[OVN] DHCP doesn't work while instance has disabled port security

Bug #1864027 reported by Maciej Jozefczyk
This bug affects 1 person

Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Maciej Jozefczyk

Bug Description

While an instance has port security disabled, it's not able to reach the DHCP service.
Looks like the change [1] introduced this regression.

Port has [unknown] address set:
root@mjozefcz-ovn-train-lb:~# ovn-nbctl list logical_switch_port a09a1ac7-62ad-46ad-b802-c4abf65dcf70
_uuid : 32a741bc-a185-4291-8b36-dc9c387bb662
addresses : [unknown]
dhcpv4_options : 7c94ec89-3144-4920-b624-193d968c637a
dhcpv6_options : []
dynamic_addresses : []
enabled : true
external_ids : {"neutron:cidrs"="10.2.1.134/24", "neutron:device_id"="9f4a705f-b438-4da1-975d-1a0cdf81e124", "neutron:device_owner"="compute:nova", "neutron:network_name"=neutron-cd1ee69d-06b6-4502-ba26-e1280fd66ad9, "neutron:port_fip"="172.24.4.132", "neutron:port_name"="", "neutron:project_id"="98b165bfeeca4efd84724f3118d84f6f", "neutron:revision_number"="4", "neutron:security_group_ids"=""}
ha_chassis_group : []
name : "a09a1ac7-62ad-46ad-b802-c4abf65dcf70"
options : {requested-chassis=mjozefcz-ovn-train-lb}
parent_name : []
port_security : []
tag : []
tag_request : []
type : ""
up : true

ovn-controller doesn't respond to DHCP requests.

It was caught by failing OVN Provider driver tempest test:
octavia_tempest_plugin.tests.scenario.v2.test_traffic_ops.TrafficOperationsScenarioTest

[1] https://review.opendev.org/#/c/702249/
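
An added diagnostic example, not part of the original report and not neutron or OVN code: OVN builds its DHCP responder flows from the MAC/IP pairs in a port's addresses column, so a port that has dhcpv4_options set while addresses holds only [unknown] (the state shown above) gets no DHCP reply. The script below flags such ports in `ovn-nbctl list logical_switch_port` output; the sample text and the second port are constructed, and the function names are hypothetical.

```python
import re

MAC_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}\b")

# Constructed sample in the shape of `ovn-nbctl list logical_switch_port` output.
# The first record mirrors the port in this report; the second is a made-up
# port that still carries a MAC/IP pair next to 'unknown'.
SAMPLE = """\
_uuid               : 32a741bc-a185-4291-8b36-dc9c387bb662
addresses           : [unknown]
dhcpv4_options      : 7c94ec89-3144-4920-b624-193d968c637a
dhcpv6_options      : []
name                : "a09a1ac7-62ad-46ad-b802-c4abf65dcf70"
port_security       : []

_uuid               : 00000000-0000-0000-0000-000000000001
addresses           : ["fa:16:3e:00:00:01 10.2.1.50", unknown]
dhcpv4_options      : 7c94ec89-3144-4920-b624-193d968c637a
dhcpv6_options      : []
name                : "constructed-port"
port_security       : []
"""

def parse_records(text):
    """Split `ovn-nbctl list` output into one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            # Split on the first colon only, so MAC addresses in the value survive.
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def ports_without_dhcp_binding(text):
    """Names of ports with DHCP options set but no MAC in 'addresses'."""
    flagged = []
    for rec in parse_records(text):
        has_dhcp = any(rec.get(k, "[]") != "[]"
                       for k in ("dhcpv4_options", "dhcpv6_options"))
        has_mac = bool(MAC_RE.search(rec.get("addresses", "")))
        if has_dhcp and not has_mac:
            flagged.append(rec.get("name", rec.get("_uuid", "?")).strip('"'))
    return flagged

if __name__ == "__main__":
    for name in ports_without_dhcp_binding(SAMPLE):
        print("DHCP options set but no MAC/IP in addresses:", name)
```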

Revision history for this message
Maciej Jozefczyk (maciejjozefczyk) wrote :

I think we need to revert https://review.opendev.org/#/c/702249/.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/708852

Changed in neutron:
assignee: nobody → Maciej Jozefczyk (maciej.jozefczyk)
status: New → In Progress
Changed in neutron:
importance: Undecided → High
status: In Progress → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Maciej Józefczyk (<email address hidden>) on branch: master
Review: https://review.opendev.org/708852

Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/708852
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3d3b61f8792277b303e10bce51512d9a73ef187e
Submitter: Zuul
Branch: master

commit 3d3b61f8792277b303e10bce51512d9a73ef187e
Author: Maciej Józefczyk <email address hidden>
Date: Thu Feb 20 11:27:13 2020 +0000

    Revert "[OVN] Set 'unknown' address properly when port sec is disabled"

    We can now revert this patch, because main cause has been already
    fixed in Core OVN [1]. With this fix the ARP responder flows are not
    installed on LS pipeline, when LSP has port security disabled, and
    an 'unknown' address is set in addresses column.
    This makes MAC spoofing possible.

    [1] https://patchwork.ozlabs.org/patch/1258152/

    This reverts commit 03b87ad963d5d8165a92e5c7c284c1517333dd00.

    Change-Id: Ie4c87d325b671348e133d62818d99af147d50ca2
    Closes-Bug: #1864027

Changed in neutron:
status: In Progress → Fix Released
tags: added: neutron-proactive-backport-potential