yahoo-eng-team team mailing list archive

[Mohammed Naser <2107925@xxxxxxxxxxxxxxxxxx>]

Public bug reported:

When you create a network log resource to enable OVN logging:

https://docs.openstack.org/neutron/latest/contributor/internals/ovn/ovn_network_logging.html

It seems that will add a an ACL rule similar to this:

```
_uuid               : bd6eaad4-939d-4624-b2f9-9701d1ec402e
action              : drop
direction           : to-lport
external_ids        : {}
label               : 1753594327
log                 : true
match               : "outport == @neutron_pg_drop && ip"
meter               : acl_log_meter
name                : neutron-4054c65c-9a05-4bf4-8abe-f31959dbd56f
options             : {log-related="true"}
priority            : 1001
severity            : info
tier                : 0
```

However, once that ACL rule comes in, Neutron starts to think that the
rule is not supposed to be there, so when a sync runs, it'll "create"
new ACLs and "delete" these ones (not from this one above but similar):

```
2025-04-11 00:52:12.959 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs-to-be-added 7 ACLs-to-be-removed 7
2025-04-11 00:52:12.959 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group neutron_pg_drop
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group neutron_pg_drop
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
```

At this point, the neutron_pg_drop ACL to drop all is fully gone and
everything is allowed, running the repair again will add the rules
again:

```
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACLs-to-be-added 7 ACLs-to-be-removed 0
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.507 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
2025-04-11 13:47:02.507 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
```

However, once these are restored, the ACL meter rules are also gone for
good but at least the default block all is restored.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2107925

Title:
  [ovn] neutron_pg_drop deleted when using network log

Status in neutron:
  New

Bug description:
  When you create a network log resource to enable OVN logging:

  https://docs.openstack.org/neutron/latest/contributor/internals/ovn/ovn_network_logging.html

  It seems that will add a an ACL rule similar to this:

  ```
  _uuid               : bd6eaad4-939d-4624-b2f9-9701d1ec402e
  action              : drop
  direction           : to-lport
  external_ids        : {}
  label               : 1753594327
  log                 : true
  match               : "outport == @neutron_pg_drop && ip"
  meter               : acl_log_meter
  name                : neutron-4054c65c-9a05-4bf4-8abe-f31959dbd56f
  options             : {log-related="true"}
  priority            : 1001
  severity            : info
  tier                : 0
  ```

  However, once that ACL rule comes in, Neutron starts to think that the
  rule is not supposed to be there, so when a sync runs, it'll "create"
  new ACLs and "delete" these ones (not from this one above but
  similar):

  ```
  2025-04-11 00:52:12.959 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs-to-be-added 7 ACLs-to-be-removed 7
  2025-04-11 00:52:12.959 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
  2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
  2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group neutron_pg_drop
  2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group neutron_pg_drop
  2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  ```

  At this point, the neutron_pg_drop ACL to drop all is fully gone and
  everything is allowed, running the repair again will add the rules
  again:

  ```
  2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACLs-to-be-added 7 ACLs-to-be-removed 0
  2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
  2025-04-11 13:47:02.507 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
  2025-04-11 13:47:02.507 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
  ```

  However, once these are restored, the ACL meter rules are also gone
  for good but at least the default block all is restored.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2107925/+subscriptions