Stateful SG API extension should be disabled when old OVN is used

Bug #2003999 reported by Slawek Kaplonski
Affects: neutron
Status: Fix Released
Importance: Low
Assigned to: Slawek Kaplonski

Bug Description

The stateful security group API extension has been supported by the OVN backend since [1] and [2], but it works properly only with OVN >= 21.06, which added support for the "allow-stateless" action in ACL rules.
Neutron currently still supports e.g. Ubuntu 20.04, which delivers OVN 20.03. In that case the stateful SG API extension is available in Neutron and it allows users to create a stateless SG, but OVN will then silently ignore the requested "allow-stateless" and will set "allow-related" for all ACL rules. In the end, the cloud's user will be using stateful SG rules even when stateless ones were requested and are shown in the Neutron API.
Because of that, Neutron should check the OVN version and remove this API extension from the enabled extensions list if OVN is not 21.06 or newer.

[1] https://review.opendev.org/c/openstack/neutron/+/789974
[2] https://review.opendev.org/c/openstack/neutron/+/816612

Tags: api ovn
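
An added example (not part of the bug report and not Neutron's code) of the version gate the description asks for, together with an audit for the silent fallback it describes. Only the 21.06 threshold and the two ACL action names come from the report; the dict layout for security groups and ACL rows, the IDs and the version strings are constructed for illustration.

```python
import re

# From the bug report: the "allow-stateless" ACL action needs OVN >= 21.06.
MIN_STATELESS_OVN = (21, 6)

def parse_ovn_version(text):
    """Return (major, minor) from text such as 'ovn-nbctl 20.03.2'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no OVN version found in {text!r}")
    return int(m.group(1)), int(m.group(2))

def stateless_supported(version_text):
    """Compare numerically, so 21.06 and 21.6 are treated the same."""
    return parse_ovn_version(version_text) >= MIN_STATELESS_OVN

def find_silent_fallbacks(security_groups, acls):
    """IDs of groups the API shows as stateless while OVN stored allow-related."""
    stateless = {sg["id"] for sg in security_groups if not sg["stateful"]}
    return sorted({a["sg_id"] for a in acls
                   if a["sg_id"] in stateless and a["action"] == "allow-related"})

# Constructed sample data (hypothetical layout, not Neutron's or OVN's schema).
SAMPLE_GROUPS = [
    {"id": "sg-a", "stateful": True},
    {"id": "sg-b", "stateful": False},   # user asked for stateless
    {"id": "sg-c", "stateful": False},
]
SAMPLE_ACLS = [
    {"sg_id": "sg-a", "action": "allow-related"},    # expected for stateful
    {"sg_id": "sg-b", "action": "allow-related"},    # fallback on old OVN
    {"sg_id": "sg-c", "action": "allow-stateless"},  # honoured by OVN >= 21.06
]

if __name__ == "__main__":
    for v in ("ovn-nbctl 20.03.2", "ovn-nbctl 21.06.0"):
        print(v, "-> stateless supported:", stateless_supported(v))
    print("mismatched groups:", find_silent_fallbacks(SAMPLE_GROUPS, SAMPLE_ACLS))
```

A non-empty result from `find_silent_fallbacks` means the API is reporting a stateless group whose traffic is still being connection-tracked.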
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/871982

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/871983

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/871982
Committed: https://opendev.org/openstack/neutron/commit/7cb481a3dc090d0ebd33a0ef577ae40e13291f5c
Submitter: "Zuul (22348)"
Branch: master

commit 7cb481a3dc090d0ebd33a0ef577ae40e13291f5c
Author: Slawek Kaplonski <email address hidden>
Date: Fri Jan 27 11:52:45 2023 +0100

    Allow disable stateful security group extension on older OVN

    This patch adds config option to let cloud operator to disable
    'stateful-security-group' API extension if OVN < 21.06 is used. This is
    the case e.g. on Ubuntu 20.04 where OVN 20.03 is provided.
    In case when API extension is enabled and OVN < 21.06 is used, Neutron
    will fallback to stateful ACLs even for stateless security groups which
    may be confusing for Neutron API users.

    This needs to be done with config option and not by checking
    automatically in OVN if "allow-stateless" is supported keyword for ACL's
    action because it needs to be done during initialization of plugin,
    where IDL isn't initialized yet and it would cause deadlock when Neutron
    would try to connect to the OVN NB.

    Closes-Bug: #2003999
    Change-Id: I62e77dad2782e9c546745e860fda7622a8281739

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/871983
Committed: https://opendev.org/openstack/neutron/commit/6df75ca6962504741caee747b3237bfdbaa03611
Submitter: "Zuul (22348)"
Branch: master

commit 6df75ca6962504741caee747b3237bfdbaa03611
Author: Slawek Kaplonski <email address hidden>
Date: Fri Jan 27 12:04:05 2023 +0100

    Deprecate allow_stateless_action_supported config option

    This config option will not be needed anymore in 2023.2 (Bobcat) release
    of Neutron as we will not support then Ubuntu 20.04 so we will be able
    to bump minimal required OVN version to be >= 21.06.

    Related-Bug: #2003999
    Change-Id: I6933019406dfee67b279a413310a7a19f485d372

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 22.0.0.0rc1

This issue was fixed in the openstack/neutron 22.0.0.0rc1 release candidate.
