Bug 1905118

Summary: [TestOnly] Stateless security groups
Product: Red Hat OpenStack Reporter: Karrar Fida <kfida>
Component: python-networking-ovnAssignee: OSP Team <rhos-maint>
Status: VERIFIED --- QA Contact: Vadim Khitrin <vkhitrin>
Severity: high Docs Contact:
Priority: high    
Version: 17.0 (Wallaby)CC: ekuris, eshulman, gurpsing, hakhande, ihrachys, jlibosva, ksundara, mariel, rhos-maint, spower, supadhya, vchundur, vkhitrin
Target Milestone: gaKeywords: FutureFeature, Reopened, TestOnly, Triaged
Target Release: 17.1Flags: ifrangs: needinfo? (rhos-maint)
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1827598 Environment:
Last Closed: 2022-01-06 14:42:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1827598    
Bug Blocks:    

Comment 1 Sanjay Upadhyay 2021-06-24 07:57:03 UTC 
It is not clear on what is the feature and what needs to be tested. We would need more details. A conditional ack is provided for now.
Comment 2 Ihar Hrachyshka 2021-07-29 21:09:32 UTC 
This feature is to support stateless ACL rules for OSP17+ and OVN. This is achieved by setting stateless=True for a security group. In which case, SG rules that belong to the group will be stateless (no connection tracking enabled). It should save some CPU cycles since conntrack tables are omitted. We expect to see somewhere around 10-15% bandwidth and latency savings, depending on protocol and scenario. Both stateful and stateless rules can be defined for a port (in OSP context they would have to belong to different SGs). All stateless rules take precedence over stateful rules (it's an implementation detail). 

Some info on neutron API here: https://docs.openstack.org/api-ref/network/v2/#stateful-security-groups-extension-stateful-security-group

This should now be available in OSP17. This should probably be moved to ON_QA, but I will let the assignee do it.
Comment 11 Gurpreet Singh 2022-10-19 02:31:35 UTC 
Hi Eran

We will have to get this in 17.1 for Verizon as well. Going through their requirements, I see that they have explicitly listed it. To make their upgrade to 17.1 and OVN migration successful, we will have to support this.

If QE capacity is a challenge, we should escalate the concern now. 

Regards
Gurpreet