-rw-r--r-- | doc/source/contributor/policies/neutron-teams.rst | 3 | ||||
-rw-r--r-- | doc/source/contributor/testing/ci_scenario_jobs.rst | 6 | ||||
-rw-r--r-- | etc/oslo-config-generator/neutron.conf | 1 | ||||
-rw-r--r-- | neutron/agent/ovn/metadata/agent.py | 4 | ||||
-rw-r--r-- | neutron/common/ovn/utils.py | 5 | ||||
-rw-r--r-- | neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py | 5 | ||||
-rw-r--r-- | neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py | 12 | ||||
-rw-r--r-- | neutron/tests/base.py | 3 | ||||
-rw-r--r-- | neutron/tests/functional/agent/test_dhcp_agent.py | 9 | ||||
-rw-r--r-- | neutron/tests/unit/db/test_db_base_plugin_v2.py | 16 | ||||
-rw-r--r-- | releasenotes/notes/bug-2003455-b502cc637427560e.yaml | 19 | ||||
-rw-r--r-- | releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml | 16 | ||||
-rw-r--r-- | zuul.d/tempest-multinode.yaml | 42 |
13 files changed, 113 insertions, 28 deletions
diff --git a/doc/source/contributor/policies/neutron-teams.rst b/doc/source/contributor/policies/neutron-teams.rst index 9d1f823d91..3f63cdd9bd 100644 --- a/doc/source/contributor/policies/neutron-teams.rst +++ b/doc/source/contributor/policies/neutron-teams.rst @@ -75,12 +75,14 @@ The following are the current Neutron Lieutenants. | Area | Lieutenant | IRC nick | +========================+===========================+======================+ | API | Akihiro Motoki | amotoki | +| | Slawomir Kaplonski | slaweq | +------------------------+---------------------------+----------------------+ | DB | Rodolfo Alonso Hernandez | ralonsoh | +------------------------+---------------------------+----------------------+ | Built-In Control Plane | Miguel Lavalle | mlavalle | +------------------------+---------------------------+----------------------+ | Client | Akihiro Motoki | amotoki | +| | Slawomir Kaplonski | slaweq | +------------------------+---------------------------+----------------------+ | Docs | Akihiro Motoki | amotoki | +------------------------+---------------------------+----------------------+ @@ -93,6 +95,7 @@ The following are the current Neutron Lieutenants. | | Yulong Liu | liuyulong | +------------------------+---------------------------+----------------------+ | Testing | Lajos Katona | lajoskatona | +| | Slawomir Kaplonski | slaweq | +------------------------+---------------------------+----------------------+ Some notes on the above: diff --git a/doc/source/contributor/testing/ci_scenario_jobs.rst b/doc/source/contributor/testing/ci_scenario_jobs.rst index fb544d93f9..af81cef608 100644 --- a/doc/source/contributor/testing/ci_scenario_jobs.rst +++ b/doc/source/contributor/testing/ci_scenario_jobs.rst 
@@ -73,9 +73,9 @@ Below is a summary of those jobs. | |(only tests related to | | | | | | | | | | | |Neutron and Nova) | | | | | | | | | | +----------------------------------------------+----------------------------------+-------+------------------+-------------+-----------------+----------+-------+--------+------------+-------------+ - |neutron-ovs-tempest-dvr-ha-multinode-full |tempest.api (without slow tests) | 3 | Ubuntu Jammy | openvswitch | openvswitch | dvr | True | True | True | No | - |(non-voting) |tempest.scenario | | | | | dvr_snat | | | | | - | | | | | | | dvr_snat | | | | | + |neutron-ovs-tempest-dvr-ha-multinode-full |tempest.api (without slow tests) | 3 | Ubuntu Jammy | openvswitch | openvswitch | dvr_snat | True | True | True | No | + |(non-voting) |tempest.scenario | | | | | dvr | | | | | + | | | | | | | dvr | | | | | +----------------------------------------------+----------------------------------+-------+------------------+-------------+-----------------+----------+-------+--------+------------+-------------+ |neutron-ovs-tempest-slow |tempest slow tests | 2 | Ubuntu Jammy | openvswitch | openvswitch | legacy | False | False | True | Yes | +----------------------------------------------+----------------------------------+-------+------------------+-------------+-----------------+----------+-------+--------+------------+-------------+ diff --git a/etc/oslo-config-generator/neutron.conf b/etc/oslo-config-generator/neutron.conf index 6426c24a5f..09191a02da 100644 --- a/etc/oslo-config-generator/neutron.conf +++ b/etc/oslo-config-generator/neutron.conf @@ -27,3 +27,4 @@ namespace = oslo.service.service namespace = oslo.service.sslutils namespace = oslo.service.wsgi namespace = keystonemiddleware.auth_token +namespace = osprofiler diff --git a/neutron/agent/ovn/metadata/agent.py b/neutron/agent/ovn/metadata/agent.py index 7f3aad6af5..0cd9ecb868 100644 --- a/neutron/agent/ovn/metadata/agent.py +++ b/neutron/agent/ovn/metadata/agent.py 
@@ -466,6 +466,10 @@ class MetadataAgent(object): def _get_port_ips(self, port): # Retrieve IPs from the port mac column which is in form # ["<port_mac> <ip1> <ip2> ... <ipN>"] + if not port.mac: + LOG.warning("Port %s MAC column is empty, cannot retrieve IP " + "addresses", port.uuid) + return [] mac_field_attrs = port.mac[0].split() ips = mac_field_attrs[1:] if not ips: diff --git a/neutron/common/ovn/utils.py b/neutron/common/ovn/utils.py index dfd90b73cc..684227d406 100644 --- a/neutron/common/ovn/utils.py +++ b/neutron/common/ovn/utils.py @@ -21,6 +21,7 @@ from neutron_lib.api.definitions import extra_dhcp_opt as edo_ext from neutron_lib.api.definitions import l3 from neutron_lib.api.definitions import port_security as psec from neutron_lib.api.definitions import portbindings +from neutron_lib.api.definitions import provider_net from neutron_lib.api import validators from neutron_lib import constants as const from neutron_lib import context as n_context @@ -635,6 +636,10 @@ def is_gateway_chassis_invalid(chassis_name, gw_chassis, def is_provider_network(network): + return network.get(provider_net.PHYSICAL_NETWORK, False) + + +def is_external_network(network): return network.get(external_net.EXTERNAL, False) diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py index c1870af96c..7e427e272a 100644 --- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py +++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py 
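Review bot: In the neutron/common/ovn/utils.py hunk, `is_provider_network` keeps its name but now tests `provider_net.PHYSICAL_NETWORK` where it used to test `external_net.EXTERNAL`, so any caller this commit does not touch silently changes meaning. The ovn_client.py call sites visible in this diff are switched to `is_external_network`, but callers outside the diff should be audited before merging. Both helpers also return the raw attribute rather than a boolean (presumably the physical network name or None in the provider case), so `return bool(network.get(provider_net.PHYSICAL_NETWORK))` would match the `is_` prefix. A one-line docstring on each, such as `"""Return True if the network has a provider physical network."""` and `"""Return True if the network is flagged router:external."""`, would keep the two predicates from being confused again.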
@@ -725,7 +725,10 @@ class DBInconsistenciesPeriodics(SchemaAwarePeriodicsBase): # Get router ports belonging to VLAN networks vlan_nets = self._ovn_client._plugin.get_networks( context, {pnet.NETWORK_TYPE: [n_const.TYPE_VLAN]}) - vlan_net_ids = [vn['id'] for vn in vlan_nets] + # FIXME(ltomasbo): Once Bugzilla 2162756 is fixed the + # is_provider_network check should be removed + vlan_net_ids = [vn['id'] for vn in vlan_nets + if not utils.is_provider_network(vn)] router_ports = self._ovn_client._plugin.get_ports( context, {'network_id': vlan_net_ids, 'device_owner': n_const.ROUTER_PORT_OWNERS}) diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py index cab0b25937..1aa80f58cb 100644 --- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py +++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py @@ -1252,7 +1252,7 @@ class OVNClient(object): # leak the RAs generated for the tenant networks via the # provider network ipv6_ra_configs['send_periodic'] = 'true' - if is_gw_port and utils.is_provider_network(net): + if is_gw_port and utils.is_external_network(net): ipv6_ra_configs['send_periodic'] = 'false' ipv6_ra_configs['mtu'] = str(net['mtu']) @@ -1578,9 +1578,12 @@ class OVNClient(object): # logical router port is centralized in the chassis hosting the # distributed gateway port. # https://github.com/openvswitch/ovs/commit/85706c34d53d4810f54bec1de662392a3c06a996 + # FIXME(ltomasbo): Once Bugzilla 2162756 is fixed the + # is_provider_network check should be removed if network.get(pnet.NETWORK_TYPE) == const.TYPE_VLAN: options[ovn_const.LRP_OPTIONS_RESIDE_REDIR_CH] = ( - 'false' if ovn_conf.is_ovn_distributed_floating_ip() + 'false' if (ovn_conf.is_ovn_distributed_floating_ip() and + not utils.is_provider_network(network)) else 'true') is_gw_port = const.DEVICE_OWNER_ROUTER_GW == port.get( 
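Review bot: In the maintenance.py hunk the new `if not utils.is_provider_network(vn)` filter runs over a list already restricted to `n_const.TYPE_VLAN` networks; if every VLAN network carries a physical network (which the ML2 VLAN type driver normally ensures, though that is not visible here), `vlan_net_ids` is always empty and the following `get_ports` call is handed an empty `network_id` filter. The same reasoning applies to the `@@ -1578` hunk in ovn_client.py, where the `'false' if (... and not utils.is_provider_network(network)) else 'true'` expression would always yield 'true' inside the VLAN branch. If forcing the centralized path for all VLAN networks is the intended workaround, the FIXME should say so, for example `# NOTE: VLAN networks always have a physical network, so this currently disables the distributed path for them`, and the periodic could return early when `vlan_net_ids` is empty. The enclosing methods start and end outside both hunks.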
@@ -1995,8 +1998,9 @@ class OVNClient(object): for subnet in subnets: self.update_subnet(context, subnet, network, txn) - if utils.is_provider_network(network): - # make sure to use admin context as this is a providernet + if utils.is_external_network(network): + # make sure to use admin context as this is a external + # network self.set_gateway_mtu(n_context.get_admin_context(), network, txn) diff --git a/neutron/tests/base.py b/neutron/tests/base.py index 6640fe245b..92782099f2 100644 --- a/neutron/tests/base.py +++ b/neutron/tests/base.py @@ -279,6 +279,8 @@ class DietTestCase(base.BaseTestCase, metaclass=_CatchTimeoutMetaclass): lib_test_tools.reset_random_seed() + config.register_common_config_options() + def addOnException(self, handler): def safe_handler(*args, **kwargs): @@ -382,7 +384,6 @@ class BaseTestCase(DietTestCase): self.useFixture(lockutils.ExternalLockFixture()) self.useFixture(fixture.APIDefinitionFixture()) - config.register_common_config_options() cfg.CONF.set_override('state_path', self.get_default_temp_dir().path) self.addCleanup(CONF.reset) diff --git a/neutron/tests/functional/agent/test_dhcp_agent.py b/neutron/tests/functional/agent/test_dhcp_agent.py index 0327919f66..47f38115e3 100644 --- a/neutron/tests/functional/agent/test_dhcp_agent.py +++ b/neutron/tests/functional/agent/test_dhcp_agent.py @@ -77,8 +77,9 @@ class DHCPAgentOVSTestFramework(base.BaseSudoTestCase): 'interface_driver', 'neutron.agent.linux.interface.OVSInterfaceDriver') self.conf.set_override('report_interval', 0, 'AGENT') - br_int = self.useFixture(net_helpers.OVSBridgeFixture()).bridge - self.conf.set_override('integration_bridge', br_int.br_name, 'OVS') + self.br_int = self.useFixture(net_helpers.OVSBridgeFixture()).bridge + self.conf.set_override('integration_bridge', self.br_int.br_name, + 'OVS') self.mock_plugin_api = mock.patch( 'neutron.agent.dhcp.agent.DhcpPluginApi').start().return_value 
@@ -223,6 +224,10 @@ class DHCPAgentOVSTestFramework(base.BaseSudoTestCase): def assert_good_allocation_for_port(self, network, port): vif_name = self.get_interface_name(network.id, port) + tag = self.br_int.ovsdb.db_get('Port', vif_name, 'tag').execute( + check_error=True) + self.assertEqual([], tag) + self._run_dhclient(vif_name, network) predicate = lambda: len( diff --git a/neutron/tests/unit/db/test_db_base_plugin_v2.py b/neutron/tests/unit/db/test_db_base_plugin_v2.py index 392c865501..a25ccc4f0d 100644 --- a/neutron/tests/unit/db/test_db_base_plugin_v2.py +++ b/neutron/tests/unit/db/test_db_base_plugin_v2.py @@ -4045,22 +4045,6 @@ class TestSubnetsV2(NeutronDbPluginV2TestCase): webob.exc.HTTPCreated.code, gateway_ip='100.0.0.1') - def test_create_subnet_gw_is_nw_addr_returns_400(self): - with self.network() as network: - self._create_subnet(self.fmt, - network['network']['id'], - '10.0.0.0/24', - webob.exc.HTTPClientError.code, - gateway_ip='10.0.0.0') - - def test_create_subnet_gw_is_broadcast_addr_returns_400(self): - with self.network() as network: - self._create_subnet(self.fmt, - network['network']['id'], - '10.0.0.0/24', - webob.exc.HTTPClientError.code, - gateway_ip='10.0.0.255') - def test_create_subnet_gw_of_network_returns_400(self): with self.network() as network: self._create_subnet(self.fmt, diff --git a/releasenotes/notes/bug-2003455-b502cc637427560e.yaml b/releasenotes/notes/bug-2003455-b502cc637427560e.yaml new file mode 100644 index 0000000000..2e89cf055f --- /dev/null +++ b/releasenotes/notes/bug-2003455-b502cc637427560e.yaml 
@@ -0,0 +1,19 @@
+---
+fixes:
+ - |
+ [`bug 2003455 <https://bugs.launchpad.net/neutron/+bug/2003455>`_]
+ It is added an extra checking to ensure the "reside-on-redirect-chassis"
+ is set to true for the logical router port associated to vlan provider
+ network despite having the "ovn_distributed_floating_ip" enabled or not.
+ This is needed as there is an OVN bug
+ (https://bugzilla.redhat.com/show_bug.cgi?id=2162756) making it not work
+ as expected. Until that is fixed, we need these workaround
+ that makes the traffic centrallized, but not tunneled, through the node
+ with the gateway port, thus avoiding MTU issues.
+issues:
+ - |
+ Until the OVN bug (https://bugzilla.redhat.com/show_bug.cgi?id=2162756)
+ is fixed, setting the "reside-on-redirect-chassis" to true for the logical
+ router port associated to vlan provider network is needed. This workaround
+ makes the traffic centrallized, but not tunneled, through the node
+ with the gateway port, thus avoiding MTU issues.
diff --git a/releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml b/releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml
new file mode 100644
index 0000000000..f07dacc24c
--- /dev/null
+++ b/releasenotes/notes/secure-rbac-policies-fully-supported-e95271a3ab175dca.yaml
@@ -0,0 +1,16 @@ +--- +features: + - | + Neutron now supports API policies with the new default roles + ``project_member`` and ``project_reader``. + Role ``admin`` is working in the same way as with old policies. +upgrade: + - | + New default API policies are not enabled by default. A cloud operator can + enable them by setting ``oslo_policy/enforce_new_defaults`` to ``true`` in + the Neutron config file. + It is also possible to switch the ``oslo_policy/enforce_scope`` config + option to ``true`` but currently Neutron does not support any system scope + APIs. All Neutron API policies are currently project scoped so setting + ``oslo_policy/enforce_scope`` to ``true`` will cause ``Forbidden`` responses + to any API calls made with the system scope token. diff --git a/zuul.d/tempest-multinode.yaml b/zuul.d/tempest-multinode.yaml index 24fea9085c..394cf49862 100644 --- a/zuul.d/tempest-multinode.yaml +++ b/zuul.d/tempest-multinode.yaml @@ -1,6 +1,41 @@ +- nodeset: + name: neutron-three-node-jammy + nodes: + - name: controller + label: ubuntu-jammy + - name: compute1 + label: ubuntu-jammy + - name: compute2 + label: ubuntu-jammy + groups: + # Node where tests are executed and test results collected + - name: tempest + nodes: + - controller + # Nodes running the compute service + - name: compute + nodes: + - compute1 + - compute2 + # Nodes that are not the controller + - name: subnode + nodes: + - compute1 + - compute2 + # Switch node for multinode networking setup + - name: switch + nodes: + - controller + # Peer nodes for multinode networking setup + - name: peers + nodes: + - compute1 + - compute2 + - job: name: neutron-ovs-tempest-dvr-ha-multinode-full parent: tempest-multinode-full-py3 + nodeset: neutron-three-node-jammy timeout: 10800 roles: - zuul: openstack/neutron-tempest-plugin 
@@ -51,6 +86,11 @@ devstack_services: br-ex-tcpdump: true br-int-flows: true + # Nova services + # NOTE(slaweq): this node is going to be only control plane and + # networker node with "dvr_snat" L3 agent mode. Other nodes in that job + # are compute nodes with L3 agent in "dvr" mode + n-cpu: false # Neutron services q-agt: true q-dhcp: true @@ -150,7 +190,7 @@ resource_provider_bandwidths: br-ex:1000000:1000000 $NEUTRON_L3_CONF: DEFAULT: - agent_mode: dvr_snat + agent_mode: dvr agent: availability_zone: nova debug_iptables_rules: True |