When we manually move a router from one dvr_snat node to
another dvr_snat node the snat_namespace should be removed in
the originating node by the agent and will be re-created in the
destination node by the destination agent.
But when the agent dies, the router_update message reaches the
agent after the agent restarts. At this time the agent should
remove the snat_namespace since it is no longer hosted by the
current agent.
Even though we do have logic in agent to take care of cleaning
up the snat namespaces if the gw_port_host does not match with the
existing agent host, in this particular use case the self.snat_namespace
is always set to 'None' in the dvr_edge_router init call when agent
restarts.
This patch fixes the above issue by initializing the snat namespace
object during the router_init. Since we do have a valid snat
namespace object and if the gw_port_host mismatches, the agent
should clean up the namespace.
Change-Id: I30524dc77b743429ef70941479c9b6cccb21c23c
Closes-Bug: #1557909
(cherry picked from commit 9dc70ed77e)
Perform deletion of the stale flows in physical bridges consistently with
br-int and br-tun, respecting drop_flows_on_start configuration option.
Added tests for auxiliary bridge and functional tests for the physical
bridge using VLAN/flat external network. Fixes part of the bug 1514056;
together with [1] and [2], the bug should be considered fixed.
The commit also fixes inconsistency between netmask of allocated IP
addresses assigned in _create_test_port_dict and ip_len in _plug_ports
of base.py.
Further, this commit sets agent UUID to physical bridges similarly to
tun and int bridges. This is necessary for stale flows cleanup to work
correctly. In upstream, it is treated using OVSBridgeCookieMixin.
[1] https://review.openstack.org/#/c/297211/
[2] https://review.openstack.org/#/c/297818/
Conflicts:
neutron/tests/functional/agent/l2/base.py
neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_tunnel.py
Co-Authored-By: Jian Wen <wenjianhn@gmail.com>
Co-Authored-By: Clayton O'Neill <clayton@oneill.net>
Partial-Bug: 1514056
Change-Id: I9801b76829021c9a0e6358982e1136637634a521
(cherry picked from commit cacde308ee)
The fipnamespace is associated with an external network
on a given node. In the case of DVR there is just one
single FIP namespace for a given node.
We have seen some race conditions in the agent for creation
and deletion of the fip namespace. See the bug report for
details on the failure.
So in order to address this race condition and make the
code more stable, we will be cleaning up the fip namespace
only when an external network is removed.
The server will be sending a rpc notification message to
the agent to cleanup the fip namespace when the external
net is removed.
This patch addresses the above mentioned issue by not constantly
deleting and creating the fip namespace.
Conflicts:
neutron/tests/functional/agent/test_l3_agent.py
Closes-Bug: #1501873
(cherry picked from commit cb465d40f5)
Change-Id: I86869f66d4afffad7db09942578b1a456a9bd418
The change set of c5fa665de3
introduced a new test TestMl2PortsV2.test_update_port_host_id_changed
which isn't always correct depending on driver.
ML2 driver may change port status to ACTIVE on port binding.
With such a driver, the test fails. Grep showed 5 decomposed drivers
don't have the assumption.
So this patch makes the test run only _process_bind_port() without
calling full update_port() so that precommit/postcommit don't get
involved.
Change-Id: Ib034e2121914e5f253eb673261f26b4c8487f431
Closes-Bug: #1545218
(cherry picked from commit ad7b72963d)
This patch modifies the prevent_l3_port_deletion method to
actually look up the router_id in the device_owner field to
confirm that the router exists before claiming the port is
in use. This will allow users to delete ports that may have
been orphaned due to race conditions in the cleanup of router
interfaces.
Conflicts:
neutron/tests/unit/db/test_l3_db.py
Closes-Bug: #1566678
Partial-Bug: #1540271
Change-Id: Ieffe632f3f3098baf202d3795ab5182982e234bd
(cherry picked from commit 3b41808b86)
When starting up, we don't want to delete the patch port between br-int
and the physical bridges. In liberty the br-int bridge was changed to
not tear down flows on startup, and change
I9801b76829021c9a0e6358982e1136637634a521 will change the physical
bridges to not tear down flows also.
Without this patch the patch port is torn down and not reinstalled until
after the initial flows are set back up.
Partial-Bug: #1514056
Change-Id: I05bf5105a6f3acf6a313ce6799648a095cf8ec96
(cherry picked from commit a549f30fad)
This fixes the problem that when two or more ports in a network
are migrated to a host that did not previously have any ports in
the same network, the new host is sometimes not told about the
IP/MAC addresses of all the other ports in the network. In other
words, initial L2population does not work for the new host.
This is because the l2pop mechanism driver only sends catch-up
information to the host when it thinks it is dealing with the first
active port on that host; and currently, when multiple ports are
migrated to a new host, there is always more than one active port so
the condition above is never triggered.
The fix is for the ML2 plugin to set a port's status to DOWN when
its binding info changes.
This patch also fixes the bug when nova thinks it should not wait
for any events from neutron because all ports are already active.
Closes-bug: #1483601
Closes-bug: #1443421
Closes-Bug: #1522824
Related-Bug: #1450604
(cherry picked from commit c5fa665de3)
Conflicts: neutron/plugins/ml2/drivers/l2pop/mech_driver.py
Change-Id: I342ad910360b21085316c25df2154854fd1001b2
The DHCP rules in the fixed iptables firewall rules were too permissive.
They permitted any UDP traffic with a source port of 68 and destination
port of 67. Care must be taken since these rules return before the IP
spoofing prevention rules. This patch splits the fixed DHCP rules into
two, one for the discovery and request messages which take place before
the instance has bound an IP address and a second to permit DHCP
renewals.
Conflicts:
neutron/tests/functional/agent/test_firewall.py
Change-Id: Ibc2b0fa80baf2ea8b01fa568cd1fe7a7e092e7a5
Partial-Bug: #1558658
(cherry picked from commit 6a93ee8ac1)
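
An added illustration of the DHCP rule split described in the commit message above (not code from the Neutron patch): a small Python model of the rule order, evaluated over constructed packets. The exact match used for discovery (0.0.0.0 to 255.255.255.255) and the placement of the renewal rule after the anti-spoofing check are assumptions made for this model; the names Packet, old_chain, split_chain and compare are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def is_dhcp_client(p):
    """UDP from the DHCP client port (68) to the server port (67)."""
    return p.proto == "udp" and p.sport == 68 and p.dport == 67

def old_chain(p, bound_ips):
    """Before the fix: one fixed rule that returns ahead of anti-spoofing."""
    if is_dhcp_client(p):
        return "RETURN"
    return "CONTINUE" if p.src in bound_ips else "DROP"

def split_chain(p, bound_ips):
    """After the fix, as modelled here (rule details are assumptions)."""
    # Rule 1: discovery/request, sent before the instance has an address.
    if is_dhcp_client(p) and p.src == "0.0.0.0" and p.dst == "255.255.255.255":
        return "RETURN"
    # IP spoofing prevention: source must be an address bound to the port.
    if p.src not in bound_ips:
        return "DROP"
    # Rule 2: renewal, unicast from the already-bound address.
    if is_dhcp_client(p):
        return "RETURN"
    return "CONTINUE"

# Constructed sample traffic for a port bound to 10.0.0.5.
BOUND = {"10.0.0.5"}
SAMPLES = {
    "discover": Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    "renew": Packet("10.0.0.5", "10.0.0.2", "udp", 68, 67),
    "spoofed_68_to_67": Packet("203.0.113.9", "198.51.100.7", "udp", 68, 67),
    "spoofed_other": Packet("203.0.113.9", "198.51.100.7", "udp", 5000, 53),
}

def compare(samples=SAMPLES, bound_ips=BOUND):
    """Return {name: (old verdict, new verdict)} for each sample packet."""
    return {n: (old_chain(p, bound_ips), split_chain(p, bound_ips))
            for n, p in samples.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:18} old={verdicts[0]:8} new={verdicts[1]}")
```

Only the spoofed 68-to-67 packet changes verdict between the two models; legitimate discovery and renewal traffic is still returned.
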
fixtures 2.0.0 broke us wildly, so instead of trying to make it work
with new fixtures, I better just switch the mock to... mock.
Change-Id: I58d7a750e263e4af54589ace07ac00bec34b553a
Closes-Bug: #1567295
(cherry picked from commit 2af86b8f6f)
(cherry picked from commit ee32ea5e2b)
This fixes the iptables rules generated by the L3 agent
(SNAT, DNAT, set-mark and metadata), and the DHCP agent
(checksum-fill) to match the format that will be returned
by iptables-save to prevent excessive extra replacement
work done by the iptables manager.
It also fixes the iptables test that was not passing the
expected arguments (-p PROTO -m PROTO) for block rules.
A simple test was added to the L3 agent to ensure that the
rules have converged during the normal lifecycle tests.
Closes-Bug: #1566007
Change-Id: I5e8e27cdbf0d0448011881614671efe53bb1b6a1
(cherry picked from commit b8d520ffe2)
If protocol was present in the dict, but was None, then it was never
re-instantiated after being popped out of the dict. This later resulted
in KeyError when trying to access the key on the dict.
Change-Id: I4985e7b54117bee3241d7365cb438197a09b9b86
Closes-Bug: #1566327
(cherry picked from commit 5a41caa47a)
Right now we are seeing a race condition in the l3 agent
for DVR routers when a floatingip is deleted and created.
The agent tries to delete the floatingip namespace and
while it tries to delete there is another call to add a
namespace. There is a timing window in between these two
calls where sometimes the call to create a namespace succeeds
but when it tries to execute any commands in the namespace
it fails, since the namespace was deleted concurrently.
Since the fip namespace is associated with an external net
and each node has only one fip namespace for an external net,
we would like to only delete the fip namespace when the
external net is deleted.
The first step is to split the delete functionality into two.
The call to fip_ns.cleanup will only remove the dependency that
the fipnamespace has with the router namespace such as fpr and
rfp veth pairs.
The call to fip_ns.delete will actually delete the
fip namespace and the fg device.
Partial-Bug: #1501873
(cherry picked from commit c874f6dada)
Change-Id: Ic94625d5a968f554af70c274b2b2c20ab64e2487
When starting up, we don't want to delete the patch port between br-int
and br-tun unless we're also dropping the flows. In liberty both of
these bridges were switched to not dump flows on startup and to put the
bridges in secure mode so that default flood flows are not installed
when the bridge is created.
Without this patch the patch port is torn down and not reinstalled until
br-tun is setup again.
Partial-Bug: #1514056
Change-Id: Ia518a99a2de5d1bda467fde57892c43970f88bcd
(cherry picked from commit 8dce6a5c87)
Currently, once the metadata_process is created for the network,
it will never be eliminated unless the network is deleted. Even if
the user disables the metadata for network and restarts dhcp agent, the
metadata proxy for network will still be there. This will waste the
resource of neutron host. This patch will let the dhcp-agent
delete useless metadata_proxy at startup.
Additional functional tests are added for the related scenario.
Change-Id: Id867b211fe7c01a11ba73a5ebc275c595933becf
Closes-Bug: #1507950
(cherry picked from commit dc0c7b5588)
Adds some utility methods and a couple of base test cases that
can be added to. These first tests exercise the ovs driver (dnsmasq)
and so the code is organised accordingly - OVS specific test cases
are defined in a DHCPAgentOVSTestFramework.
Partial-Bug: #1469065
Co-Authored-By: Cedric Brandily <zzelle@gmail.com>
Co-Authored-By: Sergey Belous <sbelous@mirantis.com>
Conflicts:
neutron/tests/contrib/functional-testing.filters
Change-Id: Ic9d5a2f2b8014e4d81f5e5f6fa58b119a86de075
(cherry picked from commit 31bdb9bffd)
When the ARP responder is enabled, secondary IP addresses explicitly
allowed via the allowed-address-pairs extensions do not resolve.
This change adds the ability to enable the local ARP responder similar
to the feature in the OVS agent. This change disables local ARP
responses by default, so ARP traffic will be sent over the overlay.
DocImpact
UpgradeImpact
Change-Id: I5da4afa44fc94032880ea59ec574df504470fb4a
Closes-Bug: 1445089
(cherry picked from commit bbd881f3a9)
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
If state_less parameter is not specified then
neutron-postrouting-bottom rule goes up in POSTROUTING
chain, which causes premature NATing of traffic,
for ex. traffic between internal networks becomes NATed.
Closes-Bug: 1544508
Co-Authored-By: Sergey Belous <sbelous@mirantis.com>
Change-Id: I2e0011237d50a59d417cfee01dcd5f9d0da2e7f5
(cherry picked from commit 5d2d1120fc)
OVSDB implementation refuses to set options:peer column value
as there is no such column in the Interface table. The correct way
is to set 'options' column value to a map containing key 'peer', as
already used in ovs_lib.
Change-Id: Ib5e956f425b36f54cda017c91ac71d9d7ee9747c
Closes-Bug: 1528894
(cherry picked from commit d130245967)
Extracting the test fixture that creates a new process and leaves it
running for a given amount of time into helpers where other fixtures for
functional tests live. This both keeps the fixtures at one place and
increases visibility of the fixture so that it can be reused in other
tests. At the same time, the fixture is fixed as the original code
omitted starting the process.
Conflicts:
neutron/tests/functional/agent/linux/helpers.py
Change-Id: I97aeb8d1d5773ef3d59e8f908aea34ccceb38378
Related-Bug: 1561046
(cherry picked from commit 2690eed19a)
keepalived refuses to start and claims "daemon already started"
when there is already a process with the same PID as found in
either the VRRP or the main process PID file. This happens even
in case when the new process is not keepalived. The situation
can happen when the neutron node is reset and the obsolete PID
files are not cleaned before neutron is started.
This commit adds PID file cleanup before keepalived start.
Conflicts:
neutron/agent/linux/keepalived.py
Closes-Bug: 1561046
Change-Id: Ib6b6f2fe76fe82253f195c9eab6b243d9eb76fa2
(cherry picked from commit e98fabb583)