inmanta-module-openstack 5.0.0__tar.gz → 5.0.1__tar.gz

{inmanta_module_openstack-5.0.0 → inmanta_module_openstack-5.0.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: inmanta-module-openstack
-Version: 5.0.0
+Version: 5.0.1
 License: Apache 2.0
 Requires-Dist: inmanta-module-ssh
 Requires-Dist: inmanta-module-std

{inmanta_module_openstack-5.0.0 → inmanta_module_openstack-5.0.1}/inmanta_module_openstack.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: inmanta-module-openstack
-Version: 5.0.0
+Version: 5.0.1
 License: Apache 2.0
 Requires-Dist: inmanta-module-ssh
 Requires-Dist: inmanta-module-std

{inmanta_module_openstack-5.0.0 → inmanta_module_openstack-5.0.1}/inmanta_plugins/openstack/network/network.py

@@ -16,6 +16,7 @@ limitations under the License.
 Contact: code@inmanta.com
 """
 
+import time
 from typing import Any
 
 from inmanta.agent import handler
@@ -156,7 +157,7 @@ class NetworkHandler(OpenStackHandler):
         if "external" in changes:
             self.network.is_router_external = resource.external
         if "port_security_enabled" in changes:
-            self.network.port_security_enabled = resource.port_security_enabled
+            self.network.is_port_security_enabled = resource.port_security_enabled
         if "mtu" in changes:
             self.network.mtu = resource.mtu
         if "segmentation_id" in changes:
@@ -172,10 +173,64 @@ class NetworkHandler(OpenStackHandler):
             else:
                 self.network.qos_policy_id = None
 
-        self.network = self._connection.network.update_network(self.network)
+        if "segmentation_id" in changes:
+            self._update_network_with_rebind(ctx)
+        else:
+            self.network = self._connection.network.update_network(self.network)
+
         ctx.fields_updated(tuple(changes.keys()))
         ctx.set_updated()
 
+    def _update_network_with_rebind(self, ctx: handler.HandlerContext) -> None:
+        """Update self.network after temporarily unbinding any bound ports.
+
+        Neutron ML2 rejects provider:segmentation_id updates when any port on
+        the network has a binding:vif_type other than 'unbound'/'binding_failed'.
+        Clearing binding:host_id forces ML2 to drop the binding; the agent
+        re-binds automatically once host_id is restored.
+
+        TODO: Persist original host_id in port metadata/tags before unbinding,
+        and recover possibly leaked bindings on next deploy (refer to #534).
+        """
+        saved_host_ids: dict[str, str] = {}
+        ports = list(self._connection.network.ports(network_id=self.network.id))
+        for port in ports:
+            if port.binding_vif_type not in ("unbound", "binding_failed"):
+                saved_host_ids[port.id] = port.binding_host_id or ""
+                self._connection.network.update_port(port.id, binding_host_id="")
+                ctx.debug(
+                    "Cleared binding:host_id on port %(port_id)s "
+                    "(was %(host)r) to allow segmentation_id update",
+                    port_id=port.id,
+                    host=saved_host_ids[port.id],
+                )
+
+        try:
+            if saved_host_ids:
+                deadline = time.monotonic() + 60
+                pending = set(saved_host_ids)
+                while pending and time.monotonic() < deadline:
+                    time.sleep(1)
+                    for port_id in list(pending):
+                        port = self._connection.network.get_port(port_id)
+                        if port.binding_vif_type in ("unbound", "binding_failed"):
+                            pending.discard(port_id)
+                if pending:
+                    raise TimeoutError(
+                        f"Timed out waiting for ports to unbind before "
+                        f"segmentation_id update. Ports still bound: {list(pending)}"
+                    )
+
+            self.network = self._connection.network.update_network(self.network)
+        finally:
+            for port_id, host_id in saved_host_ids.items():
+                self._connection.network.update_port(port_id, binding_host_id=host_id)
+                ctx.debug(
+                    "Restored binding:host_id on port %(port_id)s to %(host)r",
+                    port_id=port_id,
+                    host=host_id,
+                )
+
     def _set_facts(self, ctx):
         ctx.set_fact("network_id", self.network.id, expires=False)
         ctx.set_fact("status", self.network.status, expires=True)

{inmanta_module_openstack-5.0.0 → inmanta_module_openstack-5.0.1}/inmanta_plugins/openstack/setup.cfg

@@ -22,7 +22,7 @@ target-version = 'py36', 'py37', 'py38'
 name = inmanta-module-openstack
 freeze_recursive = False
 freeze_operator = ~=
-version = 5.0.0
+version = 5.0.1
 license = Apache 2.0
 
 [egg_info]

{inmanta_module_openstack-5.0.0 → inmanta_module_openstack-5.0.1}/setup.cfg

@@ -22,7 +22,7 @@ target-version = 'py36', 'py37', 'py38'
 name = inmanta-module-openstack
 freeze_recursive = False
 freeze_operator = ~=
-version = 5.0.0
+version = 5.0.1
 license = Apache 2.0
 
 [egg_info]

{inmanta_module_openstack-5.0.0 → inmanta_module_openstack-5.0.1}/tests/test_neutron.py

@@ -25,6 +25,58 @@ import pytest
 from conftest import assert_dryrun_deploy_dryrun
 
 
+def test_network_update(project, os_tester):
+
+    def get_model(port_security_enabled: bool):
+        return f"""
+        import unittest
+        project = openstack::Project(
+            provider=provider,
+            name=provider.project_name,
+            description="",
+            enabled=true,
+            managed=false
+        )
+        openstack::Network(
+            provider=provider,
+            name="test_net",
+            project=project,
+            external=true,
+            mtu=1000,
+            port_security_enabled={str(port_security_enabled).lower()},
+        )
+        """
+
+    network_name = "test_net"
+    try:
+        # Create network
+        os_tester.compile_with_provider(get_model(port_security_enabled=True))
+
+        assert project.dryrun_resource("openstack::Network", name=network_name)
+        project.deploy_resource("openstack::Network", name=network_name)
+        assert not project.dryrun_resource("openstack::Network", name=network_name)
+
+        networks = list(os_tester.connection.network.networks(name=network_name))
+        assert len(networks) == 1
+        assert networks[0].is_port_security_enabled
+
+        # Update network
+        os_tester.compile_with_provider(get_model(port_security_enabled=False))
+
+        assert project.dryrun_resource("openstack::Network", name=network_name)
+        project.deploy_resource("openstack::Network", name=network_name)
+        assert not project.dryrun_resource("openstack::Network", name=network_name)
+
+        networks = list(os_tester.connection.network.networks(name=network_name))
+        assert len(networks) == 1
+        assert not networks[0].is_port_security_enabled
+    finally:
+        # cleanup
+        networks = os_tester.connection.network.networks(name=network_name)
+        for network in networks:
+            os_tester.connection.network.delete_network(network)
+
+
 def test_net(project, os_tester):
     try:
         os_tester.compile_with_provider("""
@@ -1316,19 +1368,28 @@ def test_qos_policy(project, os_tester, require_network_extension):
 @pytest.fixture
 def segmentation_id_network(os_tester):
     net_name = "test_update_seg_id"
-    yield net_name
-    networks = os_tester.connection.network.networks(name=net_name)
-    for network in networks:
-        os_tester.connection.network.delete_network(network)
+    subnet_name = "test_update_seg_id_subnet"
+    yield net_name, subnet_name
+    conn = os_tester.connection
+    for subnet in conn.network.subnets(name=subnet_name):
+        conn.network.delete_subnet(subnet, ignore_missing=True)
+    for network in conn.network.networks(name=net_name):
+        conn.network.delete_network(network, ignore_missing=True)
 
 
 def test_update_segmentation_id(project, os_tester, segmentation_id_network):
     """
-    Test that segmentation_id can be updated on an existing network.
+    Test that segmentation_id can be updated on an existing network that has a
+    DHCP-enabled subnet.  When the DHCP agent has bound a port, the handler must
+    temporarily clear binding:host_id on those ports so ML2 accepts the update,
+    then restore it so the agent re-binds on the new VLAN.
     """
-    net_name = segmentation_id_network
+    import time as _time
+
+    net_name, subnet_name = segmentation_id_network
+    conn = os_tester.connection
 
-    # Create network with initial segmentation_id
+    # Create network + subnet with initial segmentation_id.
     os_tester.compile_with_provider(f"""
     import unittest
     project = openstack::Project(provider=provider, name=provider.project_name, description="", enabled=true, managed=false)
@@ -1339,16 +1400,51 @@ def test_update_segmentation_id(project, os_tester, segmentation_id_network):
         network_type="vlan",
         physical_network="physnet1",
         segmentation_id=742,
+    )
+    subnet = openstack::Subnet(
+        provider=provider,
+        project=project,
+        network=n,
+        dhcp=true,
+        name="{subnet_name}",
+        network_address="192.168.242.0/24",
     )
         """)
 
     assert_dryrun_deploy_dryrun(project, "openstack::Network", name=net_name)
+    assert_dryrun_deploy_dryrun(project, "openstack::Subnet", name=subnet_name)
 
-    networks = list(os_tester.connection.network.networks(name=net_name))
+    networks = list(conn.network.networks(name=net_name))
     assert len(networks) == 1
+    network_id = networks[0].id
     assert networks[0].provider_segmentation_id == 742
 
-    # Update segmentation_id to a new value
+    # Wait up to 5 minutes for the DHCP agent to fully bind a port: vif_type must be
+    # neither 'unbound' nor 'binding_failed', AND binding_host_id must be set.
+    # Both conditions are required to exercise the handler's ML2 rebind path.
+    # Agent binding can take on the order of minutes depending on the environment.
+    bound_ports_before: dict[str, str] = {}
+    deadline = _time.monotonic() + 300
+    while _time.monotonic() < deadline:
+        for port in conn.network.ports(
+            network_id=network_id, device_owner="network:dhcp"
+        ):
+            if (
+                port.binding_vif_type not in ("unbound", "binding_failed")
+                and port.binding_host_id
+            ):
+                bound_ports_before[port.id] = port.binding_host_id
+        if bound_ports_before:
+            break
+        _time.sleep(5)
+
+    assert bound_ports_before, (
+        "No fully-bound DHCP port (vif_type != unbound/binding_failed AND "
+        "binding_host_id set) appeared on the network within 5 minutes. "
+        "Cannot verify the ML2 rebind path."
+    )
+
+    # Update segmentation_id — handler must unbind, update, and rebind.
     os_tester.compile_with_provider(f"""
     import unittest
     project = openstack::Project(provider=provider, name=provider.project_name, description="", enabled=true, managed=false)
@@ -1359,15 +1455,31 @@ def test_update_segmentation_id(project, os_tester, segmentation_id_network):
         network_type="vlan",
         physical_network="physnet1",
         segmentation_id=3817,
+    )
+    subnet = openstack::Subnet(
+        provider=provider,
+        project=project,
+        network=n,
+        dhcp=true,
+        name="{subnet_name}",
+        network_address="192.168.242.0/24",
     )
         """)
 
     assert_dryrun_deploy_dryrun(project, "openstack::Network", name=net_name)
 
-    networks = list(os_tester.connection.network.networks(name=net_name))
+    networks = list(conn.network.networks(name=net_name))
     assert len(networks) == 1
     assert networks[0].provider_segmentation_id == 3817
 
+    # Verify binding:host_id was restored on every port that was bound before.
+    for port_id, expected_host in bound_ports_before.items():
+        port = conn.network.get_port(port_id)
+        assert port.binding_host_id == expected_host, (
+            f"Port {port_id} binding_host_id was not restored: "
+            f"expected {expected_host!r}, got {port.binding_host_id!r}"
+        )
+
     # Cleanup
     os_tester.compile_with_provider(f"""
     import unittest
@@ -1377,10 +1489,19 @@ def test_update_segmentation_id(project, os_tester, segmentation_id_network):
         name="{net_name}",
         project=project,
         purged=true,
+    )
+    subnet = openstack::Subnet(
+        provider=provider,
+        project=project,
+        network=n,
+        dhcp=true,
+        name="{subnet_name}",
+        network_address="192.168.242.0/24",
+        purged=true,
     )
         """)
 
+    assert_dryrun_deploy_dryrun(project, "openstack::Subnet", name=subnet_name)
     assert_dryrun_deploy_dryrun(project, "openstack::Network", name=net_name)
 
-    networks = list(os_tester.connection.network.networks(name=net_name))
-    assert len(networks) == 0
+    assert len(list(conn.network.networks(name=net_name))) == 0