Merge "[OVN] Prevent binding a virtual type port" into stable/2023.1

Zuul · openstack-gerrit · commit 6bba3bdb544a · 2023-07-21T13:05:31.000Z
diff --git a/neutron/common/ovn/utils.py b/neutron/common/ovn/utils.py
@@ -976,3 +976,27 @@ def determine_bind_host(sb_idl, port, port_context=None):
             bp_info.bp_param[
                 constants.VIF_DETAILS_CARD_SERIAL_NUMBER]).hostname
     return ''
+
+
+def validate_port_binding_and_virtual_port(
+        port_context, nb_idl, sb_idl, ml2_plugin, port):
+    """If the port is type=virtual and it is bound, raise BadRequest"""
+    if not determine_bind_host(sb_idl, port, port_context=port_context):
+        # The port is not bound, exit.
+        return
+
+    fixed_ips = port.get('fixed_ips', [])
+    subnet_ids = set([fixed_ip['subnet_id'] for fixed_ip in fixed_ips
+                      if 'subnet_id' in fixed_ip])
+    if not subnet_ids:
+        # If the port has no fixed_ips/subnets, it cannot be virtual.
+        return
+
+    subnets = ml2_plugin.get_subnets(port_context.plugin_context,
+                                     filters={'id': list(subnet_ids)})
+    port_type, _, _ = get_port_type_virtual_and_parents(
+        subnets, fixed_ips, port['network_id'], port['id'], nb_idl)
+    if port_type == constants.LSP_TYPE_VIRTUAL:
+        raise n_exc.BadRequest(
+            resource='port',
+            msg='A virtual logical switch port cannot be bound to a host')
diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/mech_driver.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/mech_driver.py
@@ -814,6 +814,8 @@ def update_port_precommit(self, context):
         self._validate_ignored_port(port, original_port)
         ovn_utils.validate_and_get_data_from_binding_profile(port)
         self._validate_port_extra_dhcp_opts(port)
+        ovn_utils.validate_port_binding_and_virtual_port(
+            context, self.nb_ovn, self.sb_ovn, self._plugin, port)
         if self._is_port_provisioning_required(port, context.host,
                                                context.original_host):
             self._insert_port_provisioning_block(context.plugin_context,
diff --git a/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py b/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py
@@ -4342,7 +4342,7 @@ def setUp(self):
             self.fmt, name='net1', admin_state_up=True)['network']
         self.subnet = self._make_subnet(
             self.fmt, {'network': self.net},
-            '10.0.0.1', '10.0.0.0/24')['subnet']
+            '10.0.0.1', '10.0.0.0/24')
 
     @mock.patch.object(ovn_utils, 'determine_bind_host')
     def test_create_port_with_virtual_type_and_options(self, *args):
@@ -4353,7 +4353,7 @@ def test_create_port_with_virtual_type_and_options(self, *args):
                     'mac_address': '00:00:00:00:00:00',
                     'device_owner': device_owner,
                     'network_id': self.net['id'],
-                    'fixed_ips': [{'subnet_id': self.subnet['id'],
+                    'fixed_ips': [{'subnet_id': self.subnet['subnet']['id'],
                                    'ip_address': '10.0.0.55'}],
                     portbindings.PROFILE: {},
                     }
@@ -4416,6 +4416,25 @@ def test_delete_virtual_port_parent(self):
         self.nb_idl.unset_lswitch_port_to_virtual_type.assert_called_once_with(
             virt_port['id'], parent['id'], if_exists=True)
 
+    def test_update_port_bound(self):
+        with self.port(subnet=self.subnet, is_admin=True) as port:
+            port = port['port']
+            updated_port = copy.deepcopy(port)
+            updated_port[portbindings.HOST_ID] = 'host1'
+            context = mock.Mock(current=updated_port, original=port)
+            with mock.patch.object(self.mech_driver._plugin, 'get_subnets') \
+                    as mock_get_subnets:
+                mock_get_subnets.return_value = [self.subnet['subnet']]
+                # 1) The port is not virtual, it has no parents.
+                self.mock_vp_parents.return_value = ''
+                self.mech_driver.update_port_precommit(context)
+                # 2) The port (LSP) has parents, that means it is a virtual
+                # port.
+                self.mock_vp_parents.return_value = ['parent-0', 'parent-1']
+                self.assertRaises(n_exc.BadRequest,
+                                  self.mech_driver.update_port_precommit,
+                                  context)
+
 
 class TestOVNAvailabilityZone(OVNMechanismDriverTestCase):
 
diff --git a/releasenotes/notes/ovn-virtual-port-prevent-binding-50efba5521e8a28e.yaml b/releasenotes/notes/ovn-virtual-port-prevent-binding-50efba5521e8a28e.yaml
@@ -0,0 +1,9 @@
+---
+other:
+  - |
+    A ML2/OVN virtual port cannot be bound to a virtual machine. If a port
+    IP address is assigned as an allowed address pair into another port, the
+    first one is considered a virtual port. If the second port (non-virtual)
+    is bound to ML2/OVN, the virtual port cannot be bound to a virtual
+    machine; a virtual port is created only to reserve a set of IP addresses
+    to be used by other ports.
