This change replaces a usage of the deprecated root_helper option
by the usage of get_root_helper result.
Change-Id: Icfc698243784557cbf987a817c13d0b80969e5d3
Closes-Bug: #1297145
Using noop driver to disable security group is confusing.
In this commit, we introduce enable_security_group in server side.
DocImpact
UpgradeImpact
Implements bp: security-group-config-cleanup
Related-Bug: 1112912
Change-Id: Ice44a4e2a519c64e613eeb24372de46726473339
We've been seeing things that appear to be races between the hosts
files being written out for dnsmasq and dhcp requests coming in. We
will get occasional errors from dnsmasq saying "no address available",
"duplicate IP address" but by the time you look, the corresponding
host file has long since been replaced.
If we had some debugging like this, we could at least correlate what
neutron thought dnsmasq knew at the time the requests were coming in.
We store the filename to avoid multiple lookups, and also
s/name/filename/ to avoid ambiguity and be more consistent with the
rest of the code.
Closes-Bug: #1294892
Change-Id: Ifa92ca71419ce0155b28d2015eff9e82557a0825
Set reraise=False for the cases where the purpose of exception
handler is to reraise proper type of exception
Change-Id: Id6595ba1e160b9033d519ded16e0fbd2f91ccb5d
Closes-Bug: #1288188
report_interval is how often an agent sends out a heartbeat to the
service. The Neutron service responds to these 'report_state' RPC
messages by updating the agent's heartbeat DB record.
The last heartbeat is then compared to the configured
agent_down_time to determine if the agent is up or down.
The agent's status is used when scheduling networks on DHCP
and L3 agents.
In the spirit of sane defaults suited for production, these values
should be bumped to reduce the load on the Neutron service
dramatically, freeing up CPU time to perform intensive operations.
DocImpact
Closes-Bug: #1293083
Change-Id: I77bcf8f66f74ba55513c989caead1f96c92b9832
In current security group code, source_port_range_min
and source_port_range_max are used to specify icmp type
and code when security group rule protocol is icmp.
However, the code _port_arg in iptables_firewall called
by _convert_sgr_to_iptables_rules skips protocol icmp
when processing the arg. This happens to both ipv4 and
ipv6 icmp firewall rules.
This fix adds --icmp-type to iptables firewall rule when
icmp type is specified.
Closes-Bug: 1289088
Change-Id: Iebf109f246d47cffc26ab3c2cf113234a4b2cffe
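The effect described in the commit message above, as an added Python example that is not Neutron's own code: with the ICMP branch missing, a rule meant to allow a single ICMP type becomes a match on all ICMP. The function names and the sample rule are assumptions; the rule keys follow the commit message.

```python
# Added illustration; not Neutron's iptables_firewall code.
ICMP_FLAG = {"icmp": "--icmp-type", "icmpv6": "--icmpv6-type"}


def _l4_ports(direction, lo, hi):
    """TCP/UDP port match: a single port or a multiport range."""
    hi = lo if hi is None else hi
    if lo == hi:
        return ["--%s" % direction, str(lo)]
    return ["-m", "multiport", "--%ss" % direction, "%d:%d" % (lo, hi)]


def port_arg_before(direction, protocol, range_min, range_max):
    """Behaviour described as the bug: ICMP is skipped, no match is emitted."""
    if protocol not in ("tcp", "udp") or range_min is None:
        return []
    return _l4_ports(direction, range_min, range_max)


def port_arg_after(direction, protocol, range_min, range_max):
    """Behaviour described as the fix: ICMP type (and code) become a match."""
    if range_min is None:
        return []
    if protocol in ICMP_FLAG:
        # Type 0 (echo reply) and code 0 are valid values, so compare with
        # None instead of relying on truthiness.
        spec = str(range_min)
        if range_max is not None:
            spec = "%d/%d" % (range_min, range_max)
        return [ICMP_FLAG[protocol], spec]
    if protocol in ("tcp", "udp"):
        return _l4_ports(direction, range_min, range_max)
    return []


def match_args(rule, port_arg):
    """Build the match part of an iptables rule from a rule dict."""
    proto = rule["protocol"]
    return ["-p", proto] + port_arg("sport", proto,
                                    rule.get("source_port_range_min"),
                                    rule.get("source_port_range_max"))


# Constructed sample rule: permit only ICMP echo request (type 8, code 0).
ECHO_REQUEST = {"protocol": "icmp", "source_port_range_min": 8,
                "source_port_range_max": 0}

if __name__ == "__main__":
    print(" ".join(match_args(ECHO_REQUEST, port_arg_before)))
    print(" ".join(match_args(ECHO_REQUEST, port_arg_after)))
```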
Remove hardcoded flow parameters from
'_build_flow_expr_str' method, so we can
define any flows we want and can rely on 'ovs-ofctl'
command to verify flow arguments correctness.
When building flow string inside _build_flow_expr_str
use the following approach:
1. Build prefix and remove prefix params from flow_dict.
2. Build postfix (actions) and remove 'actions' from
flow dict.
3. Inside the loop build flow array from everything
that's left in flow_dict.
4. Append postfix (actions) to the flow array.
5. 'Join' flow array into flow string.
Change _build_flow_expr_str() to be a function
instead of an object method because 'self'
parameter wasn't used.
Remove 'add_or_mod_flow_str' method because
we have to use separate logic when building flow
strings for 'add_flow' and 'mod_flow' methods.
Add more unit tests for OVSBridge class.
Closes-Bug: #1255058
Closes-Bug: #1240572
Change-Id: Ic89221d006a626aa2fc40314a9acffc0ea6fd61c
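The five steps listed in the commit message above, as an added Python example that is not the project's own code. Which keys count as prefix params, the `cmd` values and the sorted key order are assumptions made for the illustration.

```python
# Added illustration; not the project's ovs_lib code.
PREFIX_KEYS = ("hard_timeout", "idle_timeout", "priority")  # assumed prefix params


def build_flow_expr_str(flow_dict, cmd):
    """Return the flow string for cmd in ('add', 'mod', 'del')."""
    remaining = dict(flow_dict)  # copy, so the caller's dict is left intact
    flow_arr = []

    # 1. Build the prefix and remove its params from the dict.
    for key in PREFIX_KEYS:
        if key in remaining:
            flow_arr.append("%s=%s" % (key, remaining.pop(key)))

    # 2. Build the postfix (actions) and remove 'actions' from the dict.
    actions = remaining.pop("actions", None)
    if cmd in ("add", "mod") and actions is None:
        raise ValueError("'actions' is required for %s" % cmd)

    # 3. Everything left is passed through untouched; ovs-ofctl validates it.
    #    Sorting only makes the output deterministic for this example.
    for key in sorted(remaining):
        flow_arr.append("%s=%s" % (key, remaining[key]))

    # 4. Append the postfix last.
    if actions is not None:
        flow_arr.append("actions=%s" % actions)

    # 5. Join the array into the flow string.
    return ",".join(flow_arr)


if __name__ == "__main__":
    # Constructed sample flow.
    print(build_flow_expr_str(
        {"actions": "drop", "in_port": 1, "priority": 2, "dl_vlan": 5}, "add"))
```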
Sometimes a vm gets its tap interface unset and reset too fast to be caught in
an agent loop, and its vlan tag was not reset.
We now detect if an interface loses its vlan tag, and if it happens the
interface will be reconfigured.
Since the TAG ID is only available via the "Port" table (in the 'tag' column),
we couldn't reuse the get_vif_port_set() method's run_vsctl call which queries
the "Interface" table, and needed a specific run_vsctl call to the "Port" table
in the new get_port_tag_dict() method.
Change-Id: I7f59e2c1e757c28dae35c44ebfad9d764ae1d3c5
Closes-Bug: 1240849
This patch replaces all occurrences of the strings
prefixed by network:* by their constant equivalent.
Closes-bug: #1270863
Change-Id: I149cc0ab7bde08ea83057e6c0697f668edbe29db
Plugging a device usually involves checking for the existence of the
device twice, once before calling plug and once after. It turns out
that these calls are expensive, often taking a half second or more
each. For that reason, it is worth the effort to make sure we check
only once.
The device driver is now responsible for cleanly plugging/unplugging
the device without knowing whether it exists or not. Pushing this
responsibility to the device driver allows implementing it more
efficiently in terms of calls made out to the operating system.
This is targeted at the neutron-tempest-parallel bp because it shaves
time off the time to set up a router, something that hinders parallel
performance.
Change-Id: I391fafe68b76e1c620d2b25e8613ba507fd25dfd
Partial-Bug: #1287824
I saw some code in a couple of reviews today that check whether a
namespace is set and run it under "ip netns exec ..." if it is.
Otherwise, it runs the command without it in the default namespace.
Change-Id: I55e8f4f3523ec7a7c5a6f082addf918952a05741
Closes-Bug: #1287524
This adds ML2 mechanism driver controlling OpenFlow switches
and an agent using Ryu as OpenFlow Python library.
- An agent acts as an OpenFlow controller on each compute node.
- OpenFlow 1.3 (vendor agnostic unlike OVS extensions).
Implements: blueprint ryu-ml2-driver
Change-Id: I6a8168d24f911996639179d91c4da49151751057
Add a new 'status' attribute to the floating IP resource.
Extend the plugin RPC interface for allowing status updates from agents,
and implement support for operational status in the L3 agent.
The default behaviour for all the plugins different from
neutron.services.l3_router.l3_router_plugin is to set the status of
a floating IP to ACTIVE upon creation.
Implements blueprint fip-op-status
Change-Id: Ib0176fbcde95b0db5dfdabd4fc297d1d29c0d604
In the process __init__.py involved have been emptied;
vim modelines and author lines have been dropped from
the license headers affected by the change as well.
Partial-implements blueprint nicira-plugin-renaming
Change-Id: I9c535b59bb2e83f275816472e0e32b41444d3bbe
This is returning any port, even if it's not on the switch that we're
looking at. As a side-effect, this means that we can actually manipulate
these ports while we really shouldn't.
Co-Authored-By: Rossella Sblendido <rsblendido@suse.com>
Change-Id: Ia4f4e93237c1c2ea6cb4b6c2f5adf78d6b34c7bf
Closes-Bug: #1283765
Neutron namespace proxy handler and metadata agent were not setting the
Content-Type in their responses. Both of them were returning only the response
data which is obtained from the nova-metadata-service. Since they were returning
only the response data, the Content-Type returned to the clients was the default
one, which is "text/html". Ideally this should be set to the data type which is
present in the HTTP Response. The fix now includes the Content-Type which is
returned by nova-metadata-service.
Closes-Bug: #1243878
Change-Id: If68f0b508fbea4ecd1eb0e58d602b5ba6ccbe263
Some config options (interface_driver, use_namespaces) are defined
multiple times in an ad-hoc way. It causes a DuplicateOptError exception
when using those modules at the same time. Right now the exception is
avoided in an ad-hoc way by each executable. Those duplicated
definitions should be consolidated and treated in a uniform way.
This is the blocker for blueprint: l3-agent-consolidation
neutron.services.loadbalancer.drivers.haproxy.agent periodic_interval
conflicts with neutron.service one. Since there is no way to fix it
without changing existing behavior/default value, it is untouched for now.
Closes-bug: #1279769
Change-Id: Ifed79b7ee0033644854499416f8a2b22a20416fe
Currently, because the IPv6 address in the dnsmasq host file is
not wrapped with '[]', dnsmasq cannot distinguish an IPv6 address
from a MAC address, so deployed instances cannot get an
IPv6 address via the dnsmasq dhcp service.
Change-Id: I023e44667a238664d11f2ac2cc484432cd301bcc
Closes-Bug: #1281916
This patch fixes issues when using wrap target
for add_rule and remove_rule methods.
Change-Id: I01926719ef5ccf229748b9ceb1553e5314ab623e
Closes-bug: #1269189
Adds two configuration options to support https client for metadata proxy
* auth_insecure: turn off verification of the certificate for ssl, or
* auth_ca_cert: CA cert to check against for ssl.
Change-Id: I3ffb86ae9ce31931436a4e13957aae30eebf9d92
Closes-Bug: #1263872
When neutron router-interface-delete <router> <subnet> is run
during L3-agent restart, the agent may fail to delete the old
internal device. After the restart, when the command "neutron
router-interface-add <router> <subnet>" is run again, the
router ends up having two internal devices configured with the
same IP address.
Closes-Bug: #1244853
Change-Id: I0d7e2db6aa7dae26d0fc3fe1b1527762cb1e3b23