This adds the new API endpoint to create, update, and delete
role-based access control entries. These entries enable tenants
to grant access to other tenants to perform an action on an object
they do not own.
This was previously done using a single 'shared' flag; however, this
was too coarse because an object would either be private to a tenant
or it would be shared with every tenant.
In addition to introducing the API, this patch also adds support to
for the new entries in Neutron networks. This means tenants can now
share their networks with specific tenants as long as they know the
tenant ID.
This feature is backwards-compatible with the previous 'shared'
attribute in the API. So if a deployer doesn't want this new feature
enabled, all of the RBAC operations can be blocked in policy.json and
networks can still be globally shared in the legacy manner.
Even though this feature is referred to as role-based access control,
this first version only supports sharing networks with specific
tenant IDs because Neutron currently doesn't have integration with
Keystone to handle changes in a tenant's roles/groups/etc.
DocImpact
APIImpact
Change-Id: Ib90e2a931df068f417faf26e9c3780dc3c468867
Partially-Implements: blueprint rbac-networks
The ML2 Cisco UCSM driver's entry point is being switched to the
networking-cisco vendor repo. The definition of the driver's db
file and all references to it in the neutron branch are removed.
Change-Id: I75eb165f3bb78d31bece26762ca0ff47cab2b79b
Implements: blueprint: core-vendor-decomposition
Closes-bug: #1484165
fix policy.json to not allow tenants to create policies or rules
by default and allow tenants attach ports and networks to policies,
please note that policy access is checked in the QoSPolicy neutron
object in such case.
Closes-Bug: #1485858
Change-Id: Ide1cd30979f99612fe89dddf3dc0e029d3f4d34a
Note to reviewers: gerrit diff for merge patches is very limited, and
leaving comments in global section won't scale, so please comment here:
https://etherpad.openstack.org/p/qos-merge-back-review
This merge commit introduces QoS feature into Liberty release of
Neutron.
The feature is documented in: doc/source/devref/quality_of_service.rst
included with the merge patch.
It includes:
- QoS API service plugin with QoS policy and QoS bandwidth limit
(egress) rule support;
- core plugin mechanism to determine supported rule types, with its ML2
implementation;
- new agent extension manager;
- QoS agent extension with pluggable backend QoS drivers (Open vSwitch
and SR-IOV support is included).
To extend network and port core resources with qos_policy_id attribute,
a new ML2 extension driver (qos) was introduced that relies on the QoS
core resource extension (the idea is that eventually we'll get a core
resource extension manager that can be directly reused by core plugins).
Agent-server interaction is based on:
- get_device_details() method that is extended with qos_policy_id;
- a new push/pull mechanism that allows agents and servers to
communicate using oslo.versionedobjects based objects sent on the
wire.
The merge includes the following types of test coverage:
- unit tests;
- functional tests for OVS agent, QoS agent extension, and low level
ovs_lib changes;
- API tests to cover port/network qos_policy_id attribute and new QoS
resources.
The client changes can be found at:
* https://review.openstack.org/189655
* https://review.openstack.org/198277
The team also prepared fullstack test but it needs to wait for client
merge before it can pass in the gate:
* https://review.openstack.org/202492
Gerrit does not show diff for merge changes that did not result in any
conflict, so to facilitate review, rely on the following steps:
- fetch the patch locally
- git fetch origin
- git diff origin/master...
This merge also disables qos extension API tests until the service is
enabled in master gate.
Local changes apart from conflicts:
- updated down_revision for qos migration to reflect master expand head;
- disabled qos API tests with gate_hook.sh until we have it enabled in
master gate;
- bumped oslo.versionedobjects requirement to reflect what is in
openstack/requirements' global-requirements.txt
DocImpact
APIImpact
Partially-Implements: blueprint quantum-qos-api
Partially-Implements: blueprint ml2-qos
Partially-Implements: blueprint ml2-qos-ovs-bwlimiting
Partially-Implements: blueprint ml2-sriov-qos-with-bwlimiting
Change-Id: I92916d0e391791187e9a25ff172fb4b3504857b1
Remove neutron:/etc/neutron/plugins/vmware/ because
it has been moved to vmware-nsx:/vmware_nsx/etc/
in commit# b27bc1942195ff551cd22ddaf6853a25302cbb7e.
This is the first part of vmware plugin decomposition
(etc, extensions, and database).
Partial-bug: #1483453
Change-Id: Ic6fe5e256369a1b6aabdaadf019989f0e6a6e444
The L3 HA mechanism creates a project network for HA (VRRP) traffic
among routers. The HA project network uses the first (default) network
type in 'tenant_network_types'. Depending on the environment, this
combination may not provide a desirable path for HA traffic. For
example, some operators may prefer to use a specific network for HA
traffic to prevent split-brain issues.
This patch adds configurable options that target the network_type and
the physical_network of the created HA network.
Doc-Impact
Closes-Bug: #1481443
Change-Id: I3527a780179b5982d6e0eb0b8c32d6dafeeab730
There is no (general) use case to allow users to configure qos driver to
load by qos l2 agent extension. So instead of getting the driver name
from the configuration file, hardcode it and potentially reuse for other
extensions that may also be interested in splitting extension into
agent agnostic and agent specific pieces.
Added driver_type parameter to AgentCoreResourceExtension.initialize().
Also updated the method signature to reflect that we expect l2
extensions to receive connection.
Finally, removed #noqa import for openvswitch.common.config from qos
extension unit test since it seems unneeded.
Change-Id: Iae4dcc20c967d1da216772a3a3660e0421263527
Partially-Implements: quantum-qos-api
Enable set DNS and DHCP log of dnsmasq for dhcp agent
Add a new configuration named 'dnsmasq_base_log_dir'
in dhcp_agent.ini.
This entry should be a path of log file. It should
like this:
dnsmasq_base_log_dir=/tmp
And the DNS and DHCP log will be written into the file
"/tmp/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/dhcp_dns_log".
The dir path will be created if the given path doesn't exists.
DocImpact
Closes-Bug: #1475636
Change-Id: I87be346ec5059eaa8a29f48fe53933af82d1b155
This effectively disables qos extension in the OVS agent, but we don't
rely on it in any functional or fullstack tests so far.
To enable the extension, a user should add:
[agent]
extensions = qos
to their openvswitch_agent.ini file.
DocImpact
Partially-Implements: blueprint quantum-qos-api
Change-Id: Icfbf32c36f98cc6e203841b152c7f6fc4f48c20a
Also renamed service_notification_drivers into notification_drivers
since it's clear where it belongs anyway (it's in neutron.conf meaning
it's a server side configuration value).
Change-Id: I64610e4b60112daec982a8cacded9b9b936c10bd
Partially-Implements: blueprint quantum-qos-api
Bunch of neutron source code files are marked as executable which is not
appropriate, this patch just 'chmod -x' to all of them.
Closes-Bug: #1468564
Change-Id: Idec4ae16501d68e044e103db24ad3be0e0751e9a
Since this option is configured in the DEFAULT section of nsx.ini,
the name of the option clashes with that in the networking_l2gw repo.
Proposal is to prefix our option with "nsx_" to avoid such interference.
Unfortunately this module was not moved to openstack/vmware-nsx
during decomposition and therefore this patch is being proposed on
the neutron repository.
Change-Id: Ib568333a5ab8ad76600beb4981d7c6047c0603a0
Partial-bug: #1480485
As a part of vendor driver decomposition,
this patch moves the remaining Arista specific
code to openstack/networking-arista
Change-Id: Ie16b5ed936b116043dea36ec967bb5ae9cdacbdf
Partial-Implements: blueprint core-vendor-decomposition
If vxlan_group is specified in CIDR notation, it is interpreted as a
range of group addresses. VXLAN VNIs are mapped to group addresses in
a many-to-one round robin fashion, or one-to-one if a large enough
range is provided. Since VNIs are 24 bits, a /8 such as 239.0.0.0/8
allows each VNI to use a unique multicast group. (239.0.0.0/8 also
happens to be the "site-local" multicast range.)
With multiple VNIs on a single multicast group, it is likely that
VTEPs will unnecessarily receive broadcast/unknown/multicast
datagrams for VNIs in which they do not participate. Using a range of
groups mitigates or eliminates this issue. It is thus an alternative
to the l2_population extension and driver for environments where both
multicast and linuxbridge are used.
The default setting is unchanged, but the comments in the ini file
suggest 239.0.0.0/8 as an alternative. Administrators are free to use
any valid multicast range that can be expressed in CIDR notation, and
should choose a size and starting address that make sense for their
environment.
DocImpact
Closes-Bug: #1477331
Change-Id: If9a3487a28ba2b02a6ef934c5421cec5d505b53c
This patch simply renames quota modules introducing two
new packages:
1) neutron.quota
2) neutron.db.quota
This paves the way for adding more quota related modules.
Unit tests paths are changed accordingly, as well as references
to moved modules.
This patch hovewer preserves the ability of importing
neutron.db.quota_db in order to avoid breaking repositories which
use neutron as a requirement.
Change-Id: I946e87f1b2ebb3e80d64aecfe58aeff9f81896f3
Related-blueprint: better-quotas
As a part of the vendor decomposition effort, the
apic ML2 driver code is removed and replaced by
its version in the openstack/networking-cisco
repo.
Change-Id: Iffb5245b4c88b65afe62dd7435ee80489a654fee
Partial-implements: blueprint core-vendor-decomposition
Metaplugin is removed in Liberty.
Remove all metaplugin related codes.
DocImpact
APIImpact
Co-Authored-By: Itsuro Oda <oda@valinux.co.jp>
Change-Id: I9cf36e1fd3a009c175e0d475af407a30f4e5c408
Closes-Bug: #1465126
Also applied the following fixes:
===
1. cleaned up some pylint failures that were not spotted before:
Module neutron.objects.qos.policy: Metaclass class method __new__ should
have 'mcs' as first argument
Module neutron.objects.qos.rule: Lambda may not be necessary
===
2. Revert "Introduce the AFTER_READ callback for ports and networks"
This reverts commit e3dba1424114575581c153e02227282e036ad0a2.
We don't use callbacks to extend resources anymore, instead relying on
ml2 extension drivers. No need for the patch to achieve QoS, and it also
breaks test_delete_subnet_with_callback that was added in master
recently.
===
3. updated requirements.txt and test-requirements.txt based on:
https://review.openstack.org/#/c/204398/
to avoid requirements gate checks failing due to incompatible
requirements comparing to global-requirements.txt
Change-Id: I744ab2d8327a428a5467f2d07d073a5f8c333520
This patch introduces API and DB plugin for flavor framework.
API adds Flavors and Service Profiles which are resources
available only for admins to operate.
This framework then should be leveraged by advanced services.
Included tempest API tests in neutron tree
Implements: blueprint neutron-flavor-framework
Change-Id: I99ba0ce520ae3d8696eca5c994777c7d5ba3d4b1
Co-Authored-By: Doug Wiegley <dougw@a10networks.com>
Co-Authored-By: Madhusudhan Kandadai <madhusudhan.kandadai@hp.com>
[qos] section is introduced with qos driver for ovs agent. Similar
manner should follow for all l2 agents using qos with different default
drivers.
Change-Id: I3c6a3711d3cd9924d55cf6d0ed84be18c993c275
This patch adds the support for basic address scope CRUD.
Subsequent patches will be added to use this address scope
on subnet pools.
DocImpact
APIImpact
Co-Authored-By: Ryan Tidwell <rktidwell85@gmail.com>
Co-Authored-By: Numan Siddique <nusiddiq@redhat.com>
Change-Id: Icabdd22577cfda0e1fbf6042e4b05b8080e54fdb
Partially-implements: blueprint address-scopes
This is cruft left from the Linux bridge monolithic plugin,
or from pre-Havana versions of the code.
Change-Id: Id7bb7d7860859283b53f588a940ca21c94fd0e6a
This patch introduces the QoS service plugin which implements
a stub of the API extension.
This is patch is a basic step to be able to create an experimental
job enabling this service so we can do api tests.
Change-Id: Ib583e98c232ca628ba2a4bd48527eb84584c6212
This patch introduces the QoS API extension, in a basic
form where we could, in combination with the service plugin
stub, start creating some experimental test jobs that install
the service plugin.
Please not that URL mapping is not fully according to spec,
neither it does include any testing. We need to work that out.
blueprint quantum-qos-api
Change-Id: I86e8048e2d9b84690dbede9a94cfc884985069c5
When troubleshooting problems with cluster it would be
very convenient to have information about agent heartbeats
logged with some searchable identifier which could create
1-to-1 mapping between events in agent's logs and server's logs.
Currently agent's heartbeats are not logged at all on server side.
Since on a large cluster that could create too much logging
(even for troubleshooting cases), it might make sense to make
this configurable both on neutron-server side and on agent-side.
DocImpact
Change-Id: I0a127ef274a84bba5de47395d47b62f48bd4be16
Closes-Bug: #1452582
This commit moves the L2 agents (Linuxbridge and OVS) into the
ML2 directory, while at the same time also moving the ML2 server
bits into toplevel directories. It also moves the configuration
files and unit tests. We also move the l2pop RPC mixin while
here as well.
DocImpact
UpgradeImpact
Partially-Implements: blueprint reference-implementation-split
Partial-Bug: #1468433
Closes-Bug: #1427317
Change-Id: If6feca7b7a6bdd6c3c6feb929fa26fb4b1f72770
Signed-off-by: Kyle Mestery <mestery@mestery.com>
These 2 configuration options are no longer be necessary.
They are marked as deprecated in this release and will be removed in the
next release.
Change-Id: I4e02a291738b16c7c9b7600f0bc9a47fb1318569
Partial-Bug: #1418079
Add the variable to enable the admin to set the DHCP lease time.
This was added in commit 7681e4c50afda18fd75fe7207352d1a26ee0755b
DocImpact
Change-Id: Ic37932c09d3b4c88363a7f1f38a687cd6e090c1f
This patch simply adds a 'policy' directory with a few json
files into ./etc/neutron/plugins/vmware to provide default
policies specific to the VMware NSX plugin family.
These policy files can be loaded leveraging the policy_dirs
configuration option.
Change-Id: Icce41a6ee63715bc145694f27a2166a7fa884dba
NeutronDebugAgent.ping_all calls ping with "-c 1 -w <number>' so
the filter should accept this order, and not only "-w .. -c ..".
Not changing the existing filter to not break other tools
that might use -w -c in that order.
Change-Id: I5b3d67dfcdc15c53ac3bf2fb39de29fd97e98a19
NSXv plugin supports distributed locking using tooz library.
This patch adds the required parameter to the ini file.
DocImpact
Depends-On: Icbcec938c1c5ae7a528350f2f283388b81fa66b7
Change-Id: I8a7c36d044c4be29b0dfa3fbb8e9379723cebd61
This reverts commit 12a564cf03e612dda36df26df8d28dfc75f1af6e.
We should re-enable this feature on a controlled basis so that we can
flush out any outstanding issue we may have.
Related-bug: #1432189
Change-Id: I2cfd93fdb032b461022b729347390ff8636ccdeb
Since most of the n1kv plugin code resides in stackforge/networking-cisco
repo, it's best to move the n1kv section there
Change-Id: Ic1388980dea0d27dfa5e84869f1f20cc9bff78e5
Closes-Bug: #1441400