yahoo-eng-team team mailing list archive

[Bug 2092971] Re: Metadata service does not work when port security is disabled

 

I am changing this bug to invalid. This does not reproduce on master or
released versions. It could be that this was an issue on my end. Currently,
when port security is disabled, the OVN NB lrp addresses value is directly
copied to the mac column. The addresses column is always in the format [ip,
unknown] and not just [unknown].

** Changed in: neutron
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2092971

Title:
  Metadata service does not work when port security is disabled

Status in neutron:
  Invalid

Bug description:
  While I was experimenting with metadata service I discovered that ovn
  metadata agent fails to spawn a haproxy service when port security is
  disabled.

  This happens because here [1] we look into vif_port mac column for an
  IP address. However, when port security is disabled, OVN will set it
  to [unknown]. As per OVN documentation [2] this column is not
  guaranteed to contain MAC and IPs

         mac: set of strings
                This column is a misnomer as it may contain MAC addresses
                and IP addresses.

  Example of a VIF port with security disabled (I am omitting some
  columns/data):

  _uuid               : 43a5e506-2361-4cdb-a2fb-2ce0636cf34a
  chassis             : 5f37d656-e7ab-4ea9-8a9a-52633fb2b43e
  datapath            : ef68b5d5-a133-4dcd-98ba-6aac76dcf148
  external_ids        : {"neutron:cidrs"="2001:db8:0:1:f816:3eff:feef:f2ad/64", .....}
  logical_port        : "19b7a707-4762-400b-9fd9-6e90cf5bfbde"
  mac                 : [unknown]
  port_security       : []
  type                : ""

  When the port security is enabled the mac column looks like this:

  mac                 : ["fa:16:3e:ef:f2:ad 2001:db8:0:1:f816:3eff:feef:f2ad"]
  port_security       : ["fa:16:3e:ef:f2:ad 2001:db8:0:1:f816:3eff:feef:f2ad"]

  It appears that a more reliable way of getting an IP would be extracting
  it from the external_ids column under the neutron:cidrs key.

  This eventually just manifests as this [3] log in the agent's logs.

  [1]
  https://github.com/openstack/neutron/blob/0c29e730db2629c084de0c114a0d1e8e6939ac25/neutron/agent/ovn/metadata/agent.py#L619-L622

  [2] https://man7.org/linux/man-pages/man5/ovn-sb.5.html#Port_Binding_TABLE

  [3]
  https://github.com/openstack/neutron/blob/0c29e730db2629c084de0c114a0d1e8e6939ac25/neutron/agent/ovn/metadata/agent.py#L627-L630

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2092971/+subscriptions
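
Added example (not part of the original message and not Neutron's code): a sketch of reading a port's IPs from a Port_Binding row that tolerates the three mac column shapes mentioned in this thread and falls back to external_ids. The function names, the dict representation of a row, and the assumption that neutron:cidrs holds space-separated CIDRs are hypothetical.

```python
import ipaddress

def ips_from_mac_column(mac_column):
    """Collect IPs from Port_Binding.mac entries such as 'MAC IP [IP ...]'.

    Entries like 'unknown' and the MAC token itself do not parse as IP
    addresses and are skipped.
    """
    ips = []
    for entry in mac_column:
        for token in entry.split():
            try:
                ips.append(str(ipaddress.ip_address(token)))
            except ValueError:
                continue  # MAC address or keyword such as "unknown"
    return ips

def ips_from_cidrs(external_ids):
    """Collect IPs from external_ids['neutron:cidrs'] (assumed space-separated)."""
    ips = []
    for cidr in external_ids.get("neutron:cidrs", "").split():
        try:
            ips.append(str(ipaddress.ip_interface(cidr).ip))
        except ValueError:
            continue  # ignore malformed values instead of failing
    return ips

def port_ips(row):
    """Prefer the mac column; fall back to neutron:cidrs when it has no IP."""
    return ips_from_mac_column(row["mac"]) or ips_from_cidrs(row["external_ids"])

# Rows constructed from the values quoted in the bug description.
CIDRS = {"neutron:cidrs": "2001:db8:0:1:f816:3eff:feef:f2ad/64"}
MAC_IP = "fa:16:3e:ef:f2:ad 2001:db8:0:1:f816:3eff:feef:f2ad"
ROW_REPORTED = {"mac": ["unknown"], "external_ids": CIDRS}          # as reported
ROW_FOLLOWUP = {"mac": [MAC_IP, "unknown"], "external_ids": CIDRS}  # [ip, unknown]
ROW_ENABLED = {"mac": [MAC_IP], "external_ids": CIDRS}              # port security on

if __name__ == "__main__":
    for name, row in (("reported", ROW_REPORTED),
                      ("followup", ROW_FOLLOWUP),
                      ("enabled", ROW_ENABLED)):
        print(name, port_ips(row))
```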


