Bug 2003023

Summary: [OVN migration] No connectivity with ports with port-security disabled
Product: Red Hat OpenStack
Reporter: Eduardo Olivares <eolivare>
Component: python-networking-ovn
Assignee: Kamil Sambor <ksambor>
Status: CLOSED NOTABUG
QA Contact: Eran Kuris <ekuris>
Severity: urgent
Priority: unspecified
Version: 16.2 (Train)
CC: apevec, jamsmith, ksambor, lhh, lmartins, majopela, scohen
Target Milestone: z1
Keywords: Triaged
Target Release: 16.2 (Train on RHEL 8.4)
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2021-10-07 11:11:35 UTC
Type: Bug
Bug Blocks: 2004149

Description Eduardo Olivares 2021-09-10 10:08:06 UTC
Description of problem:
A VM with a port with port-security disabled is not reachable after migration from ML2/OVS to OVN. It cannot even be pinged from its ovnmetadata namespace.

The VM had its IP properly configured via DHCP before the migration, but after the migration it could not contact the DHCP service. DHCP packets were dropped on table 17 from the br-int flows:
 cookie=0x968032e0, duration=33983.654s, table=17, n_packets=23, n_bytes=7866, idle_age=1207, priority=2001,ip,reg0=0x200/0x200,reg14=0x9,metadata=0x5 actions=drop

I have enabled port-security on this port and added ICMP and SSH security rules and now it works fine (DHCP client succeeded, ping to external network, etc.).

I have created a new VM on the same network with port-sec disabled after the migration to OVN was completed and it works fine.

The rest of the VMs with port-sec disabled created before the migration have the same connectivity problems.

Link to the job: https://rhos-ci-staging-jenkins.lab.eng.tlv2.redhat.com/job/DFG-network-networking-ovn-16.2_director-rhel-virthost-3cont_2comp-ipv4-vxlan-ml2ovs-to-ovn-migration/3/

This has actually been reproduced by several tobiko tests during the check resources stage:
http://rhos-ci-logs.lab.eng.tlv2.redhat.com/logs/staging/DFG-network-networking-ovn-16.2_director-rhel-virthost-3cont_2comp-ipv4-vxlan-ml2ovs-to-ovn-migration/3/infrared/.workspaces/workspace_2021-09-09_16-16-00/tobiko_check-resources/tobiko_check-resources_check_resources_scenario.html

Version-Release number of selected component (if applicable):
RHOS-16.2-RHEL-8-20210903.n.1

How reproducible:
100%

Steps to Reproduce:
1. create VM with port-sec disabled
2. perform ovs to ovn migration