From ce1a87057a12c4f27bb4eb2d2a6f2b29d2709d65 Mon Sep 17 00:00:00 2001 From: Rodolfo Alonso Hernandez Date: Tue, 2 Nov 2021 17:10:20 +0000 Subject: [PATCH] [OVN] Check if OVN NB supports stateless NAT rules Added a check for OVN NB schema, looking for "options" field in "NAT" table (added in OVN NB schema 5.17). This patch removes the code to support OVN without stateless NAT rules. It is assumed that "options" field in "NAT" table is always present. Closes-Bug: #1949494 Change-Id: Ib3b6dd68009ab635627168b11626d7e7c548ee2f --- neutron/cmd/sanity/checks.py | 15 +++++++++++++++ neutron/cmd/sanity_check.py | 13 +++++++++++++ .../ovn/mech_driver/ovsdb/maintenance.py | 3 --- .../drivers/ovn/mech_driver/ovsdb/ovn_client.py | 9 ++------- .../ovn/mech_driver/ovsdb/test_maintenance.py | 17 ++++------------- ...stateless-sg-mandatory-bdeb1bc626decc51.yaml | 5 +++++ 6 files changed, 39 insertions(+), 23 deletions(-) create mode 100644 releasenotes/notes/ovn-support-stateless-sg-mandatory-bdeb1bc626decc51.yaml diff --git a/neutron/cmd/sanity/checks.py b/neutron/cmd/sanity/checks.py index e7b572d9a24..768414493ac 100644 --- a/neutron/cmd/sanity/checks.py +++ b/neutron/cmd/sanity/checks.py @@ -51,6 +51,7 @@ DIRECT_PORT_QOS_MIN_OVS_VERSION = '2.11' MINIMUM_DIBBLER_VERSION = '1.0.1' CONNTRACK_GRE_MODULE = 'nf_conntrack_proto_gre' OVN_NB_DB_SCHEMA_PORT_GROUP = '5.11' +OVN_NB_DB_SCHEMA_STATELESS_NAT = '5.17' class OVNCheckType(enum.Enum): @@ -597,3 +598,17 @@ def ovn_nb_db_schema_port_group_supported(): 'Exception: %s', e) return False return True + + +def ovn_nb_db_schema_stateless_nat_supported(): + try: + ver = _get_ovn_version(OVNCheckType.nb_db_schema) + minver = versionutils.convert_version_to_tuple( + OVN_NB_DB_SCHEMA_STATELESS_NAT) + if ver < minver: + return False + except (OSError, RuntimeError, ValueError) as e: + LOG.debug('Exception while checking OVN DB schema version. ' + 'Exception: %s', e) + return False + return True 
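Review bot: In `ovn_nb_db_schema_stateless_nat_supported`, a failure to read the schema version (the `except (OSError, RuntimeError, ValueError)` branch) returns False and is logged only at debug level, so the caller's warning will say the schema "does not support stateless NAT" when the version simply could not be determined. Because this commit makes the 5.17 schema mandatory, an operator needs to tell those two cases apart; consider logging the failure at warning level, e.g. `LOG.warning('Could not determine OVN NB DB schema version: %s', e)`. The function also has no docstring; something like `"""Return True if the OVN NB DB schema is >= 5.17 (NAT "options" column)."""` would do. The body appears to mirror `ovn_nb_db_schema_port_group_supported`, of which only the tail is visible as context, so a shared private helper taking the minimum version would avoid the copy.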
diff --git a/neutron/cmd/sanity_check.py b/neutron/cmd/sanity_check.py index ccebedf9462..601c01be83d 100644 --- a/neutron/cmd/sanity_check.py +++ b/neutron/cmd/sanity_check.py @@ -311,6 +311,14 @@ def check_ovn_nb_db_schema_port_group_support(): return result +def check_ovn_nb_db_schema_stateless_nat(): + result = checks.ovn_nb_db_schema_stateless_nat_supported() + if not result: + LOG.warning('OVN NB DB schema does not support stateless NAT. This ' + 'support was added in DB schema version 5.17.') + return result + + # Define CLI opts to test specific features, with a callback for the test OPTS = [ BoolOptCallback('ovs_vxlan', check_ovs_vxlan, default=False, @@ -379,6 +387,10 @@ OPTS = [ check_ovn_nb_db_schema_port_group_support, help=_('Check OVN NB DB schema support Port_Group'), default=False), + BoolOptCallback('ovn_nb_db_schema_stateless_nat_support', + check_ovn_nb_db_schema_stateless_nat, + help=_('Check OVN NB DB schema support stateless NAT'), + default=False), ] @@ -427,6 +439,7 @@ def enable_tests_from_config(): cfg.CONF.set_default('check_min_tx_rate_support', True) if 'ovn' in cfg.CONF.ml2.mechanism_drivers: cfg.CONF.set_default('ovn_nb_db_schema_port_group_support', True) + cfg.CONF.set_default('ovn_nb_db_schema_stateless_nat_support', True) def all_tests_passed(): diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py index f36b176954a..3c11cbd298f 100644 --- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py +++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py 
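Review bot: The warning in `check_ovn_nb_db_schema_stateless_nat` hard-codes "5.17" and still words stateless NAT as an optional feature, although this commit makes it mandatory. Take the version from the constant so the text cannot drift from the check, and state the consequence, e.g. `LOG.warning('OVN NB DB schema does not support stateless NAT, which is now required; minimum DB schema version is %s.', checks.OVN_NB_DB_SCHEMA_STATELESS_NAT)`. The function has no docstring; a one-liner such as `"""Warn and return False if the OVN NB schema lacks stateless NAT support."""` would match what the visible lines do.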
@@ -283,9 +283,6 @@ class DBInconsistenciesPeriodics(SchemaAwarePeriodicsBase): @rerun_on_schema_updates def migrate_to_stateless_fips(self): """Perform the migration from stateful to stateless Floating IPs. """ - if not self._ovn_client.is_stateless_nat_supported(): - raise periodics.NeverAgain() - # Only the worker holding a valid lock within OVSDB will perform the # migration. if not self.has_lock: diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py index 71d832d18fa..9a0cf37c532 100644 --- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py +++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py @@ -117,10 +117,6 @@ class OVNClient(object): return self._nb_idl.is_col_supports_value('ACL', 'action', 'allow-stateless') - # TODO(ihrachys) remove when min OVN version >= 20.03 - def is_stateless_nat_supported(self): - return self._nb_idl.is_col_present('NAT', 'options') - def _get_allowed_addresses_from_port(self, port): if not port.get(psec.PORTSECURITY): return [], [] @@ -745,9 +741,8 @@ class OVNClient(object): 'logical_ip': floatingip['fixed_ip_address'], 'external_ip': floatingip['floating_ip_address'], 'logical_port': floatingip['port_id'], - 'external_ids': ext_ids} - if self.is_stateless_nat_supported(): - columns['options'] = {'stateless': 'true'} + 'external_ids': ext_ids, + 'options': {'stateless': 'true'}} if ovn_conf.is_ovn_distributed_floating_ip(): if self._nb_idl.lsp_get_up(floatingip['port_id']).execute(): diff --git a/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/ovsdb/test_maintenance.py b/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/ovsdb/test_maintenance.py index 9e5055cace6..8a09300e39d 100644 --- a/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/ovsdb/test_maintenance.py +++ b/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/ovsdb/test_maintenance.py 
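Review bot: With `'options': {'stateless': 'true'}` now set unconditionally in the floating IP NAT columns and `is_stateless_nat_supported()` removed, nothing on the runtime path verifies that the NB schema has the NAT "options" column. The only remaining guard is the opt-in sanity check added in this commit, so on a schema older than 5.17 the failure would presumably surface only when a floating IP is created (the write path is outside this hunk, so that is inferred). Consider a fail-fast schema check when the driver connects to the NB database, and at minimum a comment on the dict such as `# 'options' needs OVN NB schema >= 5.17; checked by the ovn_nb_db_schema_stateless_nat_support sanity check`. The same applies to the maintenance.py hunk above, which drops the matching guard from `migrate_to_stateless_fips`. The enclosing method starts and ends outside the hunk.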
@@ -140,9 +140,7 @@ class TestDBInconsistenciesPeriodics(testlib_api.SqlTestCaseLight, never_again=False) def _test_migrate_to_stateless_fips_helper( - self, stateless_supported, migration_expected, never_again): - self.fake_ovn_client.is_stateless_nat_supported.return_value = ( - stateless_supported) + self, migration_expected, never_again): with mock.patch.object(ovn_db_sync.OvnNbSynchronizer, 'migrate_to_stateless_fips') as mtsf: if never_again: @@ -156,17 +154,11 @@ class TestDBInconsistenciesPeriodics(testlib_api.SqlTestCaseLight, else: mtsf.assert_not_called() - def test_migrate_to_stateless_fips_not_needed(self): - self._test_migrate_to_stateless_fips_helper( - stateless_supported=False, migration_expected=False, - never_again=True) - def test_migrate_to_stateless_fips(self): # Check normal migration path: if the migration has to be done, it will # take place and won't be attempted in the future. - self._test_migrate_to_stateless_fips_helper(stateless_supported=True, - migration_expected=True, - never_again=True) + self._test_migrate_to_stateless_fips_helper(migration_expected=True, + never_again=True) def test_migrate_to_stateless_fips_no_lock(self): with mock.patch.object(maintenance.DBInconsistenciesPeriodics, @@ -175,8 +167,7 @@ class TestDBInconsistenciesPeriodics(testlib_api.SqlTestCaseLight, # Check that if this worker doesn't have the lock, it won't # perform the migration and it will try again later. self._test_migrate_to_stateless_fips_helper( - stateless_supported=True, migration_expected=False, - never_again=False) + migration_expected=False, never_again=False) def _test_fix_create_update_network(self, ovn_rev, neutron_rev): with db_api.CONTEXT_WRITER.using(self.ctx): diff --git a/releasenotes/notes/ovn-support-stateless-sg-mandatory-bdeb1bc626decc51.yaml b/releasenotes/notes/ovn-support-stateless-sg-mandatory-bdeb1bc626decc51.yaml new file mode 100644 index 00000000000..acabe80dfdf --- /dev/null 
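Review bot: The diffstat lists test_maintenance.py as the only test file touched, so the new `ovn_nb_db_schema_stateless_nat_supported` check and the now-unconditional `options` entry in the floating IP NAT columns appear to have no unit test. It would be worth adding cases for a schema version below, equal to and above 5.17 plus the exception branch, and an assertion that the NAT columns always carry `{'stateless': 'true'}`. The body of `_test_migrate_to_stateless_fips_helper` is only partly visible between the two hunks, so this note does not cover the lines in between.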
+++ b/releasenotes/notes/ovn-support-stateless-sg-mandatory-bdeb1bc626decc51.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Since this version, the support for stateless security groups is mandatory.
+ The minimum OVN NB schema version must be 5.17.