction with the prior fix to only get a subset of fields
when needed, this makes the querying of non-rules SG objects
very very fast.

Before the two fixes, if you have about ten security groups with 2000 rules each:

list all: 14s
list all, just 'id' field: 14s
list one: 0.6s
list one, just 'id' field: 0.6s

With just the previous partial fix:

list all: 14s
list all, just 'id' field: 6s
list one: 0.6s
list one, just 'id' field: 0.2s

Now with this change:

list all: 14s
list all, just 'id' field: 0.04s
list one: 0.6s
list one, just 'id' field: 0.03s

Closes-Bug: #1810563
Change-Id: I15df276ba7dbcb3763ab20b63b26cddf2d594954
2019-03-14 16:23:53 -06:00
Zuul
c7ab5b8729 Merge "Add documentation for subnet onboard" 2019-03-14 19:28:31 +00:00
Zuul
8781ece44f Merge "Fix misuse of assertTrue/assertFalse" 2019-03-14 19:28:22 +00:00
Zuul
25003068c9 Merge "consume is_bsd from neutron-lib" 2019-03-14 19:28:19 +00:00
Zuul
b6c2d2afd1 Merge "Set initial ha router state in neutron-keepalived-state-change" 2019-03-14 19:08:19 +00:00
Zuul
7041c25483 Merge "Do not release DHCP lease when no client ID is set on port" 2019-03-14 19:08:15 +00:00
Zuul
45e73be416 Merge "Specify tenant_id in TestRevisionPlugin objects" 2019-03-14 15:47:08 +00:00
Ryan Tidwell
72e783f14e Add documentation for subnet onboard
This is the content for subnet onboard to be included
in the networking guide.

Change-Id: I51a0347d9314818a9f8cbb71ae95266a904d01da
Implements: blueprint subnet-onboard
2019-03-14 10:42:02 -05:00
Takashi NATSUME
86b3993cee Fix misuse of assertTrue/assertFalse
Change-Id: I247705feeb71e20ad5260b0ca1da08de7290ba6e
Closes-Bug: #1819982
2019-03-14 09:16:10 +09:00
Zuul
add5347f9d Merge "Fix fwaas_v2 driver string in docs" 2019-03-13 23:50:07 +00:00
Zuul
325d19eaea Merge "Migrate neutron-functional job to zuul v3 syntax" 2019-03-13 23:25:03 +00:00
Zuul
bf27f6e5ff Merge "[Fullstack] Don't compile ovs kernel module on Ubuntu Bionic" 2019-03-13 23:24:56 +00:00
Zuul
bcc2f87d3f Merge "Add rootwrap filters to kill state change monitor" 2019-03-13 21:00:14 +00:00
Zuul
e28fda1591 Merge "Migrate neutron-tempest-dvr-ha-multinode-full job to zuulv3" 2019-03-13 20:39:13 +00:00
Zuul
94ea100c5e Merge "Do not rise exception if OVS Queue is not present when being deleted" 2019-03-13 19:08:15 +00:00
Zuul
6b750059e7 Merge "Fix pylint E1128 (assignment-from-no-return) in l3-agent" 2019-03-13 16:51:58 +00:00
Rodolfo Alonso Hernandez
44382ac446 Specify tenant_id in TestRevisionPlugin objects
In order to avoid interferences between other tests, the objects
created in TestRevisionPlugin will be created for random
tenant IDs, generated during the execution of each test.

Change-Id: Ica7fe2379c7b1ce516ae7b0cd3959cff88a0b895
Closes-Bug: #1819740
2019-03-13 15:54:37 +00:00
Zuul
7198fb6a0a Merge "Remove deprecated 'external_network_bridge' option" 2019-03-13 15:42:44 +00:00
Miguel Lavalle
25c432a05a Add rootwrap filters to kill state change monitor
When deleting HA routers, the keepalived state change monitor has to be
deleted. This patch adds rootwrap filters to allow deleting the state
change monitor.

Change-Id: Icfb208d9b51eaa41cf01af81f1ede7420a19cc93
Partial-Bug: #1795870
Partial-Bug: #1789434
2019-03-13 07:40:15 -07:00
Slawek Kaplonski
33110fb7e8 Migrate neutron-functional job to zuul v3 syntax
This patch migrates also neutron-functional-python27 job to
zuul v3 syntax.

Neutron's functional tests have to be run on host with
deployed minimal devstack but without running any e.g. neutron
services. Because of that new job's template inherits from
devstack-minimal job instead of devstack-tox-functional and
we need to have own run_functional_job and post_functional_job
playbooks.

It also adds ansible roles:
- configure_functional_tests
- setup_logdir
- fetch_journal_log

which are used in new neutron-functional job definition.
Those roles can be also used later e.g. for fullstack job.

Change-Id: I80bc17c8c9f43050ac0c21176fbc4be46c11ce35
Related-bug: #1804844
2019-03-13 11:07:38 +00:00
Slawek Kaplonski
c3ad500df0 [Fullstack] Don't compile ovs kernel module on Ubuntu Bionic
In fullstack tests it was required to compile ovs kernel module
for specific version from sources because we needed fix [1] for vxlan
tunnels traffic.
Now, as in Ubuntu Bionic there is at least ovs 2.9 available,
this installation from sources shouldn't be necessary anymore.

[1] b1c74f3527

Closes-Bug: #1818632

Change-Id: I83df981a4446e8f52f6f623351d1b80c224a5aff
2019-03-13 10:09:24 +00:00
Slawek Kaplonski
b3d26ab2dd Migrate neutron-tempest-dvr-ha-multinode-full job to zuulv3
This patch migrates definition of
neutron-tempest-dvr-ha-multinode-full job to zuul v3 syntax.

Additionally this patch sets l3_ha config option in neutron
to True to make sure that routers created in tests are HA
always.

Change-Id: I3e48c5109dddc2fca6f3b9c289f416ed4a018a41
Related-Bug: #1804844
2019-03-13 08:06:55 +00:00
Zuul
03d0e43c32 Merge "Fix QoS rule update" 2019-03-12 21:35:26 +00:00
Brian Haley
eaf990b2bc Fix pep8 E128 warnings in non-test code
Reduces E128 warnings by ~260 to just ~900,
no way we're getting rid of all of them at once (or ever).
Files under neutron/tests still have a ton of E128 warnings.

Change-Id: I9137150ccf129bf443e33428267cd4bc9c323b54
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
2019-03-12 21:22:33 +00:00
Nate Johnston
34627a5bb9 Fix fwaas_v2 driver string in docs
The fwaas_v2 driver string is specified incorrectly in the fwaas_v2
scenario documentation.  Fix it.  This was uncovered because it had to
be fixed elsewhere, like puppet-openstack-integration [1].

[1] https://review.openstack.org/635095

Change-Id: Ib68faa4db08f4315c6a2fe137fa8eef199b0255d
2019-03-12 15:36:25 -04:00
Zuul
0f89f3e6dd Merge "Fix fullstack test_dscp_marking_packets test" 2019-03-12 18:45:19 +00:00
Zuul
03045a8b3f Merge "Remove quota_db backward compat file" 2019-03-12 15:10:43 +00:00
Brian Haley
2ac0ee0b28 Fix pylint E1128 (assignment-from-no-return) in l3-agent
Changed migrate_centralized_floating_ip() to return a
status in DvrLocalRouter class.  Also changed the parent
method in RouterInfo class to return FLOATINGIP_STATUS_NOCHANGE,
which will cause the agent to not send an updated status for
the floating IP.

Also changed floating_ip_added_dist() to not use an
intermediate variable and just return directly.

Change-Id: I7dc4934308da95cf00a36b4ef1020aac7cef7d99
Closes-bug: #1816874
2019-03-12 13:43:58 +00:00
Slawek Kaplonski
8fec1ffc83 Set initial ha router state in neutron-keepalived-state-change
Sometimes in case of HA routers it may happen that
keepalived will set status of router to MASTER before
neutron-keepalived-state-change daemon will spawn "ip monitor"
to monitor changes of IPs in router's namespace.

In such case neutron-keepalived-state-change process will never
notice that keepalived set router to be MASTER and L3 agent will
not be notified about that so router will not be configured properly.

To avoid such race condition neutron-keepalived-state-change will
now check if VIP address is already configured on ha interface
before it will spawn "ip monitor". If it is already configured
by keepalived, it will notify L3 agent that router is set to
MASTER.

Change-Id: Ie3fe825d65408fc969c478767b411fe0156e9fbc
Closes-Bug: #1818614
2019-03-12 12:29:36 +01:00
Rodolfo Alonso Hernandez
1813ec74cc Do not rise exception if OVS Queue is not present when being deleted
In this case, there is no need to raise an exception because the
Queue is not present anymore in the OVS database. A warning message
will be logged.

Change-Id: I836e762bf0703d53f47877b73354948cba70e9c2
Closes-Bug: #1819477
2019-03-12 11:24:29 +00:00
Zuul
f2c6d50d5f Merge "Mark dvr_ha_router_failover tests as unstable" 2019-03-12 10:53:57 +00:00
Bence Romsics
732dbdaf5e Fail placement sync if _get_rp_by_name() fails
The Placement sync process involves some input from Placement first.
That is the UUID of the compute host RP. This is a remote call just like
the Placement updates we send later and it also may fail in all the
usual ways of remote calls. We need to fail the sync procedure if this
remote call fails.

Previously I had the mistaken belief that if I set the parent_uuid to
None that will be an invalid call rejected by Placement. But no, that's
a valid call and creates a resource provider without a parent. That is,
the neutron managed resource providers will be in their own resource
provider tree instead of the compute host's resource provider tree.

In this change we make sure to handle the failure of getting the compute
host RP properly. We must not continue with the updates. And we must set
the agent's resources_synced to False.

Change-Id: Ie6ad33e2170c53a16c39a31a8d7f6496170a90ce
Closes-Bug: #1818683
2019-03-12 10:06:39 +01:00
Zuul
773489af62 Merge "[doc] Add network segment ranges into admin guide" 2019-03-12 08:26:42 +00:00
Zuul
e0cfe41491 Merge "Join on explcit relationship paths" 2019-03-11 23:28:35 +00:00
Kailun Qin
59600afc5a [doc] Add network segment ranges into admin guide
Add a new networking guide section for "Network segment ranges" into
admin guide.

Co-authored-by: Allain Legacy <Allain.legacy@windriver.com>

Partially-implements: blueprint network-segment-range-management
Change-Id: I22fd32627d732b3bac9fc7d58e58a13784fda5f1
2019-03-12 07:16:24 +08:00
Boden R
7a285a7fcc consume is_bsd from neutron-lib
The test tool function is_bsd() lives in neutron-lib.
This patch removes the function from neutron and uses it from
neutron-lib instead.

NeutronLibImpact

Change-Id: Ib48f7f1c89e215e9e94d62de31776c492f810f54
2019-03-11 09:50:03 -06:00
Zuul
590002728d Merge "Fix handling no qos_queues while removing min bw limit rule" 2019-03-11 13:32:56 +00:00
Zuul
ccd7380f15 Merge "Catch OVSFWTagNotFound in update_port_filter" 2019-03-11 12:41:26 +00:00
Zuul
0e2f667489 Merge "Fix a couple of bw burst calc unit tests for macs" 2019-03-11 12:08:59 +00:00
Slawek Kaplonski
beb2f2ef15 Fix handling no qos_queues while removing min bw limit rule
When ovs L2 agent is removing qos minimum bandwidth rules for port,
it may happen that qos_queues for this port will not be found.
Such case should be handled properly to not raise AttributeError
when trying to call "keys()" method on None object.

Change-Id: Ic76bf41983e021919ab0a6ffcf0fdcfd45c935ee
2019-03-11 07:35:07 +00:00
Lajos Katona
c1999a2b22 Fix QoS rule update
QoS rule (QosBandwidthLimitRule and QosMinimumBandwidthRule) update now
expects to have direction field in the API request for checking for
duplicates.
This patch changes this by using the rule fetched from the policy and
the update will work on that rule object instead of a newly created
object which for minimum_bandwidth rule has no default direction, which
causes the update to fail.

Change-Id: Ib8f95bf14193a50f22102668bed9208a93d1caba
Closes-Bug: #1815618
2019-03-11 07:24:30 +00:00
Zuul
6920727fe1 Merge "Add TC filter functions implemented with pyroute2" 14.0.0.0b3 2019-03-11 04:27:46 +00:00
Zuul
4b52b123d3 Merge "Update appdirs to 1.4.3" 2019-03-10 20:43:10 +00:00
Zuul
aa72fcace7 Merge "Devstack plugin for network-segment-range api" 2019-03-10 20:42:55 +00:00
Zuul
bb53757044 Merge "When converting sg rules to iptables, do not emit dport if not supported" 2019-03-10 20:42:43 +00:00