[Bug 1939723] Re: neutron-ovn-db-sync generates insufficient flow
nikhil kshirsagar
1939723 at bugs.launchpad.net
Tue Aug 29 10:02:43 UTC 2023
I tried reproducing it, but can't see the expected result in step 2.
Steps to reproduce and test:
1. Create a VM (get neutron port_id, example xxxxx)
2. ovn-nbctl --no-leader-only list port_group neutron_pg_drop | grep xxxxx
--> port xxxxx in port_group neutron_pg_drop
ubuntu at nkshirsagar-bastion:~/stsstack-bundles/openstack$ openstack server list
+--------------------------------------+----------------+--------+------------------------+---------+-----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+----------------+--------+------------------------+---------+-----------+
| 9fdae43b-1bff-444d-9483-a5832732dfe2 | cirros2-060935 | ACTIVE | private=192.168.21.240 | cirros2 | m1.cirros |
| 838e7eba-1b7d-43b7-8ad7-eafd9c9d5087 | jammy-060831 | ERROR | | jammy | m1.small |
| b971c0a1-4344-4fa8-adba-ef6f7449626c | testneutron | ACTIVE | private=192.168.21.86 | jammy | m1.small |
+--------------------------------------+----------------+--------+------------------------+---------+-----------+
ubuntu at nkshirsagar-bastion:~/stsstack-bundles/openstack$ openstack port list --server cirros2-060935
+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------+--------+
| ID | Name | MAC Address | Fixed IP Addresses | Status |
+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------+--------+
| 5f03dc77-12d0-497e-888d-c0f1019da68d | | fa:16:3e:2a:c4:b1 | ip_address='192.168.21.240', subnet_id='ebeedda7-ee84-4f04-93ae-941e12daf9b7' | ACTIVE |
+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------+--------+
ubuntu at nkshirsagar-bastion:~/stsstack-bundles/openstack$ openstack port show 5f03dc77-12d0-497e-888d-c0f1019da68d
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | juju-5a7359-neutronsru-8.cloud.sts |
| binding_profile | |
| binding_vif_details | port_filter='True' |
| binding_vif_type | ovs |
| binding_vnic_type | normal |
| created_at | 2023-08-29T06:09:42Z |
| data_plane_status | None |
| description | |
| device_id | 9fdae43b-1bff-444d-9483-a5832732dfe2 |
| device_owner | compute:nova |
| dns_assignment | fqdn='cirros2-060935.neutronsru.stsstack.qa.1ss.', hostname='cirros2-060935', ip_address='192.168.21.240' |
| dns_domain | |
| dns_name | cirros2-060935 |
| extra_dhcp_opts | |
| fixed_ips | ip_address='192.168.21.240', subnet_id='ebeedda7-ee84-4f04-93ae-941e12daf9b7' |
| id | 5f03dc77-12d0-497e-888d-c0f1019da68d |
| ip_allocation | immediate |
| location | cloud='', project.domain_id=, project.domain_name='admin_domain', project.id='3380120d8535487e805d715ae79be5eb', project.name='admin', region_name='RegionOne', zone= |
| mac_address | fa:16:3e:2a:c4:b1 |
| name | |
| network_id | 13c98a1c-a62f-4be1-90c6-187fb217cd12 |
| port_security_enabled | False |
| project_id | 3380120d8535487e805d715ae79be5eb |
| propagate_uplink_status | None |
| qos_network_policy_id | None |
| qos_policy_id | None |
| resource_request | None |
| revision_number | 6 |
| security_group_ids | |
| status | ACTIVE |
| tags | |
| trunk_details | None |
| updated_at | 2023-08-29T06:23:12Z |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Converted the port_id in neutron to the port_id in OVN:
ubuntu at nkshirsagar-bastion:~/stsstack-bundles/openstack$ juju ssh ovn-central/1 sudo -s
root at juju-5a7359-neutronsru-10:/home/ubuntu# ovn-nbctl --no-leader-only lsp-list neutron-13c98a1c-a62f-4be1-90c6-187fb217cd12
64e8bc7b-2cb8-406b-9fef-f7827618867f (0118fb96-e3bb-416e-aeb2-7c8e3f54d541)
f9dc057a-cfdf-4e98-bbe3-dd5719bfbf92 (27b7f167-d4b8-4192-8042-83a584f13e13)
fb44147e-7819-4688-8052-d06d2f4c56f2 (5f03dc77-12d0-497e-888d-c0f1019da68d) <----
ff843c23-6f15-4bb4-bdaa-10dae394d0da (a5f3766a-70ce-4c0e-8ea2-ac8bd1c29bf4)
root at juju-5a7359-neutronsru-10:/home/ubuntu# ovn-nbctl --no-leader-only list port_group neutron_pg_drop
_uuid : bc8407bb-a44d-4b47-9f13-985b36249f88
acls : [8327cabf-3d12-4fe1-a58d-6e49fa2fb7b3, cf5c5f5f-6696-4184-92cb-1e9116dd5352]
external_ids : {}
name : neutron_pg_drop
ports : []
There are acls [8327cabf-3d12-4fe1-a58d-6e49fa2fb7b3, cf5c5f5f-6696-4184-92cb-1e9116dd5352] but
fb44147e-7819-4688-8052-d06d2f4c56f2 (5f03dc77-12d0-497e-888d-c0f1019da68d) <----
I still don't see the above port id in the "ovn-nbctl --no-leader-only list port_group neutron_pg_drop"
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1939723
Title:
neutron-ovn-db-sync generates insufficient flow
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive ussuri series:
Fix Committed
Status in Ubuntu Cloud Archive victoria series:
Fix Released
Status in Ubuntu Cloud Archive wallaby series:
Fix Released
Status in Ubuntu Cloud Archive xena series:
Fix Released
Status in Ubuntu Cloud Archive yoga series:
Fix Released
Status in Ubuntu Cloud Archive zed series:
Fix Released
Status in neutron:
Fix Released
Status in neutron package in Ubuntu:
Fix Released
Status in neutron source package in Focal:
Fix Committed
Bug description:
= Original bug description =
In OpenStack version Victoria, neutron-ovn-db-sync generates insufficient flow for a port with no security group or with port security disabled.
---> As a result, the port is not connected to the network.
= Ubuntu SRU details =
[Impact]
The neutron-ovn-db-sync tool is used for syncing neutron networks and ports with OVN databases. When the tool is run, ports with port security disabled are incorrectly being added to the drop port group, causing all traffic to be dropped by default.
[Test Case]
- Create a VM
- Disable port security
- Remove NB & SB DB
- Run command neutron-ovn-db-sync-util to resync from neutron to NB database
neutron-ovn-db-sync-util --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --ovn-neutron_sync_mode repair
- Restart ovn-controller
- The VM whose port has port security disabled dies without the fix
[Regression Potential]
This is a simple patch that fixes the logic of an if statement. This has been fixed in the victoria+ Ubuntu package versions since 2022-01-12, and has been fixed in the upstream stable/ussuri branch since 2021-11-11.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1939723/+subscriptions
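The manual check in the message above (map the Neutron port id to its OVN logical switch port row, then look for that row in neutron_pg_drop) can be scripted over captured `ovn-nbctl` output. This is an added example, not part of the original message or of neutron's code; the function names and sample data are constructed, and it assumes a port with port security enabled belongs in neutron_pg_drop (step 2 of the reproducer) while one with it disabled does not (the [Impact] text).

```python
import re

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"

# Constructed sample: lsp-list rows in the shape shown in the message (row UUID,
# then the Neutron port id in parentheses) and a drop group as a bad resync leaves it.
LSP_LIST = """\
64e8bc7b-2cb8-406b-9fef-f7827618867f (0118fb96-e3bb-416e-aeb2-7c8e3f54d541)
f9dc057a-cfdf-4e98-bbe3-dd5719bfbf92 (27b7f167-d4b8-4192-8042-83a584f13e13)
fb44147e-7819-4688-8052-d06d2f4c56f2 (5f03dc77-12d0-497e-888d-c0f1019da68d)
"""
PG_DROP = """\
name                : neutron_pg_drop
ports               : [64e8bc7b-2cb8-406b-9fef-f7827618867f, fb44147e-7819-4688-8052-d06d2f4c56f2]
"""
# Neutron port id -> port_security_enabled (constructed values; the last id is not in OVN)
PORTS = {
    "0118fb96-e3bb-416e-aeb2-7c8e3f54d541": True,
    "27b7f167-d4b8-4192-8042-83a584f13e13": True,
    "5f03dc77-12d0-497e-888d-c0f1019da68d": False,
    "00000000-0000-0000-0000-000000000000": True,
}

def parse_lsp_list(text):
    """Map Neutron port id (the LSP name) to the OVN row UUID."""
    rows = re.findall(rf"^\s*({UUID})\s+\((.+?)\)", text, re.M)
    return {name: uuid for uuid, name in rows}

def parse_port_group_ports(text):
    """Return the set of LSP row UUIDs in the port group's `ports` column."""
    m = re.search(r"^ports\s*:\s*\[(.*)\]", text, re.M)
    return set(re.findall(UUID, m.group(1))) if m else set()

def audit_drop_group(ports, lsp_list_out, pg_drop_out):
    """Compare drop-group membership with port security; return (port_id, finding)."""
    lsp = parse_lsp_list(lsp_list_out)
    members = parse_port_group_ports(pg_drop_out)
    findings = []
    for port_id, psec in sorted(ports.items()):
        row = lsp.get(port_id)
        if row is None:
            findings.append((port_id, "missing-in-ovn"))
        elif row in members and not psec:   # the state this bug produces
            findings.append((port_id, "dropped-but-port-security-disabled"))
        elif row not in members and psec:   # assumption: default drop is expected
            findings.append((port_id, "no-default-drop"))
    return findings

if __name__ == "__main__":
    for port_id, finding in audit_drop_group(PORTS, LSP_LIST, PG_DROP):
        print(port_id, finding)
```

On a live deployment the two text inputs would come from `ovn-nbctl --no-leader-only lsp-list neutron-<network_id>` and `ovn-nbctl --no-leader-only list port_group neutron_pg_drop`, with the port security flags taken from `openstack port show`.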