When we manually move a router from one dvr_snat node to
another dvr_snat node the snat_namespace should be removed in
the originating node by the agent and will be re-created in the
destination node by the destination agent.
But when the agent dies, the router_update message reaches the
agent after the agent restarts. At this time the agent should
remove the snat_namespace since it is no longer hosted by the
current agent.
Even though we do have logic in the agent to take care of cleaning
up the snat namespaces if the gw_port_host does not match the
existing agent host, in this particular use case the self.snat_namespace
is always set to 'None' in the dvr_edge_router init call when the agent
restarts.
This patch fixes the above issue by initializing the snat namespace
object during the router_init. Since we then have a valid snat
namespace object, the agent should clean up the namespace if the
gw_port_host mismatches.
Change-Id: I30524dc77b743429ef70941479c9b6cccb21c23c
Closes-Bug: #1557909
(cherry picked from commit 9dc70ed77e)

Perform deletion of the stale flows in physical bridges consistently with
br-int and br-tun, respecting drop_flows_on_start configuration option.
Added tests for auxiliary bridge and functional tests for the physical
bridge using VLAN/flat external network. Fixes part of bug 1514056;
together with [1] and [2], the bug should be considered fixed.
The commit also fixes inconsistency between netmask of allocated IP
addresses assigned in _create_test_port_dict and ip_len in _plug_ports
of base.py.
Further, this commit sets agent UUID to physical bridges similarly to
tun and int bridges. This is necessary for stale flows cleanup to work
correctly. Upstream, it is handled using OVSBridgeCookieMixin.
[1] https://review.openstack.org/#/c/297211/
[2] https://review.openstack.org/#/c/297818/
Conflicts:
neutron/tests/functional/agent/l2/base.py
neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_tunnel.py
Co-Authored-By: Jian Wen <wenjianhn@gmail.com>
Co-Authored-By: Clayton O'Neill <clayton@oneill.net>
Partial-Bug: 1514056
Change-Id: I9801b76829021c9a0e6358982e1136637634a521
(cherry picked from commit cacde308ee)

The FIP namespace is associated with an external network
on a given node. In the case of DVR there is just one
single FIP namespace for a given node.
We have seen some race conditions in the agent for creation
and deletion of the fip namespace. See the bug report for
details on the failure.
So in order to address this race condition and make the
code more stable, we will be cleaning up the fip namespace
only when an external network is removed.
The server will be sending an rpc notification message to
the agent to clean up the fip namespace when the external
net is removed.
This patch addresses the above mentioned issue by not constantly
deleting and creating the fip namespace.
Conflicts:
neutron/tests/functional/agent/test_l3_agent.py
Closes-Bug: #1501873
(cherry picked from commit cb465d40f5)
Change-Id: I86869f66d4afffad7db09942578b1a456a9bd418

The change set of c5fa665de3
introduced a new test TestMl2PortsV2.test_update_port_host_id_changed
which isn't always correct depending on the driver.
An ML2 driver may change the port status to ACTIVE on port binding.
With such a driver, the test fails. Grep showed 5 decomposed drivers
don't have the assumption.
So this patch makes the test run only _process_bind_port() without
calling the full update_port() so that precommit/postcommit don't get
involved.
Change-Id: Ib034e2121914e5f253eb673261f26b4c8487f431
Closes-Bug: #1545218
(cherry picked from commit ad7b72963d)

This patch adds all RPC workers to the consumers of service
plugin queues such as metering and l3-plugin.
This is important for DVR-enabled deployments with hundreds
of agents.
Closes-Bug: #1498844
(cherry picked from commit 5be613490d)
===
Also include the following fix that keeps backwards compatibility with
plugins that don't implement start_rpc_listeners method:
Check if plugin supports starting rpc listeners
When neutron starts an rpc worker, it checks if the plugin has the method
"start_rpc_listeners". Since most plugins inherit from a base class, and
that base class implements the start_rpc_listeners method and raises
NotImplementedError, the rpc worker will attempt to call that method.
It should just catch the NotImplementedError and continue on.
Change-Id: Ie1830b6140acffffd0f283a0d8eefa52067f7650
Closes-Bug: 1551542
(cherry picked from commit cd7be292a8)
===
Change-Id: I6fea7f409c91b25d2c35b038d6100fdfa85d1905

This patch modifies the prevent_l3_port_deletion method to
actually look up the router_id in the device_owner field to
confirm that the router exists before claiming the port is
in use. This will allow users to delete ports that may have
been orphaned due to race conditions in the cleanup of router
interfaces.
Conflicts:
neutron/tests/unit/db/test_l3_db.py
Closes-Bug: #1566678
Partial-Bug: #1540271
Change-Id: Ieffe632f3f3098baf202d3795ab5182982e234bd
(cherry picked from commit 3b41808b86)

When starting up, we don't want to delete the patch port between br-int
and the physical bridges. In Liberty the br-int bridge was changed to
not tear down flows on startup, and change
I9801b76829021c9a0e6358982e1136637634a521 will change the physical
bridges to not tear down flows also.
Without this patch the patch port is torn down and not reinstalled until
after the initial flows are set back up.
Partial-Bug: #1514056
Change-Id: I05bf5105a6f3acf6a313ce6799648a095cf8ec96
(cherry picked from commit a549f30fad)

This fixes the problem that when two or more ports in a network
are migrated to a host that did not previously have any ports in
the same network, the new host is sometimes not told about the
IP/MAC addresses of all the other ports in the network. In other
words, initial L2population does not work, for the new host.
This is because the l2pop mechanism driver only sends catch-up
information to the host when it thinks it is dealing with the first
active port on that host; and currently, when multiple ports are
migrated to a new host, there is always more than one active port so
the condition above is never triggered.
The fix is for the ML2 plugin to set a port's status to DOWN when
its binding info changes.
This patch also fixes the bug where nova thinks it should not wait
for any events from neutron because all ports are already active.
Closes-Bug: #1483601
Closes-Bug: #1443421
Closes-Bug: #1522824
Related-Bug: #1450604
(cherry picked from commit c5fa665de3)
Conflicts:
neutron/plugins/ml2/drivers/l2pop/mech_driver.py
Change-Id: I342ad910360b21085316c25df2154854fd1001b2

The DHCP rules in the fixed iptables firewall rules were too permissive.
They permitted any UDP traffic with a source port of 68 and destination
port of 67. Care must be taken since these rules return before the IP
spoofing prevention rules. This patch splits the fixed DHCP rules into
two, one for the discovery and request messages which take place before
the instance has bound an IP address and a second to permit DHCP
renewals.
Conflicts:
neutron/tests/functional/agent/test_firewall.py
Change-Id: Ibc2b0fa80baf2ea8b01fa568cd1fe7a7e092e7a5
Partial-Bug: #1558658
(cherry picked from commit 6a93ee8ac1)

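The rule split described above, modelled as an added example (not neutron's own code; Packet, PERMISSIVE_DHCP, dhcp_client_rules and chain_verdict are hypothetical names): the old permissive rule beside the tightened pair, with a small matcher showing which egress packets each variant lets past the spoofing guard.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of a per-port egress chain: the fixed DHCP client rules
# are evaluated first and RETURN (accept) before the anti-spoofing guard.
# Packet, PERMISSIVE_DHCP, dhcp_client_rules and chain_verdict are
# hypothetical names for this example, not neutron's own code.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

# The old single rule: any UDP 68->67 packet is accepted, whatever its source.
PERMISSIVE_DHCP = ["-p udp -m udp --sport 68 --dport 67 -j RETURN"]

def dhcp_client_rules(bound_ips):
    """Split rules: DISCOVER/REQUEST from an unbound client must use the
    unspecified source and the broadcast destination; a renewal must carry
    one of the port's bound addresses as its source."""
    rules = ["-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp "
             "--sport 68 --dport 67 -j RETURN"]
    rules += ["-s %s/32 -p udp -m udp --sport 68 --dport 67 -j RETURN" % ip
              for ip in bound_ips]
    return rules

def _matches(rule, pkt):
    """Minimal evaluator for the -s/-d/-p/--sport/--dport matches used here."""
    toks = rule.split()
    opts = {toks[i]: toks[i + 1] for i in range(len(toks) - 1)
            if toks[i].startswith("-")}

    def in_net(ip, key):
        return key not in opts or \
            ipaddress.ip_address(ip) in ipaddress.ip_network(opts[key])
    return (in_net(pkt.src, "-s") and in_net(pkt.dst, "-d")
            and opts.get("-p", pkt.proto) == pkt.proto
            and int(opts.get("--sport", pkt.sport)) == pkt.sport
            and int(opts.get("--dport", pkt.dport)) == pkt.dport)

def chain_verdict(dhcp_rules, bound_ips, pkt):
    """First matching DHCP rule wins; otherwise the spoofing guard decides."""
    for rule in dhcp_rules:
        if _matches(rule, pkt):
            return rule.split("-j ")[1]
    return "RETURN" if pkt.src in bound_ips else "DROP"
```

With the permissive rule a forged-source UDP 68->67 packet is accepted before the guard runs; with the split rules it falls through to the guard and is dropped, while a genuine DISCOVER and a renewal from the bound address still pass.
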
fixtures 2.0.0 broke us wildly, so instead of trying to make it work
with new fixtures, I'd better just switch the mock to... mock.
Change-Id: I58d7a750e263e4af54589ace07ac00bec34b553a
Closes-Bug: #1567295
(cherry picked from commit 2af86b8f6f)
(cherry picked from commit ee32ea5e2b)

The current dvr_fip_ns.py file has FIP_LL_SUBNET configured
with a subnet prefixlen of /23 which only allows 255 pairs of
link-local addresses to be generated. If the number of routers
per node increases beyond the 255 limit it raises an assertion.
This patch increases the link-local address cidr to be a /18
to allow for 8K routers. The new range was chosen to not
overlap with the original, allowing for in-place upgrades
without affecting existing routers.
Closes-Bug: #1562110
Change-Id: I6e11622ea9cc74b1d2428757f16aa0de504ac31a
(cherry picked from commit 7b1b8c2de5)

This fixes the iptables rules generated by the L3 agent
(SNAT, DNAT, set-mark and metadata), and the DHCP agent
(checksum-fill) to match the format that will be returned
by iptables-save to prevent excessive extra replacement
work done by the iptables manager.
It also fixes the iptables test that was not passing the
expected arguments (-p PROTO -m PROTO) for block rules.
A simple test was added to the L3 agent to ensure that the
rules have converged during the normal lifecycle tests.
Closes-Bug: #1566007
Change-Id: I5e8e27cdbf0d0448011881614671efe53bb1b6a1
(cherry picked from commit b8d520ffe2)

If protocol was present in the dict, but was None, then it was never
re-instantiated after being popped out of the dict. This later resulted
in a KeyError when trying to access the key on the dict.
Change-Id: I4985e7b54117bee3241d7365cb438197a09b9b86
Closes-Bug: #1566327
(cherry picked from commit 5a41caa47a)

Right now we are seeing a race condition in the l3 agent
for DVR routers when a floatingip is deleted and created.
The agent tries to delete the floatingip namespace and
while it tries to delete there is another call to add a
namespace. There is a timing window in between these two
calls where sometimes the call to create a namespace succeeds
but when it tries to execute any commands in the namespace
it fails, since the namespace was deleted concurrently.
Since the fip namespace is associated with an external net
and each node has only one fip namespace for an external net,
we would like to only delete the fip namespace when the
external net is deleted.
The first step is to split the delete functionality into two.
The call to fip_ns.cleanup will only remove the dependency that
the fip namespace has with the router namespace, such as the fpr and
rfp veth pairs.
The call to fip_ns.delete will actually delete the
fip namespace and the fg device.
Partial-Bug: #1501873
(cherry picked from commit c874f6dada)
Change-Id: Ic94625d5a968f554af70c274b2b2c20ab64e2487

When starting up, we don't want to delete the patch port between br-int
and br-tun unless we're also dropping the flows. In Liberty both of
these bridges were switched to not dump flows on startup and to put the
bridges in secure mode so that default flood flows are not installed
when the bridge is created.
Without this patch the patch port is torn down and not reinstalled until
br-tun is set up again.
Partial-Bug: #1514056
Change-Id: Ia518a99a2de5d1bda467fde57892c43970f88bcd
(cherry picked from commit 8dce6a5c87)