[OVN] Prevent binding a virtual type port

A LSP is type=virtual when its IP address is used by other ports as allowed address. If a LSP is type=virtual, this port cannot be bound (that means cannot be used as a port for a virtual machine). Closes-Bug: #2018529 Change-Id: I1943e6e0d7d8e255e95f93881cc3caec16ab67fe
2023-05-08 18:07:03 +02:00 · 2023-05-08 18:07:03 +02:00 · 68ecae5ff9
commit 68ecae5ff9
parent 2968e4523b
4 changed files with 56 additions and 2 deletions
--- a/neutron/common/ovn/utils.py
+++ b/neutron/common/ovn/utils.py
@ -1051,3 +1051,27 @@ def determine_bind_host(sb_idl, port, port_context=None):
            bp_info.bp_param[
                constants.VIF_DETAILS_CARD_SERIAL_NUMBER]).hostname
    return ''
 def validate_port_binding_and_virtual_port(
        port_context, nb_idl, sb_idl, ml2_plugin, port):
    """If the port is type=virtual and it is bound, raise BadRequest"""
    if not determine_bind_host(sb_idl, port, port_context=port_context):
        # The port is not bound, exit.
        return
    fixed_ips = port.get('fixed_ips', [])
    subnet_ids = set([fixed_ip['subnet_id'] for fixed_ip in fixed_ips
                      if 'subnet_id' in fixed_ip])
    if not subnet_ids:
        # If the port has no fixed_ips/subnets, it cannot be virtual.
        return
    subnets = ml2_plugin.get_subnets(port_context.plugin_context,
                                     filters={'id': list(subnet_ids)})
    port_type, _, _ = get_port_type_virtual_and_parents(
        subnets, fixed_ips, port['network_id'], port['id'], nb_idl)
    if port_type == constants.LSP_TYPE_VIRTUAL:
        raise n_exc.BadRequest(
            resource='port',
            msg='A virtual logical switch port cannot be bound to a host')
--- a/neutron/plugins/ml2/drivers/ovn/mech_driver/mech_driver.py
+++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/mech_driver.py
@ -818,6 +818,8 @@ class OVNMechanismDriver(api.MechanismDriver):
        self._validate_ignored_port(port, original_port)
        ovn_utils.validate_and_get_data_from_binding_profile(port)
        self._validate_port_extra_dhcp_opts(port)
        ovn_utils.validate_port_binding_and_virtual_port(
            context, self.nb_ovn, self.sb_ovn, self._plugin, port)
        if self._is_port_provisioning_required(port, context.host,
                                               context.original_host):
            self._insert_port_provisioning_block(context.plugin_context,
--- a/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py
+++ b/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py
@ -4345,7 +4345,7 @@ class TestOVNVVirtualPort(OVNMechanismDriverTestCase):
            self.fmt, name='net1', admin_state_up=True)['network']
        self.subnet = self._make_subnet(
            self.fmt, {'network': self.net},
-            '10.0.0.1', '10.0.0.0/24')['subnet']
+            '10.0.0.1', '10.0.0.0/24')
    @mock.patch.object(ovn_utils, 'determine_bind_host')
    def test_create_port_with_virtual_type_and_options(self, *args):
@ -4356,7 +4356,7 @@ class TestOVNVVirtualPort(OVNMechanismDriverTestCase):
                    'mac_address': '00:00:00:00:00:00',
                    'device_owner': device_owner,
                    'network_id': self.net['id'],
-                    'fixed_ips': [{'subnet_id': self.subnet['id'],
+                    'fixed_ips': [{'subnet_id': self.subnet['subnet']['id'],
                                   'ip_address': '10.0.0.55'}],
                    portbindings.PROFILE: {},
                    }
@ -4419,6 +4419,25 @@ class TestOVNVVirtualPort(OVNMechanismDriverTestCase):
        self.nb_idl.unset_lswitch_port_to_virtual_type.assert_called_once_with(
            virt_port['id'], parent['id'], if_exists=True)
    def test_update_port_bound(self):
        with self.port(subnet=self.subnet, is_admin=True) as port:
            port = port['port']
            updated_port = copy.deepcopy(port)
            updated_port[portbindings.HOST_ID] = 'host1'
            context = mock.Mock(current=updated_port, original=port)
            with mock.patch.object(self.mech_driver._plugin, 'get_subnets') \
                    as mock_get_subnets:
                mock_get_subnets.return_value = [self.subnet['subnet']]
                # 1) The port is not virtual, it has no parents.
                self.mock_vp_parents.return_value = ''
                self.mech_driver.update_port_precommit(context)
                # 2) The port (LSP) has parents, that means it is a virtual
                # port.
                self.mock_vp_parents.return_value = ['parent-0', 'parent-1']
                self.assertRaises(n_exc.BadRequest,
                                  self.mech_driver.update_port_precommit,
                                  context)
 class TestOVNAvailabilityZone(OVNMechanismDriverTestCase):
--- a/releasenotes/notes/ovn-virtual-port-prevent-binding-50efba5521e8a28e.yaml
+++ b/releasenotes/notes/ovn-virtual-port-prevent-binding-50efba5521e8a28e.yaml
@ -0,0 +1,9 @@
 ---
 other:
  - |
    A ML2/OVN virtual port cannot be bound to a virtual machine. If a port
    IP address is assigned as an allowed address pair into another port, the
    first one is considered a virtual port. If the second port (non-virtual)
    is bound to ML2/OVN, the virtual port cannot be bound to a virtual
    machine; a virtual port is created only to reserve a set of IP addresses
    to be used by other ports.