yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #89576
[Bug 1983600] Re: Neutron should clean up ACLs in OVN NB DB when a remote security group is deleted
Reviewed: https://review.opendev.org/c/openstack/neutron/+/852742
Committed: https://opendev.org/openstack/neutron/commit/1957353ef92ec11766a2ce3d29d51afa8d7fdb3e
Submitter: "Zuul (22348)"
Branch: master
commit 1957353ef92ec11766a2ce3d29d51afa8d7fdb3e
Author: Rodolfo Alonso Hernandez <ralonsoh@xxxxxxxxxx>
Date: Tue Aug 9 20:10:42 2022 +0200
[OVN] Remove ACLs with remote SG during deletion of SG
When a security group is removed, the rules having this security
group as remote are removed. But the OVN ACL registers related
to those rules are not removed. This patch catches the security
group deletion precommit event to perform this cleanup.
Closes-Bug: #1983600
Change-Id: I6bb84cb748a2f80f2ff640ceeb3223413f7e92c7
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1983600
Title:
Neutron should clean up ACLs in OVN NB DB when a remote security
group is deleted
Status in neutron:
Fix Released
Bug description:
Neutron does not clean up ACLs in OVN NB DB when a remote security
group is deleted in Neutron. This causes some warning in OVN logs.
This issue does not impact functionality but it would be great if we
could clean this up and make those logs go away. I think this BZ can
be marked as low priority and low hanging fruit.
Reproducing steps:
1. A security group rule which has a rule that uses a remote security
group
openstack security group rule list 44038bce-38fd-4219-ae22-bafaad9bbde9
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| 1155ffc7-9a99-41c7-bd65-fac33b719973 | icmp | None | | 4b0f872b-22ae-4ac2-b54e-ea1678a88dd5 |
| 8e4cdd63-c3e8-411f-8d72-c5cced5d4fc8 | None | None | | None |
| b72b29df-d5f1-4815-92ae-71b1cdc35f97 | None | None | | None |
+--------------------------------------+-------------+----------+------------+--------------------------------------+
Here is a view in ovn nb db
docker exec -it ovn-dbs-bundle-docker-1 ovn-nbctl acl-list pg_44038bce_38fd_4219_ae22_bafaad9bbde9
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4) allow-related
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip6) allow-related
to-lport 1002 (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4) allow-related
2. now remove the remote security group and check the rules in the
first security group
openstack security group delete 4b0f872b-22ae-4ac2-b54e-ea1678a88dd5
openstack security group rule list 44038bce-38fd-4219-ae22-bafaad9bbde9
+--------------------------------------+-------------+----------+------------+-----------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+----------+------------+-----------------------+
| 8e4cdd63-c3e8-411f-8d72-c5cced5d4fc8 | None | None | | None |
| b72b29df-d5f1-4815-92ae-71b1cdc35f97 | None | None | | None |
+--------------------------------------+-------------+----------+------------+-----------------------+
So from neutron the security group rule is removed
3. check the acl in ovn again and see they are still there
docker exec -it ovn-dbs-bundle-docker-1 ovn-nbctl acl-list pg_44038bce_38fd_4219_ae22_bafaad9bbde9
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4) allow-related
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip6) allow-related
to-lport 1002 (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4) allow-related
this causes warnings to be generated in ovn
2020-11-17T14:04:59Z|00708|lflow|WARN|Dropped 1 log messages in last 917 seconds (most recently, 917 seconds ago) due to excessive rate
2020-11-17T14:04:59Z|00709|lflow|WARN|error parsing match "((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4)": Syntax error at `$pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4' expecting address set name.
What that is happening:
Only security groups that are not in use by other ports can be deleted. If a security group referenced as remote by other group is removed, the security group rule is deleted in DB because of the references in DB tables. It means there is no code triggered in the Neutron code. The corresponding port group is deleted in OVN but OVN doesn't have any on delete cascade functionality like SQL has. It means ACL remains in the OVN DB using port group that no longer exists. It has no impact on the traffic because the deleted security group was not in use.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1983600/+subscriptions
References
