From 7cb481a3dc090d0ebd33a0ef577ae40e13291f5c Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Fri, 27 Jan 2023 11:52:45 +0100
Subject: [PATCH] Allow disable stateful security group extension on older OVN

This patch adds config option to let cloud operator to disable 'stateful-security-group' API extension if OVN < 21.06 is used. This is the case e.g. on Ubuntu 20.04 where OVN 20.03 is provided. In case when API extension is enabled and OVN < 21.06 is used, Neutron will fallback to stateful ACLs even for stateless security groups which may be confusing for Neutron API users.

This needs to be done with config option and not by checking automatically in OVN if "allow-stateless" is supported keyword for ACL's action because it needs to be done during initialization of plugin, where IDL isn't initialized yet and it would cause deadlock when Neutron would try to connect to the OVN NB.

Closes-Bug: #2003999
Change-Id: I62e77dad2782e9c546745e860fda7622a8281739
---
 neutron/conf/plugins/ml2/drivers/ovn/ovn_conf.py | 7 +++++++
 .../ml2/drivers/ovn/mech_driver/mech_driver.py | 6 +++++-
 ...-stateless-security-groups-241533231a3ed9e7.yaml | 13 +++++++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/ovn-config-option-to-disable-stateless-security-groups-241533231a3ed9e7.yaml
diff --git a/neutron/conf/plugins/ml2/drivers/ovn/ovn_conf.py b/neutron/conf/plugins/ml2/drivers/ovn/ovn_conf.py
index 00d3640eb75..40f4e0315cb 100644
--- a/neutron/conf/plugins/ml2/drivers/ovn/ovn_conf.py
+++ b/neutron/conf/plugins/ml2/drivers/ovn/ovn_conf.py
@@ -213,6 +213,13 @@ ovn_opts = [
                     '(VNIC type "baremetal"). This alllow operators to '
                     'plug their own DHCP server of choice for PXE booting '
                     'baremetal nodes. Defaults to False.')),
+    cfg.BoolOpt('allow_stateless_action_supported',
+                default=True,
+                help=_('If OVN older than 21.06 is used together with '
+                       'Neutron, this option should be set to ``False`` in '
+                       'order to disable ``stateful-security-group`` API '
+                       'extension as ``allow-stateless`` keyword is only '
+                       'supported by OVN >= 21.06.')),
 ]
diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/mech_driver.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/mech_driver.py
index 02778bae34e..ef16d06227d 100644
--- a/neutron/plugins/ml2/drivers/ovn/mech_driver/mech_driver.py
+++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/mech_driver.py
@@ -27,6 +27,7 @@ import uuid
 from neutron_lib.api.definitions import portbindings
 from neutron_lib.api.definitions import provider_net
 from neutron_lib.api.definitions import segment as segment_def
+from neutron_lib.api.definitions import stateful_security_group
 from neutron_lib.callbacks import events
 from neutron_lib.callbacks import registry
 from neutron_lib.callbacks import resources
@@ -227,7 +228,10 @@ class OVNMechanismDriver(api.MechanismDriver):
         return portbindings.CONNECTIVITY_L2
     def supported_extensions(self, extensions):
-        return set(ovn_extensions.ML2_SUPPORTED_API_EXTENSIONS) & extensions
+        supported_extensions = set(ovn_extensions.ML2_SUPPORTED_API_EXTENSIONS)
+        if not cfg.CONF.ovn.allow_stateless_action_supported:
+            supported_extensions.discard(stateful_security_group.ALIAS)
+        return set(supported_extensions) & extensions
     @staticmethod
     def provider_network_attribute_updates_supported():
diff --git a/releasenotes/notes/ovn-config-option-to-disable-stateless-security-groups-241533231a3ed9e7.yaml b/releasenotes/notes/ovn-config-option-to-disable-stateless-security-groups-241533231a3ed9e7.yaml
new file mode 100644
index 00000000000..9d6900f5b2c
--- /dev/null
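Review bot: The help text for `allow_stateless_action_supported` tells the operator what to set on OVN < 21.06 but not what the default `True` does there, and the commit message states the consequence is a silent fallback to stateful ACLs for security groups created as stateless; that mismatch between what the API accepts and what OVN enforces is exactly what an operator needs to see when deciding, and the help string is the only place it surfaces at runtime. I would append one more string to the help: `'With the default ``True`` on OVN < 21.06, security groups created as stateless are silently enforced with stateful ACLs.'` The option name reads like a capability flag that could be probed, so a short `# NOTE: cannot be auto-detected at plugin init, the NB IDL is not up yet` above the `cfg.BoolOpt` would save the next reader the trip to the commit log. The release note added in this same patch names the ACL action ``allow-stateful``, contradicting the ``allow-stateless`` used here; one of them is wrong.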
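Review bot: `return set(supported_extensions) & extensions` wraps a value that is already a set, so the `set()` call is redundant; `return supported_extensions & extensions` is cleaner and makes it obvious that the `discard` above mutates the same object being returned. `supported_extensions` has no docstring and is now the only place the new option takes effect, so it should say so, e.g. `"""Return the ML2 API extensions this driver supports; drops stateful-security-group when ovn.allow_stateless_action_supported is False."""`. Note that hiding the extension only affects new API requests; security groups already stored with stateful=False before the option is flipped presumably still reach the ACL code and take the stateful fallback the commit message describes, which deserves a comment if that is the intended behaviour. The surrounding class continues outside the hunk.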
+++ b/releasenotes/notes/ovn-config-option-to-disable-stateless-security-groups-241533231a3ed9e7.yaml
@@ -0,0 +1,13 @@
+---
+other:
+  - |
+    OVN mechanism driver has now got config option
+    ``allow_stateless_action_supported`` which allows manually disable
+    ``stateful-security-group`` API extension in case when OVN older than 21.06
+    is used because support for ``allow-stateful`` action in OVN's ACL was
+    added in OVN 21.06.
+    By default this option is set to ``True`` so ``stateful-security-group``
+    API extension is enabled.
+    If this option is set to ``True`` and OVN < 21.06 is used, Neutron will
+    fallback to the statefull ACLs even if SG is set to be stateless in Neutron
+    database.