Migration to port groups will reference old address sets in ACLs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
networking-ovn | Fix Released | Undecided | Unassigned |
Bug Description
When migrating from Address Sets to Port Groups, the last step is to delete the old Address Sets to reduce dataplane downtime. However, when we're creating the new ACLs we check for the existence of those Address Sets and place wrong match actions:
if (ovn and ovn.is_
not ovn.get_
We don't expect ovn.get_address_set to return any valid Address Set for that SG id but, since we haven't yet deleted them, it'll pick it up and place a wrong action on the ACL like:
match : "((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (outport == @pg_7b8938a6_
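A post-migration check for the condition this report describes, as an added example that is not part of the original report or of networking-ovn: it scans ACL match strings for `$name` Address Set references (in OVN match syntax `$name` is an Address Set and `@name` a Port Group) that point at sets scheduled for deletion. The ACL and set names are constructed sample data, and the function names are hypothetical.

```python
import re

# OVN match syntax: "$name" references an Address Set, "@name" a Port Group.
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
_ADDRESS_SET_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_.]*)')


def address_set_refs(match):
    """Return the Address Set names referenced by an ACL match string."""
    # Drop quoted strings first so a '$' inside a port name is not counted.
    unquoted = _QUOTED.sub('""', match)
    return set(_ADDRESS_SET_REF.findall(unquoted))


def stale_acls(acls, legacy_address_sets):
    """Map ACL name -> legacy Address Sets its match still references."""
    legacy = set(legacy_address_sets)
    findings = {}
    for name, match in acls.items():
        hits = address_set_refs(match) & legacy
        if hits:
            findings[name] = sorted(hits)
    return findings


# Constructed sample data; every name here is hypothetical, not from the report.
LEGACY_SETS = {"as_ip4_example_sg"}
ACLS = {
    # References only the Port Group and its auto-generated Address Set.
    "acl_ok": 'outport == @pg_example_sg && ip4 && ip4.src == $pg_example_sg_ip4',
    # Still references the pre-migration Address Set that is about to be deleted.
    "acl_stale": 'outport == @pg_example_sg && ip4 && ip4.src == $as_ip4_example_sg',
    # '$' appears only inside a quoted port name, so it is not a reference.
    "acl_quoted": 'outport == "port$as_ip4_example_sg" && ip4',
}

if __name__ == "__main__":
    for acl, sets in stale_acls(ACLS, LEGACY_SETS).items():
        print(f"{acl}: references address sets pending deletion: {sets}")
```

Running such a check before the final deletion step shows which ACLs would be left pointing at Address Sets that no longer exist.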
tags: added: networking-ovn-proactive-backport-potential
tags: added: in-stable-queens; removed: networking-ovn-proactive-backport-potential
Reviewed: https://review.openstack.org/594136
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=55c1a36a1d72a5f4b95b7fdcf647315ecdf526f6
Submitter: Zuul
Branch: stable/rocky
commit 55c1a36a1d72a5f4b95b7fdcf647315ecdf526f6
Author: Daniel Alvarez <email address hidden>
Date: Wed May 23 15:04:07 2018 +0200
Support Port Groups in networking-ovn
A new feature has been introduced in core OVN which allows to define
a group of ports and assign ACLs to those. This patch is making use
of the new feature if supported by the underlying OVS version.
As a result we'll be modelling Neutron Security Groups as OVN Port
Groups and we won't be adding one ACL per Security Group Rule per
port. Instead, just add one single ACL per Security Group. This will
also tackle the race conditions that we had for Address Sets as those
will just be used for Remote Security Groups and will be automatically
generated/deleted by core OVN in SB database upon Port Group creation/
deletion.
The major benefit of this patch is that we'll reduce the number of
ACL's dramatically, resulting in a performance leap as discussed at:
https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046166.html
This patch will address the migration of old Security Groups being
modelled as Address Sets if the OVN schema supports the feature. This
migration will be performed from the OvnWorker which is holding a lock
on the IDL. This ensures that the migration happens from only one worker
in the cloud and after it's done, all the neutron-server instances are
ready to use Port Groups.
NOTE: This also squashes I706199109a3b7dd5339c90b731f8cb8f04ca4f49
Closes-Bug: #1752897
Closes-Bug: #1790118
Co-Authored-By: Lucas Alvares Gomes <email address hidden>
Change-Id: I35d5ec40c666e92b92b9d664e9615c6fecde595a
Signed-off-by: Daniel Alvarez <email address hidden>
(cherry picked from commit f01169b405bb5080a1bc1653f79512eb0664c35d)