ML2 driver does not support enable_security_group configuration

Bug #1588935 reported by Richard Theis
This bug affects 1 person
Affects: networking-ovn
Status: Fix Released
Importance: Undecided
Assigned to: Richard Theis

Bug Description

The ML2 enable_security_group option under [securitygroup] in ml2_conf.ini is not supported. That is, security groups will always be enabled regardless of the enable_security_group setting.

In addition, the ML2 firewall_driver option under [securitygroup] in ml2_conf.ini should be left as None when deploying with DevStack and documented as not needed. Optionally, a message could be logged if the firewall_driver option is set, since it is ignored.

The default value for enable_security_group is True and the default value for firewall_driver is None, which would enable security groups (i.e. OVN ACLs) by default, which matches the default for the old OVN core plugin.

Changed in networking-ovn:
assignee: nobody → Richard Theis (rtheis)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-ovn (master)

Fix proposed to branch: master
Review: https://review.openstack.org/326669

Changed in networking-ovn:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to networking-ovn (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/326712

OpenStack Infra (hudson-openstack) wrote : Related fix merged to networking-ovn (master)

Reviewed: https://review.openstack.org/326712
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=20442fa568fbe37709b28c57a90c3c7a33a24c05
Submitter: Jenkins
Branch: master

commit 20442fa568fbe37709b28c57a90c3c7a33a24c05
Author: Richard Theis <email address hidden>
Date: Tue Jun 7 14:28:55 2016 -0500

    Add more config validation to neutron-ovn-db-sync-util

    Running neutron-ovn-db-sync-util without the --config-file options
    may lead to different OVN NB synchronization results compared to the
    synchronization completed when OVN ML2 mechanism driver is started.
    As a result, documentation has been updated to note that the config
    files should be specified. In addition, 'ovn' must now be in the
    mechanism drivers list. This will help ensure that callers specify
    the correct configuration files.

    Change-Id: Id33360756b68e2f5a1f8f7338bfbf6d9279e29af
    Related-Bug: #1588935

OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (master)

Reviewed: https://review.openstack.org/326669
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=d1346339befb2b71c46d3423399f712c4607a7e4
Submitter: Jenkins
Branch: master

commit d1346339befb2b71c46d3423399f712c4607a7e4
Author: Richard Theis <email address hidden>
Date: Tue Jun 7 06:07:01 2016 -0500

    Support ML2 option to enable security groups

    Add support for the ML2 enable_security_group option under [securitygroup]
    in ml2_conf.ini. This option is set to True by default and will control
    whether or not ACLs are applied to ports and the port binding value for
    CAP_PORT_FILTER.

    Also, update devstack plugin to set enable_security_group based on
    Q_USE_SECGROUP and comment out firewall_driver since it isn't used by OVN.

    And finally, add the security group options to the neutron-ovn-db-sync-util
    command.

    Change-Id: I73ca9a34ea34f781cbec5680b44e98da309365bb
    Closes-Bug: #1588935

Changed in networking-ovn:
status: In Progress → Fix Released
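
The settings discussed in this report can be checked in a deployed ml2_conf.ini before relying on OVN ACLs for port filtering. The following is an added example, not code from networking-ovn: the function name `audit_ml2_conf` and both sample files are constructed here, and it assumes a single file parsed with Python's configparser rather than the merged oslo.config view that Neutron uses.

```python
import configparser

# Constructed sample ml2_conf.ini contents (not taken from a real deployment).
SAMPLE_WEAK = """\
[ml2]
mechanism_drivers = openvswitch,logger

[securitygroup]
enable_security_group = False
firewall_driver = iptables_hybrid
"""

SAMPLE_OK = """\
[ml2]
mechanism_drivers = ovn,logger

[securitygroup]
enable_security_group = True
"""


def audit_ml2_conf(text):
    """Return a list of (option, message) findings for one ml2_conf.ini text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []

    # The sync utility fix requires 'ovn' in the mechanism drivers list.
    drivers = cp.get("ml2", "mechanism_drivers", fallback="")
    if "ovn" not in [d.strip() for d in drivers.split(",")]:
        findings.append(("mechanism_drivers", "'ovn' is not in the mechanism drivers list"))

    # enable_security_group defaults to True when the option is absent.
    try:
        enabled = cp.getboolean("securitygroup", "enable_security_group", fallback=True)
    except ValueError:
        enabled = None
        findings.append(("enable_security_group", "value is not a boolean"))
    if enabled is False:
        findings.append(("enable_security_group", "ACLs will not be applied to ports"))

    # firewall_driver is not used by OVN, so any value set here has no effect.
    if cp.get("securitygroup", "firewall_driver", fallback="").strip():
        findings.append(("firewall_driver", "set but not used by OVN"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit_ml2_conf(text))
```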