Merge "Allow disable stateful security group extension on older OVN"
This commit is contained in:
commit
147103e07b
|
@ -213,6 +213,13 @@ ovn_opts = [
|
|||
'(VNIC type "baremetal"). This alllow operators to '
|
||||
'plug their own DHCP server of choice for PXE booting '
|
||||
'baremetal nodes. Defaults to False.')),
|
||||
cfg.BoolOpt('allow_stateless_action_supported',
|
||||
default=True,
|
||||
help=_('If OVN older than 21.06 is used together with '
|
||||
'Neutron, this option should be set to ``False`` in '
|
||||
'order to disable ``stateful-security-group`` API '
|
||||
'extension as ``allow-stateless`` keyword is only '
|
||||
'supported by OVN >= 21.06.')),
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -27,6 +27,7 @@ import uuid
|
|||
from neutron_lib.api.definitions import portbindings
|
||||
from neutron_lib.api.definitions import provider_net
|
||||
from neutron_lib.api.definitions import segment as segment_def
|
||||
from neutron_lib.api.definitions import stateful_security_group
|
||||
from neutron_lib.callbacks import events
|
||||
from neutron_lib.callbacks import registry
|
||||
from neutron_lib.callbacks import resources
|
||||
|
@ -227,7 +228,10 @@ class OVNMechanismDriver(api.MechanismDriver):
|
|||
return portbindings.CONNECTIVITY_L2
|
||||
|
||||
def supported_extensions(self, extensions):
|
||||
return set(ovn_extensions.ML2_SUPPORTED_API_EXTENSIONS) & extensions
|
||||
supported_extensions = set(ovn_extensions.ML2_SUPPORTED_API_EXTENSIONS)
|
||||
if not cfg.CONF.ovn.allow_stateless_action_supported:
|
||||
supported_extensions.discard(stateful_security_group.ALIAS)
|
||||
return set(supported_extensions) & extensions
|
||||
|
||||
@staticmethod
|
||||
def provider_network_attribute_updates_supported():
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
other:
|
||||
- |
|
||||
OVN mechanism driver has now got config option
|
||||
``allow_stateless_action_supported`` which allows manually disable
|
||||
``stateful-security-group`` API extension in case when OVN older than 21.06
|
||||
is used because support for ``allow-stateful`` action in OVN's ACL was
|
||||
added in OVN 21.06.
|
||||
By default this option is set to ``True`` so ``stateful-security-group``
|
||||
API extension is enabled.
|
||||
If this option is set to ``True`` and OVN < 21.06 is used, Neutron will
|
||||
fallback to the statefull ACLs even if SG is set to be stateless in Neutron
|
||||
database.
|
Loading…
Reference in New Issue