Allow disable stateful security group extension on older OVN
This patch adds config option to let cloud operator to disable 'stateful-security-group' API extension if OVN < 21.06 is used. This is the case e.g. on Ubuntu 20.04 where OVN 20.03 is provided. In case when API extension is enabled and OVN < 21.06 is used, Neutron will fallback to stateful ACLs even for stateless security groups which may be confusing for Neutron API users. This needs to be done with config option and not by checking automatically in OVN if "allow-stateless" is supported keyword for ACL's action because it needs to be done during initialization of plugin, where IDL isn't initialized yet and it would cause deadlock when Neutron would try to connect to the OVN NB. Closes-Bug: #2003999 Change-Id: I62e77dad2782e9c546745e860fda7622a8281739
This commit is contained in:
parent
06e2e22d31
commit
7cb481a3dc
@ -213,6 +213,13 @@ ovn_opts = [
|
|||||||
'(VNIC type "baremetal"). This alllow operators to '
|
'(VNIC type "baremetal"). This alllow operators to '
|
||||||
'plug their own DHCP server of choice for PXE booting '
|
'plug their own DHCP server of choice for PXE booting '
|
||||||
'baremetal nodes. Defaults to False.')),
|
'baremetal nodes. Defaults to False.')),
|
||||||
|
cfg.BoolOpt('allow_stateless_action_supported',
|
||||||
|
default=True,
|
||||||
|
help=_('If OVN older than 21.06 is used together with '
|
||||||
|
'Neutron, this option should be set to ``False`` in '
|
||||||
|
'order to disable ``stateful-security-group`` API '
|
||||||
|
'extension as ``allow-stateless`` keyword is only '
|
||||||
|
'supported by OVN >= 21.06.')),
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
@ -27,6 +27,7 @@ import uuid
|
|||||||
from neutron_lib.api.definitions import portbindings
|
from neutron_lib.api.definitions import portbindings
|
||||||
from neutron_lib.api.definitions import provider_net
|
from neutron_lib.api.definitions import provider_net
|
||||||
from neutron_lib.api.definitions import segment as segment_def
|
from neutron_lib.api.definitions import segment as segment_def
|
||||||
|
from neutron_lib.api.definitions import stateful_security_group
|
||||||
from neutron_lib.callbacks import events
|
from neutron_lib.callbacks import events
|
||||||
from neutron_lib.callbacks import registry
|
from neutron_lib.callbacks import registry
|
||||||
from neutron_lib.callbacks import resources
|
from neutron_lib.callbacks import resources
|
||||||
@ -227,7 +228,10 @@ class OVNMechanismDriver(api.MechanismDriver):
|
|||||||
return portbindings.CONNECTIVITY_L2
|
return portbindings.CONNECTIVITY_L2
|
||||||
|
|
||||||
def supported_extensions(self, extensions):
|
def supported_extensions(self, extensions):
|
||||||
return set(ovn_extensions.ML2_SUPPORTED_API_EXTENSIONS) & extensions
|
supported_extensions = set(ovn_extensions.ML2_SUPPORTED_API_EXTENSIONS)
|
||||||
|
if not cfg.CONF.ovn.allow_stateless_action_supported:
|
||||||
|
supported_extensions.discard(stateful_security_group.ALIAS)
|
||||||
|
return set(supported_extensions) & extensions
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def provider_network_attribute_updates_supported():
|
def provider_network_attribute_updates_supported():
|
||||||
|
@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
other:
|
||||||
|
- |
|
||||||
|
OVN mechanism driver has now got config option
|
||||||
|
``allow_stateless_action_supported`` which allows manually disable
|
||||||
|
``stateful-security-group`` API extension in case when OVN older than 21.06
|
||||||
|
is used because support for ``allow-stateful`` action in OVN's ACL was
|
||||||
|
added in OVN 21.06.
|
||||||
|
By default this option is set to ``True`` so ``stateful-security-group``
|
||||||
|
API extension is enabled.
|
||||||
|
If this option is set to ``True`` and OVN < 21.06 is used, Neutron will
|
||||||
|
fallback to the statefull ACLs even if SG is set to be stateless in Neutron
|
||||||
|
database.
|
Loading…
Reference in New Issue
Block a user