yahoo-eng-team team mailing list archive
Message #96007
[Bug 2107925] Re: [ovn] neutron_pg_drop deleted when using network log
Reviewed: https://review.opendev.org/c/openstack/neutron/+/948783
Committed: https://opendev.org/openstack/neutron/commit/1cf5b6de7c964b17913d4ade9a8c7485aff8a2db
Submitter: "Zuul (22348)"
Branch: master
commit 1cf5b6de7c964b17913d4ade9a8c7485aff8a2db
Author: Elvira <egarciar@xxxxxxxxxx>
Date: Tue May 27 19:11:46 2025 +0000
Consider logging options when using OVN db sync
Previously, OVN db sync would erase an ACL if any unexpected property
appeared on it and not recreate it again. This happened because of the
order of deletion and creation of the ACLs: the new ACL was first
created and then deleted just the moment after that. This meant that
even crucial ACLs like the ones bound to the pg_drop port group, which
are used to reject all the traffic by default on ML2/OVN environments,
would disappear. The order of the ACL deletion and creation has been
inverted to avoid this.
Furthermore, security group logging was not supported on the
ovn_db_sync script, which would also cause the logging parameters to
disappear. Now, the logging options are considered when doing a sync.
Closes-Bug: #2107925
Change-Id: I00fa8332fdebc958ddb8f28c638670c75a70e0c5
Signed-off-by: Elvira Garcia <egarciar@xxxxxxxxxx>
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2107925
Title:
[ovn] neutron_pg_drop deleted when using network log
Status in neutron:
Fix Released
Bug description:
When you create a network log resource to enable OVN logging:
https://docs.openstack.org/neutron/latest/contributor/internals/ovn/ovn_network_logging.html
It seems that this will add an ACL rule similar to this:
```
_uuid : bd6eaad4-939d-4624-b2f9-9701d1ec402e
action : drop
direction : to-lport
external_ids : {}
label : 1753594327
log : true
match : "outport == @neutron_pg_drop && ip"
meter : acl_log_meter
name : neutron-4054c65c-9a05-4bf4-8abe-f31959dbd56f
options : {log-related="true"}
priority : 1001
severity : info
tier : 0
```
However, once that ACL rule comes in, Neutron starts to think that the
rule is not supposed to be there, so when a sync runs, it'll "create"
new ACLs and "delete" these ones (not from this one above but
similar):
```
2025-04-11 00:52:12.959 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs-to-be-added 7 ACLs-to-be-removed 7
2025-04-11 00:52:12.959 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group neutron_pg_drop
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group neutron_pg_drop
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
```
At this point, the neutron_pg_drop ACL to drop all is fully gone and
everything is allowed. Running the repair again will add the rules
again:
```
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACLs-to-be-added 7 ACLs-to-be-removed 0
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.507 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
2025-04-11 13:47:02.507 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
```
However, once these are restored, the ACL meter rules are also gone
for good, but at least the default block-all is restored.
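The following is an added toy model of the reconcile behaviour described in this bug report and in the fix's commit message; it is not neutron's ovn_db_sync code. It assumes two things stated or implied above: that port-group ACLs are deleted by their (direction, priority, match) key, so a replacement ACL that differs only in its logging fields shares a deletion key with the row it replaces, and that the sync compares whole ACL records, so a log/meter/severity mismatch makes an ACL look unexpected. The `Acl`, `PortGroup`, `sync` and `run_sync` names, and the NB state built in `ovn_state_with_logging`, are constructed for the example; the match string and logging values are the ones from the ACL record quoted above.

```python
from dataclasses import dataclass, replace

# Match string taken from the ACL record quoted in the bug report.
DROP_MATCH = "outport == @neutron_pg_drop && ip"


@dataclass(frozen=True)
class Acl:
    """Subset of an OVN NB ACL row, enough to model the sync behaviour."""
    direction: str
    priority: int
    match: str
    action: str
    log: bool = False
    meter: str = ""
    severity: str = ""

    def key(self):
        # Assumption of the model: port-group ACLs are deleted by
        # (direction, priority, match), so two rows that differ only in
        # their logging fields share one deletion key.
        return (self.direction, self.priority, self.match)


class PortGroup:
    """Minimal stand-in for an OVN NB Port_Group with its ACL list."""

    def __init__(self, name, acls=()):
        self.name = name
        self.acls = list(acls)

    def add(self, acl):
        self.acls.append(acl)

    def delete_by_key(self, key):
        # Removes every row sharing the key, which is the behaviour that
        # makes create-then-delete ordering destructive.
        self.acls = [a for a in self.acls if a.key() != key]


def neutron_expected(logging_aware):
    """ACLs the sync believes neutron_pg_drop should carry.

    logging_aware=False models the pre-fix sync, which ignored the
    network-log resource and therefore expected a plain drop ACL.
    """
    acl = Acl("to-lport", 1001, DROP_MATCH, "drop")
    if logging_aware:
        acl = replace(acl, log=True, meter="acl_log_meter", severity="info")
    return [acl]


def ovn_state_with_logging():
    """Constructed NB state: the drop ACL as network logging leaves it."""
    logged_drop = replace(Acl("to-lport", 1001, DROP_MATCH, "drop"),
                          log=True, meter="acl_log_meter", severity="info")
    return PortGroup("neutron_pg_drop", [logged_drop])


def sync(expected, pg, delete_first):
    """Reconcile pg towards expected; returns (added, removed) counts."""
    have = set(pg.acls)
    want = set(expected)
    to_add = [a for a in expected if a not in have]
    to_remove = [a for a in pg.acls if a not in want]
    if delete_first:  # ordering after the fix
        ops = [("del", a) for a in to_remove] + [("add", a) for a in to_add]
    else:  # ordering before the fix
        ops = [("add", a) for a in to_add] + [("del", a) for a in to_remove]
    for op, acl in ops:
        if op == "add":
            pg.add(acl)
        else:
            pg.delete_by_key(acl.key())
    return len(to_add), len(to_remove)


def run_sync(delete_first, logging_aware):
    """Run one sync against the constructed state and report the outcome."""
    pg = ovn_state_with_logging()
    added, removed = sync(neutron_expected(logging_aware), pg, delete_first)
    return {
        "added": added,
        "removed": removed,
        "default_drop_present": any(a.action == "drop" and a.match == DROP_MATCH
                                    for a in pg.acls),
        "logging_present": any(a.log for a in pg.acls),
    }


if __name__ == "__main__":
    for delete_first, logging_aware in [(False, False), (True, False), (True, True)]:
        print(f"delete_first={delete_first} logging_aware={logging_aware}: "
              f"{run_sync(delete_first, logging_aware)}")
```

The three runs reproduce the three states in the report: create-before-delete with a logging-unaware sync leaves the port group with no drop ACL at all (fail-open), delete-before-create restores the default drop but strips the meter and log fields, and only a sync that also knows about the logging options leaves the row untouched. A cheap post-sync check in an operator's monitoring is the `default_drop_present` flag: if neutron_pg_drop ever carries no drop ACL, traffic is being allowed by default.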