This change is updating the vlanmanager data structure to handle for a
given network more than one vlan mapping. This is prerequisite work
needed to progress on accepting several segments per network per
host.
The work done here is trying to avoid changing logic in the
current implementation. Unit tests should not have values updated,
but probably signatures changed.
Partial-Bug: #1956435
Partial-Bug: #1764738
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
Change-Id: Ic3c147136549b17aea0fe78e930a41a5b33ab9d8

- Use only the documentation prefix in examples
- Update some formatting and wording
- Add a reference in the OVN gaps document
Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I2acf762008ce44b6a792c615c153071e1c10e0b3

In some specific use cases, the cloud operator expects the source port
of a packet to stay the same across all masquerading layers up to the
destination host. With the implementation of the random-fully code,
this behavior was changed as source_port is always rewritten no matter
which type of architecture / network CIDRs is being used in the backend.
This setting allows a user to fall back to the original behavior of the
masquerading process which is to keep the source_port consistent across
all layers. The initial random-fully fix prevents packet drops when
duplicate tuples are generated from two different namespaces when the
source_ip:source_port goes toward the same destination so enabling this
setting would allow this issue to show again. Perhaps a right approach
here would be to fix this "racey" situation in the kernel by perhaps
using the mac address as a seed to the tuple ...
Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5
Closes-bug: #1987396

This will allow subnets from shared networks to be added on routers using:
$ openstack router add subnet router_id subnet_id
Without this, neutron user must use a multi-router solution, which is
not convenient at all.
Closes-Bug: #1975603
Related-Bug: #1757482
Signed-off-by: Arnaud Morin <arnaud.morin@ovhcloud.com>
Change-Id: I50f07d41428e57e6bed9be16980a6c605b7d130e

Since [1], when a segment is deleted because the network is before,
the segment event handler method ``_handle_segment_change`` does not
call ``_notify_mechanism_driver_for_segment_change`` and thus the
check performed in ``OVNMechanismDriver.update_network_postcommit``
is not needed anymore.
[1] https://review.opendev.org/c/openstack/neutron/+/786373
Closes-Bug: #1739798
Change-Id: I4bb22a0a0a233609a4d23af55a050356049eb214

There is a scenario where the IP allocation pool is depleted but the OVN
metadata port got its IP removed manually. The DB sync script will
attempt to allocate a new IP address if DHCP is enabled in the subnet.
Since the pool has no available IP addresses an exception is raised and
the whole db sync stops.
This patch simply catches the exception, logs an error and continues
syncing other resources.
Closes-bug: #1987135
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
Change-Id: Iaa7b0d7ceb244a38fddd7676066683bf2ca72341

According to latest agreement about Secure RBAC [1] we are not using
PROJECT_ADMIN and SYSTEM_{ADMIN,MEMBER,READER} roles at all, at least
for now.
So there's no point to keep definitions of those roles in the code and
this patch removes them.
[1] https://review.opendev.org/c/openstack/governance/+/847418
Change-Id: I7ecfa39615375f71902d6fed4f3c82f9049c4c61

This change reflects latest agreement from [1] that instead of
ProjectAdmin role there will be "legacy" Admin role which behaves as
"old" Admin basically.
[1] https://review.opendev.org/c/openstack/governance/+/847418
Change-Id: I11fe3293aef95f0096935c98e05b40f8d912bc09

According to the new guidelines accepted in [1] for now there should be
only one ADMIN role and it should have access to everything (like ADMIN
in old rules).
This patch replaces usage of PROJECT_ADMIN to ADMIN and adjusts unit
tests to reflect that change as now the ADMIN user has access to all
resources, no matter if they belong to its own or another project.
[1] https://review.opendev.org/c/openstack/governance/+/847418
Change-Id: Ib88967b492af517931d42600da687d447bd55705

According to the new guidelines accepted in [1] for now all new default
API policy rules should have "project" scope only.
This patch adjusts neutron policies according to [1].
[1] https://review.opendev.org/c/openstack/governance/+/847418
Change-Id: I1e923cc268d80087120a9c4d8a7aa4f2780cd82f

A new script to remove the duplicated port bindings was added. This
script will list all ``ml2_port_bindings`` records in the database,
finding those ones with the same port ID. Then the script removes
those ones with status=INACTIVE. This script is useful to remove
those leftovers that remain in the database after a failed live
migration.
"dry_run" mode is possible if selected in "[cli_script] dry_run"
boolean config option. The duplicated port bindings are printed in
the shell but not deleted.
Related-Bug: #1979072
Change-Id: I0de5fbb70eb852f82bd311616557985d1ce89bbf
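
The cleanup described in the commit message above, as an added example that is not the Neutron script itself. It runs against an in-memory SQLite table with a simplified, constructed ``ml2_port_bindings`` schema (only ``port_id``, ``host`` and ``status``); the function names and the ``dry_run`` argument are hypothetical.

```python
import sqlite3

# Constructed sample rows; only the columns the commit message mentions
# (port ID and status) plus host are modelled, not the full Neutron schema.
SAMPLE_BINDINGS = [
    ("port-a", "compute-1", "ACTIVE"),
    ("port-a", "compute-2", "INACTIVE"),  # leftover of a failed live migration
    ("port-b", "compute-1", "ACTIVE"),    # single binding, must be kept
    ("port-c", "compute-3", "INACTIVE"),  # INACTIVE but not duplicated, kept
    ("port-d", "compute-1", "ACTIVE"),
    ("port-d", "compute-4", "INACTIVE"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ml2_port_bindings ("
                 "port_id TEXT, host TEXT, status TEXT, "
                 "PRIMARY KEY (port_id, host))")
    conn.executemany("INSERT INTO ml2_port_bindings VALUES (?, ?, ?)",
                     SAMPLE_BINDINGS)
    return conn


def remove_duplicated_port_bindings(conn, dry_run=True):
    """Return the INACTIVE bindings of ports that have more than one
    binding; delete them unless dry_run is set."""
    dup = conn.execute(
        "SELECT port_id, host FROM ml2_port_bindings "
        "WHERE status = 'INACTIVE' AND port_id IN ("
        "  SELECT port_id FROM ml2_port_bindings "
        "  GROUP BY port_id HAVING COUNT(*) > 1) "
        "ORDER BY port_id, host").fetchall()
    for port_id, host in dup:
        print("duplicated binding: port=%s host=%s" % (port_id, host))
    if not dry_run:
        with conn:  # one transaction: all deletions commit or none do
            conn.executemany(
                "DELETE FROM ml2_port_bindings "
                "WHERE port_id = ? AND host = ?", dup)
    return dup


def remaining(conn):
    return conn.execute(
        "SELECT COUNT(*) FROM ml2_port_bindings").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    remove_duplicated_port_bindings(db, dry_run=True)
    print("rows after dry run:", remaining(db))
    remove_duplicated_port_bindings(db, dry_run=False)
    print("rows after cleanup:", remaining(db))
```
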

Patch [1] added getting ovn agents from the agents cache and checking
if the agent is alive to bind a port to it.
Small issue with it was that it could check e.g. ovn metadata agent from
the host as it was only filtering agents by the host on which they are.
This patch adds filter on the agent_type so only ovn-controller agents
are taken from the cache.
[1] https://review.opendev.org/c/openstack/neutron/+/825428
Related-Bug: #1958501
Change-Id: If065204d7521c480656a22fb078bbe6273b5fc70

Fix the following deprecation warnings.
PkgResourcesDeprecationWarning:
<MagicMock name='execute().split().__getitem__().__getitem__()'
id='140417024565696'> is an invalid version and will not be
supported in a future release
DeprecationWarning: Creating a LegacyVersion has been
deprecated and will be removed in the next major release
Change-Id: I23540114120f6ea52754116cfaaeac35e09543b4
Closes-Bug: 1986428
Signed-off-by: Takashi Natsume <takanattie@gmail.com>

Fix the following deprecation warnings.
DeprecationWarning: Using the 'user' argument is deprecated
in version '2.18' and will be removed in version '3.0',
please use the 'user_id' argument instead
DeprecationWarning: Property 'user' has moved to 'user_id'
in version '2.6' and will be removed in version '3.0'
Change-Id: I3bda1f744f41ce82c4c3f2a4c9fc31582cce2253
Closes-Bug: 1986418
Signed-off-by: Takashi Natsume <takanattie@gmail.com>

This patch adds support for QoS egress minimum bandwidth rules in
ML2/OVN. The enforcement is done in the network backend.
Since [1], in v22.06.0, OVN is capable of guaranteeing a minimal
bandwidth for a logical switch port. The enforcement of this rule
is done in the physical bridge interface.
[1]dbf12e5fe1
Closes-Bug: #1982951
Change-Id: Ia3831b18463c29f676c253edb64419667b5f2c0b

Do not retrieve the security group port bindings in the database
transaction that deletes a security group. In the previous context,
if a security group port binding is present on the database,
the method raises a ``SecurityGroupInUse``. It is unneeded to
retrieve them again.
This patch also changes the
``SecurityGroupPortBinding.security_group_id`` foreign key. Now if
the security group is deleted, any security group port binding related
will be too, using the database engine. That will ensure no leftover
remains in the database. Although the check is done in
"delete_security_group" before the security group is deleted, there is
a minimal possibility of race condition between the first database
transaction (SG port binding check) and the second one (SG deletion).
Trivial-Fix
Change-Id: I1c9c2dd95b98a7cc77509b0d537d7c7766765275

"pyroute2" methods can include some objects that don't implement
any serialization method (e.g.: "nla_slot" [1]). In those methods
that require an output ("get_*", "list_*", etc.), the Neutron
IP library formats the output inside the privsep context only to
contain serializable objects.
However this library is also returning the blobs returned from
the "pyroute2" library, without parsing and formatting, from
methods that don't require an output ("set_*", "add_*", "delete_*",
etc.). This patch removes the "return" statement from those methods
because the output is not required and to avoid issues like those
reported in the related bug.
[1]8716b9b5c0/pyroute2/netlink/__init__.py (L1754)
Closes-Bug: #1986644
Change-Id: I491dbdabfda0ca010ca56355b71dfe150ed71a71

Since [1] (in oslo.db>9.1.0), the ``Session.autocommit`` member
is removed and should not be considered. This patch removes this
dependency while keeping backwards compatibility. This code will
be removed in future releases.
Due to the neutron-lib dependency, this patch bumps the needed
library version to 3.1.0.
[1] https://review.opendev.org/c/openstack/oslo.db/+/804775
Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/851193
Closes-Bug: #1982818
Change-Id: Ibfcf9d5f6cd805f2d64fcd88049e2b43fedc3497

The ML2/OVN driver wasn't handling updates to the segmentation ID for a
given network. This patch fixes this problem.
This patch extends the _update_segmentation_id() method to check on
drivers which do not inherit from AgentMechanismDriverBase, which
is the case of OVN (which inherits from MechanismDriver). A new method
is now called for those drivers to get a list of supported VIF types,
called get_supported_vif_types().
Closes-Bug: #1944708
Change-Id: Ibe08bfbc2efc55b9d628cdd0605941b7486186b6
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>