In some deployments, the "neutron" user does not have the permissions
to modify the kernel interfaces. In those cases the radvd user should
be defined. This patch introduces a new config option: "radvd_user".
This config option is the username passed to radvd, used to drop root
privileges and change user ID to username and group ID to the primary
group of username. If no user specified (by default is an empty string),
the user executing the L3 agent will be passed. If "root" specified,
because radvd is spawned as root, no "username" parameter will be
passed.
Change-Id: Ie9a6fbf04d453a3c1c0bddf9ecaa3d4d6467e8ff
Closes-Bug: #1844688
(cherry picked from commit 6a5a75d5a6d4af08310774cef1b091d2ce2551d4)
When updating a port with the fixed_ips request the
fixed_configured argument should be set to true when
calling _ipam_get_subnets() so that all subnets are
returned if host is not set.
Otherwise the ip allocation will be deffered and an
empty list of possible subnets for the port is
returned. Which in turn led to raising an error that
the network requires subnets to allocate an IP
address.
Closes-Bug: #1844124
Change-Id: I2e690ea0cf5fa0614e39be2b0e83afad3daa7f48
(cherry picked from commit def8e95aad1e4588c369d537ee66234245eefdf6)
The prelude section is usually used for release highlights.
As of now, the prelude section has only one contents on SmartNIC
support, but it is not necessarily most important topic.
It is already covered by "features" section, so it looks natural
to drop it from the prelude section.
Change-Id: Ibfe773f93ee5d805dcad27938209275197dadadb
Neutron-LBaaS has now been retired and there will be no Train
release[1]. This patch removes neutron-lbaas references from
neutron.
[1] https://review.opendev.org/658494
Closes-Bug: #1833125
Change-Id: I0fe3fbaf4adf7fb104632fd94cd093e701e12289
When a network is deleted, precommit handlers are notified prior to the
deletion of the network from the database. One handler exists in the ML2
plugin - _network_delete_precommit_handler. This handler queries the
database for the current state of the network and uses it to create a
NetworkContext which it saves under context._mech_context. When the
postcommit handler _network_delete_after_delete_handler is triggered
later, it passess the saved context._mech_context to mechanism drivers.
A problem can occur with provider networks since the segments service
also registers a precommit handler - _delete_segments_for_network. Both
precommit handlers use the default priority, so the order in which they
are called is random, and determined by dict ordering. If the segment
precommit handler executes first, it will delete the segments associated
with the network. When the ML2 plugin precommit handler runs it then
sees no segments for the network and sets the provider attributes of the
network in the NetworkContext to None.
A mechanism driver that is passed a NetworkContext without provider
attributes in its delete_network_postcommit method will not have the
information to perform the necessary actions. In the case of the
networking-generic-switch mechanism driver where this was observed, this
resulted in the driver ignoring the event, because the network did not
look like a VLAN.
This change uses a priority of zero for ML2 network delete precommit
handler, to ensure they query the network and store the NetworkContext
before the segments service has a chance to delete segments.
A similar change has been made for subnets, both to keep the pattern
consistent and avoid any similar issues.
Change-Id: I6482223ed2a479de4f5ef4cef056c311c0281408
Closes-Bug: #1841967
Depends-On: https://review.opendev.org/680001
For vlan type network, we add a segment match flow
to the openflow security group ingress table. Then
the packets will be recorded in conntrack table, and
the reply packets can be processed properly.
Change-Id: Ieded0654d0ad16235ec923b822dcd842bd7735e5
Closes-Bug: #1831534
For large scale deployment, the dvr router will be installed to
the scheduled DHCP host. This will definitely increase the l3
agent service pressure, especially in large number of concurrent
updates, creation, or agent restart.
This patch adds a config ``host_dvr_for_dhcp`` for the DHCP port
device_owner filter during DVR host query. Then if we set
``host_dvr_for_dhcp = False``, L3-agent will not host the DVR router
namespace in its connected networks' DHCP agent hosts.
Closes-Bug: #1609217
Change-Id: I53e20be9b306bf9d3b34ec6a31e3afabd5a0fd6f
This change relaxes the constraint that all subnets of the same
address family on a network must be allocated from the same subnet
pool. It allows subnets that share the same address scope to
co-exist on a network. If there is no address scope involved the
subnet pool / network affinity constraints continue to enforced
as done previously.
Change-Id: I33bd17c723b3e8d409415bda008440f8ed9cfa68
Closes: 1830240
Implements: subnets-different-pools-same-net
This option was deprecated since couple of releases already.
In Stein we removed 'external_network_bridge' option from L3 agent's
config so now it's time to remove also this one.
There is also new upgrade check introduced to check and warn
users if gateway_external_network_id was used in the deployment.
This patch also removes method _check_router_needs_rescheduling() from
neutron/db/l3_db.py module as it is not needed anymore.
This patch also removes unit tests:
test_update_gateway_agent_exists_supporting_network
test_update_gateway_agent_exists_supporting_multiple_network
test_router_update_gateway_no_eligible_l3_agent
from neutron/tests/unit/extensions/test_l3.py module as those
tests are not needed when there is no "gateway_external_network_id"
config option anymore.
Change-Id: Id01571cd42cfe9c5ce91e90159917c7d3c963878
If agent is concurrently processing large set of resources,
the bottleneck lock will multiply increase processing time
of those resources which have been waiting for the lock for
a long time.
This patch moves the lock to the core cache resource, and
leverage the coordination lock to the resource prcessing
and notification thread functions.
Closes-Bug: #1824911
Change-Id: Id43829b11631727f1a46362ffea5c22d2177fd79
Enforce that a user updates the admin state of a router before modifying
the distributed state. The API currently allows setting admin state to
false concurrently with changing the distributed state.
This is fine for a transition of centralized->distributed, but the
distributed->centralized transition could leave other nodes configured
as distributed until an audit is performed.
Commit adds shim api extension which should be replaced by neutron-lib
shim extension once https://review.openstack.org/#/c/634509/ is merged.
New method 'is_admin_state_down_necessary' checks that shim extension
is loaded.
Set extension as standard by adding to _supported_extension_aliases in
neutron/services/l3_router/l3_router_plugin.py
Closes-Bug: #1811166
Co-Authored-By: Allain Legacy <allain.legacy@windriver.com>
Co-Authored-By: Enyinna Ochulor <enyinna.ochulor@intel.com>
Change-Id: Ie624aeb3f3aeb4db176d2ca0b22020208d4b408a
Signed-off-by: Matt Welch <matt.welch@intel.com>
The OVS Firewall blocks traffic that does not have either the IPv4 or
IPv6 ethertypes at present. This is a behavior change compared to the
iptables_hybrid firewall, which only operates on IP packets and thus
does not address other ethertypes.
This is a lightweight change that sets a configuration option in the
neutron openvswitch agent configuration file for permitted ethertypes
and then ensures that the requested ethertypes are permitted on
initialization. This addresses the security and usability concerns on
both master and stable branches while a full-fledged extension to the
security groups API is considered.
Change-Id: Ide78b0b90cf6d6069ce3787fc60766be52062da0
Related-Bug: #1832758
As part of the fix for bug 1826419, a prior release note was
deleted and no new release note was added to document the
change in behaviour as a result of upgrading.
Add new release note to detail the behaviour of
{network,conf}.dns_domain with respect to the DHCP agent
post upgrade.
The deleted release note will be restored in the stable
branches where it was removed.
Change-Id: Ic668d64c28cdc1068cb2413b09839a127bad46d3
Related-Bug: 1826419
For various synchronized scenarios, this decorator
allows flexible lock name with parameters and names
of underlying functions.
For instance:
@synchronized('{f_name}-{resource.id}-{snap[name]}')
def foo(self, resource, snap):
Change-Id: I4bf75be2902cd598a5a5a2c5887d4b4262f3e042
Related-Bug: #1824911
This patch adds possibility to configure kill hooks used to kill
external processes, like dnsmasq or keepalived.
Change-Id: I29dfbedfb7167982323dcff1c4554ee780cc48db
Closes-Bug: #1825943
The dns_domain attribute of a network is intended for use
by neutron when creating DNS records in an external DNS
system such as Designate.
By using the networks dns_domain, the configured search
path on booted instances mismatches with the generated
dns assignments for instance ports in the hosts file
for dnsmasq which creates a mismatched forward/reverse
lookup behaviour.
This reverts commit 137a6d61053fb1cfb9a0a583b5a5c0f6253c75e6
and commit 7fdd6adc7acf99e74fbe1c12606f8c867ae134ae.
Closes-Bug: 1826419
Depends-On: I145144c042b100f7e12a02a8ac7e0fbbe41e984d
Change-Id: I5ff03b5ad8af432a9f7919ef953d7d8c434b93bd
Common neutron resource(e.g, Port) consists of:
1. Resource Attributes, e.g: Port.mac_address, etc.
2. Standard Attributes, e.g: created_at, and are shared among all
neutron resources.
The `sort` opt only supports limited attributes. We need to filter
attributes that are defined with `is_sort_key=True` and it's preferred
to explicitly warn CLI & API users of illegal sort keys rather than
just accept without check, pass forward and then hit a internal error
which's quite confusing.
Depends-on: https://review.opendev.org/#/c/660097/
Change-Id: I8d206f909b09f1279dfcdc25c39989a67bff93d5
Closes-Bug: #1659175
This patch adds an ironic notifier that sends notifications
to ironic endpoint /v1/events. The events are triggered by
port updates and deletions. Only ports with vnic_type
baremetal are honored.
Story: 1304673
Task: 22263
Closes-Bug: #1828367
Implements: blueprint event-notifier-ironic
Authored-By: Vasyl Saienko <vsaienko@mirantis.com>
Co-Authored-By: Harald Jensås <hjensas@redhat.com>
Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: I0bb3187a88a7f20adb8c60e24945db159afb83f1
Adds support for OVS DPDK port representors[1], a direct port on
a netdev datapath is considered a DPDK representor port.
get_vif_type returns OVS VIF type in case of a direct port.
[1] http://docs.openvswitch.org/en/latest/topics/dpdk/phy/#representors
Closes-Bug: #1829734
Change-Id: I3956eeda19ebc93fdb0b13c1cfb3dc64abffee9f
Currently, 'icmp', 'ipv6-icmp' and 'icmpv6' can be
specified as an IPv6 ICMP protocol value. This can
lead to duplicate entries in the DB for doing exactly
the same thing.
Change to always be 'ipv6-icmp' so this doesn't happen.
Existing rules using one of the old values will now be
returned with 'ipv6-icmp' as the protocol value.
Depends-on: https://review.opendev.org/660206
Depends-on: https://review.opendev.org/660387
Change-Id: I7cd146691dce1a690e1d2c309dfd54b4a0032f76
Partial-Bug: #1582500
Default value for "of_interface" config option was switched
to "native" in Pike release.
In the same release this option was deprecated to removal.
Now it's time to remove it and force use of "native" driver to
manage openflows.
Change-Id: Ic900209868acfbe3bbb56fabbbf5c4472857e412
Co-Authored-By: Ihar Hrachyshka <ihrachys@redhat.com>
Co-Authored-By: Slawek Kaplonski <skaplons@redhat.com>
In case of Smart NIC vNIC type neutron should mimic nova-compute
that plug the port to the ovs bridge.
Extend the Neutron OVS mechanism driver and Neutron OVS Agent to bind
the Neutron port for the baremetal host with Smart NIC. This will allow
the Neutron OVS Agent to configure the pipeline of the OVS running on
the Smart NIC and leverage the pipeline features such as: VXLAN,
Security Groups and ARP Responder.
Story: #2003346
Closes-Bug: #1785608
Change-Id: I6d520d3bac2e9ceb30b5b6197c6eb0f958cc3659
Added the ability to change the segmentation ID of a network
with ports bound to OVS agent. The rules, both in the integration
bridge and the physical bridge, to convert the internal VLAN tag
and the external segmentation ID (external VLAN tag) are deleted
and created again with the new value. The traffic from the tenant
networks will be tagged then with the new segmentation ID.
Added get network details agent RPC call to retrieve the information
of the updated network.
Partial-Bug: #1806052
Change-Id: I69f6f3ef717c3ed40218099b1f389afd3d39bd62
This parameter applies to the OVSDB Controller table when the
native openflow driver is used. There are reports that increasing
it can reduce errors on busy systems. This patch also sets the
default value to 10s which is more than the OVS default of 5s.
See the ovs-vswitchd.conf.db man page for full description.
Change-Id: If0d42919412dac75deb4d7f484c42cea630fbc59
Partial-Bug: #1817022
Currently, most implementations override the L3NatAgent class itself
for their own logic since there is no proper interface to extend
RouterInfo class. This adds unnecessary complexity for developers
who just want to extend router mechanism instead of whole RPC.
Add a RouterFactory class that developer can registers RouterInfo class
and delegate it for RouterInfo creation. Seperate functions and variables
which currently used externally to abstract class from RouterInfo, so that
extension can use the basic interface.
Provide the router registration function to the l3 extension API so that
extension can extend RouterInfo itself which correspond to each features
(ha, distribtued, ha + distributed)
Depends-On: https://review.openstack.org/#/c/620348/
Closes-Bug: #1804634
Partially-Implements: blueprint openflow-based-dvr
Change-Id: I1eff726900a8e67596814ca9a5f392938f154d7b
neutron-keepalived-state-change may not start but have no method
to find out why. This patch adds the log file for it.
Change-Id: I688a6e6d0ac42c00d87571484f726e0eae091675
Related-Bug: #1822155
Large number of flows can cause local ovs connection
timeout. Ultimately getting succeed will be better
than a retry or fullsync.
Related-Bug: #1813703
Related-Bug: #1813705
Related-Bug: #1813707
Related-Bug: #1813709
Change-Id: Ifa0608a7e131df3cad2f7727426720afce641a58
As done for the l3-agent in 837c9283abd4ccb56d5b4ad0eb1ca435cd2fdf3b,
dynamically resize the DHCP process queue green pool.
This patch adds a new measurement based on the network quantity to
indicate the DHCP process queue green pool size. The pool size
will be limited from 8 (original value) to 32, because we do not want
to increase the DHCP agent processing cost on the node.
Change-Id: Ic0e7bc15f138273c7a6ad41f228c9f315e6c7a91
Related-Bug: #1813787