
Bug 1885668

Summary: [RFE] Improve ovn-nbctl man page to clarify function behavior of Port-Group
Product: Red Hat Enterprise Linux Fast Datapath
Component: OVN
Version: RHEL 8.0
Status: CLOSED WONTFIX
Severity: medium
Priority: low
Hardware: All
OS: All
Reporter: Anil Vishnoi <avishnoi>
Assignee: OVN Team <ovnteam>
QA Contact: Jianlin Shi <jishi>
CC: ctrautma, dcbw, mmichels
Doc Type: Enhancement
Type: Bug
Last Closed: 2024-02-14 21:11:21 UTC

Description Anil Vishnoi 2020-10-06 16:23:32 UTC
Description of problem:
Current functional behavior of port-group is a bit confusing because of the way port-group can be used. CMS can use port-group in
(1) match criteria (inport/outport using port-group (PG-M) to match) in ACL and associating it to port-group (PG-A)
(2) associating ACLs (inport/outport) to port group (PG-A).

In case 1, ACL will be installed on all the logical-switches that have one or more logical-ports in the port-group (PG-A). In this kind of scenario, it's recommended that PG-A and PG-M are the same. If PG-M contains logical-ports from the logical-switch on node-1 and PG-A contains logical-ports from the logical-switch on node-2, it will end up installing the logical-flows on node-2 that match on ports from node-1, and that doesn't make sense.
In this scenario, Port-Group is used
(a) to do an exact match on logical-port, because it's used as a match criteria
(b) to determine the logical-switch where this ACL needs to be installed.

In case 2, ACL will be installed on all the logical-switches that have one or more logical-ports in the port-group (PG-A). In this scenario, it doesn't matter if you add one logical-port or all the logical-ports from a specific logical-switch. ACL will be applied at the switch level, because the match criteria doesn't match on port-groups.

So based on the context, port-group is used as an exact match in ACL to handle traffic or to determine where to install the ACL.

Current documentation is not very clear about it, so that needs to be improved to clearly explain the functional behavior of the port-groups.


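The two port-group roles described in the report above, modelled as a small lint a CMS could run before creating an ACL. This is an added example, not part of the bug report or of OVN's code; the topology, port-group names and the `audit_acl` helper are hypothetical, and the model assumes only the behaviour the report states.

```python
import re

# Constructed sample topology (all names hypothetical): logical port -> logical switch.
PORT_SWITCH = {"lp1": "ls-node1", "lp2": "ls-node1",
               "lp3": "ls-node2", "lp4": "ls-node2"}
# Constructed port groups: name -> member logical ports.
PORT_GROUPS = {"pg_node1": {"lp1", "lp2"}, "pg_node2": {"lp3"}}

# Port-group references in an ACL match, e.g. "inport == @pg_node1".
PG_REF = re.compile(r"\b(?:inport|outport)\s*==\s*@(\w+)")


def switches_of(pg):
    """Logical switches that own at least one port of the group."""
    return {PORT_SWITCH[p] for p in PORT_GROUPS[pg]}


def audit_acl(pg_a, match):
    """Model where an ACL attached to pg_a (PG-A) lands and flag confusing combinations."""
    installed = switches_of(pg_a)
    findings = []
    referenced = PG_REF.findall(match)
    for pg_m in referenced:
        m_switches = switches_of(pg_m)
        if installed - m_switches:
            # Flows installed on a switch that has no port of PG-M: they never match there.
            findings.append(("never-matches", pg_m, sorted(installed - m_switches)))
        if m_switches - installed:
            # PG-M ports on switches where this ACL is not installed at all.
            findings.append(("not-installed", pg_m, sorted(m_switches - installed)))
    if not referenced:
        # Case 2: no port-group match, so the ACL covers whole switches,
        # including ports that are not members of PG-A.
        extra = sorted(p for p, s in PORT_SWITCH.items()
                       if s in installed and p not in PORT_GROUPS[pg_a])
        if extra:
            findings.append(("switch-wide", pg_a, extra))
    return {"installed_on": sorted(installed), "findings": findings}


if __name__ == "__main__":
    for pg_a, match in [("pg_node1", "outport == @pg_node1 && ip4"),
                        ("pg_node2", "inport == @pg_node1 && ip4"),
                        ("pg_node2", "ip4 && tcp.dst == 22")]:
        print(pg_a, "|", match, "->", audit_acl(pg_a, match))
```

A `not-installed` or `switch-wide` finding is the one to review from a policy standpoint: the first means ports the rule names never see it, the second means ports outside the group are covered by it.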
Comment 1 OVN Bot 2024-02-14 21:11:20 UTC
This issue is being closed as an automatic process due to the issue's age. If you wish to re-open this issue, please do so in Jira (https://issues.redhat.com) in the 'FDP' project. Please be sure to set the component to the latest OVN version where this issue is known to occur. If this is a feature request or improvement, please set the component to 'OVN'.