[Bug 1961112] Re: [ovn] overlapping security group rules break neutron-ovn-db-sync-util

Corey Bryant 1961112 at bugs.launchpad.net
Wed Nov 15 18:50:42 UTC 2023


** Description changed:

  Neutron (Xena) is happy to accept equivalent rules with overlapping
  remote CIDR prefix as long as the notation is different, e.g. 10.0.0.0/8
  and 10.0.0.1/8.
  
  However, OVN is smarter, normalizes the prefix and figures out that they
  both are 10.0.0.0/8.
  
  This does not have any fatal effects in a running OVN deployment
  (creating and using such rules does not even trigger a warning) but upon
  running neutron-ovn-db-sync-util, it crashes and won't perform a sync.
  This is a blocker for upgrades (and other scenarios).
- 
  
  Security group's rules:
  
  $ openstack security group rule list overlap-sgr
  +--------------------------------------+-------------+-----------+------------+------------+-----------+-----------------------+----------------------+
  | ID                                   | IP Protocol | Ethertype | IP Range   | Port Range | Direction | Remote Security Group | Remote Address Group |
  +--------------------------------------+-------------+-----------+------------+------------+-----------+-----------------------+----------------------+
  | 3c41fa80-1d23-49c9-9ec1-adf581e07e24 | tcp         | IPv4      | 10.0.0.1/8 |            | ingress   | None                  | None                 |
  | 639d263e-6873-47cb-b2c4-17fc824252db | None        | IPv4      | 0.0.0.0/0  |            | egress    | None                  | None                 |
  | 96e99039-cbc0-48fe-98fe-ef28d41b9d9b | tcp         | IPv4      | 10.0.0.0/8 |            | ingress   | None                  | None                 |
  | bf9160a3-fc9b-467e-85d5-c889811fd6ca | None        | IPv6      | ::/0       |            | egress    | None                  | None                 |
  +--------------------------------------+-------------+-----------+------------+------------+-----------+-----------------------+----------------------+
  
- 
  Log excerpt:
  16/Feb/2022:20:55:40.568 527216 INFO neutron.cmd.ovn.neutron_ovn_db_sync_util [req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] Sync for Northbound db started with mode : repair
  16/Feb/2022:20:55:42.105 527216 INFO neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.extensions.qos [req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] Starting OVNClientQosExtension
  16/Feb/2022:20:55:42.380 527216 INFO neutron.db.ovn_revision_numbers_db [req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] Successfully bumped revision number for resource 49b3249a-7624-4711-b271-3e63c6a27658 (type: ports) to 17
  16/Feb/2022:20:55:43.205 527216 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] ACLs-to-be-added 1 ACLs-to-be-removed 0
  16/Feb/2022:20:55:43.206 527216 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] ACL found in Neutron but not in OVN DB for port group pg_e90b68f3_9f8d_4250_9b6a_7531e2249c99
  16/Feb/2022:20:55:43.208 527216 ERROR ovsdbapp.backend.ovs_idl.transaction [req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] Traceback (most recent call last):
-   File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/connection.py", line 131, in run
-     txn.results.put(txn.do_commit())
-   File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 93, in do_commit
-     command.run_idl(txn)
-   File "/usr/lib/python3/dist-packages/ovsdbapp/schema/ovn_northbound/commands.py", line 123, in run_idl
-     raise RuntimeError("ACL (%s, %s, %s) already exists" % (
+   File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/connection.py", line 131, in run
+     txn.results.put(txn.do_commit())
+   File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 93, in do_commit
+     command.run_idl(txn)
+   File "/usr/lib/python3/dist-packages/ovsdbapp/schema/ovn_northbound/commands.py", line 123, in run_idl
+     raise RuntimeError("ACL (%s, %s, %s) already exists" % (
  RuntimeError: ACL (to-lport, 1002, outport == @pg_e90b68f3_9f8d_4250_9b6a_7531e2249c99 && ip4 && ip4.src == 10.0.0.0/8 && tcp) already exists
+ 
+ 
+ ===== Ubuntu SRU Details =====
+ 
+ [Impact]
+ See bug description.
+ 
+ [Test Case]
+ Deploy openstack with OVN. Create overlapping security group rules. Run neutron-ovn-db-sync-util and ensure it completes successfully.
+ 
+ [Where problems could occur]
+ If the logic driven by the may_exist parameter is not correct, the existing bug could still occur. Presumably this is not the case, but that is a theoritical potential for where problems could occur. All of these patches have already landed in the corresponding upsream branches.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1961112

Title:
  [ovn] overlapping security group rules break neutron-ovn-db-sync-util

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Triaged
Status in neutron:
  Fix Released
Status in neutron package in Ubuntu:
  Fix Released
Status in neutron source package in Focal:
  Triaged

Bug description:
  Neutron (Xena) is happy to accept equivalent rules with overlapping
  remote CIDR prefix as long as the notation is different, e.g.
  10.0.0.0/8 and 10.0.0.1/8.

  However, OVN is smarter, normalizes the prefix and figures out that
  they both are 10.0.0.0/8.

  This does not have any fatal effects in a running OVN deployment
  (creating and using such rules does not even trigger a warning) but
  upon running neutron-ovn-db-sync-util, it crashes and won't perform a
  sync. This is a blocker for upgrades (and other scenarios).

  Security group's rules:

  $ openstack security group rule list overlap-sgr
  +--------------------------------------+-------------+-----------+------------+------------+-----------+-----------------------+----------------------+
  | ID                                   | IP Protocol | Ethertype | IP Range   | Port Range | Direction | Remote Security Group | Remote Address Group |
  +--------------------------------------+-------------+-----------+------------+------------+-----------+-----------------------+----------------------+
  | 3c41fa80-1d23-49c9-9ec1-adf581e07e24 | tcp         | IPv4      | 10.0.0.1/8 |            | ingress   | None                  | None                 |
  | 639d263e-6873-47cb-b2c4-17fc824252db | None        | IPv4      | 0.0.0.0/0  |            | egress    | None                  | None                 |
  | 96e99039-cbc0-48fe-98fe-ef28d41b9d9b | tcp         | IPv4      | 10.0.0.0/8 |            | ingress   | None                  | None                 |
  | bf9160a3-fc9b-467e-85d5-c889811fd6ca | None        | IPv6      | ::/0       |            | egress    | None                  | None                 |
  +--------------------------------------+-------------+-----------+------------+------------+-----------+-----------------------+----------------------+

  Log excerpt:
  16/Feb/2022:20:55:40.568 527216 INFO neutron.cmd.ovn.neutron_ovn_db_sync_util [req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] Sync for Northbound db started with mode : repair
  16/Feb/2022:20:55:42.105 527216 INFO neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.extensions.qos [req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] Starting OVNClientQosExtension
  16/Feb/2022:20:55:42.380 527216 INFO neutron.db.ovn_revision_numbers_db [req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] Successfully bumped revision number for resource 49b3249a-7624-4711-b271-3e63c6a27658 (type: ports) to 17
  16/Feb/2022:20:55:43.205 527216 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] ACLs-to-be-added 1 ACLs-to-be-removed 0
  16/Feb/2022:20:55:43.206 527216 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] ACL found in Neutron but not in OVN DB for port group pg_e90b68f3_9f8d_4250_9b6a_7531e2249c99
  16/Feb/2022:20:55:43.208 527216 ERROR ovsdbapp.backend.ovs_idl.transaction [req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/connection.py", line 131, in run
      txn.results.put(txn.do_commit())
    File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 93, in do_commit
      command.run_idl(txn)
    File "/usr/lib/python3/dist-packages/ovsdbapp/schema/ovn_northbound/commands.py", line 123, in run_idl
      raise RuntimeError("ACL (%s, %s, %s) already exists" % (
  RuntimeError: ACL (to-lport, 1002, outport == @pg_e90b68f3_9f8d_4250_9b6a_7531e2249c99 && ip4 && ip4.src == 10.0.0.0/8 && tcp) already exists

  
  ===== Ubuntu SRU Details =====

  [Impact]
  See bug description.

  [Test Case]
  Deploy openstack with OVN. Create overlapping security group rules. Run neutron-ovn-db-sync-util and ensure it completes successfully.

  [Where problems could occur]
  If the logic driven by the may_exist parameter is not correct, the existing bug could still occur. Presumably this is not the case, but that is a theoritical potential for where problems could occur. All of these patches have already landed in the corresponding upsream branches.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1961112/+subscriptions




More information about the Ubuntu-openstack-bugs mailing list