Hi, It seems, that I see regression with claim port functionality in my OVN installation between v20.06.2 and latest branch-20.06 (78174ea) on cluster with enabled rbac.
On v20.06.2 ovn-controller successfully claims port: # ovn-controller --version ovn-controller 20.06.2 Open vSwitch Library 2.13.0 OpenFlow versions 0x6:0x6 2020-12-02T18:25:28.787Z|00011|binding|INFO|Claiming lport eni-35AFCD00 for this chassis. 2020-12-02T18:25:28.787Z|00012|binding|INFO|eni-35AFCD00: Claiming 0a:00:35:af:cd:00 192.168.0.5 2020-12-02T18:25:28.787Z|00013|binding|INFO|Claiming lport eni-3E9901E0 for this chassis. 2020-12-02T18:25:28.787Z|00014|binding|INFO|eni-3E9901E0: Claiming 0a:00:3e:99:01:e0 192.168.0.4 Transaction request: 2020-12-02T18:50:36.128Z|01605|jsonrpc|DBG|ssl:X.X.X.X:6642: send request, method="transact", params=["OVN_Southbound",{"where":[["_uuid","==",["uuid","4e9bd54c-f083-45cd-93d3-a65f4d20d688"]]],"row":{"chassis":["uuid","9d414bfc-da12-487e-80a0-5c1f2a98a05a"]},"op":"update","table":"Port_Binding"}], id=310 # ovn-sbctl show | grep 04540082-b5b5-4ab5-9901-03ed445c772d -A 9 Chassis "04540082-b5b5-4ab5-9901-03ed445c772d" hostname: host.local Encap vxlan ip: "Y.Y.Y.Y" options: {csum="true"} Encap stt ip: "Y.Y.Y.Y" options: {csum="true"} Port_Binding eni-3E9901E0 Port_Binding eni-35AFCD00 Then I run update OVN (doesn’t matter only ovn controller or full ovn installation): # ovn-controller --version ovn-controller 20.06.3 Open vSwitch Library 2.13.0 OpenFlow versions 0x6:0x6 ovn-controller is unable to claim lport: 2020-12-02T18:53:35.309Z|00043|binding|INFO|Claiming lport eni-3E9901E0 for this chassis. 2020-12-02T18:53:35.309Z|00044|binding|INFO|eni-3E9901E0: Claiming 0a:00:3e:99:01:e0 192.168.0.4 2020-12-02T18:53:35.309Z|00045|binding|INFO|Claiming lport eni-DB28C420 for this chassis. 2020-12-02T18:53:35.309Z|00046|binding|INFO|eni-DB28C420: Claiming 0a:00:db:28:c4:20 192.168.0.6 2020-12-02T18:53:35.309Z|00047|binding|INFO|Claiming lport eni-35AFCD00 for this chassis. 2020-12-02T18:53:35.309Z|00048|binding|INFO|eni-35AFCD00: Claiming 0a:00:35:af:cd:00 192.168.0.5 2020-12-02T18:53:35.345Z|00049|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"04540082-b5b5-4ab5-9901-03ed445c772d\" role \"ovn-controller\" prohibit modification of table \"Encap\".","error":"permission error"} 2020-12-02T18:53:35.345Z|00050|main|INFO|OVNSB commit failed, force recompute next time. Transaction request (added encap table modification comparing to previous version): 2020-12-02T18:57:33.661Z|20500|jsonrpc|DBG|ssl:X.X.X.X:6642: send request, method="transact", params=["OVN_Southbound",{"where":[["_uuid","==",["uuid","9a397740-4072-4853-9b75-9cc120fe4b34"]]],"row":{"chassis":["uuid","e1436af9-4a15-4480-937e-7584e64033a3"]},"op":"update","table":"Port_Binding"},{"where":[["_uuid","==",["uuid","7ec10f55-c89a-4fd3-a2ab-8ac22f845c85"]]],"row":{"chassis_name":"04540082-b5b5-4ab5-9901-03ed445c772d"},"op":"update","table":"Encap"},{"where":[["_uuid","==",["uuid","256d47ca-ef69-4d75-b967-7ab19bd413a7"]]],"row":{"chassis_name":"04540082-b5b5-4ab5-9901-03ed445c772d"},"op":"update","table":"Encap"},{"where":[["_uuid","==",["uuid","34856b67-7f15-44d3-8071-e20ae0f6029f"]]],"row":{"chassis":["uuid","e1436af9-4a15-4480-937e-7584e64033a3"]},"op":"update","table":"Port_Binding"}], id=113 I’ve configured rbac consulting with this instruction: https://docs.ovn.org/en/latest/tutorials/ovn-rbac.html Some rbac-related parameters: # ovn-sbctl list connection _uuid : 4940feb2-c4ae-47d9-ade7-6f25c26a2a71 external_ids : {} inactivity_probe : [] is_connected : false max_backoff : [] other_config : {} read_only : false role : "" status : {} target : "pssl:16642" _uuid : ed9366ef-e352-4210-998f-655f648d638d external_ids : {} inactivity_probe : [] is_connected : false max_backoff : [] other_config : {} read_only : false role : ovn-controller status : {} target : "pssl:6642" # ovn-sbctl list rbac_role _uuid : 91e9fee1-4aff-4d94-93bf-d4c5119a0dd2 name : ovn-controller permissions : {Chassis=4a0070bf-1327-4c4d-a7be-83cf91fa1e42, Encap=91da95b4-4eaf-4659-b803-789c72ea3fad, MAC_Binding=660466ef-f0f0-4e58-8be1-a6d16a640ef9, Port_Binding=046836f0-caf1-4d22-88b3-a1d9562d2b58, Service_Monitor=dabca251-6c8e-4953-8769-88f687285a60} # ovn-sbctl list rbac_permission _uuid : 91da95b4-4eaf-4659-b803-789c72ea3fad authorization : [chassis_name] insert_delete : true table : Encap update : [ip, options, type] _uuid : 046836f0-caf1-4d22-88b3-a1d9562d2b58 authorization : [""] insert_delete : false table : Port_Binding update : [chassis] _uuid : dabca251-6c8e-4953-8769-88f687285a60 authorization : [""] insert_delete : false table : Service_Monitor update : [status] _uuid : 660466ef-f0f0-4e58-8be1-a6d16a640ef9 authorization : [""] insert_delete : true table : MAC_Binding update : [datapath, ip, logical_port, mac] _uuid : 4a0070bf-1327-4c4d-a7be-83cf91fa1e42 authorization : [name] insert_delete : true table : Chassis update : [encaps, external_ids, nb_cfg, other_config, vtep_logical_switches] # ovs-vsctl get open . external-ids:system-id "04540082-b5b5-4ab5-9901-03ed445c772d" # ovs-vsctl get-ssl Private key: /var/lib/openvswitch/pki/host/04540082-b5b5-4ab5-9901-03ed445c772d-privkey.pem Certificate: /var/lib/openvswitch/pki/host/04540082-b5b5-4ab5-9901-03ed445c772d-cert.pem CA Certificate: /var/lib/openvswitch/pki/host/cacert.pem Bootstrap: false # openssl x509 -noout -subject -in /var/lib/openvswitch/pki/host/04540082-b5b5-4ab5-9901-03ed445c772d-cert.pem subject= /C=US/ST=CA/O=Open vSwitch/OU=Open vSwitch certifier/CN=04540082-b5b5-4ab5-9901-03ed445c772d # ovn-sbctl list chassis 04540082-b5b5-4ab5-9901-03ed445c772d _uuid : e1436af9-4a15-4480-937e-7584e64033a3 encaps : [256d47ca-ef69-4d75-b967-7ab19bd413a7, 7ec10f55-c89a-4fd3-a2ab-8ac22f845c85] external_ids : {datapath-type="", iface-types="erspan,geneve,gre,internal,ip6erspan,ip6gre,lisp,patch,stt,system,tap,vxlan", is-interconn="false", ovn-bridge-mappings="", ovn-chassis-mac-mappings="", ovn-cms-options="", ovn-monitor-all="false"} hostname : host.local name : "04540082-b5b5-4ab5-9901-03ed445c772d" nb_cfg : 0 other_config : {datapath-type="", iface-types="erspan,geneve,gre,internal,ip6erspan,ip6gre,lisp,patch,stt,system,tap,vxlan", is-interconn="false", ovn-bridge-mappings="", ovn-chassis-mac-mappings="", ovn-cms-options="", ovn-monitor-all="false"} transport_zones : [] vtep_logical_switches: [] # ovn-sbctl list encap 256d47ca-ef69-4d75-b967-7ab19bd413a7 _uuid : 256d47ca-ef69-4d75-b967-7ab19bd413a7 chassis_name : "04540082-b5b5-4ab5-9901-03ed445c772d" ip : "Y.Y.Y.Y" options : {csum="true"} type : stt # ovn-sbctl list encap 7ec10f55-c89a-4fd3-a2ab-8ac22f845c85 _uuid : 7ec10f55-c89a-4fd3-a2ab-8ac22f845c85 chassis_name : "04540082-b5b5-4ab5-9901-03ed445c772d" ip : "Y.Y.Y.Y" options : {csum="true"} type : vxlan Can anybody point me what could go wrong? Am I missing something? Regards, Vladislav Odintsov _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev