Allow disable stateful security group extension on older OVN

This patch adds config option to let cloud operator to disable 'stateful-security-group' API extension if OVN < 21.06 is used. This is the case e.g. on Ubuntu 20.04 where OVN 20.03 is provided. In case when API extension is enabled and OVN < 21.06 is used, Neutron will fallback to stateful ACLs even for stateless security groups which may be confusing for Neutron API users. This needs to be done with config option and not by checking automatically in OVN if "allow-stateless" is supported keyword for ACL's action because it needs to be done during initialization of plugin, where IDL isn't initialized yet and it would cause deadlock when Neutron would try to connect to the OVN NB. Closes-Bug: #2003999 Change-Id: I62e77dad2782e9c546745e860fda7622a8281739
2023-01-27 11:52:45 +01:00 · 2023-01-27 11:52:45 +01:00 · 7cb481a3dc
commit 7cb481a3dc
parent 06e2e22d31
3 changed files with 25 additions and 1 deletions
--- a/neutron/conf/plugins/ml2/drivers/ovn/ovn_conf.py
+++ b/neutron/conf/plugins/ml2/drivers/ovn/ovn_conf.py
@ -213,6 +213,13 @@ ovn_opts = [
                       '(VNIC type "baremetal"). This alllow operators to '
                       'plug their own DHCP server of choice for PXE booting '
                       'baremetal nodes. Defaults to False.')),
+    cfg.BoolOpt('allow_stateless_action_supported',
+                default=True,
+                help=_('If OVN older than 21.06 is used together with '
+                       'Neutron, this option should be set to ``False`` in '
+                       'order to disable ``stateful-security-group`` API '
+                       'extension as ``allow-stateless`` keyword is only '
+                       'supported by OVN >= 21.06.')),
 ]


--- a/neutron/plugins/ml2/drivers/ovn/mech_driver/mech_driver.py
+++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/mech_driver.py
@ -27,6 +27,7 @@ import uuid
 from neutron_lib.api.definitions import portbindings
 from neutron_lib.api.definitions import provider_net
 from neutron_lib.api.definitions import segment as segment_def
+from neutron_lib.api.definitions import stateful_security_group
 from neutron_lib.callbacks import events
 from neutron_lib.callbacks import registry
 from neutron_lib.callbacks import resources
@ -227,7 +228,10 @@ class OVNMechanismDriver(api.MechanismDriver):
        return portbindings.CONNECTIVITY_L2

    def supported_extensions(self, extensions):
-        return set(ovn_extensions.ML2_SUPPORTED_API_EXTENSIONS) & extensions
+        supported_extensions = set(ovn_extensions.ML2_SUPPORTED_API_EXTENSIONS)
+        if not cfg.CONF.ovn.allow_stateless_action_supported:
+            supported_extensions.discard(stateful_security_group.ALIAS)
+        return set(supported_extensions) & extensions

    @staticmethod
    def provider_network_attribute_updates_supported():
--- a/releasenotes/notes/ovn-config-option-to-disable-stateless-security-groups-241533231a3ed9e7.yaml
+++ b/releasenotes/notes/ovn-config-option-to-disable-stateless-security-groups-241533231a3ed9e7.yaml
@ -0,0 +1,13 @@
+---
+other:
+  - |
+    OVN mechanism driver has now got config option
+    ``allow_stateless_action_supported`` which allows manually disable
+    ``stateful-security-group`` API extension in case when OVN older than 21.06
+    is used because support for ``allow-stateful`` action in OVN's ACL was
+    added in OVN 21.06.
+    By default this option is set to ``True`` so ``stateful-security-group``
+    API extension is enabled.
+    If this option is set to ``True`` and OVN < 21.06 is used, Neutron will
+    fallback to the statefull ACLs even if SG is set to be stateless in Neutron
+    database.