[Bug 1951296] Re: [SRU] OVN db sync script fails with OVN schema that has label column in ACL table

Edward Hope-Morley 1951296 at bugs.launchpad.net
Thu Apr 13 09:20:14 UTC 2023 

Verified ussuri-proposed using [Test Case] and output:

# neutron-ovn-db-sync-util --config-file /etc/neutron/neutron.conf.no_keystone_authtoken --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --ovn-neutron_sync_mode repair| grep ACL
2023-04-13 09:17:34.332 1803 DEBUG neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [req-1e03d71c-8f82-40c3-8bf9-a762b0f0bae9 - - - - -] ACL-SYNC: started @ 2023-04-13 09:17:34.332499 sync_acls /usr/lib/python3/dist-packages/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_db_sync.py:241
2023-04-13 09:17:34.355 1803 DEBUG neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [req-1e03d71c-8f82-40c3-8bf9-a762b0f0bae9 - - - - -] ACL-SYNC: finished @ 2023-04-13 09:17:34.355450 sync_acls /usr/lib/python3/dist-packages/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_db_sync.py:301
# apt-cache policy neutron-common
neutron-common:
  Installed: 2:16.4.2-0ubuntu6.1~cloud0
  Candidate: 2:16.4.2-0ubuntu6.1~cloud0
  Version table:
 *** 2:16.4.2-0ubuntu6.1~cloud0 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/ussuri/main amd64 Packages
        100 /var/lib/dpkg/status
     2:12.1.1-0ubuntu8 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
     2:12.0.1-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu bionic/main amd64 Packages


** Tags removed: verification-needed verification-ussuri-needed
** Tags added: verification-done verification-ussuri-done

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1951296

Title:
  [SRU] OVN db sync script fails with OVN schema that has label column
  in ACL table

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive victoria series:
  Fix Released
Status in Ubuntu Cloud Archive wallaby series:
  Fix Released
Status in Ubuntu Cloud Archive xena series:
  Fix Released
Status in Ubuntu Cloud Archive yoga series:
  Fix Released
Status in Ubuntu Cloud Archive zed series:
  Fix Released
Status in neutron:
  Fix Released
Status in neutron package in Ubuntu:
  New
Status in neutron source package in Focal:
  Fix Committed

Bug description:
  [Impact]
  Backport fix to Focal/Ussuri so that neutron-ovn-db-sync-util does not trip up when it finds ovn ACL table entries with a "label" column that does not exist in neutron db.

  [Test Plan]
   * Deploy Openstack Ussuri
   * Upgrade OVN to 22.03 (https://charmhub.io/ovn-chassis/configure?channel=22.03/stable#ovn-source)
   * Create a network with security groups
   * Create an instance using this network so that ports get tied to SGs
   * Go to neutron-api unit (neutron-server) and do the following
   * cp /etc/neutron/neutron.conf /etc/neutron/neutron.conf.no_keystone_authtoken
   * remove "auth_section = keystone_authtoken" in the [nova] section of neutron.conf.no_keystone_authtoken
   * run 'neutron-ovn-db-sync-util --config-file /etc/neutron/neutron.conf.no_keystone_authtoken --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --ovn-neutron_sync_mode repair'
   * the above should not produce any errors like the following:

      RuntimeError: ACL ... already exists

  [Regression Potential]
  there is no regression potential expected with this patch.

  --------------------------------------------------------------------------

  OVN introduced a new column in ACL table. The column name is label and
  when running db-sync script, we compare ACL generated by the ovn mech
  driver from Neutron DB with the actual ACLs in the OVN DB. Because of
  the new label column, everything seems like a new ACL because the
  column differs to what Neutron generated. Thus the script attempts to
  create a new ACL that already exists.

      b'Traceback (most recent call last):'
      b'  File "/usr/local/lib/python3.6/site-packages/neutron/tests/base.py", line 181, in func'
      b'    return f(self, *args, **kwargs)'
      b'  File "/usr/local/lib/python3.6/site-packages/neutron/tests/base.py", line 181, in func'
      b'    return f(self, *args, **kwargs)'
      b'  File "/home/cloud-user/networking-ovn/networking_ovn/tests/functional/test_ovn_db_sync.py", line 1547, in test_ovn_nb_sync_repair'
      b"    self._test_ovn_nb_sync_helper('repair')"
      b'  File "/home/cloud-user/networking-ovn/networking_ovn/tests/functional/test_ovn_db_sync.py", line 1543, in _test_ovn_nb_sync_helper'
      b'    self._sync_resources(mode)'
      b'  File "/home/cloud-user/networking-ovn/networking_ovn/tests/functional/test_ovn_db_sync.py", line 1523, in _sync_resources'
      b'    nb_synchronizer.do_sync()'
      b'  File "/home/cloud-user/networking-ovn/networking_ovn/ovn_db_sync.py", line 104, in do_sync'
      b'    self.sync_acls(ctx)'
      b'  File "/home/cloud-user/networking-ovn/networking_ovn/ovn_db_sync.py", line 288, in sync_acls'
      b'    txn.add(self.ovn_api.pg_acl_add(**acla))'
      b'  File "/usr/lib64/python3.6/contextlib.py", line 88, in __exit__'
      b'    next(self.gen)'
      b'  File "/home/cloud-user/networking-ovn/networking_ovn/ovsdb/impl_idl_ovn.py", line 230, in transaction'
      b'    yield t'
      b'  File "/usr/lib64/python3.6/contextlib.py", line 88, in __exit__'
      b'    next(self.gen)'
      b'  File "/usr/local/lib/python3.6/site-packages/ovsdbapp/api.py", line 110, in transaction'
      b'    del self._nested_txns_map[cur_thread_id]'
      b'  File "/usr/local/lib/python3.6/site-packages/ovsdbapp/api.py", line 61, in __exit__'
      b'    self.result = self.commit()'
      b'  File "/usr/local/lib/python3.6/site-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 65, in commit'
      b'    raise result.ex'
      b'  File "/usr/local/lib/python3.6/site-packages/ovsdbapp/backend/ovs_idl/connection.py", line 131, in run'
      b'    txn.results.put(txn.do_commit())'
      b'  File "/usr/local/lib/python3.6/site-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 93, in do_commit'
      b'    command.run_idl(txn)'
      b'  File "/usr/local/lib/python3.6/site-packages/ovsdbapp/schema/ovn_northbound/commands.py", line 124, in run_idl'
      b'    self.direction, self.priority, self.match))'
      b'RuntimeError: ACL (from-lport, 1001, inport == @neutron_pg_drop && ip) already exists'

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1951296/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list