Dnsmasq emits a warning when started in most neutron deployments:
dnsmasq[27287]: LOUD WARNING: use --bind-dynamic rather than
--bind-interfaces to avoid DNS amplification attacks via
these interface(s)
Since option --bind-dynamic is available since dnsmasq 2.63
(https://github.com/liquidm/dnsmasq/blob/master/FAQ#L239) and
we require 2.67, change to use this option instead.
Change-Id: Id7971bd99b04aca38180ff109f542422b1a925d5
Closes-bug: #1828473
The RPC notifier method can sometimes be time-consuming;
this will cause other parallel processing resources
to fail to send notifications in time. This patch changes
the notify to asynchronous.
Closes-Bug: #1824911
Change-Id: I3f555a0c78fbc02d8214f12b62c37d140bc71da1
When the openvswitch firewall driver is used, it is required to load
the nf_conntrack_proto_gre kernel module to make GRE tunnels from VM to VM
work properly.
This patch adds such info to the ovs firewall documentation, as it should be
the deployer's decision to load or not load this module.
This patch also adds a sanity check which checks if the nf_conntrack_proto_gre
module is loaded or not, and can warn the user when this module is not
loaded.
It also adds loading of this kernel module in the neutron devstack plugin.
Change-Id: Ic97ca00c804f0a540ee0dc53d9e4e07bf8410869
Closes-Bug: #1828053
Test test_forbid_offline_migrations_starting_newton from the
neutron.tests.functional.db.test_migrations.TestModelsMigrationsMysql
module can also fail because of db timeouts when running on an
overloaded test node.
To not fail the job because of that, this patch adds the skip_if_timeout
decorator to this additional test.
Change-Id: Ia255d331cbb24e1fdd12212580e85423da242eae
Related-Bug: #1687027
This prevents agent gw ports from being created in cases where the fip is not
serviced by a DVR-enabled router. Also, when the router is not DVR
enabled, deleting the gw port becomes a problem even after the router
attachments to the external network are deleted. This fix creates the
agent gw port only if the router associated with the fip is distributed.
Closes-Bug: #1810349
Co-Authored-By: Allain Legacy <allain.legacy@windriver.com>
Co-Authored-By: Matt Peters <Matt.Peters@windriver.com>
Co-Authored-By: Matt Welch <matt.welch@intel.com>
Change-Id: Ibcf087136e30535678c7600bac6ce4d621afe830
Signed-off-by: Enyinna Ochulor <enyinna.ochulor@intel.com>
Sometimes when a port is created on the dhcp agent's side, it may happen
that the same port is already in the network cache.
Before this patch, if a port with the same IP address was already in the cache,
resync was rescheduled because of duplicate IPs found in the cache.
Now resync will be scheduled only if the duplicate IP address belongs to
a port with a different MAC address or different id.
Change-Id: I23afbc10725f5dc78e3c63e6e505ef89ba8dc4a5
Closes-Bug: #1824802
The current code will remove the port from sg_port_map, but then it
won't be added into the map. When we resize/migrate this instance,
the related openflow won't be deleted; this will cause a VM connectivity
problem.
Closes-Bug: #1825295
Change-Id: I94ddddda3c1960d43893c7a367a81279d429e469
Ignore a bandit B105 warning (hardcoded_password_string)
as there is a false positive in the xenapi_root_helper code.
Change-Id: Icb97ae49df0e138d30d8baf2da1b61165adac107
Reflect the changes to openstack/requirements introduced in change
Ib8c1bf08f5fa7463911602b0df19315907c81e04.
Change-Id: I89e5370ddcd4447d2e008626256d8a465a1fa710
"tc_lib._handle_from_hex_to_string" should print major and minor values
in hex format, not in decimal format:
0xMMMMmmmm -> "M:m"
0x123A456B -> "123A:456B"
Change-Id: I91eb5d9fc58e8233c48b6aabba772cd6ff65a156
Closes-Bug: #1826570
Pyroute2 is modifying the default logger, adding NullHandler to it. If
the logger is not properly configured, like in any service or agent
spawned in Neutron, the only handler will be NullHandler. This prevents
the passed message from being rendered, as when StreamHandler is used.
This issue is present only in versions 0.5.4 and 0.5.5. Current Pyroute2
master version implements a new logger which removes this problem.
[1] https://github.com/svinota/pyroute2/blob/0.5.5/pyroute2/__init__.py#L78-L79
Change-Id: Ic89d8503e9d1a7f622f0c3a148bf78766b92ed08
Related-Bug: #1811515
This patch switches over to the payload style kwargs for RBAC_POLICY
callback events.
NeutronLibImpact
Change-Id: Ibf39013bfec7f03f76be7decf63000df3f0f6ad3
Some policy rules, e.g. for create_port, are using the rule "network:shared",
in which the "shared" field is related to the network resource instead of
the port directly.
Because of that, "shared" was missing from "target" in the policy
enforce module, thus validation wasn't working properly for such a rule.
This patch fixes it by adding to the FieldCheck checker the possibility to
get the network object and use its "shared" field to validate the policy.
Change-Id: I56c99883fce40c37a5ee26e6e661c0cc0783c42f
Closes-Bug: #1808112
There are some extreme conditions which will result in an unbound
router gateway port. Then all the centralized floating IPs will
not be reachable since the gateway port was set to the 4095 tag.
This patch adds the HA status to the router related port
processing code path. If it is HA router, the gateway port
will go to the right HA router processing code branch.
Closes-Bug: #1827754
Change-Id: Ida1c9f3a38171ea82adc2f11cb17945d6e2434be
This patch switches over to payload style callbacks for all
SEGMENT_HOST_MAPPING events.
NeutronLibImpact
Change-Id: I71888b2b72b486c32991d651cdc608adb2149500
This is to remove the unnecessary slash when the line doesn't
exceed the length of 79, to make the code more readable.
Change-Id: I5e7c8d5fc6d4b3917b6e8e196f9cbcacb8807e6c
Once the HA port is set, it must keep this value no matter
what the server returns, because there is a race condition
between the l3-agent side syncing router info for processing
and the server side deleting the router.
This patch adds a helper function for every ha_port set
action. If the ha_port is not None, it will always stay
with the original value.
Closes-Bug: #1826726
Change-Id: I96a088d25048be02a9c5b12c1d087df075b36fc4
In case of policy rule checks for rules like e.g.
"create_port:fixed_ips:subnet" couldn't be created to be
passed to policy enforcer because policy module could only
create rule checks for subattributes which are dict types.
With this patch checks for such rules can be created also for
attributes which are list of dicts, like e.g. fixed_ips in port
resource.
Change-Id: I02fffe77f57a513d2362df78885d327042bb8095
Closes-Bug: #1822105
Based on some recent questions on IPv6 address generation in
guests, update the relevant section in the docs to make it
more up-to-date.
Partial-bug: #1827489
Change-Id: Ibbf4d5458293c9c0269f6a80f5519caa175994ec
There are a few places in network_segment_range service plugin in
Neutron that are not yet using the exceptions from neutron-lib.
After the merge of [1], this patch addresses these TODOs by switching
all uses of segment range exceptions to use neutron-lib.
[1] https://review.openstack.org/640777
Partially-implements: blueprint network-segment-range-management
Change-Id: I5b254de25c2781422437ab7d94b6f19dfc747efd