Fix syncEgressFirewall (truncate ACL names) and SetupMaster (stop recreating cluster-wide PGs) #3466

Merged 3 commits on Mar 7, 2023

Commits on Mar 6, 2023

  1. Add test to showcase syncEgressFirewall isn't truncating ACL names

    This commit adds a test to showcase that
    since syncEgressFirewall isn't calling libovsdbops.BuildACL
    directly, we are not truncating ACL names.
    
    Note that we really need ovn-org/libovsdb#338
    for our test server to start screaming for long names.
    
    Signed-off-by: Surya Seetharaman <[email protected]>
    tssurya committed Mar 6, 2023
    d996d0e
  2. Fix syncEgressFirewall to truncate ACL names

    This commit ensures we truncate names as a precaution
    also in CreateOrUpdateACLsOps so that our bases are
    covered, since not all code snippets call BuildACL
    directly.
    
    Signed-off-by: Surya Seetharaman <[email protected]>
    tssurya committed Mar 6, 2023
    7bfe50e

Commits on Mar 7, 2023

  1. Don't recreate clusterPGs and clusterRtrPGs unless needed

    In SetupMaster, we always call CreateOrUpdatePortGroupsOps
    with empty ACLs and PGs for the cluster-wide port group
    and cluster-wide-router-PG. This is disruptive during
    upgrades since momentarily all efw ACLs and multicast ACLs
    will be wiped out.
    
    This commit changes this to first check if the PG already exists;
    if so, there is no need to do anything.
    Each of those features is responsible for ensuring ACLs and ports
    are good on the PGs they own.
    
    NOTE: This bug was an issue for multicast and started being an
    issue for egf from ovn-org@bd29f41.
    Before that we didn't have ACLs on cluster wide PG.
    
    Signed-off-by: Surya Seetharaman <[email protected]>
    tssurya committed Mar 7, 2023
    935bc55
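
The startup behaviour described in the last commit message, as an added Go example that is not ovn-kubernetes code. It is a constructed in-memory model (the `NBDB` and `PortGroup` types, the function names, and the port group and ACL names are all hypothetical) comparing an unconditional create-or-update with empty ACLs against creating the port group only when it is missing.

```go
package main

import "fmt"

// PortGroup is a simplified stand-in for a northbound port group row.
type PortGroup struct {
	Name  string
	ACLs  []string
	Ports []string
}

// NBDB is a constructed in-memory model of the northbound DB, keyed by PG name.
type NBDB map[string]*PortGroup

// createOrUpdate models the pre-fix startup path: the row is written as given,
// so an empty ACL list replaces whatever ACLs the owning features had attached.
func (db NBDB) createOrUpdate(pg PortGroup) { db[pg.Name] = &pg }

// ensureExists models the fixed startup path: create the port group only when
// it is missing and leave an existing row, including its ACLs, untouched.
func (db NBDB) ensureExists(name string) (created bool) {
	if _, ok := db[name]; ok {
		return false
	}
	db[name] = &PortGroup{Name: name}
	return true
}

// aclCountAfterRestart seeds a cluster-wide PG holding two feature-owned ACLs
// (constructed names), runs one startup pass, and returns how many ACLs remain.
func aclCountAfterRestart(fixed bool) int {
	const pgName = "clusterPortGroup" // hypothetical name for the cluster-wide PG
	db := NBDB{pgName: {Name: pgName, ACLs: []string{"efw-deny-external", "mcast-deny"}}}
	if fixed {
		db.ensureExists(pgName)
	} else {
		db.createOrUpdate(PortGroup{Name: pgName})
	}
	return len(db[pgName].ACLs)
}

func main() {
	fmt.Println("ACLs after restart, pre-fix:", aclCountAfterRestart(false))
	fmt.Println("ACLs after restart, fixed:  ", aclCountAfterRestart(true))
}
```

In the pre-fix path the egress firewall and multicast ACLs are absent from the port group until each feature's own sync re-attaches them, which is the window the commit message calls disruptive during upgrades.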