On 3/29/25 1:25 AM, Qin, Qiaofeng via discuss wrote:
> Hi,
>

Hi Qiaofeng,

> I am thinking about a scenario where NB has multiple clients. For
> example, there are two users each managing a datapath, and they do not
> care about each other. They might accidentally install the same ACL

Do you mean you'd have multiple CMS (cloud management systems)
configuring the NB database contents? Don't they need a sort of broker
anyway (e.g., to ensure they don't remove each other's datapaths?).
Couldn't that broker layer ensure that ACLs are consolidated?

> which is then combined by ovn-northd. In this case, one of them can
> easily find the logical flow in SB by checking the stage-hint, but it is
> more difficult for the other user to find the logical flow.
>

We could maybe change the semantics of SB.Logical_Flow.external_ids
'stage-hint' and instead of storing a single hint store a list. However,
that seems tricky, might require extensive changes in the code base and
might induce performance issues.

Is this a limitation we can live with? In theory the stage-hint added by
ovn-northd is just an internal OVN implementation detail and there's no
guarantee its semantics are persisted across OVN upgrades. I know in
practice ovn-detrace relies on it to try to map back to various NB
records but ovn-detrace anyway has some limitations because there's no
explicit typing of stage-hints. ovn-detrace tries to guess what those
hints mean and can potentially already report slightly incorrect results
(e.g., if a load balancer and an ACL generate the same stage-hint value).
That is, in my opinion, fine because ovn-detrace is a debugging tool.

Regards,
Dumitru

> Best,
> Qiaofeng
>
> ------------------------------------------------------------------------
> *From:* Ilya Maximets <i.maxim...@ovn.org>
> *Sent:* Friday, March 28, 2025 4:59 AM
> *To:* Qin, Qiaofeng <qiaofeng....@intel.com>; ovs-disc...@openvswitch.org <ovs-discuss@openvswitch.org>
> *Cc:* i.maxim...@ovn.org <i.maxim...@ovn.org>
> *Subject:* Re: [ovs-discuss] [OVN] Logical flows combined in
> logical_dp_groups lose "stage-hint" information
>
> On 3/28/25 10:08, Qin, Qiaofeng via discuss wrote:
>> Hi all,
>>
>> I created some ACLs in OVN, and want to trace each OVN-SB logical flow
>> to the corresponding OVN-NB ACL table row. To achieve it, I refer to the
>> "stage-hint" value of Logical_Flow.External_Ids and compare the UUID.
>>
>> However, when multiple datapaths have the same ACL rule, these rules will
>> be combined into a single logical flow with a logical_dp_group. The merged
>> logical flow has only one "stage-hint" UUID value. Therefore, some OVN-NB
>> ACL table rows can no longer be tracked in OVN-SB.
>
> Hi. What is your use case for tracking NB ACLs in SB? If those ACLs are
> actually the same, you may reference the same ACL row from all switches and
> port groups. That will solve the mapping problem, as there will be just one
> ACL row in both NB and SB.
>
> Best regards, Ilya Maximets.
>
>>
>> Would it be possible to keep all stage-hint UUIDs when ovn-northd performs
>> the flow combination? Or are there any workarounds to prevent an ACL from
>> being merged? Currently, I am setting different names to each ACL to make
>> them distinct. However, that also forces ACL logging that creates extra
>> traffic overheads.
>>
>>
>> Best,
>> Qiaofeng
>
>
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
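
The two limitations discussed in this thread, as an added example that is not part of any message above and is not OVN or ovn-detrace code: an untyped stage-hint can match rows in more than one NB table, and an ACL merged into a twin's logical flow leaves no hint of its own in SB. All rows and hints are constructed; the sketch assumes the hint is the first 32 bits of the NB row UUID in hex and that ACLs identical in direction, priority, match and action are the ones ovn-northd combines.

```python
from collections import defaultdict

# Constructed NB rows: (table, row UUID, attached switch, rule content).
NB_ROWS = [
    ("ACL", "3f2a9c10-1a2b-4c3d-8e4f-000000000001", "sw-a",
     ("from-lport", 1001, "ip4.src == 10.0.0.5", "drop")),
    ("ACL", "b77e0d42-1a2b-4c3d-8e4f-000000000002", "sw-b",
     ("from-lport", 1001, "ip4.src == 10.0.0.5", "drop")),
    ("ACL", "c41d88e7-1a2b-4c3d-8e4f-000000000003", "sw-a",
     ("to-lport", 900, "tcp.dst == 22", "allow")),
    ("Load_Balancer", "c41d88e7-9f9f-4c3d-8e4f-000000000004", "sw-a",
     ("vip", "192.0.2.10:80")),
]
# Constructed stage-hints present in SB after the two identical ACLs merged.
SB_HINTS = {"3f2a9c10", "c41d88e7"}


def hint_of(row_uuid):
    # Assumption: the hint is the first 32 bits of the NB row UUID, in hex.
    return row_uuid.split("-")[0]


def resolve(hint, rows=NB_ROWS):
    """All NB rows a hint could refer to; hints carry no table type."""
    return [(table, uuid) for table, uuid, _, _ in rows if hint_of(uuid) == hint]


def untracked_acls(rows=NB_ROWS, sb_hints=SB_HINTS):
    """Map each ACL whose hint is absent from SB to the hint of its identical twin."""
    by_rule = defaultdict(list)
    for table, uuid, _, rule in rows:
        if table == "ACL":
            by_rule[rule].append(uuid)
    lost = {}
    for uuids in by_rule.values():
        kept = [u for u in uuids if hint_of(u) in sb_hints]
        for u in uuids:
            if hint_of(u) not in sb_hints and kept:
                lost[u] = hint_of(kept[0])
    return lost


if __name__ == "__main__":
    print(resolve("c41d88e7"))   # an ACL and a load balancer both match
    print(untracked_acls())      # sw-b's ACL maps to sw-a's surviving hint
```
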