244 Commits

Author SHA1 Message Date
Jenkins
1b24e8761b Merge "adds support for vhost user reconnect." 2017-01-27 02:08:11 +00:00
Miguel Angel Ajo
38c1812015 Transition qos notification driver into qos driver
This will deprecate the notification_driver config setting,
and no config setting will be needed.

Also it lays down the foundation for a more decoupled interaction
with mechanism drivers.

Closes-Bug: #1657379
Related-Bug: #1627749
DocImpact

Change-Id: I2f166a43f0b980ad22617f8a3f7b4cc7f4786c48
2017-01-25 14:13:36 +01:00
Jenkins
4157c2888e Merge "Linux Bridge: driver support for QoS egress minimum bandwidth" 2017-01-25 10:13:03 +00:00
Jenkins
96a51ad742 Merge "Add a ReST client for placement API" 2017-01-20 00:17:40 +00:00
Jenkins
6f1c727267 Merge "Remove deprecated dhcp_domain from dhcp_agent.ini" 2017-01-19 08:41:02 +00:00
Miguel Lavalle
ebe62dcd33 Add a ReST client for placement API
This patchset adds a ReST client for the placement API. This
client is used to update the IPv4 inventories associated with
routed networks segments. This information is used by the
Nova scheduler to decide the placement of instances in hosts,
based on the availability of IPv4 addresses in routed
networks segments

DocImpact: Adds [placement] section to neutron.conf with two
           options: region_name and endpoint_type

Change-Id: I2aa614d4e6229161047b08c8bdcbca0e2e5d1f0b
Partially-Implements: blueprint routed-networks
2017-01-17 16:41:46 -06:00
Assaf Muller
dd5aca38f9 Remove deprecated min_l3_agents_per_router
The option was deprecated [1] for removal in Newton
and is being removed in Ocata.

[1] Deprecated in patch with Gerrit Change-Id of:
    I8a5fc74a96c784d474aefe2d9b27eeb66521ca82

DocImpact remove all references to the option.

Change-Id: I3a9195ff6fd18fad9f85cec03a632e7e52d954e7
Closes-Bug: #1555042
2017-01-16 14:25:22 -05:00
Rodolfo Alonso Hernandez
84b3ae3ae9 Linux Bridge: driver support for QoS egress minimum bandwidth
This patch provides the Linux Bridge agent driver the ability to control
Linux Traffic Control (TC) to set the minimum required transmission rate
for an interface.

The TC library is refactored to use HTB qdiscs. This allows TC to
define, for several flows in the same interface, the maximum and the
minimum network bandwidth and the burst size.

To be able to do traffic shaping (instead of policing) for ingress
traffic, a new element, the Intermediate Functional Block device (IFB)
is introduced.

DocImpact
Partial-Bug: #1560963

Change-Id: I4d4db54519f1435068d1af38819404d1e5d9cd52
2017-01-13 15:44:16 +00:00
Sean Mooney
ca60a91cbd adds support for vhost user reconnect.
- vhost-user reconnect is a new feature added
  in dpdk 16.07 and qemu 2.7.
- vhost-user reconnect allows VMs using vhost-user
  interfaces to reconnect to the vhost-user backend if
  the backend terminates either as a result of a graceful
  shutdown or a crash without requiring the vm to reboot.
- vhost-user reconnect requires qemu to be the vhost-user server
  and ovs to be the client.
- dpdk prior to 16.07 only supports qemu client / dpdk server mode.
- This change extends the ovs mech driver to select the correct qemu
  vhost user socket mode based on the available interface types
  reported by the agent.

Change-Id: Iec89eaa597311e086c5f6e8d67308d446b07ac33
Closes-Bug: #1604924
Depends-on: Ia5da5b3ef28d1b23b217adc5196199df47b54ed9
2017-01-10 13:20:29 +00:00
Ihar Hrachyshka
b09a380f95 Remove advertise_mtu config option
It was deprecated in Newton timeframe. Now we just clean it up from the
tree.

DocImpact: Any advertise_mtu option notions in documentation should be
removed.

UpgradeImpact: After upgrade, all DHCPv4 subnets will see the MTU option
served via corresponding DHCPv4 option. Also, all IPv6 subnets connected
to routers will see MTU set in Router Advertisement messages.

NeutronLibImpact: This patch will break any 3rd-party plugins that directly
access the configuration option.

Change-Id: I31e15018fe764de0fe4d6de7da3c1d9f2cc1d532
2017-01-09 22:17:09 +00:00
Jenkins
7836516808 Merge "Allow keystone v3 in the designate driver" 2016-12-23 16:23:48 +00:00
Jenkins
77de472680 Merge "Adopt privsep and read routing table with pyroute2" 2016-12-22 12:00:03 +00:00
Omer Anson
9183da7c96 Adopt privsep and read routing table with pyroute2
Make use of oslo.privsep to support namespaces. This includes all
relevant code necessary for oslo.privsep to work.

Change ip_lib's get_routing_table method to use pyroute2, rather than
parsing the output of 'ip route'.

Change-Id: I89bfa3dbf1776da973cfca389b2841019a520f75
Partial-Bug: 1492714
Co-Authored-By: Angus Lees <gus@inodes.org>
2016-12-21 17:52:58 +02:00
Daniel Alvarez
1d38f30555 Kill processes when cleaning up namespaces
This patch will kill processes that are listening on any port/UNIX
socket within the namespace to be cleaned up. To kill them it will
issue a SIGTERM to them (or to their parents if they were forked) and,
if they don't die after a few seconds, a SIGKILL to them and all their
children.

This is intended for those cases when there's no specific cleanup and
serves as a fallback method.

Change-Id: I4195f633ef4a1788496d1293846f19eef89416aa
Partial-Bug: #1403455
2016-12-20 10:52:41 +00:00
Jenkins
640b127a5a Merge "Fix typo in release note filename" 2016-12-20 10:43:26 +00:00
Jenkins
aa8b017911 Merge "Fix DHCP Port Creation on Service Subnets" 2016-12-19 11:35:14 +00:00
Jenkins
920ddeaf58 Merge "DSCP packet marking support in Linuxbridge agent" 2016-12-13 23:04:24 +00:00
Jenkins
2d6422ba3b Merge "Correctly configure IPv6 addresses on upgrades" 2016-12-13 23:00:16 +00:00
Sławek Kapłoński
fd3bf3327c DSCP packet marking support in Linuxbridge agent
Linuxbridge agent uses iptable rules in POSTROUTING chain
in the mangle table to mark outgoing packets with the
DSCP mark value configured by the user in QoS policy.

DocImpact: DSCP Marking rule support is extended to the
           Linuxbridge L2 agent

Closes-Bug: #1644369

Change-Id: I47e44cb2e67ab73bd5ee0aa4cca47cb3d07e43f3
2016-12-13 11:14:27 +00:00
John Davidge
1800ae63c2 Fix DHCP Port Creation on Service Subnets
This changes the IPAM logic for service subnets to allow DHCP ports
to be created on subnets of any service type, provided that the subnet
has DHCP enabled. This ensures that DHCP ports can still be created
automatically on 'nova:compute' service subnets, for example.

DocImpact

Change-Id: I736262f2a7d3f3d7dfdc5276e2364aca7187d18b
Closes-Bug: #1636963
2016-12-12 12:40:03 +00:00
Jenkins
fe9541f224 Merge "Add janitor to cleanup orphaned fip ports" 2016-12-10 02:29:09 +00:00
Jenkins
a405b42a03 Merge "Trivial Fix - Update code to use Pike as the code name" 2016-12-07 22:13:35 +00:00
Brian Haley
6578c531ad Remove deprecated dhcp_domain from dhcp_agent.ini
The dhcp_domain value in dhcp_agent.ini had been
marked for deprecation in favor of using dns_domain in
neutron.conf back in Liberty [1].  Remove it.

[1] https://review.openstack.org/#/c/200952/

Change-Id: Iebde452559f88ca95713664136da1613cac9b32c
Closes-bug: #1583769
2016-12-07 15:37:57 -05:00
Brian Haley
21bb776670 Correctly configure IPv6 addresses on upgrades
When starting the dhcp-agent after an upgrade, there could
be stale IPv6 addresses in the namespace that had been
configured via SLAAC.  These need to be removed, and the
same address added back statically, in order for the
agent to start up correctly.

To avoid the race condition where an IPv6 RA could arrive
while we are making this change, we must move the call
to disable RAs in the namespace from plug(), since devices
may already exist that are receiving packets.

Uncovered by the grenade tests.

Change-Id: I7e1e5d6c1fa938918aac3fb63888d20ff4088ba7
Closes-bug: #1627902
2016-12-07 12:32:06 -05:00
Kevin Benton
6948467b77 Add janitor to cleanup orphaned fip ports
This adds a janitor worker to the L3 DB module that
will run every 5 minutes looking for floating IP ports
with the device_id of 'PENDING'. If it finds any, it
will keep track of the port ID to see if any stay in
'PENDING' with the next iteration.

If the device ID is still PENDING after 5 minutes, it
means one of two things has happened. Either the server
died after creating the floating IP port, but before
creating the floating IP itself; or, it died after creating
the floating IP port and the floating IP record, but before
updating the device_id of the floating IP port to the
floating IP ID.

The janitor handles both cases by deleting the floating IP
port if it has no associated floating IP and by updating
the floating IP port device ID if it does have an associated
floating IP.

Related-Bug: #1540844
Closes-Bug: #1648098
Change-Id: I684a822553a5a0c54513ca7d20ccaf3c74180593
2016-12-07 11:38:29 -05:00
Gyorgy Szombathelyi
91d048dbde Allow keystone v3 in the designate driver
Using the loader from keystoneauth1, it is possible to easily use
keystone v3 options in [designate].
For the end user, it means she/he must specify designate.auth_type,
then she/he can specify a Keystone v3 endpoint in designate.auth_url.

Change-Id: I8bb02f11e60767dacdf6ac852979cfa82de1e08b
Closes-bug: #1585976
DocImpact
2016-12-05 17:54:41 +01:00
Ihar Hrachyshka
61eb74af31 Remove allow_pagination and allow_sorting config options
They were deprecated in Newton. This patch cleans them up.

Note: it does not mean that the features will not work anymore. On the
contrary, now API will consistently sort and paginate for plugins that
honour the relevant sorting/pagination parameters.

Note2: base resource controller still allows passing
allow_pagination=False and allow_sorting=False parameters to disable the
features if a registered plugin does not support the features yet.

Change-Id: I5fd30b20f645846d9366740372c4815c4b33e2eb
Related-Bug: #1566514
2016-11-29 12:34:19 +00:00
Jenkins
6c46e55232 Merge "Revert "Deprecate SR-IOV 'physical_device_mappings' config option"" 2016-11-29 07:28:58 +00:00
Moshe Levi
b25e29ca24 Revert "Deprecate SR-IOV 'physical_device_mappings' config option"
There are still valid use cases to keep using physical_device_mappings
config option. We still want to allow neutron user to restrict physnets,
for example, if API user does not enforce compatible segments chosen for
a SR-IOV port.

This reverts commit 03b84bc920b5499e1fef23c646268fffa1d859d7.

Change-Id: Ic373a0ab62c610fae1cbdaf489ba27e9cf02ba5b
2016-11-28 13:25:08 +00:00
Henry Gessau
562b6380b8 Remove legacy oslo.messaging.notify.drivers
These were deprecated in https://review.openstack.org/247906

Now that Liberty is EOL we can remove these legacy entrypoints.

Closes-Bug: #1639103

Change-Id: I94e61cb219b23ce2f5d0f34dc9ae1c87650568bd
2016-11-23 16:07:57 +00:00
Nguyen Hung Phuong
9dbaf1c488 Trivial Fix - Update code to use Pike as the code name
This patch updates code to use Pike as the code name:

Pike is the code name for the P release
Ocata is the code name for the O release

Change-Id: Iec8494b40fed2d427c1edf4609f8b3dd8c770dce
2016-11-17 10:08:34 +07:00
Gary Kotton
653972f548 Fix typo in release note filename
deivce => device

TrivialFix

Change-Id: Id69951958d9d74e51c1cab9b992d286c8e852713
2016-11-14 07:49:57 -08:00
Jenkins
1edd34f7c2 Merge "Deprecate SR-IOV 'physical_device_mappings' config option" 2016-11-13 17:22:46 +00:00
Jakub Libosvar
4fdd89e94f l3-ha: Send gratuitous ARP when new floating IP is added
We rely on keepalived to send gratuitous ARPs when floating IP is added.
Older versions of keepalived up to 1.2.20 (exclusive) contain bug [1] where
keepalived does not send GARP on receiving SIGHUP. Unfortunately, newer
versions containing the fix are not packaged yet for some distributions
like RHEL or CentOS or Ubuntu Xenial, so this patch adds a workaround for
such distributions until new packages are available.

The patch also sets net.ipv4.ip_nonlocal_bind kernel parameter to 0 for
Snat and HA router namespaces in order to avoid sending gratuitous ARPs
for IP addresses that are not bound to the interface anymore - possibly
because of failover or removal. Note that kernels < 3.19 contain a bug
where this knob is missing. In case it attempts to set the parameter and
it's missing on the system, it doesn't set the knob in root
namespace like it's done for fip namespaces, but only issues a warning
message.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1391553

Change-Id: Ieab53624dc34dc687a0e8eebd84778f7fc95dd77
Closes-bug: 1639315
2016-11-10 15:27:21 -05:00
Edan David
03b84bc920 Deprecate SR-IOV 'physical_device_mappings' config option
The device to physnet validation is made in Nova by pci_whitelist config option.
Therefore it is redundant to validate it in Neutron with physical_device_mappings
config option.

Closes-Bug: #1640220
DocImpact

Change-Id: I5f363347b327212a49a9b78a7164c11d9e457b10
2016-11-08 18:27:02 +00:00
Ihar Hrachyshka
6b59cc72a4 Deprecate send_arp_for_ha option
It puzzles me why we would want to have it configurable. Having it = 0
is just plain bad (it breaks a floating IP roaming around HA routers),
having it = 1 may be unsafe if clients miss the update, having it more
than 3 (the default) is probably wasteful. That makes me think that
maybe we should not have it in the first place.

The patch that introduced the option also introduced the feature itself,
and does not provide any clue around why we would need it:
I125dbc57b90027dc5e99ff0a5d6877843a0b02a5

Maybe the option is in the tree because, in Assaf Muller's words, "we're
a bunch of lazy developers that like to shift the responsibility to our
poor users that have to deal with thousands of configuration options".

I suggest we just move with deprecation and removal here.

Change-Id: I9d12b8f4c25ddf91312153f236915c0c14302e2d
Related-Bug: #1639879
2016-11-07 19:51:58 +00:00
Jenkins
22bb0b9b36 Merge "Removes remaining Hyper-V plugin" 2016-10-26 10:18:04 +00:00
Jenkins
a6c5737eb7 Merge "iptables: fail to start ovs/linuxbridge agents on missing sysctl knobs" 2016-10-21 02:14:02 +00:00
Juan Antonio Osorio Robles
19c354aacd Add http_proxy_to_wsgi to api-paste
This sets up the HTTPProxyToWSGI middleware in front of Neutron-API. The
purpose of this middleware is to set up the request URL correctly in
case there is a proxy (for instance, a loadbalancer such as HAProxy)
in front of Neutron.

So, for instance, when TLS connections are being terminated in the
proxy, and one tries to get the versions from the / resource of
Neutron, one will notice that the protocol is incorrect; it will show
'http' instead of 'https'. So this middleware handles such cases,
thus helping Keystone discovery work correctly.

The HTTPProxyToWSGI is off by default and needs to be enabled via a
configuration value.

Change-Id: Ice9ee8f4e04050271d59858f92034c230325718b
Closes-Bug: #1590608
2016-10-14 11:24:03 +03:00
Claudiu Belu
03be4044f8 Removes remaining Hyper-V plugin
The Hyper-V Neutron plugin was fully decomposed from neutron
and moved into the networking-hyperv project.

The only thing that remained was a debtcollector move for the
HyperVSecurityGroupsDriver, in order to prevent deployments from
breaking when upgrading to Mitaka or Newton from older versions.

Co-Authored-By: Gary Kotton <gkotton@vmware.com>

Change-Id: Iddc14fc4c52ba1a851e79bcd4cf4f09c63b52312
2016-10-12 09:17:41 -07:00
Jenkins
571999037f Merge "New option for num_threads for state change server" 2016-09-28 14:59:55 +00:00
Ihar Hrachyshka
e83a44b96a iptables: fail to start ovs/linuxbridge agents on missing sysctl knobs
For new kernels (3.18+), bridge module is split into two pieces: bridge
and br_netfilter. The latter provides firewall support for bridged
traffic, as well as the following sysctl knobs:

* net.bridge.bridge-nf-call-arptables
* net.bridge.bridge-nf-call-ip6tables
* net.bridge.bridge-nf-call-iptables

Before kernel 3.18, any brctl command was loading the 'bridge' module
with the knobs, so at the moment where we reached iptables setup, they
were always available.

With new 3.18+ kernels, brctl still loads 'bridge' module, but not
br_netfilter. So bridge existence no longer guarantees us knobs'
presence. If we reach _enable_netfilter_for_bridges before the new
module is loaded, then the code will fail, triggering agent resync. It
will also fail to enable bridge firewalling on systems where it's
disabled by default (examples of those systems are most if not all Red
Hat/Fedora based systems), making security groups completely
ineffective.

Systems that don't override default settings for those knobs would work
fine except for this exception in the log file and agent resync. This is
because the first attempt to add an iptables rule using 'physdev' module
(-m physdev) will trigger the kernel module loading. In theory, we could
silently swallow missing knobs, and still operate correctly. But on
second thought, it's quite fragile to rely on that implicit module
loading. In the case where we can't detect whether firewall is enabled,
it's better to fail than hope for the best.

An alternative to the proposed path could be trying
to fix broken deployment, meaning we would need to load the missing
kernel module on agent startup. It's not even clear whether we can
assume the operation would be available to us. Even with that, adding a
rootwrap filter to allow loading code in the kernel sounds quite scary.
If we would follow the path, we would also hit an issue of
distinguishing between cases of built-in kernel module vs. modular one.
A complexity that is probably beyond what Neutron should fix.

The patch introduces a sanity check that would fail on missing
configuration knobs.

DocImpact: document the new deployment requirement in operations guide
UpgradeImpact: deployers relying on agents fixing wrong sysctl defaults
               will need to make sure bridge firewalling is enabled.
               Also, the kernel module providing sysctl knobs must be
               loaded before starting the agent, otherwise it will fail
               to start.

Depends-On: Id6bfd9595f0772a63d1096ef83ebbb6cd630fafd
Change-Id: I9137ea017624ac92a05f73863b77f9ee4681bbe7
Related-Bug: #1622914
2016-09-26 14:49:05 +00:00
venkata anil
70ea188f5d New option for num_threads for state change server
Currently the max number of client connections (i.e. greenlets spawned at
a time) opened at any time by the WSGI server is set to 100 with
wsgi_default_pool_size[1].

This configuration may be fine for neutron api server. But with
wsgi_default_pool_size(=100) requests, state change server
is creating heavy cpu load on agent.
So this server (which runs on agents) needs a lesser value, i.e. it
can be configured to half the number of CPUs on the agent.

We use "ha_keepalived_state_change_server_threads" config option
to configure number of threads in state change server instead of
wsgi_default_pool_size.

[1] https://review.openstack.org/#/c/278007/

DocImpact: Add new config option -
ha_keepalived_state_change_server_threads, to configure number
of threads in state change server.

Closes-Bug: #1581580
Change-Id: I822ea3844792a7731fd24419b7e90e5aef141993
2016-09-23 17:07:12 +00:00
YAMAMOTO Takashi
e80112ca62 Fix a release note typo for implicit provider loading deprecation
Don't repeat --config-dir option twice.

Related-Bug: #1492069
Related-Bug: #1599936
Change-Id: I002b80ba8e5496c164d08357e4cce9e0b4abf5cf
2016-09-21 16:44:08 +09:00
Jenkins
52d4ed22ea Merge "DHCP: enhance DHCP release log" 2016-09-20 00:24:18 +00:00
Gary Kotton
d9cc6deac6 DHCP: enhance DHCP release log
Commit 2aa23de58f55f7b1001508326c5ac2627ba3a429 added in a warning
in the event that a release failed. This would have no information
that can help anyone deal with it.

Also updated the release note to include a recommendation to use
a version of dnsmasq including dhcp_release6 on an upgrade, so
that the warning we are logging here will not happen.

Closes-bug: #1619535
Change-Id: Ia73dcf5170aaf3f874a6abe83fefb8e85b6e67e3
2016-09-16 19:49:51 +00:00
Jenkins
c0d379f047 Merge "Include timezone in timestamp fields" 2016-09-16 16:35:34 +00:00
Jenkins
1a51051836 Merge "Add release note for blueprint vlan-aware-vms" 2016-09-15 08:49:47 +00:00
Kevin Benton
424a633fd9 Include timezone in timestamp fields
The Neutron 'created_at'/'updated_at' fields on API resources
were inconsistent with other OpenStack projects because we did
not include timezone information. This patch addressed that
problem by adding the zulu time indicator onto the end of the
fields.

Because this could break clients expecting no timezone, this patch
also eliminates the 'timestamp_core' and 'timestamp_ext' extensions
and consolidates them into a new 'timestamp' extension. This makes
the change discoverable via the API.

This is assuming the current API development paradigm where
extensions can come and go depending on the deployment and the client
is expected to handle this by checking the loaded extensions.
Once we decide extensions are permanent, this type of change will
no longer be possible.

Even though this is being proposed late in the cycle, it is better
to get this change in before the release where we expose even more
resources with incorrectly formatted timestamps.

APIImpact
Closes-Bug: #1561200
Change-Id: I2ee2ed4c713d88345adc55b022feb95653eec663
2016-09-14 12:04:15 -07:00
Dariusz Smigiel
dd5976b7ab Accept and return project_id for API calls
Update the API to accept project_id in requests and return
project_id in responses.

For now, the API treats tenant_id and project_id equivalently.
It accepts either or both in requests.
It returns both in responses, depending on filters.

We include an extension to indicate that support for project_id
is enabled in the API.

Completes: blueprint keystone-v3

APIImpact: Describe how the Networking API supports Keystone V3.

Co-Authored-By: Henry Gessau <HenryG@gessau.net>
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>

Change-Id: I8775aa8a477191ef21e7c3c6da31d098befefc3c
2016-09-12 19:23:53 +00:00