Bug 1789764

Summary: port_security disabled in networking-ovn works for egress, but not for ingress
Product: Red Hat OpenStack
Reporter: Maciej Józefczyk <mjozefcz>
Component: python-networking-ovn
Assignee: Maciej Józefczyk <mjozefcz>
Status: CLOSED ERRATA
QA Contact: Eduardo Olivares <eolivare>
Severity: high
Docs Contact:
Priority: high
Version: 13.0 (Queens)
CC: apevec, chrisw, dalvarez, ekuris, ksambor, lhh, lmartins, majopela, mgarciac, nusiddiq, ojanas, pmorey, ragiman, rhos-maint, rsafrono, scohen
Target Milestone: ---
Keywords: Triaged, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: python-networking-ovn-4.0.3-20.el7ost
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1683311
Environment:
Last Closed: 2020-06-24 11:53:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1671809, 1683311
Bug Blocks:

Comment 6 Eduardo Olivares 2020-02-14 08:53:32 UTC
Following original's bug verification procedure [1], I created an internal network with port security disabled and connected to an external network via router. I expected unknown addresses were only applied to normal LPs, according to comment 4. However, I got this:

[heat-admin@controller-0 ~]$ ovn-nbctl ls-list
3a64592b-cf74-4a1b-9a25-bd4ffdda7ec7 (neutron-10f1e3c4-56e8-4ac7-9807-81ace182f4a2)
a47bd27a-be32-4634-92f0-975824a9a7e5 (neutron-23d561d2-6fbb-4a82-b0d3-f712c9f543c5)

[heat-admin@controller-0 ~]$ ovn-nbctl show 3a64592b-cf74-4a1b-9a25-bd4ffdda7ec7
switch 3a64592b-cf74-4a1b-9a25-bd4ffdda7ec7 (neutron-10f1e3c4-56e8-4ac7-9807-81ace182f4a2) (aka net1)
    port 6981ff38-c857-4c1c-ad4e-6cb7f3749626
        addresses: ["fa:16:3e:30:b0:ea 192.168.1.11", "unknown"]
    port 91c458f8-ec75-43ef-a5aa-3a820eb17d30
        addresses: ["fa:16:3e:3e:b1:1d 192.168.1.13", "unknown"]
    port 2e390e49-fae4-4499-b84f-9f473208f1f8
        addresses: ["fa:16:3e:e8:55:7e 192.168.1.9", "unknown"]
    port d83fa00d-1de0-4761-8ae7-0d56ddec6499
        type: localport
        addresses: ["fa:16:3e:17:e6:49 192.168.1.2", "unknown"]
    port 9d8d9bf6-06c4-4d40-8c45-612e50474f19
        type: router
        router-port: lrp-9d8d9bf6-06c4-4d40-8c45-612e50474f19

[heat-admin@controller-0 ~]$ ovn-nbctl show a47bd27a-be32-4634-92f0-975824a9a7e5
switch a47bd27a-be32-4634-92f0-975824a9a7e5 (neutron-23d561d2-6fbb-4a82-b0d3-f712c9f543c5) (aka public)
    port ca0fd8b7-62d6-4398-be64-e879fcd24fbf
        type: router
        router-port: lrp-ca0fd8b7-62d6-4398-be64-e879fcd24fbf
    port provnet-23d561d2-6fbb-4a82-b0d3-f712c9f543c5
        type: localnet
        addresses: ["unknown"]
    port 7a0ba43c-8869-4f40-8c62-64e896631843
        type: localport
        addresses: ["fa:16:3e:70:9e:46", "unknown"]


Unknown is applied to localport and localnet also, which is unexpected.

[heat-admin@controller-0 ~]$ sudo rpm -qa python-networking-ovn
python-networking-ovn-4.0.4-2.el7ost.noarch


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1671809#c30
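
A scripted version of the check in comment 6, added here as an example (it is not part of the bug report or of networking-ovn): it parses `ovn-nbctl show` output and lists every port that has a `type:` set and still carries `unknown`. The sample input is the `public` switch output from the comment; the function names are illustrative, and a port with no `type:` line is assumed to be a normal logical port.

```python
import re

# Sample input: the "public" switch output quoted in comment 6.
SAMPLE = """\
switch a47bd27a-be32-4634-92f0-975824a9a7e5 (neutron-23d561d2-6fbb-4a82-b0d3-f712c9f543c5) (aka public)
    port ca0fd8b7-62d6-4398-be64-e879fcd24fbf
        type: router
        router-port: lrp-ca0fd8b7-62d6-4398-be64-e879fcd24fbf
    port provnet-23d561d2-6fbb-4a82-b0d3-f712c9f543c5
        type: localnet
        addresses: ["unknown"]
    port 7a0ba43c-8869-4f40-8c62-64e896631843
        type: localport
        addresses: ["fa:16:3e:70:9e:46", "unknown"]
"""

def parse_ports(show_output):
    """Parse `ovn-nbctl show` text into a list of logical switch port dicts."""
    ports, switch, port = [], None, None
    for line in show_output.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if not line.startswith(" "):
            # Top-level record: only "switch" records own switch ports.
            switch = stripped.split()[1] if stripped.startswith("switch ") else None
            port = None
        elif switch and stripped.startswith("port "):
            # Assumption: no "type:" line means a normal logical port.
            port = {"switch": switch, "name": stripped.split(None, 1)[1],
                    "type": "", "addresses": []}
            ports.append(port)
        elif port and stripped.startswith("type:"):
            port["type"] = stripped.split(":", 1)[1].strip()
        elif port and stripped.startswith("addresses:"):
            port["addresses"] = re.findall(r'"([^"]*)"', stripped)
    return ports

def unknown_on_typed_ports(show_output):
    """Return (name, type) for ports with a type set that carry "unknown"."""
    return [(p["name"], p["type"]) for p in parse_ports(show_output)
            if p["type"] and "unknown" in p["addresses"]]

if __name__ == "__main__":
    for name, ptype in unknown_on_typed_ports(SAMPLE):
        print(f"{ptype:10} {name} has 'unknown' in addresses")
```
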

Comment 16 errata-xmlrpc 2020-06-24 11:53:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2724