Merge "Allow disable stateful security group extension on older OVN"

Zuul 2023-02-05 23:22:44 +00:00 committed by Gerrit Code Review
commit 147103e07b
3 changed files with 25 additions and 1 deletions


@ -213,6 +213,13 @@ ovn_opts = [
'(VNIC type "baremetal"). This alllow operators to '
'plug their own DHCP server of choice for PXE booting '
'baremetal nodes. Defaults to False.')),
cfg.BoolOpt('allow_stateless_action_supported',
default=True,
help=_('If OVN older than 21.06 is used together with '
'Neutron, this option should be set to ``False`` in '
'order to disable ``stateful-security-group`` API '
'extension as ``allow-stateless`` keyword is only '
'supported by OVN >= 21.06.')),
]
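Review bot: The help text for `allow_stateless_action_supported` does not say what happens when the default `True` is left in place on OVN older than 21.06. According to the release note in this same commit, Neutron then falls back to stateful ACLs even for security groups stored as stateless, so the API reports a policy that is not the one being enforced. I would add that consequence to the help string, for example `'If left at ``True`` on older OVN, stateless security groups are enforced as stateful ACLs.'`. The help text also names the keyword `allow-stateless` while the release note says `allow-stateful`; one of the two should be corrected so operators look for the right term.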


@ -27,6 +27,7 @@ import uuid
from neutron_lib.api.definitions import portbindings
from neutron_lib.api.definitions import provider_net
from neutron_lib.api.definitions import segment as segment_def
from neutron_lib.api.definitions import stateful_security_group
from neutron_lib.callbacks import events
from neutron_lib.callbacks import registry
from neutron_lib.callbacks import resources
@ -227,7 +228,10 @@ class OVNMechanismDriver(api.MechanismDriver):
return portbindings.CONNECTIVITY_L2
def supported_extensions(self, extensions):
return set(ovn_extensions.ML2_SUPPORTED_API_EXTENSIONS) & extensions
supported_extensions = set(ovn_extensions.ML2_SUPPORTED_API_EXTENSIONS)
if not cfg.CONF.ovn.allow_stateless_action_supported:
supported_extensions.discard(stateful_security_group.ALIAS)
return set(supported_extensions) & extensions
@staticmethod
def provider_network_attribute_updates_supported():
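Review bot: In `supported_extensions`, the new local variable has the same name as the method, and the final `set(supported_extensions)` copies a value that is already a fresh set; `supported = set(ovn_extensions.ML2_SUPPORTED_API_EXTENSIONS)` and `return supported & extensions` would read more clearly. The reason for discarding the alias is not recorded in the code, so a comment such as `# Hide stateful-security-group when the operator declares an OVN without the allow-stateless ACL action.` would help. None of the three changed files appears to be a test, so the `False` branch looks uncovered by this commit. The class body continues outside the hunk.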


@ -0,0 +1,13 @@
---
other:
- |
OVN mechanism driver has now got config option
``allow_stateless_action_supported`` which allows manually disable
``stateful-security-group`` API extension in case when OVN older than 21.06
is used because support for ``allow-stateful`` action in OVN's ACL was
added in OVN 21.06.
By default this option is set to ``True`` so ``stateful-security-group``
API extension is enabled.
If this option is set to ``True`` and OVN < 21.06 is used, Neutron will
fallback to the statefull ACLs even if SG is set to be stateless in Neutron
database.