Migration to port groups will reference old address sets in ACLs

Bug #1790118 reported by Daniel Alvarez
Affects: networking-ovn | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

When migrating from Address Sets to Port Groups, the last step is to delete the old Address Sets to reduce dataplane downtime. However, when we're creating the new ACLs we check for the existence of those Address Sets and place wrong match actions:

https://github.com/openstack/networking-ovn/blob/6d93783cfd0a8e90d74f70b8134d8a5df621f6d5/networking_ovn/common/acl.py#L321

    if (ovn and ovn.is_port_groups_supported() and
            not ovn.get_address_set(r['security_group_id'])):

We don't expect ovn.get_address_set to return any valid Address Set for that SG id but, since we haven't yet deleted them, it'll pick it up and place a wrong action on the ACL like:

match : "((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (outport == @pg_7b8938a6_4568_4fa5_9ff2_1b8095f7685c && ip4 && ip4.src == $as_ip4_7b8938a6_4568_4fa5_9ff2_1b8095f7685c)"
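
The decision that goes wrong is the one quoted above from acl.py: while the old Address Sets still exist, the `not ovn.get_address_set(...)` branch is skipped and the new ACL ends up matching on `$as_ip4_<sg>`, a set that the last migration step deletes. The following is an added illustration, not networking-ovn's code: a stand-in for the NB API with the two checks side by side (the pre-fix check, and the fixed one that always picks the Port Group's auto-generated set when the schema supports Port Groups), plus a small function that flags ACL matches still referencing a legacy set. The `pg_<sg>_<ipversion>` naming for the auto-generated set and the `FakeOvnNb` object are assumptions; the `as_<ipversion>_<sg>` naming follows the match string in the report.

```python
"""Remote-group match selection during the Address Set -> Port Group migration.

Constructed example, not networking-ovn code. It models only the decision that
the bug report points at, using a fake NB API object.
"""


class FakeOvnNb:
    """Constructed stand-in for the OVN NB API used by the acl.py check."""

    def __init__(self, port_groups_supported, legacy_address_sets):
        self._pg_supported = port_groups_supported
        # SG ids whose legacy Address Set has not been deleted yet.
        self._legacy = set(legacy_address_sets)

    def is_port_groups_supported(self):
        return self._pg_supported

    def get_address_set(self, sg_id):
        # Truthy row while the legacy Address Set still exists, else None.
        return {"name": sg_id} if sg_id in self._legacy else None


def _sg(sg_id):
    return sg_id.replace("-", "_")


def legacy_addrset_name(sg_id, ip_version):
    # Legacy per-SG Address Set: as_ip4_<sg>, as seen in the reported match.
    return "as_%s_%s" % (ip_version, _sg(sg_id))


def pg_addrset_name(sg_id, ip_version):
    # Address Set that core OVN generates for the Port Group (assumed name).
    return "pg_%s_%s" % (_sg(sg_id), ip_version)


def remote_group_match_buggy(rule, ip_version, ovn):
    """Pre-fix check: relies on the legacy Address Set being gone already."""
    if not rule["remote_group_id"]:
        return ""
    if (ovn and ovn.is_port_groups_supported() and
            not ovn.get_address_set(rule["security_group_id"])):
        name = pg_addrset_name(rule["remote_group_id"], ip_version)
    else:
        name = legacy_addrset_name(rule["remote_group_id"], ip_version)
    return " && %s.src == $%s" % (ip_version, name)


def remote_group_match_fixed(rule, ip_version, ovn):
    """Fixed check: schema support alone decides which set to reference."""
    if not rule["remote_group_id"]:
        return ""
    if ovn and ovn.is_port_groups_supported():
        name = pg_addrset_name(rule["remote_group_id"], ip_version)
    else:
        name = legacy_addrset_name(rule["remote_group_id"], ip_version)
    return " && %s.src == $%s" % (ip_version, name)


def references_legacy_address_set(match, sg_id, ip_version):
    """True if an ACL match still names the legacy set that migration deletes."""
    return ("$" + legacy_addrset_name(sg_id, ip_version)) in match


def migration_scenario():
    """Mid-migration state: Port Groups supported, legacy sets not yet deleted."""
    sg = "7b8938a6-4568-4fa5-9ff2-1b8095f7685c"  # SG id from the report
    rule = {"security_group_id": sg, "remote_group_id": sg}
    mid_migration = FakeOvnNb(True, [sg])
    no_port_groups = FakeOvnNb(False, [sg])
    return {
        "buggy": remote_group_match_buggy(rule, "ip4", mid_migration),
        "fixed": remote_group_match_fixed(rule, "ip4", mid_migration),
        # Without Port Group support both checks must keep the legacy set.
        "legacy_only": remote_group_match_fixed(rule, "ip4", no_port_groups),
    }


if __name__ == "__main__":
    sg = "7b8938a6-4568-4fa5-9ff2-1b8095f7685c"
    for label, match in migration_scenario().items():
        flag = references_legacy_address_set(match, sg, "ip4")
        print("%-12s %s  [references legacy set: %s]" % (label, match, flag))
```

`references_legacy_address_set` is the check an operator can run over the `match` column of the NB ACL table after migration: any row that still names an `$as_*` set will stop matching once the old Address Sets are removed.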

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (stable/rocky)

Reviewed: https://review.openstack.org/594136
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=55c1a36a1d72a5f4b95b7fdcf647315ecdf526f6
Submitter: Zuul
Branch: stable/rocky

commit 55c1a36a1d72a5f4b95b7fdcf647315ecdf526f6
Author: Daniel Alvarez <email address hidden>
Date: Wed May 23 15:04:07 2018 +0200

    Support Port Groups in networking-ovn

    A new feature has been introduced in core OVN which allows to define
    a group of ports and assign ACLs to those. This patch is making use
    of the new feature if supported by the underlying OVS version.

    As a result we'll be modelling Neutron Security Groups as OVN Port
    Groups and we won't be adding one ACL per Security Group Rule per
    port. Instead, just add one single ACL per Security Group. This will
    also tackle the race conditions that we had for Address Sets as those
    will just be used for Remote Security Groups and will be automatically
    generated/deleted by core OVN in SB database upon Port Group creation/
    deletion.

    The major benefit of this patch is that we'll reduce the number of
    ACL's dramatically, resulting in a performance leap as discussed at:
    https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046166.html

    This patch will address the migration of old Security Groups being
    modelled as Address Sets if the OVN schema supports the feature. This
    migration will be performed from the OvnWorker which is holding a lock
    on the IDL. This ensures that the migration happens from only one worker
    in the cloud and after it's done, all the neutron-server instances are
    ready to use Port Groups.

    NOTE: This also squashes I706199109a3b7dd5339c90b731f8cb8f04ca4f49

    Closes-Bug: #1752897
    Closes-Bug: #1790118
    Co-Authored-By: Lucas Alvares Gomes <email address hidden>
    Change-Id: I35d5ec40c666e92b92b9d664e9615c6fecde595a
    Signed-off-by: Daniel Alvarez <email address hidden>
    (cherry picked from commit f01169b405bb5080a1bc1653f79512eb0664c35d)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 5.0.1

This issue was fixed in the openstack/networking-ovn 5.0.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (master)

Reviewed: https://review.openstack.org/598592
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=26551f85d1102b2de3eab4b468d22bacad3c1f45
Submitter: Zuul
Branch: master

commit 26551f85d1102b2de3eab4b468d22bacad3c1f45
Author: Daniel Alvarez <email address hidden>
Date: Fri Aug 31 12:31:04 2018 +0200

    Fix bug migrating ACLs to Port Groups

    When migrating to Port Groups, we were installing wrong ACLs
    matching on old Address Sets. This was because, during migration
    time, old Address Sets still existed in NB database and we
    were relying on their existence to figure out which one to use.

    This patch fixes it by simply picking the auto generated
    Address Set if Port Groups is supported in the OVSDB schema.

    Change-Id: I706199109a3b7dd5339c90b731f8cb8f04ca4f49
    Closes-Bug: #1790118
    Signed-off-by: Daniel Alvarez <email address hidden>

Changed in networking-ovn:
status: New → Fix Released
tags: added: networking-ovn-proactive-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on networking-ovn (stable/queens)

Change abandoned by Daniel Alvarez (<email address hidden>) on branch: stable/queens
Review: https://review.openstack.org/594138

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 6.0.0.0b1

This issue was fixed in the openstack/networking-ovn 6.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-ovn (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/681563

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on networking-ovn (stable/queens)

Change abandoned by Maciej Józefczyk (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/681563
Reason: Needed to be squashed with https://review.opendev.org/#/c/594138/9 because of failing tests.

tags: added: in-stable-queens
removed: networking-ovn-proactive-backport-potential