OVS native firewall driver does not work
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| kolla-ansible | Fix Released | High | Radosław Piliszek | |
| Rocky | Fix Released | High | Radosław Piliszek | |
| Stein | Fix Released | High | Radosław Piliszek | |
| Train | Fix Released | High | Radosław Piliszek | |
| Ussuri | Fix Released | High | Radosław Piliszek | |
Bug Description
A lot of such entries are being generated by neutron-ovs-agent when ovs native firewall driver is being used:
2020-03-14 15:34:39.761 6 ERROR neutron.
2020-03-14 15:34:39.762 6 ERROR neutron.
The reason is neutron-ovs-agent still calls ovs-ofctl behind the scenes. This path is deprecated by Neutron for removal in Victoria but currently ovs native firewall driver relies on it.
The bug has been caused by the /run mount removal. See: https:/
/run/openvswitch must still be mounted in neutron-ovs-agent.
Triage: https:/
The observed effect is that security group rules are silently (except for non-fatal error messages in logs) not applied and all the traffic is accepted.
Fix proposed to branch: master
Review: https://review.opendev.org/713129
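A host-side check for the condition this report describes, as an added example that is not part of the original bug report or of kolla-ansible: it reads `docker inspect` JSON and lists containers with no mount covering `/run/openvswitch`. The container name and the sample JSON are constructed assumptions; a mount of `/run` itself is also accepted, since the report attributes the bug to the removal of the `/run` mount.

```python
import json
from pathlib import PurePosixPath

OVS_RUN_DIR = PurePosixPath("/run/openvswitch")  # path named in the report
ROOT = PurePosixPath("/")

def _sample(name, destinations):
    """Build constructed `docker inspect` JSON with only the fields used here."""
    mounts = [{"Type": "bind", "Source": d, "Destination": d} for d in destinations]
    return json.dumps([{"Name": "/" + name, "Mounts": mounts}])

# Constructed samples; the container name is an assumption, not from the report.
AGENT = "neutron_openvswitch_agent"
SAMPLE_BROKEN = _sample(AGENT, ["/example/config", "/example/logs"])
SAMPLE_FIXED = _sample(AGENT, ["/example/config", "/run/openvswitch"])
SAMPLE_LEGACY = _sample(AGENT, ["/example/config", "/run"])

def covers(destination, needed=OVS_RUN_DIR):
    """True if a mount at `destination` makes `needed` visible in the container."""
    dest = PurePosixPath(destination)
    if not dest.is_absolute() or dest == ROOT:
        return False
    # Compare path components, so /run/openvswitch-old does not match.
    return dest == needed or dest in needed.parents

def containers_missing_ovs_run(inspect_json):
    """Names of containers in `docker inspect` output with no covering mount."""
    missing = []
    for container in json.loads(inspect_json):
        mounts = container.get("Mounts") or []
        if not any(covers(m.get("Destination", "")) for m in mounts):
            missing.append(container.get("Name", "<unnamed>").lstrip("/"))
    return missing

if __name__ == "__main__":
    for label, sample in [("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED),
                          ("legacy /run", SAMPLE_LEGACY)]:
        print(label, "->", containers_missing_ovs_run(sample) or "ok")
```

Because the failure described above leaves all traffic accepted with only non-fatal log errors, a non-empty result from this check on a host is worth treating as an alert rather than a warning.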