If one runs the lbaas agent from packages and does not have the l3-agent
installed on the same box as the lbaas agent it will fail to add the
default gw route. This is because it's missing the rootwrap filter for
route which is only present in l3.filters.
Conflicts:
    etc/neutron/rootwrap.d/lbaas-haproxy.filters
Change-Id: I59cd0a549a1f1d1564d139d42daf55d02898bf76
Closes-bug: 1325406
(cherry picked from commit c9a0eaacaa)

The section name [security_group] in Sample config files of
ML2 and Big Switch plugins was wrong and it should be
[securitygroup].
Change-Id: I8204b2f37f96a5e46038e117853ac8637a9705fd
Closes-Bug: #1304105
(cherry picked from commit ec24d2cb3a)

Replace HTTPSConnection in NEC plugin PFC driver with Requests.
SSL Verification is from now on enabled by default.
This changes the default behaviour and is the primary intention of this
change: verify SSL certificates.
This might break existing configuration/setups where the SSL certificate
used by the NEC PFC driver would not pass the verification.
SecurityImpact
DocImpact
Partial-Bug: 1188189
Change-Id: I1e5fdc9c2ed5b812aa6509d1639bd499acc5c337
(cherry picked from commit 264b4a2523)

Using noop driver to disable security group is confusing.
In this commit, we introduce enable_security_group in server side.
DocImpact
UpgradeImpact
Implements bp: security-group-config-cleanup
Related-Bug: 1112912
Change-Id: Ice44a4e2a519c64e613eeb24372de46726473339

A backend OpenFlow controller nec plugin talks to can return
503 response with retry-after header when it is busy.
It is better to honor retry-after header to avoid unnecessary
user-visible errors due to temporary busy condition.
Change-Id: I2ff1c3ac8402a2207bd955e9a9bb61e147950c5c
Closes-Bug: #1294527
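Added example (not part of the commit above or of the NEC plugin): one way a REST client can honor `Retry-After` on a 503, in Python. The `send` callable, the `MAX_WAIT` cap and `default_wait` are assumptions made for illustration; the cap bounds how long a server-supplied value can stall the caller.

```python
import email.utils
import time
from datetime import timezone

MAX_WAIT = 30.0  # assumed cap: never trust a server-supplied delay blindly


def retry_after_seconds(value, now=None):
    """Parse a Retry-After value (delta-seconds or HTTP-date).

    Returns seconds clamped to [0, MAX_WAIT], or None if unparseable.
    """
    if value is None:
        return None
    value = value.strip()
    if value.isascii() and value.isdigit():
        delay = float(value)
    else:
        try:
            when = email.utils.parsedate_to_datetime(value)
        except (TypeError, ValueError):
            return None
        if when.tzinfo is None:  # "-0000" dates parse as naive; treat as UTC
            when = when.replace(tzinfo=timezone.utc)
        delay = when.timestamp() - (time.time() if now is None else now)
    return min(max(delay, 0.0), MAX_WAIT)


def call_with_retry(send, max_attempts=3, default_wait=1.0, sleep=time.sleep):
    """Call send() until it stops answering 503 or attempts run out.

    send() is a hypothetical callable returning (status, headers, body),
    with headers as a dict keyed by "Retry-After".
    Returns (status, body, attempts_used).
    """
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if status != 503 or attempt == max_attempts:
            return status, body, attempt
        wait = retry_after_seconds(headers.get("Retry-After"))
        sleep(default_wait if wait is None else wait)
```
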
Add temporary solution in order to support multiple physical networks
by mlnx ML2 MechanismDriver.
Due to non merged patches in nova that should support propagating
physical_network retrieved from port binding:profile attribute
to VIF/Network object.
The code will be removed once relevant nova patches are merged.
The code is disabled by default and should be enabled via
ml2_conf_mlnx.ini config file.
Change-Id: I815f9e28774efd47bccd1c57481e6ba89075792b
Closes-bug: #1291209

Multiple plugins under metaplugin become 'q-plugin' topic
consumers and a request from an agent is handled by one of
them randomly. Fortunately most of RPC callbacks are common
for plugins but a problem occurs if an RPC is not supported
by the received plugin.
This is one of risks when using metaplugin. Fundamental fix
of this problem (such as RPC delegation handling of metaplugin)
is difficult since each plugin needs to be modified.
But when only one plugin has plugin specific RPCs and other
RPCs are independent of plugins, if the plugin can be selected
for RPC handling, the problem does not happen. Typical use
case of metaplugin such as combination of an agent-based
plugin and a controller-based plugin often applies to this
condition.
This patch adds 'rpc_flavor' configuration parameter to
select an RPC handling plugin. If 'rpc_flavor' is specified,
only the specified plugin becomes 'q-plugin' topic consumer.
If 'rpc_flavor' is not specified, the behavior is same as
previous one.
Change-Id: If133b054bba53829cebe63c1e0ebe6099eb1fd95
Closes-bug: #1267330
DocImpact

This is the device driver for the vendor specific VPNaaS plugin. This
change relies on the service driver code (review 74144), which is also
out for review.
Note: Support for sharing of IKE/IPSec policies (which is currently
prevented by the service driver code), will be done as a later
enhancement.
Note: Needs Tempest tests updated/created to test this.
Note: To run, this needs an out-of-band Cisco CSR installed and
configured.
Note: This uses a newer version of requests library and a new httmock
library. Until these are approved (75296), the UT will be
renamed to prevent testing the REST client API to the CSR.
Change-Id: I4f73f7fa1bfcdc89a35ffe63dd253f8eede98485
Partially-Implements: blueprint vpnaas-cisco-driver

The replication mode on switches and routers should have been configurable
to use source replication if one did not want to deploy service node(s).
This patch fixes that by making this option configurable.
Change-Id: Id9e8043c602b5e9349c10247eab993e59db5a52c
Closes-bug: #1285383

Adding support for l3 extensions and security-groups.
Change-Id: I7007dba1cc8f73496a2a40099581d07ae697520a
Implements: blueprint oc-nvsd-neutron-plugin

One Convergence Neutron Plugin implements Neutron API to provide a network
virtualization solution. The plugin works with One Convergence NVSD controller
to provide the functionality. This checkin implements the Neutron core APIs
and the plugin will be extended to support the L3 and service plugin extension
APIs.
Change-Id: Ic8a0dc0f5950d41b9b253c0d61b6812dbfd161c7
Implements: blueprint oc-nvsd-neutron-plugin

This patch adds the option to use SSL certificate
validation on the backend controller using SSH-style
sticky authentication, individual trusted
certificates, and/or certificate authorities.
Also adds caching of connections to deal with
increased overhead of TLS/SSL handshake.
Default is now sticky-style enforcement.
Partial-Bug: 1188189
Implements: blueprint bsn-certificate-enforcement
Change-Id: If0bab196495c4944a53e0e394c956cca36269883
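Added example, not code from this commit or from the Big Switch plugin: the SSH-style sticky (trust-on-first-use) check that the message describes, in Python. The class and method names, the SHA-256 fingerprint and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac


class CertificateMismatch(Exception):
    """The server's certificate is unknown or differs from the pinned one."""


class StickyCertStore:
    """Trust-on-first-use store: host -> SHA-256 fingerprint of the DER cert."""

    def __init__(self, pins=None, allow_first_use=True):
        self.pins = dict(pins or {})
        self.allow_first_use = allow_first_use

    @staticmethod
    def fingerprint(der_cert):
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, host, der_cert):
        """Return 'pinned' on first contact, 'match' afterwards; raise on change."""
        seen = self.fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            if not self.allow_first_use:
                raise CertificateMismatch("%s has no pinned certificate" % host)
            self.pins[host] = seen  # first contact: remember this certificate
            return "pinned"
        if not hmac.compare_digest(known, seen):
            raise CertificateMismatch(
                "%s: pinned %s, presented %s" % (host, known, seen))
        return "match"


def demo():
    # Constructed stand-ins for DER certificates; in real use the bytes come
    # from ssl.SSLSocket.getpeercert(binary_form=True) after the handshake.
    original, swapped = b"constructed-cert-A", b"constructed-cert-B"
    store = StickyCertStore()
    results = [store.check("controller.example", original),
               store.check("controller.example", original)]
    try:
        store.check("controller.example", swapped)
    except CertificateMismatch:
        results.append("rejected")
    return results
```

Seeding `pins` out of band and passing `allow_first_use=False` removes the window in which a first connection is accepted without any prior knowledge of the certificate.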
If the controller supports it, pass a hash to the
controller indicating the expected state that a
REST transaction is updating. If the state is
inconsistent, the controller will return an error
indicating a conflict and the plugin/driver will
trigger a full synchronization.
For controllers that don't support the consistency
hash, trigger a full background synchronization
if the plugin tries to create a port and receives
a 404 error due to the parent network not existing.
Implements: blueprint bsn-auto-resync
Change-Id: I07c92b011453f6bf81b8ee12661170817287cdd7

This commit adds support for OpenDaylight as an ML2 MechanismDriver. The
ODL MechanismDriver does not need an agent since ODL itself handles
programming bridges, tunnels, and ports on the host.
Implements bp ml2-opendaylight-mechanism-driver
Change-Id: Ic1612cd3e8efd39e74a7ed8cff28e91b1f388971

This patch bumps the state_sync_interval from 120 seconds to 10 seconds
so that resources' operation status is synced to the db quicker. This cuts
the amount of time that tempest takes to run by half.
Closes-bug: 1285338
Co-Authored-By: Salvatore Orlando <salv.orlando@gmail.com>
Change-Id: I494a6f95c2321befc3c0bfedc719e18a1826d9d5

This commit adds support for currently provided Mellanox Plugin
embedded switch functionality as part of the VPI (Ethernet/InfiniBand)
HCA as an ML2 MechanismDriver.
MechanismDriver adds support for VNIC_DIRECT and VNIC_MACVTAP vnic types.
MechanismDriver provides configurable default vif_type for neutron port created
with default VNIC_NORMAL vnic type till nova api support for vnic_type is available.
Implements blueprint mlnx-ml2-support
Change-Id: I16ad318f095b7af879e1b99dcc7f5f9e92facd2b

This adds ML2 mechanism driver controlling OpenFlow switches
and an agent using Ryu as OpenFlow Python library.
- An agent acts as an OpenFlow controller on each compute node.
- OpenFlow 1.3 (vendor agnostic unlike OVS extensions).
Implements: blueprint ryu-ml2-driver
Change-Id: I6a8168d24f911996639179d91c4da49151751057

Makes rest calls for port creation an async
operation so create_port calls immediately
return in a BUILD state.
Implements: blueprint bsn-port-async
Change-Id: Ib512a846fa878ec33205df08a3b2464b7ea0941a

Adds a BigSwitch Agent responsible for supporting
neutron security groups on the compute node. Adds
the mixin classes to the plugin to support the
security group calls.
Implements: blueprint bsn-neutron-sec-groups
Change-Id: I3a09888a3ba7d565c2dce8293821919c1e5d0d15

It adds a new plugin for SDN-VE, the IBM SDN
controller. The plugin supports the core API
and the port binding and L3 extensions.
Implements: blueprint ibm-sdn-ve-plugin
DocImpact
Change-Id: I92619a95bca2ae0c37e7fdd39da30119b43d1ad6

This patch changes tenant network type usage for InfiniBand Fabric
to vlan type. Add the indication of Fabric Type (Ethernet/InfiniBand)
to the provider_network via the plugin configuration file.
If physical network type is not specified for some provider network
listed in the network_vlan_ranges, use default physical network type.
Co-authored-by: Roey Chen <roeyc@mellanox.com>
Change-Id: Id45acfb8234359a43303c2eee2205a44998c039a
Closes-Bug: 1263638

"l3_plugin_list" configuration parameter of the metaplugin is permitted
blank now.
If "l3_plugin_list" is blank, router extension and extensions which extend
the router extension are not included in "supported-extension-aliases" of
the metaplugin.
This makes the metaplugin be able to be used with a router service plugin.
Note that if "l3_plugin_list" is not blank, a router service plugin must
not be specified, otherwise the error of the bug report still occurs.
This patch also removes some meaningless router extension related code.
(e.g. external-net extension belongs to L2 functionality and is handled
by core plugins properly.)
Closes-bug: 1266347
DocImpact
Change-Id: I0454bc0a4bd7eda5dad18b0538fb7baebe0b9f91

No functionality change. Separates the config,
rest call, and backend server management from
the main plugin.py file. Necessary to make
downstream patches more manageable and easier
to review.
Implements: blueprint bigswitch-separate-server-module
Change-Id: Ie1fd18a9d8cde24945513c06f7b62239202258a3

The "Sample Configurations" section of ovs_neutron_plugin.ini
has uppercased section headers. In Havana the section headers
were normalized to lowercase, but the sample configs were never
updated.
Change-Id: Ic33392788317adcd6eb86caeef4f25aa4a3d10c8
Closes-Bug: #1279418

This is a feature patch (3 of 3) that introduces support for
transitioning existing NSX-based deployments from the agent
based model of providing dhcp and metadata proxy services
to the new agentless based mode. In 'combined' mode, existing
networks will still be served by the existing infrastructure,
whereas new networks will be served by the new infrastructure.
Networks may be migrated to the model using a new CLI tool
provided, called 'neutron-nsx-manage'. Currently the tool
provides two admin-only commands:
    neutron-nsx-manage net-report <net-id-or-name>
This will check that the network can be migrated and returns
the resources currently in use. And:
    neutron-nsx-manage net-migrate <net-id-or-name>
This will move the network over to the new model and deallocate
resources from the agent. Once a network has been migrated
there is no turning back.
Completes-blueprint nsx-integrated-services
Change-Id: I37c9aa0e76124e1023899106406de7be6714c24d

It looks like sdist does not support symlinks, therefore
letting nvp.ini point to nsx.ini is not a good solution.
Since nvp.ini is going away, leave a copy for now, but
add a warning so that users are aware of the switch,
whilst preserving full backward-compatibility.
Closes-bug: #1266555
Change-Id: Id98c41145712583072a8e63a5de31ecc1074e420

- Every config item prefixed with nvp is prefixed with nsx
- deprecation qualifiers are added to preserve bw compatibility
- nicira/nvp.ini is renamed to vmware/nsx.ini
- symlink nicira/nvp.ini is created to point to vmware/nsx.ini
- UT added to verify that nvp.ini and old config items can still
be parsed correctly; bw-compat will be dropped in Juno
Partial-implements blueprint nicira-plugin-renaming
Change-Id: I676b868e61064cc5ff17e2246e83ba5c5e4a3449

This is a feature patch (2 of 3) that adds support for
Metadata services provided by the NSX (aka NVP) platform.
It also implements the handling of port events so that
dhcp and metadata configuration in NSX/NVP is updated
if port attributes such as fixed_ips and device_id are
updated.
Partial-implements blueprint nsx-integrated-services
Change-Id: Id2b9125b49c0e15e717605ec6ba3dea5d32ee755

As root_helper is defined in neutron.conf, root_helper in plugin ini
is unnecessary and brings confusion when configuring the parameter.
This patch updates plugin ini of NEC plugin and Brocade plugin.
Change-Id: I5b1c36d8d6ffc20ae0b4191a73aaa51f2b3d9a1b
Closes-Bug: #1259242