Bug 1885668

Summary: [RFE] Improve ovn-nbctl man page to clarify function behavior of Port-Group
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Anil Vishnoi <avishnoi>
Component: OVN
Assignee: OVN Team <ovnteam>
Status: NEW
QA Contact: Jianlin Shi <jishi>
Severity: medium
Priority: low
Docs Contact:
Version: RHEL 8.0
CC: ctrautma, dcbw, mmichels
Target Milestone: ---
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Anil Vishnoi 2020-10-06 16:23:32 UTC
Description of problem:
The current functional behavior of port-groups is a bit confusing because of the ways a port-group can be used. A CMS can use a port-group in
(1) the match criteria (inport/outport matching on a port-group, PG-M) of an ACL while associating that ACL with a port-group (PG-A);
(2) associating ACLs (inport/outport) with a port-group (PG-A) only.

In case 1, the ACL will be installed on all the logical switches that have one or more logical ports in the port-group (PG-A). In this kind of scenario, it's recommended that PG-A and PG-M are the same. If PG-M contains logical ports from a logical switch on node-1 and PG-A contains logical ports from a logical switch on node-2, it will end up installing logical flows on node-2 that match on ports from node-1, and that doesn't make sense.
In this scenario, the port-group is used to do
(a) an exact match on the logical port, because it's used as a match criterion;
(b) determine the logical switch where this ACL needs to be installed.

In case 2, the ACL will be installed on all the logical switches that have one or more logical ports in the port-group (PG-A). In this scenario, it doesn't matter if you add one logical port or all the logical ports from a specific logical switch. The ACL will be applied at the switch level, because the match criteria don't match on port-groups.

So, depending on the context, a port-group is used either as an exact match in the ACL to handle traffic or to determine where to install the ACL.

The current documentation is not very clear about this, so it needs to be improved to clearly explain the functional behavior of port-groups.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
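The two usages described in the report, as an added shell example that is not part of the bug report or of the OVN project: case 2 attaches an ACL to a port-group whose match does not reference the group (so it lands, switch-wide, on every switch holding a member), and case 1 both matches on the group and attaches to it (so it lands only where the matched ports live). Switch, port and port-group names (sw1, sw2, lp1a, lp2a, pg_a, pg_m) and the 10.0.0.0/24 prefix are made up for illustration; port-group names use underscores because they are referenced as identifiers (`@pg_m`) in ACL matches. `NBCTL`/`SBCTL` default to the real `ovn-nbctl`/`ovn-sbctl` and can be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example (not from the bug report): exercise the two port-group
# usages discussed above and show where the resulting logical flows land.
# All names below are hypothetical; NBCTL/SBCTL may be overridden.
set -eu
NBCTL="${NBCTL:-ovn-nbctl}"
SBCTL="${SBCTL:-ovn-sbctl}"

# Two logical switches with one port each (constructed topology).
build_topology() {
    $NBCTL --may-exist ls-add sw1
    $NBCTL --may-exist ls-add sw2
    $NBCTL --may-exist lsp-add sw1 lp1a
    $NBCTL --may-exist lsp-add sw2 lp2a
}

# Case 2: ACL attached to pg_a but matching on an address, not the group.
# pg_a has a member on sw1 and one on sw2, so the ACL is installed on
# both switches and applies to all of their ports, not just the members.
case2_attach_only() {
    $NBCTL pg-add pg_a lp1a lp2a
    $NBCTL acl-add pg_a to-lport 1000 'ip4.src == 10.0.0.0/24' allow
}

# Case 1: match on the group (PG-M) and attach to the same group (PG-A).
# pg_m only has a member on sw1, so the flow is installed on sw1 only,
# and the @pg_m reference restricts it to that port. Keeping PG-M == PG-A
# avoids installing a match for sw1 ports onto switches that lack them.
case1_match_and_attach() {
    $NBCTL pg-add pg_m lp1a
    $NBCTL acl-add pg_m from-lport 1001 'inport == @pg_m && ip' drop
}

# Check: list the southbound ACL-stage flows per datapath. Expect the
# 10.0.0.0/24 flow under both sw1 and sw2, and the pg_m flow under sw1 only.
show_acl_flows() {
    for sw in sw1 sw2; do
        echo "== $sw"
        $SBCTL lflow-list "$sw" | grep -E 'ls_(in|out)_acl' \
            | grep -E '10\.0\.0\.0/24|pg_m' || true
    done
}

# Run with: sh thisfile.sh apply   (against a live OVN northbound DB)
if [ "${1:-}" = "apply" ]; then
    build_topology
    case2_attach_only
    case1_match_and_attach
    show_acl_flows
fi
```

For a dry run, set `NBCTL` to a shell function or a script that just echoes its arguments; the emitted commands are exactly the ones `ovn-nbctl` would receive.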