[Openstack-security] [Bug 1274034] Related fix merged to neutron (feature/pecan)
OpenStack Infra
1274034 at bugs.launchpad.net
Thu Sep 17 22:35:54 UTC 2015
Reviewed: https://review.openstack.org/224357
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fdc3431ccd219accf6a795079d9b67b8656eed8e
Submitter: Jenkins
Branch: feature/pecan
commit fe236bdaadb949661a0bfb9b62ddbe432b4cf5f1
Author: Miguel Angel Ajo <mangelajo at redhat.com>
Date: Thu Sep 3 15:40:12 2015 +0200
No network devices on network attached qos policies
Network devices, like internal router legs, or dhcp ports
should not be affected by bandwidth limiting rules.
This patch disables application of network attached policies
to network/neutron owned ports.
Closes-bug: #1486039
DocImpact
Change-Id: I75d80227f1e6c4b3f5fa7762b8dc3b0c0f1abd46
commit db4a06f7caa20a4c7879b58b20e95b223ed8eeaf
Author: Ken'ichi Ohmichi <ken-oomichi at wx.jp.nec.com>
Date: Wed Sep 16 10:04:32 2015 +0000
Use tempest-lib's token_client
Now tempest-lib provides token_client modules as a library and the
interface is stable. So the neutron repository doesn't need to contain
these modules.
This patch makes neutron use tempest-lib's token_client and removes
the own modules for the maintenance.
Change-Id: Ieff7eb003f6e8257d83368dbc80e332aa66a156c
commit 78aed58edbe6eb8a71339c7add491fe9de9a0546
Author: Jakub Libosvar <libosvar at redhat.com>
Date: Thu Aug 13 09:08:20 2015 +0000
Fix establishing UDP connection
Previously, in establish_connection() for the UDP protocol, data were sent
but never read on the peer socket. That led to a successful read on the peer side
if this connection was filtered. Having a constant testing string masked
this issue as we can't distinguish to which test of connectivity the data
belong.
This patch makes the data string unique per test_connectivity() and
also makes establish_connection() create an ASSURED entry in the
conntrack table. Finally, in the last test after the firewall filter was
removed, the connection is re-established in order to avoid troubles with
terminated processes or TCP continuing to send packets which weren't
successfully delivered.
Closes-Bug: 1478847
Change-Id: I2920d587d8df8d96dc1c752c28f48ba495f3cf0f
commit e6292fcdd6262434a7b713ad8802db6bc8a6d3dc
Author: YAMAMOTO Takashi <yamamoto at midokura.com>
Date: Wed Sep 16 13:20:51 2015 +0900
ovsdb: Fix a few docstrings
Change-Id: I53e1e21655b28fe5da60e58aeeb7cbbd103ae014
commit c22949a4449d96a67caa616290cf76b67b182917
Author: fumihiko kakuma <kakuma at valinux.co.jp>
Date: Wed Sep 16 11:52:59 2015 +0900
Remove requirements.txt for the ofagent mechanism driver
It is no longer used.
Related-Blueprint: core-vendor-decomposition
https://blueprints.launchpad.net/neutron/+spec/core-vendor-decomposition
Change-Id: Ib31fb3febf8968e50d86dd66e1e6e1ea2313f8ac
commit d1d4de19d85f961d388c91e70f31b3bafec418c5
Author: Kevin Benton <blak111 at gmail.com>
Date: Thu Sep 3 20:25:57 2015 -0700
Always return iterables in L3 get_candidates
The caller of this function expects iterables.
Closes-Bug: #1494996
Change-Id: I3d103e63f4e127a77268502415c0ddb0d804b54a
commit 1ad6ac448067306fcf7ea562840e63fd257f0556
Author: Sudhakar Babu Gariganti <sudhakar-babu.gariganti at hp.com>
Date: Fri Sep 11 14:53:27 2015 +0530
Prevent full sync in dhcp_agent when possible
If an exception occurs in sync_state method, we try for a full sync
even in the case where we have fewer networks to resync for.
This turns out to be pretty costly in scaled environments.
This patch addresses the above behavior by resyncing only for the
earlier set of failed networks.
Closes-Bug: #1495592
Change-Id: I069e992b3b7814370d409236b6a3c81a25829cc1
commit 1b94f3f3d9c84a20f46000c0801eeb8bad84a6fb
Author: Jakub Libosvar <libosvar at redhat.com>
Date: Wed Jul 15 10:46:35 2015 +0000
Add QoS fullstack test
Test the qos policy and rule CRUD lifecycle with port. Future plans are
to add similar testing with ports belonging to network with set qos
policy.
Change-Id: Iebe9b3e9d612d3533381a8cf4d0b9c587f8fda42
commit cc698b2ba578e5bc1475f6229bfebd1316c41ffb
Author: Moshe Levi <moshele at mellanox.com>
Date: Mon Aug 10 12:25:59 2015 +0300
QoS agent extension and driver refactoring
Moved some code common to all drivers into base
qos driver abstract class, so related bugfixes go all in one
place and we simplify the logic for every qos drivers.
Port/Policy mapping moved out to a separate class.
Support delete per rule_type or delete all rules.
Related-bug: #1486039
Co-Authored-By: Miguel Angel Ajo <mangelajo at redhat.com>
Partially-Implements: blueprint ml2-qos
Change-Id: Ia9d8638b9268b5aa8512cbb9d001413751f82649
commit 17765114292217d109c15b220be57fea6c9eed4a
Author: sridhargaddam <sridhar.gaddam at enovance.com>
Date: Tue Jul 14 16:18:06 2015 +0000
Add IPv6 Address Resolution protection
Similar to IPv4 arp protection support, this patch adds the necessary OVS
rules to prevent ports attached to agent from sending any icmpv6 neighbor
advertisement messages that contain an IPv6 address not belonging to the port.
For details please refer to "Figure 3. Attack against IPv6 Address Resolution"
http://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.html
DocImpact
SecurityImpact
Closes-Bug: #1491690
Change-Id: I1f8311f1b9ae1be02afde3e9078e49c6da373a88
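The patch above installs OVS rules so that a port can only send ICMPv6 neighbor advertisements for addresses that belong to it. The following Python model of that decision is an added example, not code from neutron or from this commit: it computes the set of IPv6 addresses a port is entitled to announce (its fixed IPv6 addresses, its IPv6 allowed-address pairs, and, as an assumption of this example, the EUI-64 link-local address derived from its MAC) and checks a neighbor-advertisement target address against that set. The port dictionary, its field names and all addresses are constructed for the example.

```python
import ipaddress

# Constructed sample port. The field names (mac_address, fixed_ips,
# allowed_address_pairs) are assumptions for this example, not a schema.
SAMPLE_PORT = {
    "mac_address": "fa:16:3e:aa:bb:cc",
    "fixed_ips": [
        {"ip_address": "2001:db8:1::10"},
        {"ip_address": "10.0.0.10"},        # IPv4, irrelevant to ND filtering
    ],
    "allowed_address_pairs": [
        {"ip_address": "2001:db8:1::100/128"},
    ],
}


def eui64_link_local(mac):
    """Derive the modified-EUI-64 link-local address for a MAC (RFC 4291).

    Including this address is an assumption of the example: a port must be
    able to answer neighbor solicitations for its own link-local address.
    """
    octets = [int(x, 16) for x in mac.split(":")]
    octets[0] ^= 0x02                       # flip the universal/local bit
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    groups = ["%02x%02x" % (eui[i], eui[i + 1]) for i in range(0, 8, 2)]
    return ipaddress.IPv6Address("fe80::" + ":".join(groups))


def allowed_nd_targets(port):
    """Set of IPv6 networks this port may legitimately announce as NA targets."""
    targets = {ipaddress.ip_network(str(eui64_link_local(port["mac_address"])))}
    for fixed in port["fixed_ips"]:
        addr = ipaddress.ip_address(fixed["ip_address"])
        if addr.version == 6:
            targets.add(ipaddress.ip_network(str(addr)))
    for pair in port["allowed_address_pairs"]:
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        if net.version == 6:
            targets.add(net)
    return targets


def na_permitted(port, target):
    """True if a neighbor advertisement claiming `target` should pass the port's filter.

    Anything outside the allowed set is the spoofing case the OVS rules drop.
    """
    candidate = ipaddress.IPv6Address(target)
    return any(candidate in net for net in allowed_nd_targets(port))


if __name__ == "__main__":
    for target in ("2001:db8:1::10", "2001:db8:1::100",
                   "fe80::f816:3eff:feaa:bbcc", "2001:db8:1::99"):
        verdict = "allow" if na_permitted(SAMPLE_PORT, target) else "drop"
        print("NA target %-28s -> %s" % (target, verdict))
```

The last target in the demo belongs to no address the port owns, so an advertisement for it is exactly what the rules are meant to block; the other three are the port's fixed address, its allowed-address pair and its own link-local address.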
commit 53c64ff1ac3e92fa1cb8945cfae26b2624f2697d
Author: Jakub Libosvar <libosvar at redhat.com>
Date: Tue Sep 15 11:52:03 2015 +0000
Revert "AsyncProcess: try to kill tender"
This change introduced bug 1495937.
This reverts commit 470a7d8a106a274e06fb1311c6738f333a98f59c.
Change-Id: I84fea4fdac71141da335ccd9e0d4c9d6174dfd86
commit 25e4e13565690fc4bc9e08e34598e18f04b921b7
Author: Cedric Brandily <zzelle at gmail.com>
Date: Mon Aug 24 22:24:10 2015 +0200
Remove out-of-tree vendor AGENT_TYPE_* constant
AGENT_TYPE_* constants[1] define all agent types BUT the only vendor
one (AGENT_TYPE_NEC) is only used in the out-of-tree networking-nec repo.
This change removes the out-of-tree AGENT_TYPE_NEC constant (a dependent
change defines it in the networking-nec repo).
[1] in neutron.extensions.portbindings
Change-Id: Ia80c33ee7970cfe167c2c9ca6d512f23561455a2
Closes-Bug: #1487598
Depends-On: I955fa48ee2120900e422bab57db250303c3d7bb4
commit f4a76a7a26c0902d61f4fe61091e7fe556923592
Author: Jakub Libosvar <libosvar at redhat.com>
Date: Mon Sep 14 14:54:34 2015 +0000
func: Don't use private method of AsyncProcess
In the functional test we simulate a crash of AsyncProcess by calling
_kill_process(). This method is a private method and such usage
introduced a race where the process was respawned prior to calling wait() on the
killed process, leading to an infinite wait on the newly spawned process.
This patch adds a manual send of kill and then active waiting for the process
to be respawned, similarly to what was done with the recent keepalived patch [1].
[1] https://review.openstack.org/#/c/222460/7/neutron/tests/functional/agent/linux/test_keepalived.py
Closes-Bug: #1477860
Change-Id: I1c91393304d65a0695311416ecc5b64fd549b192
commit a13f5afcc821e24e40227965491b964fa85c003c
Author: lzklibj <lzklibj at cn.ibm.com>
Date: Fri Sep 11 02:37:47 2015 +0800
Remove unused ovs_lib method reset_bridge
Per [1] we are using a better way to keep tunnel connectivity,
so reset_bridge isn't used anymore. The bug in [2] was caused by
using the method reset_bridge, which will delete and recreate the bridge.
Since [1] makes the method reset_bridge deprecated, it makes sense to
remove this method and make [2] no longer reproduce.
[1] https://review.openstack.org/#/c/182920
[2] Related-bug: #1332450
Change-Id: I155f66a37b8d4081126467fe576e8315c2d5560c
commit 573c14659a953164ba556c694062e9242dcca807
Author: Brian Haley <brian.haley at hp.com>
Date: Mon Sep 14 16:12:18 2015 -0400
Fix TypeError caused by delete_agent_gateway_port()
A recent change used a keyword argument when it didn't need to,
correct it to fix the multinode DVR job.
End of typical traceback:
File "/opt/stack/new/neutron/neutron/api/rpc/handlers/l3_rpc.py",
in delete_agent_gateway_port(admin_ctx, network_id, host_id=host)
TypeError: delete_floatingip_agent_gateway_port() got multiple
values for keyword argument 'host_id'
Introduced in commit 639f1893dde0d393a97b29ca5309dba716831a7
Related-bug: #1495147
Change-Id: Id2522bc843bc7b089b7783d3f765900a50a0033f
commit b01f2f08257f5156084ac3e2644e79f220b15b6d
Author: Kyle Mestery <mestery at mestery.com>
Date: Thu Sep 10 15:46:04 2015 +0000
sub_project_guidelines: Add richer documentation
Add additional documentation around releasing sub-projects.
Change-Id: I71f31b6b8ed085066491e181074b467435f8d66d
Signed-off-by: Kyle Mestery <mestery at mestery.com>
commit bfebc9f8af05b5d4a5dcd2c2b0d521fe2fefa265
Author: Ryan Moats <rmoats at us.ibm.com>
Date: Mon Sep 14 11:29:28 2015 -0500
Fix typo: Large Ops, not Large Opts
Change-Id: I73e64e19275f002fcc2ae2e903611835bfd98f8a
Signed-off-by: Ryan Moats <rmoats at us.ibm.com>
commit 5eaff5fa0720b860ec4c0c75abee942313f93e94
Author: Ann Kamyshnikova <akamyshnikova at mirantis.com>
Date: Mon Sep 14 17:29:22 2015 +0300
Fix query in get_l3_agent_with_min_routers
For PostgreSQL if you're using GROUP BY everything in the SELECT
list must be an aggregate count(...) or used in the GROUP BY.
Closes-bug: #1495523
Change-Id: Ieb75d0666ec2f6d2e61686bf2bacea2b9ad6c521
commit a8d0586fdebfd28e407e2d30f72c92e3711d0a1e
Author: Ilya Shakhat <ishakhat at mirantis.com>
Date: Mon Sep 14 15:43:05 2015 +0300
Do not specify host for l2population topics
When creating topics oslo.messaging automatically creates
topic with hostname suffix (e.g. topic.hostname), there's
no need to do this explicitly.
Change-Id: Ia396452e8deb2c8f10bbead936245eeece8066a6
Closes-Bug: #1495508
commit 638d16c8a019cfdafa2b6bb12c95775544bb58df
Author: Kevin Benton <blak111 at gmail.com>
Date: Thu Sep 3 10:01:40 2015 -0700
Add utility function for checking trusted port
Ports that have a device_owner that starts with 'network:'
are trusted in several places throughout the codebase. Each
of these did a startswith check on each field and it's not
immediately obvious why it's done.
This patch adds a utility function called 'is_port_trusted'
that performs the same check and makes it obvious what is
being done.
Change-Id: I542c753776d5cfb2fd736b25ea6e111867c89c89
commit 691fae47a4e7468884cb58692ecaf48b9737dae1
Author: Jakub Libosvar <libosvar at redhat.com>
Date: Mon Sep 14 09:19:14 2015 +0000
Fix typo in error message in NetcatTester
Change-Id: Ie00901b1dab6c0c5ad4ec0f0c437426afc60396e
commit a466531aec4cb02469d12756c0151deb59dd4d13
Author: Saju Madhavan <sajuptpm at gmail.com>
Date: Mon Sep 14 14:03:28 2015 +0530
docstring fix
Change-Id: I35e44872c3dc7508d5991dc967bbceb22d6bea51
commit 470a7d8a106a274e06fb1311c6738f333a98f59c
Author: IWAMOTO Toshihiro <iwamoto at valinux.co.jp>
Date: Fri Sep 11 19:01:20 2015 +0900
AsyncProcess: try to kill tender
_kill_process kills processes with SIGKILL, which prevents the
processes' cleanup from running. Issue SIGTERM first and wait a bit.
Change-Id: Ie7b94011bbd11b1d672c95e3be19bb3c84ef77ec
Closes-bug: 1494363
commit a57b37fc56ffe3c1dade796c4663e95b1bbeea80
Author: Hong Hui Xiao <xiaohhui at cn.ibm.com>
Date: Thu Sep 10 06:38:01 2015 -0400
Enable servicing lbaasV2 vip by DVR
Currently, the vip of lbaasV2 will not have an l3 network with DVR.
This prevents the use case of lbaasV2 + DVR. This patch aims to
enable servicing lbaasv2 vip by DVR.
Change-Id: I1b51550437994fbe78d4db904641d4d9fb75d82e
Closes-Bug: #1493809
commit e5f635ee4fd1fe8a0bd2e5c58db068b51fc94c0b
Author: armando-migliaccio <armamig at gmail.com>
Date: Fri Sep 11 02:32:42 2015 -0700
Switch scheduler drivers to load based schedulers
Clouds deployed at scale will most likely use these scheduler
drivers because they allow a fairer resource allocation compared
to chance schedulers (which randomly place resources on the hosts).
Because of their importance, it's only wise to test them in
the gate on a continuous basis, so that we do not get surprised
by accidental regressions.
Rather than pushing this down through devstack-gate/project-config
patches, this change alters the default of the scheduler
drivers, so that users can also pick these up out of the box.
This means that after an upgrade they would observe a change in
the scheduling behavior, if they relied on the default config.
DocImpact
UpgradeImpact
Closes-bug: #1494667
Change-Id: I5927914cb88eff66bc7a045340ff68cb8da95ad6
commit dafa61bd46b7eacbc708d17a3fa492de971d6dd2
Author: armando-migliaccio <armamig at gmail.com>
Date: Sat Sep 12 12:07:35 2015 -0700
Fix BadRequest error on add_router_interface for DVR
This operation for DVR is made of multiple steps, some of
which are not within the same DB transaction. For this
reason, if a failure occurs, the rollback will be partial.
This inconsistent state leads the retry logic to fail with
BadRequest, because the router is believed to be already
connected to the subnet.
To fix this condition, it is necessary to delete the port
should the DB deadlock occur.
Closes-bug: #1494114
Change-Id: Ia2a73d6f9d1e4746e761ad072d954e64267a3ad1
commit 57b6a651a39099ea76178bdcea51b06bde587e25
Author: Sergey Vilgelm <sergey at vilgelm.info>
Date: Sat Sep 12 21:55:01 2015 +0300
Fix missing value types for log message
This patch adds missing value types for some exception log messages.
Change-Id: Ie9f512bc804f0cd70df991b1910c975a2f9d6fcf
Closes-Bug: #1494574
commit 5405d9742b94f203389f555c56727a66925e9454
Author: armando-migliaccio <armamig at gmail.com>
Date: Thu Sep 10 21:54:33 2015 -0700
Tweak test_keepalived_respawns test logic
This test's initial design is problematic: it spawns keepalived,
it asserts the process is up, then it attempts to kill it.
However, this is when problems may arise:
a) it does so by using the disable method on the process - we
should be more rude than that if we want to simulate a crash!
b) keepalived may be forking while it is starting and it is
possible that for a moment the ppid changes and the process
owner invoking the kill has no rights to kill the spawned
process. This is the most plausible explanation I could find
as to why kill returns 1 with no standard error
c) it does not verify that the process has indeed disappeared
(what if the pm.disable didn't work?) - this means that the
test can pass, and yet the monitor may not work.
Bottom line: this test relied on the correctness of the very code
that it was meant to validate...and that's not cool. To this aim, we
wait for the process to be active, kill the process with a kill -9
and verify that the process after the kill is indeed different.
Closes-bug: #1490043
Change-Id: Idaf419a1464d9d0d75b9106a7acd5cd960a7c623
commit 3c9482eb78b8a1e459ea9876a3b9a977690fce0d
Author: Salvatore Orlando <salv.orlando at gmail.com>
Date: Fri Aug 28 08:55:42 2015 -0700
Reservations: Don't count usage if resource is unlimited
If a resource is unlimited (ie: limit<0) then there is no need
to verify headroom for it. This also means that there no need for
counting it; therefore it is possible to save some DB operations
by skipping the count phase.
Change-Id: Ibe9ca8a1c29fb8ba12df187c25f8f9515968a54d
Related-blueprint: better-quotas
commit 14ef151fe0ca193c341098fcd3910d5e523c140c
Author: Salvatore Orlando <salv.orlando at gmail.com>
Date: Tue Aug 25 02:28:08 2015 -0700
Restore reservations in API controller
This patch restores the reservation logic in the API controller,
as the DB issues arising from the pymysql switch have been solved.
Change-Id: I98b40925fdceba13d6a2b5a4d0c5793aeb5cf077
Related-Bug: #1486134
Related-Blueprint: better-quotas
commit a19e64c9d95781982d28113c667dbc90d0ea11eb
Author: Ihar Hrachyshka <ihrachys at redhat.com>
Date: Fri Sep 11 14:46:51 2015 -0400
ovs: don't use ARP responder for IPv6 addresses
ARP does not support IPv6 addresses, so when we try to apply the flow, it
fails, with all other flows deferred for the same transaction. It results in
random flow breakages, depending on the order of the bad flow in the
transaction.
Change-Id: I0ecf167653e5a7d0916e091e05050406a026a1e2
Co-Authored-By: Thomas Carroll <Thomas.Carroll at pnnl.gov>
Closes-Bug: #1477253
commit 6ee4343c4ce90423ea6477216519bcb0ef21b816
Author: Ihar Hrachyshka <ihrachys at redhat.com>
Date: Fri Sep 11 16:32:06 2015 +0200
Install sriov-agent.ini on 'setup.py install'
The previous change [1] that split the configuration file into two pieces
missed the update of setup.cfg, so the file was not installed.
[1]: Ie1eda925e051f85d53ad9624d6617d095cf8c7be
Change-Id: Idcdc71b5614463fc0d81a8bc2d2833159be9e6c9
Related-Bug: #1489060
commit c89a4fdd88b0f8832b32af55f64e0d3a35c84388
Author: sridhargaddam <sridhar.gaddam at enovance.com>
Date: Thu Sep 10 16:14:13 2015 +0000
Configure gw_iface for RAs only in Master HA Router
For an HA Router which does not have any IPv6 subnets in the external network
and when ipv6_gateway is not set, Neutron configures the gateway interface of
the router to receive Router Advts for default route. In an HA router, only
the Master instance has the IP addresses while the Backup instance does not
have any addresses (including LLA). In Kernel version 3.10, when the last
IPv6 address is removed from the interface, IPv6 proc entries corresponding
to the iface are also deleted. This is however reverted in the later versions
of kernel code.
This patch addresses this issue by configuring the proc entry only for the
Master HA Router instance instead of doing it unconditionally.
Closes-Bug: #1494336
Change-Id: Ibf8e0ff64cda00314f8fa649ef5019c95c2d6004
commit fb8014294530ac83f209a79612c09c897d80227f
Author: Ryan Moats <rmoats at us.ibm.com>
Date: Fri Sep 11 07:41:38 2015 -0500
Remove useless log from periodic_sync_routers_task
Logging that periodic_sync_routers_task is starting with fullsync
False just adds noise to devstack logs. Reposition the log
statement to indicate that the task is starting if it is going
to be doing real processing.
Change-Id: I73def1e20218b01c135769d0b8fbce449dad17ea
Signed-off-by: Ryan Moats <rmoats at us.ibm.com>
commit 0f44a874b421e7dc055f409cffddbe52ca96b956
Author: Swaminathan Vasudevan <swaminathan.vasudevan at hp.com>
Date: Thu Sep 10 13:48:46 2015 -0700
Replace is_this_snat_host validation with internal function
There is already a function to validate if it is an snat
host or not. So just use that function instead of additional
validation.
Change-Id: I004d94d1d4b632880ed289ccdc9bf45cffc0e095
commit bcafe20a14048b90d1f3153dad6076e42bf571f5
Author: Assaf Muller <amuller at redhat.com>
Date: Thu Jun 11 17:13:44 2015 -0400
Add l2pop support to full stack tests
Add the l2pop mechanism driver to the ML2 plugin configuration, and set
l2_population = True, in the OVS agent configuration.
Each test class can enable or disable l2pop in its environment.
Change-Id: If4f2bf07883b763073b5a53f1aa557acb131d176
commit a885c4075ad983b8d68c4843359fa3578c48b575
Author: Assaf Muller <amuller at redhat.com>
Date: Tue Jun 16 08:56:41 2015 -0400
Add tunneling support to full stack tests
* EnvironmentDescription class now accepts 'network_type'.
It sets the ML2 segmentation type, passes it to the OVS agents
configuration files, and sets up the host configuration. If
tunnelling type is selected, it sets up a veth pair with an IP
address from the 240.0.0.1+ range. The addressed end of
this pair is configured as the local_ip for tunneling purposes
in each of the OVS agents. If network type is not tunnelled, it
sets up provider bridges instead and interconnects them.
* For now we run the basic L3 HA test with VLANs and tunneling just
so we have something to show for.
* I started using scenarios in fullstack tests to run the same test
with VLANs or tunneling, and because test names are used for log
dirs, and testscenarios changes test names to include characters
that are not shell friendly (Space, parenthesis), I 'sanitized'
some of those characters.
Change-Id: Ic45cc27396452111678cf85ab26b07275846ce44
commit 590ed69918efabc173144f170f2ea5ff0d445a78
Author: IWAMOTO Toshihiro <iwamoto at valinux.co.jp>
Date: Thu Sep 10 17:24:47 2015 +0900
Remove an unused DVR function
is_dvr_router_interface isn't used since commit
c5fafcb30a5b86e87309ad4650f7d05a2ca038dc.
Change-Id: Id902e7b4aafcf61f8da29bf7ab543559ea6b7937
commit 29ac69ebe365b597ad5d1510381d3f02643edb3e
Author: Oleg Bondarev <obondarev at mirantis.com>
Date: Thu Sep 10 10:51:10 2015 +0300
Handle ObjectDeletedError when deleting network ports/subnets
It appeared there is still a race on port deletion when deleting
networks. So commit a55e10cfd6369533f0cc22edd6611c9549b8f1b4
introduced a regression. It's a bit ironic that the commit message
was "Avoid DB errors when deleting network's ports and subnets".
Shame on me!
Closes-Bug: #1494157
Change-Id: I37727eca5d68e6440f0f93e0f6bbe63b2f18b443
commit d5a8074ec3c67ed68e64a96827da990f1c34e10f
Author: Stephen Ma <stephen.ma at hp.com>
Date: Fri Aug 28 14:00:48 2015 +0000
Descheduling DVR routers when ports are unbound from VM
When a VM is deleted, the DVR port used by the VM could be unbound
from the compute node. When it is unbound, it is no longer
in use on the node. Currently the unbind doesn't trigger a check
to determine whether the DVR router can be unscheduled from the
L3-agent running on the compute node. This patch makes the check
and unschedules the router, if necessary.
Closes-Bug: 1489184
Change-Id: I882e0682bfc7695b3b23e36eb4d7e35a5d19748e
commit 81dd69caddced348ed26d7a732dc93c9bd10b953
Author: OpenStack Proposal Bot <openstack-infra at lists.openstack.org>
Date: Thu Sep 10 00:06:08 2015 +0000
Updated from global requirements
Change-Id: I78f123c8e49b6dcd23bda1def9e021df74ffb0ea
commit 4a8c2b875e4abb8e99d62f1530f209147faada2f
Author: ajmiller <al.miller at ajmiller.net>
Date: Wed Sep 9 14:38:41 2015 -0700
Reduce the chance of random check/gate test failures
As previously implemented, the TestTrackedResource class is designed
to inject random failures into the gate. It generates random numbers
within the range of 0..10000, and will fail if it generates duplicate
random numbers during its run.
This patch creates UUIDs instead of random numbers, and makes the
chance of a collision vanishingly small.
Change-Id: I0cf535d1c5a3995a50b506aafce10e983872dcb7
Closes-bug: #1494021
commit 9b7ff6d3bd4059699c54180aca02e11d5fe07f21
Author: Carl Baldwin <carl.baldwin at hp.com>
Date: Mon Aug 31 21:31:57 2015 +0000
Allow passing arbitrary ip route parameters to add/delete_route
There are arguments to ip route like scope and dev that will need to
be passed to add_route and delete_route. This patch allows them to be
passed using kwargs.
Change-Id: I06d46bee9ca333c6a308d1af961bd9eadab9db97
Partially-Implements: blueprint address-scopes
commit 46e59d312a46d96860fc1226ec6024d10ef2b1e0
Author: Carl Baldwin <carl.baldwin at hp.com>
Date: Tue Sep 1 16:58:22 2015 +0000
Make ip address optional to add_route and delete_route
The add_route and delete_route methods require that the ip (actually
"via" in ip route terms) be passed. Some routes don't require this.
This patch makes it optional while maintaining the position for those
callers who do pass it by position.
Change-Id: Ic16408c00c77898d8f7663c92e56aa30427469f3
Partially-Implements: blueprint address-scopes
commit da4ee8c8d26880b6b1a20d18f5cbd38e7d5e4b04
Author: Carl Baldwin <carl.baldwin at hp.com>
Date: Fri Aug 28 21:28:39 2015 +0000
Add list routes
This adds list routes while refactoring list_onlink_routes to share
implementation. It changes test_onlink_routes to be consistent in the
type of data that it returns with the new list_routes.
Change-Id: I386a8e2cb146385bb59a7a8387a29dddbec48d8a
Partially-Implements: blueprint address-scopes
commit 24fa37e05544316b58357b753360b147878e5d94
Author: lzklibj <lzklibj at cn.ibm.com>
Date: Mon Mar 2 02:13:41 2015 -0800
Fix dvr update for subnet attach multi subnets
Fix method dvr_update_router_addvm to notify every
router attached to subnet where the vm will boot
on.
In dvr case, when a subnet only attaches to one router,
the subnet will only have one distributed router interface,
which device_owner is "network:router_interface_distributed".
So in this case, get_ports in this method will only get
one port, and it should be unnecessary to break in for loop.
But when a subnet attaches to multiple routers, get_ports in
this method will return all distributed router interfaces,
and the routers that hold those interfaces should be notified
when an instance is booted on the subnet. So it should also
be unnecessary to break in the for loop.
Change-Id: I3a5808e5b6e8b78abd1a5b924395844507da0764
Closes-Bug: #1427122
Co-Authored-By: Ryan Moats <rmoats at us.ibm.com>
commit 7bd30aa49c24dc65332740e4fa74da28533b92ed
Author: Carl Baldwin <carl.baldwin at hp.com>
Date: Fri Aug 28 21:19:40 2015 +0000
Make ip rule comparison more robust
I found that ip rules would be added multiple times in new address
scopes code because the _exists method was unable to reliably
determine if the rule already existed. This commit improves this by
more robustly canonicalizing what it reads from the ip rule command so
that like rules always compare the same.
Change-Id: I6d0c208f0ed8e65cdb750789321a7ad6ca1b77c2
Partially-Implements: blueprint address-scopes
commit ce5761f15388888038f9c39da886cd0343b734fc
Author: Andrey Kurilin <akurilin at mirantis.com>
Date: Wed Sep 9 16:48:59 2015 +0300
Remove hack for discovery novaclients extension
novaclient provides a common way to discover all extensions, so we can
remove import based on novaclient versioned client object.
Closes-Bug: #1493886
Change-Id: I7ae2eeb2d7e5c56e9284f3b059ff6e3545f42d5f
commit 91c476dcc5cd2192d0c43ca51a1b258b9c331fc4
Author: huangpengtao <huangpengtao at huawei.com>
Date: Sun Aug 30 10:43:50 2015 +0800
Check ICMP codes in range [0,255]
ICMP allows codes between 0 and 255, this change
adds a check for codes range min value.
DocImpact
APIImpact
Closes-Bug: #1486300
Change-Id: Ic7a49458448fad16447b914bb15742515661a851
commit cc9957c747b3caa84ea52c7960d863e587ac66ac
Author: Carl Baldwin <carl.baldwin at hpe.com>
Date: Tue Sep 8 21:04:23 2015 +0000
Remove address scopes from supported extensions
This feature is not ready for prime time, but the cli code is
already landed and shipped.
In order to prevent users from getting mad about an uncooked feature,
let's disable it until it becomes more robust.
Tests must be disabled unconditionally because our CI API test framework
execute tests for 'all' extensions available.
Related-blueprint: address-scopes
Change-Id: I71dc333e210b1f4acf30569711b4442ed8a1dfc3
commit bbaa4abdd5500d30576d63b5a5eb1503363e2f67
Author: Ann Kamyshnikova <akamyshnikova at mirantis.com>
Date: Wed Sep 9 14:32:36 2015 +0300
Add test to check that correct functions are used in expand/contract
This test will check that expand branch does not contain drop SQLAlchemy
operations and contract branch does not contain create/add SQLAlchemy
operations.
Partially-Implements: blueprint online-schema-migrations
Change-Id: Ifda31c0599651931c1a98f673f3b10e64538f18b
Related-bug: #1490767
commit bd07b74045d93c46483aa261b8686072d9b448e8
Author: Moshe Levi <moshele at mellanox.com>
Date: Tue Aug 25 15:50:09 2015 +0300
SR-IOV: devstack support for SR-IOV agent
Change-Id: Ia0649962bd0c68d9c99fd54cc84ce8dd67d792e8
commit 4d831a462e2510ab080be7abae49ca3cff056e61
Author: Ann Kamyshnikova <akamyshnikova at mirantis.com>
Date: Tue Sep 1 15:15:53 2015 +0300
Fix test_external_tables_not_changed
test_external_tables_not_changed was not
executed properly as new engine was created in env.py.
Related-bug: #1466704
Change-Id: If02415d7abd17024946f7aee8fb6abc374a7aefe
commit 37430d4bd096a04a0b3e23165ac244ac1f47a774
Author: Yi Zhao <zhaoyi at cmss.chinamobile.com>
Date: Thu Aug 27 15:24:21 2015 +0800
Delete gateway conntrack state when remove external gateway
This fixed the problem that a gateway ip conntrack state not cleared
when user clears a router external gateway.
Change-Id: I77f22d9504430259b01366e6296a99ba1cd6a046
Closes-Bug: #1488730
commit 319920303a22988e418a982eef60f67af321148b
Author: OpenStack Proposal Bot <openstack-infra at lists.openstack.org>
Date: Tue Sep 8 22:03:54 2015 +0000
Updated from global requirements
Change-Id: Ib9d2e669f3d6e68cced7cd6674ff23ff7642f997
commit 7ca5a26c982084ed0b4cf036917a64580da6385c
Author: Mike Bayer <mike_mp at zzzcomputing.com>
Date: Fri Aug 14 14:44:28 2015 -0400
Add non-model index names to autogen exclude filters
The SQLAlchemy MySQL dialect generates implicit indexes
in the less-common case of an integer column within a composite
primary key where autoincrement is not set to False.
Add a rule to ignore these indexes when performing
autogenerate against a target database.
Change-Id: I49abb3f7ad9731cde046fa2862cdb9ec16c3aeb3
Partially-Implements: blueprint online-schema-migrations
commit 6576bea07c6c268b16e6c1f118b858e698452e2b
Author: Mike Bayer <mike_mp at zzzcomputing.com>
Date: Mon Jul 20 18:34:15 2015 -0400
Implement expand/contract autogenerate extension
Makes use of new Alembic 0.8 features to allow
altering of the "alembic revision" stream such
that operations for expand and contract are
directed into separate branches.
Change-Id: Ifa743e2f5b90e59a8de8f4e7a67c4bbe46686804
Partially-Implements: blueprint online-schema-migrations
commit cd45f16442b7c56c4876bef527c9c83ea0907c40
Author: Swaminathan Vasudevan <swaminathan.vasudevan at hp.com>
Date: Mon Jun 22 17:17:15 2015 -0700
Cleanup the fip agent gateway port delete routines
Based on the parent patch, right now the Floatingip
agent gateway ports will only be deleted when the
last gateway port associated with the external
network is deleted.
The Floatingip agent gateway port will not be deleted
for every floatingip dis-association and deletion.
The Floatingip agent gateway port was created on all
nodes as a substitute for the gateway port. So it
makes sense to delete those ports only when the last
gateway port on the external network is deleted.
The agent should be able to delete the floatingip agent
gateway port on a given external network when it is not
required.
This would substantially reduce the burden on the server
to validate, read and delete the port from the DB.
Change-Id: Ie561b19a2e58a2a563d79b75421e9e24c70f36f9
Closes-Bug: #1468007
Closes-Bug: #1408855
Closes-Bug: #1450982
commit 639f1893dde0d393a97b29ca5309dba716831a7f
Author: Swaminathan Vasudevan <swaminathan.vasudevan at hp.com>
Date: Mon Jun 22 16:50:43 2015 -0700
Add RPC command and delete if last FIP on Agent
Today FloatingIP Agent gateway port is deleted and
re-created for DVR based routers based on floatingip
association and disassociation with VMs on compute
nodes by the plugin.
This introduces a lot more strain on the plugin to
create and delete these ports when VMs that are associated
with FloatingIps come up and get deleted.
This patch will introduce an RPC call for the agent
to initiate an agent gateway port delete.
Also the agent will look for the last floatingip that
it manages, and if condition satisfies, the agent will
request the server to remove the FloatingIP Agent
Gateway port.
Change-Id: I47694b2ee60c363e2fe59ad5f7d168252da08a45
Related-Bug: #1468007
Related-Bug: #1408855
Related-Bug: #1450982
commit d5aa1659f56601d8f4d5e17273d5ade7a0e202dd
Author: Swaminathan Vasudevan <swaminathan.vasudevan at hp.com>
Date: Mon Jun 22 16:33:32 2015 -0700
Delete FIP agent gateway port with external gw port
FIP agent gateway ports are associated with external
networks and a specific host.
Today FIP agent gateway ports are deleted for
every floatingip association and disassociation. This
introduces race conditions in the port delete and also
unnecessary access to the db.
This patch will delete the FIP agent gateway port when
the last gateway port of the external network is deleted.
The child patch linked to this parent patch will clean
up the FIP agent gateway port delete when associate,
disassociate and delete of floatingip happens.
This should also cover the case when an agent for some
reason was unable to request agent gw port delete.
(agent died).
Related-Bug: #1408855
Related-Bug: #1468007
Related-Bug: #1450982
Change-Id: I6637a771e6a6ce74e848cb74b779043e16a54a84
commit b62b92da9b9dbba953573bc212279c719e08f3ef
Author: Cedric Brandily <zzelle at gmail.com>
Date: Tue Sep 8 15:23:49 2015 +0000
Remove ebtables_driver/manager dead code
Previous changes[1] have been merged as enablers[2] to fix the bug
1274034 but an alternative solution has been chosen and now we can
consider the introduced code as dead code.
This change removes [2], associated tests and rootwrap filters.
[1] I9ef57a86b1a1c1fa4ba1a034c920f23cb40072c0
I3c66e92cbe8883dcad843ad243388def3a96dbe5
[2] neutron.agent.linux.ebtables_driver
neutron.agent.linux.ebtables_manager
Closes-Bug: #1493422
Related-Bug: #1274034
Change-Id: I61e38fc0d8cf8e79252aabc19a70240be57e4a32
commit bbca973986fdc99eae9d1b2545e8246c0b2be2e2
Author: Kevin Benton <blak111 at gmail.com>
Date: Tue Aug 25 22:03:27 2015 -0700
Stop device_owner from being set to 'network:*'
This patch adjusts the FieldCheck class in the policy engine to
allow a regex rule. It then leverages that to prevent users from
setting the device_owner field to anything that starts with
'network:' on networks which they do not own.
This policy adjustment is necessary because any ports with a
device_owner that starts with 'network:' will not have any security
group rules applied because it is assumed they are trusted network
devices (e.g. router ports, DHCP ports, etc). These security rules
include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
and IP headers.
Without this policy adjustment, tenants can abuse this trust when
connected to a shared network with other tenants by setting their
VM port's device_owner field to 'network:<anything>' and hijack other
tenants' traffic via DHCP spoofing or MAC/IP spoofing.
Closes-Bug: #1489111
Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9
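The trust boundary this commit closes, as an added example that is not neutron's code (the dataclasses, the regex field check and the audit helper below are hypothetical stand-ins written for this note):

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the policy check described above; not neutron code.
# Ports whose device_owner matches this regex are treated as trusted network
# devices (router legs, DHCP ports) and skip security-group and anti-spoofing rules.
NETWORK_DEVICE_OWNER_RE = re.compile(r"^network:")


@dataclass
class Context:
    tenant_id: str
    is_admin: bool = False


@dataclass
class Network:
    id: str
    tenant_id: str
    shared: bool = False


@dataclass
class Port:
    id: str
    tenant_id: str
    network_id: str
    device_owner: str = ""


def is_trusted_network_device(device_owner):
    """True when a port with this device_owner would bypass security-group
    and anti-spoofing filtering (DHCP, IPv6 ICMP and IP header checks)."""
    return NETWORK_DEVICE_OWNER_RE.match(device_owner or "") is not None


def authorize_device_owner(ctx, port, network):
    """Regex-based field check (hypothetical): a non-admin may only set a
    'network:*' device_owner on a network that its own tenant owns.
    Returns (allowed, reason)."""
    if not is_trusted_network_device(port.device_owner):
        return True, "device_owner does not match ^network:"
    if ctx.is_admin:
        return True, "admin context"
    if network.tenant_id == ctx.tenant_id:
        return True, "caller owns the network"
    return False, "device_owner matching ^network: denied on a network owned by another tenant"


def find_untrusted_network_device_ports(ports, networks):
    """Audit heuristic for existing deployments: ports that already claim
    'network:*' trust on a network owned by a different tenant. Such ports
    were filtered by neither security groups nor anti-spoofing rules, so
    they deserve a closer look."""
    by_id = {n.id: n for n in networks}
    suspicious = []
    for p in ports:
        net = by_id.get(p.network_id)
        if net is None:
            continue
        if is_trusted_network_device(p.device_owner) and net.tenant_id != p.tenant_id:
            suspicious.append(p.id)
    return suspicious


if __name__ == "__main__":
    # Constructed sample data: a shared network owned by tenant-a.
    net_a = Network("net-a", "tenant-a", shared=True)
    tenant_b = Context("tenant-b")
    for owner in ("compute:nova", "network:dhcp"):
        allowed, why = authorize_device_owner(
            tenant_b, Port("p", "tenant-b", "net-a", owner), net_a)
        print(f"{owner!r} on net-a by tenant-b -> {allowed} ({why})")
```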
commit c0ee8cbcbf98698411e3618b95b1d8c7676c76ad
Author: Assaf Muller <amuller at redhat.com>
Date: Tue Sep 8 10:48:11 2015 -0400
Add oslo rootwrap daemon logging during functional tests
Change-Id: Ie688a1df6e256c0195b8f3937228f65c0463e9c3
Closes-Bug: #1493396
commit d6d0853be34ce783b133a9c39aeb608033f3073b
Author: Aman Kumar <amank at hp.com>
Date: Tue Mar 17 03:41:54 2015 -0700
ovs agent resync may miss port remove event
In OVS Agent rpc_loop() resync mechanism clears the registered ports and
rescans them again, and it might result in missing some "port removed"
event and treat_devices_removed will not be called.
This fix rescans the newly updated ports when resync mechanism called,
without clearing the current registered ports.
The registered ports will be cleared only if there are too many
consecutive resyncs to avoid resyncing forever because of the same
faulty port.
Closes-Bug: #1329223
Co-Authored-By: Andrey Epifanov <aepifanov at mirantis.com>
Co-Authored-By: Gandharva S <gandharva.s at hp.com>
Co-Authored-By: Romil Gupta <romilg at hp.com>
Co-Authored-By: Rossella Sblendido <rsblendido at gmail.com>
Change-Id: Ib0db9dcf889d9fd90b623857782c9a6b091e18f5
commit 1b67012794932a06ce90976f9759fc588da269b5
Author: Ihar Hrachyshka <ihrachys at redhat.com>
Date: Tue Sep 8 11:20:10 2015 +0200
tests: disable process monitor before managers
Otherwise the monitor may respawn managers later, leaving them running.
Issue spotted in:
http://logs.openstack.org/02/216902/4/check/gate-neutron-dsvm-functional/a97df90
Change-Id: I0e68b06c87b5770756fdf7b9201e1986cc67e07b
Related-Bug: #1490051
commit 4b2e6842f320405cd963f560bc06849b4b7bb1eb
Author: armando-migliaccio <armamig at gmail.com>
Date: Mon Sep 7 04:53:50 2015 -0700
Retry metadata request on connection refused error
This testcase may fail intermittently on 'Connection refused' error.
This could be due to the fact that the metadata proxy setup is not exactly
complete at the time the request is issued; in fact there is no
synchronization between the router being up and the metadata request being
issued, and clearly this may be the reason of accidental but seldom failures.
In order to rule out this possibility and stabilize the test, let's retry
on connection refused only. If we continue to fail, then the next step would
be to dump the content of iptables to figure out why the error occurs.
Closes-bug: #1461172
Change-Id: I65a5bf4fbbcad6ba93a46d36cabe7844ff528d8d
commit 9e178e42e46317a6f1ac7688340f0f84e4c16c80
Author: Sergey Belous <sbelous at mirantis.com>
Date: Thu Sep 3 16:53:21 2015 +0300
Add ability to use custom config in DHCP-agent
This patch doesn't change the behaviour of dhcp-agent
but adds the opportunity to use a user-defined config,
which will make dhcp-agent more flexible
and allows running functional tests correctly
(without changing the global oslo.config CONF)
Closes-Bug: #1492283
Change-Id: Ice807e8fc872b56bb3960b7a3de4110c7675d9d6
commit 7da1724d446b6804c6be7a602532fbae58d9f008
Author: Salvatore Orlando <salv.orlando at gmail.com>
Date: Tue Aug 25 02:21:06 2015 -0700
Improve DB operations for quota reservation
This patch deals with the lock wait timeout and the deadlock errors
observed under high concurrency (api_workers >= 4) with the pymysql
driver. It includes the following changes:
- Stop setting dirty status for resource usage when creating
reservation, as usage of reserved resources is not tracked anymore;
- Add a variable, increasing delay when retrying make_reservation
upon a DBDeadlock error in order to reduce the chances of further
collisions;
- Enable transaction retry upon DBDeadlock errors for set_quota_usage;
- Do not resync quota usage while making reservation. This puts a lot
of stress on the database and is also wasteful since resource usage
is very likely to change again once the transaction is committed;
- Use autonested_transaction to simplify logic around when the
nested flag should be used.
Change-Id: I7a335f9ebea3c0d6fee6e6b757554e045a66075c
Closes-Bug: #1486134
Related-Blueprint: better-quotas
commit 13901bdf6941d17069073f489798faaa86151fae
Author: Moshe Levi <moshele at mellanox.com>
Date: Tue Aug 18 08:48:24 2015 +0300
Qos SR-IOV: Refactor extension delete to get mac and pci slot
When calling delete we need the pci slot details to reset the VF rate. The problem
is that when the VM is deleted libvirt returns the VF to the hypervisor and eswitch
manager will mark the pci_slot as unassigned so we can't know from the mac which pci slot (VF)
to reset. Also newer libvirt versions reset the mac when deleting the VM, so then it is
not possible at all.
The solution is to keep pci slot details locally in the agent since upon a removal event
you cannot get pci_slot from the neutron server as you can for create/update, since the port
is already removed from neutron.
This patch pairs the mac and pci_slot for a device (VF) so when calling the extension
port delete api we can have the pci_slot and reset the VF rate.
It also adds a mapping between mac and port_id so we can pass the port_id
when calling the extension port delete api.
Partially-Implements: blueprint ml2-sriov-qos-with-bwlimiting
Closes-Bug: #1492909
Change-Id: Icc3a9599c6d7a4de9c56b452dfab7909c8d0a576
commit b89879c286cdc5718ee540c2c581a3f500c18b3e
Author: root <mamtaprabhu at in.ibm.com>
Date: Sat Sep 5 10:47:41 2015 -0700
Adds support to provide the csum option for the OVS tunnels
The new option for the ovs agent will enable to set/unset the
csum option for the vxlan/gre tunnels. The default is maintained as False.
Change-Id: I18dcd8946b585e70f8890a5c222ea37059c4a0c5
Implements: bp ovs-tunnel-csum-option
Closes-bug: #1492111
commit 597be0028952f57e6083a674d724978cd9fe599c
Author: huangpengtao <huangpengtao at huawei.com>
Date: Sun Sep 6 23:32:49 2015 +0800
Delete the useless variable agent_host
Change-Id: I7fb9da4b4b5316ddbc93a89317ee57718da178d3
commit 42f80682d3eff58af60199f817ac402f457491a0
Author: Neil Jerram <Neil.Jerram at metaswitch.com>
Date: Sun Sep 6 01:09:16 2015 +0100
Handle process disappearing before we ask for its PPID
Change-Id: I573aba8e11dca16f8a6565f7e9704be18e938566
Closes-Bug: #1478190
commit 6d51ef5d2e275d0d260a592d3ab8ed8a76a63421
Author: Oleg Bondarev <obondarev at mirantis.com>
Date: Thu Sep 3 16:31:33 2015 +0300
OVS agent: handle deleted ports on each rpc_loop iteration
Currently rpc loop processes ports only in case polling is required
(message from ovsdb monitor) or there are port_updated notifications from
server or security group notifications.
In case of just port_deleted notifications port processing is not
triggered during rpc loop.
This may lead to agent accumulating a big amount of deleted ports
and processing all of them at once during next iteration when polling is
required or any notification from server, which might be quite tough for
the agent. Tough means agent will be irresponsive while processing deleted
ports.
The patch makes port deletion processing more gradual.
Closes-Bug: #1491922
Change-Id: I0e1f6dfbf5b56fb18a978d6214e1768560d8ac98
commit b61cd4eaedc3a65657d5dbf8b09ec3c39f250637
Author: Shweta P <shpadubi at cisco.com>
Date: Thu Aug 27 16:53:13 2015 -0400
Final decomposition of Cisco plugin
This patch follows the previous patch(listed as dependent) and moves
the remaining cisco db models from neutron to networking-cisco.
The patch deletes l3_model and cisco_router_plugin and their associated
config and helper files from neutron
Change-Id: I5b71e1dfb683e633e1cd11386dfb7c2ed7cc7d62
Partial-Bug: #1489609
commit d12017ad511a202a12422245cce6204a5731250c
Author: Abhishek Raut <rauta at vmware.com>
Date: Mon Aug 10 20:52:15 2015 -0700
Remove Cisco Meta and N1KV monolithic plugins
This patch removes the Cisco meta plugin and the Cisco
Nexus1000V monolithic plugin as they were deprecated in the
previous cycle.
Closes-bug: #1473217
Change-Id: Id170b9512b2f52a971264336d83b083d487359ee
commit 065275e51ff3852462586d01f5d3dd750bf2d663
Author: Robert Collins <rbtcollins at hp.com>
Date: Sat Sep 5 16:04:42 2015 +1200
Workaround test stream corruption issue.
Change-Id: I4c88f1891f53c6559bca71bf657aa30df2101280
Closes-Bug: #1492505
commit ad9aaa63e5ea427d24c07e6a36a2976d83f1a26f
Author: Kevin Benton <blak111 at gmail.com>
Date: Fri Sep 4 18:27:42 2015 -0700
Fix RBAC filter query for negative case
The query to find networks that aren't shared to the querier was
broken. It was querying for the inverse of RBAC entries that shared
to the querier, so it would return the network for each other tenant
it was shared to. This meant that if a network had multiple RBAC
entries, a shared=False filter wouldn't work in the API.
This patch corrects the behavior by adjusting the query that looks
for objects not shared to the caller to make sure the object ID doesn't
appear in the shared subquery.
This patch also adds a test that reliably reproduces the original issue.
The sporadically failing filter test that revealed this issue depended
on a race to have a network be shared to another tenant and to the wildcard
at the same time.
Change-Id: I9dcd869c1640b223221ba12e97284bbfcabbeb2b
Closes-Bug: #1495040
commit 1886964890e1ba9d13df43d0caeff1546f2090a9
Author: OpenStack Proposal Bot <openstack-infra at lists.openstack.org>
Date: Fri Sep 4 23:06:43 2015 +0000
Updated from global requirements
Change-Id: I6f3dbf989cb6d9d110c2ee6a3a2e2b557bced28f
commit ed3c317ed9182538747f74713154ad94e9d866db
Author: Ihar Hrachyshka <ihrachys at redhat.com>
Date: Fri Sep 4 22:21:41 2015 +0200
Fixed functional test that validates graceful ovs agent restart
The async_ping function returns a callable that returns True when all ping
futures are done. Since those futures are running for 10 secs, there was no
chance that the result of the callable was True.
The test was bailing out without calling bridge reset even a single time,
effectively leaving the feature untested in gate.
Another thing to note is that for some reason the patch fixed oslo rootwrap
errors in the test when executed locally. Since I still don't understand how
it's possible that it fixes the issue for me, I mark the bug as related only,
and will track logstash after it's merged to see whether it applies unknown
magic to gate jobs too.
Change-Id: Iaa977abddf1a0c6af7e964f1a5cd545ffb79585a
Related-Bug: #1490051
commit 1b25e30800c869dacca58afa6b8bf92f4cf9d377
Author: rossella <rsblendido at suse.com>
Date: Wed Aug 26 16:06:25 2015 +0000
_bind_devices query only existing ports
If a port is deleted right before _bind_devices is called,
get_ports_attributes will throw an exception since the row
corresponding to the port doesn't exist in the OVS DB.
Avoid that setting if_exists to True. The port will be
processed as deleted by the agent in the following iteration.
Change-Id: Ia6590d76f8683e6cba562cde3c39b051549f6c04
Closes-bug: #1489014
commit a93886278f1308ae78c65b4ad36ee7648cad2914
Author: Kevin Benton <blak111 at gmail.com>
Date: Fri Sep 4 05:33:46 2015 -0700
Stop logging deadlock tracebacks
The oslo db retry decorator logs a traceback every time a deadlock
is encountered even though it is being retried. With multiple workers
and a Galera cluster, deadlocks are common occurrences due to our use
of with_lockmode update so we should not be polluting the logs.
This patch adjusts our usage of the retry decorator to catch deadlocks
with the exception checker which does not log them until the retries
are exhausted.
Change-Id: I433fbbad61070e20ebe934b9247e36fc190fa3e0
commit e959e474d65211991c12f9495b227da5e4d99ed7
Author: Kevin Benton <blak111 at gmail.com>
Date: Fri Sep 4 04:22:35 2015 -0700
Don't log exceptions in GW update on router create
The LOG.exception statement is not necessary because the exception
is re-raised so if it's a real error it will be logged like any
other failure.
Related-Bug: #1494886
Change-Id: I29aacd8c1187ddf8653009865ed9a62be948c5a7
commit 9b66c82483ab70caf3e09d8dcf5cb8d4d4ecfd60
Author: Kevin Benton <blak111 at gmail.com>
Date: Fri Sep 4 04:28:58 2015 -0700
Remove an unnecessary extension check for rbac
This removes some logic to detect the RBAC extension
that was written when RBAC was being developed as a
service plugin. Since it's part of db base plugin there
is nothing to enable in devstack so it's not necessary.
Change-Id: I37f8060c14d8ad74f5cea649c18ee9ef3912cb2d
commit da81ae88929c389f0ba8660c4c8dfb79eec7c0fd
Author: Oleg Bondarev <obondarev at mirantis.com>
Date: Thu Sep 3 15:13:25 2015 +0300
OVS agent: flush firewall rules for all deleted ports at once
In some cases, under high load OVS agent has to delete a big amount of
ports during rpc_loop. remove_devices_filter() does iptables-save/restore
for IPv4 and IPv6 which is 4 system calls. It is very expensive and
inefficient to call it for each port individually.
Closes-Bug: #1491922
Change-Id: I4cfb2dfcef5088436c7aaae22c8f66e1ea052311
commit ef409d9da2ecbf12f9916a9a933231146538cf04
Author: Ihar Hrachyshka <ihrachys at redhat.com>
Date: Tue Sep 1 21:45:55 2015 +0200
Enable most unit tests for py34 job
* Skip TestWSGIServerWithSSL[1] for Python 3 since it seems wsgi + ssl +
eventlet setup does not behave correctly now,
* Skip test_json_with_utf8[2] until we solve unicode/utf8 encode/decode,
* Fix some more tests to pass for py3,
* Replace print by print() in docs/docstrings.
[1] neutron.tests.unit.test_wsgi (bug 1482633)
[2] neutron.tests.unit.test_wsgi.JSONDictSerializerTest (bug 1491824)
Related-Bug: #1482633
Related-Bug: #1491824
Blueprint: neutron-python3
Co-Authored-By: Cyril Roelandt <cyril at redhat.com>
Co-Authored-By: Cedric Brandily <zzelle at gmail.com>
Co-Authored-By: sonu.kumar <sonu.kumar at nectechnologies.in>
Change-Id: I26e513d4dcf473f4cd79728382fc94af3d901b5d
commit cd524065e2ac4f48d8b9810fa9735f0fd925c4d8
Author: Tu Hong Jun <tuhongj at cn.ibm.com>
Date: Thu Aug 20 14:08:07 2015 +0800
Changed filter field to router_id
The get_sync_interfaces query will always return all router ports
from the database even though it is supposed to query only specific ones that
belong to a certain router. In a large L3 scale environment with a
number of router ports in place, this would lag the response time
for adding router interface and router L3 agent binding.
Closes-Bug: #1489671
Change-Id: Ib78ca766f91783ad2ecca5b728c31602b4ed15d8
commit 997aa86fa12e3209b65741ef95906d491895a493
Author: Sergey Vilgelm <sergey at vilgelm.info>
Date: Mon Aug 31 17:06:48 2015 +0300
Fix a wrong condition for the _purge_metering_info function
Fix a situation for the _purge_metering_info function
when the items will never be deleted from the metering_info.
Delete the metering_info dict and use the metering_infos instead.
Fix the problem with changing a dictionary during iteration.
Add the unit tests for the _purge_metering_info and
_add_metering_info functions.
Co-Authored-By: Yaroslav Isakov <yisakov at mirantis.com>
Change-Id: I9031a5f27ae6438ffd5c5a48b0cf5cdc6867eff3
Closes-Bug: #1490581
commit 2d65cccba29220e46b490871210014b94f086984
Author: Kevin Benton <blak111 at gmail.com>
Date: Thu Sep 3 17:43:37 2015 -0700
Don't log deadlock or retry exceptions in L3 DB
We don't want to log exceptions in the l3 DB that will be retried
by the DB retry decorator because it will look like a failure in
the log when it actually ends up being retried.
Change-Id: I024fc2db9022809194178c227d994bc6ed33c78b
Closes-Bug: #1494886
commit f347939fd6c7b5a9e93af2007a0c01d00f29dc2b
Author: armando-migliaccio <armamig at gmail.com>
Date: Thu Sep 3 10:29:12 2015 -0700
Make sure service providers can be loaded correctly
This patch fixes a regression where, if neutron was loaded using
--config-dir, the service_providers option was no longer available.
We bring the logic back (removed by 61121c5f2af), alongside the ability
to load the option auto-magically. This is especially required for DevStack
deployments as of today, because neutron-server is only loaded by passing
--config-file (...)neutron.conf and --config-file (...)ml2_conf.ini
Change-Id: I9bfaed9e19a5506e27795a0b7ad47f4c31fefa40
Closes-bug: #1490990
commit 9c466f4d0effa4686ca6744d7b9d015857830cb7
Author: Roman Bogorodskiy <rbogorodskiy at mirantis.com>
Date: Wed Jun 24 14:40:35 2015 +0200
sriov: update port state even if ip link fails
Some SRIOV drivers/devices don't support link state setting,
meaning that 'ip link' fails like this when trying to set state:
# ip l set dev p2p1 vf 6 state disable
RTNETLINK answers: Operation not supported
The sriov-nic-agent tries to do that in
SriovNicSwitchAgent.treat_device() and fails because of non-zero
exit status from 'ip link' and, therefore, doesn't reach the code
that updates the actual port status, so port could hang in a BUILD
state even if binding was successful.
This patch fixes the problem of nova not being able to successfully bind
or clean up such a port. It does not fix the case when a user manually
updates admin_state_up for a port via the API; that is subject to a separate
fix.
Also, replace LOG.exception with LOG.warning for set_device_state()
as the exception would be logged by PciDeviceIPWrapper.set_vf_state()
anyway.
Closes-bug: #1468332
Change-Id: Ifa7c128d369ced60b5986aa0ed92527868f7efab
commit a97fd4dabb31019ac7926b4445cd8d8f319b1b6a
Author: armando-migliaccio <armamig at gmail.com>
Date: Wed Sep 2 17:23:56 2015 -0700
Retain logs for functional test cases
This helps greatly the debugging process in face of race conditions.
Change-Id: I74235307183cbb15a7179b18b417b38ffb1d2cc9
commit da1ac497d2d10d008925311e3f14e9750f7b86b2
Author: Kevin Benton <blak111 at gmail.com>
Date: Wed Sep 2 06:50:36 2015 -0700
Don't setup ARP protection on OVS for network ports
Skip adding ARP spoofing protection on OVS ports with a
device_owner field starting with 'network:'. This is
already the case for the other iptables-based spoofing
protection and is necessary for floating IPs to function
correctly on router gateway ports.
Closes-Bug: #1487338
Change-Id: I32cef17ff47fd62e6db16b9083104f07239be25f
commit 051ff13771026b015c893a19a89654bf2ca4d018
Author: Kevin Benton <blak111 at gmail.com>
Date: Wed Sep 2 07:04:55 2015 -0700
Don't setup ARP protection on LB for network ports
Skip adding ARP spoofing protection on Linux bridge ports
with a device_owner field starting with 'network:'. This is
already the case for the other iptables-based spoofing
protection and is necessary for floating IPs to function
correctly on router gateway ports.
Change-Id: If53733fb3060e5ab44bac5388f42bdc384bcdb93
Closes-Bug: #1483315
commit 9f6bd17703b7286be9e7d439d15f4dec2774e13a
Author: Terry Wilson <twilson at redhat.com>
Date: Mon Jun 15 22:52:28 2015 -0500
Add support for PluginWorker and Process creation notification
There are several cases where plugin initialization should be
handled after neutron-server forks API/RPC workers. For example,
starting a client connection to an SDN controller before forking
copies the fd of the socket to the child process, but then you have
multiple processes trying to read/write the same socket connection.
It is also useful for a plugin to be able to do something in only
one process, regardless of how many workers are forked. One example
would be handling syncing from an external system to the neutron
database.
This patch does 3 things:
1) Treats rpc_workers=0 as = 1. This simplifies the code for
handling notification that forking has completed. In the
existing code, calling the notification in the Worker object's
start() method would happen twice in the case where both api
and rpc workers were 0, despite there being only one process.
An earlier patch already changed the default api_workers to be
the number of processors.
2) Adds notification of forking via the callbacks mechanism.
Plugins can subscribe to resources.PROCESS, event.AFTER_CREATE
and do any post-fork initialization that needs to be done for
every spawned process.
3) Adds core/service plugin calls to get_workers() which defaults
to returning (). Plugins that need additional processes to spawn
should just return an iterable of NeutronWorkers that will be
spawned in their own process.
DocImpact
Closes-Bug: #1463129
Change-Id: Ib99954678c2b4f32f486b537979d446aafbea07b
commit bd734811753a99d61e30998c734e465a8d507b8f
Author: Nick <skywalker.nick at gmail.com>
Date: Sun Jul 19 22:41:27 2015 +0800
Implement external physical bridge mapping in linuxbridge
In some deployment scenarios, it is not allowed to remove the system
ethernet configuration from a physical interface to a newly-created
physical bridge by neutron due to IT regulations.
End-users need to take advantage of the pre-existing (user-defined)
physical bridge to connect tap devices for neutron.
Closes-Bug: #1105488
Implements: blueprint phy-net-bridge-mapping
DocImpact
Change-Id: Ia0eaa6233d8da93da32e86404b15184b77937d0a
commit a55e10cfd6369533f0cc22edd6611c9549b8f1b4
Author: Oleg Bondarev <obondarev at mirantis.com>
Date: Wed Aug 12 20:02:01 2015 +0300
Avoid DB errors when deleting network's ports and subnets
DB errors may occur when accessing query results
after the transaction was closed (like ObjectDeletedError).
Hence it's better to avoid DB object access especially
when it's not needed.
This patch changes _delete_ports() and _delete_subnets() to accept
only ids. Indeed, there is no need to pass db objects to these methods.
Closes-Bug: #1484135
Related-Bug: #1454408
Change-Id: I7507cb1c85defb2e6d5144e5832aea713d6251ae
commit 8c3cb79aa54b0ffcdc840c7e95ab809835d05001
Author: Kevin Benton <blak111 at gmail.com>
Date: Thu Aug 27 22:12:48 2015 -0700
Better message on allowed address pairs error
Neutron was throwing a 500 error when a non-iterable was passed
into allowed address pairs. This patch just catches that and
converts it into a regular badrequest message.
Closes-Bug: #1477829
Change-Id: I3c6f55df4912c7a9480fa097988f910b254572fd
Signed-off-by: Kevin Benton <blak111 at gmail.com>
commit cc20673d673113974c78a2b17a9ff4da47ad6665
Author: Assaf Muller <amuller at redhat.com>
Date: Sat Aug 29 11:32:19 2015 -0400
Add info to debug test_keepalived_respawns gate failure
Current theory is that there's a bug in external_process.active,
it returns True when it shouldn't, then kill -15 on the process
pid fails because the process isn't up. Added ps -p output to
see if the process is up or not.
Change-Id: Ic062be829d5f05a1294f6b2fa54820422871ffcb
Related-Bug: #1490043
commit d02bcb9c3917028948b08c319d1443d487c36846
Author: Hirofumi Ichihara <ichihara.hirofumi at lab.ntt.co.jp>
Date: Tue Aug 25 09:10:00 2015 +0900
Enable to update external network subnet's gateway-ip
This patch enables users to update gateway_ip of a subnet even if
the subnet is in use for an external network of a router.
Change-Id: I78d2b024c99b1af0001bd454465d2fc02692cbf2
Closes-Bug: #1317363
commit c43cc3eb20101b2d2b19344690fed9892383621b
Author: James Arendt <james.arendt at hp.com>
Date: Fri Aug 28 16:33:44 2015 -0700
Make Neutron service flavor save service_type
While the service_type exists in the resource attributes and as
a database field for a Flavor, the creation dictionary did not
pass the value so the service_type was not being persisted
in the database nor returned.
Enhanced unit test to show problem. Test fails on old code
to save or return the input service_type.
Change-Id: I4dba287f5972ecebd193d65e7f542dd0a65f055b
Closes-Bug: 1490063
commit db4ea4517886741c2bd3e15e39bee0ecbd1356ae
Author: James Arendt <james.arendt at hp.com>
Date: Wed Aug 26 16:53:24 2015 -0700
Add tenant_id to flavor service profiles attributes
Neutron v2 base.py auto populates a 'tenant_id' attribute on
calls if the attribute is not passed. This causes a POST
to create a flavor service binding to fail when verifying
attributes with:
Unrecognized attribute(s) 'tenant_id'
Solution is to add tenant_id as expected attribute in the
attribute map as done in other sub resources like QOS.
Fix unit test for non-keystone case.
Change-Id: Ic2bd1271f297fc10b49304ffd5fe617637e3d8f4
Closes-Bug: 1489197
commit 9022fb1ae8f90df59c4da64450eb96de8c011715
Author: armando-migliaccio <armamig at gmail.com>
Date: Mon Jul 27 14:11:46 2015 -0700
Remove implicit registration of *-aas service providers
Implicit registration can be dropped when explicit registration
for load balancer and vpn is implemented. Firewall does not
use service providers and the ServiceTypeManager, so the
precautionary step can be dropped altogether.
Support for configuring providers via the service_providers section
in neutron.conf, is no longer available, hence clear the stale
entry points.
DocImpact
Closes-bug: #1473110
Change-Id: I5e1d254b9a3a24121d9e9d3cb82f877d44079296
commit 0a258afc7ee3c03974dffa2c0dd0b7b367034cc7
Author: Kevin Benton <blak111 at gmail.com>
Date: Fri Aug 28 00:50:59 2015 -0700
Process user iptables rules before INVALID
Process user-defined iptables rules before the INVALID DROP
rule. This is to allow scenarios where the VMs need to
legitimately receive packets that conntrack doesn't have an
entry for (e.g. SYN-ACK where the SYN wasn't sent by the VM).
A user can accomplish this by adding an allow rule that matches
the headers of these INVALID packets so they get permitted before
they hit the INVALID DROP rule.
Closes-Bug: #1460741
Change-Id: Ie6ce5f3fa688f1bf25b77db5955211922d9fe85b
commit b3e7e21c32a251ba0b7123aa909edeaedd08152a
Author: YAMAMOTO Takashi <yamamoto at valinux.co.jp>
Date: Mon Mar 2 16:40:11 2015 +0900
OVS-agent: Introduce Ryu based OpenFlow implementation
Introduce an alternative OpenFlow implementation, "native",
implemented using Ryu ofproto python library from Ryu SDN Framework.
Make it selectable with of_driver=native agent option.
The aim is to replace the existing ovs-ofctl based implementation
eventually.
It introduces node-local OpenFlow controller embedded in
OVS agent. Benefits include:
* Reduce the overhead of invoking ovs-ofctl command (and associated
rootwrap)
* Make future uses of OpenFlow asynchronous messages (e.g. Packet-In,
Port-Status, etc) easier
* Make XenAPI integration simpler
Highlights:
* Switch to OpenFlow 1.3.
* Make OVS-agent act as an OpenFlow controller
* Configure OVS on the node to connect to the controller
DocImpact
Implements: blueprint ovs-ofctl-to-python
Co-Authored-by: IWAMOTO Toshihiro <iwamoto at valinux.co.jp>
Change-Id: I02e65ea7c6083b2c0a686fed2ab04da4d92b21a3
commit 5aab6a577950525d8f656d373f2e46a229fa600b
Author: Kevin Benton <blak111 at gmail.com>
Date: Tue Sep 1 19:35:33 2015 -0700
Deprecate external_network_bridge option in L3 agent
This option provides another way to attach to a specific bridge
that is not quite equivalent with how bridge_mappings work in the
L2 agent. This creates inconsistencies between how the L3 agent
behaves when configured with a bridge_mapping and provider properties
of the Neutron network vs. when it just ignores all L2 stuff and
plugs itself directly into the bridge.
See the bug report for more info.
Change-Id: I37de3cd6eaaf34856fa72753f471f4f0a9381836
Closes-Bug: #1491668
commit e10b008f7a2a1cb45ae5f77082f8d45b51274489
Author: salvatore <salv.orlando at gmail.com>
Date: Fri Aug 21 10:44:25 2015 +0200
Do not track active reservations
Reservations have a transient nature: a reservation lifespan
typically begins and ends with a single request.
Therefore tracking reserved amounts for each tenant and resource
is not nearly as efficient as tracking resource usage.
Indeed it is fairly easy to verify that the overhead for tracking
reserved amounts is much greater than the one needed for counting
active reservations for each tenant and resource.
This patch removes the logic for tracking reservations, and
replaces it with an explicit count of active reservations.
Please note that this patch does not adjust accordingly the
ResourceUsage DB model. This will be done in a separate patch with
an expand migration; this should avoid most merge conflicts before
the final patch for restoring reservation logic merges.
Related-Blueprint: better-quotas
Change-Id: Ib5e3bd61c1bc0fc8a5d612dae5c1740a8834a980
commit 8ba57a2bf1ce3693db47de4ff8dd5a7a9b5347d7
Author: Henry Gessau <gessau at cisco.com>
Date: Tue Sep 1 17:17:01 2015 -0400
Deprecate --service option for neutron-db-manage
Now that https://review.openstack.org/198542 has merged we can
deprecate the --service option. From now on instead of
--service fwaas
we should instead use
--subproject neutron-fwaas
This puts the *aas subprojects on equal footing with the other
projects in the Neutron Stadium for neutron-db-manage.
In the Liberty release the --service option will be marked as
deprecated. It will be removed in Mitaka.
Related-Bug: #1470625
Change-Id: Iecc678efafd798b62bb83e6e85333c64760f16b5
commit c029954c8ae041e5f15b14ceef0e2aa060928e05
Author: Sachi King <nakato at nakato.io>
Date: Tue Sep 1 15:10:54 2015 +1000
Add constraint target to tox.ini
This adds a pip install command to tox.ini that is only used when the
tox env is passed with the 'constraints' factor appended onto it.
As such this will not affect developer workflows or current unit tests.
The initial use of this will be in a non-voting job, to verify that the
constrained checks with tox are stable. DevStack is already running
constrained jobs, so problems are not expected.
To run a tox with pip using constraints on a developer system a
developer should run the desired tox environment with -constraints.
For example: $(tox -epy27-constraints)
Pip will pull the current version of the upper-constraints.txt file down
from git.openstack.org; however, this method can be overridden to use
a local file by setting the environment variable "UPPER_CONSTRAINTS_FILE"
to the local path or a different URL, which is passed directly to pip.
This is currently not enabled in the default tox run, however it is
possible to enable it as a default by adding it to 'envlist' in tox.ini
Change-Id: I13579599dfdf846d06d8c39f33265e8b46db6e68
Depends-On: I17ac389f78af241917b6da7f049085f2b13d30f2
Implements Blueprint: Requirements-Management
commit f3f5940201a9e010c188f83aead7d93e7e8c9b6d
Author: Neil Jerram <Neil.Jerram at metaswitch.com>
Date: Mon Jul 27 14:41:29 2015 +0100
DHCP agent: allow using gateway IPs instead of uniquely allocated
In each place where the DHCP agent runs, and for each subnet for which
DHCP is handing out IP addresses, the DHCP port needs - at the Linux
level - to have an IP address within that subnet. Generally this
needs to be a unique Neutron-allocated IP address, because the
subnet's underlying L2 domain is bridged across multiple compute hosts
and network nodes, and for HA there may be multiple DHCP agents
running on that same bridged L2 domain.
However, if the DHCP ports - on multiple compute/network nodes but for
the same network - are _not_ bridged to each other, they do not need
each to have a unique IP address. Instead they can all share the same
address from the relevant subnet. This works, without creating any
ambiguity, because those ports are not all present on the same L2
domain, and because no data within the network is ever sent to that
address. (DHCP requests are broadcast, and it is the network's job to
ensure that such a broadcast will reach at least one of the available
DHCP servers. DHCP responses will be sent _from_ the DHCP port
address.)
Specifically, for some networking backends it makes sense to allow all
DHCP ports to use the subnet's gateway IP address, and thereby to
completely avoid any unique IP address allocation.
This change therefore enhances the DHCP agent code to be able to use
gateway IPs as an alternative to uniquely allocated ones, with the
choice between those being made by a new interface driver property,
'use_gateway_ips'. The back-compatible default is to use unique IPs.
An interface driver that wants the DHCP agent to use gateway IPs can
achieve that by overriding as follows:
    @property
    def use_gateway_ips(self):
        return True
Partial-Bug: #1486649
Change-Id: I17e1dc9231a5ec35bd6f84c4c7aca6350d76e8ec
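To make the address-selection rule in the commit message above concrete, here is a small added example (not neutron's own code, and not part of the original mail): a hypothetical interface driver exposing the `use_gateway_ips` property, and a function that derives the `addr/prefixlen` list the agent would put on the DHCP port's Linux device. The port and subnet dicts are simplified stand-ins for Neutron's, and the fallback to the port's allocated IP on a subnet that has no gateway is an assumption of this example, not something the commit specifies.

```python
import ipaddress


class UniqueIPInterfaceDriver(object):
    """Hypothetical stand-in for a Neutron interface driver (not neutron's
    own class). Default behaviour: each DHCP port uses its uniquely
    allocated Neutron IP, which is required when the DHCP ports of
    several agents share one bridged L2 domain."""

    @property
    def use_gateway_ips(self):
        return False


class SharedGatewayInterfaceDriver(UniqueIPInterfaceDriver):
    """Backend whose DHCP ports are never bridged to each other, so every
    DHCP port may carry the subnet's gateway IP instead of a unique one."""

    @property
    def use_gateway_ips(self):
        return True


# Constructed sample data, shaped loosely like Neutron subnet/port dicts.
SUBNETS = [
    {'id': 'sn-v4', 'cidr': '10.0.0.0/24', 'gateway_ip': '10.0.0.1',
     'enable_dhcp': True},
    {'id': 'sn-nodhcp', 'cidr': '10.0.1.0/24', 'gateway_ip': '10.0.1.1',
     'enable_dhcp': False},
    {'id': 'sn-v6', 'cidr': '2001:db8::/64', 'gateway_ip': None,
     'enable_dhcp': True},
]
DHCP_PORT = {'fixed_ips': [
    {'subnet_id': 'sn-v4', 'ip_address': '10.0.0.2'},
    {'subnet_id': 'sn-v6', 'ip_address': '2001:db8::2'},
]}


def dhcp_port_ip_cidrs(driver, dhcp_port, subnets):
    """Return the 'addr/prefixlen' strings to configure on the DHCP port.

    Subnets with enable_dhcp=False get nothing: the agent does not serve
    them, so it has no reason to own an address there.  With
    use_gateway_ips the gateway IP is used where the subnet has one;
    otherwise (assumption of this example) the port's allocated IP on that
    subnet is used, if any.
    """
    fixed_by_subnet = {f['subnet_id']: f['ip_address']
                       for f in dhcp_port['fixed_ips']}
    cidrs = []
    for subnet in subnets:
        if not subnet['enable_dhcp']:
            continue
        prefixlen = ipaddress.ip_network(subnet['cidr']).prefixlen
        if driver.use_gateway_ips and subnet.get('gateway_ip'):
            # Shared address: unambiguous only because these ports are on
            # separate L2 domains and nothing is ever sent *to* it.
            addr = subnet['gateway_ip']
        else:
            addr = fixed_by_subnet.get(subnet['id'])
        if addr is None:
            continue
        cidrs.append('%s/%d' % (addr, prefixlen))
    return cidrs


if __name__ == '__main__':
    print(dhcp_port_ip_cidrs(UniqueIPInterfaceDriver(), DHCP_PORT, SUBNETS))
    print(dhcp_port_ip_cidrs(SharedGatewayInterfaceDriver(), DHCP_PORT, SUBNETS))
```

The safety of the shared-gateway mode rests entirely on the driver's promise that its DHCP ports are not bridged to one another; a driver that returns True for a backend where they are would put the same IP on several hosts in one L2 domain.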
commit 3de01b39b74d0a23f765b1f9b1a4ba1eb457068c
Author: Stephen Ma <stephen.ma at hp.com>
Date: Thu Aug 27 04:50:14 2015 +0000
Resolve issue where router can't be removed from L3-agent in dvr mode
Fixes the problem where the L3 DVR Scheduler is unable
to remove a DVR router from a L3 agent running in
'dvr' mode.
Closes-bug: 1489091
Change-Id: Id128a81d2cf7108936715ee305012fbff23ffdbf
commit c5d182da588d8dcf107d22735eb37250362043c0
Author: rossella <rsblendido at suse.com>
Date: Thu Jul 23 19:41:20 2015 +0200
OVS agent add functional tests of OVS status
Add functional tests to verify that the agent
behaves correctly when OVS is restarted.
Partially-Implements: blueprint restructure-l2-agent
Change-Id: Ifeb0f2f6a06baead93df2c016ea26bfea990734d
commit 71dd3a0f87eb69072696f6905f8380924dd67c1a
Author: rossella <rsblendido at suse.com>
Date: Fri Jul 31 17:25:37 2015 +0000
check_changed_vlans doesn't need registered_ports as param
check_changed_vlans doesn't need registered_ports since the
ports processed by the agent are accessible from local_vlan_map
Partially-Implements: blueprint restructure-l2-agent
Change-Id: I279dcaff469337c553b358f6f5476c7238e89a59
commit 4ea6810d50c0d960c4640f0c12c6ec025449b64d
Author: YAMAMOTO Takashi <yamamoto at midokura.com>
Date: Tue Sep 1 16:26:03 2015 +0900
test_migrations: Remove unnecessary midonetclient mocks
These seem leftovers from plugin decomposition.
Change-Id: Ib05ebbbd6627a1b69c413761b0e5a8e53817d8f2
commit ed392dc5354131b377ebf6aea518fb8e2ca7f893
Author: Sergey Belous <sbelous at mirantis.com>
Date: Mon Aug 31 17:44:19 2015 +0300
Fixed filters for functional tests
Removed filter for unused tee utility.
CommandFilter for curl replaced with a stricter RegExpFilter,
which now allows running curl only with the specified parameters.
Change-Id: I5d151a63f85cb969f79d4d92f5422e8e88855be5
Closes-Bug: #1487139
commit 599977e20bd480305434168400055fa417aad8b1
Author: Lajos Katona <lajos.katona at ericsson.com>
Date: Tue Jul 7 15:04:35 2015 +0200
Fix locale problem in execute()
Change from new format string to old style formatting.
Change-Id: Ib39de7169416c2cc053d4aa909075c68cd2d7f0b
Closes-bug: #1449897
commit e77eac8611f8fbb333168dc344c0056acaebb8b5
Author: Edgar Magana <emagana at gmail.com>
Date: Sat Aug 29 08:00:17 2015 -0700
Improve python code for missing suggestion
Include a missing suggestion in code already merged
Related-Blueprint: better-quotas
Change-Id: I5983ccf6e2f98d2df41403b3be06748d5556c181
commit 34a329b4de7c801c15b3c214cc2b122ac82d0b72
Author: Swaminathan Vasudevan <swaminathan.vasudevan at hp.com>
Date: Tue Aug 25 16:24:05 2015 -0700
Add a functional test to validate dvr snat namespace
Add a functional test to validate the dvr snat
namespace and its internal interfaces when internal
networks are removed and added.
Change-Id: Id44f5e5899e959be53b09e6f9bc732f553ae9a5a
Related-Bug: #1479130
commit 3a9e778399af8380b11c968da39e08b4a97a9f1f
Author: Carl Baldwin <carl.baldwin at hp.com>
Date: Tue Aug 25 22:32:50 2015 +0000
Add snat ports cache to dvr router
This reverses the effect of [1] but in a way that works with the
current structure of the code and keeps DVR details in DVR classes
[1] https://review.openstack.org/#/c/200293
Change-Id: Ia8468881de6538882d4a14725b55db53e23d2e4c
Closes-Bug: #1479130
commit 72e388445eb6f6903ccfc5079aa206ac2cbcfd5e
Author: Sachi King <nakato at nakato.io>
Date: Mon Dec 8 17:42:48 2014 +1100
Return exception when attempting to add duplicate VIP
Neutron should never attempt to add a VIP to keepalived's config
multiple times, and to do so is an error. As such this adds an
exception if this is ever attempted.
Change-Id: If1c41c3164e8a998c73f9b7aa566e2ba6570f54b
Closes-Bug: #1400217
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1274034
Title:
Neutron firewall anti-spoofing does not prevent ARP poisoning
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Invalid
Status in OpenStack Security Notes:
Fix Released
Bug description:
The neutron firewall driver 'iptables_firewall' does not prevent ARP cache poisoning.
When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature:
- no-mac-spoofing
- no-ip-spoofing
- no-arp-spoofing
- nova-no-nd-reflection
- allow-dhcp-server
Actually, the neutron firewall driver 'iptables_firewall' handles only
MAC and IP anti-spoofing rules.
This is a security vulnerability, especially on shared networks.
Reproduce an ARP cache poisoning and man in the middle:
- Create a private network/subnet 10.0.0.0/24
- Start 2 VMs attached to that private network (VM1: IP 10.0.0.3, VM2: IP 10.0.0.4)
- Log on VM1 and install ettercap [1]
- Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:'
- Log on to VM2 too (with VNC/spice console) and ping google.fr => ping is ok
- Go back to VM1 and see VM2's ping to google.fr going to VM1 instead of being sent directly to the network gateway, and then being forwarded by VM1 to the gw. The ICMP capture looks something like this [2]
- Go back to VM2 and check the ARP table => the MAC address associated with the GW is the MAC address of VM1
[1] http://ettercap.github.io/ettercap/
[2] http://paste.openstack.org/show/62112/
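The reason MAC and IP anti-spoofing rules do not stop the attack above is that iptables only sees IP packets; an ARP reply is a separate ethertype, and the poisoning reply from VM1 carries VM1's own (legitimate) source MAC, so the existing rules have nothing to object to. What is missing is a check on the ARP *sender* fields against the IP/MAC bindings Neutron knows for the port (its fixed IPs plus allowed-address-pairs). The following is an added example, not neutron's code and not part of the bug report: a per-port ARP filter modelled on that check, run over a constructed trace reproducing the ettercap scenario. Port names, MACs and the `Arp` record layout are assumptions of this example.

```python
from collections import namedtuple

# Constructed sample: the two VMs from the report, plus a port that is
# allowed to claim an extra address via allowed_address_pairs (e.g. a VIP).
PORTS = {
    'vm1': {'mac': 'fa:16:3e:00:00:03', 'fixed_ips': ['10.0.0.3'],
            'allowed_address_pairs': []},
    'vm2': {'mac': 'fa:16:3e:00:00:04', 'fixed_ips': ['10.0.0.4'],
            'allowed_address_pairs': []},
    'lb':  {'mac': 'fa:16:3e:00:00:05', 'fixed_ips': ['10.0.0.5'],
            'allowed_address_pairs': [{'ip_address': '10.0.0.100',
                                       'mac_address': 'fa:16:3e:00:00:05'}]},
}
GATEWAY_IP = '10.0.0.1'

# An ARP packet leaving a VM port: op, sender hw/proto addr, target hw/proto addr.
Arp = namedtuple('Arp', 'port op sha spa tha tpa')


def allowed_arp_senders(port):
    """The (spa, sha) pairs this port may legitimately put in ARP sender fields."""
    pairs = {(ip, port['mac']) for ip in port['fixed_ips']}
    for pair in port['allowed_address_pairs']:
        pairs.add((pair['ip_address'], pair.get('mac_address', port['mac'])))
    return pairs


def arp_verdict(pkt, ports=PORTS):
    """ACCEPT or DROP an ARP packet egressing pkt.port.

    Only the sender fields matter: a poisoned cache entry is created by a
    reply (solicited or gratuitous) whose spa is somebody else's IP.  The
    target fields are left alone so ordinary 'who-has' requests still work.
    """
    port = ports[pkt.port]
    if pkt.sha != port['mac']:
        return 'DROP'   # plain MAC spoofing; the existing MAC rules catch this
    if (pkt.spa, pkt.sha) not in allowed_arp_senders(port):
        return 'DROP'   # binding not owned by this port: ARP spoofing
    return 'ACCEPT'


def filter_trace(trace, ports=PORTS):
    """Apply arp_verdict to every packet; returns (port, spa, verdict) tuples."""
    return [(pkt.port, pkt.spa, arp_verdict(pkt, ports)) for pkt in trace]


# Constructed trace: a normal request from VM2 for the gateway, the
# ettercap-style reply from VM1 claiming the gateway IP with VM1's MAC,
# and a legitimate reply for an allowed-address-pair address.
TRACE = [
    Arp('vm2', 'request', 'fa:16:3e:00:00:04', '10.0.0.4',
        '00:00:00:00:00:00', GATEWAY_IP),
    Arp('vm1', 'reply', 'fa:16:3e:00:00:03', GATEWAY_IP,
        'fa:16:3e:00:00:04', '10.0.0.4'),
    Arp('lb', 'reply', 'fa:16:3e:00:00:05', '10.0.0.100',
        'fa:16:3e:00:00:04', '10.0.0.4'),
]

if __name__ == '__main__':
    for port, spa, verdict in filter_trace(TRACE):
        print('%-4s spa=%-12s %s' % (port, spa, verdict))
```

Note that the check is per port and on the ARP payload, not on the Ethernet header, which is why it has to live somewhere that sees non-IP frames (ebtables `-p ARP --arp-ip-src` style rules, or OpenFlow matches on `arp_spa`) rather than in the iptables driver the report names. Allowed-address-pairs must be folded into the permitted set, otherwise VRRP/HA setups that legitimately announce a shared VIP are broken by the same rule that stops the attack.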
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions
More information about the Openstack-security
mailing list