Enforcement point was modified to hold a single connection.
In addition, to avoid requirements conflict, modify devstack
scripts to work against stable/ocata branch of vmware-nsxlib.
Change-Id: I4b889851d1aa0e142e5b95a696ccaa60fa4a8448
This introduces a driver for VMware NSX Policy.
The driver assumes nsx_v3 core plugin.
It implements direct configuration of NSX Policy endpoint for security
and inherits connectivity functionality from resource mapping driver.
On startup, the driver will configure the NSX Policy enforcement point to be
the NSX manager the core plugin is running against.
The driver implements the following resource mapping:
OpenStack project => NSX Policy domain
GBP group => NSX Policy group + communication maps
GBP classifier => NSX Policy service
GBP rule set => NSX Policy communication profile
Change-Id: I0d5593b458f7e51c21fc2b34d1ab4d898abb6c51
The length of the ip_pool parameter in L3 policies is limited,
and needs to be increased in order to support multiple prefixes,
as well as prefixes from all address families (v4 and v6).
Change-Id: I9dc03ac4275e0f269746011a075bf3b78e0d5233
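The commit above widens ip_pool so that an L3 policy can carry several prefixes from both address families. The following is an added example, not code from the group-based-policy project, of how such a multi-prefix ip_pool value can be parsed and validated before it is stored: it splits the comma-separated value, checks each prefix with the standard ipaddress module, rejects prefixes with host bits set and prefixes that overlap within the same family, and reports which families are present. The names (parse_ip_pool, ip_pool_families, check_ip_pool, IpPoolError) and the 255-character limit are assumptions made for the example.

```python
import ipaddress

# Constructed assumption: the widened ip_pool column accepts this many chars.
IP_POOL_MAX_LEN = 255


class IpPoolError(ValueError):
    """Raised when an ip_pool value is malformed or inconsistent."""


def parse_ip_pool(ip_pool, max_len=IP_POOL_MAX_LEN):
    """Parse a comma-separated ip_pool into {4: [...], 6: [...]} of
    ipaddress network objects, rejecting junk, host bits, duplicates
    and overlapping prefixes within the same address family."""
    if len(ip_pool) > max_len:
        raise IpPoolError("ip_pool exceeds %d characters" % max_len)
    pools = {4: [], 6: []}
    for token in ip_pool.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            # strict=True rejects values such as 10.0.0.1/24 (host bits set)
            net = ipaddress.ip_network(token, strict=True)
        except ValueError as exc:
            raise IpPoolError("invalid prefix %r: %s" % (token, exc)) from exc
        # Overlap is only meaningful within one family; duplicates overlap too.
        for other in pools[net.version]:
            if other.overlaps(net):
                raise IpPoolError("prefix %s overlaps %s" % (net, other))
        pools[net.version].append(net)
    if not pools[4] and not pools[6]:
        raise IpPoolError("ip_pool contains no prefixes")
    return pools


def ip_pool_families(ip_pool):
    """Return the address families present, e.g. (4, 6) for a dual-stack pool."""
    pools = parse_ip_pool(ip_pool)
    return tuple(v for v in (4, 6) if pools[v])


def check_ip_pool(ip_pool):
    """Return None if ip_pool is acceptable, otherwise the rejection reason."""
    try:
        parse_ip_pool(ip_pool)
    except IpPoolError as exc:
        return str(exc)
    return None
```

The overlap check is the part worth keeping in any real validator: two pools that overlap inside one family would hand out the same addresses twice, whereas a v4 and a v6 prefix can never collide and are deliberately not compared.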
This patch updates the setup for the various devstack gate jobs
to make them functional for Ocata, and thus also validates
the parent Ocata sync patch.
Note that the NFP job still needs to be updated and has been
disabled in this patch. It can be re-enabled whenever it is
updated in a followup patch.
Change-Id: I7cd5667fcc86577eb33c0233991cbb687c0ce8c9
* use neutron_lib.directory for plugin retrieval
* switch to neutron_lib for neutron constants, exceptions,
extensions
* add neutron.plugins.ml2.ovo_rpc to OUT_OF_PROCESS_NOTIFICATIONS:
neutron added ovo rpc callback mechanism for ovo objects, and aim
notification manager needs to recognize those as out of process.
Since neutron moved away from get_session API to get_reader_session
and get_writer_session, override for these was added.
Few bugs were fixed in the delayed notification area as well.
* new engine facade: make use of reader and writer to grab db engine
* remove _update_fip_assoc override (didn't find a reason for the
override)
* aim driver: a fix in update_subnetpool_precommit - not to assume
address_scope_id field is returned from neutron update call if it
was not updated.
* extend_XXX_dict call was switched to receive ovo instead of db
object. As a result, foreign keys are not part of the object
anymore, and need to be retrieved from db.
* remove_router_interface - receive port dictionary rather than port
object
* fix patched neutron functions to receive correct parameter types
(like patched_get_locked_port_and_binding)
* use add_agent_status_check_worker instead of add_agent_status_check
* advertise_mtu configuration parameter was removed from neutron. It
is used in aim driver, hence added to aim driver config.
* use of project_id instead of tenant_id where required
* use segments_db module for network segments
* test_aim_mapping_driver: the test used to override uuid generation
in order to get predictable uuid results. New neutron code makes
use of python uuid module where overrides are complicated. It was
easier to remove all uuid-based values from dictionaries under test
* add filters parameter to get_address_scopes calls, otherwise the
call fails (probably should be fixed in neutron)
* in routing tests, remove the assumption that routes are returned in
specific order
Change-Id: I1943fd4196ea6199d825ae53f0e9f5b54d54a260
The standard-attr-description extension isn't being honored during
floatingip update operations, due to the fact that the upstream neutron
code has been monkey-patched by GBP. This change set fixes the GBP
monkey-patch to properly support the standard-attr-description extension.
Change-Id: I874052879d3a51545a5b47cc362071d3f3e031d0
Closes-Bug: 1702073
Following are the NFP side changes to support async operations.
1. Added get_status api in nfp_node_driver to update operational
state of servicechain node.
2. Using queue notifications to send rpc to orchestrator.
3. Extended ncp_node_instance_network_function_mappings table to
have status and status_details of a network_function.
Change-Id: I5375066fb640d53c6bc5f0a7cf65902faa221519
Co-Authored-By: Ashutosh Mishra <mca.ashu4@gmail.com>
Closes-Bug: 1671077
This adds support to the AIM mapping driver, by invoking
postcommit calls in precommit.
Change-Id: I8ce3a86ca6b46a029eb68daa85b3184692b91189
Closes-Bug: 1672674
Modified ncp plugin to support status retrieval of servicechain resources.
Updating chain mapping driver to compute status of group based on its associated
servicechain.
Closes-Bug: 1668174
Change-Id: I1841c0c04012cb3d58d152a6f4bdd348d3d701dd
The APIC mapping policy driver was deprecated in mitaka and
replaced with the AIM mapping driver. This patch removes the
APIC mapping driver, starting with the ocata release.
Change-Id: I5f33cd2c0e06cf45e092e74e664809475904c047
This plugin is subsumed by the Node Composition plugin
starting in the liberty cycle.
Switching to the NCP as default invalidated some UTs (since
NCP does not support more than one service_chain_spec
per service_chain_instance). These tests are being skipped.
Change-Id: I03383145eaa72681695e12649f731ba1a6b8bad8
In concurrent execution cases a failure can occur in the Neutron
IPAM component due to failure to obtain a lock. In such cases
the IPAM component raises a retry exception which should not
be eaten, but relayed as is so that the operation can be retried.
This patch checks if the exception raised during a subnet allocation
from a subnetpool fails due to a retry exception, and if so, raises
it as is to facilitate a retry.
Change-Id: I381cdf533b27d710f68903f0cfb516043b4607d6
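The failure mode in the commit above is a generic one: a broad except clause wraps a retriable exception in a non-retriable one, so the retry decorator further up the stack never sees it. The following is an added example, not code from group-based-policy or Neutron, that shows the swallowing version beside the relaying version under a constructed retry decorator and a constructed IPAM that loses the lock race a configurable number of times. RetryRequest, SubnetAllocationError, retry_on_request, FlakyIpam and run are all names invented for the example; the real Neutron machinery is oslo_db's RetryRequest and Neutron's retry_db_errors, which the example only stands in for.

```python
import functools


class RetryRequest(Exception):
    """Constructed stand-in for the retriable exception Neutron IPAM raises
    when it cannot obtain its allocation lock."""


class SubnetAllocationError(Exception):
    """Constructed error that wraps genuine (non-retriable) IPAM failures."""


def retry_on_request(max_attempts=3):
    """Constructed stand-in for Neutron's retry decorator: re-run the wrapped
    call as long as it raises RetryRequest, up to max_attempts times."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            attempt = 0
            while True:
                attempt += 1
                try:
                    return func(*args, **kwargs)
                except RetryRequest:
                    if attempt >= max_attempts:
                        raise
        return wrapper
    return decorator


def allocate_subnet_swallowing(ipam_call):
    """Before the fix: every failure is wrapped, so RetryRequest never reaches
    the retry decorator and a transient lock miss fails the operation."""
    try:
        return ipam_call()
    except Exception as exc:
        raise SubnetAllocationError(str(exc)) from exc


def allocate_subnet(ipam_call):
    """After the fix: relay RetryRequest unchanged, wrap everything else."""
    try:
        return ipam_call()
    except RetryRequest:
        raise                      # let the retry decorator do its job
    except Exception as exc:
        raise SubnetAllocationError(str(exc)) from exc


class FlakyIpam:
    """Constructed IPAM: the first `failures` calls lose the lock race."""

    def __init__(self, failures):
        self.failures = failures
        self.calls = 0

    def allocate(self):
        self.calls += 1
        if self.calls <= self.failures:
            raise RetryRequest("could not obtain IPAM lock")
        return "10.0.%d.0/24" % self.calls


def run(allocator, failures, max_attempts=3):
    """Drive one allocator through the retry decorator; return the outcome
    as (status, detail, number_of_ipam_calls)."""
    ipam = FlakyIpam(failures)

    @retry_on_request(max_attempts)
    def op():
        return allocator(ipam.allocate)

    try:
        return ("ok", op(), ipam.calls)
    except (RetryRequest, SubnetAllocationError) as exc:
        return ("error", type(exc).__name__, ipam.calls)
```

Note that the relaying version still surfaces RetryRequest itself once the retry budget is exhausted; that is the intended behaviour, since the caller's own retry layer (or the API client) is the right place to decide what to do with a persistently contended lock.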
The implicit policy created for the auto-PTG does not allow traffic
for IPv6. This prevents IPv6 traffic from flowing between PTs in the
auto-PTG and user-created PTGs, which includes things like ICMPv6,
DHCPv6, and IPv6 DNS and HTTP traffic between the DHCP server and PTs.
Change-Id: I28fe713e24744e36e2912d7f5d830b64a658f8bd
Closes-Bug: 1696438
Pass create_if_absent=False to AIM's get_status() to hopefully reduce
transaction retries due to DBDuplicateEntry exceptions. This required
unpinning the version of AIM used, as well as a couple of fixes in the
AIM repo.
Change the RPC handlers to use Neutron's retry_db_errors decorator
rather than its own, so that DBDuplicateEntry exceptions are retried.
Avoid logging at error level when processing retriable exceptions.
Change-Id: I53740eea3cb7cacafceae589deec3b573ef6a68a
In certain cases of concurrent operations we are seeing an error
which suggests that a rolled back transaction is being reused. On debugging
it has been observed that the error manifests when the code path
executes the queries that are using with_lockmode in a couple of
places in the ml2 plugin component. Removing the with_lockmode usage
seems to prevent this issue and does not seem to be affecting the
correctness of behavior even in concurrent execution situations.
This patch removes the use of the with_lockmode in the identified place
when the ml2plus plugin is configured.
Change-Id: If65c238cbf49a9cfd2546ca26d37ee721f6f986c
A previous commit (https://review.openstack.org/#/c/450309/) added DB
tables mapping Neutron resource identities to APIC resource
identities, but did not include a data migration. This patch populates
the new tables during the DB migration with the APIC resource
identities for existing Neutron resources, using information from both
the Neutron and AIM DB tables.
Mechanism driver code that had been kept around in case it was needed
for the migration is also cleaned up.
Change-Id: Ia8a74b9c2289060234716ce89fb4b7b3d1c29596
This adds dual-stack support for L3 Policy. It leverages
the existing parameters for subnetpools and address scopes,
and adds behaviors to support the implicit workflow.
Change-Id: Idedbb3d08b09e76abdba6d1aba0f62ba53a19a99
partially-implements: blueprint address-scope-mapping
The oslo_db code catches the pymysql SAVEPOINT exception, logs it at error level,
and then raises it as an oslo_db exception, due to which the operation
is retried. As such, the ERROR level logging of the pymysql exception is a
bit misleading. This patch works around it by patching the oslo_db module
to log at debug level instead of error level.
Change-Id: If8afe36706f5d07d7ab9b840c877854b8ed11c42
We retry on this exception, hence the ERROR level of this exception
in the logs is misleading. Reducing it to info level.
Change-Id: I8e97b0aadfbc01bde6625ed86abe85c35bb3dec5
As part of ocata sync effort, stop using PLURALS defined in neutron,
as it was removed by Ifdf29b8fc4c824c0ee840c4f51593a5aa8a22127.
Use locally defined dictionary instead.
Change-Id: I763e6036177b57c0bc8ef7311b9c8bbbcefbe634
Add DB tables mapping Neutron resource identities to APIC resource
identities. This reduces the amount of DB querying, and helps unify
the handling of pre-existing APIC resources with those fully
orchestrated by the apic_aim drivers.
Currently, the mappings of address scopes and networks are
persisted. Persisting the relationship between routers and VRFs will
be considered later.
Note that since this patch will be back-ported to stable/newton and
the QoS feature will not, this patch's DB migration is sequenced
before the QoS DB migration.
Change-Id: Ie06281dde965d349d7fa1035f14124b35d60d85c
Allow subnets with different address scopes, as well as unscoped
subnets, to be attached as interfaces to the same router. Note that no
East/West routing is provided between differently scoped interfaces of
a router, but East/West routing is provided within each scope and
North/South routing is provided between each scope and the router's
gateway.
Routed IPv4 and IPv6 subnets on the same network currently either must
both be unscoped or each must be associated with isomorphic address
scopes (referencing the same VRF). Adding a subnet to a router results
in a NonIsomorphicNetworkRoutingUnsupported exception if this
constraint would be violated. Eventually, use of identity NAT to move
IPv6 traffic from the network's IPv4 VRF to its IPv6 VRF will allow
this constraint to be removed or relaxed.
A flag in interface_info is added for GBP to override network routing
topology validation when adding router interfaces. This should not be
used for any other purpose, and will eventually be removed without
warning.
External connectivity for routers associated with multiple VRFs will
require some follow-on work to correctly handle all cases.
Change-Id: Idbbd4400e570654937c2bee4577422a91224430e
This patch facilitates migrating a deployment which had l3_policies prior to the
aim_mapping policy driver moving to per-l3p implicit AIM contracts (see commit:
f50db6f1ce)
The following configuration:
[aim_mapping]
create_per_l3p_implicit_contracts=True
controls if the migration step is performed. This configuration is set to True by default
and hence the migration step is always performed at the time of the initialization of the
aim_mapping driver. For l3_policies which already have associated implicit contracts,
this step is a no-op.
The migration step can be turned off by setting the above configuration to False.
A Neutron server restart is required for the config change to take effect.
Since this migration option is only for migrating newton or prior deployments, it
will be removed in the O release.
Change-Id: I7e5f793bdf3618655600898feba64aac7c099239
In the following commit:
456e169f46
we updated ml2plus plugin to subscribe for subnet delete events. The
handlers for these event notifications had been added in stable/newton.
However, Red Hat OSP distro has not yet picked up these changes in
stable/newton, and hence the ml2plus plugin initialization fails (since
the event handlers are not found).
This patch allows ml2plus initialization to proceed if the event handlers
are not present. It is expected that nothing else will break by skipping
the subscription of these events.
Change-Id: Idd76eb4e5d2d66f8d05e1da8ba89ba40d16a5bb2
1. only associate the domain with the EPG when a port is created on
a host that belongs to this domain.
2. also dis-associate the domain when the last port among all the hosts
under this domain is deleted.
3. User has to use:
'aimctl manager host-domain-mapping-create <host_name>
--vmm_domain_name=<vmm_dom> --physical_domain_name=<phys_dom>'
to create the host -> domain mapping.
Change-Id: Ie0882117b75ada3c2f32770adc7bc147a61dfd14
The implicit AIM contracts were earlier being created
per tenant (lazily created when the first l2p is created)
and used by the default_epg and all other epgs created by
a consequence of the user actions. As we move towards a model
of supporting multiple l3ps in the same AIM VRF, we will
need per-l3p contracts to enforce isolation between l3ps. This
patch is the first step in that direction where the per-tenant
implicit contracts are now created per-l3p. Contracts are created
when l3p is created and deleted when l3p is deleted.
This patch also fixes the problem of implicit contracts not
being cleaned up when the last two l2ps in a tenant were being
deleted concurrently.
Existing AIM deployments might need to be migrated to this new model.
Migration strategies would differ per deployment but might at least
require running a script that creates the implicit contracts per
existing l3ps.
Change-Id: I7f18c672db5ffcec9ce445bc1a32d508a685c9c6
Allow a single IPv4 address scope and a single IPv6 address scope to
reference the same VRF, which may be pre-existing or mapped from one
of the address scopes.
Change-Id: Ibe5288a3a6d5032e4c0ac509a0857ce5defafa9c
The aim_mapping policy driver currently leverages a scheme of delaying
dispatching notifications until the outermost transaction, which
initiated the notification, has committed. However, Neutron ML2 plugin
is moving to a model of more in-process notifications, and some of these
changes are being backported to stable/newton as well (see:
4a96b962b5).
These in-process notifications need not be delayed, and in fact they
should be dispatched and processed immediately, and within the scope
of the transaction.
This patch attempts to identify the notifications that need to be dispatched
immediately versus those that need to be delayed based on the module
names of the notification handlers. The currently known list of agent and
registry notification handlers (used by the aim_mapping driver) is captured
in the OUT_OF_PROCESS_NOTIFICATIONS list in:
gbpservice/network/neutronv2/local_api.py
If a notification handler does not belong to the above list, it is dispatched
immediately.
As and when additional notification handlers are identified for which the
notification needs to be queued for delayed dispatch, they should be added to
the above OUT_OF_PROCESS_NOTIFICATIONS list.
Change-Id: Ib5beb9c8056463c875c775ad19d2d3cbee3430dd
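The mechanism described in the commit above (and referenced again by the ovo_rpc entry in the Ocata sync commit earlier on this page) is a dispatcher that classifies each handler by its module name: handlers whose module is on an out-of-process list are queued until the outermost transaction commits, everything else runs immediately inside the transaction. The following is an added example, not group-based-policy's local_api.py, that implements that scheme with a nesting-depth counter and a commit/rollback-aware context manager. OUT_OF_PROCESS_NOTIFICATIONS here is a constructed list, DelayedNotificationManager and run_demo are invented names, and the handler's __module__ is set by hand to simulate a handler living in neutron.plugins.ml2.ovo_rpc.

```python
import contextlib

# Constructed list: handler modules whose notifications must wait for the
# outermost transaction to commit (GBP keeps the real list in local_api.py).
OUT_OF_PROCESS_NOTIFICATIONS = (
    "neutron.plugins.ml2.ovo_rpc",
    "neutron.notifiers.nova",
)


def is_out_of_process(handler):
    """Classify a handler by the module it was defined in."""
    module = getattr(handler, "__module__", None) or ""
    return any(module == p or module.startswith(p + ".")
               for p in OUT_OF_PROCESS_NOTIFICATIONS)


class DelayedNotificationManager:
    """Dispatch in-process handlers at once; queue the rest until commit."""

    def __init__(self):
        self._depth = 0          # nesting level of open transactions
        self._pending = []       # (handler, event) tuples awaiting commit
        self.log = []            # constructed trace of what ran, and when

    @contextlib.contextmanager
    def transaction(self):
        self._depth += 1
        try:
            yield
            if self._depth == 1:          # outermost transaction committed
                self.log.append("commit")
                self._flush()
        except BaseException:
            if self._depth == 1:          # outermost transaction rolled back
                self.log.append("rollback")
                self._pending.clear()     # never notify about undone work
            raise
        finally:
            self._depth -= 1

    def notify(self, handler, event):
        if self._depth > 0 and is_out_of_process(handler):
            self._pending.append((handler, event))
        else:
            handler(event)                # in-process: run within the transaction

    def _flush(self):
        pending, self._pending = self._pending, []
        for handler, event in pending:
            handler(event)


def run_demo(fail=False):
    """Constructed scenario: one out-of-process and one in-process handler
    notified inside nested transactions; returns the order of events."""
    mgr = DelayedNotificationManager()

    def in_process(event):
        mgr.log.append("in-process:" + event)

    def out_of_process(event):
        mgr.log.append("out-of-process:" + event)

    # Constructed: pretend this handler lives in neutron's OVO RPC module.
    out_of_process.__module__ = "neutron.plugins.ml2.ovo_rpc"

    try:
        with mgr.transaction():
            mgr.notify(out_of_process, "port.create")
            with mgr.transaction():               # nested: still not committed
                mgr.notify(in_process, "port.create")
            mgr.log.append("outer work done")
            if fail:
                raise RuntimeError("constructed failure")
    except RuntimeError:
        pass
    return mgr.log
```

The rollback branch is the part that matters operationally: an out-of-process notification that escaped before the transaction was undone would tell agents or external systems about state that never existed, so the queue is discarded rather than flushed when the outermost transaction fails.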
Reading the correct option names from the keystone_authtoken group for authentication.
Change-Id: If3d05592b67f9e75f34f14864e564084c991b9e7
Closes-Bug: 1678732