Allow disabling stateful security group extension on older OVN

This patch adds a config option to let the cloud operator disable the
'stateful-security-group' API extension if OVN < 21.06 is used. This is
the case e.g. on Ubuntu 20.04 where OVN 20.03 is provided.
When the API extension is enabled and OVN < 21.06 is used, Neutron
will fall back to stateful ACLs even for stateless security groups, which
may be confusing for Neutron API users.

This needs to be done with a config option and not by checking
automatically in OVN whether "allow-stateless" is a supported keyword for
the ACL's action, because it needs to be done during initialization of the
plugin, where the IDL isn't initialized yet, and it would cause a deadlock
when Neutron tried to connect to the OVN NB.

Closes-Bug: #2003999
Change-Id: I62e77dad2782e9c546745e860fda7622a8281739
Slawek Kaplonski 2023-01-27 11:52:45 +01:00
parent 06e2e22d31
commit 7cb481a3dc
3 changed files with 25 additions and 1 deletions

@ -213,6 +213,13 @@ ovn_opts = [
'(VNIC type "baremetal"). This alllow operators to ' '(VNIC type "baremetal"). This alllow operators to '
'plug their own DHCP server of choice for PXE booting ' 'plug their own DHCP server of choice for PXE booting '
'baremetal nodes. Defaults to False.')), 'baremetal nodes. Defaults to False.')),
cfg.BoolOpt('allow_stateless_action_supported',
default=True,
help=_('If OVN older than 21.06 is used together with '
'Neutron, this option should be set to ``False`` in '
'order to disable ``stateful-security-group`` API '
'extension as ``allow-stateless`` keyword is only '
'supported by OVN >= 21.06.')),
] ]
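Review bot: The help text for `allow_stateless_action_supported` says when to set the option to ``False`` but not what happens if the default of `True` is left in place on OVN older than 21.06. The commit message and the release note both state that Neutron then falls back to stateful ACLs even for stateless security groups; putting that sentence in the help string would show the consequence where operators read the option. Because `default=True`, a deployment on older OVN keeps that fallback until someone changes the setting, so the help is the right place to spell it out.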

@ -27,6 +27,7 @@ import uuid
from neutron_lib.api.definitions import portbindings from neutron_lib.api.definitions import portbindings
from neutron_lib.api.definitions import provider_net from neutron_lib.api.definitions import provider_net
from neutron_lib.api.definitions import segment as segment_def from neutron_lib.api.definitions import segment as segment_def
from neutron_lib.api.definitions import stateful_security_group
from neutron_lib.callbacks import events from neutron_lib.callbacks import events
from neutron_lib.callbacks import registry from neutron_lib.callbacks import registry
from neutron_lib.callbacks import resources from neutron_lib.callbacks import resources
@ -227,7 +228,10 @@ class OVNMechanismDriver(api.MechanismDriver):
return portbindings.CONNECTIVITY_L2 return portbindings.CONNECTIVITY_L2
def supported_extensions(self, extensions): def supported_extensions(self, extensions):
return set(ovn_extensions.ML2_SUPPORTED_API_EXTENSIONS) & extensions supported_extensions = set(ovn_extensions.ML2_SUPPORTED_API_EXTENSIONS)
if not cfg.CONF.ovn.allow_stateless_action_supported:
supported_extensions.discard(stateful_security_group.ALIAS)
return set(supported_extensions) & extensions
@staticmethod @staticmethod
def provider_network_attribute_updates_supported(): def provider_network_attribute_updates_supported():
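Review bot: The new `if not cfg.CONF.ovn.allow_stateless_action_supported:` branch in `supported_extensions()` has no test in this change; none of the three changed files shown here is a test. A unit test that sets the option to False and asserts that `stateful_security_group.ALIAS` is absent from the returned set, and present with the default, would pin the behaviour. Minor: the local `supported_extensions` is already a set, so `set(supported_extensions) & extensions` can be `supported_extensions & extensions`, and the local name shadows the method name.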

@ -0,0 +1,13 @@
---
other:
- |
OVN mechanism driver has now got config option
``allow_stateless_action_supported`` which allows manually disable
``stateful-security-group`` API extension in case when OVN older than 21.06
is used because support for ``allow-stateful`` action in OVN's ACL was
added in OVN 21.06.
By default this option is set to ``True`` so ``stateful-security-group``
API extension is enabled.
If this option is set to ``True`` and OVN < 21.06 is used, Neutron will
fallback to the statefull ACLs even if SG is set to be stateless in Neutron
database.
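Review bot: The release note names the ACL action as ``allow-stateful`` in "support for ``allow-stateful`` action in OVN's ACL", while the option help and the commit message both call it ``allow-stateless``; the note should say ``allow-stateless``. In the last paragraph, "statefull" should be "stateful" and the verb "fallback" should be "fall back".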