The service tagging policy engine should consider the parent resource or
the upper parent resource project ID when checking the policies against
the caller project ID.
Before this patch, as introduced in [1], the target was incorrectly
populated with the caller project ID instead of using the resource ID.
[1] https://review.opendev.org/c/openstack/neutron/+/896509/13/neutron/extensions/tagging.py
OSSA-2024-005 CVE-2024-53916
Conflicts:
neutron/extensions/tagging.py
Closes-Bug: #2088986
Change-Id: Id7d0c8e7ba37993b1084519d05e7e2eac095b81b
(cherry picked from commit fb75d3c4f185bb082f69c121090382d9eb803b94)
(cherry picked from commit 93e86fa84175b525f5b1dc5df1651a44d60219ba)
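An added illustration of the policy-target bug the tagging fix above addresses (this is not Neutron's code; the rule syntax, helper names and sample tenants are assumptions): when the target is built from the caller's own project ID, an owner rule compares the caller with itself and always passes.

```python
# Added illustrative example (not Neutron's code): why the policy target
# must carry the (parent) resource's project_id, not the caller's.
import re

# Owner rule in the style of oslo.policy: "project_id:%(project_id)s" means
# creds["project_id"] must equal target["project_id"].
OWNER_RULE = "project_id:%(project_id)s"


def check_rule(rule, target, creds):
    """Evaluate a single 'cred_key:%(target_key)s' style rule."""
    cred_key, _, tmpl = rule.partition(":")
    match = re.fullmatch(r"%\((\w+)\)s", tmpl)
    expected = target.get(match.group(1)) if match else tmpl
    return creds.get(cred_key) == expected


def build_target_before(resource, parent, creds):
    """Buggy behaviour (hypothetical): target filled from the caller."""
    return {"project_id": creds["project_id"]}


def build_target_after(resource, parent, creds):
    """Fixed behaviour: use the resource's project_id and fall back to the
    parent (e.g. the network of a floating-IP port whose project_id is '')."""
    project_id = resource.get("project_id") or (parent or {}).get("project_id")
    return {"project_id": project_id}


def scenarios():
    """Constructed sample data: a caller from tenant-b tags tenant-a's port."""
    creds = {"project_id": "tenant-b"}
    network = {"id": "net-1", "project_id": "tenant-a"}
    port = {"id": "port-1", "project_id": "tenant-a"}
    fip_port = {"id": "port-2", "project_id": ""}
    own_port = {"id": "port-3", "project_id": "tenant-b"}
    return {
        "before_cross_project": check_rule(
            OWNER_RULE, build_target_before(port, network, creds), creds),
        "after_cross_project": check_rule(
            OWNER_RULE, build_target_after(port, network, creds), creds),
        "after_parent_fallback": check_rule(
            OWNER_RULE, build_target_after(fip_port, network, creds), creds),
        "after_own_resource": check_rule(
            OWNER_RULE, build_target_after(own_port, None, creds), creds),
    }
```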
The ``TestOvnNbSync`` test cases perform intensive operations on both
the Neutron database and the OVN databases. These tests frequently
hit an issue with the Neutron database, which in the functional tests
is, by default, SQLite.
When a port is being deleted, the database raises an exception with the
following message:
DELETE failed.: oslo_db.exception.DBReferenceError:
(sqlite3.IntegrityError) FOREIGN KEY constraint failed
[SQL: DELETE FROM ports WHERE ports.id = ?]
[parameters: ('64720ac5-72a0-4e88-8193-fd54a97ccef3',)]
This resource (port) and the one referring to it (floating IP) have
been created and updated in previous API calls, thus the transactions
to the database should be committed and finished.
This patch changes the database backend to MySQL, which should
provide better transaction isolation.
Closes-Bug: #2088423
Change-Id: If1da6c5992aa4635da5a4b5c6eaa06db56d693b4
(cherry picked from commit abb527d1e4ec8ac34f6e277089b59687f9c3307e)
In PostgreSQL, the field used in the query field ("select") clause
must also be added to the "group_by" one. This patch changes
the scope of the query to only select the filtered fields (availability
zones and agent type).
Because PostgreSQL support has been dropped in the master branch
(Epoxy, 2025.1), this patch is only for stable branches.
Closes-Bug: #2086787
Change-Id: Ifb5ab94ca68a9ab84407b54ac632164860b7a3a8
(cherry picked from commit ebafc58e692c1533137be2fcc8a8027e262f84ce)
When a RBAC with action=access_as_shared is removed from a network, it
is checked first that there are no elements (ports) in this network
that could no longer exist due to the RBAC permissions reduction.
The floating IP related ports, that have project_id='' by definition,
should be removed from this check. These ports can be created due to
a RBAC with action=access_as_external. If a floating IP port is present
in the network, it should not block the RBAC with
action=access_as_shared removal.
Closes-Bug: #2075529
Change-Id: I7e31c21c04dc1ef26f5f05537ca0d2cb8f5ca505
(cherry picked from commit 90d836bc420ccd309196ece7908b41b9e2c4f766)
The patch changes how additional_chassis column support is handled in
events. We cannot call the IDL from the match methods because the post
fork event might not be set yet right after the IDL was instantiated. If
between the IDL instantiation and the post fork event being set an event
calling the IDL is processed, the match event method will wait
indefinitely. This patch removes the call to the IDL in the match method.
Closes-Bug: #2086740
Change-Id: Ibc7d9b4dd196bed65cff73b79d78122f70aac1a7
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
(cherry picked from commit d8884a99e03533533f7bacef598e9a6af592e3fa)
These jobs are currently broken due to a partial migration to um/2023.1.
Because the older branch is now in unmaintained mode, these jobs are
no longer executed in this stable branch.
Related-Bug: #2089522
Change-Id: Id17831323822b4c2aa89442c8bfc6b089809b9b8
The patch introduces a new maintenance routine that always sets
NB_Global.external_ids:fip-distributed value in Northbound OVN DB to the
same value that enable_distributed_floating_ip config option has.
This is useful for projects that do not use RPC and rely on data only in
the OVN database.
Conflicts:
neutron/common/ovn/constants.py
neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py
neutron/tests/functional/plugins/ml2/drivers/ovn/mech_driver/ovsdb/test_maintenance.py
Closes-Bug: #2083456
Change-Id: I7f30e6e030292b762dc9fc785c494c0dc215c749
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
(cherry picked from commit 1300110ccb9963e48a7c19e70599194d5c7da92c)
By default the number of threads used by the neutron-keepalived-state-change
service is set to "1 + <num_of_cpus> / 2", which in CI results in "4".
This is definitely not needed for the fullstack tests, where the L3 agent is
spawned for a single test and doesn't need to handle more than one
router ever.
To save some CPU resources, this patch sets this config option to '1' in
fullstack tests.
Related-bug: #2083609
Change-Id: I18cfb18abe481f47db870f210188e1a570844077
(cherry picked from commit df177b15db2b92b6e8050f812a8ee0b3fcfd460f)
During a security group creation, the default security group rules are
also added. This patch is creating the security group rules revision
number registers and bumping them to their first revision.
Closes-Bug: #2086205
Change-Id: Idc6ad29bcac23c2397e32f290addfd1877b8b3e0
(cherry picked from commit e0ee8bd7726a24747ee5028cb31f9b62cfcfcc29)
In unit tests where neutron resources are created by "fake" http
requests, only webob.exc.HTTPClientError was raised when the
response from the neutron server was >= webob.exc.HTTPClientError.code,
without any explanation of what the real issue in the response was.
To make it hopefully easier to debug failures in such tests in the
future, this patch adds an explanation with the original response from the
server to such HTTPClientError exceptions.
Related-bug: #2081868
Change-Id: Ice15dd05d95422236e5901865865d77925adc44d
(cherry picked from commit 4af0d333aa8732a1092ca02e01a4949a103b7371)
Before updating the Logical_Switch_Port host information, it
is necessary to check the current status of the port. If it doesn't match
the event calling this update, the host information is not updated.
Closes-Bug: #2085543
Change-Id: I92afb190375caf27c815f9fe1cb627e87c49d4ca
(cherry picked from commit c0bdb0c8a33286acb4d44ad865f0000309fc79b6)
The "ovn_revision_numbers" table has a unique constraint that is a
combination of the "resource_uuid" and the "resource_type". There is
a case where the resource_uuid can be the same for two registers.
A router interface will create a single Neutron DB register ("ports")
but it will require two OVN DB registers ("Logical_Switch_Port" and
"Logical_Router_Ports"). In this case it is needed to define the
"resource_type" when retrieving the revision number.
The exception "RevisionNumberNotDefined" will be thrown if only the
"resource_uuid" is provided in the related case.
Closes-Bug: #2085946
Change-Id: I12079de78773f7409503392d4791848aea90cb7b
(cherry picked from commit a298a37fe7ee41d25db02fdde36e134b01ef5d9a)
During the creation of SG, not to exceed the SG rule quota, the number
of default SG rules that will be automatically created must be counted.
It is always 2 (in case of the default SG, it is 4), but it is wrong
since it depends on the default SG rules.
Closes-Bug: #2067239
Change-Id: Ic86826b71c1160a6891f09ca1e40135049a8948a
(cherry picked from commit 1a440dd61b04b37d0e2a9434e802f5a1ee3c198b)
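As an added example (not Neutron's own code) of the count described above, the number of auto-created rules is derived from the default rule templates instead of the fixed 2 or 4; the template field names are assumptions modelled on the default-security-group-rules API and the template list is constructed.

```python
# Added example (not Neutron's code): count the SG rules that will be
# auto-created with a new SG from the templates, then apply the quota check.
# Field names are assumptions; the template list is constructed sample data.
DEFAULT_RULE_TEMPLATES = [
    {"direction": "egress", "ethertype": "IPv4",
     "used_in_default_sg": True, "used_in_non_default_sg": True},
    {"direction": "egress", "ethertype": "IPv6",
     "used_in_default_sg": True, "used_in_non_default_sg": True},
    {"direction": "ingress", "ethertype": "IPv4", "remote_group_id": "PARENT",
     "used_in_default_sg": True, "used_in_non_default_sg": False},
    {"direction": "ingress", "ethertype": "IPv6", "remote_group_id": "PARENT",
     "used_in_default_sg": True, "used_in_non_default_sg": False},
    # An operator-added template: SSH allowed into every new non-default SG.
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "used_in_default_sg": False, "used_in_non_default_sg": True},
]


def hardcoded_auto_rules(is_default_sg):
    """The old assumption: always 2 rules, or 4 for the project default SG."""
    return 4 if is_default_sg else 2


def count_auto_rules(templates, is_default_sg):
    """Count the templates that apply to the kind of SG being created."""
    key = "used_in_default_sg" if is_default_sg else "used_in_non_default_sg"
    return sum(1 for tmpl in templates if tmpl.get(key))


def create_allowed(used_rules, quota, templates, is_default_sg):
    """True if creating the SG keeps the project within its SG rule quota."""
    needed = count_auto_rules(templates, is_default_sg)
    return used_rules + needed <= quota


def example():
    """Constructed case: 8 of 10 rules used, creating a non-default SG."""
    return {
        "hardcoded": hardcoded_auto_rules(False),
        "actual": count_auto_rules(DEFAULT_RULE_TEMPLATES, False),
        "allowed_with_hardcoded": 8 + hardcoded_auto_rules(False) <= 10,
        "allowed_with_actual": create_allowed(8, 10, DEFAULT_RULE_TEMPLATES, False),
    }
```

With the extra SSH template the hard-coded count of 2 would let the creation through even though 3 rules are actually added, overshooting the quota.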
When a chassisredirect port is updated with chassis, the
PortBindingChassisEvent event would only update the binding
host id in the neutron database, while it is also useful to keep the
information in the OVN database up to date with the host information.
Similar to change [1], but for router's gateway ports.
[1] https://review.opendev.org/c/openstack/neutron/+/896883
Other plugins that connect to the OVN database can then also rely on the
information stored in the OVN DB.
Closes-Bug: #2083832
Change-Id: Ibe8bda2f81bda7a89e3a994db55cd394a18decb8
(cherry picked from commit 4b032bdbb2a6843b776c367486d1620ea6ae71a5)
In ML2/OVN, the subports bindings are not updated with the host
information. This patch skips the LSP update in that case.
Currently the method ``update_lsp_host_info`` is stuck executing
``_wait_for_port_bindings_host``. During this time the subport
can be deleted or removed from the trunk. That will clash with
the newer operation that tries to remove the LSP port host info
and is the cause of the related bug.
Closes-Bug: #2085462
Change-Id: Ic68f9b5aa3b06bc4e1cbfbe577efc33b4b617b45
(cherry picked from commit 63d14a3ff225faa75a825991cf0b33b2fd745b9b)
When building the security group dictionary, it is not needed to
build the security group rules objects individually. These objects
(OVO) are built along with the security group OVO and added in
the result dictionary in ``_make_security_group_dict``.
Related-Bug: #2083682
Change-Id: I66fbf8487b390f7685ef0a4e44c3f58b79cab05f
(cherry picked from commit 232d1d26ea096c1e3b5f92b46029e67689185ae1)
There are some operations where the SG DB object can be used instead of
the SG OVO. That saves conversion time, including the conversion of the
SG rule OVOs, that are child resources of the SG OVO.
This optimization applies to the following methods:
* SecurityGroupDbMixin.get_security_groups
* SecurityGroupDbMixin.update_security_group (partially)
The Nova query to retrieve the SG list in the "server list" command
has been benchmarked. The testing environment had a single SG with
250 SG rules. Call:
"GET /networking/v2.0/security-groups?id=81f64aa4-2cea-46db-8fea-cd944f106aab
&fields=id&fields=name HTTP/1.1"
* Without this patch: around 1.25 seconds
* With this patch: around 0.025 second (50x improvement).
Closes-bug: #2083682
Change-Id: Ibd032ea77c5bfbc1fa80b3b3ee9ba7d5c36bb1bc
(cherry picked from commit adbc3e23b7d2251cc7de088e2a757674a41c2f6a)
Since [1], the OVN Metadata agent has support for IPv6. If the agent
is updated, the HA proxy instances need to be reconfigured and
restarted. However, that needs to be done only once; the next time
the OVN agent is restarted, if the HA proxy instances are updated
(have IPv6 support), they won't be restarted.
[1] https://review.opendev.org/c/openstack/neutron/+/894026
Conflicts:
neutron/agent/linux/utils.py
neutron/tests/unit/agent/dhcp/test_agent.py
Closes-Bug: #2079996
Change-Id: Id0f678c7ffe162df42e18dfebb97dce677fc79fc
(cherry picked from commit 7b7f8d986a4f818d289149c6960c9eb8b62b432d)
In those Neutron objects and DB definitions where the declarative
attribute ``standard_attr_id`` is defined, use it instead of accessing
the ``standard_attr`` child object.
Closes-Bug: #2081945
Change-Id: Iadfbeff79c0200c3a6b90f785b910dc391f9deb3
(cherry picked from commit 144e140e750987a286e6adc74ff0ffad1da474d6)
Functional tests started to fail randomly with
"Too many open files". The default ulimit in the
OS is configured to 1024; increase it to 4096
to avoid these random failures.
Closes-Bug: #2080199
Change-Id: Iff86599678ebdd5189d5b56d11f3373c9b138562
(cherry picked from commit 6970f39a49b83f279b9e0479f7637d03a123a40e)
Fixes a logic error which meant that we didn't iterate over all logical
switches when associating a FIP to an OVN loadbalancer. The symptom was
that the FIP would show in neutron, but would not exist in OVN.
Closes-Bug: #2068644
Change-Id: I6d1979dfb4d6f455ca419e64248087047fbf73d7
Co-Authored-By: Brian Haley <haleyb.dev@gmail.com>
(cherry picked from commit d8a4ad9167afd824a3f823d86a8fd33fb67c4abd)
Currently, if the nova endpoint does not exist,
an exception is raised. Even if the endpoint gets created,
the notification keeps on failing until the session
expires.
If the endpoint does not exist the session is not useful,
so mark it as invalid; this will ensure that if the endpoint is
created later the notification does not fail.
Closes-Bug: #2081174
Change-Id: I1f7fd1d1371ca0a3c4edb409cffd2177d44a1f23
(cherry picked from commit 7d1a20ed4d458c6682a52679b71b6bc8dea20d07)
Since [1], the SG rule SQL view also retrieves the table
"default_security_group", using a complex relationship [2].
When the number of SG rules of a SG is high (above 50 the
performance degradation is clearly noticeable), the
API call can take several seconds. For example, for 100
SG rules it can take up to one minute.
This patch changes the load method of the SG rule
"default_security_group" relationship to "selectin".
Benchmarks with a single default SG and 100 rules,
doing "openstack security group show $sg":
* 2023.2 (without this feature): around 0.05 seconds
* master: between 45-50 seconds (1000x time increase)
* loading method "selectin" or "dynamic": around 0.5 seconds.
NOTE: this feature [1] was implemented in 2024.1. At this
time, SQLAlchemy version was <2.0 and "selectin" method was
not available. For this version, "dynamic" can be used instead.
[1] https://review.opendev.org/q/topic:%22bug/2019960%22
[2] 08fff4087d/neutron/db/models/securitygroup.py (L120-L121)
Closes-Bug: #2081087
Change-Id: I46af1179f6905307c0d60b5c0fdee264a40a4eac
(cherry picked from commit c1b05e29adf9d0d68c1ac636013a8a363a92eb85)
The method ``_extend_tags_dict`` can be called from a "list" operation.
If a resource and its "standardattr" register are deleted concurrently,
the "standard_attr" field retrieval will fail.
The "list" operation is protected with a READER transaction context;
however, this is failing with the PostgreSQL DB backend.
Closes-Bug: #2078787
Change-Id: I55142ce21cec8bd8e2d6b7b8b20c0147873699da
(cherry picked from commit c7d07b7421034c2722fb0d0cfd2371e052928b97)
If a ML2/SR-IOV port is disabled (status=DOWN), it will have precedence
on the VF link state value over the "auto" value. That will stop any
transmission from the VF.
Closes-Bug: #2078789
Change-Id: I11d973d245dd391623e501aa14b470daa780b4db
(cherry picked from commit 8211c29158d6fc8a1af938c326dfbaa685428a4a)
This patch fixes 2 issues related to the port_hardware_offload_type
extension:
1. The API extension is now not supported by the ML2 plugin directly, so if
the ml2 extension is not loaded Neutron will not report that the API
extension is available,
2. Fix error 500 when creating a port with the hardware_offload_type
attribute set but binding:profile not set (it is of type
Sentinel).
Conflicts:
neutron/plugins/ml2/plugin.py
Closes-bug: #2078432
Closes-bug: #2078434
Change-Id: Ib0038dd39d8d210104ee8a70e4519124f09292da
(cherry picked from commit fbb7c9ae3d672796b72b796c53f89865ea6b3763)
When an IPv6 only network is used as the sole network for a VM and
there are no other bound ports on the same network in the same chassis,
the OVN metadata agent concludes that the associated namespace is not
needed and deletes it. As a consequence, the VM cannot access the
metadata service. With this change, the namespace is preserved if there
is at least one bound port on the chassis with either IPv4 or IPv6
addresses.
Closes-Bug: #2069482
Change-Id: Ie15c3344161ad521bf10b98303c7bb730351e2d8
(cherry picked from commit f7000f3d57bc59732522c4943d6ff2e9dfcf7d31)
Currently, is_valid_ipv6 accepts ipv6 addresses with scope. However,
the netaddr library won't accept an address with scope. Now,
get_noscope_ipv6() can be used to avoid this situation. In the future we
will be able to use the same function, which is also being defined in
oslo.utils. https://review.opendev.org/c/openstack/oslo.utils/+/925469
Closes-Bug: #2073894
Signed-off-by: Elvira García <egarciar@redhat.com>
Change-Id: I27f25f90c54d7aaa3c4a7b5317b4b8a4122e4068
(cherry picked from commit 1ed8609a6818d99133bf56483adb9bce8c886fd6)
For the openvswitch security group, due to some extreme
case, if an ofport is processed once, the openvswitch
security driver will cache some old ofport information
with a different local vlan from the current assignment.
So this patch changes the local_vlan get method
to the port other_config; this value should be
managed by ovs_agent properly, so we can rely on
that.
Closes-Bug: #2071451
Change-Id: I7ad7df72807c95571ef3156c99072852d1c4f494
(cherry picked from commit ae587c34ab59a5717630eded2fab84413f3c1742)
Required since the Depends-On patch is included; without
it the postgres job fails with:
AttributeError: 'NoneType' object has no attribute 'id'
Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/923926
Related-Bug: #2072567
Change-Id: I8f2229eb0a9d8dce927ded004037eda93ce3650d
(cherry picked from commit f17cc24e8adb2bf18af32a45a44e68790c50dc6b)