Synchronise master with upstream #308
Open
github-actions[bot] wants to merge 164 commits into
When the agent restarts, the "Clean conntrack entries with mark == CT_MARK_INVALID" routine only considers IPs from fixed_ips. Deployments that rely on allowed_address_pairs (both single IPs and CIDRs) are skipped, leaving stale invalid-marked entries in conntrack and causing drops (e.g., UDP DNS). This change extends the cleanup candidate list with the port’s allowed_address_pairs and switches to passing the full CIDR to conntrack, so both host (/32) and network prefixes (e.g., /20) are handled natively.
Examples:
conntrack -D -f ipv4 -m 0x1 -s 10.15.194.184/32 -w 1
conntrack -D -f ipv4 -m 0x1 -s 10.16.192.0/20 -w 1
Closes-Bug: #2122495
Change-Id: I6ed507df845d068e13955758be9b2325e206cb6c
Signed-off-by: Jaroslav Pulchart <jaroslav.pulchart@gooddata.com>
Signed-off-by: lajoskatona <lajos.katona@est.tech>
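The candidate-list change described in the commit above, as an added example that is not the Neutron code: it builds the conntrack argument vectors from a port's fixed_ips and allowed_address_pairs and reports which prefixes a fixed_ips-only cleanup would have missed. The function names and the sample port are constructed for illustration; the command layout follows the two example commands in the commit message.

```python
import ipaddress

CT_MARK_INVALID = 0x1  # mark value shown in the commit's example commands


def _networks(values):
    """Normalise IPs/CIDRs to networks, dropping duplicates, keeping order."""
    seen, nets = set(), []
    for value in values:
        # strict=False turns a bare IP into /32 (or /128) and a host address
        # inside a prefix into its network. Anything that is not an address
        # raises ValueError, so it never reaches the command line.
        net = ipaddress.ip_network(value, strict=False)
        if net not in seen:
            seen.add(net)
            nets.append(net)
    return nets


def cleanup_candidates(port):
    """fixed_ips plus allowed_address_pairs, as the commit describes."""
    raw = [ip["ip_address"] for ip in port.get("fixed_ips", [])]
    raw += [p["ip_address"] for p in port.get("allowed_address_pairs", [])]
    return _networks(raw)


def skipped_before(port):
    """Prefixes a fixed_ips-only cleanup would have left in conntrack."""
    old = set(_networks(ip["ip_address"] for ip in port.get("fixed_ips", [])))
    return [net for net in cleanup_candidates(port) if net not in old]


def conntrack_delete_cmds(port, zone):
    """One argv list per candidate; no shell is involved."""
    cmds = []
    for net in cleanup_candidates(port):
        family = "ipv4" if net.version == 4 else "ipv6"
        cmds.append(["conntrack", "-D", "-f", family,
                     "-m", hex(CT_MARK_INVALID), "-s", str(net),
                     "-w", str(zone)])
    return cmds


# Constructed sample port (addresses reuse the ones in the commit message).
SAMPLE_PORT = {
    "fixed_ips": [{"ip_address": "10.15.194.184"}],
    "allowed_address_pairs": [
        {"ip_address": "10.16.192.0/20"},
        {"ip_address": "10.15.194.184"},   # duplicate of the fixed IP
        {"ip_address": "2001:db8::5"},
    ],
}

if __name__ == "__main__":
    for cmd in conntrack_delete_cmds(SAMPLE_PORT, zone=1):
        print(" ".join(cmd))
    print("missed by the old cleanup:", [str(n) for n in skipped_before(SAMPLE_PORT)])
```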
Devstack no longer supports it after eventlet deprecation so we can safely remove it. TrivialFix Change-Id: Ie69c99933d6a75771f24b144006e2e52b4aeb6f5 Signed-off-by: Brian Haley <haleyb.dev@gmail.com>
10-stream support is available since [1] so we should switch to that now. Also 9-stream is broken since [2]. Two of the functional tests relied on dhclient availability; since dhclient is removed in 10-stream, these two tests are skipped. Also, since RDO is not released on 10-stream, switching to use DLRN repos. [1] https://review.opendev.org/c/openstack/devstack/+/937251 [2] https://review.opendev.org/c/openstack/devstack/+/960342 Change-Id: I0397bee2d09397c2b89d94b8f9bdf4e98f6eee2d Signed-off-by: Yatin Karel <ykarel@redhat.com>
Closes-Bug: #2112446 Change-Id: I4fe91d759c430c4d64cd22a940bd1c17cfa76d5b Signed-off-by: Dai, Dang Van <daikk115@gmail.com>
This option was introduced in the 2024.2 cycle and backported to 2024.1. As the default version of OVN has advanced past the v24.03.4 requirement, let's change the default to be True and mark it as deprecated so OVN matches the other back-ends in how it behaves wrt SNAT. Updated tests as needed. Related-bug: #2051935 Change-Id: Ic76f78547ec4b910b87ad8dbc1c34110c027a755 Signed-off-by: Brian Haley <haleyb.dev@gmail.com>
Remove it from two tests that were setting it, otherwise it is unused in Neutron as we are already doing policy scope enforcement. It is safe to remove as oslo.policy is finally removing the option in [0]. [0] https://review.opendev.org/c/openstack/oslo.policy/+/986475 Change-Id: If042296d49d731e1412858d672b2727163fde901 Signed-off-by: Brian Haley <haleyb.dev@gmail.com>
There are two distinct issues here:
- Uncommitted reads (TOCTOU): The method creates its own get_admin_context() instead of accepting the caller’s. Any changes in the caller’s transaction that have not been committed yet are invisible to these queries — a floating IP associated to the subnet’s port by the caller would not be seen. Change to use passed context object.
- Unguarded in_([]) with empty list: When the router has no floating IPs, fip_ids = [], and PortForwarding.get_objects(context, floatingip_id=[]) generates WHERE floatingip_id IN () — invalid SQL on some DB engines. Change to initialize pf_objs to [] if there are no floating IPs.
TrivialFix
Assisted-by: Claude Sonnet 4.6
Signed-off-by: Brian Haley <haleyb.dev@gmail.com>
Change-Id: I1e68bc22b8c2d334039326b9b3aff44296abcb2d
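Both issues from the commit above, reproduced with the standard-library sqlite3 module as an added example (not the Neutron code): a second connection stands in for a freshly created admin context and cannot see the caller's uncommitted row, and the IN query is guarded against an empty list. The table layout, column names and function names are assumptions made for the demonstration.

```python
import os
import sqlite3
import tempfile


def subnet_has_fip(conn, subnet_id):
    """True if any floating IP row references the subnet, as seen by conn."""
    row = conn.execute(
        "SELECT COUNT(*) FROM floatingips WHERE subnet_id = ?",
        (subnet_id,)).fetchone()
    return row[0] > 0


def port_forwardings(conn, fip_ids):
    """Look up port forwardings, never emitting an empty IN () clause."""
    if not fip_ids:
        return []  # the guard the commit adds: no query for an empty list
    marks = ",".join("?" * len(fip_ids))
    return conn.execute(
        "SELECT id FROM port_forwardings "
        f"WHERE floatingip_id IN ({marks}) ORDER BY id",
        list(fip_ids)).fetchall()


def demo():
    """Return (seen_by_new_context, seen_by_caller, empty_lookup)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.db")  # constructed throwaway database
        caller = sqlite3.connect(path)
        caller.execute("CREATE TABLE floatingips (id TEXT, subnet_id TEXT)")
        caller.execute(
            "CREATE TABLE port_forwardings (id TEXT, floatingip_id TEXT)")
        caller.commit()

        # The caller associates a floating IP but has not committed yet.
        caller.execute("INSERT INTO floatingips VALUES ('fip-1', 'subnet-a')")

        # A check that opens its own connection reads the last committed
        # state and concludes the subnet has no floating IP.
        other = sqlite3.connect(path)
        seen_by_new_context = subnet_has_fip(other, "subnet-a")
        other.close()

        # The same check on the caller's connection sees the pending row.
        seen_by_caller = subnet_has_fip(caller, "subnet-a")
        empty_lookup = port_forwardings(caller, [])

        caller.rollback()
        caller.close()
        return seen_by_new_context, seen_by_caller, empty_lookup


if __name__ == "__main__":
    print(demo())
```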
The caller ``update_router()`` already computes ``ovn_router_ext_gw_lrps`` by filtering ``ovn_router.ports`` for gateway LRPs. Pass this list into ``_check_external_ips_changed`` so the no-subnet edge case can use the already-fetched LRP objects instead of re-querying OVN NB via ``get_lrouter_port()``. This eliminates one OVN NB round-trip per gateway port in the no-subnet edge case during router update. The LRP external_ids already contain the network name needed for the comparison. Assisted-By: Claude Opus 4.6 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: Ibf5bbce04c469524ea4284b7662f599605c27943
When deleting a non-virtual port, ``_delete_port()`` fetched the Logical_Switch via ``ls_get().execute()``, which created a separate read transaction nested inside the existing write transaction. This is unnecessary since the IDL maintains an in-memory replica of the OVN NB database. Replace ``ls_get().execute()`` with a direct ``lookup()`` call, which performs an O(1) in-memory IDL access using the name index, eliminating the command/transaction overhead on every port deletion. Assisted-By: Claude Opus 4.6 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: I1fd990d2d447e947ef23fdc0fe2f48aae2d4adec
``update_lsp_host_info()`` first called ``lookup()`` to check whether the Logical_Switch_Port exists, discarding the returned row, then called ``lsp_get_up().execute()`` which internally looked up the same LSP again inside a separate read transaction. Reuse the row already returned by ``lookup()`` and read the ``up`` column directly from the in-memory IDL replica, removing the redundant ``lsp_get_up().execute()`` round-trip on every port status change. Assisted-By: Claude Opus 4.6 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: I6f825d9ff1b678d29650a0544635bacceb9b0f1c
This adds a generic RangeAllocator that uses the DB to select an unused integer value from a gap in the existing rows. It should work across all supported DBs. On top of this, a VNIVLANAllocator pairs a VNI and VLAN allocation together through a mapping table, providing a single interface for allocating and deallocating VNI/VLAN pairs scoped by physical network. The EVPN plugin uses VNIVLANAllocator via EVPNDbHelper to manage per-router VNI/VLAN assignments. The schema uses RESTRICT FKs from the mapping to allocations and CASCADE from evpn_l3_instances to the mapping, ensuring clean lifecycle management. Co-Authored-By: Jakub Libosvar <jlibosva@redhat.com> Assisted-By: Claude Opus 4.6 Change-Id: I62da7a1263aaf605b295af0c3e019754b4e4ecda Signed-off-by: Terry Wilson <twilson@redhat.com>
The OVN maintenance worker and the BGP topology reconciler used ``not idl.is_lock_contended`` to determine whether the current process holds the OVSDB lock. This is incorrect because ``is_lock_contended`` and ``has_lock`` are two independent boolean flags in the OVS IDL, not complementary ones. When the lock has been requested but the server has not yet replied, both flags are ``False``, so ``not is_lock_contended`` evaluates to ``True`` even though the lock is not held. During neutron-server startup or OVSDB reconnection, this race window could allow maintenance tasks (configured with ``run_immediately=True``) or BGP topology synchronization to be processed by a worker that does not actually own the lock, potentially causing duplicate or conflicting operations against the OVN Northbound DB. Replace all occurrences with ``idl.has_lock``, which is only ``True`` when the server has explicitly confirmed lock ownership. This is consistent with the approach already used in the BGP service IDL (``neutron/services/bgp/ovn.py``) and with the semantics documented in the upstream OVS IDL class. Closes-Bug: #2155155 Assisted-By: Claude Opus 4.6 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: I80e74a399b7c3420baf49e0cbc50ddfee0a070e0
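The race window described in the commit above, as an added example that is not the OVS IDL or Neutron code: a toy client with the two independent flags and a toy server that grants the lock to the first requester. Only the flag names has_lock and is_lock_contended come from the commit message; the classes, worker names and reply behaviour are a constructed model.

```python
class LockClientModel:
    """Hypothetical stand-in for an IDL with two independent lock flags."""

    def __init__(self, name):
        self.name = name
        self.has_lock = False
        self.is_lock_contended = False

    def request_lock(self):
        # Request sent, no reply yet: ownership is unknown, both flags False.
        self.has_lock = False
        self.is_lock_contended = False

    def on_reply(self, granted):
        # The server's answer sets exactly one of the two flags.
        self.has_lock = granted
        self.is_lock_contended = not granted


class LockServerModel:
    """Grants the lock to the first client whose request it answers."""

    def __init__(self):
        self.owner = None

    def reply(self, client):
        if self.owner is None:
            self.owner = client.name
        client.on_reply(self.owner == client.name)


def old_gate(idl):
    # Predicate the commit replaces: true whenever no contention is reported.
    return not idl.is_lock_contended


def new_gate(idl):
    # Predicate the commit introduces: true only after confirmed ownership.
    return idl.has_lock


def workers_allowed(gate):
    """Count workers the gate lets through before and after the replies."""
    server = LockServerModel()
    workers = [LockClientModel("api-1"), LockClientModel("api-2")]
    for worker in workers:
        worker.request_lock()
    before = sum(1 for worker in workers if gate(worker))
    for worker in workers:
        server.reply(worker)
    after = sum(1 for worker in workers if gate(worker))
    return before, after


if __name__ == "__main__":
    print("old gate (before, after):", workers_allowed(old_gate))
    print("new gate (before, after):", workers_allowed(new_gate))
```

With the old predicate both workers pass the gate before the server has answered, which is the duplicate-execution case the commit closes; with has_lock at most one worker ever passes.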
The delete path for floating ips currently only deletes the nat entry on the ovn side if it actually finds a nat entry for the floating ip. When quickly associating and then disassociating a floating ip through different neutron api instances, the nat entry may not yet have propagated from one api instance to the other through the northbound if load on the ovsdb is sufficiently high. Since the ovn revision entry is deleted anyways, the maintenance task has no chance of fixing it later on, leaving an orphaned nat entry in ovn which causes connectivity issues when the ip address gets reused. Keep the ovn revision entry in case we don't find a matching nat entry to give the maintenance task a chance to retry the deletion. Related-Bug: #1987530 Signed-off-by: Felix Moebius <felix.moebius@digits.schwarz> Change-Id: I6c598cbbca1e449cf67314d022f101f2f73cf1bc
... to detect unsupported values early. Also use the native interface to document available choices. Change-Id: I43848aebddc1819101f969a452560b5b37dc839b Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
When dependencies change in neutron, it occasionally breaks the gate.
This is a quick-and-dirty tool that will parse neutron, requirements,
and ovn/ovs branches and print out dependency changes that happened in
a date or neutron commit hash range. Example run for finding a recent
gate failure:
/tools/dep_version_diff.py --start 2026-06-04 --branch-commits
Dependency changes (neutron direct deps)
start : 2026-06-04
-> requirements bdc4e18f (2026-06-03)
end : HEAD
-> requirements e4a4f7d3 (2026-06-06)
neutron deps read from: 8e0d77da
Changed:
webob 1.8.9 -> 1.8.10 2026-06-06 [bot] Updated from generate-constraints (requirements@e4a4f7d3)
OVS/OVN binary branches:
OVN_BRANCH branch-26.03 (unchanged, branch (moving))
6 commit(s) on branch-26.03:
cbb71611b northd: Clear stale LSP tags on tag_request removal.
e43a84b21 tests: Add macro for running UDP "echo" service.
3888f8944 northd: Ignore LRP.status write-only column in northd.
7aa8875ca ovn-nbctl: Display tier in "acl-list" for multi-tier ACLs.
2a0ca98b7 ovn-nbctl: Display peer info in "show" for router ports.
9f04b8c50 tests: Fix flaky "Loadbalancer add-route option" system test.
OVS_BRANCH branch-3.7 (unchanged, branch (moving))
6 commit(s) on branch-3.7:
ea7f21658 packets: Add support for unicast ND NS compose.
e9082e2a6 ofproto-dpif-xlate: Track the last action through normal pipeline.
eb0555761 ofproto-dpif-xlate: Use datapath actions for reversibility check.
5b2f54ea0 tests: ovsdb: Fix negotiation error check with OpenSSL 4.0.
70a73ab72 dpdk: Use DPDK 25.11.2 release for OVS 3.7.
04b05b31a ofproto-dpif: Fix bundle floodable flag when disabling STP/RSTP.
It can also take zuul job names as filters, e.g.
--job neutron-functional-with-pyroute2-master won't show pyroute2
requirements changes.
Assisted-By: Claude Opus 4.6
Change-Id: I7403071949b1bfbdfa78aa0fd59739c1a42a8a6e
Signed-off-by: Terry Wilson <twilson@redhat.com>
Previously, PUT responses would input the old values of pvlan, pvlan_type and pvlan_community. The cause of this is that in plugin.py, _make_port_dict is calling _extend_port_pvlan before the DB is actually updated, so the old values are the ones being used. The modification of the desired state solves this timing issue. Closes-Bug: #2155636 Assisted-By: Claude Opus 4.6 Change-Id: I0d2b10a2ad8ece4738a4c2225dee42ad55740003 Signed-off-by: Elvira Garcia <egarciar@redhat.com>
Those base check strings were moved to neutron-lib with patch [1]. [1] https://review.opendev.org/c/openstack/neutron-lib/+/983214 Related-bug: #2143895 Change-Id: Ifaf22a010911de9c1dc7ccef6fd2aaaf73875b1d Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
This is a followup patch to I78fec86595fb358880b306ec1fe014adad007d87 The patch moves Netlink specific constants from evpn to netlink module. It moves the EVPN specific naming convention out of the Svd class and creates a new EvpnSvd that is used by the evpn-ovn driver. It adds back the functional tests from the patch it depends on, now that the Svd is generic and doesn't use the same device names, we can test its integration because the device names can be generated and will not collide in a parallel run. Depends-On: https://review.opendev.org/c/openstack/neutron/+/989626 Related-Bug: #2144617 Assisted-By: Claude Opus 4.6 Co-Authored-By: Helen Chen <ichen@redhat.com> Change-Id: I95fe3a93da6a8ec353c4f8de05ab6b281f5df6ec Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
This old module was just leftovers from the dark old ages before Zuul v3 and jobs defined in its native way. Migration to zuul v3 was done many years ago and those scripts which were in neutron.tests.contrib are not used anymore. The only exception is `testing.filters` file which contains rootwrap filters to use in the CI jobs like e.g. functional tests. This file is now moved to the `tools/rootwrap/testing.filters` location which is "closer" to the scripts which actually are using it. Change-Id: I9199596a06c84d6f6b84ff43bc95d04a31074685 Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
Add DevStack configuration to load the PVLAN service plugin when neutron-pvlan is enabled. This is required for neutron-tempest-plugin OVN jobs that exercise PVLAN scenario tests. Assisted-By: Cursor-composer-2-fast Related-Bug: #2138746 Change-Id: Ic6e8bbccbd6695eadb007952241c275a694f19c0 Signed-off-by: Fiorella Yanac <fyanac@redhat.com>
The patch implements resource creation for an EVPN router, its deletion and advertise-host option for the LSP associated with an EVPN router. Assisted-By: Claude Opus 4.6 Related-Bug: #2144617 Change-Id: I66c59707006b4351f637a14fee38f5fd3ebfd22d Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
Change-Id: I55d86d7a86eb4e65bfef884ff8822fb241c6bce6 Signed-off-by: Winicius Silva <winiciusab12@gmail.com>
OVN Agent EVPN Extension now creates an SVD at start up. The SVD consists of a Linux bridge with a name based on the pattern evpn.constants.EVPN_LB_NAME_PREFIX and a vxlan interface with a name based on the pattern evpn.constants.EVPN_VXLAN_IFNAME. Since the current plan is to create only one SVD per OVN Agent, the index for the Linux bridge and vxlan interface is the default 0. When an EVPN instance's finite state machine advances to the evpn.fsm.Evpn.ADVERTISING state, a vlan:vni mapping is added to the SVD and a vlan interface with its name based on the pattern evpn.constants.EVPN_VLAN_IFNAME_PATTERN is also created. Similarly, when the EVPN instance's finite state machine advances away from evpn.fsm.Evpn.ADVERTISING, the vlan:vni mapping is removed from the SVD and the vlan interface is deleted. Related-Bug: #2144617 Assisted-By: Claude Opus 4.6 Change-Id: Ia9aeb47a6b06b003b2ff3c65c525603a1b760bb9 Signed-off-by: Helen Chen <ichen@redhat.com>
Add EVPN_LRP_VLAN_EXT_ID_KEY constant and pass vid to fsm.advance() for port binding create events to support SVD vni:vlan mapping. Change-Id: Ibd06716a98e1e4addb00a616d3d8e46ad22d1aca Signed-off-by: Terry Wilson <twilson@redhat.com>
Provides common interface via EVPNRouterDriver class. This is so we can implement other evpn drivers in the future. E.g. frr gRPC driver. This patch implements `FrrVtyshDriver` which uses python subprocess to call into vtysh on the system to configure an evpn driver. The configuration file is generated based on templates in templates.py. For now, there is no way for the operator to add their own custom frr configuration. Fortunately, FrrCommandBuilder can be extended with a new "loader" to allow overwrite files in future. Follow up patches: - Hook up FrrVtyshDriver to the EVPN state machine Assisted-By: Claude Opus 4.6 Change-Id: I746e30c2b2ab36ad706bff6f411790d27d85be1b Signed-off-by: Miro Tomaska <mtomaska@redhat.com> Related-Bug: #2144617
This patch adds `write memory` for each configuration it applies. Adds restart method and exposes start+stop methods in FrrFixture Adds tests which confirm that running config is used on reboots or explicit stop and starts. Related-Bug: #2144617 Change-Id: I5973492fc538946462d0fec0b1b93db73a032854 Signed-off-by: Miro Tomaska <mtomaska@redhat.com>
This reverts commit 07c07d9. Reason for revert: CI was switched to Centos10(with frr 10.x) which no longer requires this workaround. Centos 10 change: https://review.opendev.org/c/openstack/neutron/+/961093 Change-Id: I6c2f734255916762903f6e41f300f6d844bc64c3 Signed-off-by: Miro Tomaska <mtomaska@redhat.com>
Noticed one of these in an unrelated change, let's fix them and enable the pylint check. Removed accidental print() statement introduced in a previous commit. TrivialFix Assisted-by: Claude Sonnet 4.6 Change-Id: I45ff8f0529e02efb43ce43fe85ad9db11dfd46cd Signed-off-by: Brian Haley <haleyb.dev@gmail.com>
Related-Bug: #2026489 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: I8dac428539b9a475e03d4183b6d82270e6140af5
The patch enumerates LRP.options keys that ovn_client manages. In order to avoid overwriting key-value pairs that are added by other service plugins, such as EVPN, we replace only those that are known to the ovn_client. Assisted-By: Claude Opus 4.6 Closes-Bug: #2156617 Change-Id: I578835796a600f8d0527c7d44a1da1dbea19f7c8 Signed-off-by: Jakub Libosvar <jlibosva@redhat.com>
``LrDelCommand`` cleared the ``ha_chassis_group`` reference from gateway LRPs only when a matching ``HA_Chassis_Group`` was found, and only looked up the HCG named after the OVN router (``neutron-<router_id>``). The EVPN HCG (``evpn-hcg-<router_id>``) was never cleaned up. Move the EVPN HCG deletion into ``DeleteEVPNRouterCommand``, which now takes ``router_id`` and deletes ``evpn-hcg-<router_id>`` itself. This keeps each command responsible for its own resources: ``LrDelCommand`` handles the standard HCG, and ``DeleteEVPNRouterCommand`` handles the EVPN HCG. Closes-Bug: #2156753 Assisted-By: Claude Opus 4.6 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: Ic5e4d2a09f8b17e34a6c91d0e7f2b8a3c4d5e6f7
NetlinkDumpInterrupted exception was seen during TestVrfHandlerLifecycle() failure. This is an exception that occurs when pyroute2 dumps devices but device changes occur in the system. This patch applies the same fix as what the pyroute2 author recommends, which is to retry with backoff documented here: https://review.opendev.org/q/Ie195ad596fd148708fc30946bde964d52444afee Additionally, log is flushed prior to nl_dispatcher thread crashes to get more backtrace in the future. Related-Bug: #2157785 Assisted-By: Claude Opus 4.6 Change-Id: I65fb52eda5b85ab5ba7996a0d5e2bd20a867bc7b Signed-off-by: Helen Chen <ichen@redhat.com>
Remove unnecessary .keys() calls in for loops iterating over dicts, and enable the consider-iterating-dictionary pylint check. At the same time fix all consider-using-dict-items warnings as there is some overlap with .keys() usage. TrivialFix Change-Id: Ic364be11458522f0c405aa0a320ef4819979f26a Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Brian Haley <haleyb.dev@gmail.com>
The to-lport ACL match for traffic from promiscuous to isolated, promiscuous to community, and inter-community ports relied on the "inport" keyword. This works on single-node deployments because both source and destination ports are on the same chassis. However, for cross-chassis traffic the to-lport match is evaluated on the destination chassis, where "inport" does not resolve correctly for ports on a remote chassis. Adding ip4/ip6.src checks against OVN auto-generated address sets (derived from port group membership) allows matching traffic from remote ports. The "inport" keyword is kept alongside the address set checks for the metadata localport, which responds with ip4.src=169.254.169.254, not present in the address sets. Closes-Bug: #2156988 Assisted-By: Claude Opus 4.6 Change-Id: I4bfb571155cf40836016499319ae3a746f2073bf Signed-off-by: Elvira Garcia <egarciar@redhat.com>
The plugin callbacks rely on the resources created/deleted by the ovn-router service plugin. If the evpn plugin was configured before the ovn-router plugin then it gets called first but fails when configuring the LR because it does not exist yet. This patch adds priorities to the callbacks so they are always invoked after the ovn-router plugin callbacks. Assisted-By: Claude Opus 4.6 Closes-Bug: #2158112 Change-Id: Ibee3f470520d8d1bc169f5b3baf781b10bc3f0fb Signed-off-by: Jakub Libosvar <jlibosva@redhat.com>
EVPN Logical_Router_Ports do not carry the ``neutron:network_name`` external_id key. When ``LogicalRouterPortEvent.match_fn`` iterates sibling LRPs during a ROW_DELETE event, accessing this key with ``[]`` raises a KeyError. Use ``.get()`` instead to return None for LRPs that lack the key. Closes-Bug: #2156759 Assisted-By: Claude Opus 4.6 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: Ic5164d4f956b40671827e55608b0602a66bae240
When a subnet is deleted before its segment, ``_delete_nova_inventory`` is called twice for the same resource provider. The second call now catches ``PlacementResourceProviderNotFound`` at DEBUG level instead of logging a misleading INFO message. Closes-Bug: #2158118 Assisted-By: Claude Opus 4.6 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: Icf643cc9dff81ce65e26fe0bc704942d4772400d
The test used hardcoded nexthop IPs (``10.0.1.3``-``10.0.1.6``) that fall within the subnet allocation pool. Because the IPAM driver uses ``random.sample()`` to allocate port IPs, the router interface port could randomly receive one of these nexthop IPs. When that happened, ``_validate_routes_nexthop()`` rejected the route with "the nexthop is used by router" (HTTP 400) before the quota check could fire the expected ``OverQuota`` (HTTP 409). Use the actual IP of a second port (not added as a router interface) as the nexthop for all routes, matching the pattern already used by ``test_router_routes_quota_is_per_router``. Closes-Bug: #2158109 Assisted-By: Claude Opus 4.6 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: Iba2e904505f876397111d89dcef374b6254fcf46
This PR contains a snapshot of master from upstream master.