½ÚµãÀàÐÍ

½ÚµãÉèÖÃ

ÊýÄ¿

Èí¼þ

°æ±¾

±¸×¢

[mysqld]

max_allowed_packet = 64M

collect_statistics_interval = 30000

ha-mode

ha-params

˵Ã÷

RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS='+sbt nnts'

heartbeat = 180

vcpu_pin_set = 1-14

reserved_host_memory_mb=4096? #µ¥Î»MB

[DEFAULT]

cpu_allocation_ratio = 2

[DEFAULT]

block_device_allocate_retries = 150

[DEFAULT]

vif_plugging_timeout = 500

WSGIDaemonProcess cinder-api processes=12 threads=3 user=cinder group=cinder display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages

¡­¡­

[DEFAULT]

rpc_response_timeout = 600

[oslo_messaging_rabbit]

heartbeat_timeout_threshold = 180

service_down_time = 120

[DEFAULT]

Enable_backends =rbd-1

[rbd-1]

rbd_exclusive_cinder_pool = true

[DEFAULT]

cinder_internal_tenant_project_id = c4076a45bcac411bacf20eb4fecb50e0?

cinder_internal_tenant_user_id = 4fe8e33010fd4263be493c1c9681bec8?

[backend_defaults]

image_volume_cache_enabled=True

image_volume_cache_max_size_gb = 0

image_volume_cache_max_count = 0

[agent]

polling_interval = 1

WSGIDaemonProcess keystone-public processes=12 threads=1 user=keystone group=keystone display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages

¡­¡­

?

WSGIDaemonProcess keystone-admin processes=12 threads=1 user=keystone group=keystone display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages

¡­¡­

defaults

timeout http-request 100s

timeout queue 4m

timeout connect 100s

timeout client 10m

timeout server 10m¡£

global

maxconn 40000

global

nbproc 4

listen keystone_external

??? mode http

??? http-request del-header X-Forwarded-Proto

??? option httplog

??? option forwardfor

??? http-request set-header X-Forwarded-Proto https if { ssl_fc }

??? bind?haproxy-ip-addr:5000

??? maxconn 5000

??? server controller01?server-ip-addr:5000 check inter 2000 rise 2 fall 5 maxconn 3000 weight 10

??? server controller02?server-ip-addr:5000 check inter 2000 rise 2 fall 5 maxconn 3000 weight 10

??? server controller03?server-ip-addr:5000 check inter 2000 rise 2 fall 5 maxconn 3000 weight 9

diff -ruN nova-bak/api/openstack/compute/migrate_server.py nova/api/openstack/compute/migrate_server.py

--- nova-bak/api/openstack/compute/migrate_server.py??? 2021-09-10 11:20:15.774990677 +0800

+++ nova/api/openstack/compute/migrate_server.py 2021-09-10 11:23:22.239098421 +0800

@@ -157,7 +157,9 @@

?????????????????????????????? 'conductor during pre-live-migration checks '

?????????????????????????????? ''%(ex)s'', {'ex': ex})

???????????? else:

-??????????????? raise exc.HTTPBadRequest(explanation=ex.format_message())

+?????????????? raise exc.HTTPBadRequest(explanation=ex.format_message())

+??????? except exception.OperationNotSupportedForSEV as e:

+??????????? raise exc.HTTPConflict(explanation=e.format_message())

???????? except exception.InstanceIsLocked as e:

???????????? raise exc.HTTPConflict(explanation=e.format_message())

???????? except exception.ComputeHostNotFound as e:

diff -ruN nova-bak/api/openstack/compute/suspend_server.py nova/api/openstack/compute/suspend_server.py

--- nova-bak/api/openstack/compute/suspend_server.py?? 2021-09-10 11:25:03.847439106 +0800

+++ nova/api/openstack/compute/suspend_server.py 2021-09-10 11:27:09.958950964 +0800

@@ -40,7 +40,8 @@

???????????? self.compute_api.suspend(context, server)

???????? except exception.InstanceUnknownCell as e:

???????????? raise exc.HTTPNotFound(explanation=e.format_message())

-??????? except exception.InstanceIsLocked as e:

+??????? except (exception.OperationNotSupportedForSEV,

+??????????????? exception.InstanceIsLocked) as e:

???????????? raise exc.HTTPConflict(explanation=e.format_message())

???????? except exception.InstanceInvalidState as state_error:

???????????? common.raise_http_conflict_for_instance_invalid_state(state_error,

diff -ruN nova-bak/compute/api.py nova/compute/api.py

--- nova-bak/compute/api.py?? 2021-09-10 11:31:55.278077457 +0800

+++ nova/compute/api.py 2021-09-10 15:32:28.131175652 +0800

@@ -215,6 +215,23 @@

???????? return fn(self, context, instance, *args, **kwargs)

???? return _wrapped

?

+def reject_sev_instances(operation):

+??? '''Decorator.? Raise OperationNotSupportedForSEV if instance has SEV

+??? enabled.

+??? '''

+

+??? def outer(f):

+??????? @six.wraps(f)

+??????? def inner(self, context, instance, *args, **kw):

+??????????? if hardware.get_mem_encryption_constraint(instance.flavor,

+????????????????????????????????????????????????????? instance.image_meta):

+??????????????? raise exception.OperationNotSupportedForSEV(

+??????????????????? instance_uuid=instance.uuid,

+??????????????????? operation=operation)

+??????????? return f(self, context, instance, *args, **kw)

+??????? return inner

+??? return outer

+

?

?def _diff_dict(orig, new):

???? '''Return a dict describing how to change orig to new.? The keys

@@ -690,6 +707,9 @@

???????? '''

? ???????image_meta = _get_image_meta_obj(image)

?

+??????? API._validate_flavor_image_mem_encryption(instance_type, image_meta)

+?????

+

???????? # Only validate values of flavor/image so the return results of

???????? # following 'get' functions are not used.

???????? hardware.get_number_of_serial_ports(instance_type, image_meta)

@@ -701,6 +721,19 @@

???????? if validate_pci:

???????????? pci_request.get_pci_requests_from_flavor(instance_type)

?

+??? @staticmethod

+??? def _validate_flavor_image_mem_encryption(instance_type, image):

+??????? '''Validate that the flavor and image don't make contradictory

+??????? requests regarding memory encryption.

+??????? :param instance_type: Flavor object

+??????? :param image: an ImageMeta object

+??????? :raises: nova.exception.FlavorImageConflict

+??????? '''

+??????? # This library function will raise the exception for us if

+??????? # necessary; if not, we can ignore the result returned.

+??????? hardware.get_mem_encryption_constraint(instance_type, image)

+

+

??? ?def _get_image_defined_bdms(self, instance_type, image_meta,

???????????????????????????????? root_device_name):

???????? image_properties = image_meta.get('properties', {})

@@ -3915,6 +3948,7 @@

???????? return self.compute_rpcapi.get_instance_diagnostics(context,

???????????????????????????????????????????????????????????? instance=instance)

?

+??? @reject_sev_instances(instance_actions.SUSPEND)

???? @check_instance_lock

???? @check_instance_cell

???? @check_instance_state(vm_state=[vm_states.ACTIVE])

@@ -4699,6 +4733,7 @@

????????????????????????????????????????????????????? diff=diff)

???????? return _metadata

?

+??? @reject_sev_instances(instance_actions.SUSPEND)

???? @check_instance_lock

???? @check_instance_cell

???? @check_instance_state(vm_state=[vm_states.ACTIVE, vm_states.PAUSED])

diff -ruN nova-bak/exception.py nova/exception.py

--- nova-bak/exception.py??????? 2021-09-10 11:35:25.491284738 +0800

+++ nova/exception.py???? 2021-09-10 11:36:09.799787563 +0800

@@ -536,6 +536,10 @@

???? msg_fmt = _('Unable to migrate instance (%(instance_id)s) '

???????????????? 'to current host (%(host)s).')

?

+class OperationNotSupportedForSEV(NovaException):

+??? msg_fmt = _('Operation '%(operation)s' not supported for SEV-enabled '

+??????????????? 'instance (%(instance_uuid)s).')

+??? code = 409

?

?class InvalidHypervisorType(Invalid):

???? msg_fmt = _('The supplied hypervisor type of is invalid.')

diff -ruN nova-bak/objects/image_meta.py nova/objects/image_meta.py

--- nova-bak/objects/image_meta.py 2021-09-10 15:16:30.530628464 +0800

+++ nova/objects/image_meta.py????? 2021-09-10 15:19:26.999151245 +0800

@@ -177,6 +177,9 @@

???????? super(ImageMetaProps, self).obj_make_compatible(primitive,

???????????????????????????????????????????????????????? target_version)

???????? target_version = versionutils.convert_version_to_tuple(target_version)

+???????

+??????? if target_version < (1, 24):

+??????????? primitive.pop('hw_mem_encryption', None)

???????? if target_version < (1, 21):

???????????? primitive.pop('hw_time_hpet', None)

??? ?????if target_version < (1, 20):

@@ -298,6 +301,11 @@

???????? # is not practical to enumerate them all. So we use a free

???????? # form string

???????? 'hw_machine_type': fields.StringField(),

+???????

+??????? # boolean indicating that the guest needs to be booted with

+??????? # encrypted memory

+??????? 'hw_mem_encryption': fields.FlexibleBooleanField(),

+

?

???????? # One of the magic strings 'small', 'any', 'large'

???????? # or an explicit page size in KB (eg 4, 2048, ...)

diff -ruN nova-bak/scheduler/utils.py nova/scheduler/utils.py

--- nova-bak/scheduler/utils.py 2021-09-10 15:19:58.172561042 +0800

+++ nova/scheduler/utils.py????? 2021-09-10 15:35:05.630393147 +0800

@@ -35,7 +35,7 @@

?from nova.objects import instance as obj_instance

?from nova import rpc

?from nova.scheduler.filters import utils as filters_utils

-

+import nova.virt.hardware as hw

?

?LOG = logging.getLogger(__name__)

?

@@ -61,6 +61,27 @@

???????? # Default to the configured limit but _limit can be

???????? # set to None to indicate 'no limit'.

???????? self._limit = CONF.scheduler.max_placement_results

+??????? image = (request_spec.image if 'image' in request_spec

+???????????????? else objects.ImageMeta(properties=objects.ImageMetaProps()))

+??????? self._translate_memory_encryption(request_spec.flavor, image)

+

+??? def _translate_memory_encryption(self, flavor, image):

+??????? '''When the hw:mem_encryption extra spec or the hw_mem_encryption

+??????? image property are requested, translate into a request for

+??????? resources:MEM_ENCRYPTION_CONTEXT=1 which requires a slot on a

+??????? host which can support encryption of the guest memory.

+??????? '''

+??????? # NOTE(aspiers): In theory this could raise FlavorImageConflict,

+??????? # but we already check it in the API layer, so that should never

+??????? # happen.

+??????? if not hw.get_mem_encryption_constraint(flavor, image):

+??????????? # No memory encryption required, so no further action required.

+??????????? return

+

+??????? self._add_resource(None, orc.MEM_ENCRYPTION_CONTEXT, 1)

+??????? LOG.debug('Added %s=1 to requested resources',

+????????????????? orc.MEM_ENCRYPTION_CONTEXT)

+

?

???? def __str__(self):

???????? return ', '.join(sorted(

diff -ruN nova-bak/virt/hardware.py nova/virt/hardware.py

--- nova-bak/virt/hardware.py? 2022-02-23 10:45:42.320988102 +0800

+++ nova/virt/hardware.py??????? 2021-09-10 14:05:25.145572630 +0800

@@ -1140,6 +1140,67 @@

?

???? return flavor_policy, image_policy

?

+def get_mem_encryption_constraint(flavor, image_meta, machine_type=None):

+??? '''Return a boolean indicating whether encryption of guest memory was

+??? requested, either via the hw:mem_encryption extra spec or the

+??? hw_mem_encryption image property (or both).

+??? Also watch out for contradictory requests between the flavor and

+??? image regarding memory encryption, and raise an exception where

+??? encountered.? These conflicts can arise in two different ways:

+??????? 1) the flavor requests memory encryption but the image

+?????????? explicitly requests *not* to have memory encryption, or

+?????????? vice-versa

+??????? 2) the flavor and/or image request memory encryption, but the

+?????????? image is missing hw_firmware_type=uefi

+??????? 3) the flavor and/or image request memory encryption, but the

+?????????? machine type is set to a value which does not contain 'q35'

+??? This can be called from the libvirt driver on the compute node, in

+??? which case the driver should pass the result of

+??? nova.virt.libvirt.utils.get_machine_type() as the machine_type

+??? parameter, or from the API layer, in which case get_machine_type()

+??? cannot be called since it relies on being run from the compute

+??? node in order to retrieve CONF.libvirt.hw_machine_type.

+??? :param instance_type: Flavor object

+??? :param image: an ImageMeta object

+??? :param machine_type: a string representing the machine type (optional)

+??? :raises: nova.exception.FlavorImageConflict

+??? :raises: nova.exception.InvalidMachineType

+??? :returns: boolean indicating whether encryption of guest memory

+??? was requested

+??? '''

+

+??? flavor_mem_enc_str, image_mem_enc = _get_flavor_image_meta(

+??????? 'mem_encryption', flavor, image_meta)

+

+??? flavor_mem_enc = None

+??? if flavor_mem_enc_str is not None:

+??????? flavor_mem_enc = strutils.bool_from_string(flavor_mem_enc_str)

+

+??? # Image property is a FlexibleBooleanField, so coercion to a

+??? # boolean is handled automatically

+

+??? if not flavor_mem_enc and not image_mem_enc:

+??????? return False

+

+??? _check_for_mem_encryption_requirement_conflicts(

+?? ?????flavor_mem_enc_str, flavor_mem_enc, image_mem_enc, flavor, image_meta)

+

+??? # If we get this far, either the extra spec or image property explicitly

+??? # specified a requirement regarding memory encryption, and if both did,

+??? # they are asking for the same thing.

+??? requesters = []

+??? if flavor_mem_enc:

+??????? requesters.append('hw:mem_encryption extra spec in %s flavor' %

+????????????????????????? flavor.name)

+??? if image_mem_enc:

+??????? requesters.append('hw_mem_encryption property of image %s' %

+????????????????????????? image_meta.name)

+

+??? _check_mem_encryption_uses_uefi_image(requesters, image_meta)

+??? _check_mem_encryption_machine_type(image_meta, machine_type)

+

+??? LOG.debug('Memory encryption requested by %s', ' and '.join(requesters))

+??? return True

?

?def _get_numa_pagesize_constraint(flavor, image_meta):

???? '''Return the requested memory page size

diff -ruN nova-bak/compute/manager.py nova/compute/manager.py

--- nova-bak/compute/manager.py? 2021-07-07 14:40:15.570807168 +0800

+++ nova/compute/manager.py??????? 2021-10-18 19:02:37.931655551 +0800

@@ -7013,7 +7013,8 @@

???????????????????????????????????????? migrate_data)

?

???????? # Detaching volumes.

-??????? connector = self.driver.get_volume_connector(instance)

+??????? connector = None

+??????? #connector = self.driver.get_volume_connector(instance)

???????? for bdm in source_bdms:

???????????? if bdm.is_volume:

???????????????? # Detaching volumes is a call to an external API that can fail.

@@ -7033,6 +7034,8 @@

???????????????????????? # remove the volume connection without detaching from

???????????????????????? # hypervisor because the instance is not running

???????????????????????? # anymore on the current host

+??????????????????????? if connector is None:

+??????????????????????????? connector = self.driver.get_volume_connector(instance)

???????????????????????? self.volume_api.terminate_connection(ctxt,

????????????????????????????????????????????????????????????? bdm.volume_id,

????????????????????????? ????????????????????????????????????connector)

@@ -7056,8 +7059,10 @@

?

???????? # Releasing vlan.

???????? # (not necessary in current implementation?)

-

-??????? network_info = self.network_api.get_instance_nw_info(ctxt, instance)

+???????

+??????? #changed by Fiona

+??????? #network_info = self.network_api.get_instance_nw_info(ctxt, instance)

+??????? network_info = instance.get_network_info()

?

???????? self._notify_about_instance_usage(ctxt, instance,

?????????????????????????????????????????? 'live_migration._post.start',

diff -ruN neutron-bak/agent/l3/router_info.py neutron-iproute/agent/l3/router_info.py

--- neutron-bak/agent/l3/router_info.py??? 2020-12-14 18:00:23.683687327 +0800

+++ neutron-iproute/agent/l3/router_info.py???? 2022-02-23 15:18:15.650669589 +0800

@@ -748,8 +748,10 @@

???????? for ip_version in (lib_constants.IP_VERSION_4,

??????????????????????????? lib_constants.IP_VERSION_6):

???????????? gateway = device.route.get_gateway(ip_version=ip_version)

-??????????? if gateway and gateway.get('gateway'):

-??????????????? current_gateways.add(gateway.get('gateway'))

+#??????????? if gateway and gateway.get('gateway'):

+#??????????????? current_gateways.add(gateway.get('gateway'))

+??????????? if gateway and gateway.get('via'):

+???????????? ???current_gateways.add(gateway.get('via'))

???????? for ip in current_gateways - set(gateway_ips):

???????????? device.route.delete_gateway(ip)

???????? for ip in gateway_ips:

diff -ruN neutron-bak/agent/linux/ip_lib.py neutron-iproute/agent/linux/ip_lib.py

--- neutron-bak/agent/linux/ip_lib.py 2020-12-14 18:03:47.951878754 +0800

+++ neutron-iproute/agent/linux/ip_lib.py 2022-02-23 15:19:03.981457532 +0800

@@ -48,6 +48,8 @@

?????????????????? 'main': 254,

?????????????????? 'local': 255}

?

+IP_RULE_TABLES_NAMES = {v: k for k, v in IP_RULE_TABLES.items()}

+

?# Rule indexes: pyroute2.netlink.rtnl

?# Rule names: https://www.systutorials.com/docs/linux/man/8-ip-rule/

?# NOTE(ralonsoh): 'masquerade' type is printed as 'nat' in 'ip rule' command

@@ -592,14 +594,18 @@

???? def _dev_args(self):

???????? return ['dev', self.name] if self.name else []

?

-??? def add_gateway(self, gateway, metric=None, table=None):

-??????? ip_version = common_utils.get_ip_version(gateway)

-??????? args = ['replace', 'default', 'via', gateway]

-??????? if metric:

-??????????? args += ['metric', metric]

-??????? args += self._dev_args()

-??????? args += self._table_args(table)

-??????? self._as_root([ip_version], tuple(args))

+#??? def add_gateway(self, gateway, metric=None, table=None):

+#??????? ip_version = common_utils.get_ip_version(gateway)

+#??????? args = ['replace', 'default', 'via', gateway]

+#??????? if metric:

+#??????????? args += ['metric', metric]

+#??????? args += self._dev_args()

+#??????? args += self._table_args(table)

+#??????? self._as_root([ip_version], tuple(args))

+

+??? def add_gateway(self, gateway, metric=None, table=None, scope='global'):

+??????? self.add_route(None, via=gateway, table=table, metric=metric,

+?????????????????????? scope=scope)

?

???? def _run_as_root_detect_device_not_found(self, options, args):

???????? try:

@@ -618,41 +624,16 @@

???????? args += self._table_args(table)

???????? self._run_as_root_detect_device_not_found([ip_version], args)

?

-??? def _parse_routes(self, ip_version, output, **kwargs):

-??????? for line in output.splitlines():

-??????????? parts = line.split()

-

-??????????? # Format of line is: '|default [] ...'

-??????????? route = {k: v for k, v in zip(parts[1::2], parts[2::2])}

-??????????? route['cidr'] = parts[0]

-??????????? # Avoids having to explicitly pass around the IP version

-??????????? if route['cidr'] == 'default':

-??????????????? route['cidr'] = constants.IP_ANY[ip_version]

-

-??????????? # ip route drops things like scope and dev from the output if it

-??????????? # was specified as a filter.? This allows us to add them back.

-??????????? if self.name:

-??????????????? route['dev'] = self.name

-??????????? if self._table:

-??????????????? route['table'] = self._table

-??????????? # Callers add any filters they use as kwargs

-??????????? route.update(kwargs)

-

-??????????? yield route

-

-??? def list_routes(self, ip_version, **kwargs):

-??????? args = ['list']

-??????? args += self._dev_args()

-??????? args += self._table_args()

-??????? for k, v in kwargs.items():

-??????????? args += [k, v]

-

-??????? output = self._run([ip_version], tuple(args))

-??????? return [r for r in self._parse_routes(ip_version, output, **kwargs)]

+??? def list_routes(self, ip_version, scope=None, via=None, table=None,

+??????????????????? **kwargs):

+??????? table = table or self._table

+??????? return list_ip_routes(self._parent.namespace, ip_version, scope=scope,

+????????????????????????????? via=via, table=table, device=self.name, **kwargs)

?

???? def list_onlink_routes(self, ip_version):

???????? routes = self.list_routes(ip_version, scope='link')

-??????? return [r for r in routes if 'src' not in r]

+#??????? return [r for r in routes if 'src' not in r]

+??????? return [r for r in routes if not r['source_prefix']]

?

???? def add_onlink_route(self, cidr):

???????? self.add_route(cidr, scope='link')

@@ -660,34 +641,12 @@

???? def delete_onlink_route(self, cidr):

???????? self.delete_route(cidr, scope='link')

?

-??? def get_gateway(self, scope=None, filters=None, ip_version=None):

-??????? options = [ip_version] if ip_version else []

-

-??????? args = ['list']

-??????? args += self._dev_args()

-??????? args += self._table_args()

-??????? if filters:

-??????????? args += filters

-

-??????? retval = None

-

-??????? if scope:

-??????????? args += ['scope', scope]

-

-??????? route_list_lines = self._run(options, tuple(args)).split('\n')

-??????? default_route_line = next((x.strip() for x in

-?????????????????????????????????? route_list_lines if

-???????????????????????????? ??????x.strip().startswith('default')), None)

-??????? if default_route_line:

-??????????? retval = dict()

-??????????? gateway = DEFAULT_GW_PATTERN.search(default_route_line)

-??????????? if gateway:

-??????????????? retval.update(gateway=gateway.group(1))

-??????????? metric = METRIC_PATTERN.search(default_route_line)

-??????????? if metric:

-??????????????? retval.update(metric=int(metric.group(1)))

-

-??????? return retval

+??? def get_gateway(self, scope=None, table=None,

+??????????????????? ip_version=constants.IP_VERSION_4):

+??????? routes = self.list_routes(ip_version, scope=scope, table=table)

+??????? for route in routes:

+??????????? if route['via'] and route['cidr'] in constants.IP_ANY.values():

+??????????????? return route

?

???? def flush(self, ip_version, table=None, **kwargs):

???????? args = ['flush']

@@ -696,16 +655,11 @@

???????????? args += [k, v]

???????? self._as_root([ip_version], tuple(args))

?

-??? def add_route(self, cidr, via=None, table=None, **kwargs):

-??????? ip_version = common_utils.get_ip_version(cidr)

-??????? args = ['replace', cidr]

-??????? if via:

-??????????? args += ['via', via]

-??????? args += self._dev_args()

-??????? args += self._table_args(table)

-??????? for k, v in kwargs.items():

-??????????? args += [k, v]

-??????? self._run_as_root_detect_device_not_found([ip_version], args)

+??? def add_route(self, cidr, via=None, table=None, metric=None, scope=None,

+????????????????? **kwargs):

+??????? table = table or self._table

+??????? add_ip_route(self._parent.namespace, cidr, device=self.name, via=via,

+???????????????????? table=table, metric=metric, scope=scope, **kwargs)

?

???? def delete_route(self, cidr, via=None, table=None, **kwargs):

???????? ip_version = common_utils.get_ip_version(cidr)

@@ -1455,3 +1409,53 @@

???????????????? retval[device['vxlan_link_index']]['name'])

?

???? return list(retval.values())

+

+def add_ip_route(namespace, cidr, device=None, via=None, table=None,

+???????????????? metric=None, scope=None, **kwargs):

+??? '''Add an IP route'''

+??? if table:

+??????? table = IP_RULE_TABLES.get(table, table)

+??? ip_version = common_utils.get_ip_version(cidr or via)

+??? privileged.add_ip_route(namespace, cidr, ip_version,

+??????????????????????????? device=device, via=via, table=table,

+??????? ????????????????????metric=metric, scope=scope, **kwargs)

+

+

+def list_ip_routes(namespace, ip_version, scope=None, via=None, table=None,

+?????????????????? device=None, **kwargs):

+??? '''List IP routes'''

+??? def get_device(index, devices):

+??????? for device in (d for d in devices if d['index'] == index):

+??????????? return get_attr(device, 'IFLA_IFNAME')

+

+??? table = table if table else 'main'

+??? table = IP_RULE_TABLES.get(table, table)

+??? routes = privileged.list_ip_routes(namespace, ip_version, device=device,

+?????????????????????????????????????? table=table, **kwargs)

+??? devices = privileged.get_link_devices(namespace)

+??? ret = []

+??? for route in routes:

+??????? cidr = get_attr(route, 'RTA_DST')

+??????? if cidr:

+??????????? cidr = '%s/%s' % (cidr, route['dst_len'])

+??????? else:

+??????????? cidr = constants.IP_ANY[ip_version]

+??????? table = int(get_attr(route, 'RTA_TABLE'))

+??????? value = {

+??????????? 'table': IP_RULE_TABLES_NAMES.get(table, table),

+??????????? 'source_prefix': get_attr(route, 'RTA_PREFSRC'),

+??????????? 'cidr': cidr,

+??????????? 'scope': IP_ADDRESS_SCOPE[int(route['scope'])],

+??????????? 'device': get_device(int(get_attr(route, 'RTA_OIF')), devices),

+??????????? 'via': get_attr(route, 'RTA_GATEWAY'),

+??????????? 'priority': get_attr(route, 'RTA_PRIORITY'),

+??????? }

+

+??????? ret.append(value)

+

+??? if scope:

+??????? ret = [route for route in ret if route['scope'] == scope]

+??? if via:

+??????? ret = [route for route in ret if route['via'] == via]

+

+??? return ret

diff -ruN neutron-bak/cmd/sanity/checks.py neutron-iproute/cmd/sanity/checks.py

--- neutron-bak/cmd/sanity/checks.py?????? 2022-02-23 11:33:16.934132708 +0800

+++ neutron-iproute/cmd/sanity/checks.py??????? 2022-02-23 15:20:10.562018672 +0800

@@ -36,6 +36,7 @@

?from neutron.common import utils as common_utils

?from neutron.plugins.ml2.drivers.openvswitch.agent.common \

???? import constants as ovs_const

+from neutron.privileged.agent.linux import dhcp as priv_dhcp

?

?LOG = logging.getLogger(__name__)

?

@@ -230,8 +231,8 @@

?

?

?def dhcp_release6_supported():

-??? return runtime_checks.dhcp_release6_supported()

-

+#??? return runtime_checks.dhcp_release6_supported()

+???? return priv_dhcp.dhcp_release6_supported()

?

?def bridge_firewalling_enabled():

? ???for proto in ('arp', 'ip', 'ip6'):

@@ -363,7 +364,8 @@

?

???????????? default_gw = gw_dev.route.get_gateway(ip_version=6)

???????????? if default_gw:

-??????????????? default_gw = default_gw['gateway']

+#??????????????? default_gw = default_gw['gateway']

+??????????????? default_gw = default_gw['via']

?

???? return expected_default_gw == default_gw

?

diff -ruN neutron-bak/privileged/agent/linux/ip_lib.py neutron-iproute/privileged/agent/linux/ip_lib.py

--- neutron-bak/privileged/agent/linux/ip_lib.py 2020-12-14 18:26:08.339307939 +0800

+++ neutron-iproute/privileged/agent/linux/ip_lib.py 2022-02-23 15:20:39.477439105 +0800

@@ -634,3 +634,50 @@

???????? if e.errno == errno.ENOENT:

???????????? raise NetworkNamespaceNotFound(netns_name=namespace)

???????? raise

+

+@privileged.default.entrypoint

+@lockutils.synchronized('privileged-ip-lib')

+def add_ip_route(namespace, cidr, ip_version, device=None, via=None,

+???????????????? table=None, metric=None, scope=None, **kwargs):

+??? '''Add an IP route'''

+??? try:

+??????? with get_iproute(namespace) as ip:

+??????????? family = _IP_VERSION_FAMILY_MAP[ip_version]

+??????????? if not scope:

+??????????????? scope = 'global' if via else 'link'

+??????????? scope = _get_scope_name(scope)

+??????????? if cidr:

+????? ??????????kwargs['dst'] = cidr

+??????????? if via:

+??????????????? kwargs['gateway'] = via

+??????????? if table:

+??????????????? kwargs['table'] = int(table)

+??????????? if device:

+??????????????? kwargs['oif'] = get_link_id(device, namespace)

+???? ???????if metric:

+??????????????? kwargs['priority'] = int(metric)

+??????????? ip.route('replace', family=family, scope=scope, proto='static',

+???????????????????? **kwargs)

+??? except OSError as e:

+??????? if e.errno == errno.ENOENT:

+??????????? raise NetworkNamespaceNotFound(netns_name=namespace)

+??????? raise

+

+

+@privileged.default.entrypoint

+@lockutils.synchronized('privileged-ip-lib')

+def list_ip_routes(namespace, ip_version, device=None, table=None, **kwargs):

+??? '''List IP routes'''

+?? ?try:

+??????? with get_iproute(namespace) as ip:

+??????????? family = _IP_VERSION_FAMILY_MAP[ip_version]

+??????????? if table:

+??????????????? kwargs['table'] = table

+??????????? if device:

+??????????????? kwargs['oif'] = get_link_id(device, namespace)

+??????????? return make_serializable(ip.route('show', family=family, **kwargs))

+??? except OSError as e:

+??????? if e.errno == errno.ENOENT:

+??????????? raise NetworkNamespaceNotFound(netns_name=namespace)

+??????? raise

+

diff -ruN neutron-bak/agent/linux/dhcp.py neutron-dhcprelease/agent/linux/dhcp.py

--- neutron-bak/agent/linux/dhcp.py 2020-12-15 09:59:29.966957908 +0800

+++ neutron-dhcprelease/agent/linux/dhcp.py? 2022-02-23 15:10:14.169101010 +0800

@@ -25,6 +25,7 @@

?from neutron_lib import constants

?from neutron_lib import exceptions

?from neutron_lib.utils import file as file_utils

+from oslo_concurrency import processutils

?from oslo_log import log as logging

?from oslo_utils import excutils

?from oslo_utils import fileutils

@@ -41,6 +42,7 @@

?from neutron.common import ipv6_utils

?from neutron.common import utils as common_utils

?from neutron.ipam import utils as ipam_utils

+from neutron.privileged.agent.linux import dhcp as priv_dhcp

?

?LOG = logging.getLogger(__name__)

?

@@ -476,7 +478,8 @@

?

???? def _is_dhcp_release6_supported(self):

???????? if self._IS_DHCP_RELEASE6_SUPPORTED is None:

-??????????? self._IS_DHCP_RELEASE6_SUPPORTED = checks.dhcp_release6_supported()

+??????????? self._IS_DHCP_RELEASE6_SUPPORTED = (

+??????????????? priv_dhcp.dhcp_release6_supported())

???????????? if not self._IS_DHCP_RELEASE6_SUPPORTED:

???????????????? LOG.warning('dhcp_release6 is not present on this system, '

???????????????????????????? 'will not call it again.')

@@ -485,24 +488,28 @@

???? def _release_lease(self, mac_address, ip, ip_version, client_id=None,

??????????????????????? server_id=None, iaid=None):

???????? '''Release a DHCP lease.'''

-??????? if ip_version == constants.IP_VERSION_6:

-??????????? if not self._is_dhcp_release6_supported():

-??????????????? return

-??????????? cmd = ['dhcp_release6', '--iface', self.interface_name,

-?????????????????? '--ip', ip, '--client-id', client_id,

-?????????????????? '--server-id', server_id, '--iaid', iaid]

-??????? else:

-??????????? cmd = ['dhcp_release', self.interface_name, ip, mac_address]

-??????????? if client_id:

-??????????????? cmd.append(client_id)

-??????? ip_wrapper = ip_lib.IPWrapper(namespace=self.network.namespace)

???????? try:

-??????????? ip_wrapper.netns.execute(cmd, run_as_root=True)

-??????? except RuntimeError as e:

+??????????? if ip_version == constants.IP_VERSION_6:

+??????????????? if not self._is_dhcp_release6_supported():

+??????????????????? return

+

+??????????????? params = {'interface_name': self.interface_name,

+??? ??????????????????????'ip_address': ip, 'client_id': client_id,

+????????????????????????? 'server_id': server_id, 'iaid': iaid,

+????????????????????????? 'namespace': self.network.namespace}

+??????????????? priv_dhcp.dhcp_release6(**params)

+?????????? ?else:

+??????????????? params = {'interface_name': self.interface_name,

+????????????????????????? 'ip_address': ip, 'mac_address': mac_address,

+????????????????????????? 'client_id': client_id,

+????????????????????????? 'namespace': self.network.namespace}

+#??????????????? LOG.info('Rock_DEBUG: DHCP release construct params %(params)s.', {'params': params})

+??????????????? priv_dhcp.dhcp_release(**params)

+??????? except (processutils.ProcessExecutionError, OSError) as e:

???????????? # when failed to release single lease there's

???????????? # no need to propagate error further

-??????????? LOG.warning('DHCP release failed for %(cmd)s. '

-??????????????????????? 'Reason: %(e)s', {'cmd': cmd, 'e': e})

+??????????? LOG.warning('DHCP release failed for params %(params)s. '

+??????????????????????? 'Reason: %(e)s', {'params': params, 'e': e})

?

???? def _output_config_files(self):

???????? self._output_hosts_file()

diff -ruN neutron-bak/cmd/sanity/checks.py neutron-dhcprelease/cmd/sanity/checks.py

--- neutron-bak/cmd/sanity/checks.py?????? 2022-02-23 11:33:16.934132708 +0800

+++ neutron-dhcprelease/cmd/sanity/checks.py 2022-02-23 15:11:07.536446402 +0800

@@ -36,6 +36,7 @@

?from neutron.common import utils as common_utils

?from neutron.plugins.ml2.drivers.openvswitch.agent.common \

???? import constants as ovs_const

+from neutron.privileged.agent.linux import dhcp as priv_dhcp

?

?LOG = logging.getLogger(__name__)

?

@@ -230,8 +231,8 @@

?

?

?def dhcp_release6_supported():

-??? return runtime_checks.dhcp_release6_supported()

-

+#??? return runtime_checks.dhcp_release6_supported()

+???? return priv_dhcp.dhcp_release6_supported()

?

?def bridge_firewalling_enabled():

???? for proto in ('arp', 'ip', 'ip6'):

@@ -363,7 +364,8 @@

?

???????????? default_gw = gw_dev.route.get_gateway(ip_version=6)

???????????? if default_gw:

-??????????????? default_gw = default_gw['gateway']

+#??????????????? default_gw = default_gw['gateway']

+??????????????? default_gw = default_gw['via']

?

???? return expected_default_gw == default_gw

?

diff -ruN neutron-bak/privileged/__init__.py neutron-dhcprelease/privileged/__init__.py

--- neutron-bak/privileged/__init__.py??????? 2020-04-23 14:45:14.000000000 +0800

+++ neutron-dhcprelease/privileged/__init__.py 2022-02-23 15:10:29.209584186 +0800

@@ -27,3 +27,11 @@

?????????????????? caps.CAP_DAC_OVERRIDE,

?????????????????? caps.CAP_DAC_READ_SEARCH],

?)

+

+dhcp_release_cmd = priv_context.PrivContext(

+??? __name__,

+??? cfg_section='privsep_dhcp_release',

+??? pypath=__name__ + '.dhcp_release_cmd',

+??? capabilities=[caps.CAP_SYS_ADMIN,

+????????????????? caps.CAP_NET_ADMIN]

+)

diff -ruN neutron-bak/agent/linux/ipset_manager.py neutron/agent/linux/ipset_manager.py

--- neutron-bak/agent/linux/ipset_manager.py? 2022-02-16 15:11:40.419016919 +0800

+++ neutron/agent/linux/ipset_manager.py??????? 2022-02-16 15:17:02.328133786 +0800

@@ -146,7 +146,7 @@

???????????? cmd_ns.extend(['ip', 'netns', 'exec', self.namespace])

???????? cmd_ns.extend(cmd)

???????? self.execute(cmd_ns, run_as_root=True, process_input=input,

-???? ????????????????check_exit_code=fail_on_errors)

+???????????????????? check_exit_code=fail_on_errors, privsep_exec=True)

?

???? def _get_new_set_ips(self, set_name, expected_ips):

???????? new_member_ips = (set(expected_ips) -

diff -ruN neutron-bak/agent/linux/iptables_manager.py neutron/agent/linux/iptables_manager.py

--- neutron-bak/agent/linux/iptables_manager.py????? 2022-02-16 15:05:53.853147520 +0800

+++ neutron/agent/linux/iptables_manager.py?? 2021-07-07 14:59:16.000000000 +0800

@@ -475,12 +475,15 @@

???? ????args = ['iptables-save', '-t', table]

???????? if self.namespace:

???????????? args = ['ip', 'netns', 'exec', self.namespace] + args

-??????? return self.execute(args, run_as_root=True).split('\n')

+??????? #return self.execute(args, run_as_root=True).split('\n')

+??????? return self.execute(args, run_as_root=True,

+??????????????????????????? privsep_exec=True).split('\n')

?

???? def _get_version(self):

???????? # Output example is 'iptables v1.6.2'

???????? args = ['iptables', '--version']

-??????? version = str(self.execute(args, run_as_root=True).split()[1][1:])

+??????? #version = str(self.execute(args, run_as_root=True).split()[1][1:])

+??????? version = str(self.execute(args, run_as_root=True, privsep_exec=True).split()[1][1:])

???????? LOG.debug('IPTables version installed: %s', version)

???????? return version

?

@@ -505,8 +508,10 @@

???????????? args += ['-w', self.xlock_wait_time, '-W', XLOCK_WAIT_INTERVAL]

???????? try:

???????????? kwargs = {} if lock else {'log_fail_as_error': False}

+?????? ?????#self.execute(args, process_input='\n'.join(commands),

+??????????? #???????????? run_as_root=True, **kwargs)

???????????? self.execute(args, process_input='\n'.join(commands),

-???????????????????????? run_as_root=True, **kwargs)

+?????????????????? ??????run_as_root=True, privsep_exec=True, **kwargs)

???????? except RuntimeError as error:

???????????? return error

?

@@ -568,7 +573,8 @@

???????????? if self.namespace:

???????????????? args = ['ip', 'netns', 'exec', self.namespace] + args

???????????? try:

-??????????????? save_output = self.execute(args, run_as_root=True)

+??????????????? #save_output = self.execute(args, run_as_root=True)

+??????????????? save_output = self.execute(args, run_as_root=True, privsep_exec=True)

???????????? except RuntimeError:

???????????????? # We could be racing with a cron job deleting namespaces.

???????????????? # It is useless to try to apply iptables rules over and

@@ -769,7 +775,8 @@

???????????????? args.append('-Z')

???????????? if self.namespace:

????????????? ???args = ['ip', 'netns', 'exec', self.namespace] + args

-??????????? current_table = self.execute(args, run_as_root=True)

+??????????? #current_table = self.execute(args, run_as_root=True)

+??????????? current_table = self.execute(args, run_as_root=True, privsep_exec=True)

???????????? current_lines = current_table.split('\n')

?

???????????? for line in current_lines[2:]:

diff -ruN neutron-bak/agent/linux/utils.py neutron/agent/linux/utils.py

--- neutron-bak/agent/linux/utils.py 2022-02-16 15:06:03.133090388 +0800

+++ neutron/agent/linux/utils.py?????? 2021-07-08 09:34:12.000000000 +0800

@@ -38,6 +38,7 @@

?from neutron.agent.linux import xenapi_root_helper

?from neutron.common import utils

?from neutron.conf.agent import common as config

+from neutron.privileged.agent.linux import utils as priv_utils

?from neutron import wsgi

?

?

@@ -85,13 +86,24 @@

???? if run_as_root:

???????? cmd = shlex.split(config.get_root_helper(cfg.CONF)) + cmd

???? LOG.debug('Running command: %s', cmd)

-??? obj = utils.subprocess_popen(cmd, shell=False,

-???????????????????????????????? stdin=subprocess.PIPE,

-???????????????????????????????? stdout=subprocess.PIPE,

-???????????????????????????????? stderr=subprocess.PIPE)

+??? #obj = utils.subprocess_popen(cmd, shell=False,

+??? #??????? ?????????????????????stdin=subprocess.PIPE,

+??? #???????????????????????????? stdout=subprocess.PIPE,

+??? #???????????????????????????? stderr=subprocess.PIPE)

+??? obj = subprocess.Popen(cmd, shell=False, stdin=subprocess.PIPE,

+??????????????????????? ???stdout=subprocess.PIPE, stderr=subprocess.PIPE)

?

???? return obj, cmd

?

+def _execute_process(cmd, _process_input, addl_env, run_as_root):

+??? obj, cmd = create_process(cmd, run_as_root=run_as_root, addl_env=addl_env)

+??? _stdout, _stderr = obj.communicate(_process_input)

+??? returncode = obj.returncode

+??? obj.stdin.close()

+??? _stdout = helpers.safe_decode_utf8(_stdout)

+??? _stderr = helpers.safe_decode_utf8(_stderr)

+??? return _stdout, _stderr, returncode

+

?

?def execute_rootwrap_daemon(cmd, process_input, addl_env):

???? cmd = list(map(str, addl_env_args(addl_env) + cmd))

@@ -103,31 +115,45 @@

???? LOG.debug('Running command (rootwrap daemon): %s', cmd)

???? client = RootwrapDaemonHelper.get_client()

???? try:

-??????? return client.execute(cmd, process_input)

+??????? #return client.execute(cmd, process_input)

+??????? returncode, __stdout, _stderr =? client.execute(cmd, process_input)

???? except Exception:

???????? with excutils.save_and_reraise_exception():

???????????? LOG.error('Rootwrap error running command: %s', cmd)

+??? _stdout = helpers.safe_decode_utf8(_stdout)

+??? _stderr = helpers.safe_decode_utf8(_stderr)

+??? return _stdout, _stderr, returncode

?

?

?def execute(cmd, process_input=None, addl_env=None,

???????????? check_exit_code=True, return_stderr=False, log_fail_as_error=True,

-??????????? extra_ok_codes=None, run_as_root=False):

+??????????? extra_ok_codes=None, run_as_root=False, privsep_exec=False):

???? try:

???????? if process_input is not None:

???????????? _process_input = encodeutils.to_utf8(process_input)

???????? else:

???????????? _process_input = None

-??????? if run_as_root and cfg.CONF.AGENT.root_helper_daemon:

-??????????? returncode, _stdout, _stderr = (

-??????????????? execute_rootwrap_daemon(cmd, process_input, addl_env))

+??????? #if run_as_root and cfg.CONF.AGENT.root_helper_daemon:

+??????? #??? returncode, _stdout, _stderr = (

+??????? #??????? execute_rootwrap_daemon(cmd, process_input, addl_env))

+??????? #else:

+??????? #??? obj, cmd = create_process(cmd, run_as_root=run_as_root,

+??????? #????????????????????????????? addl_env=addl_env)

+??????? #??? _stdout, _stderr = obj.communicate(_process_input)

+??????? #??? returncode = obj.returncode

+??????? #??? obj.stdin.close()

+??????? #_stdout = helpers.safe_decode_utf8(_stdout)

+??????? #_stderr = helpers.safe_decode_utf8(_stderr)

+

+??????? if run_as_root and privsep_exec:

+??????????? _stdout, _stderr, returncode = priv_utils.execute_process(

+??????????????? cmd, _process_input, addl_env)

+??????? elif run_as_root and cfg.CONF.AGENT.root_helper_daemon:

+??????????? _stdout, _stderr, returncode = execute_rootwarp_daemon(

+??????????????? cmd, process_input, addl_env)

???????? else:

-??????????? obj, cmd = create_process(cmd, run_as_root=run_as_root,

-?? ???????????????????????????????????addl_env=addl_env)

-??????????? _stdout, _stderr = obj.communicate(_process_input)

-??????????? returncode = obj.returncode

-??????????? obj.stdin.close()

-??????? _stdout = helpers.safe_decode_utf8(_stdout)

-??????? _stderr = helpers.safe_decode_utf8(_stderr)

+??????????? _stdout, _stderr, returncode = _execute_process(

+??????????????? cmd, _process_input, addl_env, run_as_root)

?

???????? extra_ok_codes = extra_ok_codes or []

???????? if returncode and returncode not in extra_ok_codes:

diff -ruN neutron-bak/cmd/ipset_cleanup.py neutron/cmd/ipset_cleanup.py

--- neutron-bak/cmd/ipset_cleanup.py????? 2022-02-16 15:18:00.727786180 +0800

+++ neutron/cmd/ipset_cleanup.py?? 2021-07-07 15:00:03.000000000 +0800

@@ -38,7 +38,8 @@

?def remove_iptables_reference(ipset):

???? # Remove any iptables reference to this IPset

???? cmd = ['iptables-save'] if 'IPv4' in ipset else ['ip6tables-save']

-??? iptables_save = utils.execute(cmd, run_as_root=True)

+??? #iptables_save = utils.execute(cmd, run_as_root=True)

+??? iptables_save = utils.execute(cmd, run_as_root=True, privsep_exec=True)

?

???? if ipset in iptables_save:

???????? cmd = ['iptables'] if 'IPv4' in ipset else ['ip6tables']

@@ -50,7 +51,8 @@

? ???????????????params = rule.split()

???????????????? params[0] = '-D'

???????????????? try:

-??????????????????? utils.execute(cmd + params, run_as_root=True)

+??????????????????? #utils.execute(cmd + params, run_as_root=True)

+??????????????????? utils.execute(cmd + params, run_as_root=True, privsep_exec=True)

???????????????? except Exception:

???????????????????? LOG.exception('Error, unable to remove iptables rule '

?????????????????????????????????? 'for IPset: %s', ipset)

@@ -65,7 +67,8 @@

???? LOG.info('Destroying IPset: %s', ipset)

???? cmd = ['ipset', 'destroy', ipset]

???? try:

-??????? utils.execute(cmd, run_as_root=True)

+??????? #utils.execute(cmd, run_as_root=True)

+??????? utils.execute(cmd, run_as_root=True, privsep_exec=True)

???? except Exception:

???????? LOG.exception('Error, unable to destroy IPset: %s', ipset)

?

@@ -75,7 +78,8 @@

???? LOG.info('Destroying IPsets with prefix: %s', conf.prefix)

?

???? cmd = ['ipset', '-L', '-n']

-??? ipsets = utils.execute(cmd, run_as_root=True)

+??? #ipsets = utils.execute(cmd, run_as_root=True)

+??? ipsets = utils.execute(cmd, run_as_root=True, privsep_exec=True)

???? for ipset in ipsets.split('\n'):

???????? if conf.allsets or ipset.startswith(conf.prefix):

???????????? destroy_ipset(conf, ipset)

diff -ruN neutron-bak/privileged/agent/linux/utils.py neutron/privileged/agent/linux/utils.py

--- neutron-bak/privileged/agent/linux/utils.py? 1970-01-01 08:00:00.000000000 +0800

+++ neutron/privileged/agent/linux/utils.py??????? 2021-07-07 14:58:21.000000000 +0800

@@ -0,0 +1,82 @@

+# Copyright 2020 Red Hat, Inc.

+#

+#??? Licensed under the Apache License, Version 2.0 (the 'License'); you may

+#??? not use this file except in compliance with the License. You may obtain

+#??? a copy of the License at

+#

+#???????? http://www.apache.org/licenses/LICENSE-2.0

+#

+#??? Unless required by applicable law or agreed to in writing, software

+#??? distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT

+#??? WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the

+#??? License for the specific language governing permissions and limitations

+#??? under the License.

+

+import os

+import re

+

+from eventlet.green import subprocess

+from neutron_lib.utils import helpers

+from oslo_concurrency import processutils

+from oslo_utils import fileutils

+

+from neutron import privileged

+

+

+NETSTAT_PIDS_REGEX = re.compile(r'.* (?P\d{2,6})/.*')

+

+

+@privileged.default.entrypoint

+def find_listen_pids_namespace(namespace):

+??? return _find_listen_pids_namespace(namespace)

+

+

+def _find_listen_pids_namespace(namespace):

+??? '''Retrieve a list of pids of listening processes within the given netns

+??? This method is implemented separately to allow unit testing.

+??? '''

+??? pids = set()

+??? cmd = ['ip', 'netns', 'exec', namespace, 'netstat', '-nlp']

+??? output = processutils.execute(*cmd)

+??? for line in output[0].splitlines():

+??????? m = NETSTAT_PIDS_REGEX.match(line)

+??????? if m:

+??????????? pids.add(m.group('pid'))

+??? return list(pids)

+

+

+@privileged.default.entrypoint

+def delete_if_exists(path, remove=os.unlink):

+??? fileutils.delete_if_exists(path, remove=remove)

+

+

+@privileged.default.entrypoint

+def execute_process(cmd, _process_input, addl_env):

+??? obj, cmd = _create_process(cmd, addl_env=addl_env)

+??? _stdout, _stderr = obj.communicate(_process_input)

+??? returncode = obj.returncode

+??? obj.stdin.close()

+??? _stdout = helpers.safe_decode_utf8(_stdout)

+??? _stderr = helpers.safe_decode_utf8(_stderr)

+??? return _stdout, _stderr, returncode

+

+

+def _addl_env_args(addl_env):

+??? '''Build arguments for adding additional environment vars with env'''

+

+??? # NOTE (twilson) If using rootwrap, an EnvFilter should be set up for the

+??? # command instead of a CommandFilter.

+??? if addl_env is None:

+??????? return []

+??? return ['env'] + ['%s=%s' % pair for pair in addl_env.items()]

+

+

+def _create_process(cmd, addl_env=None):

+??? '''Create a process object for the given command.

+??? The return value will be a tuple of the process object and the

+??? list of command arguments used to create it.

+??? '''

+??? cmd = list(map(str, _addl_env_args(addl_env) + list(cmd)))

+??? obj = subprocess.Popen(cmd, shell=False, stdin=subprocess.PIPE,

+?????????????????????????? stdout=subprocess.PIPE, stderr=subprocess.PIPE)

+??? return obj, cmd

--- neutron-bak/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py? 2022-08-02 17:02:51.213224245 +0800

+++ neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py 2022-08-02 17:02:09.181883012 +0800

@@ -161,8 +161,8 @@

???????? self.enable_distributed_routing = agent_conf.enable_distributed_routing

???????? self.arp_responder_enabled = agent_conf.arp_responder and self.l2_pop

?

-??????? host = self.conf.host

-??????? self.agent_id = 'ovs-agent-%s' % host

+??????? self.host = self.conf.host

+??????? self.agent_id = 'ovs-agent-%s' % self.host

?

???????? self.enable_tunneling = bool(self.tunnel_types)

?

@@ -245,7 +245,7 @@

???????????? self.phys_ofports,

???????????? self.patch_int_ofport,

???????????? self.patch_tun_ofport,

-??????????? host,

+??????????? self.host,

???????????? self.enable_tunneling,

???????????? self.enable_distributed_routing,

???????????? self.arp_responder_enabled)

@@ -289,7 +289,7 @@

???????? #?????????????? ???or which are used by specific extensions.

???????? self.agent_state = {

???????????? 'binary': 'neutron-openvswitch-agent',

-??????????? 'host': host,

+??????????? 'host': self.host,

???????????? 'topic': n_const.L2_AGENT_TOPIC,

???????????? 'configurations': {'bridge_mappings': self.bridge_mappings,

??????????????????????????????? c_const.RP_BANDWIDTHS: self.rp_bandwidths,

@@ -1671,6 +1671,7 @@

???????? skipped_devices = []

???????? need_binding_devices = []

???????? binding_no_activated_devices = set()

+??????? migrating_devices = set()

???????? agent_restarted = self.iter_num == 0

???????? devices_details_list = (

???????????? self.plugin_rpc.get_devices_details_list_and_failed_devices(

@@ -1696,6 +1697,12 @@

???????????????? skipped_devices.append(device)

???????????????? continue

?

+??????????? migrating_to = details.get('migrating_to')

+??????????? if migrating_to and migrating_to != self.host:

+??????????????? LOG.info('Port %(device)s is being migrated to host %(host)s.',

+???????????????????????? {'device': device, 'host': migrating_to})

+??????????????? migrating_devices.add(device)

+

???????????? if 'port_id' in details:

???????????????? LOG.info('Port %(device)s updated. Details: %(details)s',

????????????????????????? {'device': device, 'details': details})

@@ -1729,7 +1736,7 @@

???????????????? if (port and port.ofport != -1):

???????????????????? self.port_dead(port)

???????? return (skipped_devices, binding_no_activated_devices,

-??????????????? need_binding_devices, failed_devices)

+??????? ????????need_binding_devices, failed_devices, migrating_devices)

?

???? def _update_port_network(self, port_id, network_id):

???????? self._clean_network_ports(port_id)

@@ -1821,10 +1828,12 @@

???????? need_binding_devices = []

???????? skipped_devices = set()

???????? binding_no_activated_devices = set()

+??????? migrating_devices = set()

???????? start = time.time()

???????? if devices_added_updated:

???????????? (skipped_devices, binding_no_activated_devices,

-???????????? need_binding_devices, failed_devices['added']) = (

+???????????? need_binding_devices, failed_devices['added'],

+??????????????? migrating_devices) = (

???????????????? self.treat_devices_added_or_updated(

???????????????????? devices_added_updated, provisioning_needed))

???????????? LOG.debug('process_network_ports - iteration:%(iter_num)d - '

@@ -1847,7 +1856,7 @@

???????? # TODO(salv-orlando): Optimize avoiding applying filters

???????? # unnecessarily, (eg: when there are no IP address changes)

???????? added_ports = (port_info.get('added', set()) - skipped_devices -

-?????????????????????? binding_no_activated_devices)

+?????????????????????? binding_no_activated_devices - migrating_devices)

???????? self._add_port_tag_info(need_binding_devices)

???????? self.sg_agent.setup_port_filters(added_ports,

????????????????????????????????????????? port_info.get('updated', set()))

--- neutron-bak/conf/common.py???? 2022-08-02 17:07:18.239265163 +0800

+++ neutron/conf/common.py 2021-09-08 17:08:59.000000000 +0800

@@ -166,6 +166,24 @@

??????????????? help=_('Type of the nova endpoint to use.? This endpoint will'

?????????????????????? ' be looked up in the keystone catalog and should be'

?????????????????????? ' one of public, internal or admin.')),

+??? cfg.BoolOpt('live_migration_events', default=True,

+ ???????????????help=_('When this option is enabled, during the live '

+?????????????????????? 'migration, the OVS agent will only send the '

+?????????????????????? ''vif-plugged-event' when the destination host '

+?????????????????????? 'interface is bound. This option also disables any '

+?????????????????????? 'other agent (like DHCP) to send to Nova this event '

+?????????????????????? 'when the port is provisioned.'

+?????????????????????? 'This option can be enabled if Nova patch '

+????????????????? ?????'https://review.opendev.org/c/openstack/nova/+/767368 '

+?????????????????????? 'is in place.'

+?????????????????????? 'This option is temporary and will be removed in Y and '

+?????????????????????? 'the behavior will be 'True'.'),

+??????????????? deprecated_for_removal=True,

+??????????????? deprecated_reason=(

+??????????????????? 'In Y the Nova patch '

+??????????????????? 'https://review.opendev.org/c/openstack/nova/+/767368 '

+??????????????????? 'will be in the code even when running a Nova server in '

+??????????????????? 'X.')),

?]

--- neutron-bak/agent/rpc.py?? 2021-08-25 15:29:11.000000000 +0800

+++ neutron/agent/rpc.py 2021-09-15 16:34:09.000000000 +0800

@@ -25,8 +25,10 @@

?from neutron_lib import constants

?from neutron_lib.plugins import utils

?from neutron_lib import rpc as lib_rpc

+from oslo_config import cfg

?from oslo_log import log as logging

?import oslo_messaging

+from oslo_serialization import jsonutils

?from oslo_utils import uuidutils

?

?from neutron.agent import resource_cache

@@ -323,8 +325,10 @@

???????? binding = utils.get_port_binding_by_status_and_host(

???????????? port_obj.bindings, constants.ACTIVE, raise_if_not_found=True,

???????????? port_id=port_obj.id)

-??????? if (port_obj.device_owner.startswith(

-???????????? ???constants.DEVICE_OWNER_COMPUTE_PREFIX) and

+??????? migrating_to = migrating_to_host(port_obj.bindings)

+??????? if (not (migrating_to and cfg.CONF.nova.live_migration_events) and

+??????????????? port_obj.device_owner.startswith(

+??????????????????? constants.DEVICE_OWNER_COMPUTE_PREFIX) and

???????????????? binding[pb_ext.HOST] != host):

???????????? LOG.debug('Device %s has no active binding in this host',

?????????????????????? port_obj)

@@ -357,7 +361,8 @@

???????????? 'qos_policy_id': port_obj.qos_policy_id,

???????????? 'network_qos_policy_id': net_qos_policy_id,

???????????? 'profile': binding.profile,

-??????????? 'security_groups': list(port_obj.security_group_ids)

+??????????? 'security_groups': list(port_obj.security_group_ids),

+??????????? 'migrating_to': migrating_to,

???????? }

???????? LOG.debug('Returning: %s', entry)

???????? return entry

@@ -365,3 +370,40 @@

???? def get_devices_details_list(self, context, devices, agent_id, host=None):

???????? return [self.get_device_details(context, device, agent_id, host)

???????????????? for device in devices]

+

+# TODO(ralonsoh): move this method to neutron_lib.plugins.utils

+def migrating_to_host(bindings, host=None):

+??? '''Return the host the port is being migrated.

+

+??? If the host is passed, the port binding profile with the 'migrating_to',

+??? that contains the host the port is being migrated, is compared to this

+??? value. If no value is passed, this method will return if the port is

+??? being migrated ('migrating_to' is present in any port binding profile).

+

+??? The function returns None or the matching host.

+??? '''

+??? #LOG.info('LiveDebug: enter migrating_to_host? 001')

+??? for binding in (binding for binding in bindings if

+??????????????????? binding[pb_ext.STATUS] == constants.ACTIVE):

+??????? profile = binding.get('profile')

+??????? if not profile:

+??????????? continue

+?????? '''

+??????? profile = (jsonutils.loads(profile) if isinstance(profile, str) else

+?????????????????? profile)

+??????? migrating_to = profile.get('migrating_to')

+?????? '''

+??????? # add by michael

+??????? if isinstance(profile, str):

+??????????? migrating_to = jsonutils.loads(profile).get('migrating_to')

+??????????? #LOG.info('LiveDebug: migrating_to_host 001? migrating_to: %s', migrating_to)

+??????? else:

+??????????? migrating_to = profile.get('migrating_to')

+??????????? #LOG.info('LiveDebug: migrating_to_host 002? migrating_to: %s', migrating_to)

+

+??????? if migrating_to:

+??????????? if not host:? # Just know if the port is being migrated.

+?????? ?????????return migrating_to

+??????????? if migrating_to == host:

+??????????????? return migrating_to

+??? return None

--- neutron-bak/db/provisioning_blocks.py??????? 2021-08-25 15:43:47.000000000 +0800

+++ neutron/db/provisioning_blocks.py???? 2021-09-03 09:32:41.000000000 +0800

@@ -137,8 +137,7 @@

???????????? context, standard_attr_id=standard_attr_id):

???????? LOG.debug('Provisioning complete for %(otype)s %(oid)s triggered by '

?????????????????? 'entity %(entity)s.', log_dict)

-??????? registry.notify(object_type, PROVISIONING_COMPLETE,

-??????????????????????? 'neutron.db.provisioning_blocks',

+??????? registry.notify(object_type, PROVISIONING_COMPLETE, entity,

???????????????????????? context=context, object_id=object_id)

?

--- neutron-bak/notifiers/nova.py???? 2021-08-25 16:02:33.000000000 +0800

+++ neutron/notifiers/nova.py? 2021-09-03 09:32:41.000000000 +0800

@@ -13,6 +13,8 @@

?#??? License for the specific language governing permissions and limitations

?#??? under the License.

?

+import contextlib

+

?from keystoneauth1 import loading as ks_loading

?from neutron_lib.callbacks import events

?from neutron_lib.callbacks import registry

@@ -66,6 +68,16 @@

???????????? if ext.name == 'server_external_events']

???????? self.batch_notifier = batch_notifier.BatchNotifier(

???????????? cfg.CONF.send_events_interval, self.send_events)

+??????? self._enabled = True

+

+??? @contextlib.contextmanager

+??? def context_enabled(self, enabled):

+??????? stored_enabled = self._enabled

+??????? try:

+??????????? self._enabled = enabled

+??????????? yield

+??????? finally:

+??????????? self._enabled = stored_enabled

?

???? def _get_nova_client(self):

???????? global_id = common_context.generate_request_id()

@@ -163,6 +175,10 @@

???????????????? return self._get_network_changed_event(port)

?

???? def _can_notify(self, port):

+??????? if not self._enabled:

+??????????? LOG.debug('Nova notifier disabled')

+??????????? return False

+

???????? if not port.id:

???????????? LOG.warning('Port ID not set! Nova will not be notified of '

???????????????????????? 'port status change.')

--- nova-bak/compute/manager.py? 2022-08-02 16:27:45.943428128 +0800

+++ nova/compute/manager.py??????? 2021-09-03 09:35:24.529858458 +0800

@@ -6637,12 +6637,12 @@

???????? LOG.error(msg, msg_args)

?

???? @staticmethod

-??? def _get_neutron_events_for_live_migration(instance):

+??? def _get_neutron_events_for_live_migration(instance, migration):

???????? # We don't generate events if CONF.vif_plugging_timeout=0

???????? # meaning that the operator disabled using them.

-??????? if CONF.vif_plugging_timeout and utils.is_neutron():

-??????????? return [('network-vif-plugged', vif['id'])

-??????????????????? for vif in instance.get_network_info()]

+??????? if CONF.vif_plugging_timeout:

+??????????? return (instance.get_network_info()

+??????????????????? .get_live_migration_plug_time_events())

???????? else:

???????????? return []

?

@@ -6695,7 +6695,8 @@

???????????? '''

???????????? pass

?

-??????? events = self._get_neutron_events_for_live_migration(instance)

+??????? events = self._get_neutron_events_for_live_migration(

+??????????? instance, migration)

???????? try:

???????????? if ('block_migration' in migrate_data and

???????????????????? migrate_data.block_migration):

--- nova-bak/network/model.py??????? 2022-08-02 16:27:47.490437859 +0800

+++ nova/network/model.py???? 2021-09-03 09:35:24.532858440 +0800

@@ -469,6 +469,14 @@

???????? return (self.is_hybrid_plug_enabled() and not

???????????????? migration.is_same_host())

?

+??? @property

+??? def has_live_migration_plug_time_event(self):

+??????? '''Returns whether this VIF's network-vif-plugged external event will

+??????? be sent by Neutron at 'plugtime' - in other words, as soon as neutron

+??????? completes configuring the network backend.

+??????? '''

+????? ??return self.is_hybrid_plug_enabled()

+

???? def is_hybrid_plug_enabled(self):

???????? return self['details'].get(VIF_DETAILS_OVS_HYBRID_PLUG, False)

?

@@ -527,20 +535,26 @@

???????? return jsonutils.dumps(self)

?

???? def get_bind_time_events(self, migration):

-??????? '''Returns whether any of our VIFs have 'bind-time' events. See

-??????? has_bind_time_event() docstring for more details.

+??????? '''Returns a list of external events for any VIFs that have

+??????? 'bind-time' events during cold migration.

???????? '''

???????? return [('network-vif-plugged', vif['id'])

???????????????? for vif in self if vif.has_bind_time_event(migration)]

?

+??? def get_live_migration_plug_time_events(self):

+??????? '''Returns a list of external events for any VIFs that have

+??????? 'plug-time' events during live migration.

+??????? '''

+??????? return [('network-vif-plugged', vif['id'])

+??????????????? for vif in self if vif.has_live_migration_plug_time_event]

+

???? def get_plug_time_events(self, migration):

-???? ???'''Complementary to get_bind_time_events(), any event that does not

-??????? fall in that category is a plug-time event.

+??????? '''Returns a list of external events for any VIFs that have

+??????? 'plug-time' events during cold migration.

???????? '''

???????? return [('network-vif-plugged', vif['id'])

???????????????? for vif in self if not vif.has_bind_time_event(migration)]

?

-

?class NetworkInfoAsyncWrapper(NetworkInfo):

???? '''Wrapper around NetworkInfo that allows retrieving NetworkInfo

???? in an async manner.

--- linux-3.10.0-1062.18.1.el7.orig/net/ipv4/udp_offload.c???? 2020-02-12 21:45:22.000000000 +0800

+++ linux-3.10.0-1062.18.1.el7/net/ipv4/udp_offload.c?? 2022-08-17 15:56:27.540557289 +0800

@@ -261,7 +261,7 @@ struct sk_buff **udp_gro_receive(struct

????? struct sock *sk;

?

????? if (NAPI_GRO_CB(skb)->encap_mark ||

-???? ??? (skb->ip_summed != CHECKSUM_PARTIAL &&

+???? ??? (uh->check && skb->ip_summed != CHECKSUM_PARTIAL &&

????? ???? NAPI_GRO_CB(skb)->csum_cnt == 0 &&

????? ???? !NAPI_GRO_CB(skb)->csum_valid))

???????????? goto out;