26412 Commits

Author SHA1 Message Date
Sahid Orentino Ferdjaoui
6ec0bc70a7 ovs: make vlanmanager to handle more vlan mapping per network
This change is updating the vlanmanager data structure to handle for a
given network more than one vlan mapping. This is a prerequisite work
needed to progress on accepting several segments per network per
host.

The work done here is trying to avoid changing logic in the
current implementation. Unit test should not have value updated,
but probably signatures changed.

Partial-Bug: #1956435
Partial-Bug: #1764738
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
Change-Id: Ic3c147136549b17aea0fe78e930a41a5b33ab9d8
2022-09-01 14:48:08 +02:00
Zuul
7dfe41ab8f Merge "Update NDP proxy documentation" 2022-08-26 20:51:50 +00:00
Zuul
2f47d2bb55 Merge "Bump revision number of objects when description is changed" 2022-08-26 16:17:37 +00:00
Dr. Jens Harbott
7587d0dede Update NDP proxy documentation
- Use only the documentation prefix in examples
- Update some formatting and wording
- Add a reference in the OVN gaps document

Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I2acf762008ce44b6a792c615c153071e1c10e0b3
2022-08-26 12:09:20 +02:00
Zuul
76b6388d4b Merge "Allow operator to disable usage of random-fully" 2022-08-26 08:42:03 +00:00
David Hill
bbefe5285e Allow operator to disable usage of random-fully
In some specific use case, the cloud operator expects the source port
of a packet to stay the same across all masquerading layers up to the
destination host. With the implementation of the random-fully code,
this behavior was changed as source_port is always rewritten no matter
which type of architecture / network CIDRs is being used in the backend.
This setting allows a user to fall back to the original behavior of the
masquerading process which is to keep the source_port consistent across
all layers. The initial random-fully fix prevents packet drops when
duplicate tuples are generated from two different namespaces when the
source_ip:source_port goes toward the same destination so enabling this
setting would allow this issue to show again. Perhaps a right approach
here would be to fix this "racy" situation in the kernel by perhaps
using the mac address as a seed to the tuple ...

Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5
Closes-bug: #1987396
2022-08-25 16:48:45 -04:00
Zuul
d4790238cd Merge "Allow shared net to be added on router" 2022-08-24 23:19:48 +00:00
Zuul
a2249b3cd3 Merge "[OVN] Remove ACLs with remote SG during deletion of SG" 2022-08-24 17:32:38 +00:00
Arnaud Morin
8619c104b8 Allow shared net to be added on router
This will allow subnets from shared networks to be added on routers using:
$ openstack router add subnet router_id subnet_id

Without this, neutron user must use a multi-router solution, which is
not convenient at all.

Closes-Bug: #1975603
Related-Bug: #1757482

Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
Change-Id: I50f07d41428e57e6bed9be16980a6c605b7d130e
2022-08-24 17:23:14 +02:00
Zuul
67aab582dc Merge "Script to remove duplicated port bindings" 2022-08-24 00:54:47 +00:00
Zuul
47f30c4af9 Merge "[OVN] Remove session check in `update_network_postcommit`" 2022-08-23 11:58:59 +00:00
Zuul
a3a4030a52 Merge "Migrate "download_gerrit_change" to use "cliff"" 2022-08-23 10:32:10 +00:00
Rodolfo Alonso Hernandez
3202a5c19e [OVN] Remove session check in `update_network_postcommit`
Since [1], when a segment is deleted because the network is before,
the segment event handler method ``_handle_segment_change`` does not
call ``_notify_mechanism_driver_for_segment_change`` and thus the
check performed in ``OVNMechanismDriver.update_network_postcommit``
is not needed anymore.

[1] https://review.opendev.org/c/openstack/neutron/+/786373

Closes-Bug: #1739798
Change-Id: I4bb22a0a0a233609a4d23af55a050356049eb214
2022-08-23 07:56:52 +00:00
Zuul
b045046cd4 Merge "Migrate "migrate_names" to use "cliff"" 2022-08-23 01:25:25 +00:00
Zuul
7a743ad1d9 Merge "ovn: Don't fail db sync if new IP allocation fails for metadata" 2022-08-22 10:45:32 +00:00
Zuul
f1926c086a Merge "[OVN][QoS] Add minimum bandwidth rule support to ML2/OVN" 2022-08-22 10:04:30 +00:00
Zuul
466ec11492 Merge "[S-RBAC] Remove definitions of not used roles" 2022-08-22 09:42:10 +00:00
Zuul
e5e2024a36 Merge "[S-RBAC] Rename ProjectAdmin* unit tests to Admin*" 2022-08-19 23:31:49 +00:00
Zuul
3833bc7494 Merge "[S-RBAC] Use ADMIN rule instead of PROJECT_ADMIN in the new policies" 2022-08-19 23:31:43 +00:00
Zuul
7928db3321 Merge "[S-RBAC] Remove system scope from the API policies" 2022-08-19 23:31:37 +00:00
Jakub Libosvar
d237a2a830 ovn: Don't fail db sync if new IP allocation fails for metadata
There is a scenario where IP allocation pool is depleted but OVN
metadata port got its IP removed manually. The DB sync script will
attempt to allocate a new IP address if DHCP is enabled in the subnet.
Since the pool has no available IP addresses an exception is raised and
the whole db sync stops.

This patch simply catches the exception, logs an error and continues
syncing other resources.

Closes-bug: #1987135
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
Change-Id: Iaa7b0d7ceb244a38fddd7676066683bf2ca72341
2022-08-19 20:24:03 +00:00
Zuul
b0a257fd33 Merge "Add vpnaas to extensions supported by ovn" 2022-08-19 14:53:50 +00:00
Slawek Kaplonski
406601debe [S-RBAC] Remove definitions of not used roles
According to latest agreement about Secure RBAC [1] we are not using
PROJECT_ADMIN and SYSTEM_{ADMIN,MEMBER,READER} roles at all, at least
for now.
So there's no point to keep definitions of those roles in the code and
this patch removes them.

[1] https://review.opendev.org/c/openstack/governance/+/847418

Change-Id: I7ecfa39615375f71902d6fed4f3c82f9049c4c61
2022-08-19 11:39:09 +02:00
Slawek Kaplonski
a23f41071e [S-RBAC] Rename ProjectAdmin* unit tests to Admin*
This change reflects latest agreement from [1] that instead of
ProjectAdmin role there will be "legacy" Admin role which behaves as
"old" Admin basically.

[1] https://review.opendev.org/c/openstack/governance/+/847418

Change-Id: I11fe3293aef95f0096935c98e05b40f8d912bc09
2022-08-19 11:26:53 +02:00
Slawek Kaplonski
211d2d9561 [S-RBAC] Use ADMIN rule instead of PROJECT_ADMIN in the new policies
According to the new guidelines accepted in [1] for now there should be
only one ADMIN role and it should have access to everything (like ADMIN
in old rules).
This patch replaces usage of PROJECT_ADMIN to ADMIN and adjusts unit
tests to reflect that change as now ADMIN user has access to all
resources, no matter if it belongs to the own or other project.

[1] https://review.opendev.org/c/openstack/governance/+/847418

Change-Id: Ib88967b492af517931d42600da687d447bd55705
2022-08-19 11:17:04 +02:00
Slawek Kaplonski
32e16bf466 [S-RBAC] Remove system scope from the API policies
According to the new guidelines accepted in [1] for now all new default
API policy rules should have "project" scope only.
This patch adjusts neutron policies according to [1].

[1] https://review.opendev.org/c/openstack/governance/+/847418

Change-Id: I1e923cc268d80087120a9c4d8a7aa4f2780cd82f
2022-08-19 11:16:44 +02:00
Zuul
b551516e30 Merge "Doc: New bug tags: pyroute2 and stable" 2022-08-18 19:08:18 +00:00
Zuul
a0cdb83ff2 Merge "Use neutron-lib method is_session_active" 2022-08-18 14:39:17 +00:00
Zuul
197d0be323 Merge "[OVN] Try to bind ports only to the ovn-controller agents" 2022-08-18 13:37:02 +00:00
Zuul
09207ba731 Merge "Don't retrieve SG port bindings when deleting a SG" 2022-08-18 08:37:47 +00:00
Rodolfo Alonso Hernandez
c5b76a8393 Script to remove duplicated port bindings
A new script to remove the duplicated port bindings was added. This
script will list all ``ml2_port_bindings`` records in the database,
finding those ones with the same port ID. Then the script removes
those ones with status=INACTIVE. This script is useful to remove
those leftovers that remain in the database after a failed live
migration.

"dry_run" mode is possible if selected in "[cli_script] dry_run"
boolean config option. The duplicated port bindings are printed in
the shell but not deleted.

Related-Bug: #1979072

Change-Id: I0de5fbb70eb852f82bd311616557985d1ce89bbf
2022-08-18 08:13:56 +00:00
Slawek Kaplonski
eda45de839 [OVN] Try to bind ports only to the ovn-controller agents
Patch [1] added getting ovn agents from the agents cache and checking
if agent is alive to bind port to it.
Small issue with it was that it could check e.g. ovn metadata agent from
the host as it was only filtering agents by the host on which they are.

This patch adds filter on the agent_type so only ovn-controller agents
are taken from the cache.

[1] https://review.opendev.org/c/openstack/neutron/+/825428

Related-Bug: #1958501
Change-Id: If065204d7521c480656a22fb078bbe6273b5fc70
2022-08-18 09:59:13 +02:00
elajkat
e2ccc12489 Doc: New bug tags: pyroute2 and stable
Change-Id: I27b76daa4bbbad09eee6891fbd63692c1977c431
2022-08-18 09:30:53 +02:00
Zuul
3e8f2325d6 Merge "Fix some pylint indentation warnings" 2022-08-17 16:07:29 +00:00
Zuul
d0ab555329 Merge "`Session.autocommit` parameter is removed" 2022-08-17 15:48:53 +00:00
Zuul
dcf38781a3 Merge "Fix deprecation warnings in pkg_resources" 2022-08-15 19:32:20 +00:00
Zuul
4ee55ec0e1 Merge "Fix a deprecation warning about escape sequence" 2022-08-15 15:20:38 +00:00
Zuul
08c7fbbf5f Merge "Fix deprecation warnings about oslo.context" 2022-08-15 13:53:39 +00:00
Zuul
129429c93f Merge "[ovn] Specify port type if it's a router port when updating" 2022-08-13 16:02:00 +00:00
Takashi Natsume
76cf6b4a9e Fix deprecation warnings in pkg_resources
Fix the following deprecation warnings.

  PkgResourcesDeprecationWarning:
  <MagicMock name='execute().split().__getitem__().__getitem__()'
  id='140417024565696'> is an invalid version and will not be
  supported in a future release

  DeprecationWarning: Creating a LegacyVersion has been
  deprecated and will be removed in the next major release

Change-Id: I23540114120f6ea52754116cfaaeac35e09543b4
Closes-Bug: 1986428
Signed-off-by: Takashi Natsume <takanattie@gmail.com>
2022-08-13 22:53:21 +09:00
Takashi Natsume
e230301a7e Fix a deprecation warning about escape sequence
Fix the following deprecation warning.

  DeprecationWarning: invalid escape sequence \u

Change-Id: Iab460d6c9ff2dbcbf8285567708f169a856eb495
Closes-Bug: 1986421
Signed-off-by: Takashi Natsume <takanattie@gmail.com>
2022-08-13 19:03:19 +09:00
Takashi Natsume
a641b2508d Fix deprecation warnings about oslo.context
Fix the following deprecation warnings.

  DeprecationWarning: Using the 'user' argument is deprecated
  in version '2.18' and will be removed in version '3.0',
  please use the 'user_id' argument instead

  DeprecationWarning: Property 'user' has moved to 'user_id'
  in version '2.6' and will be removed in version '3.0'

Change-Id: I3bda1f744f41ce82c4c3f2a4c9fc31582cce2253
Closes-Bug: 1986418
Signed-off-by: Takashi Natsume <takanattie@gmail.com>
2022-08-13 09:08:00 +00:00
Rodolfo Alonso Hernandez
846737dac4 [OVN][QoS] Add minimum bandwidth rule support to ML2/OVN
This patch adds support for QoS egress minimum bandwidth rules in
ML2/OVN. The enforcement is done in the network backend.

Since [1], in v22.06.0, OVN is capable of guaranteeing a minimal
bandwidth for a logical switch port. The enforcement of this rule
is done in the physical bridge interface.

[1]dbf12e5fe1

Closes-Bug: #1982951

Change-Id: Ia3831b18463c29f676c253edb64419667b5f2c0b
2022-08-12 00:58:17 +02:00
Nurmatov Mamatisa
655001594b Use neutron-lib method is_session_active
In patch [1] the is_session_active method was temporarily
added before n-lib patch [2] release. Now modified to
n-lib method

1) https://review.opendev.org/c/openstack/neutron/+/828739
2) https://review.opendev.org/c/openstack/neutron-lib/+/828738

Change-Id: I1144215b72f7c435e1949b2d66f8bbb268b08c98
2022-08-11 05:58:44 +02:00
Rodolfo Alonso Hernandez
7857a3194b Don't retrieve SG port bindings when deleting a SG
Do not retrieve the security group port bindings in the database
transaction that deletes a security group. In the previous context,
if a security group port binding is present on the database,
the method raises a ``SecurityGroupInUse``. It is unneeded to
retrieve them again.

This patch also changes the
``SecurityGroupPortBinding.security_group_id`` foreign key. Now if
the security group is deleted, any security group port binding related
will be too, using the database engine. That will ensure no leftover
remains in the database. Although the check done in
"delete_security_group" before the security group is deleted, there is
a minimal possibility of race condition between the first database
transaction (SG port binding check) and the second one (SG deletion).

Trivial-Fix

Change-Id: I1c9c2dd95b98a7cc77509b0d537d7c7766765275
2022-08-10 20:51:29 +02:00
Rodolfo Alonso Hernandez
800f863ccc Stop returning unneeded information from "pyroute2" method calls
"pyroute2" methods can include some objects that don't implement
any serialization method (e.g.: "nla_slot" [1]). In those methods
that require an output ("get_*", "list_*", etc.), the Neutron
IP library formats the output inside the privsep context only to
contain serializable objects.

However this library is also returning the blobs returned from
the "pyroute2" library, without parsing and formatting, from
methods that don't require an output ("set_*", "add_*", "delete_*",
etc.). This patch removes the "return" statement from those methods
because the output is not required and to avoid issues like those
reported in the related bug.

[1]8716b9b5c0/pyroute2/netlink/__init__.py (L1754)

Closes-Bug: #1986644
Change-Id: I491dbdabfda0ca010ca56355b71dfe150ed71a71
2022-08-10 19:27:52 +02:00
Rodolfo Alonso Hernandez
812ef0306f `Session.autocommit` parameter is removed
Since [1] (in oslo.db>9.1.0), the ``Session.autocommit`` member
is removed and should not be considered. This patch removes this
dependency while keeping backwards compatibility. This code will
be removed in future releases.

Due to the neutron-lib dependency, this patch bumps the needed
library version to 3.1.0.

[1] https://review.opendev.org/c/openstack/oslo.db/+/804775

Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/851193

Closes-Bug: #1982818
Change-Id: Ibfcf9d5f6cd805f2d64fcd88049e2b43fedc3497
2022-08-10 17:15:04 +02:00
Zuul
f77ef29b87 Merge "[OVN] Fix updating network segmentation ID" 2022-08-10 14:48:49 +00:00
Zuul
4ead75733a Merge "Clean up db residual record from dvr port" 2022-08-10 10:52:12 +00:00
Lucas Alvares Gomes
982c22dd46 [OVN] Fix updating network segmentation ID
The ML2/OVN driver wasn't handling updates to the segmentation ID for a
given network. This patch fixes this problem.

This patch extends the _update_segmentation_id() method to check on
drivers which do not inherit from AgentMechanismDriverBase, which
is the case of OVN (which inherits from MechanismDriver). A new method
is now called for those drivers to get a list of supported VIF types,
called get_supported_vif_types().

Closes-Bug: #1944708
Change-Id: Ibe08bfbc2efc55b9d628cdd0605941b7486186b6
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
2022-08-10 09:44:55 +01:00