[ovn] overlapping security group rules break neutron-ovn-db-sync-util
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned |
Ussuri | Fix Released | High | Unassigned |
neutron | Fix Released | Critical | Jake Yip |
neutron (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Fix Released | High | Unassigned |
Bug Description
Neutron (Xena) is happy to accept equivalent rules with overlapping remote CIDR prefixes as long as the notation is different, e.g. 10.0.0.0/8 and 10.0.0.1/8.
However, OVN is smarter, normalizes the prefix and figures out that they both are 10.0.0.0/8.
This does not have any fatal effects in a running OVN deployment (creating and using such rules does not even trigger a warning) but upon running neutron-
Security group's rules:
$ openstack security group rule list overlap-sgr
+------
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+------
| 3c41fa80-
| 639d263e-
| 96e99039-
| bf9160a3-
+------
Log excerpt:
16/Feb/
16/Feb/
16/Feb/
16/Feb/
16/Feb/
16/Feb/
File "/usr/lib/
txn.
File "/usr/lib/
command.
File "/usr/lib/
raise RuntimeError("ACL (%s, %s, %s) already exists" % (
RuntimeError: ACL (to-lport, 1002, outport == @pg_e90b68f3_
===== Ubuntu SRU Details =====
[Impact]
See bug description.
[Test Case]
Deploy openstack with OVN. Create overlapping security group rules. Run neutron-
[Where problems could occur]
If the logic driven by the may_exist parameter is not correct, the existing bug could still occur. Presumably this is not the case, but that is a theoretical potential for where problems could occur. All of these patches have already landed in the corresponding upstream branches.
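A pre-sync check for the condition in the bug description, as an added example that is not part of the report or of neutron's code: it groups security group rules that become identical once the remote CIDR is normalized, as 10.0.0.0/8 and 10.0.0.1/8 do. The rule dicts use Neutron API field names; the sample rules, their placeholder IDs, and the choice of fields in the grouping key are assumptions.

```python
import ipaddress
from collections import defaultdict


def make_rule(rule_id, prefix, direction="ingress", port=22):
    """Build a constructed sample rule using Neutron API field names."""
    return {"id": rule_id, "direction": direction, "ethertype": "IPv4",
            "protocol": "tcp", "port_range_min": port, "port_range_max": port,
            "remote_ip_prefix": prefix, "remote_group_id": None}


# Constructed sample data; IDs are placeholders, not the IDs from the report.
SAMPLE_RULES = [
    make_rule("rule-a", "10.0.0.0/8"),
    make_rule("rule-b", "10.0.0.1/8"),      # same network, host bits set
    make_rule("rule-c", "192.168.0.0/24"),
    make_rule("rule-d", None, direction="egress"),
]


def normalized_prefix(prefix):
    """Return the CIDR with host bits cleared, or None when no prefix is set."""
    if not prefix:
        return None
    return str(ipaddress.ip_network(prefix, strict=False))


def find_equivalent_rules(rules):
    """Map each normalized match key to the rule IDs sharing it (2 or more)."""
    groups = defaultdict(list)
    for rule in rules:
        # Assumption: these fields together decide whether two rules would
        # produce the same ACL once the prefix is normalized.
        key = (rule["direction"], rule["ethertype"], rule.get("protocol"),
               rule.get("port_range_min"), rule.get("port_range_max"),
               normalized_prefix(rule.get("remote_ip_prefix")),
               rule.get("remote_group_id"))
        groups[key].append(rule["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    for key, ids in find_equivalent_rules(SAMPLE_RULES).items():
        print("equivalent after normalization:", ids, "key:", key)
```
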
tags: | added: ovn |
Changed in neutron: | |
importance: | Undecided → Critical |
Changed in neutron: | |
status: | New → In Progress |
Changed in neutron: | |
assignee: | nobody → Jake Yip (waipengyip) |
Changed in neutron (Ubuntu): | |
status: | New → Fix Released |
Changed in neutron (Ubuntu Focal): | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in cloud-archive: | |
status: | New → Fix Released |
description: | updated |
description: | updated |
tags: | added: verification-done |
Fix proposed https://review.opendev.org/c/openstack/neutron/+/801707