Fix ACL sync when default sg group is created

Port group not being available in NB DB during ACL sync is bit of a corner case but possible during the ML2/OVS to ML2/OVN migration sync. It can also happen in ML2/OVN only enviroment. See my detailed description of both scenarios in the linked Bug. The easiest fix is to just retry ALL port groups sync one more time if ACL sync cant find a port group row. This additional resync is really quick. Closes-Bug: #2008943 Change-Id: Iac1472f7f896ea434deacb6d236ab469f4f6ed56 (cherry picked from commit 33cf2cd)
openstack · Jul 17, 2023 · a131686 · a131686
1 parent 78735be
commit a131686
Showing 1 changed file with 27 additions and 6 deletions.
diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_db_sync.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_db_sync.py
@@ -25,6 +25,7 @@
 from neutron_lib.plugins import directory
 from neutron_lib.utils import helpers
 from oslo_log import log
+from ovsdbapp.backend.ovs_idl import idlutils
 
 from neutron.common.ovn import acl as acl_utils
 from neutron.common.ovn import constants as ovn_const
@@ -100,7 +101,6 @@ def do_sync(self):
         LOG.debug("Starting OVN-Northbound DB sync process")
 
         ctx = context.get_admin_context()
-
         self.sync_port_groups(ctx)
         self.sync_networks_ports_and_dhcp_opts(ctx)
         self.sync_port_dns_records(ctx)
@@ -299,11 +299,32 @@ def get_num_acls(ovn_acls):
                          'remove': num_acls_to_remove})
 
         if self.mode == SYNC_MODE_REPAIR:
-            with self.ovn_api.transaction(check_error=True) as txn:
-                for acla in neutron_acls:
-                    LOG.warning('ACL found in Neutron but not in '
-                                'OVN DB for port group %s', acla['port_group'])
-                    txn.add(self.ovn_api.pg_acl_add(**acla, may_exist=True))
+            pg_resync_count = 0
+            while True:
+                try:
+                    with self.ovn_api.transaction(check_error=True) as txn:
+                        for acla in neutron_acls:
+                            LOG.warning('ACL found in Neutron but not in '
+                                        'OVN DB for port group %s',
+                                        acla['port_group'])
+                            txn.add(self.ovn_api.pg_acl_add(
+                                **acla, may_exist=True))
+                except idlutils.RowNotFound as row_err:
+                    if row_err.msg.startswith("Cannot find Port_Group"):
+                        if pg_resync_count < 1:
+                            LOG.warning('Port group row was not found during '
+                                        'ACLs sync. Will attempt to sync port '
+                                        'groups one more time. The caught '
+                                        'exception is: %s', row_err)
+                            self.sync_port_groups(ctx)
+                            pg_resync_count += 1
+                            continue
+                        LOG.error('Port group exception during ACL sync '
+                                  'even after one more port group resync. '
+                                  'The caught exception is: %s', row_err)
+                    else:
+                        raise
+                break
 
             with self.ovn_api.transaction(check_error=True) as txn:
                 for aclr in ovn_acls: