This issue was fixed in the openstack/neutron ussuri-eol release.
** Changed in: cloud-archive/ussuri
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1961112
Title:
[ovn] overlapping security group rules break neutron-ovn-db-sync-util
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive ussuri series:
Fix Released
Status in neutron:
Fix Released
Status in neutron package in Ubuntu:
Fix Released
Status in neutron source package in Focal:
Fix Committed
Bug description:
Neutron (Xena) is happy to accept equivalent rules with overlapping
remote CIDR prefix as long as the notation is different, e.g.
10.0.0.0/8 and 10.0.0.1/8.
However, OVN is smarter, normalizes the prefix and figures out that
they both are 10.0.0.0/8.
This does not have any fatal effects in a running OVN deployment
(creating and using such rules does not even trigger a warning) but
upon running neutron-ovn-db-sync-util, it crashes and won't perform a
sync. This is a blocker for upgrades (and other scenarios).
Security group's rules:
$ openstack security group rule list overlap-sgr
+--------------------------------------+-------------+-----------+------------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range
| Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+------------+------------+-----------+-----------------------+----------------------+
| 3c41fa80-1d23-49c9-9ec1-adf581e07e24 | tcp | IPv4 | 10.0.0.1/8
| | ingress | None | None |
| 639d263e-6873-47cb-b2c4-17fc824252db | None | IPv4 | 0.0.0.0/0
| | egress | None | None |
| 96e99039-cbc0-48fe-98fe-ef28d41b9d9b | tcp | IPv4 | 10.0.0.0/8
| | ingress | None | None |
| bf9160a3-fc9b-467e-85d5-c889811fd6ca | None | IPv6 | ::/0
| | egress | None | None |
+--------------------------------------+-------------+-----------+------------+------------+-----------+-----------------------+----------------------+
Log excerpt:
16/Feb/2022:20:55:40.568 527216 INFO neutron.cmd.ovn.neutron_ovn_db_sync_util
[req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] Sync for Northbound db
started with mode : repair
16/Feb/2022:20:55:42.105 527216 INFO
neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.extensions.qos
[req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] Starting
OVNClientQosExtension
16/Feb/2022:20:55:42.380 527216 INFO neutron.db.ovn_revision_numbers_db
[req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] Successfully bumped
revision number for resource 49b3249a-7624-4711-b271-3e63c6a27658 (type: ports)
to 17
16/Feb/2022:20:55:43.205 527216 WARNING
neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync
[req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] ACLs-to-be-added 1
ACLs-to-be-removed 0
16/Feb/2022:20:55:43.206 527216 WARNING
neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync
[req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] ACL found in Neutron but
not in OVN DB for port group pg_e90b68f3_9f8d_4250_9b6a_7531e2249c99
16/Feb/2022:20:55:43.208 527216 ERROR ovsdbapp.backend.ovs_idl.transaction
[req-c595a893-db9b-484e-ae8a-bb7dbe8b31f3 - - - - -] Traceback (most recent
call last):
File
"/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/connection.py", line
131, in run
txn.results.put(txn.do_commit())
File
"/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line
93, in do_commit
command.run_idl(txn)
File
"/usr/lib/python3/dist-packages/ovsdbapp/schema/ovn_northbound/commands.py",
line 123, in run_idl
raise RuntimeError("ACL (%s, %s, %s) already exists" % (
RuntimeError: ACL (to-lport, 1002, outport ==
@pg_e90b68f3_9f8d_4250_9b6a_7531e2249c99 && ip4 && ip4.src == 10.0.0.0/8 &&
tcp) already exists
===== Ubuntu SRU Details =====
[Impact]
See bug description.
[Test Case]
Deploy openstack with OVN. Create overlapping security group rules. Run
neutron-ovn-db-sync-util and ensure it completes successfully.
[Where problems could occur]
If the logic driven by the may_exist parameter is not correct, the existing
bug could still occur. Presumably this is not the case, but that is a
theoritical potential for where problems could occur. All of these patches have
already landed in the corresponding upstream branches.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1961112/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
