483 Commits

Author SHA1 Message Date
Rodolfo Alonso Hernandez
6ec7ba8695 Add radvd_user config option
In some deployments, the "neutron" user does not have the permissions
to modify the kernel interfaces. In those cases the radvd user should
be defined. This patch introduces a new config option: "radvd_user".

This config option is the username passed to radvd, used to drop root
privileges and change user ID to username and group ID to the primary
group of username. If no user is specified (the default is an empty string),
the user executing the L3 agent will be passed. If "root" is specified,
because radvd is spawned as root, no "username" parameter will be
passed.

Change-Id: Ie9a6fbf04d453a3c1c0bddf9ecaa3d4d6467e8ff
Closes-Bug: #1844688
(cherry picked from commit 6a5a75d5a6d4af08310774cef1b091d2ce2551d4)
2019-10-25 08:14:45 +00:00
Harald Jensås
a59bc98edd fixed_configured=True when Add/Remove port IPs
When updating a port with the fixed_ips request the
fixed_configured argument should be set to true when
calling _ipam_get_subnets() so that all subnets are
returned if host is not set.

Otherwise the ip allocation will be deferred and an
empty list of possible subnets for the port is
returned. Which in turn led to raising an error that
the network requires subnets to allocate an IP
address.

Closes-Bug: #1844124
Change-Id: I2e690ea0cf5fa0614e39be2b0e83afad3daa7f48
(cherry picked from commit def8e95aad1e4588c369d537ee66234245eefdf6)
2019-10-09 09:36:26 +00:00
Zuul
9fdac1e887 Merge "train release notes: Do not use prelude" 2019-09-25 10:29:25 +00:00
Akihiro Motoki
ae3de39544 train release notes: Do not use prelude
The prelude section is usually used for release highlights.
As of now, the prelude section has only one entry on SmartNIC
support, but it is not necessarily the most important topic.
It is already covered by "features" section, so it looks natural
to drop it from the prelude section.

Change-Id: Ibfe773f93ee5d805dcad27938209275197dadadb
2019-09-25 04:43:43 +09:00
Bence Romsics
b3eda71638 Release note for API extension: extraroute-atomic
Change-Id: Idb1be0ed3ca65aecb0d59d0b8644213774959807
Partial-Bug: #1826396 (rfe)
Related-Change: https://review.opendev.org/655680 (spec)
2019-09-24 16:35:48 +02:00
Zuul
a63f344748 Merge "Remove Neutron LBaaS" 2019-09-24 03:40:39 +00:00
Michael Johnson
d1d0a04c37 Remove Neutron LBaaS
Neutron-LBaaS has now been retired and there will be no Train
release[1]. This patch removes neutron-lbaas references from
neutron.

[1] https://review.opendev.org/658494

Closes-Bug: #1833125
Change-Id: I0fe3fbaf4adf7fb104632fd94cd093e701e12289
2019-09-20 07:46:06 +00:00
Harald Jensås
2c095811af L3 Conntrack Helper - Release Note
The releasenote for the L3 Conntrack helper extension.

Related-Bug: #1823633
Change-Id: I4fe429f7fd938f428fa80d2d51deb755c9c59c91
2019-09-16 09:10:23 +00:00
Mark Goddard
fea2d9091f Create _mech_context before delete to avoid race
When a network is deleted, precommit handlers are notified prior to the
deletion of the network from the database. One handler exists in the ML2
plugin - _network_delete_precommit_handler. This handler queries the
database for the current state of the network and uses it to create a
NetworkContext which it saves under context._mech_context. When the
postcommit handler _network_delete_after_delete_handler is triggered
later, it passes the saved context._mech_context to mechanism drivers.

A problem can occur with provider networks since the segments service
also registers a precommit handler - _delete_segments_for_network. Both
precommit handlers use the default priority, so the order in which they
are called is random, and determined by dict ordering. If the segment
precommit handler executes first, it will delete the segments associated
with the network. When the ML2 plugin precommit handler runs it then
sees no segments for the network and sets the provider attributes of the
network in the NetworkContext to None.

A mechanism driver that is passed a NetworkContext without provider
attributes in its delete_network_postcommit method will not have the
information to perform the necessary actions.  In the case of the
networking-generic-switch mechanism driver where this was observed, this
resulted in the driver ignoring the event, because the network did not
look like a VLAN.

This change uses a priority of zero for ML2 network delete precommit
handler, to ensure they query the network and store the NetworkContext
before the segments service has a chance to delete segments.

A similar change has been made for subnets, both to keep the pattern
consistent and avoid any similar issues.

Change-Id: I6482223ed2a479de4f5ef4cef056c311c0281408
Closes-Bug: #1841967
Depends-On: https://review.opendev.org/680001
2019-09-10 05:46:26 +00:00
LIU Yulong
aa58542e82 Add VLAN type conntrack direct flow
For vlan type network, we add a segment match flow
to the openflow security group ingress table. Then
the packets will be recorded in conntrack table, and
the reply packets can be processed properly.

Change-Id: Ieded0654d0ad16235ec923b822dcd842bd7735e5
Closes-Bug: #1831534
2019-08-27 23:43:52 +08:00
LIU Yulong
8f057fb49a DVR: Ignore DHCP port during DVR host query
For large scale deployment, the dvr router will be installed to
the scheduled DHCP host. This will definitely increase the l3
agent service pressure, especially in large number of concurrent
updates, creation, or agent restart.

This patch adds a config ``host_dvr_for_dhcp`` for the DHCP port
device_owner filter during DVR host query. Then if we set
``host_dvr_for_dhcp = False``, L3-agent will not host the DVR router
namespace in its connected networks' DHCP agent hosts.

Closes-Bug: #1609217
Change-Id: I53e20be9b306bf9d3b34ec6a31e3afabd5a0fd6f
2019-08-21 05:35:19 +00:00
Zuul
0cde163967 Merge "Remove 'gateway_external_network_id' config option" 2019-08-05 12:40:08 +00:00
Ryan Tidwell
32182010c2 Relax subnet pool network affinity constraints
This change relaxes the constraint that all subnets of the same
address family on a network must be allocated from the same subnet
pool. It allows subnets that share the same address scope to
co-exist on a network. If there is no address scope involved the
subnet pool / network affinity constraints continue to be enforced
as done previously.

Change-Id: I33bd17c723b3e8d409415bda008440f8ed9cfa68
Closes: 1830240
Implements: subnets-different-pools-same-net
2019-07-31 10:01:55 -05:00
Zuul
2f224c90fe Merge "Enforce router admin state before distributed" 2019-07-27 02:11:49 +00:00
Slawek Kaplonski
9b2e472ae9 Remove 'gateway_external_network_id' config option
This option has been deprecated for a couple of releases already.
In Stein we removed 'external_network_bridge' option from L3 agent's
config so now it's time to remove also this one.

There is also new upgrade check introduced to check and warn
users if gateway_external_network_id was used in the deployment.

This patch also removes method _check_router_needs_rescheduling() from
neutron/db/l3_db.py module as it is not needed anymore.

This patch also removes unit tests:
test_update_gateway_agent_exists_supporting_network
test_update_gateway_agent_exists_supporting_multiple_network
test_router_update_gateway_no_eligible_l3_agent
from neutron/tests/unit/extensions/test_l3.py module as those
tests are not needed when there is no "gateway_external_network_id"
config option anymore.

Change-Id: Id01571cd42cfe9c5ce91e90159917c7d3c963878
2019-07-26 13:19:14 +02:00
LIU Yulong
76c0280635 Remove the l2pop agent_boot_time config
It was marked as deprecated, so let's do a quick
removal.

Related-Bug: #1813714
Change-Id: Ibc039b34b826641811a7e08b0d1bff0fd21b9193
2019-07-10 19:34:25 +00:00
LIU Yulong
ab57410ec8 Minimizing L3 agent QoS extensions lock granularity
If agent is concurrently processing large set of resources,
the bottleneck lock will multiply increase processing time
of those resources which have been waiting for the lock for
a long time.

This patch moves the lock to the core cache resource, and
leverages the coordination lock to the resource processing
and notification thread functions.

Closes-Bug: #1824911
Change-Id: Id43829b11631727f1a46362ffea5c22d2177fd79
2019-07-02 23:13:29 +08:00
Matt Welch
00b6460df2 Enforce router admin state before distributed
Enforce that a user updates the admin state of a router before modifying
the distributed state. The API currently allows setting admin state to
false concurrently with changing the distributed state.
This is fine for a transition of centralized->distributed, but the
distributed->centralized transition could leave other nodes configured
as distributed until an audit is performed.

Commit adds shim api extension which should be replaced by neutron-lib
shim extension once https://review.openstack.org/#/c/634509/ is merged.
New method 'is_admin_state_down_necessary' checks that shim extension
is loaded.

Set extension as standard by adding to _supported_extension_aliases in
neutron/services/l3_router/l3_router_plugin.py

Closes-Bug: #1811166
Co-Authored-By: Allain Legacy <allain.legacy@windriver.com>
Co-Authored-By: Enyinna Ochulor <enyinna.ochulor@intel.com>
Change-Id: Ie624aeb3f3aeb4db176d2ca0b22020208d4b408a
Signed-off-by: Matt Welch <matt.welch@intel.com>
2019-07-02 14:00:17 +00:00
Nate Johnston
9ea6a61665 Add custom ethertype processing
The OVS Firewall blocks traffic that does not have either the IPv4 or
IPv6 ethertypes at present.  This is a behavior change compared to the
iptables_hybrid firewall, which only operates on IP packets and thus
does not address other ethertypes.

This is a lightweight change that sets a configuration option in the
neutron openvswitch agent configuration file for permitted ethertypes
and then ensures that the requested ethertypes are permitted on
initialization.  This addresses the security and usability concerns on
both master and stable branches while a full-fledged extension to the
security groups API is considered.

Change-Id: Ide78b0b90cf6d6069ce3787fc60766be52062da0
Related-Bug: #1832758
2019-06-28 14:07:16 -04:00
Zuul
566a57a22e Merge "Release notes for dns_domain behavioural changes" 2019-06-20 23:00:25 +00:00
James Page
8b1442c708 Release notes for dns_domain behavioural changes
As part of the fix for bug 1826419, a prior release note was
deleted and no new release note was added to document the
change in behaviour as a result of upgrading.

Add new release note to detail the behaviour of
{network,conf}.dns_domain with respect to the DHCP agent
post upgrade.

The deleted release note will be restored in the stable
branches where it was removed.

Change-Id: Ic668d64c28cdc1068cb2413b09839a127bad46d3
Related-Bug: 1826419
2019-06-20 10:40:34 -04:00
Zuul
cd2940fade Merge "Add a generic coordination lock mechanism" 2019-06-13 03:40:47 +00:00
Zuul
81ffd710c0 Merge "Revert "Pass network's dns_domain to dnsmasq conf"" 2019-06-10 17:28:17 +00:00
LIU Yulong
975143fd08 Add a generic coordination lock mechanism
For various synchronized scenarios, this decorator
allows flexible lock name with parameters and names
of underlying functions.
For instance:
    @synchronized('{f_name}-{resource.id}-{snap[name]}')
    def foo(self, resource, snap):

Change-Id: I4bf75be2902cd598a5a5a2c5887d4b4262f3e042
Related-Bug: #1824911
2019-06-06 09:56:58 +08:00
Zuul
15c5eef58d Merge "Canonicalize IPv6 ICMP protocol name in security groups" 2019-06-05 22:19:10 +00:00
Zuul
c3e611eaf1 Merge "Add kill hooks for external processes" 2019-06-05 01:09:51 +00:00
Slawek Kaplonski
93015527f0 Add kill hooks for external processes
This patch adds possibility to configure kill hooks used to kill
external processes, like dnsmasq or keepalived.

Change-Id: I29dfbedfb7167982323dcff1c4554ee780cc48db
Closes-Bug: #1825943
2019-06-03 14:39:51 +02:00
James Page
8f5020120e Revert "Pass network's dns_domain to dnsmasq conf"
The dns_domain attribute of a network is intended for use
by neutron when creating DNS records in an external DNS
system such as Designate.

By using the networks dns_domain, the configured search
path on booted instances mismatches with the generated
dns assignments for instance ports in the hosts file
for dnsmasq which creates a mismatched forward/reverse
lookup behaviour.

This reverts commit 137a6d61053fb1cfb9a0a583b5a5c0f6253c75e6
and commit 7fdd6adc7acf99e74fbe1c12606f8c867ae134ae.

Closes-Bug: 1826419
Depends-On: I145144c042b100f7e12a02a8ac7e0fbbe41e984d
Change-Id: I5ff03b5ad8af432a9f7919ef953d7d8c434b93bd
2019-06-03 09:26:32 +01:00
Zuul
8c774d3f1d Merge "Fix bug: AttributeError arises while sorting with standard attributes" 2019-06-02 03:48:34 +00:00
Zuul
0e2508c8b1 Merge "Notify ironic on port status changes" 2019-06-01 02:07:46 +00:00
Zuul
3e6376f428 Merge "Add Smart NIC representor port to integration bridge" 2019-05-31 12:05:36 +00:00
Zuul
e79d71677f Merge "OVS DPDK port representors support" 2019-05-29 23:32:12 +00:00
pandatt
335ac4e2d9 Fix bug: AttributeError arises while sorting with standard attributes
Common neutron resource(e.g, Port) consists of:
1. Resource Attributes, e.g: Port.mac_address, etc.
2. Standard Attributes, e.g: created_at, and are shared among all
   neutron resources.
The `sort` opt only supports limited attributes. We need to filter
attributes that are defined with `is_sort_key=True` and it's preferred
to explicitly warn CLI & API users of illegal sort keys rather than
just accept without check, pass forward and then hit an internal error
which's quite confusing.

Depends-on: https://review.opendev.org/#/c/660097/
Change-Id: I8d206f909b09f1279dfcdc25c39989a67bff93d5
Closes-Bug: #1659175
2019-05-29 17:58:51 +08:00
Harald Jensås
afff649a39 Notify ironic on port status changes
This patch adds an ironic notifier that sends notifications
to ironic endpoint /v1/events. The events are triggered by
port updates and deletions. Only ports with vnic_type
baremetal are honored.

Story: 1304673
Task: 22263
Closes-Bug: #1828367
Implements: blueprint event-notifier-ironic
Authored-By: Vasyl Saienko <vsaienko@mirantis.com>
Co-Authored-By: Harald Jensås <hjensas@redhat.com>
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: I0bb3187a88a7f20adb8c60e24945db159afb83f1
2019-05-27 13:38:42 +02:00
Hamdy Khader
47390226f5 OVS DPDK port representors support
Adds support for OVS DPDK port representors[1], a direct port on
a netdev datapath is considered a DPDK representor port.

get_vif_type returns OVS VIF type in case of a direct port.

[1] http://docs.openvswitch.org/en/latest/topics/dpdk/phy/#representors

Closes-Bug: #1829734
Change-Id: I3956eeda19ebc93fdb0b13c1cfb3dc64abffee9f
2019-05-27 13:30:49 +03:00
Brian Haley
42074a6725 Canonicalize IPv6 ICMP protocol name in security groups
Currently, 'icmp', 'ipv6-icmp' and 'icmpv6' can be
specified as an IPv6 ICMP protocol value.  This can
lead to duplicate entries in the DB for doing exactly
the same thing.

Change to always be 'ipv6-icmp' so this doesn't happen.

Existing rules using one of the old values will now be
returned with 'ipv6-icmp' as the protocol value.

Depends-on: https://review.opendev.org/660206
Depends-on: https://review.opendev.org/660387

Change-Id: I7cd146691dce1a690e1d2c309dfd54b4a0032f76
Partial-Bug: #1582500
2019-05-24 20:05:48 -05:00
Ihar Hrachyshka
4aeec20001 Drop of_interface option
Default value for "of_interface" config option was switched
to "native" in Pike release.
In the same release this option was deprecated to removal.
Now it's time to remove it and force use of "native" driver to
manage openflows.

Change-Id: Ic900209868acfbe3bbb56fabbbf5c4472857e412
Co-Authored-By: Ihar Hrachyshka <ihrachys@redhat.com>
Co-Authored-By: Slawek Kaplonski <skaplons@redhat.com>
2019-05-24 10:33:48 +02:00
Hamdy Khader
b4243ad3f7 Add Smart NIC representor port to integration bridge
In case of Smart NIC vNIC type neutron should mimic nova-compute
that plugs the port to the ovs bridge.

Extend the Neutron OVS mechanism driver and Neutron OVS Agent to bind
the Neutron port for the baremetal host with Smart NIC. This will allow
the Neutron OVS Agent to configure the pipeline of the OVS running on
the Smart NIC and leverage the pipeline features such as: VXLAN,
Security Groups and ARP Responder.

Story: #2003346
Closes-Bug: #1785608
Change-Id: I6d520d3bac2e9ceb30b5b6197c6eb0f958cc3659
2019-05-23 10:54:36 +03:00
Zuul
8887343782 Merge "Change provider network segmentation ID in OVS agent" 2019-05-22 12:36:20 +00:00
Nate Johnston
1916bc5c06 Allow first address in an IPv6 subnet as valid unicast
When looking at the RFC [1], there's no mention that this can't be the
gateway address.  Permit it.

[1] https://tools.ietf.org/html/rfc4291#section-2.6.1

Change-Id: I3f2905c2c4fca02406dfa3c801c166c14389ba41
Fixes-Bug: #1682094
2019-05-21 16:31:18 +00:00
Rodolfo Alonso Hernandez
2bcc178be1 Change provider network segmentation ID in OVS agent
Added the ability to change the segmentation ID of a network
with ports bound to OVS agent. The rules, both in the integration
bridge and the physical bridge, to convert the internal VLAN tag
and the external segmentation ID (external VLAN tag) are deleted
and created again with the new value. The traffic from the tenant
networks will be tagged then with the new segmentation ID.

Added get network details agent RPC call to retrieve the information
of the updated network.

Partial-Bug: #1806052

Change-Id: I69f6f3ef717c3ed40218099b1f389afd3d39bd62
2019-05-20 18:53:17 +00:00
Darragh O'Reilly
540d00f68e Make OVS controller inactivity_probe configurable
This parameter applies to the OVSDB Controller table when the
native openflow driver is used. There are reports that increasing
it can reduce errors on busy systems. This patch also sets the
default value to 10s which is more than the OVS default of 5s.
See the ovs-vswitchd.conf.db man page for full description.

Change-Id: If0d42919412dac75deb4d7f484c42cea630fbc59
Partial-Bug: #1817022
2019-05-17 16:08:21 +00:00
Zuul
554b7cd228 Merge "Add router_factory to l3-agent and L3 extension API" 2019-04-27 06:37:15 +00:00
Yang Youseok
ec875b42b6 Add router_factory to l3-agent and L3 extension API
Currently, most implementations override the L3NatAgent class itself
for their own logic since there is no proper interface to extend
RouterInfo class. This adds unnecessary complexity for developers
who just want to extend router mechanism instead of whole RPC.

Add a RouterFactory class that developer can register RouterInfo class
and delegate it for RouterInfo creation. Separate functions and variables
which currently used externally to abstract class from RouterInfo, so that
extension can use the basic interface.

Provide the router registration function to the l3 extension API so that
extension can extend RouterInfo itself which correspond to each features
(ha, distributed, ha + distributed)

Depends-On: https://review.openstack.org/#/c/620348/
Closes-Bug: #1804634
Partially-Implements: blueprint openflow-based-dvr
Change-Id: I1eff726900a8e67596814ca9a5f392938f154d7b
2019-04-26 10:22:50 +09:00
Zuul
540449cfbd Merge "Add log file for neutron-keepalived-state-change" 2019-04-24 19:04:47 +00:00
LIU Yulong
ccf76c36bb Add log file for neutron-keepalived-state-change
neutron-keepalived-state-change may not start but have no method
to find out why. This patch adds the log file for it.

Change-Id: I688a6e6d0ac42c00d87571484f726e0eae091675
Related-Bug: #1822155
2019-04-18 01:04:16 +00:00
LIU Yulong
64ea642359 Change default local ovs connection timeout
Large number of flows can cause local ovs connection
timeout. Ultimately succeeding will be better
than a retry or fullsync.

Related-Bug: #1813703
Related-Bug: #1813705
Related-Bug: #1813707
Related-Bug: #1813709

Change-Id: Ifa0608a7e131df3cad2f7727426720afce641a58
2019-03-25 02:51:20 +00:00
Bence Romsics
d1696619c5 Reject min-bw rule operations on non-physnet networks/ports
Change-Id: I54d421d0993bd9515ab5ba32f75f40d1ef46eccb
Closes-Bug: #1819029
Depends-On: https://review.openstack.org/644847
2019-03-23 15:44:31 +00:00
Zuul
c42287eef3 Merge "More accurate agent restart state transfer" 2019-03-23 04:46:44 +00:00
Brian Haley
7369b69e2e Dynamically increase DHCP process queue green pool size
As done for the l3-agent in 837c9283abd4ccb56d5b4ad0eb1ca435cd2fdf3b,
dynamically resize the DHCP process queue green pool.

This patch adds a new measurement based on the network quantity to
indicate the DHCP process queue green pool size. The pool size
will be limited from 8 (original value) to 32, because we do not want
to increase the DHCP agent processing cost on the node.

Change-Id: Ic0e7bc15f138273c7a6ad41f228c9f315e6c7a91
Related-Bug: #1813787
2019-03-21 21:55:04 +00:00