Bug #1489111 “[OSSA 2015-018] IP, MAC, and DHCP spoofing rules c...” : Bugs : neutron

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-08-26:

#1

Hi,

I have a attached a patch that fixes the problem.

It enables a regex match in the policy engine and then changes the default policy to prevent users from using the 'network:' prefix in the device_owner field unless they own the network, have the advanced services role, or are an admin.

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-08-26:

#2

The core issue here is that the L2 agent trusts any devices whose owner field starts with 'network:'. This is necessary because the DHCP port and the router ports can't have DHCP spoofing and IP spoofing rules (respectively).

Here is the logic that skips 'network:' owned ports for security groups.

https://github.com/openstack/neutron/blob/d66f0e27919a29682d7c65e4f9ce1f9c7b278542/neutron/api/rpc/handlers/securitygroups_rpc.py#L83

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-08-26:

#3

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status:	New → Incomplete
description:	updated

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-08-26:

#4

Beside having an instance unprotected by iptables, what can the user do with it ?
e.g., can he spoof other tenants' ip ?

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-08-26:

#5

Yes, the big risk here is with shared networks. The attacker can spoof other VMs IPs, or give out incorrect information via spoofed DHCP responses to get other VMs to send traffic to it.

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-08-26:

#6

Had to update the patch to handle a changed response code in a unit test.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-08-26:

#7

Assuming this affect all l2 agents and all supported release, here is the impact description:

Title: Neutron firewall rules bypass through port update
Reporter: Kevin Benton (Mirantis)
Products: Neutron
Affects: versions through 2014.2.3 and 2015.1 versions through 2015.1.1

Description:
Kevin Benton from Mirantis reported a vulnerability in Neutron. By changing the port's device owner of an instance right after it is created, an authenticated user may prevent firewall rules to be applied, potentially resulting in anti spoofing rules to be disabled. All Neutron setups are affected.

Changed in ossa:
status:	Incomplete → Confirmed
assignee:	nobody → Tristan Cacqueray (tristan-cacqueray)

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-08-26:

#8

Thanks Kevin for the update, please let me know if the above description is accurate.

@neutron-coresec, is the proposed patch going to be easily backportable ? Not sure what's the rule for policy.json changes...

Anyway, please follow this guide to properly format proposed patch: https://security.openstack.org/#how-to-propose-and-review-a-security-patch

Revision history for this message

Salvatore Orlando (salvatore-orlando) wrote on 2015-08-26:

#9

This scenario will likely enable an attacker on a shared network to hijack DHCP traffic as mentioned by Kevin.
IP spoofing could also be possible since the attacker VMs would be able to intercept ARP requests and fabricate ARP replies

It is not possible to do any sort of mitigation using security groups, so this attack is very practical and probably deserves an A in the OSSA taxonomy

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-08-26:

#10

Yes, that description sounds correct. I will format the patch appropriately.

Revision history for this message

Aaron Rosen (arosen) wrote on 2015-08-26:

#12

Patch looks good to me. +2,

The shared network flag feature in neutron is such a hack. Thank goodness we have proper RBAC now thanks to the support you added kevin :)

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-08-27:

#13

Assuming this affect all the way down to Juno, can you also attach backports for stable/juno and stable/kilo branches as well ?

Changed in ossa:
status:	Confirmed → Triaged

Revision history for this message

Jeremy Stanley (fungi) wrote on 2015-08-27:

#14

Minor improvement to the wording:

By changing the device owner of an instance's port right after it is created, an authenticated user may prevent application of firewall rules and so avoid IP anti-spoofing controls.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-08-27:

#15

Thanks for the review, here is the updated impact description:

Title: Neutron firewall rules bypass through port update
Reporter: Kevin Benton (Mirantis)
Products: Neutron
Affects: versions through 2014.2.3 and 2015.1 versions through 2015.1.1

Description:
Kevin Benton from Mirantis reported a vulnerability in Neutron. By changing the device owner of an instance's port right after it is created, an authenticated user may prevent application of firewall rules and so avoid IP anti-spoofing controls. All Neutron setups are affected.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-08-27:

#18

CVE have been requested.

@neutron-coresec, please review proposed patch.

Changed in ossa:
status:	Triaged → In Progress

Tristan Cacqueray (tristan-cacqueray) on 2015-08-27

summary:

IP, MAC, and DHCP spoofing rules can by bypassed by changing
- device_owner
+ device_owner (CVE-2015-5240)

Revision history for this message

Salvatore Orlando (salvatore-orlando) wrote on 2015-08-28: Re: IP, MAC, and DHCP spoofing rules can by bypassed by changing device_owner (CVE-2015-5240)

#19

I verified the patch fixes the security issue. I ran several tests trying to find other the way to exploit the same issue, for instance by re-using system created network ports. Nova does not allow one to boot instances on such ports as nova will return a 409 when attempting to boot on a port with an already-populated device_owner attribute.

The patch is also resilient to white space padding (eg: " network:" is accepted but won't cause the port_security_enabled attribute go to False).

I have minor observations on the code changes:
- the policy change works but it seems weird as it's an or condition and is acting as a "and". Perhaps the policy engine is not operating as expected here. This is unrelated to this patch however.
- Having to prepend ~ to say it's a regex is fine by me. Alternatively one could treat everything as a regex, adding automatically ^ and $ for doing exact matches. But then you'll have to document that regex evaluation will always match on the whole string.

On the CVE it is worth probably stating that as far as we know only affects the ML2 plugin. The logic where the vulnerability is introduced is specific indeed to that plugin. Other plugins might be affected too if they adopted similar logic for determining whether spoofing protections should be installed, but I think it's up to the plugin maintainers to verify that and fix if necessary.

Summarizing: the patch looks good to me, and there's no need of further revisions.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-08-28:

#20

Thanks Salvatore for this prompt review.

About the description, since we only support plugins within the neutron code base, the affects can also be reduced to:
"All Neutron setups using the ML2 plugin"

I'd like to send the advance notification today with this disclosure date/time:
2015-09-03, 1500UTC

Though ?

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-08-28:

#21

"All Neutron setups using the ML2 plugin or a plugin that relies on the security groups AMQP API"

Any plugins that have agents calling this method will be affected:
https://github.com/openstack/neutron/blob/4f802232771d051d0fe076e6458674a995c6bc14/neutron/api/rpc/handlers/securitygroups_rpc.py#L79-L84

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-08-28:

#22

pre-OSSA sent with last suggestion from Kevin. Thanks everyone :-)

Changed in ossa:
status:	In Progress → Fix Committed

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-09-01:

#23

There is a mistake in the patches, sending updated versions shortly.

Revision history for this message

Jeremy Stanley (fungi) wrote on 2015-09-01:

#24

That's unfortunate. Should we send updated patches to the downstream stakeholders and extend the disclosure date?

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-09-01:

#25

Yes, we will need to send the updated patches. I'm not sure if the disclosure date needs to be adjusted.

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-09-01:

#26

difference between this and the previous version is 'rule:admin_or_network_owner' instead of 'role:admin_or_network_owner' in policy.json

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-09-01:

#27

master patch Edit (7.4 KiB, text/plain)

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-09-01:

#28

kilo patch Edit (7.5 KiB, text/plain)

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-09-01:

#29

Ouch, well then we need to extend the disclosure date. If those new patch are approved by thursday it can be:

2015-09-08, 1500UTC

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-09-01:

#30

juno patch Edit (6.1 KiB, text/plain)

Revision history for this message

Salvatore Orlando (salvatore-orlando) wrote on 2015-09-01:

#31

I verified the updated patches with Kevin.
I think this explains why I was observing the weird behaviour noted in the review with:
"the policy change works but it seems weird as it's an or condition and is acting as a "and". Perhaps the policy engine is not operating as expected here. This is unrelated to this patch however."

Basically the typo was causing the policy engine to enforce a different kind of check (which always failed afaict). If we merged that patch we would have fixed the security issue, but introduced a functional defect.

The difference between the two patches is minimal, so there's not much else to review.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-09-01:

#32

The new patch have been sent, please do not push them until the new disclosure date:
2015-09-08, 1500UTC

Tristan Cacqueray (tristan-cacqueray) on 2015-09-08

information type:

Private Security → Public Security

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-08: Fix proposed to neutron (master)

#33

Fix proposed to branch: master
Review: https://review.openstack.org/221342

Changed in neutron:
assignee:	nobody → Tristan Cacqueray (tristan-cacqueray)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-08: Fix proposed to neutron (stable/kilo)

#34

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/221344

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-08: Fix proposed to neutron (stable/juno)

#35

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/221345

Tristan Cacqueray (tristan-cacqueray) on 2015-09-08

summary:

- IP, MAC, and DHCP spoofing rules can by bypassed by changing
- device_owner (CVE-2015-5240)
+ [OSSA 2015-018] IP, MAC, and DHCP spoofing rules can by bypassed by
+ changing device_owner (CVE-2015-5240)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-08: Fix merged to neutron (master)

#36

Reviewed: https://review.openstack.org/221342
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=bbca973986fdc99eae9d1b2545e8246c0b2be2e2
Submitter: Jenkins
Branch: master

commit bbca973986fdc99eae9d1b2545e8246c0b2be2e2
Author: Kevin Benton <email address hidden>
Date: Tue Aug 25 22:03:27 2015 -0700

Stop device_owner from being set to 'network:*'

    This patch adjusts the FieldCheck class in the policy engine to
    allow a regex rule. It then leverages that to prevent users from
    setting the device_owner field to anything that starts with
    'network:' on networks which they do not own.

    This policy adjustment is necessary because any ports with a
    device_owner that starts with 'network:' will not have any security
    group rules applied because it is assumed they are trusted network
    devices (e.g. router ports, DHCP ports, etc). These security rules
    include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
    and IP headers.

    Without this policy adjustment, tenants can abuse this trust when
    connected to a shared network with other tenants by setting their
    VM port's device_owner field to 'network:<anything>' and hijack other
    tenants' traffic via DHCP spoofing or MAC/IP spoofing.

Closes-Bug: #1489111
Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9

Changed in neutron:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-09: Fix merged to neutron (stable/juno)

#37

Reviewed: https://review.openstack.org/221345
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ebb0c5403b347ae1a841f578971ed1a3e3b6de53
Submitter: Jenkins
Branch: stable/juno

commit ebb0c5403b347ae1a841f578971ed1a3e3b6de53
Author: Kevin Benton <email address hidden>
Date: Tue Aug 25 22:03:27 2015 -0700

Stop device_owner from being set to 'network:*'

    This patch adjusts the FieldCheck class in the policy engine to
    allow a regex rule. It then leverages that to prevent users from
    setting the device_owner field to anything that starts with
    'network:' on networks which they do not own.

    This policy adjustment is necessary because any ports with a
    device_owner that starts with 'network:' will not have any security
    group rules applied because it is assumed they are trusted network
    devices (e.g. router ports, DHCP ports, etc). These security rules
    include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
    and IP headers.

    Without this policy adjustment, tenants can abuse this trust when
    connected to a shared network with other tenants by setting their
    VM port's device_owner field to 'network:<anything>' and hijack other
    tenants' traffic via DHCP spoofing or MAC/IP spoofing.

    Conflicts:
     etc/policy.json
     neutron/api/v2/attributes.py
     neutron/tests/etc/policy.json
     neutron/tests/unit/test_policy.py

    Closes-Bug: #1489111
    Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9
    (cherry picked from commit 959a2f28cbbfc309381ea9ffb55090da6fb9c78f)

tags:	added: in-stable-juno
tags:	added: in-stable-kilo

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-09: Fix merged to neutron (stable/kilo)

#38

Reviewed: https://review.openstack.org/221344
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=767cea23de44a963c6793ffe30ea5c6827d27a38
Submitter: Jenkins
Branch: stable/kilo

commit 767cea23de44a963c6793ffe30ea5c6827d27a38
Author: Kevin Benton <email address hidden>
Date: Tue Aug 25 22:03:27 2015 -0700

Stop device_owner from being set to 'network:*'

    This patch adjusts the FieldCheck class in the policy engine to
    allow a regex rule. It then leverages that to prevent users from
    setting the device_owner field to anything that starts with
    'network:' on networks which they do not own.

    This policy adjustment is necessary because any ports with a
    device_owner that starts with 'network:' will not have any security
    group rules applied because it is assumed they are trusted network
    devices (e.g. router ports, DHCP ports, etc). These security rules
    include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
    and IP headers.

    Without this policy adjustment, tenants can abuse this trust when
    connected to a shared network with other tenants by setting their
    VM port's device_owner field to 'network:<anything>' and hijack other
    tenants' traffic via DHCP spoofing or MAC/IP spoofing.

    Closes-Bug: #1489111
    Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9
    (cherry picked from commit 959a2f28cbbfc309381ea9ffb55090da6fb9c78f)

Tristan Cacqueray (tristan-cacqueray) on 2015-09-14

Changed in ossa:
status:	Fix Committed → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-16: Fix proposed to neutron (feature/pecan)

#39

Fix proposed to branch: feature/pecan
Review: https://review.openstack.org/224334

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-17:

#40

Fix proposed to branch: feature/pecan
Review: https://review.openstack.org/224357

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-17: Fix merged to neutron (feature/pecan)

#41

Download full text (73.6 KiB)

Reviewed: https://review.openstack.org/224357
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fdc3431ccd219accf6a795079d9b67b8656eed8e
Submitter: Jenkins
Branch: feature/pecan

commit fe236bdaadb949661a0bfb9b62ddbe432b4cf5f1
Author: Miguel Angel Ajo <email address hidden>
Date: Thu Sep 3 15:40:12 2015 +0200

No network devices on network attached qos policies

Network devices, like internal router legs, or dhcp ports
should not be affected by bandwidth limiting rules.

This patch disables application of network attached policies
to network/neutron owned ports.

Closes-bug: #1486039
DocImpact

Change-Id: I75d80227f1e6c4b3f5fa7762b8dc3b0c0f1abd46

commit db4a06f7caa20a4c7879b58b20e95b223ed8eeaf
Author: Ken'ichi Ohmichi <email address hidden>
Date: Wed Sep 16 10:04:32 2015 +0000

Use tempest-lib's token_client

    Now tempest-lib provides token_client modules as library and the
    interface is stable. So neutron repogitory doesn't need to contain
    these modules.
    This patch makes neutron use tempest-lib's token_client and removes
    the own modules for the maintenance.

Change-Id: Ieff7eb003f6e8257d83368dbc80e332aa66a156c

commit 78aed58edbe6eb8a71339c7add491fe9de9a0546
Author: Jakub Libosvar <email address hidden>
Date: Thu Aug 13 09:08:20 2015 +0000

Fix establishing UDP connection

    Previously, in establish_connection() for UDP protocol data were sent
    but never read on peer socket. That lead to successful read on peer side
    if this connection was filtered. Having constant testing string masked
    this issue as we can't distinguish to which test of connectivity data
    belong.

    This patch makes unique data string per test_connectivity() and
    also makes establish_connection() to create an ASSURED entry in
    conntrack table. Finally, in last test after firewall filter was
    removed, connection is re-established in order to avoid troubles with
    terminated processes or TCP continuing sending packets which weren't
    successfully delivered.

Closes-Bug: 1478847
Change-Id: I2920d587d8df8d96dc1c752c28f48ba495f3cf0f

commit e6292fcdd6262434a7b713ad8802db6bc8a6d3dc
Author: YAMAMOTO Takashi <email address hidden>
Date: Wed Sep 16 13:20:51 2015 +0900

ovsdb: Fix a few docstring

Change-Id: I53e1e21655b28fe5da60e58aeeb7cbbd103ae014

commit c22949a4449d96a67caa616290cf76b67b182917
Author: fumihiko kakuma <email address hidden>
Date: Wed Sep 16 11:52:59 2015 +0900

Remove requirements.txt for the ofagent mechanism driver

It is no longer used.

Related-Blueprint: core-vendor-decomposition
https://blueprints.launchpad.net/neutron/+spec/core-vendor-decomposition

Change-Id: Ib31fb3febf8968e50d86dd66e1e6e1ea2313f8ac

commit d1d4de19d85f961d388c91e70f31b3bafec418c5
Author: Kevin Benton <email address hidden>
Date: Thu Sep 3 20:25:57 2015 -0700

Always return iterables in L3 get_candidates

The caller of this function expects iterables.

Closes-Bug: #1494996
Change-Id: I3d103e63f4e127a77268502415c0ddb0d804b54a

commit 1ad6ac448067306...

Reviewed:  https://review.openstack.org/224357
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fdc3431ccd219accf6a795079d9b67b8656eed8e
Submitter: Jenkins
Branch:    feature/pecan

commit fe236bdaadb949661a0bfb9b62ddbe432b4cf5f1
Author: Miguel Angel Ajo <mangelajo@redhat.com>
Date:   Thu Sep 3 15:40:12 2015 +0200

No network devices on network attached qos policies
    
    Network devices, like internal router legs, or dhcp ports
    should not be affected by bandwidth limiting rules.
    
    This patch disables application of network attached policies
    to network/neutron owned ports.
    
    Closes-bug: #1486039
    DocImpact
    
    Change-Id: I75d80227f1e6c4b3f5fa7762b8dc3b0c0f1abd46

commit db4a06f7caa20a4c7879b58b20e95b223ed8eeaf
Author: Ken'ichi Ohmichi <ken-oomichi@wx.jp.nec.com>
Date:   Wed Sep 16 10:04:32 2015 +0000

Use tempest-lib's token_client
    
    Now tempest-lib provides token_client modules as library and the
    interface is stable. So neutron repogitory doesn't need to contain
    these modules.
    This patch makes neutron use tempest-lib's token_client and removes
    the own modules for the maintenance.
    
    Change-Id: Ieff7eb003f6e8257d83368dbc80e332aa66a156c

commit 78aed58edbe6eb8a71339c7add491fe9de9a0546
Author: Jakub Libosvar <libosvar@redhat.com>
Date:   Thu Aug 13 09:08:20 2015 +0000

Fix establishing UDP connection
    
    Previously, in establish_connection() for UDP protocol data were sent
    but never read on peer socket. That lead to successful read on peer side
    if this connection was filtered. Having constant testing string masked
    this issue as we can't distinguish to which test of connectivity data
    belong.
    
    This patch makes unique data string per test_connectivity() and
    also makes establish_connection() to create an ASSURED entry in
    conntrack table. Finally, in last test after firewall filter was
    removed, connection is re-established in order to avoid troubles with
    terminated processes or TCP continuing sending packets which weren't
    successfully delivered.
    
    Closes-Bug: 1478847
    Change-Id: I2920d587d8df8d96dc1c752c28f48ba495f3cf0f

commit e6292fcdd6262434a7b713ad8802db6bc8a6d3dc
Author: YAMAMOTO Takashi <yamamoto@midokura.com>
Date:   Wed Sep 16 13:20:51 2015 +0900

ovsdb: Fix a few docstring
    
    Change-Id: I53e1e21655b28fe5da60e58aeeb7cbbd103ae014

commit c22949a4449d96a67caa616290cf76b67b182917
Author: fumihiko kakuma <kakuma@valinux.co.jp>
Date:   Wed Sep 16 11:52:59 2015 +0900

Remove requirements.txt for the ofagent mechanism driver
    
    It is no longer used.
    
    Related-Blueprint: core-vendor-decomposition
    https://blueprints.launchpad.net/neutron/+spec/core-vendor-decomposition
    
    Change-Id: Ib31fb3febf8968e50d86dd66e1e6e1ea2313f8ac

commit d1d4de19d85f961d388c91e70f31b3bafec418c5
Author: Kevin Benton <blak111@gmail.com>
Date:   Thu Sep 3 20:25:57 2015 -0700

Always return iterables in L3 get_candidates
    
    The caller of this function expects iterables.
    
    Closes-Bug: #1494996
    Change-Id: I3d103e63f4e127a77268502415c0ddb0d804b54a

commit 1ad6ac448067306fcf7ea562840e63fd257f0556
Author: Sudhakar Babu Gariganti <sudhakar-babu.gariganti@hp.com>
Date:   Fri Sep 11 14:53:27 2015 +0530

Prevent full sync in dhcp_agent when possible
    
    If an exception occurs in sync_state method, we try for a full sync
    even in the case where we have fewer networks to resync for.
    
    This turns out to be pretty costly in scaled environments.
    
    This patch addresses the above behavior by resyncing only for the
    eariler set of failed networks.
    
    Closes-Bug: #1495592
    
    Change-Id: I069e992b3b7814370d409236b6a3c81a25829cc1

commit 1b94f3f3d9c84a20f46000c0801eeb8bad84a6fb
Author: Jakub Libosvar <libosvar@redhat.com>
Date:   Wed Jul 15 10:46:35 2015 +0000

Add QoS fullstack test
    
    Test the qos policy and rule CRUD lifecycle with port. Future plans are
    to add similar testing with ports belonging to network with set qos
    policy.
    
    Change-Id: Iebe9b3e9d612d3533381a8cf4d0b9c587f8fda42

commit cc698b2ba578e5bc1475f6229bfebd1316c41ffb
Author: Moshe Levi <moshele@mellanox.com>
Date:   Mon Aug 10 12:25:59 2015 +0300

QoS agent extension and driver refactoring
    
    Moved some code common to all drivers into base
    qos driver abstract class, so related bugfixes go all in one
    place and we simplify the logic for every qos drivers.
    
    Port/Policy mapping moved out to a separate class.
    
    Support delete per rule_type or delete all rules.
    
    Related-bug: #1486039
    
    Co-Authored-By: Miguel Angel Ajo <mangelajo@redhat.com>
    Partially-Implements: blueprint ml2-qos
    Change-Id: Ia9d8638b9268b5aa8512cbb9d001413751f82649

commit 17765114292217d109c15b220be57fea6c9eed4a
Author: sridhargaddam <sridhar.gaddam@enovance.com>
Date:   Tue Jul 14 16:18:06 2015 +0000

Add IPv6 Address Resolution protection
    
    Similar to IPv4 arp protection support, this patch adds the necessary OVS
    rules to prevent ports attached to agent from sending any icmpv6 neighbor
    advertisement messages that contain an IPv6 address not belonging to the port.
    
    For details please refer to "Figure 3. Attack against IPv6 Address Resolution"
    http://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.html
    
    DocImpact
    SecurityImpact
    
    Closes-Bug: #1491690
    Change-Id: I1f8311f1b9ae1be02afde3e9078e49c6da373a88

commit 53c64ff1ac3e92fa1cb8945cfae26b2624f2697d
Author: Jakub Libosvar <libosvar@redhat.com>
Date:   Tue Sep 15 11:52:03 2015 +0000

Revert "AsyncProcess: try to kill tender"
    
    This change introduced bug 1495937.
    
    This reverts commit 470a7d8a106a274e06fb1311c6738f333a98f59c.
    
    Change-Id: I84fea4fdac71141da335ccd9e0d4c9d6174dfd86

commit 25e4e13565690fc4bc9e08e34598e18f04b921b7
Author: Cedric Brandily <zzelle@gmail.com>
Date:   Mon Aug 24 22:24:10 2015 +0200

Remove out-of-tree vendor AGENT_TYPE_* constant
    
    AGENT_TYPE_* constants[1] defines all agent types BUT the only vendor
    one(AGENT_TYPE_NEC) is only used in out-of-tree networking-nec repo.
    This changes removes out-of-tree AGENT_TYPE_NEC constant (dependant
    change defines it in networking-nec repo).
    
    [1] in neutron.extensions.portbindings
    
    Change-Id: Ia80c33ee7970cfe167c2c9ca6d512f23561455a2
    Closes-Bug: #1487598
    Depends-On: I955fa48ee2120900e422bab57db250303c3d7bb4

commit f4a76a7a26c0902d61f4fe61091e7fe556923592
Author: Jakub Libosvar <libosvar@redhat.com>
Date:   Mon Sep 14 14:54:34 2015 +0000

func: Don't use private method of AsyncProcess
    
    In functional test we simulate crash of AsyncProcess by calling
    _kill_process(). This method is a private method and such usage
    introduced a race where process was respawned prior to calling wait() of
    killed process, leading to infinite wait on newly spawned process.
    
    This patch adds manual send of kill and then active waiting for process
    to be respawned, similarly like done with recent keepalived patch [1].
    
    [1] https://review.openstack.org/#/c/222460/7/neutron/tests/functional/agent/linux/test_keepalived.py
    
    Closes-Bug: #1477860
    Change-Id: I1c91393304d65a0695311416ecc5b64fd549b192

commit a13f5afcc821e24e40227965491b964fa85c003c
Author: lzklibj <lzklibj@cn.ibm.com>
Date:   Fri Sep 11 02:37:47 2015 +0800

Remove unused ovs_lib method reset_bridge
    
    Per [1] we are using a better way to keep tunnel connectivity,
    so reset_bridge isn't used anymore. Bug in [2] was caused by
    using method reset_bridge which will delete and recreate bridge.
    For [1] makes method reset_bridge deprecated, it makes sense to
    remove this method, and make [2] no longer produce.
    
    [1] https://review.openstack.org/#/c/182920
    [2] Related-bug: #1332450
    
    Change-Id: I155f66a37b8d4081126467fe576e8315c2d5560c

commit 573c14659a953164ba556c694062e9242dcca807
Author: Brian Haley <brian.haley@hp.com>
Date:   Mon Sep 14 16:12:18 2015 -0400

Fix TypeError caused by delete_agent_gateway_port()
    
    A recent change used a keyword argument when it didn't need to,
    correct it to fix the multinode DVR job.
    
    End of typical traceback:
    
    File "/opt/stack/new/neutron/neutron/api/rpc/handlers/l3_rpc.py",
    in delete_agent_gateway_port(admin_ctx, network_id, host_id=host)
    
    TypeError: delete_floatingip_agent_gateway_port() got multiple
    values for keyword argument 'host_id'
    
    Introduced in commit 639f1893dde0d393a97b29ca5309dba716831a7
    
    Related-bug: #1495147
    
    Change-Id: Id2522bc843bc7b089b7783d3f765900a50a0033f

commit b01f2f08257f5156084ac3e2644e79f220b15b6d
Author: Kyle Mestery <mestery@mestery.com>
Date:   Thu Sep 10 15:46:04 2015 +0000

sub_project_guidelines: Add richer documentation
    
    Add additional documentation around releasing sub-projects.
    
    Change-Id: I71f31b6b8ed085066491e181074b467435f8d66d
    Signed-off-by: Kyle Mestery <mestery@mestery.com>

commit bfebc9f8af05b5d4a5dcd2c2b0d521fe2fefa265
Author: Ryan Moats <rmoats@us.ibm.com>
Date:   Mon Sep 14 11:29:28 2015 -0500

Fix typo: Large Ops, not Large Opts
    
    Change-Id: I73e64e19275f002fcc2ae2e903611835bfd98f8a
    Signed-off-by: Ryan Moats <rmoats@us.ibm.com>

commit 5eaff5fa0720b860ec4c0c75abee942313f93e94
Author: Ann Kamyshnikova <akamyshnikova@mirantis.com>
Date:   Mon Sep 14 17:29:22 2015 +0300

Fix query in get_l3_agent_with_min_routers
    
    For PostgreSQL if you're using GROUP BY everything in the SELECT
    list must be an aggregate count(...) or used in the GROUP BY.
    
    Closes-bug: #1495523
    
    Change-Id: Ieb75d0666ec2f6d2e61686bf2bacea2b9ad6c521

commit a8d0586fdebfd28e407e2d30f72c92e3711d0a1e
Author: Ilya Shakhat <ishakhat@mirantis.com>
Date:   Mon Sep 14 15:43:05 2015 +0300

Do not specify host for l2population topics
    
    When creating topics oslo.messaging automatically creates
    topic with hostname suffix (e.g. topic.hostname), there's
    no need to do this explicitly.
    
    Change-Id: Ia396452e8deb2c8f10bbead936245eeece8066a6
    Closes-Bug: #1495508

commit 638d16c8a019cfdafa2b6bb12c95775544bb58df
Author: Kevin Benton <blak111@gmail.com>
Date:   Thu Sep 3 10:01:40 2015 -0700

Add utility function for checking trusted port
    
    Ports that have a device_owner that starts with 'network:'
    are trusted in several places throughout the codebase. Each
    of these did a startswith check on each field and it's not
    immediately obvious why it's done.
    
    This patch adds a utility function called 'is_port_trusted'
    that performs the same check and makes it obvious what is
    being done.
    
    Change-Id: I542c753776d5cfb2fd736b25ea6e111867c89c89

commit 691fae47a4e7468884cb58692ecaf48b9737dae1
Author: Jakub Libosvar <libosvar@redhat.com>
Date:   Mon Sep 14 09:19:14 2015 +0000

Fix typo in error message in NetcatTester
    
    Change-Id: Ie00901b1dab6c0c5ad4ec0f0c437426afc60396e

commit a466531aec4cb02469d12756c0151deb59dd4d13
Author: Saju Madhavan <sajuptpm@gmail.com>
Date:   Mon Sep 14 14:03:28 2015 +0530

docstring fix
    
    Change-Id: I35e44872c3dc7508d5991dc967bbceb22d6bea51

commit 470a7d8a106a274e06fb1311c6738f333a98f59c
Author: IWAMOTO Toshihiro <iwamoto@valinux.co.jp>
Date:   Fri Sep 11 19:01:20 2015 +0900

AsyncProcess: try to kill tender
    
    _kill_process kills processes with SIGKILL, which prevents the
    processes' cleanup from running.  Issue SIGTERM first and wait a bit.
    
    Change-Id: Ie7b94011bbd11b1d672c95e3be19bb3c84ef77ec
    Closes-bug: 1494363

commit a57b37fc56ffe3c1dade796c4663e95b1bbeea80
Author: Hong Hui Xiao <xiaohhui@cn.ibm.com>
Date:   Thu Sep 10 06:38:01 2015 -0400

Enable servicing lbaasV2 vip by DVR
    
    Currently, the vip of lbaasV2 will not have l3 network with DVR.
    This prevent the usercase of lbaasV2 + DVR. This patch aims to
    enable servicing lbaasv2 vip by DVR.
    
    Change-Id: I1b51550437994fbe78d4db904641d4d9fb75d82e
    Closes-Bug: #1493809

commit e5f635ee4fd1fe8a0bd2e5c58db068b51fc94c0b
Author: armando-migliaccio <armamig@gmail.com>
Date:   Fri Sep 11 02:32:42 2015 -0700

Switch scheduler drivers to load based schedulers
    
    Cloud deployed at scale most likely will use these scheduler
    drivers because they allow a fairer resource allocation compared
    to chance schedulers (which randomly place resources on the hosts).
    
    Because of their importance, it's only wise to test them in
    the gate on a continuous basis, so that we do not get surprised
    by accidental regressions.
    
    Rather than pushing this down through devstack-gate/project-config
    patches, this chance alters the default of the scheduler
    drivers, so that users can also pick these up out of the box.
    
    This means that after an upgrade they would observe a change in
    the scheduling behavior, if they relied on the default config.
    
    DocImpact
    UpgradeImpact
    
    Closes-bug: #1494667
    
    Change-Id: I5927914cb88eff66bc7a045340ff68cb8da95ad6

commit dafa61bd46b7eacbc708d17a3fa492de971d6dd2
Author: armando-migliaccio <armamig@gmail.com>
Date:   Sat Sep 12 12:07:35 2015 -0700

Fix BadRequest error on add_router_interface for DVR
    
    This operation for DVR is made of multiple steps, some of
    which are not within the same DB transaction. For this
    reason, if a failure occurs, the rollback will be partial.
    
    This inconsistent state leads the retry logic to fail with
    BadRequest, because the router is believed to be already
    connected to the subnet.
    
    To fix this condition, it is necessary to delete the port
    should the DB deadlock occur.
    
    Closes-bug: #1494114
    
    Change-Id: Ia2a73d6f9d1e4746e761ad072d954e64267a3ad1

commit 57b6a651a39099ea76178bdcea51b06bde587e25
Author: Sergey Vilgelm <sergey@vilgelm.info>
Date:   Sat Sep 12 21:55:01 2015 +0300

Fix missing value types for log message
    
    This patch add missing value types for some log message of exception.
    
    Change-Id: Ie9f512bc804f0cd70df991b1910c975a2f9d6fcf
    Closes-Bug: #1494574

commit 5405d9742b94f203389f555c56727a66925e9454
Author: armando-migliaccio <armamig@gmail.com>
Date:   Thu Sep 10 21:54:33 2015 -0700

Tweak test_keepalived_respawns test logic
    
    This test initial design is problematic: it spawns keepalived,
    it asserts the process is up, then it attempts to kill it.
    
    However, this is when problems may arise:
    
    a) it does so by using the disable method on the process - we
       should be more rude than that if we want to simulate a crash!
    
    b) keepalived may be forking while it is starting and it is
       possible that for a moment the ppid changes and the process
       owner invoking the kill has no rights to kill the spawned
       process. This is the most plausible explaination I could find
       as to why kill returns 1 with no standard error
    
    c) it does not verify that the process has indeed disappeared
       (what if the pm.disable didn't work?) - this means that the
       test can pass, and yet the monitor may not work.
    
    Bottom line: this test relied on the correctness of the very code
    that was meant to validate...and that's not cool. To this aim, we
    wait for the process to be active, kill the process with a kill -9
    and verify that the process after the kill is indeed different.
    
    Closes-bug: #1490043
    
    Change-Id: Idaf419a1464d9d0d75b9106a7acd5cd960a7c623

commit 3c9482eb78b8a1e459ea9876a3b9a977690fce0d
Author: Salvatore Orlando <salv.orlando@gmail.com>
Date:   Fri Aug 28 08:55:42 2015 -0700

Reservations: Don't count usage if resource is unlimited
    
    If a resource is unlimited (ie: limit<0) then there is no need
    to verify headroom for it. This also means that there no need for
    counting it; therefore it is possible to save some DB operations
    by skipping the count phase.
    
    Change-Id: Ibe9ca8a1c29fb8ba12df187c25f8f9515968a54d
    Related-blueprint: better-quotas

commit 14ef151fe0ca193c341098fcd3910d5e523c140c
Author: Salvatore Orlando <salv.orlando@gmail.com>
Date:   Tue Aug 25 02:28:08 2015 -0700

Restore reservations in API controller
    
    This patch restores the reservation logic in the API controller,
    as the DB issues arising from the pymysql switch has been solved.
    
    Change-Id: I98b40925fdceba13d6a2b5a4d0c5793aeb5cf077
    Related-Bug: #1486134
    Related-Blueprint: better-quotas

commit a19e64c9d95781982d28113c667dbc90d0ea11eb
Author: Ihar Hrachyshka <ihrachys@redhat.com>
Date:   Fri Sep 11 14:46:51 2015 -0400

ovs: don't use ARP responder for IPv6 addresses
    
    ARP does not support IPv6 addresses, so when we try to apply the flow, it
    fails, with all other flows deferred for the same transaction. It results in
    random flow breakages, depending on the order of the bad flow in the
    transaction.
    
    Change-Id: I0ecf167653e5a7d0916e091e05050406a026a1e2
    Co-Authored-By: Thomas Carroll <Thomas.Carroll@pnnl.gov>
    Closes-Bug: #1477253

commit 6ee4343c4ce90423ea6477216519bcb0ef21b816
Author: Ihar Hrachyshka <ihrachys@redhat.com>
Date:   Fri Sep 11 16:32:06 2015 +0200

Install sriov-agent.ini on 'setup.py install'
    
    The previous change [1] that split the configuration file into two pieces
    missed the update of setup.cfg, so the file was not installed.
    
    [1]: Ie1eda925e051f85d53ad9624d6617d095cf8c7be
    
    Change-Id: Idcdc71b5614463fc0d81a8bc2d2833159be9e6c9
    Related-Bug: #1489060

commit c89a4fdd88b0f8832b32af55f64e0d3a35c84388
Author: sridhargaddam <sridhar.gaddam@enovance.com>
Date:   Thu Sep 10 16:14:13 2015 +0000

Configure gw_iface for RAs only in Master HA Router
    
    For an HA Router which does not have any IPv6 subnets in the external network
    and when ipv6_gateway is not set, Neutron configures the gateway interface of
    the router to receive Router Advts for default route. In an HA router, only
    the Master instance has the IP addresses while the Backup instance does not
    have any addresses (including LLA). In Kernel version 3.10, when the last
    IPv6 address is removed from the interface, IPv6 proc entries corresponding
    to the iface are also deleted. This is however reverted in the later versions
    of kernel code.
    
    This patch addresses this issue by configuring the proc entry only for the
    Master HA Router instance instead of doing it un-conditionally.
    
    Closes-Bug: #1494336
    Change-Id: Ibf8e0ff64cda00314f8fa649ef5019c95c2d6004

commit fb8014294530ac83f209a79612c09c897d80227f
Author: Ryan Moats <rmoats@us.ibm.com>
Date:   Fri Sep 11 07:41:38 2015 -0500

Remove useless log from periodic_sync_routers_task
    
    Logging that peridoic_sync_routers_task is starting with fullsync
    False just adds noise to devstack logs.  Reposition the log
    statement to indicate that the task is starting if it is going
    to be doing real processing.
    
    Change-Id: I73def1e20218b01c135769d0b8fbce449dad17ea
    Signed-off-by: Ryan Moats <rmoats@us.ibm.com>

commit 0f44a874b421e7dc055f409cffddbe52ca96b956
Author: Swaminathan Vasudevan <swaminathan.vasudevan@hp.com>
Date:   Thu Sep 10 13:48:46 2015 -0700

Replace is_this_snat_host validation with internal function
    
    There is already a function to validate if it is an snat
    host or not. So just use that function instead of additional
    validation.
    
    Change-Id: I004d94d1d4b632880ed289ccdc9bf45cffc0e095

commit bcafe20a14048b90d1f3153dad6076e42bf571f5
Author: Assaf Muller <amuller@redhat.com>
Date:   Thu Jun 11 17:13:44 2015 -0400

Add l2pop support to full stack tests
    
    Add the l2pop mechanism driver to the ML2 plugin configuration, and set
    l2_population = True, in the OVS agent configuration.
    Each test class can enable or disable l2pop in its environment.
    
    Change-Id: If4f2bf07883b763073b5a53f1aa557acb131d176

commit a885c4075ad983b8d68c4843359fa3578c48b575
Author: Assaf Muller <amuller@redhat.com>
Date:   Tue Jun 16 08:56:41 2015 -0400

Add tunneling support to full stack tests
    
    * EnvironmentDescription class now accepts 'network_type'.
      It sets the ML2 segmentation type, passes it to the OVS agents
      configuration files, and sets up the host configuration. If
      tunnelling type is selected, it sets up a veth pair with an IP
      address from the 240.0.0.1+ range. The addressed end of
      this pair is configured as the local_ip for tunneling purposes
      in each of the OVS agents. If network type is not tunnelled, it
      sets up provider bridges instead and interconnects them.
    * For now we run the basic L3 HA test with VLANs and tunneling just
      so we have something to show for.
    * I started using scenarios in fullstack tests to run the same test
      with VLANs or tunneling, and because test names are used for log
      dirs, and testscenarios changes test names to include characters
      that are not shell friendly (Space, parenthesis), I 'sanitized'
      some of those characters.
    
    Change-Id: Ic45cc27396452111678cf85ab26b07275846ce44

commit 590ed69918efabc173144f170f2ea5ff0d445a78
Author: IWAMOTO Toshihiro <iwamoto@valinux.co.jp>
Date:   Thu Sep 10 17:24:47 2015 +0900

Remove an unused DVR function
    
    is_dvr_router_interface isn't used since commit
    c5fafcb30a5b86e87309ad4650f7d05a2ca038dc.
    
    Change-Id: Id902e7b4aafcf61f8da29bf7ab543559ea6b7937

commit 29ac69ebe365b597ad5d1510381d3f02643edb3e
Author: Oleg Bondarev <obondarev@mirantis.com>
Date:   Thu Sep 10 10:51:10 2015 +0300

Handle ObjectDeletedError when deleting network ports/subnets
    
    It appeared there is still a race on port deletion when deleting
    networks. So commit a55e10cfd6369533f0cc22edd6611c9549b8f1b4
    introduced a regression. It's a bit of ironic that commit message
    was "Avoid DB errors when deleting network's ports and subnets".
    Shame on me!
    
    Closes-Bug: #1494157
    Change-Id: I37727eca5d68e6440f0f93e0f6bbe63b2f18b443

commit d5a8074ec3c67ed68e64a96827da990f1c34e10f
Author: Stephen Ma <stephen.ma@hp.com>
Date:   Fri Aug 28 14:00:48 2015 +0000

Descheduling DVR routers when ports are unbound from VM
    
    When a VM is deleted, the DVR port used by the VM could be unbound
    from the compute node. When it is unbounded, it is no longer
    in use on the node. Currently the unbind doesn't trigger a check
    to determine whether the DVR router can be unscheduled from the
    L3-agent running on the compute node. This patch makes the check
    and unschedule the router, if necessary.
    
    Closes-Bug: 1489184
    Change-Id: I882e0682bfc7695b3b23e36eb4d7e35a5d19748e

commit 81dd69caddced348ed26d7a732dc93c9bd10b953
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Thu Sep 10 00:06:08 2015 +0000

Updated from global requirements
    
    Change-Id: I78f123c8e49b6dcd23bda1def9e021df74ffb0ea

commit 4a8c2b875e4abb8e99d62f1530f209147faada2f
Author: ajmiller <al.miller@ajmiller.net>
Date:   Wed Sep 9 14:38:41 2015 -0700

Reduce the chance of random check/gate test failures
    
    As previously implemented, the TestTrackedResource class is designed
    to inject random failures into the gate. It generates random numbers
    within the range of 0..10000, and will fail if it generates duplicate
    random numbers during its run.
    
    This patch creates UUIDs instead of random numbers, and makes the
    chance of an collision vanishingly small.
    
    Change-Id: I0cf535d1c5a3995a50b506aafce10e983872dcb7
    Closes-bug: #1494021

commit 9b7ff6d3bd4059699c54180aca02e11d5fe07f21
Author: Carl Baldwin <carl.baldwin@hp.com>
Date:   Mon Aug 31 21:31:57 2015 +0000

Allow passing arbitrary ip route parameters to add/delete_route
    
    There are arguments to ip route like scope and dev that will need to
    be passed to add_route and delete_route.  This patch allows them to be
    passed using kwargs.
    
    Change-Id: I06d46bee9ca333c6a308d1af961bd9eadab9db97
    Partially-Implements:  blueprint address-scopes

commit 46e59d312a46d96860fc1226ec6024d10ef2b1e0
Author: Carl Baldwin <carl.baldwin@hp.com>
Date:   Tue Sep 1 16:58:22 2015 +0000

Make ip address optional to add_route and delete_route
    
    The add_route and delete_route methods require that the ip (actually
    "via" in ip route terms) be passed.  Some routes don't require this.
    This patch makes it optional while maintaining the position for those
    callers who do pass it by position.
    
    Change-Id: Ic16408c00c77898d8f7663c92e56aa30427469f3
    Partially-Implements:  blueprint address-scopes

commit da4ee8c8d26880b6b1a20d18f5cbd38e7d5e4b04
Author: Carl Baldwin <carl.baldwin@hp.com>
Date:   Fri Aug 28 21:28:39 2015 +0000

Add list routes
    
    This adds list routes while refactoring list_onlink_routes to share
    implementation.  It changes test_onlink_routes to be consistent in the
    type of data that it returns with the new list_routes.
    
    Change-Id: I386a8e2cb146385bb59a7a8387a29dddbec48d8a
    Partially-Implements: blueprint address-scopes

commit 24fa37e05544316b58357b753360b147878e5d94
Author: lzklibj <lzklibj@cn.ibm.com>
Date:   Mon Mar 2 02:13:41 2015 -0800

Fix dvr update for subnet attach multi subnets
    
    Fix method dvr_update_router_addvm to notify every
    router attached to subnet where the vm will boot
    on.
    
    In dvr case, when a subnet only attaches to one router,
    the subnet will only have one distributed router interface,
    which device_owner is "network:router_interface_distributed".
    So in this case, get_ports in this method will only get
    one port, and it should be unnecessary to break in for loop.
    
    But when a subnet attaches multiple routers, get_ports in
    this method will return all distributed router interfaces
    and the routers hold those interfaces should be notified
    when an instance booted on the subnet. So it should also
    be unnecessary to break in for loop.
    
    Change-Id: I3a5808e5b6e8b78abd1a5b924395844507da0764
    Closes-Bug: #1427122
    Co-Authored-By: Ryan Moats <rmoats@us.ibm.com>

commit 7bd30aa49c24dc65332740e4fa74da28533b92ed
Author: Carl Baldwin <carl.baldwin@hp.com>
Date:   Fri Aug 28 21:19:40 2015 +0000

Make ip rule comparison more robust
    
    I found that ip rules would be added multiple times in new address
    scopes code because the _exists method was unable to reliably
    determine if the rule already existed.  This commit improves this by
    more robustly canonicalizing what it reads from the ip rule command so
    that like rules always compare the same.
    
    Change-Id: I6d0c208f0ed8e65cdb750789321a7ad6ca1b77c2
    Partially-Implements: blueprint address-scopes

commit ce5761f15388888038f9c39da886cd0343b734fc
Author: Andrey Kurilin <akurilin@mirantis.com>
Date:   Wed Sep 9 16:48:59 2015 +0300

Remove hack for discovery novaclients extension
    
    novaclient provides a common way to discover all extensions, so we can
    remove import based on novaclient versioned client object.
    
    Closes-Bug: #1493886
    Change-Id: I7ae2eeb2d7e5c56e9284f3b059ff6e3545f42d5f

commit 91c476dcc5cd2192d0c43ca51a1b258b9c331fc4
Author: huangpengtao <huangpengtao@huawei.com>
Date:   Sun Aug 30 10:43:50 2015 +0800

Check ICMP codes in range [0,255]
    
    ICMP allows codes between 0 and 255, this change
    adds a check for codes range min value.
    
    DocImpact
    APIImpact
    
    Closes-Bug: #1486300
    
    Change-Id: Ic7a49458448fad16447b914bb15742515661a851

commit cc9957c747b3caa84ea52c7960d863e587ac66ac
Author: Carl Baldwin <carl.baldwin@hpe.com>
Date:   Tue Sep 8 21:04:23 2015 +0000

Remove address scopes from supported extensions
    
    This feature is not ready for prime time, but the cli code is
    already landed and shipped.
    
    In order to prevent users from getting mad about an uncooked feature,
    let's disable it until it becomes more robust.
    
    Tests must be disabled unconditionally because our CI API test framework
    execute tests for 'all' extensions available.
    
    Related-blueprint: address-scopes
    
    Change-Id: I71dc333e210b1f4acf30569711b4442ed8a1dfc3

commit bbaa4abdd5500d30576d63b5a5eb1503363e2f67
Author: Ann Kamyshnikova <akamyshnikova@mirantis.com>
Date:   Wed Sep 9 14:32:36 2015 +0300

Add test to check that correct functions is used in expand/contract
    
    This test will check that expand branch does not contain drop SQLAlchemy
    operations and contract branch does not contain create/add SQLAlchemy
    operations.
    
    Partially-Implements: blueprint online-schema-migrations
    
    Change-Id: Ifda31c0599651931c1a98f673f3b10e64538f18b
    Related-bug: #1490767

commit bd07b74045d93c46483aa261b8686072d9b448e8
Author: Moshe Levi <moshele@mellanox.com>
Date:   Tue Aug 25 15:50:09 2015 +0300

SR-IOV: devstack support for SR-IOV agent
    
    Change-Id: Ia0649962bd0c68d9c99fd54cc84ce8dd67d792e8

commit 4d831a462e2510ab080be7abae49ca3cff056e61
Author: Ann Kamyshnikova <akamyshnikova@mirantis.com>
Date:   Tue Sep 1 15:15:53 2015 +0300

Fix test_external_tables_not_changed
    
    test_external_tables_not_changed was not
    executed properly as new engine was created in env.py.
    
    Related-bug: #1466704
    
    Change-Id: If02415d7abd17024946f7aee8fb6abc374a7aefe

commit 37430d4bd096a04a0b3e23165ac244ac1f47a774
Author: Yi Zhao <zhaoyi@cmss.chinamobile.com>
Date:   Thu Aug 27 15:24:21 2015 +0800

Delete gateway conntrack state when remove external gateway
    
    This fixed the problem that a gateway ip conntrack state not cleared
    when user clears a router external gateway.
    
    Change-Id: I77f22d9504430259b01366e6296a99ba1cd6a046
    Closes-Bug: #1488730

commit 319920303a22988e418a982eef60f67af321148b
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Tue Sep 8 22:03:54 2015 +0000

Updated from global requirements
    
    Change-Id: Ib9d2e669f3d6e68cced7cd6674ff23ff7642f997

commit 7ca5a26c982084ed0b4cf036917a64580da6385c
Author: Mike Bayer <mike_mp@zzzcomputing.com>
Date:   Fri Aug 14 14:44:28 2015 -0400

Add non-model index names to autogen exclude filters
    
    The SQLAlchemy MySQL dialect generates implicit indexes
    in the less-common case of an integer column within a composite
    primary key where autoincrement is not set to False.
    Add a rule to ignore these indexes when performing
    autogenerate against a target database.
    
    Change-Id: I49abb3f7ad9731cde046fa2862cdb9ec16c3aeb3
    Partially-Implements: blueprint online-schema-migrations

commit 6576bea07c6c268b16e6c1f118b858e698452e2b
Author: Mike Bayer <mike_mp@zzzcomputing.com>
Date:   Mon Jul 20 18:34:15 2015 -0400

Implement expand/contract autogenerate extension
    
    Makes use of new Alembic 0.8 features to allow
    altering of the "alembic revision" stream such
    that operations for expand and contract are
    directed into separate branches.
    
    Change-Id: Ifa743e2f5b90e59a8de8f4e7a67c4bbe46686804
    Partially-Implements: blueprint online-schema-migrations

commit cd45f16442b7c56c4876bef527c9c83ea0907c40
Author: Swaminathan Vasudevan <swaminathan.vasudevan@hp.com>
Date:   Mon Jun 22 17:17:15 2015 -0700

Cleanup the fip agent gateway port delete routines
    
    Based on the parent patch, right now the Floatingip
    agent gateway ports will only be deleted when the
    last gateway port associated with the external
    network is deleted.
    
    The Floatingip agent gateway port will not be deleted
    for every floatingip dis-association and deletion.
    
    The Floatingip agent gateway port was created on all
    nodes as a substitute for the gateway port. So it
    makes sense to delete those ports only when the last
    gateway port on the external network is deleted.
    
    The agent should be able to delete the floatingip agent
    gateway port on a given external network when it is not
    required.
    
    This would substantially reduce the burden on the server
    to validate, read and delete the port form the DB.
    
    Change-Id: Ie561b19a2e58a2a563d79b75421e9e24c70f36f9
    Closes-Bug: #1468007
    Closes-Bug: #1408855
    Closes-Bug: #1450982

commit 639f1893dde0d393a97b29ca5309dba716831a7f
Author: Swaminathan Vasudevan <swaminathan.vasudevan@hp.com>
Date:   Mon Jun 22 16:50:43 2015 -0700

Add RPC command and delete if last FIP on Agent
    
    Today FloatingIP Agent gateway port is deleted and
    re-created for DVR based routers based on floatingip
    association and disassociation with VMs on compute
    nodes by the plugin.
    
    This introduces lot more strain on the plugin to
    create and delete these ports when VMs come up and
    get deleted that are associated with FloatingIps.
    
    This patch will introduce an RPC call for the agent
    to initiate a agent gateway port delete.
    
    Also the agent will look for the last floatingip that
    it manages, and if condition satisfies, the agent will
    request the server to remove the FloatingIP Agent
    Gateway port.
    
    Change-Id: I47694b2ee60c363e2fe59ad5f7d168252da08a45
    Related-Bug: #1468007
    Related-Bug: #1408855
    Related-Bug: #1450982

commit d5aa1659f56601d8f4d5e17273d5ade7a0e202dd
Author: Swaminathan Vasudevan <swaminathan.vasudevan@hp.com>
Date:   Mon Jun 22 16:33:32 2015 -0700

Delete FIP agent gateway port with external gw port
    
    FIP agent gateway ports are associated with external
    networks and specific host.
    
    Today FIP agent gateway ports are deleted for
    every floatingip associate and disassociate. This
    introduces race conditions in the port delete and also
    un-necessary access to the db.
    
    This patch will delete the FIP agent gateway port when
    the last gateway port of the external network is deleted.
    
    The child patch linked to this parent patch will clean
    up the FIP agent gateway port delete when associate,
    disassociate and delete of floatingip happens.
    
    This should also cover the case when an agent for some
    reason was unable to request agent gw port delete.
    (agent died).
    
    Related-Bug: #1408855
    Related-Bug: #1468007
    Related-Bug: #1450982
    
    Change-Id: I6637a771e6a6ce74e848cb74b779043e16a54a84

commit b62b92da9b9dbba953573bc212279c719e08f3ef
Author: Cedric Brandily <zzelle@gmail.com>
Date:   Tue Sep 8 15:23:49 2015 +0000

Remove ebtables_driver/manager dead code
    
    Previous changes[1] have been merged as enablers[2] to fix the bug
    1274034 but an alternative solution has been choosen and now we can
    consider the introduced code as dead code.
    
    This changes removes [2], associated tests and rootwrap filters.
    
    [1] I9ef57a86b1a1c1fa4ba1a034c920f23cb40072c0
        I3c66e92cbe8883dcad843ad243388def3a96dbe5
    [2] neutron.agent.linux.ebtables_driver
        neutron.agent.linux.ebtables_manager
    
    Closes-Bug: #1493422
    Related-Bug: #1274034
    Change-Id: I61e38fc0d8cf8e79252aabc19a70240be57e4a32

commit bbca973986fdc99eae9d1b2545e8246c0b2be2e2
Author: Kevin Benton <blak111@gmail.com>
Date:   Tue Aug 25 22:03:27 2015 -0700

Stop device_owner from being set to 'network:*'
    
    This patch adjusts the FieldCheck class in the policy engine to
    allow a regex rule. It then leverages that to prevent users from
    setting the device_owner field to anything that starts with
    'network:' on networks which they do not own.
    
    This policy adjustment is necessary because any ports with a
    device_owner that starts with 'network:' will not have any security
    group rules applied because it is assumed they are trusted network
    devices (e.g. router ports, DHCP ports, etc). These security rules
    include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
    and IP headers.
    
    Without this policy adjustment, tenants can abuse this trust when
    connected to a shared network with other tenants by setting their
    VM port's device_owner field to 'network:<anything>' and hijack other
    tenants' traffic via DHCP spoofing or MAC/IP spoofing.
    
    Closes-Bug: #1489111
    Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9

commit c0ee8cbcbf98698411e3618b95b1d8c7676c76ad
Author: Assaf Muller <amuller@redhat.com>
Date:   Tue Sep 8 10:48:11 2015 -0400

Add oslo rootwrap daemon logging during functional tests
    
    Change-Id: Ie688a1df6e256c0195b8f3937228f65c0463e9c3
    Closes-Bug: #1493396

commit d6d0853be34ce783b133a9c39aeb608033f3073b
Author: Aman Kumar <amank@hp.com>
Date:   Tue Mar 17 03:41:54 2015 -0700

ovs agent resync may miss port remove event
    
    In OVS Agent rpc_loop() resync mechanism clears the registered ports and
    rescans them again, and it might result in missing some "port removed"
    event and treat_devices_removed will not be called.
    
    This fix rescans the newly updated ports when resync mechanism called,
    without clearing the current registered ports.
    
    The registered ports will be cleared only if there are too many
    consecutive resyncs to avoid resycing forever because of the same
    faulty port.
    
    Closes-Bug: #1329223
    
    Co-Authored-By: Andrey Epifanov <aepifanov@mirantis.com>
    Co-Authored-By: Gandharva S <gandharva.s@hp.com>
    Co-Authored-By: Romil Gupta <romilg@hp.com>
    Co-Authored-By: Rossella Sblendido <rsblendido@gmail.com>
    
    Change-Id: Ib0db9dcf889d9fd90b623857782c9a6b091e18f5

commit 1b67012794932a06ce90976f9759fc588da269b5
Author: Ihar Hrachyshka <ihrachys@redhat.com>
Date:   Tue Sep 8 11:20:10 2015 +0200

tests: disable process monitor before managers
    
    Otherwise the monitor may respawn managers later, leaving them running.
    
    Issue spotted in:
    http://logs.openstack.org/02/216902/4/check/gate-neutron-dsvm-functional/a97df90
    
    Change-Id: I0e68b06c87b5770756fdf7b9201e1986cc67e07b
    Related-Bug: #1490051

commit 4b2e6842f320405cd963f560bc06849b4b7bb1eb
Author: armando-migliaccio <armamig@gmail.com>
Date:   Mon Sep 7 04:53:50 2015 -0700

Retry metadata request on connection refused error
    
    This testcase may fail intermittently on 'Connection refused' error.
    This could be due to the fact that the metadata proxy setup is not exactly
    complete at the time the request is issued; in fact there is no
    synchronization between the router being up and the metadata request being
    issued, and clearly this may be the reason of accidental but seldom failures.
    
    In order to rule out this possibility and stabilize the test, let's retry
    on connection refused only. If we continue to fail, then the next step would
    be to dump the content of iptables to figure out why the error occurs.
    
    Closes-bug: #1461172
    
    Change-Id: I65a5bf4fbbcad6ba93a46d36cabe7844ff528d8d

commit 9e178e42e46317a6f1ac7688340f0f84e4c16c80
Author: Sergey Belous <sbelous@mirantis.com>
Date:   Thu Sep 3 16:53:21 2015 +0300

Add ability to use custom config in DHCP-agent
    
    This patch doesn't changes behaviour of dhcp-agent
    but adds the opportunity to use user-defined config,
    that will make dhcp-agent more flexible
    and allows to run functional tests correctly
    (without changing global oslo.config CONF)
    
    Closes-Bug: #1492283
    Change-Id: Ice807e8fc872b56bb3960b7a3de4110c7675d9d6

commit 7da1724d446b6804c6be7a602532fbae58d9f008
Author: Salvatore Orlando <salv.orlando@gmail.com>
Date:   Tue Aug 25 02:21:06 2015 -0700

Improve DB operations for quota reservation
    
    This patch deals with the lock wait timeout and the deadlock errors
    observed under high concurrency (api_workers >= 4) with the pymysql
    driver. It includes the following changes:
    
    - Stop setting dirty status for resource usage when creating
      reservation, as usage of reserved resources is not tracked anymore;
    - Add a variable, increasing delay when retrying make_reservation
      upon a DBDeadlock error in order to reduce the chances of further
      collisions;
    - Enable transaction retry upon DBDeadlock errors for set_quota_usage;
    - Do not resync quota usage while making reservation. This puts a lot
      of stress on the database and is also wasteful since resource usage
      is very likely to change again once the transaction is committed;
    - Use autonested_transaction to simplify logic around when the
      nested flag should be used.
    
    Change-Id: I7a335f9ebea3c0d6fee6e6b757554e045a66075c
    Closes-Bug: #1486134
    Related-Blueprint: better-quotas

commit 13901bdf6941d17069073f489798faaa86151fae
Author: Moshe Levi <moshele@mellanox.com>
Date:   Tue Aug 18 08:48:24 2015 +0300

Qos SR-IOV: Refactor extension delete to get mac and pci slot
    
    When calling delete we need the pci slot details to reset the VF rate. The problem
    is that when the VM is deleted libvirt return the VF to the hypervisor and eswitch
    manager will mark the pci_slot as unassigned so can't know from the mac which pci slot (VF)
    to reset. Also newer libvirt version reset the mac when deleteing VM, so than it is
    not possible at all.
    The solution is to keep pci slot details locally in the agent since upon removal event
    you cannot get pci_slot from the neutron server as it is for create/update since port
    is already removed from neutron.
    
    This patch pairs the mac and pci_slot for a device (VF) so when calling the extension
    port delete api we can have the pci_slot and reset the VF rate.
    
    It is also add a mapping between mac to port_id so we can pass the port_id
    when calling the extention port delete api.
    
    Partially-Implements: blueprint ml2-sriov-qos-with-bwlimiting
    Closes-Bug: #1492909
    Change-Id: Icc3a9599c6d7a4de9c56b452dfab7909c8d0a576

commit b89879c286cdc5718ee540c2c581a3f500c18b3e
Author: root <mamtaprabhu@in.ibm.com>
Date:   Sat Sep 5 10:47:41 2015 -0700

Adds support to provide the csum option for the OVS tunnels
    
    The new option for the ovs agent will enable to set/unset the
    csum option for the vxlan/gre tunnels. The default is maintained as False.
    
    Change-Id: I18dcd8946b585e70f8890a5c222ea37059c4a0c5
    Implements: bp ovs-tunnel-csum-option
    Closes-bug: #1492111

commit 597be0028952f57e6083a674d724978cd9fe599c
Author: huangpengtao <huangpengtao@huawei.com>
Date:   Sun Sep 6 23:32:49 2015 +0800

Delete the useless variable agent_host
    
    Change-Id: I7fb9da4b4b5316ddbc93a89317ee57718da178d3

commit 42f80682d3eff58af60199f817ac402f457491a0
Author: Neil Jerram <Neil.Jerram@metaswitch.com>
Date:   Sun Sep 6 01:09:16 2015 +0100

Handle process disappearing before we ask for its PPID
    
    Change-Id: I573aba8e11dca16f8a6565f7e9704be18e938566
    Closes-Bug: #1478190

commit 6d51ef5d2e275d0d260a592d3ab8ed8a76a63421
Author: Oleg Bondarev <obondarev@mirantis.com>
Date:   Thu Sep 3 16:31:33 2015 +0300

OVS agent: handle deleted ports on each rpc_loop iteration
    
    Currently rpc loop processes ports only in case polling is required
    (message from ovsdb monitor) or there are port_updated notifications from
    server or security group notifications.
    In case of just port_deleted notifications port processing is not
    triggered during rpc loop.
    This may lead to agent accumulating a big amount of deleted ports
    and processing all of them at once during next iteration when polling is
    required or any notification from server, which might be quite tough for
    the agent. Tough means agent will be irresponsive while processing deleted
    ports.
    The patch makes port deletion processing more gradual.
    
    Closes-Bug: #1491922
    Change-Id: I0e1f6dfbf5b56fb18a978d6214e1768560d8ac98

commit b61cd4eaedc3a65657d5dbf8b09ec3c39f250637
Author: Shweta P <shpadubi@cisco.com>
Date:   Thu Aug 27 16:53:13 2015 -0400

Final decomposition of Cisco plugin
    
    This patch follows the previous patch(listed as dependent) and moves
    the remaining cisco db models from neutron to networking-cisco.
    The patch deletes l3_model and cisco_router_plugin and their associated
    config and helper files from neutron
    
    Change-Id: I5b71e1dfb683e633e1cd11386dfb7c2ed7cc7d62
    Partial-Bug: #1489609

commit d12017ad511a202a12422245cce6204a5731250c
Author: Abhishek Raut <rauta@vmware.com>
Date:   Mon Aug 10 20:52:15 2015 -0700

Remove Cisco Meta and N1KV monolithic plugins
    
    This patch removes the Cisco meta plugin and the Cisco
    Nexus1000V monolithic plugin as they were deprecated in the
    previous cycle.
    
    Closes-bug: #1473217
    
    Change-Id: Id170b9512b2f52a971264336d83b083d487359ee

commit 065275e51ff3852462586d01f5d3dd750bf2d663
Author: Robert Collins <rbtcollins@hp.com>
Date:   Sat Sep 5 16:04:42 2015 +1200

Workaround test stream corruption issue.
    
    Change-Id: I4c88f1891f53c6559bca71bf657aa30df2101280
    Closes-Bug: #1492505

commit ad9aaa63e5ea427d24c07e6a36a2976d83f1a26f
Author: Kevin Benton <blak111@gmail.com>
Date:   Fri Sep 4 18:27:42 2015 -0700

Fix RBAC filter query for negative case
    
    The query to find networks that aren't shared to the querier was
    broken. It was querying for the inverse of RBAC entries that shared
    to the querier, so it would return the network for each other tenant
    it was shared to. This meant that if a network had multiple RBAC
    entries, a shared=False filter wouldn't work in the API.
    
    This patch corrects the behavior by adjusting the query that looks
    for objects not shared to the caller to make sure the object ID doesn't
    appear in the shared subquery.
    
    This patch also adds a test that reliably reproduces the original issue.
    The sporadically failing filter test that revealed this issue depended
    on a race to have a network be shared to another tenant and to the wildcard
    at the same time.
    
    Change-Id: I9dcd869c1640b223221ba12e97284bbfcabbeb2b
    Closes-Bug: #1495040

commit 1886964890e1ba9d13df43d0caeff1546f2090a9
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Fri Sep 4 23:06:43 2015 +0000

Updated from global requirements
    
    Change-Id: I6f3dbf989cb6d9d110c2ee6a3a2e2b557bced28f

commit ed3c317ed9182538747f74713154ad94e9d866db
Author: Ihar Hrachyshka <ihrachys@redhat.com>
Date:   Fri Sep 4 22:21:41 2015 +0200

Fixed functional test that validates graceful ovs agent restart
    
    The async_ping function returns a callable that returns True when all ping
    futures are done. Since those futures are running for 10 secs, there was no
    chance that the result of the callable was True.
    
    The test was bailing out without calling bridge reset even a single time,
    effectively leaving the feature untested in gate.
    
    Another thing to note is that for some reason the patch fixed oslo rootwrap
    errors in the test when executed locally. Since I still don't understand how
    it's possible that it fixes the issue for me, I mark the bug as related only,
    and will track logstash after it's merged to see whether it applies unknown
    magic to gate jobs too.
    
    Change-Id: Iaa977abddf1a0c6af7e964f1a5cd545ffb79585a
    Related-Bug: #1490051

commit 1b25e30800c869dacca58afa6b8bf92f4cf9d377
Author: rossella <rsblendido@suse.com>
Date:   Wed Aug 26 16:06:25 2015 +0000

_bind_devices query only existing ports
    
    If a port is deleted right before _bind_devices is called,
    get_ports_attributes will throw an exception since the row
    corresponding to the port doesn't exist in the OVS DB.
    Avoid that setting if_exists to True. The port will be
    processed as deleted by the agent in the following iteration.
    
    Change-Id: Ia6590d76f8683e6cba562cde3c39b051549f6c04
    Closes-bug: #1489014

commit a93886278f1308ae78c65b4ad36ee7648cad2914
Author: Kevin Benton <blak111@gmail.com>
Date:   Fri Sep 4 05:33:46 2015 -0700

Stop logging deadlock tracebacks
    
    The oslo db retry decorator logs a traceback everytime a deadlock
    is encountered even though it is being retried. With multiple workers
    and a Galera cluster, deadlocks are common occurences due to our use
    of with_lockmode update so we should not be polluting the logs.
    
    This patch adjusts our usage of the retry decorator to catch deadlocks
    with the exception checker which does not log them until the retries
    are exhausted.
    
    Change-Id: I433fbbad61070e20ebe934b9247e36fc190fa3e0

commit e959e474d65211991c12f9495b227da5e4d99ed7
Author: Kevin Benton <blak111@gmail.com>
Date:   Fri Sep 4 04:22:35 2015 -0700

Don't log exceptions in GW update on router create
    
    The LOG.exception statement is not necessary because the exception
    is re-raised so if it's a real error it will be logged like any
    other failure.
    
    Related-Bug: #1494886
    Change-Id: I29aacd8c1187ddf8653009865ed9a62be948c5a7

commit 9b66c82483ab70caf3e09d8dcf5cb8d4d4ecfd60
Author: Kevin Benton <blak111@gmail.com>
Date:   Fri Sep 4 04:28:58 2015 -0700

Remove an unnecessary extension check for rbac
    
    This removes some logic to detect the RBAC extension
    that was written when RBAC was being developed as a
    service plugin. Since it's part of db base plugin there
    is nothing to enable in devstack so it's not necessary.
    
    Change-Id: I37f8060c14d8ad74f5cea649c18ee9ef3912cb2d

commit da81ae88929c389f0ba8660c4c8dfb79eec7c0fd
Author: Oleg Bondarev <obondarev@mirantis.com>
Date:   Thu Sep 3 15:13:25 2015 +0300

OVS agent: flush firewall rules for all deleted ports at once
    
    In some cases, under high load OVS agent has to delete a big amount of
    ports during rpc_loop. remove_devices_filter() does iptables-save/restore
    for IPv4 and IPv6 which is 4 system calls. It is very expensive and
    inefficient to call it for each port individually.
    
    Closes-Bug: #1491922
    Change-Id: I4cfb2dfcef5088436c7aaae22c8f66e1ea052311

commit ef409d9da2ecbf12f9916a9a933231146538cf04
Author: Ihar Hrachyshka <ihrachys@redhat.com>
Date:   Tue Sep 1 21:45:55 2015 +0200

Enable most unit tests for py34 job
    
    * Skip TestWSGIServerWithSSL[1] for Python 3 since it seems wsgi + ssl +
      eventlet setup does not behave correctly now,
    * Skip test_json_with_utf8[2] until we solve unicode/utf8 encode/decode,
    * Fix some more tests to pass for py3,
    * Replace print by print() in docs/docstrings.
    
    [1] neutron.tests.unit.test_wsgi (bug 1482633)
    [2] neutron.tests.unit.test_wsgi.JSONDictSerializerTest (bug 1491824)
    
    Related-Bug: #1482633
    Related-Bug: #1491824
    Blueprint: neutron-python3
    Co-Authored-By: Cyril Roelandt <cyril@redhat.com>
    Co-Authored-By: Cedric Brandily <zzelle@gmail.com>
    Co-Authored-By: sonu.kumar <sonu.kumar@nectechnologies.in>
    Change-Id: I26e513d4dcf473f4cd79728382fc94af3d901b5d

commit cd524065e2ac4f48d8b9810fa9735f0fd925c4d8
Author: Tu Hong Jun <tuhongj@cn.ibm.com>
Date:   Thu Aug 20 14:08:07 2015 +0800

Changed filter field to router_id
    
    The get_sync_interfaces query will always return all router ports
    from database even it is supposed to query specific ones that
    belong to a certain router. In large L3 scale environment with
    number of route ports in place, this would lag the response time
    for adding router interface and router L3 agent binding.
    
    Closes-Bug: #1489671
    Change-Id: Ib78ca766f91783ad2ecca5b728c31602b4ed15d8

commit 997aa86fa12e3209b65741ef95906d491895a493
Author: Sergey Vilgelm <sergey@vilgelm.info>
Date:   Mon Aug 31 17:06:48 2015 +0300

Fix a wrong condition for the _purge_metering_info function
    
    Fix a situation for the _purge_metering_info function
    when the items will never be deleted from the metering_info.
    Delete the metering_info dict and use the metering_infos instead.
    Fix the problem with changing a dictionary during iteration.
    Add the unit tests for the _purge_metering_info and
    _add_metering_info functions.
    
    Co-Authored-By: Yaroslav Isakov <yisakov@mirantis.com>
    
    Change-Id: I9031a5f27ae6438ffd5c5a48b0cf5cdc6867eff3
    Closes-Bug: #1490581

commit 2d65cccba29220e46b490871210014b94f086984
Author: Kevin Benton <blak111@gmail.com>
Date:   Thu Sep 3 17:43:37 2015 -0700

Don't log deadlock or retry exceptions in L3 DB
    
    We don't want to log exceptions in the l3 DB that will be retried
    by the DB retry decorator because it will look like a failure in
    the log when it actually ends up being retried.
    
    Change-Id: I024fc2db9022809194178c227d994bc6ed33c78b
    Closes-Bug: #1494886

commit f347939fd6c7b5a9e93af2007a0c01d00f29dc2b
Author: armando-migliaccio <armamig@gmail.com>
Date:   Thu Sep 3 10:29:12 2015 -0700

Make sure service providers can be loaded correctly
    
    This patch fixes a regression where, if neutron was loaded using
    --config-dir, the service_providers option was no longer available.
    
    We bring the logic back (removed by 61121c5f2af), alongside the ability
    to load the option auto-magically. This is especially required for DevStack
    deployments as of today, because neutron-server is only loaded by passing
    --config-file (...)neutron.conf and --config-file (...)ml2_conf.ini
    
    Change-Id: I9bfaed9e19a5506e27795a0b7ad47f4c31fefa40
    Closes-bug: #1490990

commit 9c466f4d0effa4686ca6744d7b9d015857830cb7
Author: Roman Bogorodskiy <rbogorodskiy@mirantis.com>
Date:   Wed Jun 24 14:40:35 2015 +0200

sriov: update port state even if ip link fails
    
    Some SRIOV drivers/devices don't support link state setting,
    meaning that 'ip link' fails like this when trying to set state:
    
     # ip l set dev p2p1 vf 6 state disable
     RTNETLINK answers: Operation not supported
    
    The sriov-nic-agent tries to do that in
    SriovNicSwitchAgent.treat_device() and fails because of non-zero
    exit status from 'ip link' and, therefore, doesn't reach the code
    that updates the actual port status, so port could hang in a BUILD
    state even if binding was successful.
    
    This patch fixes problem of nova not being able to successfully bind
    or cleanup such a port. It does not fix a case when user manually
    updates admin_state_up for a port via API, it's subject to a separate
    fix.
    
    Also, replace LOG.exception with LOG.warning for set_device_state()
    as the exception would be logged by PciDeviceIPWrapper.set_vf_state()
    anyway.
    
    Closes-bug: #1468332
    Change-Id: Ifa7c128d369ced60b5986aa0ed92527868f7efab

commit a97fd4dabb31019ac7926b4445cd8d8f319b1b6a
Author: armando-migliaccio <armamig@gmail.com>
Date:   Wed Sep 2 17:23:56 2015 -0700

Retain logs for functional test cases
    
    This helps greatly the debugging process in face of race conditions.
    
    Change-Id: I74235307183cbb15a7179b18b417b38ffb1d2cc9

commit da1ac497d2d10d008925311e3f14e9750f7b86b2
Author: Kevin Benton <blak111@gmail.com>
Date:   Wed Sep 2 06:50:36 2015 -0700

Don't setup ARP protection on OVS for network ports
    
    Skip adding ARP spoofing protection on OVS ports with a
    device_owner field starting with 'network:'. This is
    already the case for the other iptables-based spoofing
    protection and is necessary for floating IPs to function
    correctly on router gateway ports.
    
    Closes-Bug: #1487338
    Change-Id: I32cef17ff47fd62e6db16b9083104f07239be25f

commit 051ff13771026b015c893a19a89654bf2ca4d018
Author: Kevin Benton <blak111@gmail.com>
Date:   Wed Sep 2 07:04:55 2015 -0700

Don't setup ARP protection on LB for network ports
    
    Skip adding ARP spoofing protection on Linux bridge ports
    with a device_owner field starting with 'network:'. This is
    already the case for the other iptables-based spoofing
    protection and is necessary for floating IPs to function
    correctly on router gateway ports.
    
    Change-Id: If53733fb3060e5ab44bac5388f42bdc384bcdb93
    Closes-Bug: #1483315

commit 9f6bd17703b7286be9e7d439d15f4dec2774e13a
Author: Terry Wilson <twilson@redhat.com>
Date:   Mon Jun 15 22:52:28 2015 -0500

Add support for PluginWorker and Process creation notification
    
    There are several cases where plugin initialization should be
    handled after neutron-server forks API/RPC workers. For example,
    starting a client connection to an SDN controller before forking
    copies the fd of the socket to the child process, but then you have
    multiple processes trying to read/write the same socket connection.
    
    It is also useful for a plugin to be able to do something in only
    one process, regardless of how many workers are forked. One example
    would be handling syncing from an external system to the neutron
    database.
    
    This patch does 3 things:
    1) Treats rpc_workers=0 as = 1. This simplifies the code for
       handling notification that forking has completed. In the
       existing code, calling the notification in the Worker object's
       start() method would happen twice in the case where both api
       and rpc workers were 0, despite there being only one process.
       An earlier patch already changed the default api_workers to be
       the number of processors.
    2) Adds notification of forking via the callbacks mechanism.
       Plugins can subscribe to resources.PROCESS, event.AFTER_CREATE
       and do any post-fork initialization that needs to be done for
       every spawned process.
    3) Adds core/service plugin calls to get_workers() which defaults
       to returning (). Plugins that need additional processes to spawn
       should just return an iterable of NeutronWorkers that will be
       spawned in their own process.
    
    DocImpact
    
    Closes-Bug: #1463129
    Change-Id: Ib99954678c2b4f32f486b537979d446aafbea07b

commit bd734811753a99d61e30998c734e465a8d507b8f
Author: Nick <skywalker.nick@gmail.com>
Date:   Sun Jul 19 22:41:27 2015 +0800

Implement external physical bridge mapping in linuxbridge
    
    In some deployment scenario, it is not allowed to remove system
    ethernet configuration from physical interface to newly-created
    physical bridge by neutron due to some IT regulations.
    End-users require to take advantage of the pre-existed(user-defined)
    physical bridge to connect tap devices for neutron.
    
    Closes-Bug: #1105488
    Implements: blueprint phy-net-bridge-mapping
    DocImpact
    
    Change-Id: Ia0eaa6233d8da93da32e86404b15184b77937d0a

commit a55e10cfd6369533f0cc22edd6611c9549b8f1b4
Author: Oleg Bondarev <obondarev@mirantis.com>
Date:   Wed Aug 12 20:02:01 2015 +0300

Avoid DB errors when deleting network's ports and subnets
    
    DB errors may occur when accessing query results
    after the transaction was closed (like ObjectDeletedError).
    Hence it's better to avoid DB object access especially
    when it's not needed.
    This patch changes _delete_ports() and _delete_subnets() to accept
    only ids. Indeed, there is no need to pass db objects to these methods.
    
    Closes-Bug: #1484135
    Related-Bug: #1454408
    Change-Id: I7507cb1c85defb2e6d5144e5832aea713d6251ae

commit 8c3cb79aa54b0ffcdc840c7e95ab809835d05001
Author: Kevin Benton <blak111@gmail.com>
Date:   Thu Aug 27 22:12:48 2015 -0700

Better message on allowed address pairs error
    
    Neutron was throwing a 500 error when a non-iterable was passed
    into allowed address pairs. This patch just catches that and
    converts it into a regular badrequest message.
    
    Closes-Bug: #1477829
    Change-Id: I3c6f55df4912c7a9480fa097988f910b254572fd
    Signed-off-by: Kevin Benton <blak111@gmail.com>

commit cc20673d673113974c78a2b17a9ff4da47ad6665
Author: Assaf Muller <amuller@redhat.com>
Date:   Sat Aug 29 11:32:19 2015 -0400

Add info to debug test_keepalived_respawns gate failure
    
    Current theory is that there's a bug in external_process.active,
    it returns True when it shouldn't, then kill -15 on the process
    pid fails because the process isn't up. Added ps -p output to
    see if the process is up or not.
    
    Change-Id: Ic062be829d5f05a1294f6b2fa54820422871ffcb
    Related-Bug: #1490043

commit d02bcb9c3917028948b08c319d1443d487c36846
Author: Hirofumi Ichihara <ichihara.hirofumi@lab.ntt.co.jp>
Date:   Tue Aug 25 09:10:00 2015 +0900

Enable to update external network subnet's gateway-ip
    
    This patch enables users to update gateway_ip of a subnet even if
    the subnet is in use for an external network of a router.
    
    Change-Id: I78d2b024c99b1af0001bd454465d2fc02692cbf2
    Closes-Bug: #1317363

commit c43cc3eb20101b2d2b19344690fed9892383621b
Author: James Arendt <james.arendt@hp.com>
Date:   Fri Aug 28 16:33:44 2015 -0700

Make Neutron service flavor save service_type
    
    While the service_type exists in the resource attributes and as
    a database field for a Flavor, the creation dictionary did not
    pass the value so the service_type was not being persisted
    in the database nor returned.
    
    Enhanced unit test to show problem.  Test fails on old code
    to save or return the input service_type.
    
    Change-Id: I4dba287f5972ecebd193d65e7f542dd0a65f055b
    Closes-Bug: 1490063

commit db4ea4517886741c2bd3e15e39bee0ecbd1356ae
Author: James Arendt <james.arendt@hp.com>
Date:   Wed Aug 26 16:53:24 2015 -0700

Add tenant_id to flavor service profiles attributes
    
    Neutron v2 base.py auto populates a 'tenant_id' attribute on
    calls if the attribute is not passed.  This causes a POST
    to create a flavor service binding to fail when verifying
    attributes with:
    Unrecognized attribute(s) 'tenant_id'
    
    Solution is to add tenant_id as expected attribute in the
    attribute map as done in other sub resources like QOS.
    
    Fix unit test for non-keystone case.
    
    Change-Id: Ic2bd1271f297fc10b49304ffd5fe617637e3d8f4
    Closes-Bug: 1489197

commit 9022fb1ae8f90df59c4da64450eb96de8c011715
Author: armando-migliaccio <armamig@gmail.com>
Date:   Mon Jul 27 14:11:46 2015 -0700

Remove implicit registration of *-aas service providers
    
    Implicit registration can be dropped when explicit registration
    for load balancer and vpn is implemented. Firewall does not
    use service providers and the ServiceTypeManager, so the
    precautionary step can be dropped altogether.
    
    Support for configuring providers via the service_providers section
    in neutron.conf, is no longer available, hence clear the stale
    entry points.
    
    DocImpact
    
    Closes-bug: #1473110
    
    Change-Id: I5e1d254b9a3a24121d9e9d3cb82f877d44079296

commit 0a258afc7ee3c03974dffa2c0dd0b7b367034cc7
Author: Kevin Benton <blak111@gmail.com>
Date:   Fri Aug 28 00:50:59 2015 -0700

Process user iptables rules before INVALID
    
    Process user-defined iptables rules before the INVALID DROP
    rule. This is to allow scenarios where the VMs need to
    legitimately receive packets that conntrack doesn't have an
    entry for (e.g. SYN-ACK where the SYN wasn't sent by the VM).
    A user can accomplish this by adding an allow rule that matches
    the headers of these INVALID packets so they get permitted before
    they hit the INVALID DROP rule.
    
    Closes-Bug: #1460741
    Change-Id: Ie6ce5f3fa688f1bf25b77db5955211922d9fe85b

commit b3e7e21c32a251ba0b7123aa909edeaedd08152a
Author: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Date:   Mon Mar 2 16:40:11 2015 +0900

OVS-agent: Introduce Ryu based OpenFlow implementation
    
    Introduce an alternative OpenFlow implementation, "native",
    implemented using Ryu ofproto python library from Ryu SDN Framework.
    Make it selectable with of_driver=native agent option.
    The aim is to replace the existing ovs-ofctl based implementation
    eventually.
    
    It introduces node-local OpenFlow controller embedded in
    OVS agent.  Benefits include:
    * Reduce the overhead of invoking ovs-ofctl command (and associated
      rootwrap)
    * Make future uses of OpenFlow asynchronous messages (e.g. Packet-In,
      Port-Status, etc) easier
    * Make XenAPI integration simpler
    
    Highlights:
    * Switch to OpenFlow 1.3.
    * Make OVS-agent act as an OpenFlow controller
    * Configure OVS on the node to connect to the controller
    
    DocImpact
    
    Implements: blueprint ovs-ofctl-to-python
    Co-Authored-by: IWAMOTO Toshihiro <iwamoto@valinux.co.jp>
    Change-Id: I02e65ea7c6083b2c0a686fed2ab04da4d92b21a3

commit 5aab6a577950525d8f656d373f2e46a229fa600b
Author: Kevin Benton <blak111@gmail.com>
Date:   Tue Sep 1 19:35:33 2015 -0700

Deprecate external_network_bridge option in L3 agent
    
    This option provides another way to attach to a specific bridge
    that is not quite equivalent with how bridge_mappings work in the
    L2 agent. This creates inconsistencies between how the L3 agent
    behaves when configured with a bridge_mapping and provider properties
    of the Neutron network vs. when it just ignores all L2 stuff and
    plugs itself directly into the bridge.
    
    See the bug report for more info.
    
    Change-Id: I37de3cd6eaaf34856fa72753f471f4f0a9381836
    Closes-Bug: #1491668

commit e10b008f7a2a1cb45ae5f77082f8d45b51274489
Author: salvatore <salv.orlando@gmail.com>
Date:   Fri Aug 21 10:44:25 2015 +0200

Do not track active reservations
    
    Reservations have a transient nature: a reservation lifespan
    typically begins and ends with a single request.
    Therefore tracking reserved amounts for each tenant and resource
    is not nearly as efficient as tracking resource usage.
    Indeed it is fairly easy to verify that the overhead for tracking
    reserved amounts is much greater than the one needed for counting
    active reservations for each tenant and resource.
    
    This patch removes the logic for tracking reservations, and
    replaces it with an explicit count of active reservations.
    
    Please note that this patch does not adjust accordingly the
    ResourceUsage DB model. This will be done in a separate patch with
    an expand migration; this should avoid most merge conflicts before
    the final patch for restoring reservation logic merges.
    
    Related-Blueprint: better-quotas
    
    Change-Id: Ib5e3bd61c1bc0fc8a5d612dae5c1740a8834a980

commit 8ba57a2bf1ce3693db47de4ff8dd5a7a9b5347d7
Author: Henry Gessau <gessau@cisco.com>
Date:   Tue Sep 1 17:17:01 2015 -0400

Deprecate --service option for neutron-db-manage
    
    Now that https://review.openstack.org/198542 has merged we can
    deprecate the --service option. From now on instead of
      --service fwaas
    we should instead use
      --subproject neutron-fwaas
    
    This puts the *aas subprojects on equal footing with the other
    projects in the Neutron Stadium for neutron-db-manage.
    
    In the Liberty release the --service option will be marked as
    deprecated. It will be removed in Mitaka.
    
    Related-Bug: #1470625
    
    Change-Id: Iecc678efafd798b62bb83e6e85333c64760f16b5

commit c029954c8ae041e5f15b14ceef0e2aa060928e05
Author: Sachi King <nakato@nakato.io>
Date:   Tue Sep 1 15:10:54 2015 +1000

Add constraint target to tox.ini
    
    This adds a pip install command to tox.ini that is only used when the
    tox env is passed with the 'constraints' factor appended onto it.
    As such this will not effect developer workflows or current unit tests.
    
    The initial use of this will be in a non-voting job, to verify that the
    constrained checks with tox are stable.  DevStack is already running
    constrained jobs, as such problems are no expected.
    
    To run a tox with pip using constraints on a developer system a
    developer should run the desired tox environment with -constraints.
    For example: $(tox -epy27-constraints)
    Pip will pull the current version of the upper-constraints.txt file down
    from the git.openstack.org, however this method can be overriden to use
    a local file setting the environment variable "UPPER_CONSTRAINTS_FILE"
    to the local path or a different URL, it is passed directly to pip.
    
    This is currently not enabled in the default tox run, however it is
    possible to enable it as a default by adding it to 'envlist' in tox.ini
    
    Change-Id: I13579599dfdf846d06d8c39f33265e8b46db6e68
    Depends-On: I17ac389f78af241917b6da7f049085f2b13d30f2
    Implements Blueprint: Requirements-Management

commit f3f5940201a9e010c188f83aead7d93e7e8c9b6d
Author: Neil Jerram <Neil.Jerram@metaswitch.com>
Date:   Mon Jul 27 14:41:29 2015 +0100

DHCP agent: allow using gateway IPs instead of uniquely allocated
    
    In each place where the DHCP agent runs, and for each subnet for which
    DHCP is handing out IP addresses, the DHCP port needs - at the Linux
    level - to have an IP address within that subnet.  Generally this
    needs to be a unique Neutron-allocated IP address, because the
    subnet's underlying L2 domain is bridged across multiple compute hosts
    and network nodes, and for HA there may be multiple DHCP agents
    running on that same bridged L2 domain.
    
    However, if the DHCP ports - on multiple compute/network nodes but for
    the same network - are _not_ bridged to each other, they do not need
    each to have a unique IP address.  Instead they can all share the same
    address from the relevant subnet.  This works, without creating any
    ambiguity, because those ports are not all present on the same L2
    domain, and because no data within the network is ever sent to that
    address.  (DHCP requests are broadcast, and it is the network's job to
    ensure that such a broadcast will reach at least one of the available
    DHCP servers.  DHCP responses will be sent _from_ the DHCP port
    address.)
    
    Specifically, for some networking backends it makes sense to allow all
    DHCP ports to use the subnet's gateway IP address, and thereby to
    completely avoid any unique IP address allocation.
    
    This change therefore enhances the DHCP agent code to be able to use
    gateway IPs as an alternative to uniquely allocated ones, with the
    choice between those being made by a new interface driver property,
    'use_gateway_ips'.  The back-compatible default is to use unique IPs.
    An interface driver that wants the DHCP agent to use gateway IPs can
    achieve that by overriding as follows:
    
        @property
        def use_gateway_ips(self):
            return True
    
    Partial-Bug: #1486649
    Change-Id: I17e1dc9231a5ec35bd6f84c4c7aca6350d76e8ec

commit 3de01b39b74d0a23f765b1f9b1a4ba1eb457068c
Author: Stephen Ma <stephen.ma@hp.com>
Date:   Thu Aug 27 04:50:14 2015 +0000

Resolve issue where router can't be removed from L3-agent in dvr mode
    
    Fixes the problem where the L3 DVR Scheduler is unable
    to remove a DVR router from a L3 agent running in
    'dvr' mode.
    
    Closes-bug: 1489091
    Change-Id: Id128a81d2cf7108936715ee305012fbff23ffdbf

commit c5d182da588d8dcf107d22735eb37250362043c0
Author: rossella <rsblendido@suse.com>
Date:   Thu Jul 23 19:41:20 2015 +0200

OVS agent add functional tests of OVS status
    
    Add a functional tests to verify that the agent
    behaves correctly when OVS restarted.
    
    Partially-Implements: blueprint restructure-l2-agent
    Change-Id: Ifeb0f2f6a06baead93df2c016ea26bfea990734d

commit 71dd3a0f87eb69072696f6905f8380924dd67c1a
Author: rossella <rsblendido@suse.com>
Date:   Fri Jul 31 17:25:37 2015 +0000

check_changed_vlans doesn't need registered_ports as param
    
    check_changed_vlans doesn't need registered_ports since the
    ports processed by the agent are accessible from local_vlan_map
    
    Partially-Implements: blueprint restructure-l2-agent
    Change-Id: I279dcaff469337c553b358f6f5476c7238e89a59

commit 4ea6810d50c0d960c4640f0c12c6ec025449b64d
Author: YAMAMOTO Takashi <yamamoto@midokura.com>
Date:   Tue Sep 1 16:26:03 2015 +0900

test_migrations: Remove unnecessary midonetclient mocks
    
    These seem leftovers from plugin decomposition.
    
    Change-Id: Ib05ebbbd6627a1b69c413761b0e5a8e53817d8f2

commit ed392dc5354131b377ebf6aea518fb8e2ca7f893
Author: Sergey Belous <sbelous@mirantis.com>
Date:   Mon Aug 31 17:44:19 2015 +0300

Fixed filters for functional tests
    
    Removed filter for unused tee utility.
    CommandFilter for curl replaced with more stricted RegExpFilter
    and now allow run curl only with specified parameters.
    
    Change-Id: I5d151a63f85cb969f79d4d92f5422e8e88855be5
    Closes-Bug: #1487139

commit 599977e20bd480305434168400055fa417aad8b1
Author: Lajos Katona <lajos.katona@ericsson.com>
Date:   Tue Jul 7 15:04:35 2015 +0200

Fix locale problem in execute()
    
    Change from new format string to old style formatting.
    
    Change-Id: Ib39de7169416c2cc053d4aa909075c68cd2d7f0b
    Closes-bug: #1449897

commit e77eac8611f8fbb333168dc344c0056acaebb8b5
Author: Edgar Magana <emagana@gmail.com>
Date:   Sat Aug 29 08:00:17 2015 -0700

Improve python code for missing suggestion
    
    Include a missing suggestion in code already merged
    
    Related-Blueprint: better-quotas
    
    Change-Id: I5983ccf6e2f98d2df41403b3be06748d5556c181

commit 34a329b4de7c801c15b3c214cc2b122ac82d0b72
Author: Swaminathan Vasudevan <swaminathan.vasudevan@hp.com>
Date:   Tue Aug 25 16:24:05 2015 -0700

Add a functional test to validate dvr snat namespace
    
    Add a functional test to validate the dvr snat
    namespace and its internal interfaces when internal
    networks are removed and added.
    
    Change-Id: Id44f5e5899e959be53b09e6f9bc732f553ae9a5a
    Related-Bug: #1479130

commit 3a9e778399af8380b11c968da39e08b4a97a9f1f
Author: Carl Baldwin <carl.baldwin@hp.com>
Date:   Tue Aug 25 22:32:50 2015 +0000

Add snat ports cache to dvr router
    
    This reverses the effect of [1] but in a way that works with the
    current structure of the code and keeps DVR details in DVR classes
    
    [1] https://review.openstack.org/#/c/200293
    
    Change-Id: Ia8468881de6538882d4a14725b55db53e23d2e4c
    Closes-Bug: #1479130

commit 72e388445eb6f6903ccfc5079aa206ac2cbcfd5e
Author: Sachi King <nakato@nakato.io>
Date:   Mon Dec 8 17:42:48 2014 +1100

Return exception when attempting to add duplicate VIP
    
    Neutron should never attempt to add a VIP to keepalived's config
    multiple times, and to do so is an error.  As such this adds an
    exception if this is ever attempted.
    
    Change-Id: If1c41c3164e8a998c73f9b7aa566e2ba6570f54b
    Closes-Bug: #1400217

tags:

added: in-feature-pecan

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-21: Change abandoned on neutron (feature/pecan)

#42

Change abandoned by Doug Wiegley (<email address hidden>) on branch: feature/pecan
Review: https://review.openstack.org/224334

Thierry Carrez (ttx) on 2015-09-24

Changed in neutron:
milestone:	none → liberty-rc1
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-10-15

Changed in neutron:
milestone:	liberty-rc1 → 7.0.0

Revision history for this message

Perry (panxia6679) wrote on 2015-11-25:

#43

I won't be able to reproduce the problem on the Juno with steps in Bug Description. I am wondering whether there is any incorrect step. Can anyone help correct me? Thanks.

1) create a neutron security group
neutron security-group-create --description permissive unlocked11
neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 --direction ingress unlocked11
neutron security-group-rule-create --protocol tcp --port-range-min 28 --port-range-max 50000 --direction egress unlocked11
neutron security-group-rule-create --protocol udp --port-range-min 1 --port-range-max 1000 --direction ingress unlocked11

2) create a port with security group created above
neutron port-create --security-group unlocked11 <network>

3) update port immediately after step 2)
watch neutron port-update <port uuid above> --device-owner network:hello

4) boot a vm
nova boot --key-name perry --nic port-id= <port uuid above> --flavor Standard --image <image> test

I found that if VM got ERROR with the following message.
{"message": "Build of instance f5b5090c-4141-44a8-8130-95692c5b1199 aborted: Failed to allocate the network(s), not rescheduling.", "code": 500, "details": " File \"/usr/lib/python2.6/site-packages/nova/compute/manager.py\", line 2079, in _do_build_and_run_instance filter_properties File \"/usr/lib/python2.6/site-packages/nova/compute/manager.py\", line 2213, in _build_and_run_instance reason=msg)

In addition, if I update the port device owner after several seconds after nova boot, the the VM's iptables looks consistent with port security group rules which is the same as normal VM without updating port. There is no any thing missed.

Thanks.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-11-25:

#44

Hi Perry, just a quick check, are you using 2014.2.4 ? Or make sure you don't have the fix (changeId: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9) in order to reproduce that bug...

description:

updated

Revision history for this message

Perry (panxia6679) wrote on 2015-11-26:

#45

Hi Tristan, thanks for your reply. I double checked servers and there is no such fix (changeId: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9) applied. The code base is 2014.2.2.

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-11-26:

#46

Can you see why the nova instance failed to build? It may be easier to create the port, start the update loop and then attach it to a running VM.

Revision history for this message

Perry (panxia6679) wrote on 2015-11-27:

#47

Download full text (5.1 KiB)

Hi Kevin,

compute log:

2015-11-27 03:17:29.480 6812 ERROR nova.compute.manager [-] [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] Instance failed to spawn
2015-11-27 03:17:29.480 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] Traceback (most recent call last):
2015-11-27 03:17:29.480 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] File "/usr/lib/python2.6/site-packages/nova/compute/manager.py", line 2310, in _build_resources
2015-11-27 03:17:29.480 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] yield resources
2015-11-27 03:17:29.480 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] File "/usr/lib/python2.6/site-packages/nova/compute/manager.py", line 2172, in _build_and_run_instance
2015-11-27 03:17:29.480 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] block_device_info=block_device_info)
2015-11-27 03:17:29.480 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 2661, in spawn
2015-11-27 03:17:29.480 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] block_device_info, disk_info=disk_info)
2015-11-27 03:17:29.480 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 4485, in _create_domain_and_network
2015-11-27 03:17:29.480 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] raise exception.VirtualInterfaceCreateException()
2015-11-27 03:17:29.480 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] VirtualInterfaceCreateException: Virtual Interface creation failed
2015-11-27 03:17:29.480 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20]
2015-11-27 03:17:29.490 6812 AUDIT nova.compute.manager [req-4de7d5b4-69c9-4e62-971c-c67ff32f418c None] [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] Terminating instance
2015-11-27 03:17:29.512 6812 WARNING nova.virt.libvirt.driver [-] [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] During wait destroy, instance disappeared.
2015-11-27 03:17:29.880 6812 ERROR nova.compute.manager [-] [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] Failed to allocate network(s)
2015-11-27 03:17:29.880 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] Traceback (most recent call last):
2015-11-27 03:17:29.880 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] File "/usr/lib/python2.6/site-packages/nova/compute/manager.py", line 2172, in _build_and_run_instance
2015-11-27 03:17:29.880 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] block_device_info=block_device_info)
2015-11-27 03:17:29.880 6812 TRACE nova.compute.manager [instance: 0b98dcb2-d343-4350-b65a-6615a8c45a20] File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 2661, in spawn
2015-11-27 03:17:29.880 6812 TRACE nova.compute.manager ...

	Status	Importance	Assigned to	Milestone
OpenStack Security Advisory	Fix Released	Undecided	Tristan Cacqueray
neutron	Fix Released	Undecided	Tristan Cacqueray	neutron 7.0.0 "liberty"
Juno	Fix Released	Undecided	Unassigned	neutron 2014.2.4

neutron

[OSSA 2015-018] IP, MAC, and DHCP spoofing rules can by bypassed by changing device_owner (CVE-2015-5240)

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Patches

Remote bug watches