Commit Graph

14374 Commits (474b1e7e2f9618a74db3d1359bf2b8f8beffc221)

Author SHA1 Message Date
Assaf Muller 474b1e7e2f Add logging for some functional tests
Functional tests log to a file only if they inherit from
the Sudo tests base class. This patch changes the base
class for some test cases to make them log.

Related-Bug: #1567668
Change-Id: I494ad5410e48489f1fb3689cec44c5a29bbc42f3
2016-05-04 06:41:17 -04:00
Assaf Muller 863b170009 Fix functional tests logging
Turns out the patch with Git commit hash prefix 13993764
disabled functional tests logging completely. This patch
fixes that by moving the neutron-db-manage logging setup
from import to the main function. Fixing that, it looks like
patch with Git commit hash prefix 4980f031fe turned off
DEBUG level logging for functional tests. I changed the
tests default logging from INFO to DEBUG to fix that.

Closes-Bug: #1567613
Change-Id: If02c18af20a236514409f37fa993224903877a8b
2016-05-04 06:39:37 -04:00
Jenkins 7f1ae6c1b7 Merge "Remove threading before process forking" 2016-05-04 06:32:06 +00:00
dukhlov 1cafff0871 Remove threading before process forking
Forking a process when multiple threads are running is an unsafe
operation and could cause a lot of problems because only current
thread will continue working in child thread. Any locked by other
thread resource will remain locked forever.

We faced with this problem during oslo.messaging development and
added workaround to hide this problem:

I tried to fix this problem in oslo.service:

but oslo folks said that this fix is ugly and it is wrong way to add
workarounds to common libraries because projects use them incorrectly.
I think that is fair.

So this patch fixes incorrect usage of oslo libraries. In this patch
I extended functionality of NeutronWorker and add there
`worker_process_count` parameter which determines how many processes
should be spawned for this worker. If `worker_process_count` = 0 - don't
create process and spawn thread in scope of current process for worker

Then I moved all background tasks to workers and return them by
`get_workers` method. start_plugin_workers collects plugin's workers
using `get_workers` method and starts in ProcessLauncher first workers
with `worker_process_count` > 0 and only after this starts threaded
workers by simple Launcher

Closes-bug: #1569404

Change-Id: I0544f1d47ae53d572adda872847a56fa0b202d2e
2016-05-03 21:54:23 +03:00
Jenkins 261edb48b7 Merge "Use paginate_query from oslo_db" 2016-05-03 00:15:32 +00:00
Jenkins c05c9323da Merge "fullstack: Use noop firewall" 2016-05-02 22:14:29 +00:00
Jenkins 3fa83a1c0b Merge "Policies: additional go-to contacts for IPv6 bugs" 2016-05-02 22:12:26 +00:00
Jakub Libosvar 77456735cb fullstack: Use noop firewall
Currently fullstack tests don't use hybrid plugging but they use hybrid
firewall by default. Using iptables is not segregated and OVS agents
running in parallel may interfere between each other.

This patch removes using iptables in ovs agents per created port.

Change-Id: Ic15c942360a4a6ecf0eb5d8ecbbc54e59b10431d
Closes-Bug: #1575033
2016-05-02 17:35:49 +02:00
Jenkins ba8c051401 Merge "Allow OVSDB Connection to register certain tables" 2016-04-30 21:54:26 +00:00
Jenkins 55b5686863 Merge "Resigning as "go to contact" for DVR bugs" 2016-04-30 01:14:22 +00:00
Jenkins 066ca0afee Merge "Pecan: Fix Shim status codes" 2016-04-30 01:01:40 +00:00
Henry Gessau 276a5514ff Policies: additional go-to contacts for IPv6 bugs
IPv6 issues can cover many areas from the API down to agents and
wiring. Add a couple of people to the tag to cover more things.

Change-Id: I1b9f3669f92f4590d1bf21a6d90c3b323b725c3f
2016-04-29 18:23:24 -04:00
Ryan Moats 7fc0fd5a5c Resigning as "go to contact" for DVR bugs
Change-Id: I350955f27a23b3f9b048cfeaf0c8ecf9d53af02b
Signed-off-by: Ryan Moats <>
2016-04-29 15:51:25 -05:00
Kevin Benton 2e19107fe2 Pecan: Fix Shim status codes
Fix the status codes returned by the shim controller
to match the expectations of the API tests.

Closes-bug: #1567801
Change-Id: Ibfede6b6bc4ba24cf2b9e4ff5540c2249695252f
2016-04-29 13:18:14 -07:00
Isaku Yamahata 66ddefb9ab update networking-odl lieutenant
This patch update networking-odl lieutenant to reflects the reality.

Change-Id: Icc53ee4343ae690b79aae480eaed1fe804fcb3be
2016-04-28 08:21:16 -07:00
Sean M. Collins 1019d2b1e5 Resignation from FwaaS duties
Change-Id: Ib8d52558cd43a9f7af20e9cd6e04b4531293f985
2016-04-27 22:39:35 -05:00
Jenkins 50a3142c36 Merge "Remove old fwaas remnants from neutron" 2016-04-28 00:12:03 +00:00
Jenkins 2bf98fe8ce Merge "IPtables firewall prevent ICMPv6 spoofing" 2016-04-27 23:40:20 +00:00
Carl Baldwin 31861843d9 Remove old fwaas remnants from neutron
This was planned to be removed a long time ago but no one ever got to
it.  This shouldn't come as a surprise.

Closes-Bug: #1500960

Change-Id: I3a50d4c069dc54a7c86e7d79586d893a3ae31f2c
Co-authored-by: Ryan Moats <>
2016-04-27 16:48:29 -05:00
Jenkins fe702f8f2a Merge "Remove BGP code from neutron" 2016-04-27 16:20:41 +00:00
Henry Gessau 2f767839c9 Use paginate_query from oslo_db
The paginate_query method was copied from nova which was copied
from glance. Now it is available in oslo_db.

Check and convert the sort keys and sort directions for
consumption by the oslo_db version of the method, and fix up
some grammar in the exception messages.

This work is related to the neutron-lib effort. The lib should
not propagate neutron's copy of paginate_query().

Related-Blueprint: neutron-lib

Change-Id: Ie7da16b94fa2023c9c3d84d96d55f33d0f76903f
2016-04-27 03:12:24 +00:00
Dustin Lundquist a8a9d225d8 IPtables firewall prevent ICMPv6 spoofing
IPv6 includes the concept of link-local addresses. There are address
within the fe80::/64 prefix which are used only within the local layer 2
network. They should never be routed. DHCPv6 is one of several protocols
which utilize link-local addresses.

Previously the blanket permit DHCPv6 rule permitted DHCPv6 requests from
a link-local source, before the source address was validated.

The structure of the IPtables egress firewall is:

  a. fixed rules for special traffic
  b. validate source address
  c. fixed rules necessary for host to function
  d. user rules defined by security groups

This change restricts the special traffic permitted in part (a) to only
that traffic which utilizes the "unspecified address" (::), by moving
the fixed permit ICMPv6 and DHCPv6 rules to part (c), so they are
applied after the source address has been validated. In order to enable
DHCPv6 and other protocols utilizing link-local addresses, the
link-local address corresponding to each MAC address are included in the
permitted source addresses. After the source address is verified, the
fixed rules permit ICMPv6 and DHCPv6, then the user defined security
group rules are applied.

In the existing implementation ICMPv6 and DHCPv6 rules in the fixed
ip6tables firewall rules are too permissive: they permit ICMPv6 and
DHCPv6 traffic, regardless of source MAC or IPv6 address. These rules
where intended to allow a host to acquire an IPv6 address, but
inadvertently allowed a malicious or compromised host to spoof another's
MAC or IPv6 address.

A host acquiring an IPv6 address should preform DAD (duplicate address
detection). To preform this the host must join the multicast group
corresponding to the tentative IPv6 address and the all nodes multicast
group. To join these groups the host sends ICMP MLD (multicast listener
discovery) report messages before it has an IPv6 address assigned, so
the unspecified address is used as the source address. To complete DAD,
ICMP neighbor solicitation messages are sent to solicit if any nodes
using that address. This should be the only use of the unspecified IPv6
address as a source address. The IPv4 case is similar the unspecified
address is used for DHCP discovery and request messages.

To summarize, this patch permits only ICMPv6 traffic from the unspecified
address which is used for duplicate address detection. Then it enforces
the source IPv6 and MAC addresses and finally, allows only ICMPv6 traffic
which has passed this source address validation.

In addition this patch permits traffic from all link-local addresses
associated with each MAC address assigned to the port. This is required
by many IPv6 protocols, such as DHCPv6, which depend on the link-local
addresses. This traffic was previously allowed by the blanket allow
ICMPv6 and allow DHCPv6 rules before the source address was validated.

Finally, it includes a functional test for IPv6 spoofing using both
ICMPv6 and DHCPv6 traffic. OVSFirewall currently permits this spoofed
DHCPv6 traffic. I'm excluding the OVSFirewall implementation from test
so it can be fixed in a follow on patch.

Change-Id: Ice1c9dd349864da28806c5053e38ef86f43b7771
Partial-Bug: 1502933
2016-04-26 10:24:27 -05:00
Jenkins 3db5f5e677 Merge "Add device_id index to Port" 2016-04-26 08:18:39 +00:00
Jenkins eea8fe1081 Merge "Use converters and validators from neutron-lib" 2016-04-26 05:54:04 +00:00
Jenkins 28daa714b9 Merge "Use constants from neutron-lib" 2016-04-26 05:49:47 +00:00
Armando Migliaccio e8d3626d1c Remove BGP code from neutron
Once the spinout is undergoing we should perform the eviction.

Partially-implements: blueprint bgp-spinout

Depends-on: I8be510153edbc496575cde34943ca4c56645e0fb
Change-Id: I20b6ddd37d10eae70e8294d578e53137c0f866fe
2016-04-25 21:54:06 -07:00
Jenkins b3a41f4a31 Merge "Revert "Improve performance of ensure_namespace"" 2016-04-26 01:24:59 +00:00
Jenkins 307353be59 Merge "Data models for vlan-aware-vms" 2016-04-26 00:11:50 +00:00
Ilya Chukhnakov 3fb07b6629 Add device_id index to Port
Some 'Port' queries use 'device_id' column for lookup.
Such queries could be observed in database query log (at least) during
instance launch. In the absence of 'device_id' index that leads to full
table scan. That causes unnecessary database load and impacts query
response time.

Change-Id: If42b7d3265e216d393d3ab8c172b97637af908cc
Closes-Bug: #1574750
2016-04-25 16:28:54 -07:00
Ryan Moats 339a1ccbb9 Revert "Improve performance of ensure_namespace"
This reverts commit 81823e8632.

Unneeded optimization: this commit only improves execution
time on the order of milliseconds, which is less than 1% of
the total router update execution time at the network node.

This also

Closes-bug: #1574881

Change-Id: Icbcdf4725ba7d2e743bb6761c9799ae436bd953b
2016-04-25 22:57:31 +00:00
Jenkins 0d80af94f1 Merge "Updated devref documents for neutron-dynamic-routing" 2016-04-25 16:51:52 +00:00
Jenkins 91d95197d8 Merge "Revert "ML2: Configure path_mtu to default to 1500 bytes"" 2016-04-25 15:00:28 +00:00
vikram.choudhary b1c92f9368 Updated devref documents for neutron-dynamic-routing
Below devref documents are updated for the newly created repository.
* bugs.rst
* neutron-teams.rst
* sub_projects.rst

Change-Id: Ia210109be80a4856a7ee9138e42d05ff6bf95f8a
2016-04-25 14:30:56 +00:00
Brent Eagles 67b621de73 Data models for vlan-aware-vms
This patch introduces the following:

- data models and related schema migrations
- first stub at DB operations
- trunk module structure

This is a tepid attempt to land the first functional code
for this sorely needed feature.

Partially-implements: blueprint vlan-aware-vms

Change-Id: I84b2a7604b6a282ec7cb953482bf7b567ae2344d
2016-04-24 19:41:54 -07:00
Kevin Benton b047e3c28a Pass through setattr to deprecated things
Without setattr defined, setting an attr will end up
setting a new attribute on the deprecated instance
rather than changing my_globals. This means that other
functions in my_globals that have a reference to the original
will have a different view than external users that get
the new attribute.

Closes-Bug: #1575316
Change-Id: I7d1f00b5649399cb6db5213fa5efc7a924cf30a8
2016-04-24 18:20:22 -07:00
Henry Gessau 78fff41ee3 Use converters and validators from neutron-lib
Related-Blueprint: neutron-lib

Change-Id: I6b9079e9e703c6fd75adbed3846e7257685433e8
2016-04-24 19:13:10 -04:00
Jenkins 0fae3bebbd Merge "Revert "Switch to inheriting hacking checks from neutron-lib"" 2016-04-24 17:47:02 +00:00
Henry Gessau 74e7df482c Revert "Switch to inheriting hacking checks from neutron-lib"
This reverts commit 7e1601fcb8.

Change-Id: Ib2420370d29dd40c187197c611d05d1b4a13eaae
2016-04-24 15:19:20 +00:00
Henry Gessau 4148a347b3 Use constants from neutron-lib
With this we enable the deprecation warnings by default.

Related-Blueprint: neutron-lib

Change-Id: I5b9e53751dd164010e5bbeb15f534ac0fe2a5105
2016-04-23 21:23:56 -04:00
Jenkins cdb47fe53a Merge "Switch to inheriting hacking checks from neutron-lib" 2016-04-23 15:58:57 +00:00
Jenkins cc3ba38641 Merge "Modify an option for delete-port as recovery" 2016-04-23 09:38:13 +00:00
Jenkins 5024077fc9 Merge "Remove functional migration script about external tables" 2016-04-23 07:15:48 +00:00
Jenkins 940a13ae86 Merge "Decorate AvailabilityZonePluginBase properly" 2016-04-23 04:07:52 +00:00
John Perkins fe34afc13a Decorate AvailabilityZonePluginBase properly
Without this, users could improperly overlook either
get_availability_zones or validate_availability_zones.

Change-Id: I6530dca041a92da2f1d0bf01d359e5edea3df5c0
Closes-Bug: #1573388
2016-04-22 21:27:13 +00:00
Armando Migliaccio 24e04ddaa2 Remove functional migration script about external tables
This test has run out of its useful purpose. It was meant to protect
accidental schema changes involving external tables. After a few cycles
now, it is very unlikely that human error will not be spotted during
code review, where external tables are referenced/modified during Neutron
core schema migrations.

Putting effort into fixing the BGP removal corner case is not worth it,
and it is probably best to get rid of the test entirely.

Change-Id: I71da8ea5aa5513056a0dc62b6ac9d8c0394583dd
Related-bug: 1466704
2016-04-22 12:50:36 -07:00
lzklibj 667ea2ac7c Allow OVSDB Connection to register certain tables
Current OVSDB Connection will register all tables with schema_helper.
It doesn't matter for most cases, but for implementation for bp
routed-networks in networking-ovn, we don't need all tables in OVN_
Southbound DB are registered. We only need a certain table named
Chassis can be registered.

This patch add a parameter for OVSDB Connection to allow it to
register certain tables, instead of all tables.

Change-Id: I79df60a08a7a6c555b07a9b566d7c09b97e2463c
Closes-Bug: #1568718
2016-04-22 08:43:28 +00:00
Doug Wiegley 7e1601fcb8 Switch to inheriting hacking checks from neutron-lib
Partially-Implements: blueprint neutron-lib
Change-Id: I78691012e9fa2a4ac31c370f28206d7257f83a63
2016-04-21 20:55:03 -06:00
Henry Gessau ae5bad49cc Use exceptions from neutron-lib
Related-Blueprint: neutron-lib

Change-Id: Ia014468bd621c4ee6aea95bf19328c61070174c4
2016-04-21 21:29:44 -04:00
Jenkins f2785fc797 Merge "Don't update DHCP ports in a transaction" 2016-04-22 01:11:31 +00:00
Ihar Hrachyshka 38531ca59c Revert "ML2: Configure path_mtu to default to 1500 bytes"
This reverts commit 7a4633a9ca.

Revert to using 0 as the default value for path_mtu.

In most situations, underlying MTU does not differ for tunnel backed and
vlan/flat tenant networks, in which case the only configuration expected
from operators is setting global_physnet_mtu to the appropriate MTU
value as reflecting all data paths that tenant traffic may take between

But with the non-zero value set for path_mtu, if an operator would like
to raise the global underlying MTU used by neutron to support Jumbo
frames, both global_physnet_mtu and path_mtu need a bump, which is not

So switch back to using a zero value for path_mtu, effectively making it
not participating in MTU calculation, unless explicitly overridden.

Left the original release note intact since it reflects the state for

Added a release note for the change.


Change-Id: I97c4aa647efc85d7b6b45359e43e2a2ae2514a69
2016-04-21 15:50:34 +02:00