Merge pull request #251 from stackhpc/upstream/2025.1-2026-01-12

Synchronise 2025.1 with upstream

Author: mnasiadka

doc/source/ovn/index.rst

@@ -13,3 +13,4 @@ OVN Driver
    ml2ovn_trace.rst
    faq/index.rst
    ovn_agent.rst
+   virtual_ips.rst

doc/source/ovn/virtual_ips.rst

@@ -58,9 +58,8 @@ def __init__(self, conf):
         self._chassis = None
         self._chassis_id = None
         self._ovn_bridge = None
-        self.ext_manager_api = ext_mgr.OVNAgentExtensionAPI()
-        self.ext_manager = ext_mgr.OVNAgentExtensionManager(self._conf)
-        self.ext_manager.initialize(None, 'ovn', self)
+        self.ext_manager_api = None
+        self.ext_manager = None
 
     def __getitem__(self, name):
         """Return the named extension objet from ``self.ext_manager``"""
@@ -159,7 +158,22 @@ def update_neutron_sb_cfg_key(self):
             'Chassis_Private', self.chassis,
             ('external_ids', external_ids)).execute(check_error=True)
 
+    def _initialize_ext_manager(self):
+        """Initialize the externsion manager and the extension manager API.
+
+        This method must be called once, outside the ``__init__`` method and
+        at the beginning of the ``start`` method.
+        """
+        if not self.ext_manager:
+            self.ext_manager_api = ext_mgr.OVNAgentExtensionAPI()
+            self.ext_manager = ext_mgr.OVNAgentExtensionManager(self._conf)
+            self.ext_manager.initialize(None, 'ovn', self)
+
     def start(self):
+        # This must be the first operation in the `start` method.
+        self._initialize_ext_manager()
+
+        # Extension manager configuration.
         self.ext_manager_api.ovs_idl = self._load_ovs_idl()
         self.load_config()
         # Before executing "_load_sb_idl", is is needed to execute

neutron/agent/ovn/agent/ovn_neutron_agent.py

@@ -431,6 +431,21 @@ def _update_chassis_private_config(self):
             'Chassis_Private', self.chassis,
             ('external_ids', external_ids)).execute(check_error=True)
 
+    def _update_metadata_sb_cfg_key(self):
+        """Update the Chassis_Private nb_cfg information in external_ids
+
+        This method should be called once the Metadata Agent has been
+        registered (method ``register_metadata_agent`` has been called) and
+        the corresponding Chassis_Private register has been created/updated
+        and chassis private config has been updated.
+        """
+        nb_cfg = self.sb_idl.db_get('Chassis_Private',
+                                    self.chassis, 'nb_cfg').execute()
+        external_ids = {ovn_const.OVN_AGENT_METADATA_SB_CFG_KEY: str(nb_cfg)}
+        self.sb_idl.db_set(
+            'Chassis_Private', self.chassis,
+            ('external_ids', external_ids)).execute(check_error=True)
+
     @_sync_lock
     def resync(self):
         """Resync the agent.
@@ -439,6 +454,7 @@ def resync(self):
         """
         self._load_config()
         self._update_chassis_private_config()
+        self._update_metadata_sb_cfg_key()
         self.sync()
 
     def start(self):
@@ -474,6 +490,7 @@ def start(self):
         # Register the agent with its corresponding Chassis
         self.register_metadata_agent()
         self._update_chassis_private_config()
+        self._update_metadata_sb_cfg_key()
 
         self._proxy.wait()
 

neutron/agent/ovn/metadata/agent.py

@@ -33,7 +33,10 @@
 PROXY_SERVICE_NAME = 'haproxy'
 PROXY_SERVICE_CMD = 'haproxy'
 
-CONTENT_ENCODERS = ('gzip', 'deflate')
+CONTENT_ENCODERS = {
+    'gzip': b'\x1f\x8b\x08',
+    'deflate': b'\x1f\x8b\x08'
+}
 
 
 class InvalidUserOrGroupException(Exception):
@@ -159,15 +162,21 @@ class MetadataProxyHandlerBaseSocketServer(
         metaclass=abc.ABCMeta):
     @staticmethod
     def _http_response(http_response, request):
+        headerlist = list(http_response.headers.items())
+        # We detect if content is compressed by magic signature,
+        # when `content-encoding` is not present.
+        if not http_response.headers.get('content-encoding'):
+            if http_response.content[:3] == CONTENT_ENCODERS['gzip']:
+                headerlist.append(('content-encoding', 'gzip'))
+
         _res = webob.Response(
             body=http_response.content,
             status=http_response.status_code,
-            content_type=http_response.headers['content-type'],
-            charset=http_response.encoding)
+            headerlist=headerlist)
         # The content of the response is decoded depending on the
         # "Context-Enconding" header, if present. The operation is limited to
         # ("gzip", "deflate"), as is in the ``webob.response.Response`` class.
-        if _res.content_encoding in CONTENT_ENCODERS:
+        if _res.content_encoding in CONTENT_ENCODERS.keys():
             _res.decode_content()
 
         # NOTE(ralonsoh): there should be a better way to format the HTTP

neutron/common/metadata.py

@@ -70,6 +70,7 @@
 from neutron_lib.api.definitions import qinq
 from neutron_lib.api.definitions import qos
 from neutron_lib.api.definitions import qos_bw_limit_direction
+from neutron_lib.api.definitions import qos_bw_minimum_ingress
 from neutron_lib.api.definitions import qos_default
 from neutron_lib.api.definitions import qos_gateway_ip
 from neutron_lib.api.definitions import qos_rule_type_details
@@ -171,6 +172,7 @@
     qinq.ALIAS,
     qos.ALIAS,
     qos_bw_limit_direction.ALIAS,
+    qos_bw_minimum_ingress.ALIAS,
     qos_default.ALIAS,
     qos_rule_type_details.ALIAS,
     qos_rule_type_filter.ALIAS,

neutron/common/ovn/extensions.py

@@ -16,6 +16,7 @@
 from neutron_lib import constants as const
 from oslo_log import log as logging
 from oslo_policy import policy as oslo_policy
+from oslo_serialization import jsonutils
 from oslo_utils import excutils
 from pecan import hooks
 import webob
@@ -190,6 +191,14 @@ def after(self, state):
             # we have to set the status_code here to prevent the catch_errors
             # middleware from turning this into a 500.
             state.response.status_code = 404
+            # replace the original body on NotFound body
+            error_message = {
+                'type': 'HTTPNotFound',
+                'message': 'The resource could not be found.',
+                'detail': ''
+            }
+            state.response.text = jsonutils.dumps(error_message)
+            state.response.content_type = 'application/json'
             return
 
         if is_single:

neutron/pecan_wsgi/hooks/policy_enforcement.py

@@ -655,14 +655,22 @@ def _get_common_ips(ip_addresses, ip_networks):
                     common_ips.add(str(ip_address))
             return common_ips
 
+        # NOTE(slaweq): We can safely ignore any CIDR larger than /32 (for
+        # IPv4) or /128 (for IPv6) in the allowed_address_pairs, since such
+        # CIDRs cannot be set as a Virtual IP in OVN.
+        # Only /32 and /128 CIDRs are allowed to be set as Virtual IPs in OVN.
+        address_pairs_to_check = [
+            ip_net for ip_net in port_allowed_address_pairs_ip_addresses
+            if ip_net.size == 1]
+
         for distributed_port in distributed_ports:
             distributed_port_ip_addresses = [
                 netaddr.IPAddress(fixed_ip['ip_address']) for fixed_ip in
                 distributed_port.get('fixed_ips', [])]
 
             common_ips = _get_common_ips(
                 distributed_port_ip_addresses,
-                port_allowed_address_pairs_ip_addresses)
+                address_pairs_to_check)
 
             if common_ips:
                 err_msg = (

neutron/plugins/ml2/drivers/ovn/mech_driver/mech_driver.py

@@ -267,7 +267,7 @@ def _get_port_dhcp_options(self, port, ip_version):
                     wait=tenacity.wait_random(min=2, max=3),
                     stop=tenacity.stop_after_attempt(3),
                     reraise=True)
-    def _wait_for_port_bindings_host(self, context, port_id):
+    def _wait_for_active_port_bindings_host(self, context, port_id):
         db_port = ml2_db.get_port(context, port_id)
         # This is already checked previously but, just to stay on
         # the safe side in case the port is deleted mid-operation
@@ -280,11 +280,18 @@ def _wait_for_port_bindings_host(self, context, port_id):
                 _('No port bindings information found for  '
                   'port %s') % port_id)
 
-        if not db_port.port_bindings[0].host:
+        active_binding = p_utils.get_port_binding_by_status_and_host(
+            db_port.port_bindings, const.ACTIVE)
+        if not active_binding:
+            raise RuntimeError(
+                _('No active port bindings information found for '
+                  'port %s') % port_id)
+
+        if not active_binding.host:
             raise RuntimeError(
                 _('No hosting information found for port %s') % port_id)
 
-        return db_port
+        return active_binding
 
     def update_lsp_host_info(self, context, db_port, up=True):
         """Update the binding hosting information for the LSP.
@@ -307,24 +314,29 @@ def update_lsp_host_info(self, context, db_port, up=True):
         if up:
             if not port_up:
                 LOG.warning('Logical_Switch_Port %s host information not '
-                            'updated, the port state is down')
+                            'updated, the port state is down', db_port.id)
                 return
 
             if not db_port.port_bindings:
                 return
 
-            if not db_port.port_bindings[0].host:
+            # There could be more than one port binding present, we need
+            # to find the active one
+            active_binding = p_utils.get_port_binding_by_status_and_host(
+                db_port.port_bindings, const.ACTIVE)
+
+            if not active_binding or not active_binding.host:
                 # NOTE(lucasgomes): There might be a sync issue between
                 # the moment that this port was fetched from the database
                 # and the hosting information being set, retry a few times
                 try:
-                    db_port = self._wait_for_port_bindings_host(
+                    active_binding = self._wait_for_active_port_bindings_host(
                         context, db_port.id)
                 except RuntimeError as e:
                     LOG.warning(e)
                     return
 
-            host = db_port.port_bindings[0].host
+            host = active_binding.host
             ext_ids = ('external_ids',
                        {ovn_const.OVN_HOST_ID_EXT_ID_KEY: host})
             cmd.append(
@@ -333,7 +345,7 @@ def update_lsp_host_info(self, context, db_port, up=True):
         else:
             if port_up:
                 LOG.warning('Logical_Switch_Port %s host information not '
-                            'removed, the port state is up')
+                            'removed, the port state is up', db_port.id)
                 return
 
             cmd.append(

neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py

@@ -354,6 +354,33 @@ def sync_acls(self, ctx):
                 add_acls.append(na)
                 n_index += 1
 
+        # Check any ACLs we found to add against existing ACLs, ignoring the
+        # SG rule ID key. This eliminates any false-positives where the
+        # normalized cidr for two SG rules is the same value, since there
+        # will only be a single ACL that matches exactly with the SG rule ID.
+        if add_acls:
+            def copy_acl_rem_id_key(acl):
+                acl_copy = acl.copy()
+                del acl_copy[ovn_const.OVN_SG_RULE_EXT_ID_KEY]
+                return acl_copy
+
+            add_rem_acls = []
+            # Make a list of non-default rule ACLs (they have a security group
+            # rule id). See ovn_default_acls code/comment above for more info.
+            nd_ovn_acls = [copy_acl_rem_id_key(oa) for oa in ovn_acls
+                           if ovn_const.OVN_SG_RULE_EXT_ID_KEY in oa]
+            # We must copy here since we need to keep the original
+            # 'add_acl' intact for removal
+            for add_acl in add_acls:
+                add_acl_copy = copy_acl_rem_id_key(add_acl)
+                if add_acl_copy in nd_ovn_acls:
+                    add_rem_acls.append(add_acl)
+
+            # Remove any of the false-positive ACLs
+            LOG.warning('False-positive ACLs to remove: (%s)', add_rem_acls)
+            for add_rem in add_rem_acls:
+                add_acls.remove(add_rem)
+
         if n_index < neutron_num:
             # We didn't find the OVN ACLs matching the Neutron ACLs
             # in "ovn_acls" and we are just adding the pending Neutron ACLs.