Bug 1898198
| Summary: | Don't include IP addresses for OVN ports if both port security and DHCP are disabled | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Elvira <egarciar> |
| Component: | python-networking-ovn | Assignee: | Elvira <egarciar> |
| Status: | CLOSED ERRATA | QA Contact: | Eran Kuris <ekuris> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 16.1 (Train) | CC: | apevec, dalvarez, ftaylor, gregraka, lhh, lmartins, majopela, mflusche, scohen |
| Target Milestone: | z7 | Keywords: | Reopened, Triaged |
| Target Release: | 16.1 (Train on RHEL 8.2) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | python-networking-ovn-7.3.1-1.20210422143234.4e24f4c.el8ost | Doc Type: | Known Issue |
| Doc Text: |
Currently, there is a known issue where it is not possible to simulate certain real-life scenarios when the MAC-IP addresses of a port are unknown. The RHOSP Networking service (neutron) directly specifies the MAC-IP of a port even if DHCP or security groups are not configured.
+
Workaround: upgrade to RHOSP 16.1.7 and install ML2/OVN v21.03. If DHCP and port security are disabled, then the addresses field of a port does not include its MAC-IP address pairs, and ML2/OVN can use the MAC learning capabilities to send traffic only to the desired port.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-12-09 20:17:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Build available at: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1575419 There is a build with the fix available at brew: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1585485 Thank Elvira,
After upgrading to this build it looks good now! thanks for all the work on this one!
[root@overcloud-controller-0 ~]# podman exec -ti neutron_api rpm -q python3-networking-ovn
python3-networking-ovn-7.3.1-1.20210422143234.4e24f4c.el8ost.noarch
$ openstack network create net1
$ openstack subnet create --subnet-range 10.10.10.0/24 --network net1 --no-dhcp subnet1
$ source overcloudrc
$ openstack port create --disable-port-security --no-security-group --network net1 net1-port1
$ openstack port create --disable-port-security --no-security-group --network net1 net1-port2
$ openstack server add port rhel1 net1-port1
$ openstack server add port rhel1 net1-port2
# ovn-nbctl show |grep -A1 net1-port1
port 98c905bb-04fb-4101-82f0-67629d1d4bb0 (aka net1-port1)
addresses: ["unknown"]
# ovn-nbctl show |grep -A1 net1-port2
port 1137ac4c-0bd7-45da-bb08-1aaad4a990e0 (aka net1-port2)
addresses: ["unknown"]
# ovn-sbctl list fdb
_uuid : e97c6301-3893-48b2-95b6-8f752609a844
dp_key : 2
mac : "fa:16:3e:01:41:ff"
port_key : 3
Hi Matt, Nice to know!! Thanks to you for your patience. Looks good! Changed to z7 since z6 is now only accepting blockers. verified:
overcloud) [stack@undercloud-0 tmp]$ cat ~/core_puddle_version
RHOS-16.1-RHEL-8-20211007.n.1
[root@controller-1 ~]# podman exec -it neutron_api /bin/bash
^[[A()[neutron@controller-1 /]$ rpm -qa | grep ovn
puppet-ovn-15.4.1-1.20210528102649.192ac4e.el8ost.noarch
python3-networking-ovn-7.3.1-1.20210714143309.el8ost.noarch
[root@controller-1 ~]# sudo podman exec -it ovn-dbs-bundle-podman-1 /bin/bash
()[root@controller-1 /]# ovn-nbctl show |grep -A1 net1-port1
port 548f16c7-c86b-4cac-a6d7-bb4eb97437c8 (aka net1-port1)
addresses: ["unknown"]
()[root@controller-1 /]# ovn-nbctl show |grep -A1 net1-port2
port 0c608c07-a796-41b1-816c-3a18c610d01e (aka net1-port2)
addresses: ["unknown"]
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenStack Platform 16.1.7 (Train) bug fix and enhancement advisory), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:3762 |
Description of problem: Right now, when port security is disabled the ML2/OVN plugin will set the addresses field to ["unknown", "mac IP1 IP2..."]. Eg.: port 2da76786-51f0-4217-a09b-0c16e6728588 (aka servera-port-2) addresses: ["52:54:00:02:FA:0A 192.168.0.245", "unknown"] There are scenarios (eg. NIC teaming) where the traffic may come from two different ports with the same source MAC address. While this is fine, on the way back, OVN doesn't learn the location of the MAC and it will deliver to the port which has the MAC address defined in the DB. E.g port1 - MAC1 port2 - MAC2 If traffic goes out from port2 with smac=MAC1, then the traffic will be delivered by OVN. However, for incoming traffic getting to br-int with dmac=MAC1, OVN will deliver that to port1 instead of port2 because of the above configuration. If OVN is not configured with any MAC(s) then the traffic will be flooded to all ports which have addresses=["unknown"]. The reason why "MAC IP" is added is merely so that OVN can install the necessary flows to serve DHCP natively. In order to cover these use cases, the ML2/OVN driver could clear up the MAC-IP(s) from the 'addresses' column of those ports that belong to a network with DHCP disabled. Launchpad bug at: https://bugs.launchpad.net/neutron/+bug/1904412