ovsdbapp>=2.6.1 handles cleanup of Chassis_Private record
with chassis delete so we don't need explicit delete.
The compatibility part can be dropped when we update
requirements.txt to ovsdbapp>=2.6.1.
Closes-Bug: #2066263
Change-Id: I45c6e6a1c3536cf4f2d90b01a3577eec9eaf3743
(cherry picked from commit 20b9893e34dda0b448ac75c795867cb46de5e127)
set_gateway_mtu runs for all the gateway ports for a network
and if one of the ports get's deleted in meanwhile
whole transaction fails.
To handle this we need to add if_exists=True to the transaction
but for that it needs to be supported in ovsdbapp. It's fixed
in ovsdbapp with [1] but would require to bump ovsdbapp
minimal version in requirements.txt which we normally don't
do for stable branches.
So using "update_lrouter_port" instead as that have the
required option available. Before [2] that was only used
but during the switch if_exists part was missed.
[1] https://review.opendev.org/q/I56685478214aae7b6d3a2a3187297ad4eb1869a3
[2] https://review.opendev.org/c/openstack/neutron/+/762695
Closes-Bug: #2065701
Related-Bug: #2060163
Change-Id: I447990509cdea9830228d3bc92a97062cc57a472
When neutron API is called to check requirements for the auto_allocate
topology, it needs to return not only 'tenant_id' field but also
'project_id' as that is required for the policy enforcement.
Without this 'project_id' field requirements check was failing for
member and reader users as they got 404 from the Neutron API. And the
reason why Neutron was returning 404 was that it wasn't passing policy
enforcement due to missing project_id field in the 'target' object.
Closes-bug: #2066369
Change-Id: Idf96a82bc6c8cb0b47dfde3baba94b42a8a8beba
(cherry picked from commit dfc01beab22f1c2b977d3e399c3fcda69a72082d)
When the common Metadata Driver was created in [0], the
monitors dictionary was dropped accidentally. This causes
tracebacks in the fullstack L3-HA tests when
after_router_updated() is called. Put it back along with
its related tests.
[0] https://review.opendev.org/c/openstack/neutron/+/894399
Closes-bug: #2065145
Change-Id: I137ed7cec9e0eafdb3a351e5a414f5a0c16f33e5
(cherry picked from commit 5b62e27154c976cfd5707029a94e22e23ecbddef)
If there were not changes made to data in the database there is no
reason to bump revision numbers because the underlying drivers won't
change too. This saves cycles in case empty updates are incoming to the
API.
Co-Authored-By: Ihar Hrachyshka <ihar@redhat.com>
Closes-bug: #2065094
Change-Id: Ib74fdab7a8927ef9cc24ef7810e9cf2c264941eb
(cherry picked from commit 5795c192b840ae327bc9e32d5183f177daa9b55b)
If the netron-ovn-db-sync-util is run while neutron-server
is active (which is not recommended), it can randomly fail
if there are active API calls in flight to create networks
and/or subnets.
Skip the subnet and log a warning if detected.
Closes-bug: #2045811
Change-Id: Ic5d9608277dd5c4881b3e4b494e1864be0bed1b4
(cherry picked from commit e4323e1f209ea1c63fe7af5275ea2b96f52b8740)
If the Nova metadata service is unavailable, the requests.request()
function may raise a ConnectionError. This results in the upper code
returning a 500 HTTP status code to the user along with a traceback.
Let's handle this scenario and instead return a 503 HTTP status code
(service unavailable).
If the Nova service is down and is behind another proxy (such as
Nginx), then instead of a ConnectionError, the request may result in
receiving a 502 or 503 HTTP status code. Let's also consider this
situation and add support for an additional 504 code.
Closes-Bug: #2059032
Change-Id: I16be18c46a6796224b0793dc385b0ddec01739c4
(cherry picked from commit 6395b4fe8ed99855853587fa93cb59fd2691aed5)
In order to decide whether to process a router related
request, the user defined router flavor OVN driver needs to
check the flavor_id specified in the request. This change adds
the code to test the case when the API passed the flavor_id as
unspecified.
Change-Id: I4d7d9d5582b97246cad63ef7f5511b159d6c6791
Closes-Bug: #2059051
(cherry picked from commit 9d729bda207847b4c94d570eacdd26951294f49f)
This change enhances the IptablesFirewallDriver with support for remote
address groups. Previously, this feature was only available in the
OVSFirewallDriver. This commit harmonizes the capabilities across both
firewall drivers, and by inheritance also to OVSHybridIptablesFirewallDriver.
Background -
The Neutron API allows operators to configure remote address groups [1],
however the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do
not implement these remote group restrictions. When configuring security
group rules with remote address groups, connections get enabled
based on other rule parameters, ignoring the configured remote address
group restrictions.
This behaviour undocumented, and may lead to more-open-than-configured network
access.
Closes-Bug: #2058138
Change-Id: I76b3cb46ee603fa5e829537af41316bb42a6f30f
(cherry picked from commit 5e1188ef38da3f196aadf82a3842fa982c9a0c83)
Since [1] was merged, user defined flavor routers with the HA
attribute set to False cannot be created. This change fixes
it.
Closes-Bug: #2057983
[1] https://review.opendev.org/c/openstack/neutron/+/910889
Change-Id: Ic72979cfe535c1bb8cba77fb82a380c167509060
(cherry picked from commit 26ff51bf05dd8b61d96489f6b459e8f62f855823)
Update the URL to the upper-constraints file to point to the redirect
rule on releases.openstack.org so that anyone working on this branch
will switch to the correct upper-constraints list automatically when
the requirements repository branches.
Until the requirements repository has as stable/2024.1 branch, tests will
continue to use the upper-constraints list on master.
Change-Id: I1371b181b1042a25a43686566952cdc6a1c23bef
- test_update_subnet_dhcp_options_in_ovn_ipv6_not_change
- test_enable_subnet_dhcp_options_in_ovn_ipv6
This tests will fail if host where unit tests has ipv6 dns_servers
configured. This patch mocks get_system_dns_servers to avoid tests
to look at the host configuration.
Closes-Bug: #2056778
Change-Id: I2e703ab4b63c90d7a14f0dc41d37b0a98163bce0
The "ha" API flag is now enabled for the OVN routers. Because of the
current implementation, this flag must be always "True". When a new
router is created, this flag is always set. If an OVN router is
explicitly created or updated with "--no-ha" (ha=False), the server
will raise an InvalidInput exception.
Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/911081
Closes-Bug: #2020823
Change-Id: I60ff33680dd5397a226a9051d51bfb0701f862b5
iptables-save uses a system-dependent value, usually that
found in /etc/protocols, when 'ipip' is given as the
security group protocol. The intent is to always use the
string value for IP protocol '4', as iptables-save has no
'-n' flag to print values numerically.
This updates a previous change (793dfb04d) that hard-coded
that string to 'ipencap', which broke CentOS/Fedora, which
uses 'ipv4'.
For this reason we cannot hard-code anything in neutron-lib,
this needs to be added dynamically, so this one-line change
needs to stay here, and effectively closes the bug.
Closes-bug: #2054324
Change-Id: Ic40b539c9ef5cfa4cbbd6575e19e653342e8342b
This patch is implementing the OVN agent metadata extension, by reusing
the OVN metadata class. The class ``MetadataAgent`` is inherited in the
``MetadataExtension`` class. The goal is to use the same code in both
implementations (until the OVN metadata agent is deprecated).
The OVN agent metadata extension has a different initialization
process. The OVN and OVS IDL connections are created during the
extension initialization but are not accessible. The ``start`` method
is used to load the configuration, execute the sync process and
register the metadata extension.
This extension will replace the need of the OVN metadata agent. The
deprecation of this agent will imply the refactor of the existing code
that now is shared between both agents.
This new OVN agent will be tested in the "neutron-tempest-plugin-ovn"
CI job, after the change done in the following patch.
Needed-By: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/909860
Partial-Bug: #2017871
Change-Id: I4381a67648a9b6198a8d936db784964d74dc87a1
Added new files to the "omit" section of the coverage testing. These
files have a current 0% of testing coverage. The list include:
* The initial cmd commands for the different Neutron agents.
* The OVN mechanism driver OVSDB API definition.
* The Loki plugin, used only in tempest tests.
Change-Id: Ifb43e3e0b69fac21f49096153de11016e0c8e581
``OvnDriver`` and ``DvrHaDriver`` classes were using an incorrect
variable name to define the DVR support, that should be
"distributed_support" instead of "dvr_support".
Closes-Bug: #2056199
Change-Id: Id2ee080dde8cd094995e94564f2877a89e9cc5aa
In "test_virtual_port_host_update_upon_failover", it is needed to check
if the "Port_Binding" register exists before checking the type.
Closes-Bug: #2055886
Change-Id: I8a6b3498803bcba592a82dfbe43a39137dd12fa2
The router name will be always defined in the "Logical_Router_Port"
external_ids field.
Related-Bug: #2052821
Change-Id: Ia2f70363963dca9f035eff8d1ff0c399dc8b9239