This reverts commit: b83fedbd78a441cf34d53dba35a3ccff7d8f4ac5.
Since port is set to dead by default after the commits of:
7aae31c9f9ed938760ca0be3c461826b598c7004
0ddca284542aed89df4a22607a2da03f193f083c
And we add the local vlan tag to the port right after it is
bound to avoid trunk port flood issue:
c63ebef2d58e15f4388cf064066f77b503a2f841
So that _add_port_tag_info function is not necessary anymore,
and we will save a large OVSDB read action which is dumping
the entire table of Port, for hosts with a huge number of
ports this is time-consuming. So removed it.
Related-Bug: #1968896
Related-Bug: #1952567
Change-Id: Iefd765d497c7e2d4bb093052478185125b907025
Port admin state down will add 4095 tag to it while
it is adding a drop flow for this ofport.
When port is back UP again, remove the drop flow.
Closes-bug: #1968896
Change-Id: Ie8f67def69ae0e5d425d0e6fc43e35373a96bd88
After the monitor_cond_since/update3 support patch in ovs
(46d44cf3be0), directly setting table.condition is broken. This
isn't something that was ever truly supported. Prior to that
patch, using Idl.cond_change() before a connection was made
did not work, but after that patch it does.
This patch uses the old behavior when the OVS library does not
have the ConditionState object, and uses cond_change() otherwise.
Related-Bug: #1965819
Change-Id: I0503037b803a3c99fb7988bc20394c111ac456db
In the DHCP agent, if an exception is raised during the driver call,
"DhcpAgent.schedule_resync" is called. Before this patch, the
exception instance was passed instead of a string. This instance
reference was stored in the dictionary "needs_resync_reasons" and
used in "_periodic_resync_helper" to resync the DHCP agent
information.
The call to "sync_state" passed the dictionary ".keys()" method. In
python2.7 when that was implemented, this method was creating a list
with the dictionary keys. In python3, this method is a generator
that holds the dictionary content.
This patch breaks this reference chain in two points (actually only
one is needed):
- "sync_state" now passes a list created from the mentioned generator.
- The dictionary "needs_resync_reasons" now stores the exception
strings only, instead of the exception instance.
Closes-Bug: #1969270
Change-Id: I07e9818021283d321fc32066be7e0f8e2b81e639
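As an added example (not code from the Neutron commit above), a simplified mimic of the two reference-chain points it describes: an exception instance stored in the dictionary keeps its traceback and frames alive while a string does not, and a keys view handed to the sync call is live while a list copy is a snapshot. Function names (schedule_resync_*, sync_state, periodic_resync, holds_traceback) are illustrative, not Neutron's own.

```python
# Added example, not part of the Neutron commit: simplified mimic of
# DhcpAgent.schedule_resync / sync_state showing why storing the exception
# instance and passing dict.keys() kept a live reference chain in Python 3.


def schedule_resync_instance(reasons, reason, network_id=None):
    """'Before': the exception object itself is stored in the dictionary."""
    reasons.setdefault(network_id, []).append(reason)


def schedule_resync_string(reasons, reason, network_id=None):
    """'After': only str(reason) is stored, so no traceback/frames are kept."""
    reasons.setdefault(network_id, []).append(str(reason))


def failing_driver_call(reasons, schedule):
    """Simulates a driver failure inside the agent and schedules a resync."""
    try:
        raise RuntimeError("dhcp driver failed")  # constructed failure
    except RuntimeError as exc:
        schedule(reasons, exc, network_id="net-1")


def holds_traceback(reasons):
    """True if any stored reason is an exception keeping frame objects alive."""
    return any(getattr(r, "__traceback__", None) is not None
               for stored in reasons.values() for r in stored)


def sync_state(network_ids):
    """Consumes whatever iterable of network ids it was handed."""
    return sorted(network_ids)


def periodic_resync(reasons, snapshot):
    """Hands sync_state either the live keys view or a list copy; a new
    failure is scheduled in between to show which ids sync_state sees."""
    ids = list(reasons.keys()) if snapshot else reasons.keys()
    schedule_resync_string(reasons, "late failure", network_id="net-2")
    return sync_state(ids)
```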
Importing some modules leads to registering config options that may
collide with config options from a project that calls the import. This
patch wraps the side effect that registers config options into a
function that needs to be called in case the caller wants to register
the options.
This solution is also not perfect as it guards the common options to be
registered only once even if the function is called multiple times. This
is to solve problems in unittests, ideally we should always call the
function just once even in our testing suites.
Resolves-Bug: #1968606
Change-Id: Ic1532eb8de887ff1b1085206df11f53e22f7f524
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
In the policy_enforcement module if policy.enforce() raises a
PolicyNotAuthorized exception, there is an additional check if user is
trying to modify own or someone else's resource. In case when user is not
allowed to show resource even, error 404 is raised to "hide" any
information about requested resource.
But that was also the case for POST (create resource) requests and 404
error when user is trying e.g. create network is confusing.
So this patch modifies that logic and in case of "create_" actions it
will return 403 if user was not authorized to do such operation.
Closes-Bug: #1965294
Change-Id: I80b0616c335134a564361137b2a00ff86dcbdf1c
This patch should finally complete phase 1 of Secure RBAC community
goal [1] where it was agreed that there will be just 4 personas:
* ADMIN
* PROJECT_ADMIN
* PROJECT_MEMBER
* PROJECT_READER
System scope personas will be added in next phases of the community
goal.
To complete phase 1 in Neutron, this patch removes hardcoded system scope
from the check strings in system scope personas - that way it can be
controlled by the config option and enforced by oslo_policy only when
enabled.
It also skips all SYSTEM_MEMBER and SYSTEM_READER related unit tests. We
can re-enable them in the future where we will have those personas
working in Neutron.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1
Change-Id: Iafa8ec1d9710ff404450ad0a64baf56a0f993756
This will help in troubleshooting failures related to high
memory or cpu usage.
Related-Bug: #1966394
Change-Id: I74b0d53bfc54b71d3e8b2d46739a944e5f5a6b6f
security_groups_db._check_security_group is supposed to check the
security_group_id of the _create_security_group_rule payload.
When using an integer e.g. 0, as security_group_id, the check
succeeds because mysql accepts the following query:
SELECT * FROM securitygroups WHERE id in (0)
Forcing validation of security_group_id as uuid fixes the problem
Closes-Bug: #1968343
Change-Id: I7c36b09309c1ef66608afacfb281b6f4b06ea5b8
The parameter "data" passed to the method "ha_state_change" is not
a router but a dictionary with "router_id" info.
The method "NDPProxyAgentExtension._process_router" requires the
router ID and the "enable_ndp_proxy" value, stored in the agent
router cache.
Closes-Bug: #1967839
Related-Bug: #1877301
Change-Id: Iab163e69f7e3641e2e1a451374231b6ccfa74c3e
The goal of this patch is to make the Neutron code compliant
with SQLAlchemy 2.0.
All SQL transactions must be executed inside an explicit
writer/reader context. SQLAlchemy no longer will create an
implicit transaction if the session has no active transaction.
A warning message, only available in debug mode, is added. When
an ORM session calls "do_orm_execute", if there is no active
transaction, a warning message with a traceback will be logged
to help to debug the regression introduced.
Related-Bug: #1964575
Change-Id: I3da37fee205b8d67d10673075b9130147d9eab5f
[1] changed the signature of set_device_rate to be aligned with how
pyroute2 expects rate parameters, some method which calls
set_device_rate needs to be changed also to use the new dict format for
calling it.
[1]: https://review.opendev.org/q/Ibbb6d938355440c42850812e368224b76b1fce19
Related-Bug: #1962844
Closes-Bug: #1968206
Change-Id: I7256747f45308b011edbb0f8c802439ea277423d
Based on discussions during the Zed PTG (see [1]) mark Prefix Delegation
as experimental.
Add warning to cfg option ipv6_pd_enabled and to IPv6 documentation's
PD section that the feature has low test coverage, and dibbler is
concluded (the tool used for notifying Neutron that a prefix was changed)
see: [2].
[1]: https://etherpad.opendev.org/p/neutron-zed-ptg#L208
[2]: https://github.com/tomaszmrugalski/dibbler#project-status
Related-Bug: #1916428
Change-Id: Ia712eb6f5b6f947aeab89ba7c018771eb4104e37
Those jobs from periodic pipeline were run on Centos Stream 8
so far but let's switch them to new Centos Stream 9.
Change-Id: I9d87d1c6d2c5415a4bd602cb6968db4d155f15e1
During some ml2 ovs agent port processing performance test, we noticed
that some ports are missing tag before they are really done processing. While
ovs treats those ports without tag as trunk port, so some packets will
be flooded to it. In large scale cloud, if too many ports are added to the
bridge, the ovs-vswitchd will consume a huge amount of CPU cores if
ports are not bound in a short time.
So, in the port_bound function of ovs-agent, we set the port tag to
it after a local_vlan id is allocated. Because after that, setup
security groups (setup_port_filters) and bind devices in DB
(update_device_list) are really time-consuming.
And also fix a potential bug, port is processed as created first,
but no tag in ovsdb, so openflow security group will not be processed
successfully [1]. It must be done in an update event during next loop,
after port bound and ovsdb set the required value.
This patch can also fix some upstream test failures of waiting too
long time to ping some cases.
[1] https://github.com/openstack/neutron/blob/master/neutron/agent/linux/openvswitch_firewall/firewall.py#L112
Closes-Bug: #1952567
Change-Id: I3533f0d416d32f8d0888ad58f975960d89a985d9
This is a terrible hack but it seems that there is no other way to
fix/workaround the race which may happen during live-migration between:
- port update event coming from the OVN db (port DOWN on the src node),
- API call from nova-compute to activate port binding on the destination
node.
If those 2 events will be executed in specific order by different
workers it may happen that port binding activation will not update
"requested_chassis" of the port in OVN northd due to revision mismatch
(ovn_revision and neutron_revision will be already bumped by the worker
which processes "port update" OVN event).
If "requested_chassis" will not be updated, OVN will not claim port on
the dest node thus connectivity to the vm will be broken.
To workaround that issue, port_update_postcommit method from the OVN
mechanism driver will catch RevisionMismatch exception raised by the
ovn_client and in case that this was port_update after live_migration,
will get port data from neutron db and try to update port in the OVN
northd once again.
Closes-bug: #1967144
Change-Id: If6e1c6e0fc772101bcd3427601800aaae84381dd