On 5/10/23 05:33, 张祖建 wrote:
>
> Attached is the ovn-northd log file.
>
> Numan Siddique <num...@ovn.org> wrote on Wed, May 10, 2023 at 08:03:
>
> On Tue, May 9, 2023 at 1:29 PM Ilya Maximets via discuss
> <ovs-discuss@openvswitch.org> wrote:
> >
> > On 5/5/23 10:22, 张祖建 via discuss wrote:
> > > Hi, all:
> > >
> > > I'm using OVN ACL with address set. Sometimes an ACL rule does not
> > > work as expected after updating address set addresses, and ovn-northd
> > > reports the following warning:
> > >
> > > 2023-05-05T08:00:07.298Z|00217|ovsdb_idl|WARN|Trying to delete a key that doesn't exist in the set.
> > >
> > > After some investigation, I found the reason is that ovn-northd tries
> > > to delete an address 0.0.0.0/4 from the addresses column while the
> > > existing addresses are 10.16.0.47/4 and 10.16.3.48/32.
> > >
> > > I added some debug logging and found that there are two functions
> > > responsible for updating ovn sb address_set, update_sb_addr_set() and
> > > sync_addr_set(). In update_sb_addr_set(), ovn-northd formats
> > > 10.16.0.47/4 to 0.0.0.0/4 and writes the latter to ovn sb. While in
> > > sync_addr_set(), ovn-northd writes 10.16.0.47/4 to sb directly.
> > >
> > > I believe this is a bug.
> > >
> > > OVN version: v22.12
> >
> > CC: Numan
> >
> > Thanks for the report! This indeed looks like a bug in the
> > address set incremental processing in northd.
> >
> > If address set doesn't already exist, sync_addr_set() function
> > just copies to Sb without any processing on the addresses, but
> > during the update all addresses are going through expression
> > parsing and formatting that is getting rid of bits that are not
> > part of the mask. And that creates a difference and inability
> > to remove the address from Sb as a result.
> >
> > Best regards, Ilya Maximets.
>
> Thanks for the report.
>
> Is it possible to enable jsonrpc dbg in ovn-northd and share the logs
> when you see this issue?
> (ovn-appctl -t ovn-northd vlog/set jsonrpc:dbg)
>
> Or if you can share a simple ovn-nbctl script to reproduce this issue
> and/or attach the OVN Northbound db that would be great.

FWIW, the simple reproducer:

[tutorial]$ as_uuid=$(ovn-nbctl --wait=sb create address-set name=as1 addresses=10.16.0.47/4,10.16.3.48/32)
[tutorial]$ ovn-nbctl --wait=sb remove address_set $as_uuid addresses 10.16.0.47/4
[tutorial]$ cat sandbox/ovn-northd.log | grep WARN
2023-05-10T11:22:38.998Z|00012|ovsdb_idl|WARN|Trying to delete a key that doesn't exist in the set.

>
> Thanks
> Numan
>
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
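
The mismatch described in this thread, modelled as an added example (not OVN code and not part of the original message): the creation path stores entries verbatim, while the update path clears the bits outside the mask before deleting, so the delete targets a key the stored set never held. Python's ipaddress module stands in for northd's expression formatting, and all function names are hypothetical.

```python
import ipaddress

def canonical(entry):
    """Clear bits outside the mask: 10.16.0.47/4 -> 0.0.0.0/4."""
    return str(ipaddress.ip_network(entry, strict=False))

def create_path(nb_addresses):
    """Model of the creation path: entries are copied verbatim."""
    return set(nb_addresses)

def update_path(sb_set, removed):
    """Model of the update path: entries are normalized before deletion.

    Returns (resulting_set, missing_keys); a missing key is a delete
    aimed at a value the stored set does not contain.
    """
    result, missing = set(sb_set), []
    for entry in removed:
        key = canonical(entry)
        if key in result:
            result.remove(key)
        else:
            missing.append(key)
    return result, missing

def has_host_bits(entry):
    """True when an IP entry has bits set outside its mask."""
    try:
        iface = ipaddress.ip_interface(entry)
    except ValueError:  # not an IP entry (e.g. a MAC); out of scope here
        return False
    return iface.ip != iface.network.network_address

# Constructed input: the two addresses from the reproducer.
NB_ADDRESSES = ["10.16.0.47/4", "10.16.3.48/32"]

if __name__ == "__main__":
    sb = create_path(NB_ADDRESSES)
    sb_after, missing = update_path(sb, ["10.16.0.47/4"])
    print("left in stored set:", sorted(sb_after))
    print("deletes of absent keys:", missing)
    print("entries to normalize at the source:",
          [a for a in NB_ADDRESSES if has_host_bits(a)])
```

Entries flagged by has_host_bits() are the ones whose stored and normalized forms differ, which makes them the candidates to check when an address set stops matching after an update.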