Debian Patches
Status for neutron/2:28.0.0-8
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| fix-path-of-healthcheck_disable.patch | Fix path of healthcheck_disable | Thomas Goirand <zigo@debian.org> | no | | | 2022-11-14 |
| fix-teardown.patch | <short summary of the patch> TODO: Put a short summary on the line above and replace this paragraph with a longer explanation of this change. Complete the meta-information with other relevant fields (see below for details). To make it easier, the information below has been extracted from the changelog. Adjust it or drop it. neutron (2:27.0.1-5) UNRELEASED; urgency=medium * Back to old unit test list. | Thomas Goirand <zigo@debian.org> | no | | | |
| neutron-keepalived-state-change_as_dash_script.patch | Replace keepalived-state-change by a dash script This patch replaces the Python script to monitor the "keepalived" status of a router instance with a bash script. The Python implementation of the keepalived state change monitor consumed approximately 100MB of RAM per router monitor process. This becomes problematic when running many HA routers on a single node. This patch replaces the Python daemon with a lightweight POSIX shell script (dash-compatible) that consumes only ~6MB of RAM per router monitor (this includes all child processes, including "ip"), representing a 17x improvement in memory efficiency. Key changes: - New shell script: bin/neutron-keepalived-state-change * Uses /bin/sh (dash on Debian/Ubuntu) for minimal memory footprint * No bashisms to ensure portability across distributions * Proper signal handling and cleanup of child processes - Added new logging configuration options in conf/agent/l3/config.py to allow central logging instead of one log per router spread across many ha_confs folders: * per_router_log_files: Include router ID in log filename * router_log_files_in_ha_confs: Store logs in router's ha_confs dir * No change of previous behavior - Memory usage comparison: * Old Python implementation: ~100 MB per router monitor * New shell implementation: ~6 MB per router monitor * Savings: ~94 MB per router (94% reduction) * For a node with 250 HA routers: ~25 GB of RAM saved This also improves the stability. This shell script does not use threads to monitor the IP addresses, as in the Python script. It uses an "ip -o monitor" context that exits every second and acts on its output. Also, upon l3-agent startup, the L3NATAgent class will check for all processes of currently active routers on the agent by listing all files under: /var/lib/neutron/external/pids/*.monitor.pid.neutron-keepalived-state-change-monitor, kills them via privsep, and deletes the file, so that a new process may be spawned instead. | Thomas Goirand <zigo@debian.org> | no | | | 2026-05-12 |
| OSSA-2026-016_Fix_plural_policy_names_in_tagging_controller_and_floatingip_policy.patch | OSSA-2026-016: Fix plural policy names in tagging controller and floatingip policy The TaggingController.create() and update() methods enforce policy action names using the plural collection key (e.g. create_networks:tags) instead of the singular member name (e.g. create_network:tags). Since the registered policy rules use the singular form, the unmatched plural names fall through to oslo.policy's default rule, allowing project readers to mutate tags on same-project resources. Fix the delete_floatingips:tags policy rule name (should be singular delete_floatingip:tags) and add a unit test that validates _get_policy_action produces the correct singular form for all supported resources and actions, and that each generated name matches an actually registered policy rule. diff --git a/neutron/conf/policies/floatingip.py b/neutron/conf/policies/floatingip.py index 9a3eaaf..ae99279 100644 | Rodolfo Alonso Hernandez <ralonsoh@redhat.com> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/neutron/+/989374 | 2026-05-28 |
| OSSA-2026-021_Fix_port_RBAC_policies_to_require_network_ownership.patch | OSSA-2026-021: Fix port RBAC policies to require network ownership Several default port policies that require network ownership incorrectly included PROJECT_MANAGER. That rule checks the port project_id, not network ownership, so any project manager could perform those actions on shared/RBAC networks where they do not own the network. Remove PROJECT_MANAGER from the affected create/update port policies and rely on NET_OWNER_MEMBER or ADMIN_OR_NET_OWNER_MEMBER instead. Project managers who own the network remain authorized through the default Keystone role implication chain (manager implies member). diff --git a/neutron/conf/policies/base.py b/neutron/conf/policies/base.py index 9573eb9..63765c8 100644 | Rodolfo Alonso Hernandez <ralonsoh@redhat.com> | yes | debian upstream | upstream, https://review.opendev.org/c/openstack/neutron/+/990353 | 2026-06-04 |
All known versions for source package 'neutron'
- 2:28.0.0-8 (sid, forky)
- 2:26.0.3-0+deb13u2 (trixie-security, trixie-proposed-updates)
- 2:26.0.0-9 (trixie)
- 2:21.0.0-7 (bookworm)
