Add support for wallaby.
Below were the extra changes needed to support
the wallaby branch:
1. Add new attribute 'remote_address_group_id'
for the security group resource.
2. Handle new standard_attr_id argument for resources.
3. Fix kwargs passed to the alembic migrations
create_foreign_key and create_primary_key.
4. Change CONTEXT_WRITER to CONTEXT_READER in the
get_subnets function.
Change-Id: I3835df151cad2f7ca52afcb701de2bc508c90014
Add support for stable victoria. Changes include:
* https://review.opendev.org/#/c/716049/ switched to unittest for mock
Change-Id: I053657f535d985205ae9d3548291ec1d1409cb74
Add support for the ussuri stable branch.
* Removed use of services in devstack (e.g. FWaaS and LBaas), which
were only used by the deprecated legacy plugin.
* https://review.opendev.org/#/c/572767/ changed the return
value of _get_security_groups_on_port from a list of security
group IDs to a list of security group OVOs. The monkey patch
of this method has been updated to be consistent with this
upstream change.
* https://review.opendev.org/#/c/703143/ removed the upstream
get_binding_levels, which is replaced by the corresponding
OVO call, get_binding_level_objs.
* https://review.opendev.org/#/c/709122/ broke the __repr__
method in the AddressScope model class. This patch works
around this by using the dictionary representation instead.
* https://review.opendev.org/#/c/679399/ made the MTU field
of networks non-nullable, and sets it to a constant if not
set explicitly. This broke GBP APIs which create networks
as part of their implementation. This patch adds a monkey
patch to pass in a value of 0, if one wasn't specified.
* Fixed alias uncovered by PEP8 checks.
Change-Id: I219bc9a5c2034499e59788ab11ef0ae310e97e1e
Import stable/stein rather than stable/rocky branches of upstream
and ACI-specific repositories.
Changes include:
* https://review.opendev.org/#/c/634790/ removed the rpc module
from neutron.common, which was rehomed to neutron-lib.
* https://review.opendev.org/#/c/634497/ removed the exceptions
module from neutron.common, which was rehomed to neutron-lib.
* https://review.opendev.org/#/c/581377/ removed exercises from the
devstack gate. The shell scripts that ran the tests from the
devstack exercises are now called directly.
* https://review.opendev.org/#/c/619087/ removed the common_db_mixin
from the FlowClassifierDbPlugin, replacing it with the use of a
method in neutron-lib.
* https://review.opendev.org/#/c/595369/ removed _setUpExtension,
replacing it with the setup_extension method.
* https://review.opendev.org/#/c/623415/ added validation to host
route CIDRs. The metadata CIDRs have been corrected to pass
this new validation.
* https://review.opendev.org/#/c/615486/ added a call to get a
nova client, and https://review.opendev.org/#/c/368631/ was
added to ensure it was a singleton. These are now used to get
a notifier for nova.
* https://review.opendev.org/#/c/628033/ removed the use of the
_resource_extend module, which has been moved to neutron-lib.
* https://review.opendev.org/#/c/585037/ converted policy.json
to policy in code. This resulted in better policy enforcement,
and flagged problems with existing UTs, mainly in the use of
shared resources (requires admin privileges). These UTs have
been fixed.
Change-Id: Ia7bd0799a814e38ff37b7ff062fa1eae7928991c
Import stable/rocky rather than stable/queens branches of upstream
and ACI-specific repositories. Changes needed for compatability
with stable/rocky that were also compatible with stable/queens were
made in previous patches, so only rocky-specific changes are included
here.
Change-Id: If533a955fb4bc23d6e4081a43df7018b1b36a0ba
Enhance compatabilty with newer Neutron branches while maintaining
compatability with stable/queens Neutron, and improve the build/test
process. Highlights include:
* Eliminate unneeded requirements and test-requirements, and update
remaining ones to match upstream stable/queens Neutron.
* Use pip directly instead of the tox_install.sh script to install
dependencies, as is done on newer upstream branches.
* Use stestr directly instead of ostestr to run UTs, as is done in newer
upstream branches.
* Specify basepython as python2.7 for pep8, cover, functional and
dsvm-functional jobs, in case a python3 version of tox is used.
* Fix pep8 issues that result in failures with the versions of hacking
and flake8 used by Neutron's stable/rocky through stable/train
branches. These changes are not necessary with the hacking and
flake8 versions used in stable/queens, but we want to minimize code
differences across our currently supported stable branches.
* Enable flake8-import-order and fix all the pep8 issues that it
uncovered, particularly with order and grouping of import
statements.
* Update pep8 configuration in tox.ini to more closely match upstream
Neutron, and fix resulting issues. Remaining ignored checks that
should be fixed but haven't been are marked with REVISIT in tox.ini.
* Update devstack scripts with proper branches and repository URLs.
Change-Id: I538b8c95c61a09d834be4b7c28a3becf2f3e6a50
This is a mechanically generated change to replace openstack.org
git:// URLs with https:// equivalents.
This is in aid of a planned future move of the git hosting
infrastructure to a self-hosted instance of gitea (https://gitea.io),
which does not support the git wire protocol at this stage.
This update should result in no functional change.
For more information see the thread at
http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003825.html
Change-Id: If9ab6d55cdc50cacc69134a5268861aed9dd7074
Previously, if an external network's AIM L3Outside referenced a VRF
that did not exist, validation would fail with a message that an
exception occurred, but with no indication of what caused the
problem. Now, the backtrace is logged when an exception is caught, a
specific error is reported if any of the resources needed for the
NetworkMapping DB record are missing, and a very specific error is
reported if the external VRF is missing.
Also, a requirement on acitoolkit is added to test-requirements.txt to
ensure that acitoolkit's noiro-lite branch is used. This is intended
to avoid acitoolkit's master branch's requirement on deepdiff, whose
latest version no longer supports python 2.
Similarly, the configuration files for the
legacy-group-based-policy-dsvm-aim CI job are modified to explicitly
install the noiro-lite branch of acitoolkit.
Change-Id: I7955f8e77633d9662a629c8c0628b128be3ae546
SCREEN_LOGDIR has already been deprecated [1]. We should
remove it.
[1] https://review.openstack.org/#/c/499186
Change-Id: I2922816fb6372e38c121e4287f055087826ae192
The following changes have been made to coordinate with the changes
made in Neutron for Pike:
* Partial use of Neutron context has been completely moved to neutron_lib's
context.
* The patching of neutron.db.api.get_session() has been replaced with
patching of sqlalchemy.orm.session to add the notification_queue attribute.
This significantly reduces the earlier complexity of patching.
* Use of top-level start of transaction in GBP plugins:
with context.session.begin(subtransactions=True):
has been migrated to use of:
with db_api.context_manager.writer.using(context):
or
with db_api.context_manager.reader.using(context)
as relevant.
* Calls to _make_resource_xxx_dict() in GBP plugins have been moved
to inside the transaction.
* The use of:
neutron.callbacks.events
neutron.callbacks.exceptions
neutron.callbacks.registry
to
neutron_lib.callbacks.events
neutron_lib.callbacks.exceptions
neutron_lib.callbacks.registry
* The use of:
neutron.api.v2.attributes.resource_xxx
neutron.extensions.extension_xxx
to:
from neutron_lib.api.definitions.resource_xxx
from neutron_lib.api.definitions.extension_xxx
resp.
* The use of:
neutron.db.db_base_plugin_v2.NeutronDbPluginV2.register_dict_extend_funcs
to:
neutron.db._resource_extend.resource_extend
(the latter is a decorator)
* The use of:
neutron.db.db_base_plugin_v2.NeutronDbPluginV2.register_model_query_hook()
to:
from neutron.db import _model_query as model_query.register_hook()
* The use of:
neutron.db.segments_db.NetworkSegment
to:
neutron.db.models.segment.NetworkSegment
* In the case of Neutron ml2plus plugin (used by APIC/AIM solution),
the use of get_admin_context() has been patched to return elevated
version of the current context in use. This helps to preserve the session
and transaction semantics. Ideally, context.elevated() would have been
directly used in all these places, however the current context is not
available in these places, and hence getting the current context and elevating
it is wrapped in the get_admin_context() patched method.
* In the case of the components used by the APIC/AIM solution (including
the ml2plus and l3_plugin) the use of:
with context.session.begin(subtransactions=True):
to
with db_api.context_manager.writer.using(context):
or
with db_api.context_manager.reader.using(context):
as relevant.
* Patching of methods from Neutron which is no longer relevant have been
removed from gbpservice.neutron.extensions.patch module.
* Setting up of UTs has been fixed to load and reset configurations
appropriately. This helps to eleminate some failures when tests are
run in non-deterministic orders.
* In tree devstack plugin has been updated (aim repo commit pin needs
to be reverted).
* Gate jobs have been updated as relevant (including fixes to the exercise
scripts and job configurations).
The associated repos, namely, client, UI and automation have also been
updated (the reference to the client's gerrit patch needs to be updated
once the patch has been merged).
Change-Id: I11dd089effbf40cf104afd720dc40a9911dcf28d
1. Allow devstack to auto create public network under nsx
2. Parametrise external route setting for external segment in gbp_fip
Change-Id: I1022184ae6744ffc2713fb06a1e743a2d3a5911c
The legacy plugin was deprecated in stable/newton, and
is removed in ocata. This patch removes the references to
the apic-ml2-driver library, which should only be required
by the legacy driver.
Change-Id: I027edc9b74137cd242fab6243536c8331b42ccda
Enforcement point was modified to hold single connection.
In addition, to avoid requirements conflict, modify devstack
scripts to work against stable/ocata branch of vmware-nsxlib.
Change-Id: I4b889851d1aa0e142e5b95a696ccaa60fa4a8448
This introduces driver for Vmware NSX Policy.
The driver assumes nsx_v3 core plugin.
It implements direct configuration of NSX Policy endpoint for security
and inherits connectivity functionality from resource mapping driver.
On startup, the driver will configure NSX Policy enforcement point to be
the NSX manager core plugin is running against.
The driver implements the following resource mapping:
Openstack project => NSX Policy domain
GBP group = > NSX Policy group + communication maps
GBP classifier => NSX Policy service
GBP rule set => NSX Policy communication profile
Change-Id: I0d5593b458f7e51c21fc2b34d1ab4d898abb6c51
This patch updates the setup for the various devstack gate jobs
to make them functional for Ocata and thus also validates
the parent patch Ocata sync patch.
Note that the NFP job still needs to be updated and has been
disabled in this patch. It can be re-enabled whenever its
updated in a followup patch.
Change-Id: I7cd5667fcc86577eb33c0233991cbb687c0ce8c9
Reading the correct option names from keystone_authtoken group for authentication.
Change-Id: If3d05592b67f9e75f34f14864e564084c991b9e7
Closes-Bug: 1678732
Vyos service day0 configuration installation. Vyos password is
by default 'vyos' after installation. User can still customize
the password in the day0 file before service launch.
Change-Id: I5041f8b8fcfe1e70c3c2b54076d586ca87b54925
Closes-Bug: 1681471
QoS support for PTs inside PTG, as 2 new NSP param types.
The new NSP param types, qos_maxrate and qos_burstrate, map to the
Neutron QoS Policy resource, which then gets associated to a QoS
bandwith limit rule with a certain maximum rate and/or burst rate (in
Kbps) set.
Change-Id: I4a15daf5e0edd76d2d436eac6fdfb6b9f64992b2
Currently lbaasv1 does not support in newton release,
so removing installation changes for lbaasv1.
Change-Id: I6b3bf3df2be6634c596c9084f2dcdec518d0e31e
Co-Authored-By: Ashutosh Mishra <mca.ashu4@gmail.com>
Closes-bug: 1673364
Also updates exercise script which will catch this.
And also fixes an issue due to which the AIM gate job was
running against the master branch of GBP source versus
the branch checked out for this patchset by the infra
job. This is fixed by changing the GBP devstack plugin name
to group-based-policy instead of the earlier name 'gbp'.
This allows the job to use the 'group-based-policy' source
directory cloned by the OpenStack infra job (for the current
patchset) as opposed to cloning into a new 'gbp' directory
from the master. Unfortunately, a lot of special casing
needs to be introduced for configuration of other services
as well. It is not possible to get away from this special
casing to be able to install from the intree devstack plugin
and the GBP master branch is behind the OpenStack master
release.
Closes-bug: 1674024
Change-Id: I5bd3f1c3ecfbedbd24243c2c111472dcff9059a2
Resolved following issues :
1) Added port security extension while configuring neutron for NFP,
2) Corrected polling time calculation in nfp_node_driver,
3) Explicitly making a dhcp request whenever service vm comes up,
4) Corrected svc_management group creation, to use different l3 policy
for gate tests.
Change-Id: I2e88103c174ce864f618c0eb4e0202dcb500a4fa
Closes-Bug: 1663134
This patch fixes the gate-group-based-policy-dsvm-aim-ubuntu-xenial-nv
integration job that exercises the aim_mapping policy driver and
the ml2plus plugin with the apic_mapping mechanism driver.
Other GBP integration jobs patch a devstack installation to run GBP, however
this patch configures the aforementioned job to use the in-tree GBP devstack
plugin. Based on the validation from this patch, the same approach can now be
extended to the other jobs as well and has the advantage of providing the
developer the ability to recreate the devstack setup used in the gate job.
Some variations do exist in the devstack setup on account of the environment
available in the gate job versus that in a developer's setup (for example, the
source repo is already cloned in the gate job and needs to be used), and in
such cases the ENABLE_APIC_AIM_GATE devstack env variable is used to
special case appropriately. Anyone wanting to replicate the exact devstack
gate configuration should set this variable to true in their local.conf
instead of the ENABLE_APIC_AIM variable referred to in the devref document
and which adds more configuration and starts neutron agents. Over time, the
ENABLE_APIC_AIM_GATE configuration will converge with that of the
ENABLE_APIC_AIM and the ENABLE_APIC_AIM_GATE variable will be eliminated.
The eventual goal of this job is to be able to test as much of the GBP/Neutron
workflowsi, and resulting AIM and system configuration, as possible (in spite
of the absence of the backend components). The first step towards that end
is to test the CRUD operations. This is achieved by running a basic GBP exercise
script that is a variant of the one run in the
gate-group-based-policy-dsvm-functional-ubuntu-xenial-nv job (it does not launch
the VMs since it will fail on account of the expected port binding failure).
The gbpfunctest functional test suite that is run against the
gate-group-based-policy-dsvm-functional-ubuntu-xenial-nv is also run in this
job with some minor adjustments to the test suite. The adjustments are mainly
to account for the variation in sharing semantics between the aim_mapping and
resource_mapping drivers (the former has more flexibility that the latter), and
the lack of support for hierarchical PRS in the aim_mapping driver.
All neutron agents are being disabled in this iteration to avoid logs being
inundated with port binding failure messages. A number of options are up for
consideration in terms of how to get the port binding to succeed, and will
be evaluated over time. The appropriate agents will be enabled accordingly.
Change-Id: I528b7fd2e66a0f7ef1bb00c887e5fbf2434cf966
It will check if all external network configuration there.
If it's there installation will create external network,
nat-pool, nsp. Otherwise, installation will skip creation of
external network, nat-pool, nsp.
Change-Id: I821aa7e33cd973ef1390212b17000f77cb17943b
Closes-Bug: 1638854
This changeset contains the changes in devstack installation,
NFP tools, and NFP integration test in gate to support,
(1) single ini file changes.
(2) LBaaS V2 service configuration.
(3) Daemonizing the processes in the controller.
(4) APIC specific configuration in setup script.
(5) NFP controller default user 'ubuntu' changed to 'admin'
Change-Id: Ifdce8d876728e1424a6ca292b262b35f5574a40b
Implements an L3 service plugin, apic_aim_l3, that, in conjunction
with the apic_aim mechanism driver, maps each Neutron router to an AIM
Contract and ContractSubject whose DNs and status are exposed via
extended attributes similar to those on the core Neutron resources. An
"any" Filter and FilterEntry are created per-tenant, and referenced in
this contract, allowing all traffic from EPGs providing and consuming
this contract to be routed.
The add_router_interface and remove_router_interface methods are stubs
that will be implemented in the next patch set. They will manage the
mapping of router interfaces to AIM Subnets, along with having the
default EPGs associated with those interfaces provide and consume the
router's Contract.
The corresponding GBP policy driver's extension is renamed
apic_aim_gbp for consistency with the apic_aim and apic_aim_l3
extensions at the Neutron level, and all extensions are now in the
gbpservice.neutron.extensions module.
The GBP policy driver's unit tests are updated to account for the
Filter and FilterEntry resources created by the mechanism driver.
The apic_aim unit tests wipe the AIM DB in tearDown, and use the
aci_integration_manager branch of the apicapi repo.
The GBP devstack plugin, when ENABLE_APIC_AIM=True, configures neutron
to use the apic_aim_l3 service plugin, and installs the
aci_integration_manager branch of the apicapi repo.
Change-Id: I1b7f0c80e66d55d58c27fe9e4cb461f62aec3c42
Neutron address scopes are mapped to AIM VRFs, with the DN and sync
status available via extended attributes.
Neutron networks are initially created with BDs that have routing
disabled and are associated with a common unrouted VRF.
The AIM display_name attribute has been implemented for the AIM
objects mapped from networks and address scopes.
New unit tests for the Neutron lifecyle operations have been added
that validate the state of AIM objects after each operation. These
also validate the apic:distinguished_name extension
attributes. Redundant unit tests have been eliminated.
Tracking the relationship between address scopes, subnetpools,
subnets, networks and routers is not yet implemented.
The original code mapping Neutron subnets to AIM Subnets has been
removed. A subsequent patch implementing routers will create/delete
AIM Subnets as Neutron subnets are added/deleted as router interfaces.
Neutron address scopes are mapped to AIM VRFs, but these VRFs are not
yet associatied with networks' BDs. This will also be done in a
subsequent patch as Neutron subnets on those networks that are
associated with address scopes are added as router interaces.
An obvious bug in sync_state handling is also fixed, but unit tests to
prevent regressions is still needed. The devstack plugin is also fixed
to include the proxy_group extension driver.
Change-Id: I8fef7809654924d4c3ff50bdf49188faba0684e0
This changeset contains the following changes:
1) Added configure NFP to the setup_nfp script
2) Replaced ssh keypair with nova keypair
3) Installs neutron-lib from python repository
Change-Id: I6d18d8a37e4bc5c1d15f0cb0e895553d64f5b015
Implements: blueprint gbp-network-services-framework
Co-Authored-By: Deepak S <in.live.in@live.in>
This changeset presents the changes for
root login to the controller VM through console.
SSH based root login is disabled.
Change-Id: Icf157a141d8c097b3dddfef4955f112810ec77d9
Implements: blueprint gbp-network-services-framework
This changeset contains the following,
(1) NFP controller image builder tool
This supports both devstack and Redhat RPM installations.
(2) NFP setup script to configure the NFP on RPM installed setup.
Change-Id: I074d713ad94286240fdae1887b0d4acd28f66144
Implements: blueprint gbp-network-services-framework
This changeset contains the following
(1) Changes to the NFP devstack to support configurator
(2) Changes to the NFP diskimage build script to build
configurator disk image
Change-Id: I1717e07b82073945752549c254ed8a39ce7257ff
Implements: blueprint gbp-network-services-framework
Co-Authored-By: Deepak S <in.live.in@live.in>
Co-Authored-By: ashutosh mishra <mca.ashu4@gmail.com>
This adds a AIM specific extension to reflect the APIC DN for
a GBP resource that maps to an AIM resource. This patch implements
this only for the PTG resource.
This also sets the status of the PTG based on the AIM EPG status.
This also updates the devstack setup to include the aim_mapping
GBP policy driver configuration.
Change-Id: I30f5e5e63b3b172eb79c8a9934eb662928d13f6c
This is a very preliminary version of a new APIC mechanism driver
utilizing the ACI Integration Module (AIM) library concurrently being
developed. A corresponding extension driver exposes details regarding
the mapping of the Neutron resources to APIC. These drivers require
the Ml2Plus extended driver APIs.
See the apic-aim-ml2-driver devref for implementation details and for
devstack configuration instructions.
Change-Id: I82df32f0880d6a0d53b305f6c6391fcbea049d1b