[neutron][ovn] Stateless Security Group
Slawek Kaplonski
skaplons at redhat.com
Tue Nov 2 11:14:26 UTC 2021
Hi,
On wtorek, 2 listopada 2021 11:24:20 CET Ammad Syed wrote:
> Hi,
>
> I have reported the bug but not sure how to propose that change. Any guide
> to propose change would be highly appreciated.
Please go through https://docs.openstack.org/contributors/code-and-documentation/quick-start.html as it should be good start :)
If You will have any questions, You can reach out to me on IRC. I'm slaweq
there and You can catch me on the #openstack-neutron channel.
>
> https://bugs.launchpad.net/neutron/+bug/1949451
Thx
>
> On Tue, Nov 2, 2021 at 2:45 PM Slawek Kaplonski <skaplons at redhat.com> wrote:
> > Hi,
> >
> > On wtorek, 2 listopada 2021 10:04:40 CET Ammad Syed wrote:
> > > Hi Slawek,
> > >
> > > Yes, after adding extension, SG created with stateful=false.
> >
> > That's good. Can You report an Launchpad bug for that? And You can also
> > propose that change as fix for that bug too :)
> >
> > > # neutron ext-list | grep stateful-security-group
> > > neutron CLI is deprecated and will be removed in the Z cycle. Use
> >
> > openstack
> >
> > > CLI instead.
> > >
> > > | stateful-security-group | Stateful security group
> > >
> > > # openstack security group create --stateless sec02-stateless
> > > +-----------------
> >
> > +-----------------------------------------------------------
> >
> >
> >
----------------------------------------------------------------------------
> > -->
> > > ---------------------------------------+
> > >
> > > | Field | Value
> > >
> > > +-----------------
> >
> > +-----------------------------------------------------------
> >
> >
> >
----------------------------------------------------------------------------
> > -->
> > > ---------------------------------------+
> > >
> > > | created_at | 2021-11-02T09:02:42Z
> > > |
> > > |
> > > | description | sec02-stateless
> > > |
> > > |
> > > | id | 29c28678-9a03-496c-8157-4afbcdc8f2af
> > > |
> > > |
> > > | name | sec02-stateless
> > > |
> > > |
> > > | project_id | 98687873a146418eaeeb54a01693669f
> > > |
> > > |
> > > | revision_number | 1
> > > |
> > > |
> > > | rules | created_at='2021-11-02T09:02:42Z',
> >
> > direction='egress',
> >
> > > ethertype='IPv6', id='17079c04-dc1d-4fbd-9f15-e79c6e585932',
> > > standard_attr_id='2863', updated_at='2021-11-02T09:02:42Z' |
> > >
> > > | | created_at='2021-11-02T09:02:42Z',
> >
> > direction='egress',
> >
> > > ethertype='IPv4', id='fadfbf09-f759-453d-b493-e6f73077113a',
> > > standard_attr_id='2860', updated_at='2021-11-02T09:02:42Z' |
> > >
> > > | stateful | False
> > > |
> > > |
> > > | tags | []
> > > |
> > > |
> > > | updated_at | 2021-11-02T09:02:42Z
> > >
> > > +-----------------
> >
> > +-----------------------------------------------------------
> >
> >
> >
----------------------------------------------------------------------------
> > -->
> > > ---------------------------------------+
> > >
> > > Let me test this feature further.
> > >
> > > Ammad
> > >
> > > On Tue, Nov 2, 2021 at 1:54 PM Slawek Kaplonski <skaplons at redhat.com>
> >
> > wrote:
> > > > Hi,
> > > >
> > > > On wtorek, 2 listopada 2021 09:29:13 CET Ammad Syed wrote:
> > > > > Thanks Lajos,
> > > > >
> > > > > I was checking the release notes and found that stateless acl is
> > > >
> > > > supported
> > > >
> > > > > by ovn in xena.
> > > > >
> > > > > https://docs.openstack.org/releasenotes/neutron/
> > > >
> > > > xena.html#:~:text=Support%20st
> > > >
> > > > > ateless%20security%20groups%20with%20the%20latest%20OVN%2021.06%2B.
> > > >
> > > > %20The%20st
> >
> >
ateful%3DFalse%20security%20groups%20are%20mapped%20to%20the%20new%20%E2%80%
> >
> > > > 9C>
> > > >
> > > > > allow-stateless%E2%80%9D%20OVN%20ACL%20verb .
> > > >
> > > > It should be supported by the OVN driver now IIRC. Maybe we forgot
> >
> > about
> >
> > > > adding this extension to the list:
> > > > https://github.com/openstack/neutron/blob/
> > > > master/neutron/common/ovn/extensions.py#L93
> > > > <https://github.com/openstack/neutron/blob/master/neutron/common/ovn/
> >
> > extensi
> >
> > > > ons.py#L93> Can You try to add it there and see if the extension will
> >
> > be
> >
> > > > loaded then?>
> > > >
> > > > > Ammad
> > > > >
> > > > > On Tue, Nov 2, 2021 at 1:25 PM Lajos Katona <katonalala at gmail.com>
> > > >
> > > > wrote:
> > > > > > Hi,
> > > > > > statefull security-groups are only available with iptables based
> > > >
> > > > drivers:
> > https://review.opendev.org/c/openstack/neutron/+/572767/53/releasenotes/
> >
> > > > note
> > > >
> > > > > > s/stateful-security-group-04b2902ed9c44e4f.yaml
> > > > > >
> > > > > > For OVS and OVN we have open RFE, nut as I know at the moment
> >
> > nobody
> >
> > > > works
> > > >
> > > > > > on them:
> > > > > > https://bugs.launchpad.net/neutron/+bug/1885261
> > > > > > https://bugs.launchpad.net/neutron/+bug/1885262
> > > > > >
> > > > > > Regards
> > > > > > Lajos Katona (lajoskatona)
> > > > > >
> > > > > > Ammad Syed <syedammad83 at gmail.com> ezt írta (időpont: 2021. nov.
> >
> > 2.,
> >
> > > > K,
> > > >
> > > > > > 9:00):
> > > > > >> Hi,
> > > > > >>
> > > > > >> I have upgraded my lab to latest xena release and ovn 21.09 and
> >
> > ovs
> >
> > > > 2.16.
> > > >
> > > > > >> I am trying to create stateless security group. But its getting
> > > >
> > > > failed
> > > > with
> > > >
> > > > > >> below error message.
> > > > > >>
> > > > > >> # openstack security group create --stateless sec02-stateless
> > > > > >> Error while executing command: BadRequestException: 400,
> >
> > Unrecognized
> >
> > > > > >> attribute(s) 'stateful'
> > > > > >>
> > > > > >> I see below logs in neutron server logs.
> > > > > >>
> > > > > >> 2021-11-02 12:47:41.921 1346 DEBUG neutron.wsgi [-] (1346)
> >
> > accepted
> >
> > > > > >> ('172.16.40.45', 41272) server
> > > > > >> /usr/lib/python3/dist-packages/eventlet/wsgi.py:992
> > > > > >> 2021-11-02 12:47:42.166 1346 DEBUG neutron.api.v2.base
> > > > > >> [req-b6a37fff-090f-4754-9df7-6e4314ed9481
> > > >
> > > > 19844bf62a7b498eb443508ef150e9b8
> > > >
> > > > > >> 98687873a146418eaeeb54a01693669f - default default] Request body:
> > > > > >> {'security_group': {'name': 'sec02-stateless', 'stateful': False,
> > > > > >> 'description': 'sec02-stateless'}} prepare_request_body
> > > > > >> /usr/lib/python3/dist-packages/neutron/api/v2/base.py:729
> > > > > >> 2021-11-02 12:47:42.167 1346 WARNING neutron.api.v2.base
> > > > > >> [req-b6a37fff-090f-4754-9df7-6e4314ed9481
> > > >
> > > > 19844bf62a7b498eb443508ef150e9b8
> > > >
> > > > > >> 98687873a146418eaeeb54a01693669f - default default] An exception
> > > >
> > > > happened
> > > >
> > > > > >> while processing the request body. The exception message is
> > > >
> > > > [Unrecognized
> > > >
> > > > > >> attribute(s) 'stateful'].: webob.exc.HTTPBadRequest: Unrecognized
> > > > > >> attribute(s) 'stateful'
> > > > > >> 2021-11-02 12:47:42.167 1346 INFO neutron.api.v2.resource
> > > > > >> [req-b6a37fff-090f-4754-9df7-6e4314ed9481
> > > >
> > > > 19844bf62a7b498eb443508ef150e9b8
> > > >
> > > > > >> 98687873a146418eaeeb54a01693669f - default default] create failed
> > > >
> > > > (client
> > > >
> > > > > >> error): Unrecognized attribute(s) 'stateful'
> > > > > >> 2021-11-02 12:47:42.168 1346 INFO neutron.wsgi
> > > > > >> [req-b6a37fff-090f-4754-9df7-6e4314ed9481
> > > >
> > > > 19844bf62a7b498eb443508ef150e9b8
> > > >
> > > > > >> 98687873a146418eaeeb54a01693669f - default default] 172.16.40.45
> >
> > "POST
> >
> > > > > >> /v2.0/security-groups HTTP/1.1" status: 400 len: 317 time:
> > 0.2455938
> >
> > > > > >> Any advice on how to fix it ?
> > > > > >>
> > > > > >> Ammad
> > > >
> > > > --
> > > > Slawek Kaplonski
> > > > Principal Software Engineer
> > > > Red Hat
> >
> > --
> > Slawek Kaplonski
> > Principal Software Engineer
> > Red Hat
--
Slawek Kaplonski
Principal Software Engineer
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20211102/cc9afb02/attachment-0001.sig>
More information about the openstack-discuss
mailing list