If one runs the lbaas agent from packages and does not have the l3-agent
installed on the same box as the lbaas agent it will fail to add the
default gw route. This is because it's missing the rootwrap filter for
route which is only present in l3.filters.
(cherry picked from commit c9a0eaacaa)
The section name [security_group] in Sample config files of
ML2 and Big Switch plugins was wrong and it should be
(cherry picked from commit ec24d2cb3a)
Replace HTTPSConnection in NEC plugin PFC driver with Requests.
SSL Verification is from now on enabled by default.
This changes the default behaviour and is the primary intention of this
change: verify SSL certificates.
This might break existing configuration/setups where the SSL certificate
used by the NEC PFC driver would not pass the verification.
(cherry picked from commit 264b4a2523)
Using noop driver to disable security group is confusing.
In this commit, we introduce enable_security_group in server side.
Implements bp: security-group-config-cleanup
A backend OpenFlow controller nec plugin talks to can return
503 response with retry-after header when it is busy.
It is better to honor retry-after header to avoid unnecessary
user-visible errors due to temporary busy condition.
Add temporary solution in order to support multiple physical networks
by mlnx ML2 MechanismDriver.
Due to non merged patches in nova that should support propagating
physical_network retrieved from port binding:profile attribute
to VIF/Network object.
The code will be removed once relevant nova patches are merged.
The code is disabled by default and should be enabled via
ml2_conf_mlnx.ini config file.
Multiple plugins under metaplugin become 'q-plugin' topic
consumers and a request from an agent is handled by one of
them randomly. Fortunatly most of RPC callbacks are common
for plugins but a problem occurs if an RPC is not supported
by the received plugin.
This is one of risks when using metaplugin. Fundamental fix
of this problem (such as RPC delegation handling of metaplugin)
is difficult since each plugin needs to modify.
But when only one plugin has plugin specific RPCs and other
RPCs are independet of plugins, if the plugin can be selected
for RPC handling, the problem does not happen. Typical use
case of metaplugin such as combination of an agent-based
plugin and a controller-based plugin often applies to this
This patch adds 'rpc_flavor' configuration parameter to
select an RPC handling plugin. If 'rpc_flavor' is specified,
only the specified plugin becomes 'q-plugin' topic consumer.
If 'rpc_flavor' is not specified, the behavior is same as
This is the device driver for the vendor specific VPNaaS plugin. This
change relies on the service driver code (review 74144), which is also
out for review.
Note: Support for sharing of IKE/IPSec policies (which is currently
prevented by the service driver code), will be done as a later
Note: Needs Tempest tests updated/created to test this.
Note: To run, this needs an out-of-band Cisco CSR installed and
Note: This uses a newer version of requests library and a new httmock
library. Until these are approved (75296), the UT will be
renamed to prevent testing the REST client API to the CSR.
Paritally-Implements: blueprint vpnaas-cisco-driver
The replication mode on switches and routers should have been configurable
to use source replication if one did not want to deploy service node(s).
This patch fixes that by making this option configurable.
One Convergence Neutron Plugin implements Neutron API to provide a network
virtualization solution. The plugin works with One Convergence NVSD controller
to provide the functionality. This checkin implements the Neutron core APIs
and the plugin will be extended to support the L3 and service plugin extension
Implements: blueprint oc-nvsd-neutron-plugin
This patch adds the option to use SSL certificate
validation on the backend controller using SSH-style
sticky authentication, individual trusted
certificates, and/or certificate authorities.
Also adds caching of connections to deal with
increased overhead of TLS/SSL handshake.
Default is now sticky-style enforcement.
Implements: blueprint bsn-certificate-enforcement
If the controller supports it, pass a hash to the
controller indicating the expected state that a
REST transaction is updating. If the state is
inconsistent, the controller will return an error
indicating a conflict and the plugin/driver will
trigger a full synchronization.
For controllers that don't support the consistency
hash, trigger a full background synchronization
if the plugin tries to create a port and receives
a 404 error due to the parent network not existing.
Implements: blueprint bsn-auto-resync
This commit adds support for OpenDaylight as an ML2 MechanismDriver. The
ODL MechanismDriver does not need an agent since ODL itself handles
programming bridges, tunnels, and ports on the host.
Implements bp ml2-opendaylight-mechanism-driver
This patch bumps the state_sync_interval from 120 seconds to 10 seconds
so that resource's operation status are synced to the db quicker. This cuts
the amount of time that tempest takes to run by half.
Co-Authored-By: Salvatore Orlando <firstname.lastname@example.org>
This commit adds support for currently provided Mellanox Plugin
embedded switch functionality as part of the VPI (Ethernet/InfiniBand)
HCA as an ML2 MechanismDriver.
MechanismDriver adds support for VNIC_DIRECT and VNIC_MACVTAP vnic types.
MechanismDriver provides configurable default vif_type for neutron port created
with default VNIC_NORMAL vnic type till nova api support for vnic_type is available.
Implements blueprint mlnx-ml2-support
This adds ML2 mechanism driver controlling OpenFlow switches
and an agent using Ryu as OpenFlow Python library.
- An agent acts as an OpenFlow controller on each compute nodes.
- OpenFlow 1.3 (vendor agnostic unlike OVS extensions).
Implements: blueprint ryu-ml2-driver
Makes rest calls for port creation an async
operation so create_port calls immediately
return in a BUILD state.
Implements: blueprint bsn-port-async
Adds a BigSwitch Agent responsible for supporting
neutron security groups on the compute node. Adds
the mixin classes to the plugin to support the
security group calls.
Implements: blueprint bsn-neutron-sec-groups
It adds a new plugin for SDN-VE, the IBM SDN
controller. The plugin supports the core API
and the port binding and L3 extensions.
Implements: blueprint ibm-sdn-ve-plugin
This patch changes tenant network type usage for InfiniBand Fabric
to vlan type. Add the indication of Fabric Type (Ethernet/InfiniBand)
to the provider_network via the plugin configuration file.
If physical network type is not specified for some provider network
listed in the network_vlan_ranges, use default physical network type.
Co-authored-by: Roey Chen <email@example.com>
"l3_plugin_list" configuration parameter of the metaplugin is permitted
If "l3_plugin_list" is blank, router extension and extensions which extend
the router extension don't be included in "supported-extension-aliases" of
This makes the metaplugin be able to be used with a router service plugin.
Note that if "l3_plugin_list" is not blank, a router service plugin must
not be specified, otherwise the error of the bug report still occurs.
This patch removes some router extension related meaningless codes also.
(e.g. external-net extension belongs to L2 functionality and be handled
by core plugins properly.)
No functionality change. Separates the config,
rest call, and backend server management from
the main plugin.py file. Necessary to make
downstream patches more managable and easier
Implements: blueprint bigswitch-separate-server-module
The "Sample Configurations" section of ovs_neutron_plugin.ini
has uppercased section headers. In Havana the section headers
were normalized to lowercase, but the sample configs were never
This is feature patch (3 of 3) that introduces support for
transitioning existing NSX-based deployments from the agent
based model of providing dhcp and metadata proxy services
to the new agentless based mode. In 'combined' mode, existing
networks will still be served by the existing infrastructure,
whereas new networks will be served by the new infrastructure.
Networks may be migrated to the model using a new CLI tool
provided, called 'neutron-nsx-manage'. Currently the tool
provides two admin-only commands:
neutron-nsx-manage net-report <net-id-or-name>
This will check that the network can be migrated and returns
the resources currently in use. And:
neutron-nsx-manage net-migrate <net-id-or-name>
This will move the network over the new model and deallocate
resources from the agent. Once a network has been migrated
there is no turning back.
It looks like sdist does not support symlinks, therefore
letting nvp.ini point to nsx.ini is not a good solution.
Since nvp.ini is going away, leave a copy for now, but
add a warning so that users are aware of the switch,
whilst preserving full backward-compatibility.
- Every config item prefixed with nvp is prefixed with nsx
- deprecation qualifiers are added to preserve bw compatibility
- nicira/nvp.ini is renamed to vmware/nsx.ini
- symlink nicira/nvp.ini is created to point to vmware/nsx.ini
- UT added to verify that nvp.ini and old config items can still
parsed correctly; bw-compat will be dropped in Juno
Partial-implements blueprint nicira-plugin-renaming
This is a feature patch (2 of 3) that adds support for
Metadata services provided by the NSX (aka NVP) platform.
It also implements the handling of port events so that
dhcp and metadata configuration in NSX/NVP is updated
if port attributes such as fixed_ips and device_id are
Partial-implements blueprint nsx-integrated-services
As root_helper is defined in neutron.conf, root_helper in plugin ini
is unnecessary and brings confusion when configuring the parameter.
This patch updates plugin ini of NEC plugin and Brocade plugin.