
yahoo-eng-team team mailing list archive

[Bug 2003999] Re: Stateful SG API extension should be disabled when old OVN is used

 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/871982
Committed: https://opendev.org/openstack/neutron/commit/7cb481a3dc090d0ebd33a0ef577ae40e13291f5c
Submitter: "Zuul (22348)"
Branch:    master

commit 7cb481a3dc090d0ebd33a0ef577ae40e13291f5c
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Fri Jan 27 11:52:45 2023 +0100

    Allow disabling the stateful security group extension on older OVN
    
    This patch adds a config option to let the cloud operator disable the
    'stateful-security-group' API extension if OVN < 21.06 is used. This is
    the case e.g. on Ubuntu 20.04 where OVN 20.03 is provided.
    When the API extension is enabled and OVN < 21.06 is used, Neutron
    will fall back to stateful ACLs even for stateless security groups, which
    may be confusing for Neutron API users.
    
    This needs to be done with a config option and not by checking
    automatically in OVN if "allow-stateless" is a supported keyword for an ACL's
    action because it needs to be done during initialization of the plugin,
    where the IDL isn't initialized yet, and it would cause a deadlock when Neutron
    tries to connect to the OVN NB.
    
    Closes-Bug: #2003999
    Change-Id: I62e77dad2782e9c546745e860fda7622a8281739


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2003999

Title:
  Stateful SG API extension should be disabled when old OVN is used

Status in neutron:
  Fix Released

Bug description:
  The stateful security group API extension has been supported by the OVN backend since [1] and [2], but it works properly only with OVN >= 21.06, which added support for the "allow-stateless" action in ACL rules.
  Neutron currently still supports e.g. Ubuntu 20.04, which delivers OVN 20.03. In that case the stateful SG API extension is available in Neutron and it allows users to create a stateless SG, but OVN will then silently ignore the requested "allow-stateless" and will set "allow-related" for all ACL rules. In the end, the cloud's user will be using stateful SG rules even when stateless ones were requested and are shown in the Neutron API.
  Because of that, Neutron should check the OVN version and remove this API extension from the enabled extensions list if OVN is not 21.06 or newer.

  [1] https://review.opendev.org/c/openstack/neutron/+/789974
  [2] https://review.opendev.org/c/openstack/neutron/+/816612

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2003999/+subscriptions
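
An operator-side check for the mismatch this bug describes, added here as an example and not taken from Neutron or from the commit above: it compares the OVN version against the 21.06 threshold from the report and flags ACLs left at "allow-related" for security groups that the API shows as stateless. The record layout (`id`, `stateful`, `sg_id`, `rule_id`, `action`) and the sample data are assumptions constructed for illustration.

```python
import re

# First OVN release with the "allow-stateless" ACL action, per the bug report.
MIN_OVN = (21, 6)


def parse_ovn_version(text):
    """Return (major, minor) from a plain version string such as '20.03.2'."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not an OVN version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def extension_should_be_enabled(ovn_version_text):
    """True when OVN is new enough to honour stateless security groups."""
    return parse_ovn_version(ovn_version_text) >= MIN_OVN


def audit(security_groups, acls, ovn_version_text):
    """Return findings where the API view and the OVN ACLs disagree.

    security_groups: dicts with 'id' and 'stateful' (hypothetical layout).
    acls: dicts with 'sg_id', 'rule_id', 'action' (hypothetical layout).
    """
    findings = []
    stateless_ids = {sg["id"] for sg in security_groups if not sg["stateful"]}
    # Stateless groups exist but the backend cannot implement them.
    if stateless_ids and not extension_should_be_enabled(ovn_version_text):
        findings.append(("ovn-too-old", ovn_version_text))
    # An allow rule of a stateless group should not be "allow-related".
    for acl in acls:
        if acl["sg_id"] in stateless_ids and acl["action"] == "allow-related":
            findings.append(
                ("stateful-acl-on-stateless-sg", acl["sg_id"], acl["rule_id"]))
    return findings


# Constructed sample data (not from a real deployment).
SAMPLE_SGS = [{"id": "sg-web", "stateful": True},
              {"id": "sg-lb", "stateful": False}]
SAMPLE_ACLS = [
    {"sg_id": "sg-web", "rule_id": "r1", "action": "allow-related"},
    {"sg_id": "sg-lb", "rule_id": "r2", "action": "allow-related"},
    {"sg_id": "sg-lb", "rule_id": "r3", "action": "drop"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SGS, SAMPLE_ACLS, "20.03.2"):
        print(finding)
```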


