26628 Commits

Author SHA1 Message Date
Zuul
ad742401b7 Merge "Fix missing [designate] options" 2022-11-25 09:07:33 +00:00
Zuul
22bd1b04a0 Merge "[S-RBAC] Allow admin user to do all API requests by default" 2022-11-24 20:05:53 +00:00
Zuul
970f9fbafa Merge "db: add segment_index to the unique constraint" 2022-11-24 10:23:22 +00:00
Slawek Kaplonski
6d8ada0ac9 [S-RBAC] Allow admin user to do all API requests by default
By default ADMIN user in the new Secure RBAC policies should behave in
the same way as in the legacy rules so basically every API operation for
any project should be allowed for ADMIN user.
In the new rules there are roles like PROJECT_MEMBER and PROJECT_READER
and those personas don't inherit directly from ADMIN which means that
if something is possible to e.g. PROJECT_MEMBER it isn't automatically
also allowed to ADMIN and we need to explicitly allow ADMIN user to do
such requests. It was done like that for many of API calls already but
not for all of them (probably by mistake).

This patch introduces new composite check ADMIN_OR_PROJECT_MEMBER and
uses it in the check strings where ADMIN or PROJECT_MEMBER user is
allowed to use the API.
It also changes some of the check strings which used "policy_or" to
combine ADMIN and PROJECT_MEMBER or PROJECT_READER so that those
composite checks ADMIN_OR_PROJECT_MEMBER and ADMIN_OR_PROJECT_READER are
used everywhere.

Closes-Bug: #1997089

Change-Id: Iab5cd6c7aa07ca8527c5fa8396c9ed0da65b4fa7
2022-11-24 09:17:18 +00:00
Zuul
faad9e6c79 Merge "Update tap ip in metadata agent when metadata port ip updated" 2022-11-24 06:31:33 +00:00
Zuul
cdc40d9f43 Merge "Code move for metadata haproxy" 2022-11-23 20:33:23 +00:00
Zuul
150be5bece Merge "Make MechanismDriverContext plugin_context public" 2022-11-23 20:33:10 +00:00
Zuul
9b8354540b Merge "Disable "test_live_migration_with_trunk" execution from dvr job" 2022-11-23 19:59:40 +00:00
Zuul
ea15470080 Merge "ovn: use dicts instead of sets of tuples" 2022-11-23 19:59:28 +00:00
Zuul
abe01d62be Merge "ovn: inline ensure_all_networks_provisioned method" 2022-11-23 19:59:24 +00:00
Slawek Kaplonski
e1d70f9cb0 Disable "test_live_migration_with_trunk" execution from dvr job
It's a follow-up for [1] which temporarily disabled this test
on other multinode jobs.

[1] https://review.opendev.org/c/openstack/neutron/+/865295

Related-bug: #1997025
Change-Id: I3cb1e709bb6b4f6acea37fce8bec8bb35b3e84aa
2022-11-23 13:16:18 +01:00
Zuul
4ab56dbb51 Merge "Always create a "router_extra_attributes" register per router" 2022-11-23 08:05:48 +00:00
Sahid Orentino Ferdjaoui
eeff5b3c81 db: add segment_index to the unique constraint
For multi segments support we have update the unique constraint so
`segment_index` will be part of it.

Related-Bug: #1791233
Partial-Bug: #1956435
Partial-Bug: #1764738
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
Change-Id: Ic564131dcd7525fc5f24c3282688e3584cd2e2e0
2022-11-23 08:43:21 +01:00
Zuul
77fc7cd285 Merge "Add tempest job which will run on the oldest Ubuntu release" 2022-11-23 04:44:31 +00:00
Takashi Kajinami
67bd2badc9 Fix missing [designate] options
This change ensures the [designate] options, which are used by
the designate external DNS driver, are rendered into neutron.conf
generated by oslo-config-generator.

Change-Id: I56a1079fbfc044532aee64f4fbdec50d9524a580
2022-11-22 12:00:50 +09:00
Ihar Hrachyshka
631ad0ce6b ovn: use dicts instead of sets of tuples
This simplifies the code a bit.

TrivialFix

Change-Id: I5daf258d9bdce8a671d8311c89087da23b807ecd
2022-11-21 18:42:24 +00:00
Ihar Hrachyshka
ae845d572c ovn: inline ensure_all_networks_provisioned method
The method is now so short and simple that it's not worth having it.

TrivialFix

Change-Id: Ie9761ddfce24df7c5df358e1df7f39dbb375f16c
2022-11-21 18:38:44 +00:00
hailun.huang
686698284b Update tap ip in metadata agent when metadata port ip updated
Update neutron-ovn-metadata-agent, catch port_binding update event
of monitoring localport type, and judge if the neutron:cidrs field in
the external_ids of port_binding table has changed,
then update_datapath.

Closes-Bug: #1996677
Change-Id: Ibdc1b385b07a2ab1ca8e4b6278f6d39fb5839509
2022-11-21 09:42:35 +00:00
Zuul
a76b20dbc7 Merge "ovn: first tear down old metadata namespaces, then deploy new" 2022-11-19 16:10:34 +00:00
Ihar Hrachyshka
3093aaab13 ovn: first tear down old metadata namespaces, then deploy new
While the reverse order may work, it's considered invalid by OVN and not
guaranteed to work properly since OVN may not necessarily know which of
two ports is the one to configure.

This configuration also triggered a bug in OVN where tearing down a port
after deploying a new one resulted in removing flows that serve the
port.

There is a patch up for review for OVN [1] to better handle multiple
assignment of the same port, but it doesn't make the setup any more
valid.

[1] http://patchwork.ozlabs.org/project/ovn/patch/20221114092437.2807815-1-xsimonar@redhat.com/

Closes-Bug: #1997092
Change-Id: Ic7dbc4e8b00423e58f69646a9e3cedc6f72d6c63
2022-11-18 15:34:04 +00:00
Slawek Kaplonski
0ef4f98825 Remove policy rule for get_network:router:external
In legacy RBAC rules get of the network's router:external attribute was
available for everyone (rule:regular_user). In new S-RBAC rules it was
done to be available for admin users and for PROJECT_READER. This didn't
really have the same result as router:external attribute wasn't visible
for networks which belong to other projects.

Networks which are set to be external are automatically shared with all
other projects and each user from such a project should be able to check
each of the visible networks if it is external or not.
Overall, an extra policy rule for "get_network:router:external" isn't
really necessary and this patch removes it.

Closes-Bug: #1996836
Change-Id: I5fe4a0134c6ecf5cf28e2f5d59411134546c98b0
2022-11-18 16:09:20 +01:00
Rodolfo Alonso Hernandez
2081910d6d Always create a "router_extra_attributes" register per router
The table "router_extra_attributes" is a child of "router" table.
Each register contains extra information that completes the router
description. When using ML2/OVS mechanism driver, the methods that
create and populate the "router_extra_attributes" register are always
called from the L3 DVR, L3 HA and availability zones extensions.

When using ML2/OVN, those extensions are not loaded and therefore the
"router_extra_attributes" register is not created.

Although this register is currently not used in ML2/OVN (it will be in
future features), there are some projects expecting the
"router_extra_attributes" register to be always created (for example,
neutron-dynamic-routing [1]).

This patch enforces the child register creating always when a router is
created. This register is populated with the default values. This new
register does not affect any current operation related to ML2/OVN nor
ML2/OVS.

There is a 1:1 relationship between "routers" and
"router_extra_attributes". The child register is deleted by the database
engine when the "routers" register is deleted (ondelete="CASCADE").

[1] https://review.opendev.org/c/openstack/neutron-dynamic-routing/+/863713

Closes-Bug: #1995974
Change-Id: Ic546e40513402fa101c9687acce382cd6b84356c
2022-11-18 08:51:43 +00:00
Zuul
c8f65b76c3 Merge "Replace Linux Bridge with Open vSwitch in installation docs" 2022-11-17 23:23:30 +00:00
Sebastian Lohff
9a483f02be Make MechanismDriverContext plugin_context public
MechanismDriverContext has an attribute _plugin_context, which carries
the current context with it. This is used by many ml2 drivers, as it is
the only way for them to get the current context. We now make this a
public API by adding a property to MechanismDriverContext that returns
_plugin_context as a read-only attribute.

Change-Id: If9b05655286f42081cf26c90c563429ca2e63244
2022-11-17 11:03:44 +01:00
Lucas Alvares Gomes
bf44e70db6 OVN: Add support for DHCP option "domain-search" for IPv4
Nothing much else, what the title says...

Change-Id: Ib1d41a6e4c869e108f31c1eb604f22c794d66467
Closes-Bug: #1996759
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
2022-11-16 14:14:59 +00:00
LIU Yulong
25d4e3862b Code move for metadata haproxy
Move common Exception class to one place. Move haproxy same
configuration to one place.

Partially-Implements: blueprint distributed-metadata-datapath
Change-Id: I3a0fc72da4520d6bc7193fb32a1bcf9a5585fbf4
2022-11-16 10:51:40 +08:00
Rodolfo Alonso Hernandez
ff66ca9275 Execute functional test "test_get_all_devices" alone
Since [1], the functional tests are being executed in Ubuntu 22.04.
The test "test_get_all_devices" is failing frequently, maybe because
other tests are interfering and modifying the root namespace
interface list.

Because this test cannot be executed inside a temporary namespace,
this patch moves the execution of this test to the section of
"concurrency=1". That will ensure no other test interferes with the
result.

Closes-Bug: #1997341

Change-Id: If0631bf0cdfd5f0989c60d40e31f89cee317e497
2022-11-16 01:40:03 +01:00
Zuul
a358bb802b Merge "Fix some pylint indentation warnings" 2022-11-15 22:09:42 +00:00
Zuul
1acfe8aab3 Merge "Load the required configuration options in the UT classes" 2022-11-15 17:33:39 +00:00
Zuul
000efde9db Merge "Fix some pylint indentation warnings" 2022-11-15 17:33:34 +00:00
Rodolfo Alonso Hernandez
51827d8e78 Remove "test_live_migration_with_trunk" execution
Removed "test_live_migration_with_trunk" test execution from
"neutron-ovs-tempest-multinode-full" job until LP#1997025 is
fixed.

Related-Bug: #1997025
Change-Id: Id7a0565db9b014e2658002437a2f21facbe47a8f
2022-11-15 16:58:26 +01:00
Zuul
1e4cc72901 Merge "Doc: Capitalize keystone domain names" 2022-11-22 12:15:14 +00:00
Zuul
888d31014c Merge "[doc] Metadata service supports IPv6 networks" 2022-11-22 09:52:56 +00:00
Brian Haley
a2090e4cbc Doc: Capitalize keystone domain names
There is an inconsistency for keystone domain names
in the docs, 'default' and 'Default'. Should always
use the latter, 'Default'.

Change-Id: I4487de4e121362a02f839546721f007781f84057
Closes-bug: #1996889
2022-11-17 11:42:14 -05:00
Brian Haley
c5ee9f3495 Load the required configuration options in the UT classes
Some test classes are not loading the required configuration options
during the setup process. That prevents launching those tests
or classes individually. This patch solves this issue by importing the
required options in the "setUp" test class method.

This is breaking python 3.11 on Debian, not possible to test
in the gate at the moment.

Closes-Bug: #1996527

Change-Id: Ie579df7126ca8d09dbedad8d2254c79ec0d3bc32
2022-11-14 18:06:20 -05:00
Zuul
320f54eba1 Merge "Code move for metadata signature function" 2022-11-14 16:59:33 +00:00
Zuul
91decc9514 Merge "Fix some pylint indentation warnings" 2022-11-14 13:10:49 +00:00
Zuul
2ed1d9aa24 Merge "Fix some pylint indentation warnings" 2022-11-14 13:10:45 +00:00
Rodolfo Alonso Hernandez
bb2d706107 [doc] Metadata service supports IPv6 networks
Metadata service now supports IPv6 networks. This patch removes
this limitation in the documentation.

Related-Bug: #1460177
Change-Id: I1c50aef5e4aa60705f923f399e8d36c37a9d6289
2022-11-14 08:26:10 +01:00
LIU Yulong
b7d04d5d92 Code move for metadata signature function
Move _sign_instance_id to common utils for distributed metadata.

Partially-Implements: blueprint distributed-metadata-datapath
Change-Id: I0ef9330232e2ed5dbda6e45917c291c7385d1e0d
2022-11-14 09:21:27 +08:00
Rodolfo Alonso Hernandez
c6a83988ea Replace Linux Bridge with Open vSwitch in installation docs
This patch replaces the Linux Bridge references with Open vSwitch in
the installation manuals.

Closes-Bug: #1996772
Change-Id: Ib63daad7fac52e1e10dca2e98add01d5ee7635a3
2022-11-13 19:46:56 +01:00
Brian Haley
9e2a0ac058 Use --exclude-regex in tox.ini
--black-regex has been deprecated and using it can sometimes
cause failures in the fullstack job.

Change-Id: Iac1d4c4004e1348ced388ee4dd44711f0e27bcc2
Closes-bug: #1995901
2022-11-07 18:46:30 -05:00
Zuul
c8aa65796f Merge "test: fix docstring validation function" 2022-11-07 16:24:24 +00:00
Zuul
c99792e213 Merge "Fix some pylint indentation warnings" 2022-11-07 12:45:51 +00:00
Zuul
f33bdd341a Merge "Fix some pylint indentation warnings" 2022-11-07 12:28:02 +00:00
Sahid Orentino Ferdjaoui
609ebd9504 test: fix docstring validation function
For some reason in Python even if using getattr with None and as
default value a string for the type __doc__ will return None.

>>> type(getattr(None, "__doc__", ""))
<class 'NoneType'>

The error reported was:

ft1.1: neutron.tests.functional.db.test_migrations.TestModelsMigrationsMySQL.test_branchestesttools.testresult.real._StringException: Traceback (most recent call last):
  File "/home/zuul/src/opendev.org/openstack/neutron/neutron/tests/base.py", line 182, in func
    return f(self, *args, **kwargs)
  File "/home/zuul/src/opendev.org/openstack/neutron/neutron/tests/functional/db/test_migrations.py", line 302, in test_branches
    find_migration_exceptions()
  File "/home/zuul/src/opendev.org/openstack/neutron/neutron/tests/functional/db/test_migrations.py", line 253, in find_migration_exceptions
    if len(explanation) < 1:
TypeError: object of type 'NoneType' has no len()

Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
Change-Id: I7c03bac9c6e8dd074325f511e555c10fec8e77fc
2022-11-07 13:21:00 +01:00
renliang17
562e9704f8 Update documentation link for openSUSE index.
Change-Id: Ie8dd684a7b79b0a322b1f2d17fffb4d58cfe94fc
2022-11-04 13:59:58 +08:00
Brian Haley
b1714a2b9d Fix some pylint indentation warnings
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
the ones in neutron/plugins.

Trivialfix

Change-Id: Id9138652f5f07ef12fa682e182fe210019e8f975
2022-11-03 22:27:55 -04:00
Brian Haley
55b16d7b7c Fix some pylint indentation warnings
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
the ones in neutron/db.

Trivialfix

Change-Id: I9311cfe5efc51552008072d84aa238e5d0c9de60
2022-11-03 19:50:54 -04:00
Brian Haley
3afa1b1471 Fix some pylint indentation warnings
Running with a stricter .pylintrc generates a lot of
C0330 warnings (hanging/continued indentation). Fix
the ones in neutron/ipam.

Trivialfix

Change-Id: I8312c9a0835ee9bdae9e3b2c565bf899899349c3
2022-11-02 10:47:38 -04:00