openstack/neutron
Code Issues Proposed changes

Merge "[OVN] Check if OVN NB supports stateless NAT rules"

Browse Source
This commit is contained in:
Zuul 2022-01-13 15:38:45 +00:00 committed by Gerrit Code Review
commit 5730eae0e9
6 changed files with 39 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
neutron/cmd/sanity/checks.py
View File

@ -51,6 +51,7 @@ DIRECT_PORT_QOS_MIN_OVS_VERSION = '2.11'
MINIMUM_DIBBLER_VERSION = '1.0.1'
CONNTRACK_GRE_MODULE = 'nf_conntrack_proto_gre'
OVN_NB_DB_SCHEMA_PORT_GROUP = '5.11'
OVN_NB_DB_SCHEMA_STATELESS_NAT = '5.17'
class OVNCheckType(enum.Enum):
@ -597,3 +598,17 @@ def ovn_nb_db_schema_port_group_supported():
'Exception: %s', e)
return False
return True
def ovn_nb_db_schema_stateless_nat_supported():
try:
ver = _get_ovn_version(OVNCheckType.nb_db_schema)
minver = versionutils.convert_version_to_tuple(
OVN_NB_DB_SCHEMA_STATELESS_NAT)
if ver < minver:
return False
except (OSError, RuntimeError, ValueError) as e:
LOG.debug('Exception while checking OVN DB schema version. '
'Exception: %s', e)
return False
return True

13
neutron/cmd/sanity_check.py
View File

@ -311,6 +311,14 @@ def check_ovn_nb_db_schema_port_group_support():
return result
def check_ovn_nb_db_schema_stateless_nat():
result = checks.ovn_nb_db_schema_stateless_nat_supported()
if not result:
LOG.warning('OVN NB DB schema does not support stateless NAT. This '
'support was added in DB schema version 5.17.')
return result
# Define CLI opts to test specific features, with a callback for the test
OPTS = [
BoolOptCallback('ovs_vxlan', check_ovs_vxlan, default=False,
@ -379,6 +387,10 @@ OPTS = [
check_ovn_nb_db_schema_port_group_support,
help=_('Check OVN NB DB schema support Port_Group'),
default=False),
BoolOptCallback('ovn_nb_db_schema_stateless_nat_support',
check_ovn_nb_db_schema_stateless_nat,
help=_('Check OVN NB DB schema support stateless NAT'),
default=False),
]
@ -427,6 +439,7 @@ def enable_tests_from_config():
cfg.CONF.set_default('check_min_tx_rate_support', True)
if 'ovn' in cfg.CONF.ml2.mechanism_drivers:
cfg.CONF.set_default('ovn_nb_db_schema_port_group_support', True)
cfg.CONF.set_default('ovn_nb_db_schema_stateless_nat_support', True)
def all_tests_passed():

3
neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py
View File

@ -283,9 +283,6 @@ class DBInconsistenciesPeriodics(SchemaAwarePeriodicsBase):
@rerun_on_schema_updates
def migrate_to_stateless_fips(self):
"""Perform the migration from stateful to stateless Floating IPs. """
if not self._ovn_client.is_stateless_nat_supported():
raise periodics.NeverAgain()
# Only the worker holding a valid lock within OVSDB will perform the
# migration.
if not self.has_lock:

9
neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
View File

@ -119,10 +119,6 @@ class OVNClient(object):
return self._nb_idl.is_col_supports_value('ACL', 'action',
'allow-stateless')
# TODO(ihrachys) remove when min OVN version >= 20.03
def is_stateless_nat_supported(self):
return self._nb_idl.is_col_present('NAT', 'options')
def _get_allowed_addresses_from_port(self, port):
if not port.get(psec.PORTSECURITY):
return [], []
@ -747,9 +743,8 @@ class OVNClient(object):
'logical_ip': floatingip['fixed_ip_address'],
'external_ip': floatingip['floating_ip_address'],
'logical_port': floatingip['port_id'],
'external_ids': ext_ids}
if self.is_stateless_nat_supported():
columns['options'] = {'stateless': 'true'}
'external_ids': ext_ids,
'options': {'stateless': 'true'}}
if ovn_conf.is_ovn_distributed_floating_ip():
if self._nb_idl.lsp_get_up(floatingip['port_id']).execute():

17
neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/ovsdb/test_maintenance.py
View File

@ -140,9 +140,7 @@ class TestDBInconsistenciesPeriodics(testlib_api.SqlTestCaseLight,
never_again=False)
def _test_migrate_to_stateless_fips_helper(
self, stateless_supported, migration_expected, never_again):
self.fake_ovn_client.is_stateless_nat_supported.return_value = (
stateless_supported)
self, migration_expected, never_again):
with mock.patch.object(ovn_db_sync.OvnNbSynchronizer,
'migrate_to_stateless_fips') as mtsf:
if never_again:
@ -156,17 +154,11 @@ class TestDBInconsistenciesPeriodics(testlib_api.SqlTestCaseLight,
else:
mtsf.assert_not_called()
def test_migrate_to_stateless_fips_not_needed(self):
self._test_migrate_to_stateless_fips_helper(
stateless_supported=False, migration_expected=False,
never_again=True)
def test_migrate_to_stateless_fips(self):
# Check normal migration path: if the migration has to be done, it will
# take place and won't be attempted in the future.
self._test_migrate_to_stateless_fips_helper(stateless_supported=True,
migration_expected=True,
never_again=True)
self._test_migrate_to_stateless_fips_helper(migration_expected=True,
never_again=True)
def test_migrate_to_stateless_fips_no_lock(self):
with mock.patch.object(maintenance.DBInconsistenciesPeriodics,
@ -175,8 +167,7 @@ class TestDBInconsistenciesPeriodics(testlib_api.SqlTestCaseLight,
# Check that if this worker doesn't have the lock, it won't
# perform the migration and it will try again later.
self._test_migrate_to_stateless_fips_helper(
stateless_supported=True, migration_expected=False,
never_again=False)
migration_expected=False, never_again=False)
def _test_fix_create_update_network(self, ovn_rev, neutron_rev):
with db_api.CONTEXT_WRITER.using(self.ctx):

5
releasenotes/notes/ovn-support-stateless-sg-mandatory-bdeb1bc626decc51.yaml Normal file
View File

@ -0,0 +1,5 @@
---
features:
- |
Since this version, the support for stateless security groups is mandatory.
The minimum OVN NB schema version must be 5.17.