[ovs-dev] [PATCH v2 0/3] ovn-controller: Fix and refactor chassis ovn-sbdb record init

Han Zhou zhouhan at gmail.com
Wed Jul 24 22:50:49 UTC 2019

On Mon, Jul 8, 2019 at 2:11 PM Ben Pfaff <blp at ovn.org> wrote:
> On Mon, Jul 08, 2019 at 12:06:45PM +0200, Dumitru Ceara wrote:
> > The chassis_run code didn't take into account the scenario when the
> > system-id was changed in the Open_vSwitch table. Due to this the code
> > was trying to insert a new Chassis record in the OVN_Southbound DB with
> > the same Encaps as the previous Chassis record. The transaction used
> > to insert the new records was aborting due to the ["type", "ip"]
> > index constraint violation as we were creating new Encap entries with
> > the same "type" and "ip" as the old ones.
> Thanks.  I applied this series to master.

Hi Dumitru,

When reviewing Numan's fix "ovn-controller: Fix the chassis row recreation
issue" I found this original change and I have a question here regarding
this series. I tried this feature when SSL & RBAC are enabled, and it seems
not to work as this patch declared. I used the OVN sandbox (which uses SSL
by default) to test.

$ ovn-sbctl show
Chassis "chassis-1"
    hostname: sandbox
    Encap geneve
        ip: ""
        options: {csum="true"}

Then update chassis id:
$ ovs-vsctl set open . external_ids:system-id="chassis-2"

The SB DB didn't get updated, and there are warn logs:
2019-07-24T08:28:51.036Z|00015|ovsdb_idl|WARN|transaction error:
{"details":"RBAC rules for client \"chassis-1\" role \"ovn-controller\"
prohibit modification of table \"Chassis\".","error":"permission error"}
2019-07-24T08:28:51.036Z|00016|chassis|WARN|Could not find Chassis : stored
(chassis-2) ovs (chassis-2)

This seems to be expected, because otherwise RBAC is malfunctioning.
However, I am not sure what the goal of this patch is. Is it supposed to
solve the problem only when HV uses TCP but not for SSL? If so, shall this
behaviour be clarified in some documents? Or did I misunderstand something?
(Sorry that I was not able to post the question during the patch review.)
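
Added example, not part of the original message or of the OVN code base: a small log check that pairs the RBAC denial quoted above with the "Could not find Chassis" warning, so an operator can spot a chassis whose system-id no longer matches its RBAC client name. The function names are hypothetical, and the sample assumes the two warnings appear as single log lines (the e-mail wrapped them).

```python
import json
import re

# Constructed sample: the two warnings quoted in the message above, rejoined
# onto single lines (assumption: the e-mail client wrapped them).
SAMPLE_LOG = r'''2019-07-24T08:28:51.036Z|00015|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"chassis-1\" role \"ovn-controller\" prohibit modification of table \"Chassis\".","error":"permission error"}
2019-07-24T08:28:51.036Z|00016|chassis|WARN|Could not find Chassis : stored (chassis-2) ovs (chassis-2)
'''

RBAC_RE = re.compile(
    r'RBAC rules for client "([^"]*)" role "([^"]*)" '
    r'prohibit (\w+) of table "([^"]*)"')
CHASSIS_RE = re.compile(r'Could not find Chassis : stored \((.*?)\) ovs \((.*?)\)')
PREFIX = "transaction error: "


def rbac_denials(log_text):
    """Return one dict per ovsdb_idl RBAC permission error in the log."""
    denials = []
    for line in log_text.splitlines():
        fields = line.split("|", 4)  # time|seq|module|level|message
        if len(fields) != 5 or fields[2] != "ovsdb_idl" or not fields[4].startswith(PREFIX):
            continue
        try:
            err = json.loads(fields[4][len(PREFIX):])
        except ValueError:
            continue  # truncated or non-JSON payload
        details = str(err.get("details", "")) if isinstance(err, dict) else ""
        m = RBAC_RE.search(details)
        if m and err.get("error") == "permission error":
            keys = ("client", "role", "operation", "table")
            denials.append(dict(zip(keys, m.groups()), time=fields[0]))
    return denials


def identity_mismatches(log_text):
    """Pair Chassis-table denials with system-ids the controller could not find."""
    wanted = {m.group(2) for m in CHASSIS_RE.finditer(log_text)}
    return sorted({(d["client"], sid) for d in rbac_denials(log_text)
                   if d["table"] == "Chassis" for sid in wanted if sid != d["client"]})


if __name__ == "__main__":
    for client, system_id in identity_mismatches(SAMPLE_LOG):
        print(f"RBAC client {client!r} denied on Chassis while system-id is {system_id!r}")
```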

