We are happy to announce the release of: neutron-fwaas 9.0.0: OpenStack Networking FWaaS This release is part of the newton release series. For more details, please see below. 9.0.0 ^^^^^ The Cisco Firewall Driver is being moved from the FWaaS repo to the Cisco specific repo: https://github.com/openstack/networking-cisco The FWaaS team is pleased to release FWaaS v2.0. This release of FWaaS supports either the original FWaaS v1 or the new FWaaS v2. * The McAfee Firewall Driver is being removed from the FwaaS repo, due to lack of active maintainers. * The vArmour Firewall Driver is being removed from the FwaaS repo, as per decision to remove vendor drivers from the community repo. * The vyatta Firewall Driver is being removed from the FwaaS repo, as per decision to remove vendor drivers from the community repo. New Features ************ * In FWaaS v2 firewall policies are applied to router ports, as opposed to applying to routers in FWaaS v1. * Earlier the FWaaS agent integrated with the L3 agent by having the L3 Agent class inherit from the FWaaS Agent class. This meant that other service agents could not also integrate with the L3 agent. Now, using the L3 agent extensions mechanism, FWaaS (v1 and v2) plugs in to the L3 agent. This means that it can interoperate peacefully with other L3 advanced services that also implement the L3 agent extension mechanism, all without any code changes to Neutron. Upgrade Notes ************* * The Cisco FWaaS driver will not be available from the neutron- fwaas repo in Newton. For the Cisco FWaaS driver, refer to the openstack /networking-cisco repo. * There is not currently a defined upgrade path from FWaaS v1 to FWaaS v2. * FWaaS v1 can not be enabled at the same time as FWaaS v2; one or the other must be chosen. * The McAfee Firewall Driver will not be available for use in the Newton release. * The vArmour Firewall Driver will not be available for use in the Newton release. * The vyatta Firewall Driver will not be available for use in the Newton release from the community repo. Changes in neutron-fwaas 8.0.0.0rc1..9.0.0 ------------------------------------------ 591dcbe Fix KeyError when fw rule associated with a policy is updated f510618 Add devstack plugin support for fwaas v2 9b86e35 Check for _interfaces in updated_router 1245d31 Updated from global requirements 48e58a6 Switch upper-constraints and tox_install.sh to stable/newton 81a7c7e Update .gitreview for stable/newton bdcfdd7 Tag the alembic migration revisions for Newton 1da6c2f Fix neutron-fwaas tests after project_id addition 2dc23c0 Updated from global requirements a0a8ee5 Skip test test_update_firewall_shared_fails_for_non_admin e2ea1e3 Add reno note for FWaaS v2 c6c67f4 Updated from global requirements 9c79d0b Add tests ensuring models and migrations are in sync 6718fd8 FWaaS v2 utilize L3 Agent Extension framework 68b4bca Migrate FWaaS policy.json to FWaaS repo 357399b Use neutron-lib model_base instead of neutron models 91a2f22 Add FWaaS v1 and v2 entrypoints to setup.cfg 3e4fa75 Add special handling for functional tests f6aed8b Remove vendor driver: vyatta from community repo 82473d3 Use temporary directory for neutron install 2be5839 Remove Cisco driver from neutron-fwaas repo. 35797ac Updated from global requirements 3788294 FWaaS v2 Database rule insert/remove operations support ca7c5c2 Remove vendor driver: vArmour from community repo fd8d6d2 FWaaS v2 L3 Agent Extension a287146 FWaaS V2 Plugin 744e6fa Fix enum usage in db migration for postgresql 228d93d Fix db vs migration mismatches 84fb223 Fix db migration chain aff7fe1 Fix model/migration sync issues with FWaaS 33e1952 Updated from global requirements 39d40b2 Constrain remaining tox targets 39e4dd9 FWaaS v2 Database 85eb9c8 TrivialFix: Add validation for tenant_id 686197a FwaaS v2 REST API fd77859 Fix column_name in migration from project_id change 93a2e89 Fix db migration after project_id changes cf1b491 Remove temporary local HasProject 3132bfb Enable DeprecationWarning in test environments fc11d20 Updating imports as l3 agent config options 8ca0bec Updated from global requirements ea23bbc devstack: Don't bother to have our own l3 agent config file 211e00d Update imports (common.config -> conf.common) c3e491c Rename DB columns: tenant -> project c113550 add "reject" action to firewall rule doesn't work for postgresql ed114ec Updated from global requirements 3f6777d Delete mcafee FwaaS driver d981520 Updated from global requirements e70a782 DevStack plugin for fwaas a7b5abc Add python 3 classifiers b26f9f4 Add entrypoints for iptables and varmor drivers 482bdc3 Fix deprecation warnings 9363b9c Fix subunit trace help b1b2b2a Fix a few test cases in test_cisco_fwaas_plugin cd423e2 Follow the recent tempest change c800314 Remove unused POT file 9447fbb Updated from global requirements 0a4d218 Remove check_i18n files a59df89 Use call_and_ignore_notfound_exc directly 0e00b64 Updated from global requirements 6a74dd3 Fix neutron_lib deprecations 0bcd1e6 [Trivial] Remove unnecessary executable privilege 8e998f3 Remove unnecessary executable permissions 802776c Updated from global requirements debc359 Fix broken tempest tests 531759d Skip broken tests 5f3c257 Switch to using hacking checks from neutron-lib fadfe86 Fix "Not applying Firewall rules immediately" problem bddac14 Updated from global requirements f3e3c35 Updated from global requirements 30f9c69 Don't use zuul-cloner for venv env, for periodic jobs e32d526 Fix doc build if git is absent 6f24c6c Updated from global requirements ab56228 Constraint requirements using mitaka upper-constraints.txt file e30e192 FWaaS Disable nonstandard-exception due to neutron_lib shims 9858111 Update reno for stable/mitaka c213ddc Update .gitreview for stable/mitaka e94aca8 Translations: add in the locale directory e303dfb FWaaS: make use of neutron_lib exceptions Diffstat (except docs and test files) ------------------------------------- .gitreview | 1 + .pylintrc | 2 + TESTING.rst | 4 + devstack/README.rst | 49 + devstack/lib/l2_agent | 16 + devstack/lib/l3_agent | 16 + devstack/plugin.sh | 134 ++ devstack/settings | 3 + etc/neutron/policy.d/neutron-fwaas.json | 35 + neutron_fwaas/common/fwaas_constants.py | 2 + neutron_fwaas/common/resources.py | 17 + neutron_fwaas/db/cisco/__init__.py | 0 neutron_fwaas/db/cisco/cisco_fwaas_db.py | 60 - neutron_fwaas/db/firewall/firewall_db.py | 10 +- .../db/firewall/firewall_router_insertion_db.py | 2 +- neutron_fwaas/db/firewall/v2/__init__.py | 0 neutron_fwaas/db/firewall/v2/firewall_db_v2.py | 796 ++++++++++ .../db/migration/alembic_migrations/env.py | 2 +- .../540142f314f4_fwaas_router_insertion.py | 14 +- .../alembic_migrations/versions/CONTRACT_HEAD | 2 +- .../alembic_migrations/versions/EXPAND_HEAD | 2 +- .../liberty/expand/4b47ea298795_add_reject_rule.py | 10 +- .../f83a0b2964d0_rename_tenant_to_project.py | 143 ++ .../expand/d6a12e637e28_neutron_fwaas_v2_0.py | 113 ++ neutron_fwaas/db/models/__init__.py | 0 neutron_fwaas/db/models/head.py | 21 + neutron_fwaas/extensions/cisco/__init__.py | 0 .../extensions/cisco/csr_firewall_insertion.py | 78 - neutron_fwaas/extensions/firewall.py | 62 +- neutron_fwaas/extensions/firewall_v2.py | 440 ++++++ .../extensions/firewallrouterinsertion.py | 6 +- .../services/firewall/agents/firewall_agent_api.py | 8 + .../agents/l3reference/firewall_l3_agent.py | 123 +- .../agents/l3reference/firewall_l3_agent_v2.py | 509 +++++++ .../services/firewall/agents/varmour/__init__.py | 0 .../firewall/agents/varmour/varmour_api.py | 146 -- .../firewall/agents/varmour/varmour_router.py | 347 ----- .../firewall/agents/varmour/varmour_utils.py | 70 - .../services/firewall/agents/vyatta/__init__.py | 0 .../firewall/agents/vyatta/firewall_service.py | 58 - .../services/firewall/agents/vyatta/fwaas_agent.py | 39 - .../firewall/agents/vyatta/vyatta_utils.py | 87 -- .../services/firewall/drivers/cisco/__init__.py | 0 .../firewall/drivers/cisco/csr_acl_driver.py | 370 ----- .../drivers/cisco/csr_firewall_svc_helper.py | 245 ---- .../services/firewall/drivers/fwaas_base.py | 30 +- .../services/firewall/drivers/fwaas_base_v2.py | 96 ++ .../firewall/drivers/linux/iptables_fwaas.py | 111 ++ .../firewall/drivers/linux/iptables_fwaas_v2.py | 459 ++++++ .../services/firewall/drivers/mcafee/README.rst | 11 - .../services/firewall/drivers/mcafee/__init__.py | 0 .../services/firewall/drivers/mcafee/constants.py | 258 ---- .../services/firewall/drivers/mcafee/ngfw_fwaas.py | 343 ----- .../services/firewall/drivers/mcafee/smc_api.py | 476 ------ .../services/firewall/drivers/varmour/__init__.py | 0 .../firewall/drivers/varmour/varmour_fwaas.py | 208 --- .../services/firewall/drivers/vyatta/README.rst | 11 - .../services/firewall/drivers/vyatta/__init__.py | 0 .../firewall/drivers/vyatta/vyatta_fwaas.py | 191 --- neutron_fwaas/services/firewall/fwaas_plugin.py | 6 +- neutron_fwaas/services/firewall/fwaas_plugin_v2.py | 347 +++++ .../services/firewall/plugins/cisco/__init__.py | 0 .../firewall/plugins/cisco/cisco_fwaas_plugin.py | 373 ----- .../unit/db/firewall/v2/test_firewall_db_v2.py | 1514 ++++++++++++++++++++ .../agents/l3reference/test_firewall_l3_agent.py | 41 +- .../l3reference/test_firewall_l3_agent_v2.py | 334 +++++ .../firewall/agents/test_firewall_agent_api.py | 33 +- .../services/firewall/agents/varmour/__init__.py | 0 .../firewall/agents/varmour/test_varmour_router.py | 202 --- .../services/firewall/agents/vyatta/__init__.py | 0 .../agents/vyatta/test_firewall_service.py | 100 -- .../firewall/agents/vyatta/test_vyatta_utils.py | 115 -- .../services/firewall/drivers/cisco/__init__.py | 0 .../firewall/drivers/cisco/test_csr_acl_driver.py | 469 ------ .../drivers/cisco/test_csr_firewall_svc_helper.py | 221 --- .../firewall/drivers/linux/test_iptables_fwaas.py | 105 +- .../drivers/linux/test_iptables_fwaas_v2.py | 389 +++++ .../services/firewall/drivers/mcafee/__init__.py | 0 .../firewall/drivers/mcafee/test_ngfw_fwaas.py | 226 --- .../services/firewall/drivers/varmour/__init__.py | 0 .../firewall/drivers/varmour/test_varmour_fwaas.py | 222 --- .../services/firewall/drivers/vyatta/__init__.py | 0 .../firewall/drivers/vyatta/test_vyatta_fwaas.py | 251 ---- .../services/firewall/plugins/cisco/__init__.py | 0 .../plugins/cisco/test_cisco_fwaas_plugin.py | 430 ------ .../unit/services/firewall/test_fwaas_plugin.py | 2 + .../unit/services/firewall/test_fwaas_plugin_v2.py | 566 ++++++++ .../cisco-fwaas-driver-move-8f46325d13c93543.yaml | 11 + releasenotes/notes/fwaas_v2-374471c215af0ca0.yaml | 18 + ...afee-fwaas-driver-removal-8915271e5d4288cf.yaml | 7 + ...mour-fwaas-driver-removal-f7aa304a4544134a.yaml | 7 + ...atta-fwaas-driver-removal-e38e6ecde5105084.yaml | 7 + releasenotes/source/index.rst | 1 + releasenotes/source/mitaka.rst | 6 + requirements.txt | 16 +- setup.cfg | 16 +- test-requirements.txt | 14 +- tools/check_i18n.py | 153 -- tools/check_i18n_test_case.txt | 67 - tools/i18n_cfg.py | 97 -- tools/subunit-trace.py | 2 +- tools/tox_install.sh | 48 +- tox.ini | 22 +- 115 files changed, 7118 insertions(+), 6104 deletions(-) Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt index f468157..df55525 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8 +8 @@ httplib2>=0.7.5 # MIT -netaddr!=0.7.16,>=0.7.12 # BSD +netaddr!=0.7.16,>=0.7.13 # BSD @@ -10 +10 @@ SQLAlchemy<1.1.0,>=1.0.10 # MIT -alembic>=0.8.0 # MIT +alembic>=0.8.4 # MIT @@ -12,3 +12,3 @@ six>=1.9.0 # MIT -neutron-lib>=0.0.1 # Apache-2.0 -oslo.config>=3.7.0 # Apache-2.0 -oslo.db>=4.1.0 # Apache-2.0 +neutron-lib>=0.4.0 # Apache-2.0 +oslo.config>=3.14.0 # Apache-2.0 +oslo.db!=4.13.1,!=4.13.2,>=4.10.0 # Apache-2.0 @@ -16 +16 @@ oslo.log>=1.14.0 # Apache-2.0 -oslo.messaging>=4.0.0 # Apache-2.0 +oslo.messaging>=5.2.0 # Apache-2.0 @@ -18,2 +18,2 @@ oslo.serialization>=1.10.0 # Apache-2.0 -oslo.service>=1.0.0 # Apache-2.0 -oslo.utils>=3.5.0 # Apache-2.0 +oslo.service>=1.10.0 # Apache-2.0 +oslo.utils>=3.16.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index 165a1ce..595767d 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -7,2 +7,2 @@ coverage>=3.6 # Apache-2.0 -fixtures>=1.3.1 # Apache-2.0/BSD -mock>=1.2 # BSD +fixtures>=3.0.0 # Apache-2.0/BSD +mock>=2.0 # BSD @@ -10,2 +10,2 @@ python-subunit>=0.0.18 # Apache-2.0/BSD -requests-mock>=0.7.0 # Apache-2.0 -sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2 # BSD +requests-mock>=1.0 # Apache-2.0 +sphinx!=1.3b1,<1.3,>=1.2.1 # BSD @@ -13 +13 @@ oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0 -oslo.concurrency>=3.5.0 # Apache-2.0 +oslo.concurrency>=3.8.0 # Apache-2.0 @@ -21 +21,3 @@ oslotest>=1.10.0 # Apache-2.0 -reno>=0.1.1 # Apache2 +reno>=1.8.0 # Apache2 +PyMySQL!=0.7.7,>=0.6.2 # MIT License +psycopg2>=2.5 # LGPL/ZPL