Red Hat OpenStack Services on OpenShift: OSPRH-16091

[sgl 18.0] neutron_pg_drop deleted when using dbsync if drop events are being logged


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Critical
    • Fix Version/s: rhos-18.0.10 FR 3
    • Affects Version/s: rhos-17.1.z, rhos-18.0.z
    • Component/s: openstack-neutron
    • Labels: None
    • Sprint: Neutron Sprint 12, Neutron Sprint 13, Neutron Sprint 14
    • Story Points: 3
    • Severity: Critical

      To close this bug, you should
      Cherry pick the upstream patch (whichever branch is appropriate) https://review.opendev.org/c/openstack/neutron/+/948783 once merged into 18-trunk-patches
      Update the "fix in build" version and move it to "review"

      -------------------------- Original description ----------------
      When you create a network log resource to enable OVN logging:

      https://docs.openstack.org/neutron/latest/contributor/internals/ovn/ovn_network_logging.html

      It seems that will add an ACL rule similar to this:

      _uuid : bd6eaad4-939d-4624-b2f9-9701d1ec402e
      action : drop
      direction : to-lport
      external_ids : {}
      label : 1753594327
      log : true
      match : "outport == @neutron_pg_drop && ip"
      meter : acl_log_meter
      name : neutron-4054c65c-9a05-4bf4-8abe-f31959dbd56f
      options : {log-related="true"}
      priority : 1001
      severity : info
      tier : 0

      However, once that ACL rule comes in, Neutron starts to think that the rule is not supposed to be there, so when a sync runs, it'll "create" new ACLs and "delete" these ones

      To Reproduce Steps to reproduce the behavior:

      1. sudo ovn-nbctl find ACL direction=to-lport action=drop # Check for default drop ACL
      2. openstack network log create --resource-type security_group --resource <SG_ID> --event DROP logmedrop -f value -c ID
      3. sudo ovn-nbctl find ACL direction=to-lport action=drop # Once the network log is created, the default port group ACL gets updated
      4. /opt/stack/data/venv/bin/neutron-ovn-db-sync-util --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --ovn-neutron_sync_mode repair # First repair removes the above ACL
      5. rerun repair: /opt/stack/data/venv/bin/neutron-ovn-db-sync-util --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --ovn-neutron_sync_mode repair # Second repair run gets back the original ACL from step 1

      Expected behavior

      DBSync should expect pg_drop ACL with SGL options set.

      Bug impact

      • Very critical. PG_drop ACL should never be destroyed since it is the basis of the blacklisting policy for Security groups
      • 18, 17.1.
      • Could also happen in 16.2 if someone enables SGL as TP.
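Added example, not code from this bug report or from the Neutron project: a small Python checker for the reproduction steps above. It parses the record format printed by `ovn-nbctl find ACL ...` (blank-line separated `key : value` blocks), picks out the drop ACLs on the `neutron_pg_drop` port group, and diffs a snapshot taken before `neutron-ovn-db-sync-util --ovn-neutron_sync_mode repair` against one taken after, so a missing default-deny ACL is flagged rather than noticed by accident. The two snapshots are constructed for the demo (the logged to-lport record is the one from the description; the from-lport record and its UUID are invented), and `snapshot_from_nbctl` is an assumed wrapper around the real command.

```python
"""Check that the neutron_pg_drop default-drop ACLs survive an OVN DB sync/repair run."""
import re
import subprocess
from typing import Dict, List, Tuple

PG_DROP = "neutron_pg_drop"  # port group carrying Neutron's default-deny policy

# Constructed sample: the logged to-lport ACL from the bug report plus an invented
# from-lport counterpart (UUID made up for the example).
SNAPSHOT_BEFORE = """\
_uuid               : bd6eaad4-939d-4624-b2f9-9701d1ec402e
action              : drop
direction           : to-lport
external_ids        : {}
label               : 1753594327
log                 : true
match               : "outport == @neutron_pg_drop && ip"
meter               : acl_log_meter
name                : neutron-4054c65c-9a05-4bf4-8abe-f31959dbd56f
options             : {log-related="true"}
priority            : 1001
severity            : info
tier                : 0

_uuid               : 0a1b2c3d-0000-4000-8000-000000000001
action              : drop
direction           : from-lport
external_ids        : {}
label               : 0
log                 : false
match               : "inport == @neutron_pg_drop && ip"
meter               : []
name                : []
options             : {}
priority            : 1001
severity            : []
tier                : 0
"""

# Constructed sample: what the first repair run leaves behind (to-lport ACL gone).
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.split("\n\n", 1)[1]


def parse_nbctl_records(text: str) -> List[Dict[str, str]]:
    """Split `ovn-nbctl find` output into one dict per record; strips quotes on values."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip().strip('"')
        if rec:
            records.append(rec)
    return records


def pg_drop_acls(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Drop ACLs whose match references the neutron_pg_drop port group."""
    return [r for r in records
            if r.get("action") == "drop" and f"@{PG_DROP}" in r.get("match", "")]


def acl_key(rec: Dict[str, str]) -> Tuple[str, str, str]:
    """Identity of an ACL independent of its row UUID (the sync recreates rows)."""
    return (rec.get("direction", ""), rec.get("priority", ""), rec.get("match", ""))


def removed_by_sync(before: List[Dict[str, str]],
                    after: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """pg_drop ACLs present before the sync but absent afterwards."""
    after_keys = {acl_key(r) for r in pg_drop_acls(after)}
    return [r for r in pg_drop_acls(before) if acl_key(r) not in after_keys]


def report(before_text: str, after_text: str) -> List[str]:
    """Human-readable findings; one line per lost ACL, noting whether logging was on."""
    missing = removed_by_sync(parse_nbctl_records(before_text), parse_nbctl_records(after_text))
    if not missing:
        return ["OK: all neutron_pg_drop drop ACLs survived the sync"]
    return [f"LOST: {r['direction']} prio {r['priority']} match '{r['match']}'"
            f" (log={r.get('log')}, meter={r.get('meter')})" for r in missing]


def snapshot_from_nbctl() -> str:
    """Assumed wrapper around the real command; not used by the offline demo."""
    return subprocess.run(["sudo", "ovn-nbctl", "find", "ACL", "action=drop"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for line in report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(line)
```

In practice, capture `snapshot_from_nbctl()` before step 4 and again after it, and treat any `LOST:` line as a failed deployment check: with the to-lport ACL gone, traffic to ports in `neutron_pg_drop` is no longer denied by default until the next repair run recreates it.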

              Assignee: Elvira Garcia (egarciar@redhat.com)
              Reporter: Elvira Garcia (egarciar@redhat.com)
              Maor Blaustein
              rhos-dfg-networking-squad-neutron