<div dir="ltr"><div dir="ltr"><div>Hi Neil,</div><div><br></div><div>Thanks for your reply!</div><div><br></div><div>I had a look at the code you mentioned, and while I don't know enough about the calico implementation, one thing seems like a good idea for an improvement to me.</div><div>In this code, you're patching method <span class="gmail-pl-s"><span class="gmail-pl-pds"></span>security_groups_rule_updated<span class="gmail-pl-pds"> to be able to run mech_driver.send_sg_updates(sgids, context). I think that it should be possible to read notifications about <span class="gmail-pl-s"><span class="gmail-pl-pds"></span>security_groups_rule_updated<span class="gmail-pl-pds"></span></span> from MQ and run the mech_driver's method there, in a separate chunk of code. The current implementation of AgentNotifierApi is inheriting from <span class="gmail-pl-en">SecurityGroupAgentRpcApiMixin and you can see the code sending notifications to MQ here [1] It should allow you to be more agnostic of AgentNotifierApi implementations and get rid of this patching.<br></span></span></span></div><div><span class="gmail-pl-s"><span class="gmail-pl-pds"><span class="gmail-pl-en"><br></span></span></span></div><div><span class="gmail-pl-s"><span class="gmail-pl-pds"><span class="gmail-pl-en">Back to my point.</span></span></span> I needed clarification about the situation I described because I don't know much about internals of neutron. Is it a bug that AgentNotifierApi is still inheriting from the class [2] marked for removal [3]? Or is it something intended to be and I'm just interpreting it wrong?</div><div><br></div><div><div><span class="gmail-pl-s"><span class="gmail-pl-pds"><span class="gmail-pl-en">[1] <a href="https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L148">https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L148</a><br></span></span></span></div><div><span class="gmail-pl-s"><span class="gmail-pl-pds"><span class="gmail-pl-en">[2] <a class="gmail-m_-4603617297723276079external" href="https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L122" target="_blank">https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L122</a><br></span></span></span></div><div>[3] <a class="gmail-m_-4603617297723276079external" href="https://github.com/openstack/neutron/commit/97338258967d3b95f382f188ab2ab573a3432c17#diff-e4d9694fe7cfd3a791360aa215c12db8R293" target="_blank">https://github.com/openstack/neutron/commit/97338258967d3b95f382f188ab2ab573a3432c17#diff-e4d9694fe7cfd3a791360aa215c12db8R293</a><br><span class="gmail-pl-s"><span class="gmail-pl-pds"><span class="gmail-pl-en"></span></span></span></div></div><div><br></div><div>Thanks!<br></div><div><span class="gmail-pl-s"><span class="gmail-pl-pds"><span class="gmail-pl-en"></span></span></span></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 11, 2019 at 8:09 PM Neil Jerram <<a href="mailto:neil@tigera.io">neil@tigera.io</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Just,<br>
<br>
I'm interested in what you're saying, because it sounds like it<br>
relates to the following horrible code in networking-calico [1], which<br>
I'd love to make less horrible:<br>
<br>
# This terrible global variable points to the running instance of the<br>
# Calico Mechanism Driver. This variable relies on the basic assertion that<br>
# any Neutron process, forked or not, should only ever have *one* Calico<br>
# Mechanism Driver in it. It's used by our monkeypatch of the<br>
# security_groups_rule_updated method below to locate the mechanism driver.<br>
# TODO(nj): Let's not do this any more. Please?<br>
mech_driver = None<br>
<br>
[...]<br>
<br>
# This section monkeypatches the<br>
AgentNotifierApi.security_groups_rule_updated<br>
# method to ensure that the Calico driver gets told about security group<br>
# updates at all times. This is a deeply unpleasant hack. Please,<br>
do as I say,<br>
# not as I do.<br>
#<br>
# For more info, please see issues #635 and #641.<br>
original_sgr_updated = rpc.AgentNotifierApi.security_groups_rule_updated<br>
<br>
<br>
def security_groups_rule_updated(self, context, sgids):<br>
LOG.info("security_groups_rule_updated: %s %s" % (context, sgids))<br>
mech_driver.send_sg_updates(sgids, context)<br>
original_sgr_updated(self, context, sgids)<br>
<br>
<br>
rpc.AgentNotifierApi.security_groups_rule_updated = (<br>
security_groups_rule_updated<br>
)<br>
<br>
[1] <a href="https://opendev.org/openstack/networking-calico/src/branch/master/networking_calico/plugins/ml2/drivers/calico/mech_calico.py#L148" rel="noreferrer" target="_blank">https://opendev.org/openstack/networking-calico/src/branch/master/networking_calico/plugins/ml2/drivers/calico/mech_calico.py#L148</a><br>
<br>
But I'm afraid I'm unclear what your point is. Is it about something<br>
that could improve the code above?<br>
<br>
Thanks,<br>
Neil<br>
<br>
On Fri, Mar 8, 2019 at 3:13 PM Just FooBar <<a href="mailto:just.foobar42@gmail.com" target="_blank">just.foobar42@gmail.com</a>> wrote:<br>
><br>
> Hello everyone,<br>
><br>
> I'm having problems with Security Group Rule updates not being applied to vms on hypervisors and I think I know why this is happening.<br>
><br>
> I see that there's already a bug about that: <a href="https://bugs.launchpad.net/neutron/+bug/1814209" rel="noreferrer" target="_blank">https://bugs.launchpad.net/neutron/+bug/1814209</a> but there isn't much action going on there. In my case, neutron-server is also using the queue q-agent-notifier-security_group-update (as seen from neutron-server logs in debug mode). The neutron version is the same, 12.0.4.<br>
><br>
> I went to check the code for my version 12.0.4 and I've found some suspicious part which might be the cause of this bug. Let me explain my understanding of the situation.<br>
><br>
> I started with ovs agent code and found that it is using SecurityGroupServerAPIShim (<a href="https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L374" rel="noreferrer" target="_blank">https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L374</a>) class for, well, Security Group RPC.<br>
><br>
> Comments in this class definition (<a href="https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L204" rel="noreferrer" target="_blank">https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L204</a>) explain that it is a replacement for an older interface, SecurityGroupServerRpcApi (<a href="https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L33" rel="noreferrer" target="_blank">https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L33</a>).<br>
> SecurityGroupServerAPIShim inherits from SecurityGroupInfoAPIMixin (<a href="https://github.com/openstack/neutron/blob/12.0.4/neutron/db/securitygroups_rpc_base.py#L126" rel="noreferrer" target="_blank">https://github.com/openstack/neutron/blob/12.0.4/neutron/db/securitygroups_rpc_base.py#L126</a>) which is also a parent of the server side Ml2Plugin (<a href="https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/plugin.py#L121" rel="noreferrer" target="_blank">https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/plugin.py#L121</a>). From this I make a conclusion that Ml2Plugin was also switched to the new SG RPC interface.<br>
><br>
> Now, there are other details that suggest that Ml2Plugin wasn't switched to the new interface entirely and continues to use the old-style SG RPC classes.<br>
><br>
> There's a class AgentNotifierApi (<a href="https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/rpc.py#L376" rel="noreferrer" target="_blank">https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/rpc.py#L376</a>) used by neutron-server's Ml2Plugin (<a href="https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/plugin.py#L269" rel="noreferrer" target="_blank">https://github.com/openstack/neutron/blob/12.0.4/neutron/plugins/ml2/plugin.py#L269</a>) to send notifications (to agents, I suppose). It inherits from the class SecurityGroupAgentRpcApiMixin (<a href="https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L122" rel="noreferrer" target="_blank">https://github.com/openstack/neutron/blob/12.0.4/neutron/api/rpc/handlers/securitygroups_rpc.py#L122</a>) which has been marked for removal starting from Pike 3 years ago in this commit: <a href="https://github.com/openstack/neutron/commit/97338258967d3b95f382f188ab2ab573a3432c17#diff-e4d9694fe7cfd3a791360aa215c12db8R293" rel="noreferrer" target="_blank">https://github.com/openstack/neutron/commit/97338258967d3b95f382f188ab2ab573a3432c17#diff-e4d9694fe7cfd3a791360aa215c12db8R293</a>. This AgentNotifierApi class wasn't switched to a new Shim RPC interface for SG (as it was done for the ovs agent and Ml2Plugin itself).<br>
><br>
> All previous links are for 12.0.4 version, the one used in my system currently.<br>
> And here's the same class AgentNotifierApi from the Rocky release: <a href="https://github.com/openstack/neutron/blob/stable/rocky/neutron/plugins/ml2/rpc.py#L387" rel="noreferrer" target="_blank">https://github.com/openstack/neutron/blob/stable/rocky/neutron/plugins/ml2/rpc.py#L387</a> . As you can see, it still inherits from the class marked for removal and isn't using new style SG RPC API.<br>
><br>
> From all this I conclude that until AgentNotifierApi is using new style API or the way that Ml2Plugin is sending notifications isn't changed, the bug will still be present.<br>
><br>
> Please let me know if I'm getting this wrong. If I'm right, I'm interested in helping to fix the bug.<br>
><br>
> Thank you for your attention!<br>
</blockquote></div>