<div dir="ltr"><p>Hello everyone,<br></p><p>I'm having problems with Security Group Rule updates not being applied to VMs on hypervisors and I think I know why this is happening.</p><p>I see that there's already a bug about that: <a href="https://bugs.launchpad.net/neutron/+bug/1814209">https://bugs.launchpad.net/neutron/+bug/1814209</a> but there isn't much action going on there. In my case, neutron-server is also using the queue q-agent-notifier-security_group-update (as seen from neutron-server logs in debug mode). The neutron version is the same, 12.0.4.</p><p>I went to check the code for my version 12.0.4 and I've found a suspicious part which might be the cause of this bug. Let me explain my understanding of the situation.</p><p>I started with the OVS agent code and found that it is using the SecurityGroupServerAPIShim (<a href="https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L374">https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L374</a>) class for, well, Security Group RPC. 
<br><br>Comments in this class definition (<a href="https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L204">https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L204</a>) explain that it is a replacement for an older interface, <span class="gmail-pl-en">SecurityGroupServerRpcApi</span> (<a href="https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L33">https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L33</a>).<br>SecurityGroupServerAPIShim inherits from SecurityGroupInfoAPIMixin (<a class="gmail-" href="https://github.com/openstack/neutron/blob/12.0.4/neutron/db/securitygroups_rpc_base.py#L126">https://github.com/openstack/neutron/blob/12.0.4/neutron/db/securitygroups_rpc_base.py#L126</a>) which is also a parent of the server-side Ml2Plugin (<a class="gmail-" href="https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/plugin.py#L121">https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/plugin.py#L121</a>). From this I conclude that Ml2Plugin was also switched to the new SG RPC interface.</p><p>Now, there are other details that suggest that Ml2Plugin wasn't switched to the new interface entirely and continues to use the old-style SG RPC classes.</p><p>There's a class AgentNotifierApi (<a class="external" href="https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/rpc.py#L376">https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/rpc.py#L376</a>) used by neutron-server's Ml2Plugin (<a class="gmail-" href="https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/plugin.py#L269">https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/plugin.py#L269</a>) to send notifications (to agents, I suppose). 
It inherits from the class SecurityGroupAgentRpcApiMixin (<a class="external" href="https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L122">https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L122</a>) which has been marked for removal starting from Pike 3 years ago in this commit: <a class="external" href="https://github.com/openstack/neutron/commit/97338258967d3b95f382f188ab2ab573a3432c17#diff-e4d9694fe7cfd3a791360aa215c12db8R293">https://github.com/openstack/neutron/commit/97338258967d3b95f382f188ab2ab573a3432c17#diff-e4d9694fe7cfd3a791360aa215c12db8R293</a>. This AgentNotifierApi class wasn't switched to a new Shim RPC interface for SG (as it was done for the OVS agent and Ml2Plugin itself).</p><p>All previous links are for the 12.0.4 version, the one used in my system currently.<br>And here's the same class AgentNotifierApi from the Rocky release: <a class="gmail-" href="https://github.com/openstack/neutron/blob/stable/rocky/neutron/plugins/ml2/rpc.py#L387">https://github.com/openstack/neutron/blob/stable/rocky/neutron/plugins/ml2/rpc.py#L387</a>. As you can see, it still inherits from the class marked for removal and isn't using the new-style SG RPC API.</p><p>From all this I conclude that until AgentNotifierApi is using the new-style API or the way that Ml2Plugin is sending notifications isn't changed, the bug will still be present.</p><p>Please let me know if I'm getting this wrong. If I'm right, I'm interested in helping to fix the bug.</p><p>Thank you for your attention!</p></div>