Bug 1898198 - Don't include IP addresses for OVN ports if both port security and DHCP are disabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-networking-ovn
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: z7
Target Release: 16.1 (Train on RHEL 8.2)
Assignee: Elvira
QA Contact: Eran Kuris
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-11-16 16:08 UTC by Elvira
Modified: 2021-12-09 20:17 UTC
CC: 9 users

Fixed In Version: python-networking-ovn-7.3.1-1.20210422143234.4e24f4c.el8ost
Doc Type: Known Issue
Doc Text:
Currently, there is a known issue where it is not possible to simulate certain real-life scenarios when the MAC-IP addresses of a port are unknown. The RHOSP Networking service (neutron) directly specifies the MAC-IP of a port even if DHCP or security groups are not configured.
Workaround: upgrade to RHOSP 16.1.7 and install ML2/OVN v21.03. If DHCP and port security are disabled, then the addresses field of a port does not include its MAC-IP address pairs, and ML2/OVN can use the MAC learning capabilities to send traffic only to the desired port.
Clone Of:
Environment:
Last Closed: 2021-12-09 20:17:24 UTC
Target Upstream Version:
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Launchpad               1904412         0        None      None    None     2020-11-17 11:30:46 UTC
Red Hat Issue Tracker   OSP-503         0        None      None    None     2021-11-18 11:29:02 UTC
Red Hat Product Errata  RHBA-2021:3762  0        None      None    None     2021-12-09 20:17:49 UTC

Description Elvira 2020-11-16 16:08:15 UTC
Description of problem:
Right now, when port security is disabled the ML2/OVN plugin will set the addresses field to ["unknown", "mac IP1 IP2..."]. E.g.:

port 2da76786-51f0-4217-a09b-0c16e6728588 (aka servera-port-2)
        addresses: ["52:54:00:02:FA:0A 192.168.0.245", "unknown"]

There are scenarios (eg. NIC teaming) where the traffic may come from two different ports with the same source MAC address. While this is fine, on the way back, OVN doesn't learn the location of the MAC and it will deliver to the port which has the MAC address defined in the DB.

E.g.:

port1 - MAC1
port2 - MAC2

If traffic goes out from port2 with smac=MAC1, then the traffic will be delivered by OVN.
However, for incoming traffic getting to br-int with dmac=MAC1, OVN will deliver that to port1 instead of port2 because of the above configuration.

If OVN is not configured with any MAC(s) then the traffic will be flooded to all ports which have addresses=["unknown"].

The reason why "MAC IP" is added is merely so that OVN can install the necessary flows to serve DHCP natively.

In order to cover these use cases, the ML2/OVN driver could clear up the MAC-IP(s) from the 'addresses' column of those ports that belong to a network with DHCP disabled.

Launchpad bug at: https://bugs.launchpad.net/neutron/+bug/1904412
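
The behaviour described in this report, modelled as an added example (this is not networking-ovn or OVN code): `lsp_addresses` computes what ML2/OVN writes into the Logical_Switch_Port `addresses` column for a port, before and after the fix, and `deliver` applies the delivery rule stated above (a MAC listed statically in the DB wins over the learned location; otherwise the learned port; otherwise flood to every port carrying "unknown"). The port and subnet dicts, MAC and IP values, and the `fixed` flag are constructed for the illustration; allowed address pairs, which the real driver also writes, are left out.

```python
# Added example (not networking-ovn or OVN code): models how the Logical_Switch_Port
# 'addresses' column is filled for a port, and how that column decides where OVN
# delivers a frame, using the port1/port2 NIC-teaming scenario from the report.
# Port and subnet dicts below are constructed; field names mimic neutron's API.

def lsp_addresses(port, subnets, fixed=True):
    """Addresses ML2/OVN writes for `port`.

    port:    {'mac_address', 'fixed_ips': [{'subnet_id', 'ip_address'}], 'port_security_enabled'}
    subnets: {subnet_id: {'enable_dhcp': bool}}
    fixed:   False reproduces the pre-fix behaviour from the report.
    """
    mac_ip = " ".join([port["mac_address"]] + [ip["ip_address"] for ip in port["fixed_ips"]])
    if port["port_security_enabled"]:
        # Port security pins the port to its own MAC/IP pair (assumption: allowed
        # address pairs, which the real driver also adds, are omitted here).
        return [mac_ip]
    dhcp_on_port = any(subnets[ip["subnet_id"]]["enable_dhcp"] for ip in port["fixed_ips"])
    if fixed and not dhcp_on_port:
        # Nothing needs the pair (no native DHCP flows, no port security), so only
        # "unknown" is written and OVN falls back to MAC learning for this port.
        return ["unknown"]
    # Pre-fix, or DHCP is enabled and the pair is kept so OVN can serve DHCP natively.
    return [mac_ip, "unknown"]


def deliver(dmac, lsp_addrs, fdb):
    """Ports a frame with destination MAC `dmac` reaches, per the report's rules.

    lsp_addrs: {port_name: addresses list}; fdb: {mac: port_name} learned from traffic.
    A MAC listed statically in some port's addresses is delivered to that port
    regardless of what was learned; otherwise the learned port is used; otherwise
    the frame is flooded to every port carrying "unknown".
    """
    dmac = dmac.lower()
    pinned = [name for name, addrs in lsp_addrs.items()
              if any(a != "unknown" and a.split()[0].lower() == dmac for a in addrs)]
    if pinned:
        return pinned
    if dmac in fdb:
        return [fdb[dmac]]
    return sorted(name for name, addrs in lsp_addrs.items() if "unknown" in addrs)


# Constructed data: one --no-dhcp subnet and two ports with port security disabled,
# i.e. the NIC-teaming case where both ports may send with port1's MAC.
SUBNETS = {"subnet1": {"enable_dhcp": False}}
MAC1, MAC2 = "fa:16:3e:00:00:01", "fa:16:3e:00:00:02"
PORT1 = {"mac_address": MAC1, "port_security_enabled": False,
         "fixed_ips": [{"subnet_id": "subnet1", "ip_address": "10.10.10.11"}]}
PORT2 = {"mac_address": MAC2, "port_security_enabled": False,
         "fixed_ips": [{"subnet_id": "subnet1", "ip_address": "10.10.10.12"}]}


def return_path(fixed):
    """Where a reply with dmac=MAC1 lands after port2 sent with smac=MAC1."""
    addrs = {"net1-port1": lsp_addresses(PORT1, SUBNETS, fixed),
             "net1-port2": lsp_addresses(PORT2, SUBNETS, fixed)}
    fdb = {MAC1: "net1-port2"}  # what MAC learning records from port2's outbound traffic
    return deliver(MAC1, addrs, fdb)


if __name__ == "__main__":
    print("pre-fix :", return_path(fixed=False))  # ['net1-port1']  (wrong port)
    print("post-fix:", return_path(fixed=True))   # ['net1-port2']  (learned location)
```

With port security enabled the pair stays pinned in both models, which is the intended behaviour: clearing the static MAC-IP is only safe when no port security policy depends on it and no native DHCP flow needs it.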

Comment 9 Elvira 2021-04-15 08:57:22 UTC
Build available at: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1575419

Comment 15 Elvira 2021-04-22 16:53:35 UTC
There is a build with the fix available at brew: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1585485

Comment 16 Matt Flusche 2021-04-26 20:06:48 UTC
Thanks Elvira,

After upgrading to this build it looks good now! thanks for all the work on this one!


[root@overcloud-controller-0 ~]# podman exec -ti neutron_api rpm -q python3-networking-ovn
python3-networking-ovn-7.3.1-1.20210422143234.4e24f4c.el8ost.noarch

$ openstack network create net1
$ openstack subnet create  --subnet-range 10.10.10.0/24 --network net1 --no-dhcp subnet1


$ source overcloudrc
$ openstack port create --disable-port-security --no-security-group --network net1 net1-port1
$ openstack port create --disable-port-security --no-security-group --network net1 net1-port2

$ openstack server add port rhel1 net1-port1
$ openstack server add port rhel1 net1-port2


# ovn-nbctl show |grep -A1 net1-port1
    port 98c905bb-04fb-4101-82f0-67629d1d4bb0 (aka net1-port1)
        addresses: ["unknown"]

# ovn-nbctl show |grep -A1 net1-port2
    port 1137ac4c-0bd7-45da-bb08-1aaad4a990e0 (aka net1-port2)
        addresses: ["unknown"]


# ovn-sbctl list fdb
_uuid               : e97c6301-3893-48b2-95b6-8f752609a844
dp_key              : 2
mac                 : "fa:16:3e:01:41:ff"
port_key            : 3

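A small check over the `ovn-nbctl show` output format used in the verification above, as an added example (not networking-ovn's or OVN's code): it parses the `port <uuid> (aka NAME)` / `addresses: [...]` pairs and lists every port whose addresses still contain anything other than "unknown". The sample output is constructed (placeholder UUIDs and a made-up MAC/IP); on a no-DHCP network whose ports have port security disabled, the expected result after the fix is an empty list. Entries such as "router" on router ports would also be reported, so restrict the output to the network under test.

```python
# Added example (not networking-ovn or OVN code): parse `ovn-nbctl show` and report
# ports that still carry a static MAC-IP pair. SAMPLE is constructed output.
import re

_PORT_RE = re.compile(r"^\s*port\s+\S+\s+\(aka\s+(\S+)\)\s*$")
_ADDR_RE = re.compile(r"^\s*addresses:\s*\[(.*)\]\s*$")


def parse_nbctl_show(text):
    """Map port name -> addresses list from ovn-nbctl show output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = _PORT_RE.match(line)
        if m:
            current = m.group(1)
            ports[current] = []
            continue
        m = _ADDR_RE.match(line)
        if m and current is not None:
            # Entries are comma-separated quoted strings; a "MAC IP1 IP2" pair is one entry.
            ports[current] = [a.strip().strip('"') for a in m.group(1).split(",") if a.strip()]
    return ports


def pinned_ports(ports):
    """Names of ports whose addresses contain anything other than 'unknown'."""
    return sorted(n for n, addrs in ports.items() if any(a != "unknown" for a in addrs))


# Constructed sample: net1-port1 already cleared, net1-port2 still pinned (pre-fix state).
SAMPLE = """\
switch 11111111-1111-1111-1111-111111111111 (neutron-net1-placeholder)
    port 22222222-2222-2222-2222-222222222222 (aka net1-port1)
        addresses: ["unknown"]
    port 33333333-3333-3333-3333-333333333333 (aka net1-port2)
        addresses: ["fa:16:3e:00:00:02 10.10.10.12", "unknown"]
"""

if __name__ == "__main__":
    print(pinned_ports(parse_nbctl_show(SAMPLE)))  # ['net1-port2']
```
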
Comment 17 Elvira 2021-04-27 08:44:02 UTC
Hi Matt,

Nice to know!!
Thanks to you for your patience.

Looks good!

Comment 18 Elvira 2021-04-28 09:53:22 UTC
Changed to z7 since z6 is now only accepting blockers.

Comment 33 Eran Kuris 2021-11-03 12:36:28 UTC
verified: 
overcloud) [stack@undercloud-0 tmp]$ cat ~/core_puddle_version 
RHOS-16.1-RHEL-8-20211007.n.1
[root@controller-1 ~]# podman exec -it neutron_api /bin/bash
()[neutron@controller-1 /]$ rpm -qa | grep  ovn
puppet-ovn-15.4.1-1.20210528102649.192ac4e.el8ost.noarch
python3-networking-ovn-7.3.1-1.20210714143309.el8ost.noarch
[root@controller-1 ~]# sudo podman exec -it ovn-dbs-bundle-podman-1 /bin/bash 
()[root@controller-1 /]# ovn-nbctl show |grep -A1 net1-port1
    port 548f16c7-c86b-4cac-a6d7-bb4eb97437c8 (aka net1-port1)
        addresses: ["unknown"]
()[root@controller-1 /]# ovn-nbctl show |grep -A1 net1-port2
    port 0c608c07-a796-41b1-816c-3a18c610d01e (aka net1-port2)
        addresses: ["unknown"]

Comment 41 errata-xmlrpc 2021-12-09 20:17:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.7 (Train) bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3762

