Comment 11 for bug 1881157

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/747378
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=aaf87aeb55949a32412ffdc46089e67c1ca24d54
Submitter: Zuul
Branch: stable/stein

commit aaf87aeb55949a32412ffdc46089e67c1ca24d54
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Jun 2 17:09:07 2020 +0000

    [OVS][FW] Remote SG IDs left behind when a SG is removed

    When any port in the OVS agent is using a security group (SG) and
    this SG is removed, it is marked to be deleted. This deletion process
    is done in [1].

    The SG deletion process consists of removing any reference of this SG
    from the firewall and the SG port map. The firewall removes this SG in
    [2].

    The information of a SG is stored in:
    * ConjIPFlowManager.conj_id_map = ConjIdMap(). This class stores the
      conjunction IDs (conj_ids) in a dictionary using the following keys:

        ConjIdMap.id_map[(sg_id, remote_sg_id, direction, ethertype,
          conj_ids)] = conj_id_XXX

    * ConjIPFlowManager.conj_ids is a nested dictionary, built in the
      following way:

        self.conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id] = \
          set([conj_id_1, conj_id_2, ...])

    This patch stores all conjunction IDs generated and assigned to the
    tuple (sg_id, remote_sg_id, direction, ethertype). When a SG is
    removed, the deletion method will look for this SG in the new storage
    variable created, ConjIdMap.id_map_group, and will mark all the
    related conjunction IDs to be removed. That will clean up those rules
    left in the OVS matching:
      action=conjunction(conj_id, 1/2)

    [1]https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L731
    [2]https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L399

    Conflicts:
          neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py

    Change-Id: I63e446a30cf10e7bcd34a6f0d6ba1711301efcbe
    Related-Bug: #1881157
    (cherry picked from commit 0eebd002ccda66dc6d9f9e5a254815109225e299)
    (cherry picked from commit ed22f7a2ff19a874bc8521f84cb4fd1c7483a23f)
    (cherry picked from commit 6615f248e25a361d988db1795a3486a58f4768cb)
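
A simplified Python model of the bookkeeping this commit message describes, added here as an illustration and not taken from neutron. `ConjTracker`, `add`, `stale`, `demo` and the sample SG names are assumptions; `id_map_group` and `conj_ids` follow the layouts quoted above. It shows a deletion that purges every conjunction ID tied to an SG, whether as owner or as remote SG, and an audit that reports IDs left behind.

```python
import collections


class ConjTracker:
    """Simplified model of the SG/conj_id bookkeeping (not neutron code)."""

    def __init__(self):
        # (sg_id, remote_sg_id, direction, ethertype) -> set of conj_ids
        self.id_map_group = collections.defaultdict(set)
        # vlan_tag -> (direction, ethertype) -> remote_sg_id -> set of conj_ids
        self.conj_ids = collections.defaultdict(
            lambda: collections.defaultdict(
                lambda: collections.defaultdict(set)))

    def add(self, vlan_tag, sg_id, remote_sg_id, direction, ethertype, conj_id):
        key = (sg_id, remote_sg_id, direction, ethertype)
        self.id_map_group[key].add(conj_id)
        self.conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id].add(conj_id)

    def delete_sg(self, sg_id):
        """Drop every conj_id tied to sg_id, as owning SG or as remote SG."""
        doomed = set()
        for key in [k for k in self.id_map_group if sg_id in k[:2]]:
            doomed |= self.id_map_group.pop(key)
        # Purge the same IDs from the per-VLAN nested dictionary.
        for per_dir in self.conj_ids.values():
            for per_remote in per_dir.values():
                for remote in list(per_remote):
                    per_remote[remote] -= doomed
                    if not per_remote[remote]:
                        del per_remote[remote]
        return doomed

    def stale(self):
        """conj_ids still in the nested dict that no tuple owns any more."""
        live = set().union(*self.id_map_group.values())
        seen = {c for per_dir in self.conj_ids.values()
                for per_remote in per_dir.values()
                for ids in per_remote.values() for c in ids}
        return seen - live


def demo():
    t = ConjTracker()
    # Constructed sample: sg-a and sg-b reference each other, sg-c is unrelated.
    t.add(1, "sg-a", "sg-b", "ingress", "IPv4", 8)
    t.add(1, "sg-b", "sg-a", "ingress", "IPv4", 16)
    t.add(1, "sg-c", "sg-c", "egress", "IPv6", 24)
    removed = t.delete_sg("sg-b")
    return removed, t.stale(), dict(t.id_map_group)
```

A non-empty result from `stale()` corresponds to `conjunction(conj_id, 1/2)` flows that would outlive the security group they were created for.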