Description of problem:

While setting unknown address for LSP we found that DHCP-related logical flows are deleted from the logical switch ingress pipeline.

While there are addresses configured we can see that the flows are in place:

stack@mjozefcz-ovn-train-lb:~/logs$ sudo ovn-sbctl lflow-list |grep a09a1ac7-62ad-46ad-b802-c4abf65dcf70 | grep ls_in_dhcp_options
  table=14(ls_in_dhcp_options ), priority=100 , match=(inport == "a09a1ac7-62ad-46ad-b802-c4abf65dcf70" && eth.src == fa:16:3e:05:35:b1 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67), action=(reg0[3] = put_dhcp_opts(offerip = 10.2.1.134, classless_static_route = {169.254.169.254/32,10.2.1.2, 0.0.0.0/0,10.2.1.1}, dns_server = {127.0.0.53}, lease_time = 43200, mtu = 1442, netmask = 255.255.255.0, router = 10.2.1.1, server_id = 10.2.1.1); next;)
  table=14(ls_in_dhcp_options ), priority=100 , match=(inport == "a09a1ac7-62ad-46ad-b802-c4abf65dcf70" && eth.src == fa:16:3e:05:35:b1 && ip4.src == 10.2.1.134 && ip4.dst == {10.2.1.1, 255.255.255.255} && udp.src == 68 && udp.dst == 67), action=(reg0[3] = put_dhcp_opts(offerip = 10.2.1.134, classless_static_route = {169.254.169.254/32,10.2.1.2, 0.0.0.0/0,10.2.1.1}, dns_server = {127.0.0.53}, lease_time = 43200, mtu = 1442, netmask = 255.255.255.0, router = 10.2.1.1, server_id = 10.2.1.1); next;)

When we set unknown address all the DHCP flows are deleted:

stack@mjozefcz-ovn-train-lb:~/logs$ ovn-nbctl set logical_switch_port a09a1ac7-62ad-46ad-b802-c4abf65dcf70 addresses='"unknown"'
stack@mjozefcz-ovn-train-lb:~/logs$ sudo ovn-sbctl lflow-list |grep a09a1ac7-62ad-46ad-b802-c4abf65dcf70 | grep ls_in_dhcp_options
stack@mjozefcz-ovn-train-lb:~/logs$

In OpenStack there is a possibility to disable port security for a particular port. In this situation the instance is not able to get an address from DHCP.

Maybe we can try to not loop over defined addresses in LSP, but to install a flow that will match only inport [1]?
[1] https://github.com/ovn-org/ovn/blob/master/northd/ovn-northd.c#L6290
I don't think this is a bug. OVN DHCP will only work if there's an IP set in the addresses column. You need to append "unknown" to the logical port if you want to allow any MAC address from/to the port and also clear the port_security column.
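A check built on the lflow-list inspection from the description, as an added example that is not part of the bug report or of OVN: it reads `ovn-sbctl lflow-list` output and lists the ports that have no `ls_in_dhcp_options` flow. The sample dump is constructed (abbreviated from the two flows quoted above, plus one made-up line from another table) and `port-unknown-only` is a hypothetical port name.

```shell
#!/bin/sh
# Added example, not from the bug report.
# Constructed sample: the two DHCP flows quoted in the report (option list
# abbreviated) and one constructed flow from another table as noise.
sample_lflows() {
cat <<'EOF'
  table=14(ls_in_dhcp_options ), priority=100 , match=(inport == "a09a1ac7-62ad-46ad-b802-c4abf65dcf70" && eth.src == fa:16:3e:05:35:b1 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67), action=(reg0[3] = put_dhcp_opts(offerip = 10.2.1.134, lease_time = 43200, netmask = 255.255.255.0, router = 10.2.1.1, server_id = 10.2.1.1); next;)
  table=14(ls_in_dhcp_options ), priority=100 , match=(inport == "a09a1ac7-62ad-46ad-b802-c4abf65dcf70" && eth.src == fa:16:3e:05:35:b1 && ip4.src == 10.2.1.134 && ip4.dst == {10.2.1.1, 255.255.255.255} && udp.src == 68 && udp.dst == 67), action=(reg0[3] = put_dhcp_opts(offerip = 10.2.1.134, lease_time = 43200, netmask = 255.255.255.0, router = 10.2.1.1, server_id = 10.2.1.1); next;)
  table=15(ls_in_dhcp_response), priority=0    , match=(1), action=(next;)
EOF
}

# dhcp_offers PORT
# Reads lflow-list text on stdin and prints one "MAC offered-IP" line per
# distinct DHCPv4 binding installed for PORT. Prints nothing if there is none.
dhcp_offers() {
    grep -F 'ls_in_dhcp_options' | grep -F "inport == \"$1\"" |
        sed -n 's/.*eth\.src == \([0-9a-fA-F:]*\) .*offerip = \([0-9.]*\),.*/\1 \2/p' |
        sort -u
}

# ports_without_dhcp PORT...
# Reads lflow-list text on stdin and prints every PORT that has no DHCPv4
# flow, i.e. a port whose instance will get no answer from OVN DHCP.
ports_without_dhcp() {
    dump=$(cat)
    for p in "$@"; do
        [ -n "$(printf '%s\n' "$dump" | dhcp_offers "$p")" ] || echo "$p"
    done
}

# Demo on the constructed sample. Against a live deployment the input would be:
#   ovn-sbctl lflow-list | ports_without_dhcp <port> [<port> ...]
sample_lflows | ports_without_dhcp \
    a09a1ac7-62ad-46ad-b802-c4abf65dcf70 port-unknown-only
```

Run against the ports that have port security disabled, this shows which of them lost their DHCP flows.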
Created attachment 1666925 [details] patch-with-failing-ut
Created attachment 1667195 [details] patch-with-failing-2-ut
*** Bug 1784807 has been marked as a duplicate of this bug. ***
Reproduced on version:

# rpm -qa|grep ovn
ovn2.11-2.11.1-37.el7fdp.x86_64
ovn2.11-host-2.11.1-37.el7fdp.x86_64
ovn2.11-central-2.11.1-37.el7fdp.x86_64

server:

# dhcp options
local dhcp_102=$(ovn-nbctl create DHCP_Options cidr=42.42.42.0/24 \
    options="\"server_id\"=\"42.42.42.254\" \"server_mac\"=\"00:de:ad:ff:01:02\" \
    \"lease_time\"=\"3600\" \"router\"=\"42.42.42.254\"")
echo $dhcp_102
ovn-nbctl ls-add ls
ovn-nbctl lsp-add ls vm1
ovn-nbctl lsp-set-addresses vm1 "00:00:00:00:00:01 42.42.42.2" unknown
rlRun "ovn-nbctl lsp-set-dhcpv4-options vm1 $dhcp_102"
rlRun "ovn-nbctl lsp-get-dhcpv4-options vm1"
ovn-nbctl lsp-add ls vm2
ovn-nbctl lsp-set-addresses vm2 "00:00:00:00:00:02 42.42.42.3"
rlRun "ovn-nbctl lsp-set-dhcpv4-options vm2 $dhcp_102"
rlRun "ovn-nbctl lsp-get-dhcpv4-options vm2"
ip netns add vm1
ovs-vsctl add-port br-int vm1 -- set interface vm1 type=internal
ip link set vm1 netns vm1
ip netns exec vm1 ip link set vm1 address 00:00:00:00:00:01
ip netns exec vm1 ip link set vm1 up
ip netns exec vm1 ip link set lo up
ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
ip netns exec vm1 dhclient -i vm1 -v

client:

ip netns add vm2
ovs-vsctl add-port br-int vm2 -- set interface vm2 type=internal
ip link set vm2 netns vm2
ip netns exec vm2 ip link set vm2 address 00:00:00:00:00:02
ip netns exec vm2 ip link set vm2 up
ip netns exec vm2 ip link set lo up
ovs-vsctl set Interface vm2 external_ids:iface-id=vm2
sync_set server $FUNCNAME
sync_wait server $FUNCNAME
pkill dhclient
ip netns exec vm2 dhclient -v -i vm2

and then change the MAC address of vm1:

ip netns exec vm1 ip link set vm1 address 00:00:00:00:00:03

ping vm1 from vm2:

ip netns exec vm2 ping 42.42.42.2
PING 42.42.42.2 (42.42.42.2) 56(84) bytes of data.
--- 42.42.42.2 ping statistics ---
50 packets transmitted, 0 received, 100% packet loss, time 48999ms

Verified on version:

# rpm -qa|grep ovn
ovn2.11-2.11.1-38.el7fdp.x86_64
ovn2.11-host-2.11.1-38.el7fdp.x86_64
ovn2.11-central-2.11.1-38.el7fdp.x86_64

Change the MAC of vm1, and then ping from vm2 to vm1:

ip netns exec vm2 ping 42.42.42.2 -c 50
PING 42.42.42.2 (42.42.42.2) 56(84) bytes of data.
64 bytes from 42.42.42.2: icmp_seq=1 ttl=64 time=1.22 ms
64 bytes from 42.42.42.2: icmp_seq=2 ttl=64 time=0.254 ms
64 bytes from 42.42.42.2: icmp_seq=3 ttl=64 time=0.243 ms
64 bytes from 42.42.42.2: icmp_seq=4 ttl=64 time=0.225 ms
64 bytes from 42.42.42.2: icmp_seq=5 ttl=64 time=0.236 ms

set verified
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1458