
In the ML2/OVN backend, if the IP address of an unbound port is added to another port as `allowed_address_pair`, OVN treats this port as `virtual`. This could break connectivity to the metadata service, as it uses a "special" port with device_owner set to `network:distributed`, and this port is `unbound`. So if someone adds the IP address assigned to such a `network:distributed` port to the allowed_address_pair of another port, connectivity to the metadata will be broken.

This patch adds new validation of the allowed_address_pairs by the OVN mech_driver. If the IP address set as allowed_address_pair is used by the `network:distributed` port, such an API request will return a BadRequest error code and the allowed_address_pair will not be set for the port.

Closes-Bug: #2116249
Depends-On: https://review.opendev.org/c/openstack/tempest/+/955569
Change-Id: I9b54e12fbd9b930a79660f2be195641107a5754e
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
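An operator-side audit of existing ports for the condition this change rejects, as an added example (not Neutron's code and not part of this commit). The port dictionaries use Neutron port API field names, the sample data is constructed, and treating a CIDR pair that covers the metadata IP as a conflict is this example's own conservative assumption, not something the commit message states.

```python
import ipaddress

METADATA_OWNER = "network:distributed"  # device_owner named in the commit message


def find_conflicts(ports):
    """Return (port_id, pair, distributed_port_id, ip) for each address pair
    that covers an IP held by a network:distributed port on the same network."""
    # Map network_id -> [(ip, port_id)] for the distributed (metadata) ports.
    reserved = {}
    for port in ports:
        if port.get("device_owner") == METADATA_OWNER:
            for fixed in port.get("fixed_ips", []):
                ip = ipaddress.ip_address(fixed["ip_address"])
                reserved.setdefault(port["network_id"], []).append((ip, port["id"]))

    conflicts = []
    for port in ports:
        if port.get("device_owner") == METADATA_OWNER:
            continue
        for pair in port.get("allowed_address_pairs") or []:
            # ip_address may be a single address or a CIDR (assumption: any
            # CIDR covering the reserved IP is reported); strict=False
            # accepts host bits set, e.g. "10.0.0.2/24".
            net = ipaddress.ip_network(pair["ip_address"], strict=False)
            for ip, owner_id in reserved.get(port["network_id"], []):
                if ip.version == net.version and ip in net:
                    conflicts.append((port["id"], pair["ip_address"], owner_id, str(ip)))
    return conflicts


# Constructed sample data shaped like Neutron port API responses.
SAMPLE_PORTS = [
    {"id": "meta-1", "network_id": "net-a", "device_owner": "network:distributed",
     "fixed_ips": [{"ip_address": "10.0.0.2"}], "allowed_address_pairs": []},
    {"id": "vm-1", "network_id": "net-a", "device_owner": "compute:nova",
     "fixed_ips": [{"ip_address": "10.0.0.10"}],
     "allowed_address_pairs": [{"ip_address": "10.0.0.2"}]},
    {"id": "vm-2", "network_id": "net-a", "device_owner": "compute:nova",
     "fixed_ips": [{"ip_address": "10.0.0.11"}],
     "allowed_address_pairs": [{"ip_address": "10.0.0.50"}]},
    {"id": "vm-3", "network_id": "net-b", "device_owner": "compute:nova",
     "fixed_ips": [{"ip_address": "10.0.0.12"}],
     "allowed_address_pairs": [{"ip_address": "10.0.0.2"}]},
]

if __name__ == "__main__":
    for port_id, pair, owner_id, ip in find_conflicts(SAMPLE_PORTS):
        print(f"port {port_id}: pair {pair} covers {ip} of {owner_id}")
```

The same address on a different network (`vm-3` on `net-b`) is not reported, because the check is scoped to the network that owns the `network:distributed` port.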
---
fixes:
  - |
    When ML2/OVN backend is used, usage of the metadata port IP address as a
    virtual IP address is blocked. That means that setting such IP address as
    allowed_address_pair for other port is not allowed and API will return 400
    error in such case. For more information, see bug
    `2116249 <https://bugs.launchpad.net/neutron/+bug/2116249>`_.
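
Review bot: the release note text under `fixes:` refers only to "the metadata port IP address", while the commit message keys the check on ports whose device_owner is `network:distributed`; naming that device_owner in the note would let operators identify which port's address is now rejected. Because a request that was previously accepted now returns 400, consider adding an `upgrade:` entry as well, and state what happens to ports that already carry such an allowed_address_pair, which neither the note nor the commit message covers.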