Allow control of default route injection
Implements blueprint inject-default-route Change-Id: I81591e1122e0b775a500533460b9b9866c728629
This commit is contained in:
parent
0460baf43c
commit
975bdf2b00
@ -20,6 +20,14 @@ Kilo approved specs:
|
||||
|
||||
specs/kilo/*
|
||||
|
||||
Liberty approved specs:
|
||||
|
||||
.. toctree::
|
||||
:glob:
|
||||
:maxdepth: 1
|
||||
|
||||
specs/liberty/*
|
||||
|
||||
==================
|
||||
Indices and tables
|
||||
==================
|
||||
|
104
specs/liberty/dummy.rst
Normal file
104
specs/liberty/dummy.rst
Normal file
@ -0,0 +1,104 @@
|
||||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Title of your blueprint
|
||||
==========================================
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
|
||||
Community impact
|
||||
----------------
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Tempest Tests
|
||||
-------------
|
||||
|
||||
|
||||
Functional Tests
|
||||
----------------
|
||||
|
||||
|
||||
API Tests
|
||||
---------
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
User Documentation
|
||||
------------------
|
||||
|
||||
|
||||
Developer Documentation
|
||||
-----------------------
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
|
411
specs/liberty/example.rst
Normal file
411
specs/liberty/example.rst
Normal file
@ -0,0 +1,411 @@
|
||||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Example Spec - The title of your blueprint
|
||||
==========================================
|
||||
|
||||
Launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/group-based-policy/+spec/some-spec
|
||||
|
||||
Introduction paragraph -- why are we doing anything? A single paragraph of
|
||||
prose that operators can understand.
|
||||
|
||||
Some notes about using this template:
|
||||
|
||||
* Your spec should be in ReSTructured text, like this template.
|
||||
|
||||
* Please wrap text at 80 columns.
|
||||
|
||||
* Please do not delete any of the sections in this template. If you have
|
||||
nothing to say for a whole section, just write: None
|
||||
|
||||
* For help with syntax, see http://sphinx-doc.org/rest.html
|
||||
|
||||
* To test out your formatting, build the docs using tox, or see:
|
||||
http://rst.ninjs.org
|
||||
|
||||
* If you would like to provide a diagram with your spec, text representations
|
||||
are preferred. http://asciiflow.com/ is a very nice tool to assist with
|
||||
making ascii diagrams. blockdiag is another tool. These are described below.
|
||||
If you require an image (screenshot) for your BP, attaching that to the BP
|
||||
and checking it in is also accepted. However, text representations are prefered.
|
||||
|
||||
* Diagram examples
|
||||
|
||||
asciiflow::
|
||||
|
||||
+----------+ +-----------+ +----------+
|
||||
| A | | B | | C |
|
||||
| +-----+ +--------+ |
|
||||
+----------+ +-----------+ +----------+
|
||||
|
||||
blockdiag
|
||||
|
||||
.. blockdiag::
|
||||
|
||||
blockdiag sample {
|
||||
a -> b -> c;
|
||||
}
|
||||
|
||||
actdiag
|
||||
|
||||
.. actdiag::
|
||||
|
||||
actdiag {
|
||||
write -> convert -> image
|
||||
lane user {
|
||||
label = "User"
|
||||
write [label = "Writing reST"];
|
||||
image [label = "Get diagram IMAGE"];
|
||||
}
|
||||
lane actdiag {
|
||||
convert [label = "Convert reST to Image"];
|
||||
}
|
||||
}
|
||||
|
||||
nwdiag
|
||||
|
||||
.. nwdiag::
|
||||
|
||||
nwdiag {
|
||||
network dmz {
|
||||
address = "210.x.x.x/24"
|
||||
|
||||
web01 [address = "210.x.x.1"];
|
||||
web02 [address = "210.x.x.2"];
|
||||
}
|
||||
network internal {
|
||||
address = "172.x.x.x/24";
|
||||
|
||||
web01 [address = "172.x.x.1"];
|
||||
web02 [address = "172.x.x.2"];
|
||||
db01;
|
||||
db02;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
seqdiag
|
||||
|
||||
.. seqdiag::
|
||||
|
||||
seqdiag {
|
||||
browser -> webserver [label = "GET /index.html"];
|
||||
browser <-- webserver;
|
||||
browser -> webserver [label = "POST /blog/comment"];
|
||||
webserver -> database [label = "INSERT comment"];
|
||||
webserver <-- database;
|
||||
browser <-- webserver;
|
||||
}
|
||||
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
A detailed description of the problem:
|
||||
|
||||
* For a new feature this might be use cases. Ensure you are clear about the
|
||||
actors in each use case: End User vs Deployer
|
||||
|
||||
* For a major reworking of something existing it would describe the
|
||||
problems in that feature that are being addressed.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Here is where you cover the change you propose to make in detail. How do you
|
||||
propose to solve this problem?
|
||||
|
||||
If this is one part of a larger effort make it clear where this piece ends. In
|
||||
other words, what's the scope of this effort?
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
What other ways could we do this thing? Why aren't we using those? This doesn't
|
||||
have to be a full literature review, but it should demonstrate that thought has
|
||||
been put into why the proposed solution is an appropriate one.
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
Changes which require modifications to the data model often have a wider impact
|
||||
on the system. The community often has strong opinions on how the data model
|
||||
should be evolved, from both a functional and performance perspective. It is
|
||||
therefore important to capture and gain agreement as early as possible on any
|
||||
proposed changes to the data model.
|
||||
|
||||
Questions which need to be addressed by this section include:
|
||||
|
||||
* What new data objects and/or database schema changes is this going to require?
|
||||
|
||||
* What database migrations will accompany this change.
|
||||
|
||||
* How will the initial set of new data objects be generated, for example if you
|
||||
need to take into account existing instances, or modify other existing data
|
||||
describe how that will work.
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
For each API resource to be implemented using the attribute map
|
||||
facility, describe the resource collection and specify the name,
|
||||
type, and other essential details of each new or modified attribute.
|
||||
A table similar to the following may be used:
|
||||
|
||||
+----------+-------+---------+---------+------------+--------------+
|
||||
|Attribute |Type |Access |Default |Validation/ |Description |
|
||||
|Name | | |Value |Conversion | |
|
||||
+==========+=======+=========+=========+============+==============+
|
||||
|id |string |RO, all |generated|N/A |identity |
|
||||
| |(UUID) | | | | |
|
||||
+----------+-------+---------+---------+------------+--------------+
|
||||
|name |string |RW, all |'' |string |human-readable|
|
||||
| | | | | |name |
|
||||
+----------+-------+---------+---------+------------+--------------+
|
||||
|color |string |RW, admin|'red' |'red', |color |
|
||||
| | | | |'yellow', or|indicating |
|
||||
| | | | |'green' |state |
|
||||
+----------+-------+---------+---------+------------+--------------+
|
||||
|
||||
|
||||
Here is the other example of the table using csv-table
|
||||
|
||||
|
||||
.. csv-table:: CSVTable
|
||||
:header: Attribute Name,Type,Access,Default Value,Validation Conversion,Description
|
||||
|
||||
id,string (UUID),"RO, all",generated,N/A,identity
|
||||
name,string,"RW, all","''",string,human-readable name
|
||||
color,string,"RW, admin",red,"'red', 'yellow' or 'green'",color indicating state
|
||||
|
||||
|
||||
Each API method which is either added or changed that does not use
|
||||
Neutron's attribute map facility should have the following:
|
||||
|
||||
* Specification for the method
|
||||
|
||||
* A description of what the method does suitable for use in
|
||||
user documentation
|
||||
|
||||
* Method type (POST/PUT/GET/DELETE)
|
||||
|
||||
* Normal http response code(s)
|
||||
|
||||
* Expected error http response code(s)
|
||||
|
||||
* A description for each possible error code should be included
|
||||
describing semantic errors which can cause it such as
|
||||
inconsistent parameters supplied to the method, or when an
|
||||
instance is not in an appropriate state for the request to
|
||||
succeed. Errors caused by syntactic problems covered by the JSON
|
||||
schema defintion do not need to be included.
|
||||
|
||||
* URL for the resource
|
||||
|
||||
* Parameters which can be passed via the url
|
||||
|
||||
* JSON schema definition for the body data if allowed
|
||||
|
||||
* JSON schema definition for the response data if any
|
||||
|
||||
* Example use case including typical API samples for both data supplied
|
||||
by the caller and the response
|
||||
|
||||
* Discuss any API policy changes, and discuss what things a deployer needs to
|
||||
think about when defining their API policy. This is in reference to the
|
||||
policy.json file.
|
||||
|
||||
Note that the schema should be defined as restrictively as
|
||||
possible. Parameters which are required should be marked as such and
|
||||
only under exceptional circumstances should additional parameters
|
||||
which are not defined in the schema be permitted (eg
|
||||
additionaProperties should be False).
|
||||
|
||||
Reuse of existing predefined parameter types such as regexps for
|
||||
passwords and user defined names is highly encouraged.
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
Describe any potential security impact on the system. Some of the items to
|
||||
consider include:
|
||||
|
||||
* Does this change touch sensitive data such as tokens, keys, or user data?
|
||||
|
||||
* Does this change alter the API in a way that may impact security, such as
|
||||
a new way to access sensitive information or a new way to login?
|
||||
|
||||
* Does this change involve cryptography or hashing?
|
||||
|
||||
* Does this change require the use of sudo or any elevated privileges?
|
||||
|
||||
* Does this change involve using or parsing user-provided data? This could
|
||||
be directly at the API level or indirectly such as changes to a cache layer.
|
||||
|
||||
* Can this change enable a resource exhaustion attack, such as allowing a
|
||||
single API interaction to consume significant server resources? Some examples
|
||||
of this include launching subprocesses for each connection, or entity
|
||||
expansion attacks in XML.
|
||||
|
||||
For more detailed guidance, please see the OpenStack Security Guidelines as
|
||||
a reference (https://wiki.openstack.org/wiki/Security/Guidelines). These
|
||||
guidelines are a work in progress and are designed to help you identify
|
||||
security best practices. For further information, feel free to reach out
|
||||
to the OpenStack Security Group at openstack-security@lists.openstack.org.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
Please specify any changes to notifications. Be that an extra notification,
|
||||
changes to an existing notification, or removing a notification.
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
Aside from the API, are there other ways a user will interact with this feature?
|
||||
|
||||
* Does this change have an impact on python client? What does the user
|
||||
interface there look like?
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Describe any potential performance impact on the system, for example
|
||||
how often will new code be called, and is there a major change to the calling
|
||||
pattern of existing code.
|
||||
|
||||
Examples of things to consider here include:
|
||||
|
||||
* A periodic task might look like a small addition but if it calls conductor or
|
||||
another service the load is multiplied by the number of nodes in the system.
|
||||
|
||||
* A small change in a utility function or a commonly used decorator can have a
|
||||
large impacts on performance.
|
||||
|
||||
* Calls which result in a database queries (whether direct or via conductor) can
|
||||
have a profound impact on performance when called in critical sections of the
|
||||
code.
|
||||
|
||||
* Will the change include any locking, and if so what considerations are there on
|
||||
holding the lock?
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
Discuss things that will affect how you deploy and configure OpenStack
|
||||
that have not already been mentioned, such as:
|
||||
|
||||
* What config options are being added? Should they be more generic than
|
||||
proposed (for example a flag that other hypervisor drivers might want to
|
||||
implement as well)? Are the default values ones which will work well in
|
||||
real deployments?
|
||||
|
||||
* Is this a change that takes immediate effect after its merged, or is it
|
||||
something that has to be explicitly enabled?
|
||||
|
||||
* If this change is a new binary, how would it be deployed?
|
||||
|
||||
* Please state anything that those doing continuous deployment, or those
|
||||
upgrading from the previous release, need to be aware of. Also describe
|
||||
any plans to deprecate configuration values or features. For example, if we
|
||||
change the directory name that instances are stored in, how do we handle
|
||||
instance directories created before the change landed? Do we move them? Do
|
||||
we have a special case in the code? Do we assume that the operator will
|
||||
recreate all the instances in their cloud?
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
Discuss things that will affect other developers working on OpenStack,
|
||||
such as:
|
||||
|
||||
* If the blueprint proposes a change to the API, discussion of how other
|
||||
plugins would implement the feature is required.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Who is leading the writing of the code? Or is this a blueprint where you're
|
||||
throwing it out there to see who picks it up?
|
||||
|
||||
If more than one person is working on the implementation, please designate the
|
||||
primary author and contact.
|
||||
|
||||
Primary assignee:
|
||||
<launchpad-id or None>
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
Work items or tasks -- break the feature up into the things that need to be
|
||||
done to implement it. Those parts might end up being done by different people,
|
||||
but we're mostly trying to understand the timeline for implementation.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
* Include specific references to specs and/or blueprints in other
|
||||
projects, that this one either depends on or is related to.
|
||||
|
||||
* If this requires functionality of another project that is not currently used
|
||||
by Neutron (such as the glance v2 API when we previously only required v1),
|
||||
document that fact.
|
||||
|
||||
* Does this feature require any new library dependencies or code otherwise not
|
||||
included in OpenStack? Or does it depend on a specific version of library?
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Please discuss how the change will be tested. We especially want to know what
|
||||
tempest tests will be added. It is assumed that unit test coverage will be
|
||||
added so that doesn't need to be mentioned explicitly, but discussion of why
|
||||
you think unit tests are sufficient and we don't need to add more tempest
|
||||
tests would need to be included.
|
||||
|
||||
Is this untestable in gate given current limitations (specific hardware /
|
||||
software configurations available)? If so, are there mitigation plans (3rd
|
||||
party testing, gate enhancements, etc).
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
What is the impact on the docs team of this change? Some changes might require
|
||||
donating resources to the docs team to have the documentation updated. Don't
|
||||
repeat details discussed above, but please reference them here.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
Please add any useful references here. You are not required to have any
|
||||
reference. Moreover, this specification should still make sense when your
|
||||
references are unavailable. Examples of what you could include are:
|
||||
|
||||
* Links to mailing list or IRC discussions
|
||||
|
||||
* Links to notes from a summit session
|
||||
|
||||
* Links to relevant research, if appropriate
|
||||
|
||||
* Related specifications as appropriate (e.g. link any vendor documentation)
|
||||
|
||||
* Anything else you feel it is worthwhile to refer to
|
129
specs/liberty/gbp-inject-default-route-attr.rst
Normal file
129
specs/liberty/gbp-inject-default-route-attr.rst
Normal file
@ -0,0 +1,129 @@
|
||||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Allow control of default route injection
|
||||
==========================================
|
||||
|
||||
Launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/group-based-policy/+spec/inject-default-route
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
For every PTG that is created and associated with a subnet, a default
|
||||
gateway is set for that subnet. A route to this default gateway is
|
||||
injected automtically whenever a VM obtains a DHCP IP.
|
||||
|
||||
When a VM is associated with more than one PTG, it can get a default
|
||||
route for the subnet associated every PTG. This can lead to one default
|
||||
route overriding another one and might not be desirable in certain cases.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
It is proposed to add a new attribute to the l2_policy resource, that will allow
|
||||
suppressing the default route propagation for all PTGs associated with this
|
||||
l2_policy. The current default behavior will be maintained that the default
|
||||
route is always propagated. This change will be backward compatible.
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
A new boleean attribute "inject_default_route" will be added to the L2Policy
|
||||
table.
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
A new optional attribute "inject_default_route" is added to the l2_policy resource:
|
||||
|
||||
'inject_default_route': {'allow_post': True, 'allow_put': True,
|
||||
'default': True, 'is_visible': True,
|
||||
'convert_to': attr.convert_to_boolean,
|
||||
'required': False},
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
|
||||
Community impact
|
||||
----------------
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
* Sumit Naiksatam (snaiksat)
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Tempest tests
|
||||
-------------
|
||||
|
||||
|
||||
Functional tests
|
||||
----------------
|
||||
|
||||
|
||||
API tests
|
||||
---------
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
User documentation
|
||||
------------------
|
||||
|
||||
|
||||
Developer documentation
|
||||
-----------------------
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
Loading…
Reference in New Issue
Block a user