1014 Commits

Author SHA1 Message Date
Kevin Benton
4595899f7f Neutron RBAC API and network support
This adds the new API endpoint to create, update, and delete
role-based access control entries. These entries enable tenants
to grant access to other tenants to perform an action on an object
they do not own.

This was previously done using a single 'shared' flag; however, this
was too coarse because an object would either be private to a tenant
or it would be shared with every tenant.

In addition to introducing the API, this patch also adds support
for the new entries in Neutron networks. This means tenants can now
share their networks with specific tenants as long as they know the
tenant ID.

This feature is backwards-compatible with the previous 'shared'
attribute in the API. So if a deployer doesn't want this new feature
enabled, all of the RBAC operations can be blocked in policy.json and
networks can still be globally shared in the legacy manner.

Even though this feature is referred to as role-based access control,
this first version only supports sharing networks with specific
tenant IDs because Neutron currently doesn't have integration with
Keystone to handle changes in a tenant's roles/groups/etc.

DocImpact
APIImpact

Change-Id: Ib90e2a931df068f417faf26e9c3780dc3c468867
Partially-Implements: blueprint rbac-networks
2015-08-20 20:00:17 -07:00
Jenkins
194489b0f4 Merge "Final decomposition of ML2 Cisco UCSM driver" 2015-08-20 04:42:41 +00:00
Sandhya Dasu
d91cd8dc1a Final decomposition of ML2 Cisco UCSM driver
The ML2 Cisco UCSM driver's entry point is being switched to the
networking-cisco vendor repo. The definition of the driver's db
file and all references to it in the neutron branch are removed.

Change-Id: I75eb165f3bb78d31bece26762ca0ff47cab2b79b
Implements: blueprint: core-vendor-decomposition
Closes-bug: #1484165
2015-08-19 11:32:03 -04:00
Miguel Angel Ajo
6d6980903c Fix tenant access to qos policies
Fix policy.json to not allow tenants to create policies or rules
by default and allow tenants to attach ports and networks to policies;
please note that policy access is checked in the QoSPolicy neutron
object in such a case.

Closes-Bug: #1485858

Change-Id: Ide1cd30979f99612fe89dddf3dc0e029d3f4d34a
2015-08-19 04:58:41 +00:00
Ihar Hrachyshka
70727ba781 Merge remote-tracking branch 'origin/feature/qos' into merge-branch
Note to reviewers: gerrit diff for merge patches is very limited, and
leaving comments in global section won't scale, so please comment here:

https://etherpad.openstack.org/p/qos-merge-back-review

This merge commit introduces QoS feature into Liberty release of
Neutron.

The feature is documented in: doc/source/devref/quality_of_service.rst
included with the merge patch.

It includes:

- QoS API service plugin with QoS policy and QoS bandwidth limit
  (egress) rule support;
- core plugin mechanism to determine supported rule types, with its ML2
  implementation;
- new agent extension manager;
- QoS agent extension with pluggable backend QoS drivers (Open vSwitch
  and SR-IOV support is included).

To extend network and port core resources with qos_policy_id attribute,
a new ML2 extension driver (qos) was introduced that relies on the QoS
core resource extension (the idea is that eventually we'll get a core
resource extension manager that can be directly reused by core plugins).

Agent-server interaction is based on:

- get_device_details() method that is extended with qos_policy_id;
- a new push/pull mechanism that allows agents and servers to
  communicate using oslo.versionedobjects based objects sent on the
  wire.

The merge includes the following types of test coverage:

- unit tests;
- functional tests for OVS agent, QoS agent extension, and low level
  ovs_lib changes;
- API tests to cover port/network qos_policy_id attribute and new QoS
  resources.

The client changes can be found at:

* https://review.openstack.org/189655
* https://review.openstack.org/198277

The team also prepared fullstack test but it needs to wait for client
merge before it can pass in the gate:

* https://review.openstack.org/202492

Gerrit does not show diff for merge changes that did not result in any
conflict, so to facilitate review, rely on the following steps:

- fetch the patch locally
- git fetch origin
- git diff origin/master...

This merge also disables qos extension API tests until the service is
enabled in master gate.

Local changes apart from conflicts:
- updated down_revision for qos migration to reflect master expand head;
- disabled qos API tests with gate_hook.sh until we have it enabled in
  master gate;
- bumped oslo.versionedobjects requirement to reflect what is in
  openstack/requirements' global-requirements.txt

DocImpact
APIImpact
Partially-Implements: blueprint quantum-qos-api
Partially-Implements: blueprint ml2-qos
Partially-Implements: blueprint ml2-qos-ovs-bwlimiting
Partially-Implements: blueprint ml2-sriov-qos-with-bwlimiting
Change-Id: I92916d0e391791187e9a25ff172fb4b3504857b1
2015-08-17 15:16:55 +02:00
Jenkins
bd7e6d267c Merge "Remove vmware plugin from neutron (etc part)" 2015-08-15 18:03:52 +00:00
Shih-Hao Li
0b19a1ef55 Remove vmware plugin from neutron (etc part)
Remove neutron:/etc/neutron/plugins/vmware/ because
it has been moved to vmware-nsx:/vmware_nsx/etc/
in commit# b27bc1942195ff551cd22ddaf6853a25302cbb7e.

This is the first part of vmware plugin decomposition
(etc, extensions, and database).

Partial-bug: #1483453
Change-Id: Ic6fe5e256369a1b6aabdaadf019989f0e6a6e444
2015-08-13 13:22:33 -07:00
John Schwarz
98618644ce Add configurable options for HA networks
The L3 HA mechanism creates a project network for HA (VRRP) traffic
among routers. The HA project network uses the first (default) network
type in 'tenant_network_types'. Depending on the environment, this
combination may not provide a desirable path for HA traffic. For
example, some operators may prefer to use a specific network for HA
traffic to prevent split-brain issues.

This patch adds configurable options that target the network_type and
the physical_network of the created HA network.

Doc-Impact
Closes-Bug: #1481443
Change-Id: I3527a780179b5982d6e0eb0b8c32d6dafeeab730
2015-08-13 16:02:19 +03:00
Ihar Hrachyshka
ca0d7bce21 Removed configuration option for qos agent driver selection
There is no (general) use case to allow users to configure qos driver to
load by qos l2 agent extension. So instead of getting the driver name
from the configuration file, hardcode it and potentially reuse for other
extensions that may also be interested in splitting extension into
agent agnostic and agent specific pieces.

Added driver_type parameter to AgentCoreResourceExtension.initialize().
Also updated the method signature to reflect that we expect l2
extensions to receive connection.

Finally, removed #noqa import for openvswitch.common.config from qos
extension unit test since it seems unneeded.

Change-Id: Iae4dcc20c967d1da216772a3a3660e0421263527
Partially-Implements: quantum-qos-api
2015-08-10 18:08:16 +02:00
YAMAMOTO Takashi
3cb75c4dd7 Remove a few obsolete options from midonet.ini example
Relevant change:
    0ee831b5e8

Change-Id: Ib437209d026fc83b7885101d3813ffae29f8b240
2015-08-07 14:06:20 +09:00
Jenkins
453d20996b Merge "NSX: Rename default_interface_name option" 2015-08-06 21:22:55 +00:00
Ihar Hrachyshka
cc0ae6dd49 Merge remote-tracking branch 'origin/feature/qos' into merge-branch
Change-Id: I683102e617202e0ffc953a0d3cc179879f8faf82
2015-08-05 17:15:40 +02:00
Jenkins
6ee7b12d94 Merge "Add DNS and DHCP log into dhcp agent" 2015-08-04 04:08:09 +00:00
Jenkins
d031411b55 Merge "L2 agent extension manager: read extensions list from config file" into feature/qos 2015-08-03 22:40:49 +00:00
Jenkins
0ce542ff00 Merge "Extend vxlan_group option to allow a range of group addresses" 2015-08-03 20:37:01 +00:00
changzhi
e79d602e38 Add DNS and DHCP log into dhcp agent
Enable setting the DNS and DHCP log of dnsmasq for the dhcp agent.
Add a new configuration named 'dnsmasq_base_log_dir'
in dhcp_agent.ini.

This entry should be a path of log file. It should look
like this:

    dnsmasq_base_log_dir=/tmp

And the DNS and DHCP log will be written into the file
"/tmp/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/dhcp_dns_log".
The dir path will be created if the given path doesn't exist.

DocImpact

Closes-Bug: #1475636
Change-Id: I87be346ec5059eaa8a29f48fe53933af82d1b155
2015-08-03 16:10:20 +08:00
Ihar Hrachyshka
336a547aad L2 agent extension manager: read extensions list from config file
This effectively disables qos extension in the OVS agent, but we don't
rely on it in any functional or fullstack tests so far.

To enable the extension, a user should add:

[agent]
extensions = qos

to their openvswitch_agent.ini file.

DocImpact
Partially-Implements: blueprint quantum-qos-api
Change-Id: Icfbf32c36f98cc6e203841b152c7f6fc4f48c20a
2015-08-02 22:38:58 +02:00
Ihar Hrachyshka
f80aa722a6 Added missing [qos] section into neutron.conf
Also renamed service_notification_drivers into notification_drivers
since it's clear where it belongs anyway (it's in neutron.conf meaning
it's a server side configuration value).

Change-Id: I64610e4b60112daec982a8cacded9b9b936c10bd
Partially-Implements: blueprint quantum-qos-api
2015-08-01 22:19:07 +02:00
Qiaowei Ren
78ff49ecf9 Remove unnecessary executable permission
A bunch of neutron source code files are marked as executable, which is not
appropriate; this patch just applies 'chmod -x' to all of them.

Closes-Bug: #1468564

Change-Id: Idec4ae16501d68e044e103db24ad3be0e0751e9a
2015-08-01 05:16:32 +00:00
Abhishek Raut
e4896b30e6 NSX: Rename default_interface_name option
Since this option is configured in the DEFAULT section of nsx.ini,
the name of the option clashes with that in the networking_l2gw repo.
Proposal is to prefix our option with "nsx_" to avoid such interference.
Unfortunately this module was not moved to openstack/vmware-nsx
during decomposition and therefore this patch is being proposed on
the neutron repository.

Change-Id: Ib568333a5ab8ad76600beb4981d7c6047c0603a0
Partial-bug: #1480485
2015-07-31 15:11:37 -07:00
Sukhdev Kapur
50eb8041bd Arista Drivers decomposition part II
As a part of vendor driver decomposition,
this patch moves the remaining Arista specific
code to openstack/networking-arista

Change-Id: Ie16b5ed936b116043dea36ec967bb5ae9cdacbdf
Partial-Implements: blueprint core-vendor-decomposition
2015-07-31 12:38:40 -07:00
John Nielsen
e34e67b8e6 Extend vxlan_group option to allow a range of group addresses
If vxlan_group is specified in CIDR notation, it is interpreted as a
range of group addresses. VXLAN VNIs are mapped to group addresses in
a many-to-one round robin fashion, or one-to-one if a large enough
range is provided. Since VNIs are 24 bits, a /8 such as 239.0.0.0/8
allows each VNI to use a unique multicast group. (239.0.0.0/8 also
happens to be the "site-local" multicast range.)

With multiple VNIs on a single multicast group, it is likely that
VTEPs will unnecessarily receive broadcast/unknown/multicast
datagrams for VNIs in which they do not participate. Using a range of
groups mitigates or eliminates this issue. It is thus an alternative
to the l2_population extension and driver for environments where both
multicast and linuxbridge are used.

The default setting is unchanged, but the comments in the ini file
suggest 239.0.0.0/8 as an alternative. Administrators are free to use
any valid multicast range that can be expressed in CIDR notation, and
should choose a size and starting address that make sense for their
environment.

DocImpact
Closes-Bug: #1477331
Change-Id: If9a3487a28ba2b02a6ef934c5421cec5d505b53c
2015-07-28 18:28:14 -06:00
Salvatore Orlando
1663f5c197 Create packages for quota modules
This patch simply renames quota modules introducing two
new packages:
1) neutron.quota
2) neutron.db.quota

This paves the way for adding more quota related modules.
Unit tests paths are changed accordingly, as well as references
to moved modules.
This patch however preserves the ability of importing
neutron.db.quota_db in order to avoid breaking repositories which
use neutron as a requirement.

Change-Id: I946e87f1b2ebb3e80d64aecfe58aeff9f81896f3
Related-blueprint: better-quotas
2015-07-28 11:55:01 -07:00
Ivar Lazzaro
e0ba53a09a Decompose Apic ML2 mechanism driver
As a part of the vendor decomposition effort, the
apic ML2 driver code is removed and replaced by
its version in the openstack/networking-cisco
repo.

Change-Id: Iffb5245b4c88b65afe62dd7435ee80489a654fee
Partial-implements: blueprint core-vendor-decomposition
2015-07-24 19:32:49 +00:00
Ihar Hrachyshka
fcc5d5bcf7 Merge remote-tracking branch 'origin/feature/qos' into merge-branch
Change-Id: I1c1fd593235fda1cdd053980f50eff21ca9011b6
2015-07-24 14:24:10 +02:00
Jenkins
95f8831344 Merge "Fix a property comment in metadata_agent files" 2015-07-24 08:17:36 +00:00
Hirofumi Ichihara
6ff8582896 Metaplugin removal
Metaplugin is removed in Liberty.
Remove all metaplugin related code.

DocImpact
APIImpact

Co-Authored-By: Itsuro Oda <oda@valinux.co.jp>
Change-Id: I9cf36e1fd3a009c175e0d475af407a30f4e5c408
Closes-Bug: #1465126
2015-07-23 19:05:05 +09:00
Ihar Hrachyshka
d3708de0cb Merge remote-tracking branch 'origin/feature/qos' into merge-branch
Also applied the following fixes:

===

1. cleaned up some pylint failures that were not spotted before:

Module neutron.objects.qos.policy: Metaclass class method __new__ should
have 'mcs' as first argument

Module neutron.objects.qos.rule: Lambda may not be necessary

===

2. Revert "Introduce the AFTER_READ callback for ports and networks"

This reverts commit e3dba1424114575581c153e02227282e036ad0a2.

We don't use callbacks to extend resources anymore, instead relying on
ml2 extension drivers. No need for the patch to achieve QoS, and it also
breaks test_delete_subnet_with_callback that was added in master
recently.

===

3. updated requirements.txt and test-requirements.txt based on:

https://review.openstack.org/#/c/204398/

to avoid requirements gate checks failing due to incompatible
requirements compared to global-requirements.txt

Change-Id: I744ab2d8327a428a5467f2d07d073a5f8c333520
2015-07-23 11:48:57 +02:00
Bertrand Lallau
b70bf5c1fe Fix a property comment in metadata_agent files
Metadata Proxy UNIX domain socket mode allows 4 values not 3.

Change-Id: I83787856acda48608e1f0997329a92876afed613
2015-07-23 11:20:01 +02:00
Eugene Nikanorov
e0eed14a1e Flavor Framework implementation
This patch introduces API and DB plugin for flavor framework.
API adds Flavors and Service Profiles which are resources
available only for admins to operate.

This framework then should be leveraged by advanced services.

Included tempest API tests in neutron tree

Implements: blueprint neutron-flavor-framework
Change-Id: I99ba0ce520ae3d8696eca5c994777c7d5ba3d4b1
Co-Authored-By: Doug Wiegley <dougw@a10networks.com>
Co-Authored-By: Madhusudhan Kandadai <madhusudhan.kandadai@hp.com>
2015-07-16 09:07:41 -07:00
Jakub Libosvar
a1c05891a5 Add qos section to ovs agent config
[qos] section is introduced with qos driver for ovs agent. Similar
manner should follow for all l2 agents using qos with different default
drivers.

Change-Id: I3c6a3711d3cd9924d55cf6d0ed84be18c993c275
2015-07-15 19:16:35 +02:00
Ihar Hrachyshka
2fed2617cd Merge remote-tracking branch 'origin/feature/qos' into merge-branch
Change-Id: I7f2342d62634f5b4af3a083cc1aaff46efe28519
2015-07-07 16:01:17 +02:00
Jenkins
211c035577 Merge "Add policy files specific to NSX plugins" 2015-07-05 17:45:24 +00:00
Jenkins
32eda8628c Merge "Remove unused linux bridge agent configuration options" 2015-07-03 03:04:49 +00:00
vikram.choudhary
cbd95318ad Support Basic Address Scope CRUD as extensions
This patch adds the support for basic address scope CRUD.
Subsequent patches will be added to use this address scope
on subnet pools.

DocImpact
APIImpact

Co-Authored-By: Ryan Tidwell <rktidwell85@gmail.com>
Co-Authored-By: Numan Siddique <nusiddiq@redhat.com>
Change-Id: Icabdd22577cfda0e1fbf6042e4b05b8080e54fdb
Partially-implements:  blueprint address-scopes
2015-07-02 13:49:06 +05:30
Kyle Mestery
d7e60d59a3 Merge remote-tracking branch 'origin/master' into merge-branch
Change-Id: I7bd5d0568e773365eaab1ebd99dcd7186da22dae
2015-07-01 21:55:54 +00:00
Assaf Muller
abb7124a51 Remove unused linux bridge agent configuration options
This is cruft left from the Linux bridge monolithic plugin,
or from pre-Havana versions of the code.

Change-Id: Id7bb7d7860859283b53f588a940ca21c94fd0e6a
2015-07-01 10:38:34 -04:00
Jenkins
d7cb7e0533 Merge "NSXv: update ini file to support dhcp_lease_time" 2015-07-01 07:17:54 +00:00
Miguel Angel Ajo
2ff19be1db QoS service plugin stub
This patch introduces the QoS service plugin which implements
a stub of the API extension.

This patch is a basic step to be able to create an experimental
job enabling this service so we can do api tests.

Change-Id: Ib583e98c232ca628ba2a4bd48527eb84584c6212
2015-06-29 17:51:10 +03:00
Miguel Angel Ajo
96d1cb1ae2 Create the QoS API extension stub
This patch introduces the QoS API extension, in a basic
form where we could, in combination with the service plugin
stub, start creating some experimental test jobs that install
the service plugin.

Please note that URL mapping is not fully according to spec,
nor does it include any testing. We need to work that out.

blueprint quantum-qos-api
Change-Id: I86e8048e2d9b84690dbede9a94cfc884985069c5
2015-06-29 17:50:43 +03:00
Eugene Nikanorov
e50e1a2369 Add logging of agent heartbeats
When troubleshooting problems with cluster it would be
very convenient to have information about agent heartbeats
logged with some searchable identifier which could create
1-to-1 mapping between events in agent's logs and server's logs.

Currently agent's heartbeats are not logged at all on server side.
Since on a large cluster that could create too much logging
(even for troubleshooting cases), it might make sense to make
this configurable both on neutron-server side and on agent-side.

DocImpact

Change-Id: I0a127ef274a84bba5de47395d47b62f48bd4be16
Closes-Bug: #1452582
2015-06-29 05:40:26 +04:00
Kyle Mestery
724c78071d Restructure agent code in preparation for decomp
This commit moves the L2 agents (Linuxbridge and OVS) into the
ML2 directory, while at the same time also moving the ML2 server
bits into toplevel directories. It also moves the configuration
files and unit tests. We also move the l2pop RPC mixin while
here as well.

DocImpact
UpgradeImpact

Partially-Implements: blueprint reference-implementation-split
Partial-Bug: #1468433
Closes-Bug: #1427317
Change-Id: If6feca7b7a6bdd6c3c6feb929fa26fb4b1f72770
Signed-off-by: Kyle Mestery <mestery@mestery.com>
2015-06-26 15:06:49 +00:00
Anthony Chow
830e911481 Deprecate "router_delete_namespaces" and "dhcp_delete_namespaces"
These 2 configuration options are no longer necessary.

They are marked as deprecated in this release and will be removed in the
next release.

Change-Id: I4e02a291738b16c7c9b7600f0bc9a47fb1318569
Partial-Bug: #1418079
2015-06-24 06:51:58 -07:00
Gary Kotton
0eb44ca1f2 NSXv: update ini file to support dhcp_lease_time
Add the variable to enable the admin to set the DHCP lease time.

This was added in commit 7681e4c50afda18fd75fe7207352d1a26ee0755b

DocImpact

Change-Id: Ic37932c09d3b4c88363a7f1f38a687cd6e090c1f
2015-06-23 11:35:22 +03:00
Jenkins
4d734cbbcd Merge "VMWare NSXv: Add distributed URL locking to ini" 2015-06-23 08:09:03 +00:00
Salvatore Orlando
a391178c21 Add policy files specific to NSX plugins
This patch simply adds a 'policy' directory with a few json
files into ./etc/neutron/plugins/vmware to provide default
policies specific to the VMware NSX plugin family.

These policy files can be loaded leveraging the policy_dirs
configuration option.

Change-Id: Icce41a6ee63715bc145694f27a2166a7fa884dba
2015-06-17 04:36:02 -07:00
Thomas Morin
7a73776811 fix rootwrap debug filter for ping all
NeutronDebugAgent.ping_all calls ping with "-c 1 -w <number>" so
the filter should accept this order, and not only "-w .. -c ..".

Not changing the existing filter to not break other tools
that might use -w -c in that order.

Change-Id: I5b3d67dfcdc15c53ac3bf2fb39de29fd97e98a19
2015-06-17 12:15:41 +02:00
Kobi Samoray
1710f7c72f VMWare NSXv: Add distributed URL locking to ini
NSXv plugin supports distributed locking using tooz library.
This patch adds the required parameter to the ini file.

DocImpact

Depends-On: Icbcec938c1c5ae7a528350f2f283388b81fa66b7
Change-Id: I8a7c36d044c4be29b0dfa3fbb8e9379723cebd61
2015-06-14 17:22:31 +03:00
armando-migliaccio
ba2c44ef00 Revert "Revert "Set default of api_workers to number of CPUs""
This reverts commit 12a564cf03e612dda36df26df8d28dfc75f1af6e.

We should re-enable this feature on a controlled basis so that we can
flush out any outstanding issue we may have.

Related-bug: #1432189

Change-Id: I2cfd93fdb032b461022b729347390ff8636ccdeb
2015-06-12 16:43:27 +00:00
Saksham Varma
c34ce7c984 Moving out the cisco n1kv section to stackforge
Since most of the n1kv plugin code resides in stackforge/networking-cisco
repo, it's best to move the n1kv section there

Change-Id: Ic1388980dea0d27dfa5e84869f1f20cc9bff78e5
Closes-Bug: #1441400
2015-06-10 11:07:08 -07:00