1014 Commits

Author SHA1 Message Date
Jeremy Stanley
f08e9f1f53 Switch from MySQL-python to PyMySQL
As discussed in the Liberty Design Summit "Moving apps to Python 3"
cross-project workshop, the way forward in the near future is to
switch to the pure-python PyMySQL library as a default.

https://etherpad.openstack.org/p/liberty-cross-project-python3

Change-Id: I73e0fdb6eca70e7d029a40a2f6f17a7c0797a21d
2015-06-09 19:48:20 -04:00
Jenkins
250ffef9fa Merge "Decompose the NCS ML2 Mechanism Driver" 2015-06-05 21:30:30 +00:00
Elena Ezhova
8c5ef2cd6e Start linuxbridge neutron agent using a launcher
This change ports the linuxbridge neutron agent onto the common/service code
that will allow it to handle termination signals (SIGHUP, SIGTERM, SIGINT).

Note that this patch allows changing only logging options.
All other config options are not handled explicitly and changing
them using SIGHUP can lead to unpredictable circumstances.
So, until changing other options is handled it is highly recommended
to use SIGHUP for changing ONLY logging options.

DocImpact
Change-Id: I1d834e0683b04111ef04c148cbd8d4acf2964065
Closes-Bug: #1461539
2015-06-05 12:31:09 +03:00
Henry Gessau
9cac5c3a9f Decompose the NCS ML2 Mechanism Driver
The last of the Cisco drivers to decompose.

Closes-bug: #1416713
Co-Authored-By: Nikolay Fedotov <nfedotov@cisco.com>

Change-Id: Icd2b358fb0db3d859ee287225ab8eeb10d7da871
2015-06-04 07:11:10 -04:00
Jenkins
b49783edaa Merge "Update rootwrap.conf to add /usr/local/bin" 2015-06-02 15:02:22 +00:00
Gal Sagie
490bdabd4c Update rootwrap.conf to add /usr/local/bin
When working with OVN I found on Fedora 21 that
my ovs-vsctl is installed in /usr/local/bin; since this wasn't in
rootwrap, DHCP didn't work properly.
This change adds it to rootwrap.

Change-Id: Ib3646933744ca6b20ecd5ad0cedcedb4f1fa5f12
2015-06-02 05:53:24 +00:00
Pavel Bondar
bacd69386d Implement IPAM Driver loader
IPAM Driver is loaded based on value of 'ipam_driver'.
Added new variable 'ipam_driver' in config.

DocImpact
Partially-Implements: blueprint neutron-ipam

Change-Id: Ia52ad70ef4f0b02cf82cfefcf50b9f1e30b05b79
2015-06-01 20:05:19 +03:00
Rich Curran
818a797693 ML2: Incorrect commented cisco mechanism driver name
The ml2_conf.ini example for the cisco mechanism driver is incorrect.
Update to remove confusion.

Change-Id: I0d3aff31a3bc78ef5ee042ff1f37dbb6e1459635
Closes-Bug: 1459723
2015-05-28 11:38:56 -04:00
YAMAMOTO Takashi
eab71473c3 OVS-agent: Separate ovs-ofctl using code as a driver
This is a preparation to introduce another Ryu-based implementation.
The aim is to replace this with the new Ryu-based implementation
eventually.

Add a config option for OVS-agent which selects the implementation.
Currently, the only available choice is 'ovs-ofctl'.

Also, this commit simplifies the DVR logic by reducing duplication
and makes some of the DVR UTs actually check the flows rather than just
"add_flow is called".

Partially-Implements: blueprint ovs-ofctl-to-python
Change-Id: Ie1224f8a1c17268cd7d1c474ed82fdfb8852eaa8
2015-05-25 18:48:02 +09:00
Jenkins
79db200fe2 Merge "VMware NSXV: update configuration file" 2015-05-21 17:44:15 +00:00
Sripriya
86d5944fcc Fix minor errors in the Vyatta L3 Plugin:
update management_network to management_network_id in vrouter.ini
Fix copyright header to refer to Brocade in vrouter_neutron_plugin.py
Fix neutron.service_plugins brocade_vyatta_l3 entry in setup.cfg

Change-Id: Ib9eb4a825454d99607deca61ceeb7acb43a9b248
Closes-Bug: #1457235
2015-05-20 17:38:39 -07:00
Gary Kotton
fdf7107dec VMware NSXV: update configuration file
Update the configuration file to show the variables for configuring
the Edge username and password. This is very useful for administrators
when they wish to debug issues.

Change-Id: I7340b3b408a6edaf9b4b307909631e628befe921
2015-05-19 17:37:31 -07:00
Jenkins
6da51bdaa6 Merge "Deprecate quota_items, register resources upon REST initialization" 2015-05-14 20:56:54 +00:00
Moshe Levi
3488559aba mlnx MD: mlnx_direct removal
mlnx_direct has been deprecated since the Juno release. sriov-nic-switch
with a macvtap port is the replacement for it.
This patch removes the mlnx_direct from mlnx MD and
from the supported vif_types.

Closes-Bug: #1453410

Change-Id: I7ee528dc04cdafa27455d5f8fd18c04c858466d8
2015-05-12 12:44:25 +03:00
Salvatore Orlando
a6b6e5597f Deprecate quota_items, register resources upon REST initialization
Register 'core' resources when the respective rest controllers are
instantiated, rather than at module load time.

Since in this way there will not be any need to iterate over
quota_items, the option is being deprecated.

This patch does not supply unit tests as the already-existing
routine for registering a resource from quota_items is being
deprecated as well (and was not covered by any unit test beforehand).

DocImpact

Change-Id: Icdb744adfd86d38363239a454ccf04f3c6b9c158
Closes-Bug: #1453322
2015-05-11 04:03:40 -07:00
Jenkins
3d168d12c0 Merge "Add missed actions into policy.json" 2015-05-07 21:37:02 +00:00
Yushiro FURUKAWA
f1b4dfd52b Add missed actions into policy.json
This patch adds the following actions into policy.json.

  1. v2.0/fw/firewall_policies/{firewall_policy_id}/insert_rule
  2. v2.0/fw/firewall_policies/{firewall_policy_id}/remove_rule

Closes-Bug: #1439383
Change-Id: I8051a97852f0f1f21bf266c16a477a5e2fd32062
2015-05-08 07:29:04 +09:00
Jenkins
f09f88609c Merge "VMware: add in router types for NSXv" 2015-05-07 20:33:16 +00:00
Cedric Brandily
cf84ec4c10 Allow to define enable_snat default value
Currently neutron resets the enable_snat attribute to True when enable_snat
is not provided in the router's external_gateway_info. But in some deployments
(private/enterprise clouds) such behavior is not the expected default,
as snat/nat/floating-ips are not used (at least by default).

This change defines the option enable_snat_by_default, which allows
deployers to set the enable_snat default value used when neutron resets it. The
option's default value is True for backward compatibility.

DocImpact
APIImpact
Closes-Bug: #1388858
Change-Id: I455a552230ec89fe907a087c1de8c8144b5d086e
2015-05-07 00:10:50 +02:00
Gary Kotton
a5a4ebfe5a VMware: add in router types for NSXv
The configuration file was updated to include the configuration
variable for the tenant_router_types.

Change-Id: Id6d544f0d11bad3fa2fe33781a14c299f4043aff
2015-05-06 05:37:06 +00:00
Jenkins
478c3ba065 Merge "remove metadata_proxy_local filters for rootwrap" 2015-05-04 15:50:27 +00:00
Jenkins
0beb6a0fec Merge "Drop use of 'oslo' namespace package" 2015-05-01 23:30:23 +00:00
Jenkins
31819f5d8a Merge "Finally let L3 and DHCP agents cleanup namespaces by default" 2015-05-01 23:30:10 +00:00
Eugene Nikanorov
723162501a Finally let L3 and DHCP agents cleanup namespaces by default
There has been a problem with iproute package that resulted in errors
when deleting the namespaces, so deleting was turned off by default.
According to tests with iproute version 3.12.0 there is no such issue
so the option could be safely turned on by default.

DocImpact
Related-Bug: #1052535
Related-Bug: #1402739

Change-Id: I4c831f98fb2462382ef0f9216e265555186b965a
2015-05-01 14:26:40 +00:00
Romil Gupta
b65b1e6645 Updated ovsvapp_agent.ini in neutron
We have added VXLAN support for the OVSvApp L2 Agent.

References:
https://review.openstack.org/#/c/168866/
https://review.openstack.org/#/c/175148/
https://review.openstack.org/#/c/177616/

Change-Id: I8061a1280b765e71aa682711c55c469f8425dac6
2015-04-30 01:40:22 -07:00
Doug Hellmann
5281e52512 Drop use of 'oslo' namespace package
The Oslo libraries have moved all of their code out of the 'oslo'
namespace package into per-library packages. The namespace package was
retained during kilo for backwards compatibility, but will be removed by
the liberty-2 milestone. This change removes the use of the namespace
package, replacing it with the new package names.

The patches in the libraries will be put on hold until application
patches have landed, or L2, whichever comes first. At that point, new
versions of the libraries without namespace packages will be released as
a major version update.

Please merge this patch, or an equivalent, before L2 to avoid problems
with those library releases.

Blueprint: remove-namespace-packages
https://blueprints.launchpad.net/oslo-incubator/+spec/remove-namespace-packages

Change-Id: If8a132de65ba1e57ea93f98daac66816a3cefaa8
2015-04-28 22:08:39 +00:00
Jenkins
bc1dc8d288 Merge "ARP spoofing patch: Low level ebtables integration" 2015-04-24 04:58:33 +00:00
Jenkins
a5bb5f82ef Merge "Block allowed address pairs on other tenants' net" 2015-04-24 04:58:19 +00:00
Jenkins
dfcfbff4db Merge "Add block name to switch config options for MLX plug-ins." 2015-04-24 01:09:06 +00:00
Jenkins
6661dcda6b Merge "Added note about removing bridge from mappings" 2015-04-22 20:35:53 +00:00
Robert Li
3b53703320 remove metadata_proxy_local filters for rootwrap
With the dependent patch Iade8b5b09bb53018485c85f8372fb94dbc2ad2da,
/usr/local/bin is added to exec_dirs in rootwrap.conf. Therefore, these
filters are no longer needed for devstack use case.

Depends-On: Iade8b5b09bb53018485c85f8372fb94dbc2ad2da
Change-Id: I98bff3cc679dfe19315f2b9b028ff48e4296e0de
2015-04-22 09:15:03 -04:00
Édouard Thuleau
2414834ffe ARP spoofing patch: Low level ebtables integration
ARP cache poisoning is not actually prevented by the firewall
driver 'iptables_firewall'. We are adding the use of the ebtables
command - with a corresponding ebtables-driver - in order to create
Ethernet frame filtering rules, which prevent the sending of ARP
cache poisoning frames.

The complete patch is broken into a set of smaller patches for easier review.

This patch here is the first of the series and includes the low-level ebtables
integration, unit and functional tests.

Note:
    This commit is based greatly on an original, now abandoned patch,
    presented for review here:

        https://review.openstack.org/#/c/70067/

    Full spec can be found here:

        https://review.openstack.org/#/c/129090/

SecurityImpact

Change-Id: I9ef57a86b1a1c1fa4ba1a034c920f23cb40072c0
Implements: blueprint arp-spoof-patch-ebtables
Related-Bug: 1274034
Co-Authored-By: jbrendel <jbrendel@cisco.com>
2015-04-22 09:32:02 +12:00
Kevin Benton
927399c011 Block allowed address pairs on other tenants' net
Don't allow tenants to use the allowed address pairs extension
when they are attaching a port to a network that does not belong
to them.

This is done because allowed address pairs can allow things like
ARP spoofing and all tenants attached to a shared network might not
implicitly trust each other.

Change-Id: Ie6c3e8ad04103804e40f2b043202387385e62ca5
Closes-Bug: #1447242
2015-04-21 11:28:59 -07:00
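The two commits above describe the same threat from both sides: allowed address pairs deliberately let a port speak for extra addresses, and ebtables is being introduced so that ARP frames for anything else are dropped. The following is an added example, not Neutron's ebtables driver or its rule layout, that builds a per-port ebtables ARP whitelist from a port's MAC, its fixed IPs and its allowed address pairs, and simulates the resulting chain. The Port structure, the chain name and the FORWARD/INPUT hooks are this example's assumptions; `--arp-mac-src` and `--arp-ip-src` are ebtables' own ARP matches. It goes slightly beyond the commits by also accepting CIDR allowed address pairs and skipping IPv6 addresses, which ARP does not cover.

```python
"""Per-port ARP whitelist as ebtables rules (added example, not Neutron code)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class Port:
    tap: str                      # bridge-side interface (assumed naming), at most 15 chars
    mac: str                      # MAC Neutron assigned to the port
    fixed_ips: list[str]          # addresses Neutron allocated to the port
    # allowed address pairs as (ip or cidr, mac); mac None means the port's own MAC
    allowed_address_pairs: list[tuple[str, str | None]] = field(default_factory=list)


def _mac(value: str) -> str:
    mac = value.lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {value!r}")
    return mac


def arp_whitelist(port: Port) -> list[tuple[str, ipaddress.IPv4Network]]:
    """(mac, network) pairs from which ARP is legitimate on this port.

    IPv6 entries are skipped: ARP is IPv4 only, NDP would need ip6tables rules.
    """
    candidates = [(port.mac, ip) for ip in port.fixed_ips]
    candidates += [(mac or port.mac, ip) for ip, mac in port.allowed_address_pairs]
    entries = []
    for mac, ip in candidates:
        net = ipaddress.ip_network(ip, strict=False)   # "10.0.0.5" -> 10.0.0.5/32
        if net.version == 4:
            entries.append((_mac(mac), net))
    return entries


def ebtables_commands(port: Port, chain_prefix: str = "neutron-arp-") -> list[list[str]]:
    """argv lists that install the whitelist; returned for inspection, not executed."""
    chain = chain_prefix + port.tap          # 12 + 15 chars stays under ebtables' 31-char limit
    cmds = [
        ["ebtables", "-t", "filter", "-N", chain],
        ["ebtables", "-t", "filter", "-P", chain, "DROP"],   # unlisted ARP is dropped
    ]
    for mac, net in arp_whitelist(port):
        cmds.append(["ebtables", "-t", "filter", "-A", chain, "-p", "ARP",
                     "--arp-mac-src", mac, "--arp-ip-src", str(net), "-j", "ACCEPT"])
    # ARP from the VM is diverted whether it is bridged onward or delivered to the host.
    for hook in ("FORWARD", "INPUT"):
        cmds.append(["ebtables", "-t", "filter", "-A", hook, "-i", port.tap,
                     "-p", "ARP", "-j", chain])
    return cmds


def arp_would_pass(port: Port, src_mac: str, src_ip: str) -> bool:
    """Simulate the chain: first ACCEPT match wins, otherwise the DROP policy applies."""
    addr = ipaddress.ip_address(src_ip)
    wanted = src_mac.lower()
    return any(wanted == mac and addr in net for mac, net in arp_whitelist(port))


if __name__ == "__main__":
    # Constructed sample port: its own address, a VRRP-style /30 pair and a pair with a foreign MAC.
    vm = Port("tap3f1a2b", "FA:16:3E:AA:BB:CC", ["10.0.0.5", "fd00::5"],
              [("10.0.0.100/30", None), ("10.0.0.200", "fa:16:3e:11:22:33")])
    for cmd in ebtables_commands(vm):
        print(" ".join(cmd))
    print(arp_would_pass(vm, "fa:16:3e:aa:bb:cc", "10.0.0.1"))   # claiming the gateway: False
```

The chain policy carries the security decision: the ACCEPT rules only name what Neutron knows about, so a VM answering ARP for the gateway, or for another tenant's address, hits the DROP policy. This is also why the allowed-address-pairs commit refuses pairs on networks the tenant does not own: each pair becomes an ACCEPT entry here, and on a shared network that is exactly the spoofing the chain is meant to stop.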
Jenkins
c48ba4c7b0 Merge "Added config variable for External Network type in ML2" 2015-04-17 09:13:59 +00:00
Jenkins
af01974564 Merge "Revert "Add ipset element and hashsize tunables"" 2015-04-16 22:12:03 +00:00
Jenkins
68c97444ed Merge "Provide details for configuring multiple DHCP agents" 2015-04-16 13:13:39 +00:00
Aman Kumar
26b4e57858 Added config variable for External Network type in ML2
Description:
With the ML2 Plugin, every network created has segments with
provider:network_types being tenant_network_types.
When applied to external networks, the types that could be in
tenant_network_types parameter (like vxlan or gre) are not appropriate.

Implementation:
Added a new config variable 'external_network_type' in ml2_conf.ini
which contains the default network type for external networks
when no provider attributes are specified; by default it is None.

It also includes small code re-factoring/renaming of import statement.

DocImpact

Closes-Bug: #1328991

Co-Authored-By: Romil Gupta <romilg@hp.com>

Change-Id: Idbbe6bced73cfedbe0f8e7abba35f87589b1a004
2015-04-15 04:59:22 +00:00
Li Ma
8be4e4d5fc Provide details for configuring multiple DHCP agents
The help text is not very helpful for operators. This fix adds more
information about the option 'dhcp_agents_per_network'.

Change-Id: I955c1e9989a9c65b0ffdbbdca9113c795ec72fe6
Closes-Bug: #1370934
2015-04-14 18:33:16 -07:00
Jenkins
bc688115ad Merge "Enable ARP spoofing prevention by default" 2015-04-15 00:36:38 +00:00
Angela Smith
594353722c Add block name to switch config options for MLX plug-ins.
In the INI files, the switch_names option uses a dynamic
value to determine the block names for the switch options.
In order to create proper config option reference docs,
there needs to be an example block name for the switch
options.

Change-Id: Ic5bf6de02ba1b7d1bc90ee29a5a0570fb45b9956
Closes-Bug: #1442357
2015-04-13 15:15:56 -04:00
Ihar Hrachyshka
b3334eca0a Removed ml2_conf_odl.ini config file
The file is already packaged into decomposed networking-odl repo [1].

[1]: https://git.openstack.org/cgit/stackforge/networking-odl/tree/etc/neutron/plugins/ml2/ml2_conf_odl.ini

Closes-Bug: #1442615
Change-Id: Ic280454190aab4e3b881cde15a882808b652861e
2015-04-10 15:13:37 +02:00
Jenkins
483de6313f Merge "Add simple ARP spoofing protection" 2015-04-09 01:21:53 +00:00
Edgar Magana
3d1277555e Add missing config parameters in neutron.conf
Include all missing configuration parameters already
integrated in Neutron code.

Change-Id: Iefa344a2f9ec2c74f6314e7c783ff3b213d76ea3
Closes-bug: #1438329
2015-04-08 10:40:30 -07:00
Jenkins
4543a4cefa Merge "Add ipset element and hashsize tunables" 2015-04-08 15:57:10 +00:00
Jenkins
7f143e75ee Merge "Stop using deprecated DEFAULT group for lock_path" 2015-04-07 18:38:52 +00:00
Brian Haley
b5b919a7a3 Add ipset element and hashsize tunables
Recently, these messages have been noticed both in tempest
logs and in syslog as reported by downstream users:

  Set IPv4915d358d-2c5b-43b5-9862 is full, maxelem 65536 reached

So the default of 64K is not sufficient.

This change adds two config options to control both the number
of elements as well as the hashsize, since they should be
tuned together for best performance.  Slightly different
formats were required for 'ipset create' and 'ipset restore'.

The default values for these are now set to 131072 (maxelem) and
2048 (hashsize), which is an increase over their typical default values
of 65536/1024 (respectively), in order to fix the errors seen in
the tempest tests.

DocImpact

Change-Id: Ic0b5b38a840e737dc6be938230f4052974c8620f
Closes-bug: #1439817
2015-04-06 15:33:01 -04:00
Cedric Brandily
80bea7a386 Allow metadata proxy running with nobody user/group
Currently the metadata proxy cannot run with the nobody user/group, as the metadata
proxy needs to connect to metadata_proxy_socket when queried.

This change allows running the metadata proxy with the nobody user/group by
allowing the metadata_proxy_socket mode to be chosen with the new option
metadata_proxy_socket_mode (4 choices) in order to adapt socket
permissions to the metadata proxy user/group.

This change also refactors where options are defined to enable the
metadata_proxy_user/group options in the metadata agent.

In practice:
* if metadata_proxy_user is the agent's effective user or root, then:
  * the metadata proxy is allowed to use rootwrap (insecure)
  * set metadata_proxy_socket_mode = user (0o644)
* else if metadata_proxy_group is the agent's effective group, then:
  * the metadata proxy is not allowed to use rootwrap (secure)
  * set metadata_proxy_socket_mode = group (0o664)
  * set metadata_proxy_log_watch = false
* else:
  * the metadata proxy has the lowest permissions (most secure) but the metadata proxy
    socket can be opened by everyone
  * set metadata_proxy_socket_mode = all (0o666)
  * set metadata_proxy_log_watch = false

An alternative is to set metadata_proxy_socket_mode = deduce, in which
case the metadata agent uses the previous rules to choose the correct mode.

DocImpact
Closes-Bug: #1427228
Change-Id: I235a0cc4f0cbd55ae4ec1570daf2ebbb6a72441d
2015-04-06 18:31:37 +02:00
Jenkins
3f45031d68 Merge "Allow metadata proxy to log with nobody user/group" 2015-04-02 11:39:27 +00:00
Jenkins
029bd0b95a Merge "Implement default subnet pool configuration settings" 2015-04-01 21:54:03 +00:00
Cedric Brandily
fbc2278414 Allow metadata proxy to log with nobody user/group
Currently the metadata proxy cannot run with the nobody user/group, as the
metadata proxy (like other services) uses the WatchedFileHandler handler to
log to a file, which does not support dropping permissions (the process must
be able to r/w after the permissions drop to "watch" the file).

This change allows enabling/disabling log watch in metadata proxies with
the new option metadata_proxy_log_watch. It should be disabled when
metadata_proxy_user/group is not allowed to read/write the metadata proxy
log files. The option's default value is deduced from metadata_proxy_user:

* True if metadata_proxy_user is the agent's effective user id/name,
* False otherwise.

When log watch is disabled and logrotate is enabled on the metadata proxy
log files, the 'copytruncate' logrotate option must be used, otherwise
metadata proxy logs will be lost after the first log rotation.

DocImpact
Change-Id: I40a7bd82a2c60d9198312fdb52e3010c60db3511
Partial-Bug: #1427228
2015-04-01 22:41:07 +02:00
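The socket-mode rules in the "Allow metadata proxy running with nobody user/group" commit and the log-watch default in the commit above are one decision: what the proxy process can still read, write and connect to after it drops privileges. The following is an added example, not the metadata agent's own code, that applies those rules and then binds a unix socket with the resulting mode so the effect on who may connect is visible (connecting to a unix socket requires write permission on the socket file). The option names and the three modes are the ones the commits introduce; the function names, the ProxyPolicy structure, the numeric-id shortcut and the temp-directory demo are this example's assumptions.

```python
"""Deduce metadata proxy socket mode and log watch from the drop-to user/group.

Added example, not Neutron's metadata agent.
"""
from __future__ import annotations

import grp
import os
import pwd
import socket
import stat
import tempfile
from dataclasses import dataclass

# Connecting to a unix socket needs write permission on the socket file, so
# the mode decides who may reach the proxy at all.
SOCKET_MODES = {"user": 0o644, "group": 0o664, "all": 0o666}


def _uid(user: str | int) -> int:
    # Accept numeric ids directly so the logic can be exercised without a user database.
    return int(user) if str(user).isdigit() else pwd.getpwnam(str(user)).pw_uid


def _gid(group: str | int) -> int:
    return int(group) if str(group).isdigit() else grp.getgrnam(str(group)).gr_gid


@dataclass(frozen=True)
class ProxyPolicy:
    socket_mode: str     # value for metadata_proxy_socket_mode: user / group / all
    log_watch: bool      # value for metadata_proxy_log_watch
    rootwrap_ok: bool    # whether the proxy keeps the privileges rootwrap relies on


def deduce_policy(proxy_user: str | int, proxy_group: str | int,
                  agent_uid: int | None = None, agent_gid: int | None = None) -> ProxyPolicy:
    """The rules the commit lists, taking the agent's effective ids as the reference."""
    agent_uid = os.geteuid() if agent_uid is None else agent_uid
    agent_gid = os.getegid() if agent_gid is None else agent_gid
    uid, gid = _uid(proxy_user), _gid(proxy_group)
    if uid in (agent_uid, 0):
        # Same identity as the agent (or root): can write its log and call rootwrap.
        return ProxyPolicy("user", log_watch=True, rootwrap_ok=True)
    if gid == agent_gid:
        # Only the group is shared: socket must be group-writable, log cannot be watched.
        return ProxyPolicy("group", log_watch=False, rootwrap_ok=False)
    # Unrelated user such as nobody: least privilege, but anyone can open the socket.
    return ProxyPolicy("all", log_watch=False, rootwrap_ok=False)


def effective_socket_mode(configured: str, policy: ProxyPolicy) -> str:
    """'deduce' defers to the policy; an explicit mode is taken as-is."""
    if configured == "deduce":
        return policy.socket_mode
    if configured not in SOCKET_MODES:
        raise ValueError(f"unknown metadata_proxy_socket_mode: {configured!r}")
    return configured


def bind_metadata_socket(path: str, mode: str) -> int:
    """Bind a unix socket at path with the mode's bits; return the bits actually applied."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)          # no window in which the socket is world-accessible
    try:
        sock.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, SOCKET_MODES[mode])   # then widen only as far as the policy needs
    sock.listen(1)
    sock.close()                         # the socket file stays on disk until unlinked
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_modes() -> dict[str, int]:
    """Bind one socket per mode in a scratch directory and report the applied bits."""
    applied = {}
    with tempfile.TemporaryDirectory() as tmp:
        for mode in SOCKET_MODES:
            applied[mode] = bind_metadata_socket(os.path.join(tmp, f"metadata_proxy_{mode}"), mode)
    return applied


if __name__ == "__main__":
    policy = deduce_policy(65534, 65534)   # nobody on most distributions, relative to this process
    print(policy, effective_socket_mode("deduce", policy))
    print({m: oct(bits) for m, bits in demo_modes().items()})
```

The umask-then-chmod order matters: bind() creates the file with the umask applied, so it never exists with broader permissions than the policy eventually grants. Note the trade-off the commit spells out: running as nobody is the least privileged choice for the proxy process itself, but it forces mode "all", so any local user can connect to the socket.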