This is the second patch to allow upgrades on RPC versioned
objects callbacks.
This enables resource version notifications from agents to all
neutron servers via fanout for updating the version sets in
memory, and via agent status updates for DB storage, so any
neutron server can retrieve such information at boot.
Closes-Bug: #1535247
Change-Id: I67c1323267aaf7e49f4a359ff50b94e52dba4380
Unfortunately we may have to continue to support veth connections
in the OVS agent for QoS use-cases. Related discussion:
https://bugs.launchpad.net/bugs/1550501
For the particular veth connections that reference the 'veth_mtu'
setting, they are constructed long before we know the MTUs of the
networks that will be going over them. So this patch changes their
default to be 9000 to try to ensure they won't be silently dropping
frames in jumbo MTU deployments.
Change-Id: I6859ebdde1f7e3a8163b49d705620e522ada606a
Related-bug: #1542475
- Introduces an API to allow l2-agents to access resources within
the Open vSwitch Agent, specifically the integration and tunnel bridges.
- adds consume_api method to the AgentCoreResourceExtension class.
- modifies the AgentExtensionManager class to accept the AgentExtensionAPI
class as an optional argument.
- adds the OVSAgentExtensionAPI class.
- modifies ovs_lib and ofswitch to include a list of uuid stamps
to exempt from flow deletion.
- adds the OVSBridgeCookieMixin class that manages the distribution of
cookies and maintains the list of reserved cookies.
- modifies OVSNeutronAgent to initialize OVSAgentExtensionAPI and pass
into the AgentExtensionManager.
Partial-Bug: #1517903
Co-Authored-By: Nate Johnston <nate_johnston@cable.comcast.com>
Co-Authored-By: Thomas Morin <thomas.morin@orange.com>
Implements: blueprint l2-api-extensions
Change-Id: I7cb61f30689dff2d7895d444060dedc1532a63ec
This firewall requires OVS 2.5+ version supporting conntrack and kernel
conntrack datapath support (kernel>=4.3). For more information, see
https://github.com/openvswitch/ovs/blob/master/FAQ.md
As part of this, new entry points for current reference firewalls were
added.
Configuration:
in openvswitch_agent.ini:
- in securitygroup section set firewall_driver to openvswitch
DocImpact
Closes-bug: #1461000
Co-Authored-By: Miguel Angel Ajo Pelayo <mangelajo@redhat.com>
Co-Authored-By: Amir Sadoughi <amir.sadoughi@rackspace.com>
Change-Id: I13e5cda8b5f3a13a60b14d80e54f198f32d7a529
Before the initial SG firewall setup, the VLAN tag is added to
the port information; this assignment is removed from _bind_devices
function. This value is needed by some SG agent
implementations.
This implementation maintains the actual function call order:
- Apply security groups.
- Bind devices.
Change-Id: I6f70083a1d42a5be4545956406a96d6579145c00
Closes-Bug: #1512636
This protection should always be enabled unless it's explicitly
shut off via the port security extension via the API. The primary
reason it was a config option was because it was merged at the end
of Kilo development so it wasn't considered stable. Now that it
has been enabled by default for all of Liberty and the development
of Mitaka, it's a good idea to just get rid of the option completely.
DocImpact: Remove references to prevent_arp_spoofing and replace
with pointer to port security extension for disabling
security features.
Change-Id: Ib63ba8ae7050465a0786ea3d50c65f413f4ebe38
When subnet or gateway port has been deleted concurrently, rpc call
to get_subnet_for_dvr will return an empty dict without any value.
ovs_dvr_neutron_agent should be more graceful and at least log
a warning message in that situation.
Change the existing error log to warning, because it is not a server
error, but a fact that should be noticed.
Change-Id: Icb3a57553a8b0eb635c0d85e2c60e7ce519893f6
Closes-bug: #1454921
When the of_interface=native configuration is active, Ryu's event loop
must be explicitly terminated.
Change-Id: I28779cf0da6a9b369922566998ec388679593819
Closes-bug: 1525780
OVS agent tunnel interfaces are named via:
'%s-%s' % (tunnel_type, destination_ip)
This means that the tunnel interface name is not unique if
two OVS agents on the same machine try to form a tunnel with a
third agent. This happens during full stack tests that start
multiple copies of the OVS agent on the test machine.
Thus, for full stack tests, to make sure that the tunnel
interface names created by ovs agents are globally unique, they
will have the following format :
'%s-%s-%s' % (tunnel_type, hash of source IP, hash of dest IP)
Since this patch centralizes the formation of the tunnel interface
name in a dedicated method that is monkey patched by the full stack
framework, a unit test has been added for this method.
Co-Authored-By: Mathieu Rohon <mathieu.rohon@gmail.com>
Closes-Bug: #1467633
Change-Id: I991af6a5f982746cc297f0248454f803dfbb2daf
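The naming collision described in the message above, as an added Python sketch (not Neutron's code). The function names, the truncated SHA-1 used for "hash of ... IP" and the sample addresses are assumptions made for illustration.

```python
import hashlib


def legacy_tunnel_name(tunnel_type, local_ip, remote_ip):
    # Scheme quoted in the message: the source address plays no part.
    return '%s-%s' % (tunnel_type, remote_ip)


def _ip_hash(ip, length=6):
    # Assumption: truncated SHA-1 hex digest; the message only says "hash".
    return hashlib.sha1(ip.encode('utf-8')).hexdigest()[:length]


def fullstack_tunnel_name(tunnel_type, local_ip, remote_ip):
    # Scheme from the message: both endpoints contribute to the name.
    return '%s-%s-%s' % (tunnel_type, _ip_hash(local_ip), _ip_hash(remote_ip))


def find_name_collisions(name_func, tunnel_type, tunnels):
    """Return {name: [(local, remote), ...]} for names claimed more than once."""
    claimed = {}
    for local_ip, remote_ip in tunnels:
        name = name_func(tunnel_type, local_ip, remote_ip)
        claimed.setdefault(name, []).append((local_ip, remote_ip))
    return {name: ends for name, ends in claimed.items() if len(ends) > 1}


# Constructed sample: agents at 10.0.0.1 and 10.0.0.2 run on the same test
# machine and both tunnel to a third agent at 10.0.0.3, and to each other.
SAMPLE_TUNNELS = [
    ('10.0.0.1', '10.0.0.3'),
    ('10.0.0.2', '10.0.0.3'),
    ('10.0.0.1', '10.0.0.2'),
    ('10.0.0.2', '10.0.0.1'),
]

if __name__ == '__main__':
    for func in (legacy_tunnel_name, fullstack_tunnel_name):
        clashes = find_name_collisions(func, 'vxlan', SAMPLE_TUNNELS)
        print(func.__name__, clashes or 'no collisions')
```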
When a port is deleted, that port is set to a dead-vlan, and
an ofport drop-flow is added in port_dead().
The ofport drop-flow gets removed only in some cases
in _bind_devices() - depending on the timing of the
concurrent port-deletion. In other cases, the drop-flow
never gets removed, and such garbage drop-flow rules
accumulate forever until the ovs-agent restarts.
The fix is to use the function update_stale_ofport_rules which
solves this problem of tracking stale ofport flows
in deleted ports, but currently applies only to
prevent_arp_spoofing.
Change-Id: I0d1dbe3918cc7d7b3d0cdc49d7b6ff85f9b02a17
Closes-Bug: #1493414
exit() is used for interactive shell, it relies on the site module.
sys.exit() is considered good to use in programs.
Trivial-fix
Change-Id: Ic34e137a4f1d116a63f50a56ee6b3b2d5efa6d97
Adding the additional protocols listed below to
security groups brings convenience to operators
configuring these protocols. In addition, it makes
the security group rules more readable.
The added protocols are: ah, dccp, egp, esp, gre,
ipv6-encap, ipv6-frag, ipv6-nonxt, ipv6-opts,
ipv6-route, ospf, pgm, rsvp, sctp, udplite, vrrp.
A related patch is submitted to neutron-lib project:
https://review.openstack.org/259037
DocImpact: You can specify protocol names rather than
protocol number in API and CLI commands. I'll update
the documentation when it is merged.
APIImpact
Change-Id: Iaef9b650449b4d9d362a59305c45e0aa3831507c
Closes-Bug: #1475717
When the l2population mechanism driver is enabled, if ovs is restarted
tunnel ports are not re-configured in full due to stale ofport handles
in the OVS agent.
Reset all handles when OVS is restarted to ensure that tunnels are
fully recreated in this situation.
Change-Id: If0e034a034a7f000a1c58aa8a43d2c857dee6582
Closes-bug: #1460164
Currently agent will fall back to non-dvr mode in case it can't.
However neutron server does not check dvr mode of ovs agents when
scheduling routers. So in a DVR enabled cluster all ovs agents
should run in DVR mode. Otherwise it will lead to undefined
behavior which is hard to debug.
Closes-Bug: #1536110
Change-Id: I6c31aabf1852c688e9c27fc1859d3fdd830caa68
Occurrences of Openstack (incorrect capitalization) are replaced with
OpenStack
Change-Id: I7f33060a2dd430cdd49aebf9420e3cd54d21c72c
Closes-Bug: #1535246
If a device fails more than MAX_DEVICE_RETRIES, the agent
won't try to sync it anymore and will log an error message.
Partially-Implements: blueprint restructure-l2-agent
Change-Id: Ie37e9197573870fb2e73370b30e41fc2be7bcf78
With the new RPC calls get_devices_details_and_failed_devices
and update_device_list the agent gets a list of devices
for which some operation failed. The agent can now make use
of this information and instead of syncing all the devices
can sync only those which failed.
With the current change if a device keeps failing, the agent
will try to sync it forever. In a following patch I will limit
the number of retrials.
Partially-Implements: blueprint restructure-l2-agent
Change-Id: I295dc79031a0547f8687c5835c7ba7bbc43df36d
When changing datapath_type in the config, physical and tunnel bridges
do not have their datapath_type updated. Calling create() on already
created bridges should be safe as it passes '--may-exist' when adding
the bridge, which will do nothing if the bridge already exists, but
the second part of the transaction will still update things like
datapath_type.
It should be noted that ancillary bridges (like br-ex) are not
modified by this patch as datapath_type was never applied to them to
begin with.
Incidentally, the native and vsctl versions behaved slightly
differently when handling datapath_type: vsctl builds the multi-cmd
transaction with add-br ... -- set ..., so that the second cmd would
actually complete. The native just bailed if may_exist and the bridge
existed. This is fixed as part of this patch.
Change-Id: Ib8bc817c7bc724d80193d0ca7af480a7ea103f77
Closes-Bug: 1532273
Disabling admin state can cause confusion in OVS agent logs as to why
VLAN 4095 is set to a particular port. This commit adds an extra INFO
log message when admin state is disabled. There is no log emitted
upon enabling admin state as there is already a detailed log entry
logged in treat_devices_added_or_updated() function.
Change-Id: I1301db8fea75af211f66a1914d1f0b706a6d5b36
Closes-Bug: 1463891
Currently 'flows' is being checked for empty list in
a non standard way 'if flows == []:'. This patch
simplifies logic so that above check is unnecessary.
TrivialFix
Change-Id: I0eac42e425213b6588090e7e2379b14446308361
This patch adds a notification for systemd after the agent has reported
its initial state to the Neutron server. This enables configuring
orderly startup of services that are dependent on the server having a
healthy openvswitch agent running.
Related-Bug: #1525901
Change-Id: I8d08f1b2ae196b1e48f9d91e06966687c0a8bd43
Misspelling in following message:
"# interconnect physical and integration bridges using veth/patchs".
Should be:
"# interconnect physical and integration bridges using veth/patches".
Totally 1 occurrence in Neutron base code.
Change-Id: If752b8c65cf4993447b93dfc9a06de15389f2675
The patch Id28248f4f75821fbacf46e2c44e40f27f59172a9 makes the agent
always report its state with the RPC call() method, so the variable
self.use_call was unused; this patch removes it.
Change-Id: I2e15d9ea2f35dce710858db8c8c6efd8c8304a23
Wrong usage of "a" in the messages:
"'%s' is not a integer"
"Create a address scope"
"Return True if port has as a allowed address pair"
"But if a agent does not report its status"
"a ipv4 link-local address"
"Retrieve and return a extended information about a network"
"It could be a eui-64 address, a random IPv6 address"
"push a elastic-recheck query for it (see below)"
"is not a enforced requirement"
"a ovs_lib.VifPort object"
Should be:
"'%s' is not an integer"
"Create an address scope"
"Return True if port has as an allowed address pair"
"But if an agent does not report its status"
"an ipv4 link-local address"
"Retrieve and return extended information about a network"
"It could be an eui-64 address, a random IPv6 address"
"push an elastic-recheck query for it (see below)"
"is not an enforced requirement"
"an ovs_lib.VifPort object"
Totally 9 occurrences in Neutron base code.
Change-Id: I0f980fc8c98524db3d194ecb779f76abb37eb31c
AsyncProcess.stop() will raise if the process we are trying
to stop is not running. Some functional tests sporadically
fail because in the clean up the polling manager is stopped
without checking if it's still running. Add an except
in InterfacePollingMinimizer.stop() to avoid raising an
exception when the monitor is not running.
Change-Id: Iec8f5039ae5b830836564a1a402ad3e4ba38935d
Closes-bug: #1525856
This change transforms validate_local_ip into a sub-method of
validate_tunnel_config and raises directly SystemExit instead of
indirectly.
Related-bug: #1464394
Change-Id: I35addd41e1a8b061bd0e5e6656a1728fb7fe04ce
The original change had to be reverted because it caused
tests to fail in the gate. The failures were due to the
fact that when a port was not ready, an exception was
thrown to trigger a full resync of the agent. This
behavior was meant to be temporary and was fixed in a
dependent patch that was not merged though. This revert
moves the handling of not ready ports in this patch.
It also refactors the unit tests a bit.
This reverts commit e7270d9505.
Change-Id: I6574cef3c95525ace6a98cf968ee159190681394
This implementation is to give support on neutron security group with
XenServer as compute driver. When using openvswitch, the ovs agent on
compute node cannot execute some linux commands correctly due to
xenserver driver lacking such support. This change will add some
allowed commands which can be executed in dom0.
Implements: blueprint xenserver-give-support-on-neutron-security-group
Change-Id: I377f8ad51e1d2725c3e0153e64322055fcce7b54
- This does NOT break other projects that rely on neutron.i18n,
as this change includes a debtcollector shim to maintain those
older entry points, until they can migrate.
- Also updates _i18n.py to the latest pattern defined by oslo_i18n
- Guidance and template are from the reference:
http://docs.openstack.org/developer/oslo.i18n/usage.html
Partially-Closes-Bug: #1519493
Change-Id: I1aa3a5fd837d9156da4643a367013c869ed8bf9d
db_get_val can return None if the port got deleted concurrently.
In this case there is no need to mark it dead and add drop flow for it.
Change-Id: I5ef9665770df3a9bbaf79049b219fadd73e20309
Partial-Bug: #1493414
This adds a new tox environment, genconfig, which generates sample
neutron core configuration file using oslo-config-generator.
Updates to some configuration option help messages to reflect useful
details that were missing in the code but were present in config files.
It also adds details to devref on how to update config files.
Partially-Implements: blueprint autogen-neutron-conf-file
DocImpact
Change-Id: I1c6dc4e7d479f1b7c755597caded24a0f018c712
Closes-bug: #1199963
Co-Authored-By: Louis Taylor <louis@kragniz.eu>
The previous OVS ARP spoofing code was dropping the rule to jump to
the ARP protection table each time it was called. This call was
unnecessary since the majority of port updates are not turning
off port security.
This patch adjusts the logic to only drop the jump rule if port-sec
is disabled or if it is a network port. The existing functional tests
ensure that connectivity works as expected.
Closes-Bug: #1520013
Change-Id: I7b396d758c2d4c7e1004257d432b210bf3ee5c66
Removed create_agent_config_map method which creates specific
configurations dictionary according to cfg.CONF and call the OVS-agent
with that structure. Passing oslo_config directly to init-method
of OVS-agent is more straightforward and makes it more testable.
Also refactored unit and functional tests of OVS-agent in accordance
with the changes in init-method.
Closes-bug: #1464394
Change-Id: I88742e4d454709e35481f2c505c9d64995497cac
The OVS device name hashing algorithm shortens interface names that are too
long. To ensure uniqueness it makes use of a hashing algorithm.
Move this function to a common place where it can be shared between ml2
drivers and agents.
Extend the function to support defining the max device length to be used.
Change LOG level to info to help deployers figure out the unhashed name
of a hashed interface.
Adapt OVS agent to use this common function instead of its
own implementation.
Change-Id: I5c04f39928d070aa7e372934fcb2675609d2761c
Partial-Bug: #1495960
Adds the ovs 'config' property which returns the contents of the
single row of the Open_vSwitch table. This gives access to certain
OVS capabilities such as datapath_types and iface_types.
Using this information in concert with the datapath_type config
option, vif details are calculated by the OVS mech driver. If
datapath_type == 'netdev' and OVS on the agent host is capable of
supporting dpdkvhostuser, then it is used.
Authored-By: Terry Wilson <twilson@redhat.com>
Co-Authored-By: Sean Mooney <sean.k.mooney@intel.com>
Closes-Bug: #1506127
Change-Id: I5047f1d1276e2f52ff02a0cba136e222779d059c
In big and busy clusters there could be a condition when
rabbitmq clustering mechanism synchronizes queues and during
this period agents connected to that instance of rabbitmq
can't communicate with the server and server considers them
dead, moving resources away. After the agent becomes active again,
it needs to clean up state entries and synchronize its state
with neutron-server.
The solution is to make agents aware of their state from
neutron-server point of view. This is done by changing state
reports from cast to call that would return agent's status.
When agent was dead and becomes alive, it would receive special
AGENT_REVIVED status indicating that it should refresh its
local data which it would not do otherwise.
Closes-Bug: #1505166
Change-Id: Id28248f4f75821fbacf46e2c44e40f27f59172a9
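The call-based state report described in the message above, as an added Python sketch (not Neutron's code). The class names, the status string values and the `agent_down_time` threshold are assumptions; only the AGENT_REVIVED name comes from the message.

```python
AGENT_NEW = 'new'          # assumed value
AGENT_ALIVE = 'alive'      # assumed value
AGENT_REVIVED = 'revived'  # name from the message; the value is assumed


class Server:
    """Tracks the last heartbeat per host and answers each report."""

    def __init__(self, agent_down_time):
        self.agent_down_time = agent_down_time  # hypothetical threshold (s)
        self.last_heartbeat = {}

    def report_state(self, host, now):
        # A synchronous call: the return value is the server's view of the
        # agent, which a fire-and-forget cast could never deliver.
        previous = self.last_heartbeat.get(host)
        self.last_heartbeat[host] = now
        if previous is None:
            return AGENT_NEW
        if now - previous > self.agent_down_time:
            # The server had already considered this agent dead.
            return AGENT_REVIVED
        return AGENT_ALIVE


class Agent:
    def __init__(self, host, server):
        self.host = host
        self.server = server
        self.full_syncs = 0

    def heartbeat(self, now):
        status = self.server.report_state(self.host, now)
        if status == AGENT_REVIVED:
            # Resources may have been moved away while we were unreachable.
            self.full_syncs += 1
        return status


def simulate(heartbeat_times, agent_down_time=75):
    """Replay heartbeats at the given times; return (statuses, full_syncs)."""
    agent = Agent('compute-1', Server(agent_down_time))
    statuses = [agent.heartbeat(t) for t in heartbeat_times]
    return statuses, agent.full_syncs


if __name__ == '__main__':
    # Constructed timeline: reports stall between t=60 and t=200, as when
    # the message queue is busy synchronizing.
    print(simulate([0, 30, 60, 200, 230]))
```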
Now that we have the constant defined, we should reuse it from other
code to avoid potential typos.
Change-Id: Id7a941c1a461264ba44893d97cc6226f092e9888
When the neutron server is down/busy the agent is not able to get any
port info. After the agent restarts, it will not install any new flow.
Cleaning the existing flows will break all networking until the agent
succeeds to sync with the neutron server.
This patch ensures the agent cleans the stale flows only after it
succeeds to sync with the neutron server.
Change-Id: I763fc06a73b6d2f010da65e74241182636dda44d
Closes-bug: #1515075
This might be associated to manifestation of bug #1514935
This reverts commit 1992d52d63.
Closes-Bug: #1514935
Change-Id: If01cc87b6735e1bc039f99c4c6121e7c5ce547d0
OVSDB monitor generates the events that the OVS agent
needs to process (device added or updated). Instead of
polling, the agent processes the queue of events.
Change-Id: I168a3cc3aa96a809153a30635ad7bda29e8ee47c
Partially-Implements: blueprint restructure-l2-agent
Change function call order in ovs_neutron_agent during the
creation or modification of a port, in order to fulfill the
VLAN OVS tag information in the "port" register before calling
the SG agent. This information is needed in some SG agent
implementations.
Closes-Bug: #1512636
Change-Id: I9813aca6443ac402b10b4cebf8be42416628b050
Commit 44d73d1ad3 added support
for oslo.config 2.6.
Commit 4d2cb851b7 added this to Neutron.
The patch adds a few missing items.
Change-Id: Id36515e28458c354ddb6fe3656f182d17df08f8a
Went through all of the docstrings in Neutron and did
some cleanup. I'm sure there are a bunch more that I have missed.
Change-Id: Ib29d2de1c580880c89ed4fd069e1515d0977a3e7
The oslo_config library provides new type PortOpt to validate the
range of port now.
Change-Id: I40792ddcee0f89c47defa726fed24f26c4b88ce2
Depends-On: I9c0e3f44cf93db020933d8d766cedfc2e3f3bb8b