Reviewed: https://review.openstack.org/230164
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=7ba17a3155a7ab69032e4be9f17777818aa977e5
Submitter: Jenkins
Branch: master
commit 7ba17a3155a7ab69032e4be9f17777818aa977e5
Author: Paul Michali <email address hidden>
Date: Mon Sep 28 20:00:58 2015 +0000

VPNaaS: Multiple Local Subnets feature

Implements support for multiple local subnets for IPSec site to site
connections, using the new Endpoint Group API.

The implementation supports backwards compatibility as follows. If
a VPN service is created with a subnet, then the older API is assumed
and the user must specify the peer CIDRs for any IPSec connections
and cannot specify multiple local subnets.

If a subnet is not provided for the VPN service, then the user must
use the newer API and provide local and peer endpoint group IDs for
the IPSec connection (and cannot specify the peer CIDRs in the IPSec
connection API).

The implication here is that the subnet will be an optional argument for
the VPN service API.

With this feature, when an endpoint group is deleted, a check is made
to ensure that there are no IPSec connections using the group.

Migration will move the subnet from the VPN service API to a new endpoint
group, and specify the group in any connections using the service.
The peer CIDR(s) will be moved from each connection to an endpoint
group, with the group ID specified in the connection.

Note: As part of testing the database methods for this feature, several
more tests were created to test database access only, instead of doing
a round trip test. In a separate commit, these tests can be expanded,
and the existing round trip tests removed.

Note: Tests for building the dict used in sync requests were enhanced,
as part of supporting this feature. The previous tests didn't check
that the peer CIDR information was correct, so they were enhanced as well.

Note: The service driver passes the local CIDR(s) in a new field,
called local_cidrs. This field is used for the older API as well,
passing the subnet's CIDR, and allowing consistent consumption by the
device driver. The IP version is also passed, rather than obtaining
it from the subnet info (so both new and old API use the same fields).

Note: To support rolling upgrades, where an agent may be using the older
release after the server has been updated, the subnet CIDR field passed
from the service driver to the device driver will be populated from the
first local endpoint of the first connection (there has to be at least
one connection when sending data to the agent).

Note: In the device driver, I noticed that the local CIDR's IP version
can change the config file output, so I added test cases for IPv6, as
part of enhancing the tests for multiple local CIDRs.

Change-Id: I7a011e3170d7db463a6561e550b2ead3e3311125
Partial-Bug: 1459423
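The rules the commit message above describes (old-API vs new-API validation of a connection, the in-use check on endpoint group deletion, the migration of subnet and peer CIDRs into endpoint groups, and the sync dict carrying local_cidrs/ip_version plus the first local CIDR as a compatibility subnet for older agents) are modelled in the following added Python example. It is not neutron-vpnaas code: the dataclasses, the dict shapes and the names validation_errors, can_delete_endpoint_group, migrate_service, build_agent_info and example are assumptions made for illustration, and the sample subnets, CIDRs and IDs are constructed.

```python
# Added example, not neutron-vpnaas code: a small in-memory model of the rules
# in the commit message above. Dataclass shapes and function names are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional
import uuid


@dataclass
class VpnService:
    id: str
    subnet: Optional[Dict] = None   # {"id": ..., "cidr": ...}; None selects the newer API


@dataclass
class EndpointGroup:
    id: str
    type: str              # "subnet" (local side) or "cidr" (peer side)
    endpoints: List[str]   # subnet IDs or CIDR strings


@dataclass
class IpsecConnection:
    id: str
    vpnservice_id: str
    peer_cidrs: List[str] = field(default_factory=list)
    local_ep_group_id: Optional[str] = None
    peer_ep_group_id: Optional[str] = None


def validation_errors(service, conn):
    """Compatibility rule: a subnet on the service means the older API (peer CIDRs
    required, endpoint groups rejected); no subnet means the newer API (both
    endpoint groups required, peer CIDRs rejected). Empty list means valid."""
    errors = []
    if service.subnet is not None:
        if not conn.peer_cidrs:
            errors.append("older API: peer_cidrs required")
        if conn.local_ep_group_id or conn.peer_ep_group_id:
            errors.append("older API: endpoint groups not allowed")
    else:
        if not (conn.local_ep_group_id and conn.peer_ep_group_id):
            errors.append("newer API: local and peer endpoint group IDs required")
        if conn.peer_cidrs:
            errors.append("newer API: peer_cidrs not allowed")
    return errors


def can_delete_endpoint_group(connections, group_id):
    """Deletion check: refuse while any connection still references the group."""
    return not any(group_id in (c.local_ep_group_id, c.peer_ep_group_id)
                   for c in connections)


def migrate_service(service, connections, groups):
    """Migration: the service's subnet becomes one subnet endpoint group shared by
    its connections; each connection's peer CIDRs become a cidr endpoint group."""
    if service.subnet is None:
        return
    local = EndpointGroup(str(uuid.uuid4()), "subnet", [service.subnet["id"]])
    groups[local.id] = local
    for conn in connections:
        if conn.vpnservice_id != service.id:
            continue
        peer = EndpointGroup(str(uuid.uuid4()), "cidr", list(conn.peer_cidrs))
        groups[peer.id] = peer
        conn.local_ep_group_id = local.id
        conn.peer_ep_group_id = peer.id
        conn.peer_cidrs = []
    service.subnet = None


def build_agent_info(service, connections, groups, subnets):
    """Sync dict for the device driver: local_cidrs, peer_cidrs and ip_version per
    connection for both API styles, plus a top-level subnet cidr for agents on the
    older release, taken from the first local endpoint of the first connection."""
    conns = []
    for conn in connections:
        if conn.vpnservice_id != service.id:
            continue
        if conn.local_ep_group_id:
            local_cidrs = [subnets[s]["cidr"]
                           for s in groups[conn.local_ep_group_id].endpoints]
            peer_cidrs = list(groups[conn.peer_ep_group_id].endpoints)
        else:
            local_cidrs = [service.subnet["cidr"]]
            peer_cidrs = list(conn.peer_cidrs)
        conns.append({"id": conn.id,
                      "local_cidrs": local_cidrs,
                      "peer_cidrs": peer_cidrs,
                      "ip_version": ip_network(local_cidrs[0], strict=False).version})
    if not conns:
        raise ValueError("at least one connection is needed when syncing the agent")
    return {"id": service.id,
            "subnet": {"cidr": conns[0]["local_cidrs"][0]},  # compat for older agents
            "ipsec_site_connections": conns}


def example():
    """Constructed sample: an older-API service is migrated to endpoint groups,
    then a second local subnet is added to its local group."""
    subnets = {"sub1": {"cidr": "10.0.0.0/24"}, "sub2": {"cidr": "10.0.1.0/24"}}
    svc = VpnService("svc1", subnet={"id": "sub1", "cidr": "10.0.0.0/24"})
    conns = [IpsecConnection("c1", "svc1", peer_cidrs=["192.168.1.0/24"])]
    groups = {}
    migrate_service(svc, conns, groups)
    groups[conns[0].local_ep_group_id].endpoints.append("sub2")
    return build_agent_info(svc, conns, groups, subnets)
```

Run example() to see the post-migration sync dict: both local CIDRs appear in local_cidrs, while the compatibility "subnet" entry carries only the first one, which is exactly what an agent on the older release would act on, so a mixed-version deployment routes only the first local subnet until the agent is upgraded.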