[SR-IOV] Remove the security group RPC updates

The SR-IOV agent no longer receives the RPC updates for the security
groups events. The SR-IOV agent initially implemented the code needed
to build a firewall driver. This implementation included the RPC
registration to the security group events and the security group RPC
agent side, instantiating the class ``SecurityGroupAgentRpc``. All this
code has been removed.

The aim of this removal is to reduce the noise in the agent logs caused by
receiving security group event updates, which are not relevant for this
mechanism driver.

If a firewall driver for the SR-IOV mechanism driver is going to be
implemented (currently there are no plans for this), this code should be
restored.

Closes-Bug: #2119960
Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
Change-Id: I85b571bd10dc6dd8aff945566daecdf999912cb9
Rodolfo Alonso Hernandez
2025-08-25 08:44:00 +00:00
parent ca7e479342
commit e533560ff0
5 changed files with 24 additions and 27 deletions


@@ -354,9 +354,6 @@ Enable neutron-sriov-nic-agent (Compute)
.. code-block:: ini
[securitygroup]
firewall_driver = noop
[sriov_nic]
physical_device_mappings = physnet2:eth3
exclude_devices =
@@ -369,6 +366,10 @@ Enable neutron-sriov-nic-agent (Compute)
is connected to ``eth3`` and ``eth4``, then
``physnet2:eth3,physnet2:eth4`` is a valid option.
.. note::
The SR-IOV agent does not implement any kind of firewall driver.
The ``exclude_devices`` parameter is empty, therefore, all the VFs
associated with eth3 may be configured by the agent. To exclude specific
VFs, add them to the ``exclude_devices`` parameter as follows:


@@ -44,9 +44,12 @@ Agent manages Virtual Functions admin state. Quality of service is partially
implemented with the bandwidth limit and minimum bandwidth rules. In the future
it will manage additional settings, such as additional
quality of service rules, rate limit settings, spoofcheck and more.
Network node will be usually deployed with either Open vSwitch or Linux Bridge
Network node will be usually deployed with either ML2 Open vSwitch or ML2 OVN
to support network node functionality.
The SR-IOV network agent does not implement any port firewalling.
Further Reading
---------------


@@ -38,9 +38,7 @@ from neutron._i18n import _
from neutron.agent.common import utils
from neutron.agent.l2 import l2_agent_extensions_manager as ext_manager
from neutron.agent import rpc as agent_rpc
from neutron.agent import securitygroups_rpc as agent_sg_rpc
from neutron.api.rpc.callbacks import resources
from neutron.api.rpc.handlers import securitygroups_rpc as sg_rpc
from neutron.common import config as common_config
from neutron.common import profiler as setup_profiler
from neutron.common import utils as n_utils
@@ -56,7 +54,7 @@ from neutron.privileged.agent.linux import ip_lib as priv_ip_lib
LOG = logging.getLogger(__name__)
class SriovNicSwitchRpcCallbacks(sg_rpc.SecurityGroupAgentRpcCallbackMixin):
class SriovNicSwitchRpcCallbacks:
# Set RPC API version to 1.0 by default.
# history
@@ -66,14 +64,16 @@ class SriovNicSwitchRpcCallbacks(sg_rpc.SecurityGroupAgentRpcCallbackMixin):
# (works with NoopFirewallDriver)
# 1.4 Added support for network_update
# 1.5 Added support for binding_activate and binding_deactivate
# 1.6 Removed Security Group RPC; the SR-IOV agent no longer receives
# security group events. That must be reverted if a firewall is
# implemented.
target = oslo_messaging.Target(version='1.5')
target = oslo_messaging.Target(version='1.6')
def __init__(self, context, agent, sg_agent):
def __init__(self, context, agent):
super().__init__()
self.context = context
self.agent = agent
self.sg_agent = sg_agent
def port_update(self, context, **kwargs):
LOG.debug("port_update received")
@@ -176,9 +176,6 @@ class SriovNicSwitchAgent:
self.context = context.get_admin_context_without_session()
self.plugin_rpc = agent_rpc.PluginApi(topics.PLUGIN)
self.sg_plugin_rpc = sg_rpc.SecurityGroupServerRpcApi(topics.PLUGIN)
self.sg_agent = agent_sg_rpc.SecurityGroupAgentRpc(
self.context, self.sg_plugin_rpc)
self._setup_rpc()
self.ext_manager = self._create_agent_extension_manager(
self.connection)
@@ -230,14 +227,14 @@ class SriovNicSwitchAgent:
self.state_rpc = agent_rpc.PluginReportStateAPI(topics.REPORTS)
# RPC network init
# Handle updates from service
self.endpoints = [SriovNicSwitchRpcCallbacks(self.context, self,
self.sg_agent)]
self.endpoints = [SriovNicSwitchRpcCallbacks(self.context, self),
]
# Define the listening consumers for the agent
consumers = [[topics.PORT, topics.UPDATE],
[topics.NETWORK, topics.UPDATE],
[topics.SECURITY_GROUP, topics.UPDATE],
[topics.PORT_BINDING, topics.DEACTIVATE],
[topics.PORT_BINDING, topics.ACTIVATE]]
[topics.PORT_BINDING, topics.ACTIVATE],
]
self.connection = agent_rpc.create_consumers(self.endpoints,
self.topic,
consumers,
@@ -292,10 +289,6 @@ class SriovNicSwitchAgent:
resync_a = False
resync_b = False
self.sg_agent.prepare_devices_filter(device_info.get('added'))
if device_info.get('updated'):
self.sg_agent.refresh_firewall()
# Updated devices are processed the same as new ones, as their
# admin_state_up may have changed. The set union prevents duplicating
# work when a device is new and updated in the same polling iteration.
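Review bot: With the `sg_agent` setup removed from `SriovNicSwitchAgent.__init__` (the `@@ -176` hunk), nothing at runtime tells an operator that security groups bound to SR-IOV ports are not enforced by this agent; only the documentation notes say so. A single startup line would make that visible in the agent log without bringing back the per-event noise, for example `LOG.info("SR-IOV agent: no firewall driver is implemented; security group rules are not applied to VF ports")` next to the `self._setup_rpc()` call. If `[securitygroup] firewall_driver` is still registered for this agent (not visible here), a non-`noop` value is worth a warning, since it would presumably now be ignored silently. `__init__` starts and ends outside the hunk.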


@@ -217,15 +217,11 @@ class TestSriovAgent(base.BaseTestCase):
'added': {DEV3, DEV4},
'updated': {DEV2, DEV3},
'removed': {DEV1}}
agent.sg_agent.prepare_devices_filter = mock.Mock()
agent.sg_agent.refresh_firewall = mock.Mock()
agent.treat_devices_added_updated = mock.Mock(return_value=False)
agent.treat_devices_removed = mock.Mock(return_value=False)
agent.process_network_devices(device_info)
agent.sg_agent.prepare_devices_filter.assert_called_with({DEV3, DEV4})
self.assertTrue(agent.sg_agent.refresh_firewall.called)
agent.treat_devices_added_updated.assert_called_with(
{DEV2, DEV3, DEV4})
agent.treat_devices_removed.assert_called_with({DEV1})
@@ -471,9 +467,8 @@ class TestSriovNicSwitchRpcCallbacks(base.BaseTestCase):
super().setUp()
self.context = object()
self.agent = FakeAgent()
sg_agent = object()
self.sriov_rpc_callback = sriov_nic_agent.SriovNicSwitchRpcCallbacks(
self.context, self.agent, sg_agent)
self.context, self.agent)
self.device_info = agent_rpc.DeviceInfo(DEVICE_MAC, PCI_SLOT)
def _create_fake_port(self):
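Review bot: The test changes only delete the `sg_agent` mocks and assertions; nothing visible pins the new behaviour, so a later change could re-add the `[topics.SECURITY_GROUP, topics.UPDATE]` consumer without a test failing. A small case in `TestSriovAgent` that patches `agent_rpc.create_consumers` and asserts that pair is absent from the `consumers` argument would cover it, and `TestSriovNicSwitchRpcCallbacks` could add `self.assertFalse(hasattr(self.sriov_rpc_callback, 'security_groups_rule_updated'))`. Both test classes continue outside the hunks shown, so an existing `_setup_rpc` test may already do part of this.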


@@ -0,0 +1,5 @@
---
other:
- |
The ML2 SR-IOV agent has removed the security group RPC events registration
and the firewall logic.