Comment 3 for bug 1881157

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/732761
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0eebd002ccda66dc6d9f9e5a254815109225e299
Submitter: Zuul
Branch: master

commit 0eebd002ccda66dc6d9f9e5a254815109225e299
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Jun 2 17:09:07 2020 +0000

    [OVS][FW] Remote SG IDs left behind when a SG is removed

    When any port in the OVS agent is using a security group (SG) and
    this SG is removed, it is marked to be deleted. This deletion process
    is done in [1].

    The SG deletion process consists of removing any reference of this SG
    from the firewall and the SG port map. The firewall removes this SG in
    [2].

    The information of a SG is stored in:
    * ConjIPFlowManager.conj_id_map = ConjIdMap(). This class stores the
      conjunction IDs (conj_ids) in a dictionary using the following keys:

        ConjIdMap.id_map[(sg_id, remote_sg_id, direction, ethertype,
          conj_ids)] = conj_id_XXX

    * ConjIPFlowManager.conj_ids is a nested dictionary, built in the
      following way:

        self.conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id] = \
          set([conj_id_1, conj_id_2, ...])

    This patch stores all conjunction IDs generated and assigned to the
    tuple (sg_id, remote_sg_id, direction, ethertype). When a SG is
    removed, the deletion method will look for this SG in the new storage
    variable created, ConjIdMap.id_map_group, and will mark all the
    conjunction IDs related to be removed. That will clean up those rules
    left in the OVS matching:
      action=conjunction(conj_id, 1/2)

    [1]https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L731
    [2]https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L399

    Change-Id: I63e446a30cf10e7bcd34a6f0d6ba1711301efcbe
    Related-Bug: #1881157
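
The bookkeeping described in the commit message, as an added example that is not neutron's code: a toy model of the two lookups plus a check for conjunction IDs left behind after a SG is deleted. The names `ConjIdIndex`, `allocate`, `purge`, `stale_conj_ids`, the `slot` key element, the ID allocation scheme and the sample SG names are assumptions made for illustration.

```python
from collections import defaultdict
class ConjIdIndex:
    """Toy model of id_map and id_map_group (not the neutron classes)."""
    def __init__(self):
        self.id_map = {}                      # 5-tuple key -> conj_id
        self.id_map_group = defaultdict(set)  # 4-tuple key -> {conj_id, ...}
        self._next_id = 8                     # constructed allocation scheme

    def allocate(self, sg_id, remote_sg_id, direction, ethertype, slot):
        key = (sg_id, remote_sg_id, direction, ethertype, slot)
        if key not in self.id_map:
            self.id_map[key] = self._next_id
            self.id_map_group[key[:4]].add(self._next_id)
            self._next_id += 8
        return self.id_map[key]

    def delete_sg(self, sg_id):
        """Forget sg_id (as owner or remote: an assumption of this model)."""
        removed = set()
        for group in [g for g in self.id_map_group if sg_id in g[:2]]:
            removed |= {(group[1], cid) for cid in self.id_map_group.pop(group)}
        gone = {cid for _, cid in removed}
        self.id_map = {k: v for k, v in self.id_map.items() if v not in gone}
        return removed                        # {(remote_sg_id, conj_id), ...}

def purge(flow_conj_ids, removed):
    """Drop IDs from conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id]."""
    for per_vlan in flow_conj_ids.values():
        for per_remote in per_vlan.values():
            for remote_sg_id, conj_id in removed:
                per_remote.get(remote_sg_id, set()).discard(conj_id)

def stale_conj_ids(index, flow_conj_ids):
    """IDs still referenced per VLAN but no longer known to the index."""
    live = set(index.id_map.values())
    return {cid for per_vlan in flow_conj_ids.values()
            for per_remote in per_vlan.values()
            for ids in per_remote.values() for cid in ids} - live

def demo():
    index = ConjIdIndex()                     # constructed sample data below
    a = index.allocate("sg-web", "sg-db", "ingress", "IPv4", 0)
    b = index.allocate("sg-web", "sg-db", "ingress", "IPv4", 1)
    c = index.allocate("sg-app", "sg-app", "ingress", "IPv4", 0)
    flows = {100: {("ingress", "IPv4"): {"sg-db": {a, b}, "sg-app": {c}}}}
    removed = index.delete_sg("sg-web")
    before = stale_conj_ids(index, flows)     # left behind if nothing purges
    purge(flows, removed)
    return removed, before, stale_conj_ids(index, flows)
```
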