[Bug 1914988] Please test proposed package

Wed Oct 13 17:00:57 UTC 2021

Hello Pedro, or anyone else affected,

Accepted ovn into wallaby-proposed. The package will build now and be
available in the Ubuntu Cloud Archive in a few hours, and then in the
-proposed repository.

Please help us by testing this new package. To enable the -proposed
repository:

  sudo add-apt-repository cloud-archive:wallaby-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-wallaby-needed to verification-wallaby-done. If it
does not fix the bug for you, please add a comment stating that, and
change the tag to verification-wallaby-failed. In either case, details
of your testing will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!

** Changed in: cloud-archive/wallaby
       Status: New => Fix Committed

** Tags added: verification-wallaby-needed

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ovn in Ubuntu.
https://bugs.launchpad.net/bugs/1914988

Title:
  IGMP Snooping does not work with RBAC enabled ovn-controllers

Status in Ubuntu Cloud Archive:
  Fix Committed
Status in Ubuntu Cloud Archive ussuri series:
  New
Status in Ubuntu Cloud Archive wallaby series:
  Fix Committed
Status in ovn package in Ubuntu:
  Fix Released
Status in ovn source package in Focal:
  Fix Committed
Status in ovn source package in Hirsute:
  Fix Committed
Status in ovn source package in Impish:
  Fix Released

Bug description:
  [Impact]
  It is currently not possible to use Multicast IGMP snooping with OVN in Ubuntu Focal and Hirsute.

  [Test Plan]
  1. Execute the gate tests for the neutron-api-plugin-ovn charm, which performs a full cloud deployment and confirms two instances can spawn, get metadata and communicate with each other.

  2. Enable IGMP snooping and have instances join a multicast group and
  validate that packets forward and check for RBAC errors.

  [Regression Potential]
  This is a very small patch that adds a static RBAC rule that ovn-northd writes into the database.  The patch has already been available in the upstream branches since February 2021, we have also landed several similar patches upstream which have previously been made available to Focal through point release updates.

  [Original Bug Description]
  Hi,

  I've tested this on both 20.03 and 20.06.

  Looking into ovn-architecture.xml: https://github.com/ovn-org/ovn/blob/master/ovn-architecture.7.xml#L2530
  It states that once RBAC is enabled, ovn-controllers will have access to some of the tables and that is hardcoded within OVN.

  That means once RBAC is enabled, IGMP_Group table is out of reach for
  ovn-controllers and will cause the following issue:

  2021-02-06T17:17:40.916Z|00028|ovsdb_idl|WARN|transaction error:
  {"details":"RBAC rules for client "REDACTED" role "ovn-controller"
  prohibit row insertion into table "IGMP_Group".","error":"permission
  error"}

  Reported on upstream repo: https://github.com/ovn-org/ovn/issues/77

  Proposed patch:
  https://github.com/phvalguima/ovn/commit/3419d9946c51b413f816ceb82372677e4afdbe9d

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1914988/+subscriptions