Reviewed: https://review.opendev.org/c/openstack/neutron/+/948783
Committed: https://opendev.org/openstack/neutron/commit/1cf5b6de7c964b17913d4ade9a8c7485aff8a2db
Submitter: "Zuul (22348)"
Branch: master

commit 1cf5b6de7c964b17913d4ade9a8c7485aff8a2db
Author: Elvira <[email protected]>
Date: Tue May 27 19:11:46 2025 +0000

    Consider logging options when using OVNdbsync

    Previously, OVN db sync would erase an ACL if any unexpected property
    appeared on it and not recreate it again. This happened because of the
    order of deletion and creation of the ACLs: the new ACL was first
    created and then deleted just the moment after that. This meant that
    even crucial ACLs like the ones bound to the pg_drop port group, which
    are used to reject all the traffic by default on ML2/OVN environments,
    would disappear. The order of the ACL deletion and creation has been
    inverted to avoid this.

    Furthermore, security group logging was not supported on the
    ovn_db_sync script, which would also cause the logging parameters to
    disappear. Now, the logging options are considered when doing a sync.

    Closes-Bug: #2107925
    Change-Id: I00fa8332fdebc958ddb8f28c638670c75a70e0c5
    Signed-off-by: Elvira Garcia <[email protected]>

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2107925

Title:
  [ovn] neutron_pg_drop deleted when using network log

Status in neutron:
  Fix Released

Bug description:

When you create a network log resource to enable OVN logging:

https://docs.openstack.org/neutron/latest/contributor/internals/ovn/ovn_network_logging.html

It seems that will add an ACL rule similar to this:

```
_uuid               : bd6eaad4-939d-4624-b2f9-9701d1ec402e
action              : drop
direction           : to-lport
external_ids        : {}
label               : 1753594327
log                 : true
match               : "outport == @neutron_pg_drop && ip"
meter               : acl_log_meter
name                : neutron-4054c65c-9a05-4bf4-8abe-f31959dbd56f
options             : {log-related="true"}
priority            : 1001
severity            : info
tier                : 0
```

However, once that ACL rule comes in, Neutron starts to think that the rule is not supposed to be there, so when a sync runs, it'll "create" new ACLs and "delete" these ones (not from this one above but similar):

```
2025-04-11 00:52:12.959 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs-to-be-added 7 ACLs-to-be-removed 7
2025-04-11 00:52:12.959 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
2025-04-11 00:52:12.960 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group neutron_pg_drop
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group neutron_pg_drop
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 00:52:12.962 37 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-85cacb15-72f4-4c66-b5f4-587c2d558780 - - - - - -] ACLs found in OVN DB but not in Neutron for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
```

At this point, the neutron_pg_drop ACL to drop all is fully gone and everything is allowed. Running the repair again will add the rules again:

```
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACLs-to-be-added 7 ACLs-to-be-removed 0
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.506 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group pg_c40034c8_8393_4a72_9ca9_6d4be2da5db1
2025-04-11 13:47:02.507 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
2025-04-11 13:47:02.507 49 WARNING neutron.plugins.ml2.drivers.ovn.mech_driver.ovsdb.ovn_db_sync [None req-8857e42b-0299-4749-90ba-2ef1a4c55ffb - - - - - -] ACL found in Neutron but not in OVN DB for port group neutron_pg_drop
```

However, once these are restored, the ACL meter rules are also gone for good but at least the default block all is restored.
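
The ordering problem named in the commit message can be reproduced with a small model. This is an added illustration, not Neutron or OVN code: `PortGroup`, `sync` and the sample rows are hypothetical, and the model assumes that deletion selects ACLs by (direction, priority, match), as `ovn-nbctl acl-del` does. It covers only the create/delete ordering, not the logging-option handling the commit also adds.

```python
# Added illustration: a toy model of OVN port-group ACLs, not Neutron code.
# Assumption: deletion selects ACLs by (direction, priority, match), so it
# cannot tell a stale row from one that was created a moment earlier.

def acl_key(acl):
    return (acl["direction"], acl["priority"], acl["match"])


class PortGroup:
    """Hypothetical stand-in for an OVN NB Port_Group and its ACL rows."""

    def __init__(self, acls=()):
        self.acls = [dict(a) for a in acls]

    def add(self, acl):
        self.acls.append(dict(acl))

    def delete(self, acl):
        self.acls = [a for a in self.acls if acl_key(a) != acl_key(acl)]


def sync(pg, expected, delete_first):
    """Reconcile pg with the expected ACLs, comparing whole rows."""
    to_add = [a for a in expected if a not in pg.acls]
    to_remove = [a for a in pg.acls if a not in expected]
    steps = [(pg.delete, to_remove), (pg.add, to_add)]
    if not delete_first:
        steps.reverse()  # pre-fix order: create, then delete
    for operation, acls in steps:
        for acl in acls:
            operation(acl)
    return len(to_add), len(to_remove)


# Constructed data: the default-drop ACL the sync expects, and the same ACL
# in the OVN DB carrying logging columns the sync does not expect.
EXPECTED = [{"direction": "to-lport", "priority": 1001, "action": "drop",
             "match": "outport == @neutron_pg_drop && ip"}]
IN_OVN = [dict(EXPECTED[0], log=True, meter="acl_log_meter", severity="info")]


def drop_acls_after_sync(delete_first):
    pg = PortGroup(IN_OVN)
    sync(pg, EXPECTED, delete_first)
    return [a for a in pg.acls if a["action"] == "drop"]


if __name__ == "__main__":
    print("create then delete:", drop_acls_after_sync(delete_first=False))
    print("delete then create:", drop_acls_after_sync(delete_first=True))
```

With create-then-delete the port group ends up with no drop ACL at all; a second sync against the now empty group adds rows and removes none, which is the shape of the "repair" run in the second log.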
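
For operators reviewing sync runs, the warnings quoted in the bug description are enough to spot a run that queued default-drop ACLs for removal. The following is an added example, not part of Neutron: the function name is hypothetical and the sample log lines are constructed in the format shown above, with placeholder timestamps and request ids.

```python
import re
from collections import defaultdict

# Patterns follow the ovn_db_sync warnings quoted in the bug description.
LINE = re.compile(r"ovn_db_sync \[None (req-\S+)[^\]]*\] (.+)$")
COUNTS = re.compile(r"ACLs-to-be-added (\d+) ACLs-to-be-removed (\d+)")
REMOVED = re.compile(
    r"ACLs found in OVN DB but not in Neutron for port group (\S+)")
DROP_PG = "neutron_pg_drop"


def syncs_removing_default_drop(log_text):
    """Map request id -> counters for sync runs that queued neutron_pg_drop
    ACLs for removal."""
    runs = defaultdict(lambda: {"added": 0, "removed": 0, "drop_removed": 0})
    for line in log_text.splitlines():
        found = LINE.search(line)
        if not found:
            continue
        req, msg = found.groups()
        counts = COUNTS.search(msg)
        if counts:
            runs[req]["added"] = int(counts.group(1))
            runs[req]["removed"] = int(counts.group(2))
        removed = REMOVED.search(msg)
        if removed and removed.group(1) == DROP_PG:
            runs[req]["drop_removed"] += 1
    return {req: run for req, run in runs.items() if run["drop_removed"]}


def _line(req, msg):
    # Constructed log line; timestamp and request ids are placeholders.
    return ("2025-01-01 00:00:00.000 1 WARNING neutron.plugins.ml2.drivers."
            "ovn.mech_driver.ovsdb.ovn_db_sync [None %s - - - - - -] %s"
            % (req, msg))


ADD = "ACL found in Neutron but not in OVN DB for port group "
DEL = "ACLs found in OVN DB but not in Neutron for port group "
SAMPLE = "\n".join([
    _line("req-1111", "ACLs-to-be-added 3 ACLs-to-be-removed 3"),
    _line("req-1111", ADD + "pg_example"),
    _line("req-1111", ADD + DROP_PG),
    _line("req-1111", ADD + DROP_PG),
    _line("req-1111", DEL + DROP_PG),
    _line("req-1111", DEL + DROP_PG),
    _line("req-1111", DEL + "pg_example"),
    _line("req-2222", "ACLs-to-be-added 3 ACLs-to-be-removed 0"),
    _line("req-2222", ADD + DROP_PG),
])

if __name__ == "__main__":
    for req, run in syncs_removing_default_drop(SAMPLE).items():
        print(req, run)
```

A flagged run is a prompt to confirm, after the sync, that the `neutron_pg_drop` port group still carries its drop ACLs.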

