Using noop driver to disable security group is confusing.
In this commit, we introduce enable_security_group in server side.
Implements bp: security-group-config-cleanup
We've been seeing things that appear to be races between the hosts
files being written out for dnsmasq and dhcp requests coming in. We
will get occasional errors from dnsmasq saying "no address available",
"duplicate IP address" but by the time you look, the corresponding
host file has long since been replaced.
If we had some debugging like this, we could at least correlate what
neutron thought dnsmasq knew at the time the requests were coming in.
We store the filename to avoid multiple lookups, and also
s/name/filename/ to avoid ambiguity and be more consistent with the
rest of the code.
report_interval is how often an agent sends out a heartbeat to the
service. The Neutron service responds to these 'report_state' RPC
messages by updating the agent's heartbeat DB record.
The last heartbeat is then compared to the configured
agent_down_time to determine if the agent is up or down.
The agent's status is used when scheduling networks on DHCP
and L3 agents.
In the spirit of sane defaults suited for production, these values
should be bumped to reduce the load on the Neutron service
dramatically, freeing up CPU time to perform intensive operations.
In current security group code, source_port_range_min
and source_port_range_max are used to specify icmp type
and code when security group rule protocol is icmp.
However, the code _port_arg in iptables_firewall called
by _convert_sgr_to_iptables_rules skips protocol icmp
when processing the arg. This happens to both ipv4 and
ipv6 icmp firewall rules.
This fix adds --icmp-type to iptables firewall rule when
icmp type is specified.
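
The translation described in the commit message above, as an added Python example that is not Neutron's iptables_firewall code. The function names and sample rules are hypothetical; the rule field names are the ones the message uses, and `--icmpv6-type` is the ip6tables counterpart of `--icmp-type`.

```python
# Added illustration; not Neutron's iptables_firewall code.
# Field names follow the commit message; function names are hypothetical.

def icmp_match_args(rule):
    """Return iptables/ip6tables match args for an ICMP security group rule."""
    if rule.get("protocol") != "icmp":
        return []
    v6 = rule.get("ethertype") == "IPv6"
    args = ["-p", "icmpv6" if v6 else "icmp"]
    icmp_type = rule.get("source_port_range_min")
    icmp_code = rule.get("source_port_range_max")
    if icmp_type is None:
        if icmp_code is not None:
            raise ValueError("ICMP code given without a type")
        return args  # the rule really does mean "all ICMP"
    for name, value in (("type", icmp_type), ("code", icmp_code)):
        if value is not None and not 0 <= value <= 255:
            raise ValueError("ICMP %s out of range: %r" % (name, value))
    # Compare against None, not truthiness: type 0 (echo reply) and
    # code 0 are valid values and must not be dropped.
    if icmp_code is None:
        spec = str(icmp_type)
    else:
        spec = "%d/%d" % (icmp_type, icmp_code)
    return args + ["--icmpv6-type" if v6 else "--icmp-type", spec]


def is_overbroad(rule, emitted_args):
    """True when the rule names an ICMP type but the emitted args omit it,
    i.e. the firewall would admit every ICMP type instead of one."""
    if rule.get("protocol") != "icmp":
        return False
    if rule.get("source_port_range_min") is None:
        return False
    return not any(a in ("--icmp-type", "--icmpv6-type") for a in emitted_args)


# Constructed sample rules.
ECHO_REQUEST_V4 = {"ethertype": "IPv4", "protocol": "icmp",
                   "source_port_range_min": 8, "source_port_range_max": 0}
ECHO_REPLY_V4 = {"ethertype": "IPv4", "protocol": "icmp",
                 "source_port_range_min": 0, "source_port_range_max": None}
NEIGHBOR_SOLICIT_V6 = {"ethertype": "IPv6", "protocol": "icmp",
                       "source_port_range_min": 135,
                       "source_port_range_max": None}
```

`is_overbroad` can be run over rules and the arguments a firewall driver actually emitted to find rules that were silently widened to all ICMP.
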
Remove hardcoded flow parameters from
'_build_flow_expr_str' method, so we can
define any flows we want and can rely on 'ovs-ofctl'
command to verify flow arguments correctness.
When building flow string inside _build_flow_expr_str
use the following approach:
1. Build prefix and remove prefix params from flow_dict.
2. Build postfix (actions) and remove 'actions' from
3. Inside the loop build flow array from everything
that's left in flow_dict.
4. Append postfix (actions) to the flow array.
5. 'Join' flow array into flow string.
Change _build_flow_expr_str() to be a function
instead of an object method because 'self'
parameter wasn't used.
Remove 'add_or_mod_flow_str' method because
we have to use separate logic when building flow
strings for 'add_flow' and 'mod_flow' methods.
Add more unit tests for OVSBridge class.
Sometimes a vm gets its tap interface unset and reset too fast to be caught in
an agent loop, and its vlan tag was not reset.
We now detect if an interface loses its vlan tag, and if it happens the
interface will be reconfigured.
Since the TAG ID is only available via the "Port" table (in the 'tag' column),
we couldn't reuse the get_vif_port_set() method's run_vsctl call which queries
the "Interface" table, and needed a specific run_vsctl call to the "Port" table
in the new get_port_tag_dict() method.
Plugging a device usually involves checking for the existence of the
device twice, once before calling plug and once after. It turns out
that these calls are expensive, often taking a half second or more
each. For that reason, it is worth the effort to make sure we check
The device driver is now responsible for cleanly plugging/unplugging
the device without knowing whether it exists or not. Pushing this
responsibility to the device driver allows implementing it more
efficiently in terms of calls made out to the operating system.
This is targeted at the neutron-tempest-parallel bp because it shaves
time off the time to set up a router, something that hinders parallel
I saw some code in a couple of reviews today that checks whether a
namespace is set and runs it under "ip netns exec ..." if it is.
Otherwise, it runs the command without it in the default namespace.
This adds ML2 mechanism driver controlling OpenFlow switches
and an agent using Ryu as OpenFlow Python library.
- An agent acts as an OpenFlow controller on each compute node.
- OpenFlow 1.3 (vendor agnostic unlike OVS extensions).
Implements: blueprint ryu-ml2-driver
Add a new 'status' attribute to the floating IP resource.
Extend the plugin RPC interface for allowing status updates from agents,
and implement support for operational status in the L3 agent.
The default behaviour for all the plugins different from
neutron.services.l3_router.l3_router_plugin is to set the status of
a floating IP to ACTIVE upon creation.
Implements blueprint fip-op-status
In the process __init__.py involved have been emptied;
vim modelines and author lines have been dropped from
the license headers affected by the change as well.
Partial-implements blueprint nicira-plugin-renaming
This is returning any port, even if it's not on the switch that we're
looking at. As a side-effect, this means that we can actually manipulate
these ports while we really shouldn't.
Co-Authored-By: Rossella Sblendido <email@example.com>
Neutron namespace proxy handler and metadata agent were not setting the
Content-Type in their responses. Both of them were returning only the response
data which is obtained from the nova-metadata-service. Since they were returning
only the response data, the Content-Type returned to the clients has the default
one, which is "text/html". Ideally this should be set to the data type which is
present in the HTTP Response. The fix now includes the Content-Type which is
returned by nova-metadata-service.
Some config options (interface_driver, use_namespaces) are defined
multiple times in an ad-hoc way. It causes a DuplicateOptError exception
when using those modules at the same time. Right now the exception is
avoided in an ad-hoc way by each executable. Those duplicated
definitions should be consolidated and treated in a uniform way.
This is the blocker for blueprint: l3-agent-consolidation
conflicts with neutron.service one. Since there is no way to fix it
without changing existing behavior/default value, it is untouched for now.
Currently, because the IPv6 address is not wrapped with '' in the
dnsmasq host file, dnsmasq cannot distinguish an IPv6 address
from a MAC address, so deployed instances cannot get an
IPv6 address via the dnsmasq dhcp service.
Adds two configuration options to support https client for metadata proxy
* auth_insecure: turn off verification of the certificate for ssl, or
* auth_ca_cert: CA cert to check against for ssl.
When neutron router-interface-delete <router> <subnet> is run
during L3-agent restart, the agent may fail to delete the old
internal device. After the restart, when the command "neutron
router-interface-add <router> <subnet>" is run again, the
router ends up having two internal devices configured with the
same IP address.