[OVN] Missing OVN ACLs for security groups that utilize remote groups attached to ports with allowed_address_pairs

Bug #1908382 reported by Krzysztof Klimonda
This bug affects 4 people
Affects: neutron
Status: Won't Fix
Importance: High
Assigned to: Unassigned
Milestone:

Bug Description

See mailing list thread started at http://lists.openstack.org/pipermail/openstack-discuss/2020-December/019442.html

Bug discovered during Magnum testing in Ussuri, where pods deployed on different nodes could not communicate with each other - it has been traced to incorrect OVN ACLs for this specific scenario:

- neutron port with additional subnet added to allowed_address_pairs
- security group created with a remote group set for both TCP and UDP, to allow traffic between subnet defined in allowed_address_pairs

It resulted in TCP and UDP being dropped by OVN.
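
A diagnostic sketch for the scenario described above, added here as an example and not taken from the bug report or from neutron. It assumes that a remote-group rule should admit every member port's fixed IPs and allowed_address_pairs entries, and it reports the ones not covered by a list of addresses the operator has read out of the corresponding OVN address set. The port dictionaries use the Neutron port API field names; the sample ports, the group name `sg-k8s` and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample ports, shaped like Neutron API port objects.
PORTS = [
    {"id": "port-a", "security_groups": ["sg-k8s"],
     "fixed_ips": [{"ip_address": "10.0.0.5"}],
     "allowed_address_pairs": [{"ip_address": "10.100.0.0/16"}]},
    {"id": "port-b", "security_groups": ["sg-k8s"],
     "fixed_ips": [{"ip_address": "10.0.0.6"}],
     "allowed_address_pairs": [{"ip_address": "10.100.0.0/16"}]},
    {"id": "port-c", "security_groups": ["sg-other"],
     "fixed_ips": [{"ip_address": "10.0.0.9"}],
     "allowed_address_pairs": []},
]


def expected_remote_sources(ports, remote_group_id):
    """Networks a rule with this remote group is assumed to admit."""
    nets = set()
    for port in ports:
        if remote_group_id not in port.get("security_groups", []):
            continue  # port is not a member of the remote group
        for fixed in port.get("fixed_ips", []):
            nets.add(ipaddress.ip_network(fixed["ip_address"]))
        # allowed_address_pairs entries may be single IPs or whole CIDRs
        for pair in port.get("allowed_address_pairs", []):
            nets.add(ipaddress.ip_network(pair["ip_address"], strict=False))
    return nets


def uncovered_sources(ports, remote_group_id, observed_entries):
    """Expected sources that no observed address-set entry covers."""
    observed = [ipaddress.ip_network(e, strict=False) for e in observed_entries]
    missing = []
    for net in expected_remote_sources(ports, remote_group_id):
        # Compare versions first: subnet_of() raises on mixed IPv4/IPv6.
        if not any(net.version == o.version and net.subnet_of(o)
                   for o in observed):
            missing.append(str(net))
    return sorted(missing)


if __name__ == "__main__":
    # Constructed observation: the address set holds only the fixed IPs.
    print(uncovered_sources(PORTS, "sg-k8s", ["10.0.0.5", "10.0.0.6"]))
```

A non-empty result for a group whose members carry allowed_address_pairs matches the symptom in this report: traffic sourced from the extra subnet is not matched by the remote-group ACL.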

Hongbin Lu (hongbin.lu)
Changed in neutron:
importance: Undecided → High
status: New → Confirmed
tags: added: ovn
Bartosz Bezak (bbezak) wrote :

One possible workaround to this issue in Magnum is to use Calico overlay.
Can be set with cluster template label:
calico_ipv4pool_ipip=Always

Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

tags: added: timeout-abandon
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by "Slawek Kaplonski <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/772983
Reason: This review is > 4 weeks without comment, and failed Zuul jobs the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Lars Wiegman (lars-fuga) wrote :

I am experiencing the same issue with Magnum Ussuri in combination with OVN and would like to know what is holding back the patch.

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by "Michal Nasiadka <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/772983
Reason: seems to not be needed anymore

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 14.0.0.0rc1

This issue was fixed in the openstack/magnum 14.0.0.0rc1 release candidate.

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Bug closed due to lack of activity, please feel free to reopen if needed.

Changed in neutron:
status: In Progress → Won't Fix