Synchronise master with upstream #303
Open
github-actions[bot] wants to merge 125 commits into
When the agent restarts, the "Clean conntrack entries with mark == CT_MARK_INVALID" routine only considers IPs from fixed_ips. Deployments that rely on allowed_address_pairs (both single IPs and CIDRs) are skipped, leaving stale invalid-marked entries in conntrack and causing drops (e.g., UDP DNS). This change extends the cleanup candidate list with the port’s allowed_address_pairs and switches to passing the full CIDR to conntrack, so both host (/32) and network prefixes (e.g., /20) are handled natively.
Examples:
conntrack -D -f ipv4 -m 0x1 -s 10.15.194.184/32 -w 1
conntrack -D -f ipv4 -m 0x1 -s 10.16.192.0/20 -w 1
Closes-Bug: #2122495
Change-Id: I6ed507df845d068e13955758be9b2325e206cb6c
Signed-off-by: Jaroslav Pulchart <jaroslav.pulchart@gooddata.com>
Signed-off-by: lajoskatona <lajos.katona@est.tech>
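The candidate list described in the commit message above, sketched as an added example (not Neutron's code): it merges fixed_ips and allowed_address_pairs into CIDRs and emits one conntrack delete per network. It goes one step beyond the message by collapsing overlapping entries and handling IPv6; the function names, the sample port and the zone argument are assumptions, and 0x1 is taken from the `-m 0x1` examples.

```python
import ipaddress

# Mark value as it appears in the commit message's example commands.
CT_MARK_INVALID = 0x1

# Constructed sample port; the field layout follows the names used in the message.
SAMPLE_PORT = {
    "fixed_ips": [{"ip_address": "10.15.194.184"}],
    "allowed_address_pairs": [
        {"ip_address": "10.16.192.0/20"},
        {"ip_address": "10.16.200.7"},      # already covered by the /20 above
        {"ip_address": "2001:db8::10"},
    ],
}


def cleanup_candidates(port):
    """Return the port's source networks, collapsed, keyed by IP version."""
    raw = [ip["ip_address"] for ip in port.get("fixed_ips", [])]
    raw += [p["ip_address"] for p in port.get("allowed_address_pairs", [])]
    nets = {4: [], 6: []}
    for value in raw:
        # A bare address becomes /32 or /128; strict=False also accepts a
        # pair written with host bits set (e.g. 10.16.192.5/20) and masks them.
        net = ipaddress.ip_network(value, strict=False)
        nets[net.version].append(net)
    # collapse_addresses() rejects mixed versions, hence the split above.
    # It drops networks contained in another one, so the covered address
    # set is unchanged while the number of conntrack calls shrinks.
    return {v: list(ipaddress.collapse_addresses(n)) for v, n in nets.items()}


def conntrack_delete_cmds(port, zone):
    """Build argv lists for deleting invalid-marked entries of one port."""
    cmds = []
    for version, networks in cleanup_candidates(port).items():
        family = "ipv4" if version == 4 else "ipv6"
        for net in networks:
            cmds.append(["conntrack", "-D", "-f", family,
                         "-m", hex(CT_MARK_INVALID),
                         "-s", str(net), "-w", str(zone)])
    return cmds


if __name__ == "__main__":
    for argv in conntrack_delete_cmds(SAMPLE_PORT, zone=1):
        print(" ".join(argv))
```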
Devstack no longer supports it after eventlet deprecation so we can safely remove it. TrivialFix Change-Id: Ie69c99933d6a75771f24b144006e2e52b4aeb6f5 Signed-off-by: Brian Haley <haleyb.dev@gmail.com>
Closes-Bug: #2112446 Change-Id: I4fe91d759c430c4d64cd22a940bd1c17cfa76d5b Signed-off-by: Dai, Dang Van <daikk115@gmail.com>
Remove it from two tests that were setting it, otherwise it is unused in Neutron as we are already doing policy scope enforcement. It is safe to remove as oslo.policy is finally removing the option in [0]. [0] https://review.opendev.org/c/openstack/oslo.policy/+/986475 Change-Id: If042296d49d731e1412858d672b2727163fde901 Signed-off-by: Brian Haley <haleyb.dev@gmail.com>
There are two distinct issues here:
- Uncommitted reads (TOCTOU): The method creates its own get_admin_context() instead of accepting the caller’s. Any changes in the caller’s transaction that have not been committed yet are invisible to these queries — a floating IP associated to the subnet’s port by the caller would not be seen. Change to use passed context object.
- Unguarded in_([]) with empty list: When the router has no floating IPs, fip_ids = [], and PortForwarding.get_objects(context, floatingip_id=[]) generates WHERE floatingip_id IN () — invalid SQL on some DB engines. Change to initialize pf_objs to [] if there are no floating IPs.
TrivialFix
Assisted-by: Claude Sonnet 4.6
Signed-off-by: Brian Haley <haleyb.dev@gmail.com>
Change-Id: I1e68bc22b8c2d334039326b9b3aff44296abcb2d
The caller ``update_router()`` already computes ``ovn_router_ext_gw_lrps`` by filtering ``ovn_router.ports`` for gateway LRPs. Pass this list into ``_check_external_ips_changed`` so the no-subnet edge case can use the already-fetched LRP objects instead of re-querying OVN NB via ``get_lrouter_port()``. This eliminates one OVN NB round-trip per gateway port in the no-subnet edge case during router update. The LRP external_ids already contain the network name needed for the comparison. Assisted-By: Claude Opus 4.6 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: Ibf5bbce04c469524ea4284b7662f599605c27943
When deleting a non-virtual port, ``_delete_port()`` fetched the Logical_Switch via ``ls_get().execute()``, which created a separate read transaction nested inside the existing write transaction. This is unnecessary since the IDL maintains an in-memory replica of the OVN NB database. Replace ``ls_get().execute()`` with a direct ``lookup()`` call, which performs an O(1) in-memory IDL access using the name index, eliminating the command/transaction overhead on every port deletion. Assisted-By: Claude Opus 4.6 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: I1fd990d2d447e947ef23fdc0fe2f48aae2d4adec
``update_lsp_host_info()`` first called ``lookup()`` to check whether the Logical_Switch_Port exists, discarding the returned row, then called ``lsp_get_up().execute()`` which internally looked up the same LSP again inside a separate read transaction. Reuse the row already returned by ``lookup()`` and read the ``up`` column directly from the in-memory IDL replica, removing the redundant ``lsp_get_up().execute()`` round-trip on every port status change. Assisted-By: Claude Opus 4.6 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: I6f825d9ff1b678d29650a0544635bacceb9b0f1c
This adds a generic RangeAllocator that uses the DB to select an unused integer value from a gap in the existing rows. It should work across all supported DBs. On top of this, a VNIVLANAllocator pairs a VNI and VLAN allocation together through a mapping table, providing a single interface for allocating and deallocating VNI/VLAN pairs scoped by physical network. The EVPN plugin uses VNIVLANAllocator via EVPNDbHelper to manage per-router VNI/VLAN assignments. The schema uses RESTRICT FKs from the mapping to allocations and CASCADE from evpn_l3_instances to the mapping, ensuring clean lifecycle management. Co-Authored-By: Jakub Libosvar <jlibosva@redhat.com> Assisted-By: Claude Opus 4.6 Change-Id: I62da7a1263aaf605b295af0c3e019754b4e4ecda Signed-off-by: Terry Wilson <twilson@redhat.com>
The OVN maintenance worker and the BGP topology reconciler used ``not idl.is_lock_contended`` to determine whether the current process holds the OVSDB lock. This is incorrect because ``is_lock_contended`` and ``has_lock`` are two independent boolean flags in the OVS IDL, not complementary ones. When the lock has been requested but the server has not yet replied, both flags are ``False``, so ``not is_lock_contended`` evaluates to ``True`` even though the lock is not held. During neutron-server startup or OVSDB reconnection, this race window could allow maintenance tasks (configured with ``run_immediately=True``) or BGP topology synchronization to be processed by a worker that does not actually own the lock, potentially causing duplicate or conflicting operations against the OVN Northbound DB. Replace all occurrences with ``idl.has_lock``, which is only ``True`` when the server has explicitly confirmed lock ownership. This is consistent with the approach already used in the BGP service IDL (``neutron/services/bgp/ovn.py``) and with the semantics documented in the upstream OVS IDL class. Closes-Bug: #2155155 Assisted-By: Claude Opus 4.6 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: I80e74a399b7c3420baf49e0cbc50ddfee0a070e0
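A small model of the race described in the commit message above, as an added example (not OVS or Neutron code): two workers carry the two independent flags, and the old and new gates are evaluated at each step. The `LockFlags` class, its methods and the step sequence are hypothetical; that a dropped session clears both flags is an assumption of the model.

```python
class LockFlags:
    """Hypothetical stand-in for the two independent IDL lock flags."""

    def __init__(self, name):
        self.name = name
        self.has_lock = False
        self.is_lock_contended = False

    def request_lock(self):
        # The request is on the wire but unanswered: neither flag changes.
        pass

    def server_reply(self, granted):
        # Only a server answer sets either flag.
        self.has_lock = granted
        self.is_lock_contended = not granted

    def reconnect(self):
        # Model assumption: a dropped session clears both flags until the
        # lock is requested and answered again.
        self.has_lock = False
        self.is_lock_contended = False


def old_gate(worker):
    """The check the commit removes: treats 'not contended' as 'held'."""
    return not worker.is_lock_contended


def new_gate(worker):
    """The check the commit introduces: server-confirmed ownership only."""
    return worker.has_lock


def timeline():
    """Return (step, workers passing old gate, workers passing new gate)."""
    a, b = LockFlags("worker-a"), LockFlags("worker-b")
    steps = []

    def snapshot(label):
        workers = (a, b)
        steps.append((label,
                      sum(old_gate(w) for w in workers),
                      sum(new_gate(w) for w in workers)))

    a.request_lock()
    b.request_lock()
    snapshot("requested, no reply")      # startup window from the message
    a.server_reply(True)
    b.server_reply(False)
    snapshot("server replied")
    a.reconnect()
    snapshot("worker-a reconnecting")    # a lost the session, b not yet told
    b.server_reply(True)
    snapshot("lock passed to worker-b")  # a still believes it may run
    return steps


if __name__ == "__main__":
    for label, old, new in timeline():
        print(f"{label:26} old gate: {old} worker(s)  new gate: {new}")
```

Any step where the old gate admits more workers than the new gate is a window in which a task could run without the lock being held.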
The delete path for floating ips currently only deletes the nat entry on the ovn side if it actually finds a nat entry for the floating ip. When quickly associating and then disassociating a floating ip through different neutron api instances, the nat entry may not yet have propagated from one api instance to the other through the northbound if load on the ovsdb is sufficiently high. Since the ovn revision entry is deleted anyways, the maintenance task has no chance of fixing it later on, leaving an orphaned nat entry in ovn which causes connectivity issues when the ip address gets reused. Keep the ovn revision entry in case we don't find a matching nat entry to give the maintenance task a chance to retry the deletion. Related-Bug: #1987530 Signed-off-by: Felix Moebius <felix.moebius@digits.schwarz> Change-Id: I6c598cbbca1e449cf67314d022f101f2f73cf1bc
... to detect unsupported values early. Also use the native interface to document available choices. Change-Id: I43848aebddc1819101f969a452560b5b37dc839b Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
When dependencies change in neutron, it occasionally breaks the gate.
This is a quick-and-dirty tool that will parse neutron, requirements,
and ovn/ovs branches and print out dependency changes that happened in
a date or neutron commit hash range. Example run for finding a recent
gate failure:
/tools/dep_version_diff.py --start 2026-06-04 --branch-commits
Dependency changes (neutron direct deps)
start : 2026-06-04
-> requirements bdc4e18f (2026-06-03)
end : HEAD
-> requirements e4a4f7d3 (2026-06-06)
neutron deps read from: 8e0d77da
Changed:
webob 1.8.9 -> 1.8.10 2026-06-06 [bot] Updated from generate-constraints (requirements@e4a4f7d3)
OVS/OVN binary branches:
OVN_BRANCH branch-26.03 (unchanged, branch (moving))
6 commit(s) on branch-26.03:
cbb71611b northd: Clear stale LSP tags on tag_request removal.
e43a84b21 tests: Add macro for running UDP "echo" service.
3888f8944 northd: Ignore LRP.status write-only column in northd.
7aa8875ca ovn-nbctl: Display tier in "acl-list" for multi-tier ACLs.
2a0ca98b7 ovn-nbctl: Display peer info in "show" for router ports.
9f04b8c50 tests: Fix flaky "Loadbalancer add-route option" system test.
OVS_BRANCH branch-3.7 (unchanged, branch (moving))
6 commit(s) on branch-3.7:
ea7f21658 packets: Add support for unicast ND NS compose.
e9082e2a6 ofproto-dpif-xlate: Track the last action through normal pipeline.
eb0555761 ofproto-dpif-xlate: Use datapath actions for reversibility check.
5b2f54ea0 tests: ovsdb: Fix negotiation error check with OpenSSL 4.0.
70a73ab72 dpdk: Use DPDK 25.11.2 release for OVS 3.7.
04b05b31a ofproto-dpif: Fix bundle floodable flag when disabling STP/RSTP.
It can also take zuul job names as filters, e.g.
--job neutron-functional-with-pyroute2-master won't show pyroute2
requirements changes.
Assisted-By: Claude Opus 4.6
Change-Id: I7403071949b1bfbdfa78aa0fd59739c1a42a8a6e
Signed-off-by: Terry Wilson <twilson@redhat.com>
Previously, PUT responses would input the old values of pvlan, pvlan_type and pvlan_community. The cause of this is that in plugin.py, _make_port_dict is calling _extend_port_pvlan before the DB is actually updated, so the old values are the ones being used. The modification of the desired state solves this timing issue. Closes-Bug: #2155636 Assisted-By: Claude Opus 4.6 Change-Id: I0d2b10a2ad8ece4738a4c2225dee42ad55740003 Signed-off-by: Elvira Garcia <egarciar@redhat.com>
Those base check strings were moved to neutron-lib with patch [1]. [1] https://review.opendev.org/c/openstack/neutron-lib/+/983214 Related-bug: #2143895 Change-Id: Ifaf22a010911de9c1dc7ccef6fd2aaaf73875b1d Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
This is a followup patch to I78fec86595fb358880b306ec1fe014adad007d87. The patch moves Netlink specific constants from evpn to netlink module. It moves the EVPN specific naming convention out of the Svd class and creates a new EvpnSvd that is used by the evpn-ovn driver. It adds back the functional tests from the patch it depends on; now that the Svd is generic and doesn't use the same device names, we can test its integration because the device names can be generated and will not collide in a parallel run.
Depends-On: https://review.opendev.org/c/openstack/neutron/+/989626
Related-Bug: #2144617
Assisted-By: Claude Opus 4.6
Co-Authored-By: Helen Chen <ichen@redhat.com>
Change-Id: I95fe3a93da6a8ec353c4f8de05ab6b281f5df6ec
Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
This old module was just left overs from the dark old ages before Zuul v3 and jobs defined in its native way. Migration to zuul v3 was done many years ago and those scripts which were in neutron.tests.contrib are not used anymore. The only exception is `testing.filters` file which contains rootwrap filters to use in the CI jobs like e.g. functional tests. This file is now moved to the `tools/rootwrap/testing.filters` location which is "closer" to the scripts which actually are using it. Change-Id: I9199596a06c84d6f6b84ff43bc95d04a31074685 Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
Add DevStack configuration to load the PVLAN service plugin when neutron-pvlan is enabled. This is required for neutron-tempest-plugin OVN jobs that exercise PVLAN scenario tests. Assisted-By: Cursor-composer-2-fast Related-Bug: #2138746 Change-Id: Ic6e8bbccbd6695eadb007952241c275a694f19c0 Signed-off-by: Fiorella Yanac <fyanac@redhat.com>
The patch implements resource creation for an EVPN router, its deletion and advertise-host option for the LSP associated with an EVPN router. Assisted-By: Claude Opus 4.6 Related-Bug: #2144617 Change-Id: I66c59707006b4351f637a14fee38f5fd3ebfd22d Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
Change-Id: I55d86d7a86eb4e65bfef884ff8822fb241c6bce6 Signed-off-by: Winicius Silva <winiciusab12@gmail.com>
OVN Agent EVPN Extension now creates an SVD at start up. The SVD consists of a Linux bridge with a name based on the pattern evpn.constants.EVPN_LB_NAME_PREFIX and a vxlan interface with a name based on the pattern evpn.constants.EVPN_VXLAN_IFNAME. Since the current plan is to create only one SVD per OVN Agent, the index for the Linux bridge and vxlan interface is the default 0. When an EVPN instance's finite state machine advances to the evpn.fsm.Evpn.ADVERTISING state, a vlan:vni mapping is added to the SVD and a vlan interface with its name based on the pattern evpn.constants.EVPN_VLAN_IFNAME_PATTERN is also created. Similarly, when the EVPN instance's finite state machine advances away from evpn.fsm.Evpn.ADVERTISING, the vlan:vni mapping is removed from the SVD and the vlan interface is deleted. Related-Bug: #2144617 Assisted-By: Claude Opus 4.6 Change-Id: Ia9aeb47a6b06b003b2ff3c65c525603a1b760bb9 Signed-off-by: Helen Chen <ichen@redhat.com>
Add EVPN_LRP_VLAN_EXT_ID_KEY constant and pass vid to fsm.advance() for port binding create events to support SVD vni:vlan mapping. Change-Id: Ibd06716a98e1e4addb00a616d3d8e46ad22d1aca Signed-off-by: Terry Wilson <twilson@redhat.com>
Provides common interface via EVPNRouterDriver class. This is so we can implement other evpn drivers in the future. E.g. frr gRPC driver. This patch implements `FrrVtyshDriver` which uses python subprocess to call into vtysh on the system to configure an evpn driver. The configuration file is generated based on templates in templates.py. For now, there is no way for the operator to add their own custom frr configuration. Fortunately, FrrCommandBuilder can be extended with a new "loader" to allow overwrite files in future.
Follow up patches:
- Hook up FrrVtyshDriver to the EVPN state machine
Assisted-By: Claude Opus 4.6
Change-Id: I746e30c2b2ab36ad706bff6f411790d27d85be1b
Signed-off-by: Miro Tomaska <mtomaska@redhat.com>
Related-Bug: #2144617
This patch adds `write memory` for each configuration it applies. Adds restart method and exposes start+stop methods in FrrFixture Adds tests which confirm that running config is used on reboots or explicit stop and starts. Related-Bug: #2144617 Change-Id: I5973492fc538946462d0fec0b1b93db73a032854 Signed-off-by: Miro Tomaska <mtomaska@redhat.com>
When a service plugin package (e.g. neutron-fwaas, neutron-vpnaas,
networking-sfc) is installed but its service plugin is not configured
in ``service_plugins``, the quota details API endpoint
(GET /v2.0/quotas/{project_id}/details) returns a 500 Server Error.
The installed package registers quota resources (e.g. firewall_group,
firewall_policy, firewall_rule) at import time via
``resource_helper.build_resource_info(register_quota=True)``. When the
quota details endpoint iterates over all registered resources to
count usage, it calls ``_count_resource()`` which looks for a plugin
that provides ``get_<collection>_count`` or ``get_<collection>``.
Since the service plugin is not loaded, no plugin supports counting
those resources, and a ``NotImplementedError`` is raised.
Catch the ``NotImplementedError`` in
``DbQuotaDriver.get_detailed_project_quotas()`` and skip the resource
instead of letting the exception propagate as a 500 error. Also
guard the project-specific limit update loop against skipped
resources.
Closes-Bug: #2155846
Assisted-By: Claude Opus 4.6
Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
Change-Id: I923e90279edf3de3fa85c83fd46e1b5dec0468de
The option is validated when config files are loaded, so it doesn't have to be validated again in internal logic.
Change-Id: Ie334cf08159ba406d55ffbce8bf60be7de184010
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
This patch removes the OVN Metadata agent grenade and neutron-tempest-plugin CI jobs. Both jobs are marked for removal in 2026.2 release. Related-Bug: #2112313 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: Id9994994b28ffb27670970901466e454815dee20
Removed the following CI job definitions:
* neutron-tempest-dvr
* neutron-tempest-iptables_hybrid
* neutron-grenade-multinode
Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
Change-Id: I9a47b9251c408c1fd60cdcd29e249815535bd61b
Python's `requests` lib is always asking for 'gzip,deflate' encoding by itself, and decoding those by itself too, but does not remove the content-encoding header from response, so don't rely on this header alone to decide if content should be decoded or not. Also, content-length and transfer-encoding are left untouched, even if they correspond to originally gzip-ed content. This all interferes when user data is itself gzip-ed and there's a proper web server like apache2 that itself generates proper gzip-ed response. Clean-up erroneous headers, and let webob recalculate them as needed. Related-Bug: #2120723 Closes-Bug: #2156587 Change-Id: Ia5d0cbdc5c715462438e38135e441ce9f5ea98c1 Signed-off-by: Pavlo Shchelokovskyy <shchelokovskyy@gmail.com>
Vtysh accepts passing different path to unix socket for communicating with frr via `--vty_socket` argument. This patch exposes this argument in the frr_driver. The goal is to use this argument when frrdriver is run inside a container where the unix path might be different than default. Related-Bug: #2144617 Assisted-by: Opus 4.6 model Change-Id: I34e2ecfe0f78f4cbc6326615745468761902e75e Signed-off-by: Miro Tomaska <mtomaska@redhat.com>
Other code passes the MaintenanceWorker as the trigger to from_server() like the ovn-db-sync-util and only the real MaintenanceWorker itself should call set_lock() before connecting. Closes-Bug: #2156979 Signed-off-by: Terry Wilson <twilson@redhat.com> Change-Id: I74145ef1407856b7ec75de87daa2270b452b6c70
Introduce a new API extension that allows configuring the default value of the ``stateful`` attribute for new security groups, on a per-project or system-wide basis. The new resource supports full CRUD operations with corresponding RBAC policy rules. The API definition ``security-groups-default-statefulness`` is provided in [1] and was released in neutron-lib 4.0.0. [1]https://review.opendev.org/c/openstack/neutron-lib/+/984354 Closes-Bug: #2146803 Assisted-By: Claude Opus 4.6 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: I1c773a445a65414dbb3df325a3a61b94d050efc6
…y_fields_from_db``"
When a VM with a floating IP is deleted, the port deletion triggers ``disassociate_floatingips`` which calls ``_process_dns_floatingip_delete``. This method deleted the DNS records from Designate but did not remove the ``FloatingIPDNS`` DB row (``floatingipdnses`` table). The stale row caused failures when the same FIP was later associated with a new VM: the external DNS cleanup attempted to delete the old name which no longer existed in Designate, resulting in a ``DuplicateRecordSet`` error. The new VM's DNS records were then never cleaned on its deletion. Delete the ``FloatingIPDNS`` row after removing the records from the external DNS service. This is safe for both callers of ``_process_dns_floatingip_delete``: on FIP deletion the row would be cascade-deleted anyway, and on FIP disassociation it prevents stale data from persisting. Closes-Bug: #2130405 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: I0d7f722ae1ef8d474112b40c9ab78ed2d1a417b2
This PR contains a snapshot of master from upstream master.