Merge pull request #253 from stackhpc/upstream/2025.1-2026-01-26

priteau · web-flow · commit 957fdd54e730 · 2026-01-26T22:50:55.000+01:00
Synchronise 2025.1 with upstream
diff --git a/neutron/common/ovn/acl.py b/neutron/common/ovn/acl.py
@@ -296,15 +296,23 @@ def update_acls_for_security_group(plugin,
     if not is_sg_enabled():
         return
 
+    # It's possible to have a security group created on one controller and
+    # then a security group rule created on a different controller quickly
+    # enough that the second controller does not yet see that security group
+    # in its local cache of the OVN northbound database. Check if the port
+    # group is present or not in the idl's local copy of the database before
+    # creating the security group rule.
+    pg_name = utils.ovn_port_group_name(security_group_id)
+    ovn.check_for_row_by_value_and_retry('Port_Group', 'name', pg_name)
+
     # Check if ACL log name and severity supported or not
     keep_name_severity = _acl_columns_name_severity_supported(ovn)
 
     sg = plugin.get_security_group(admin_context, security_group_id)
     stateful = is_sg_stateful(sg)
 
     acl = _add_sg_rule_acl_for_port_group(
-        utils.ovn_port_group_name(security_group_id),
-        stateful, security_group_rule)
+        pg_name, stateful, security_group_rule)
     # Remove ACL log name and severity if not supported
     if is_add_acl:
         if not keep_name_severity:
diff --git a/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py b/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py
@@ -4522,6 +4522,15 @@ def test_update_sg_change_rule(self):
             sg_r = self._create_sg_rule(sg['id'], 'ingress',
                                         const.PROTO_NAME_UDP,
                                         ethertype=const.IPv6)
+
+            # Updating an ACL will call 'check_for_row_by_value_and_retry'
+            # for the PG at least once.
+            pg_name = ovn_utils.ovn_port_group_name(sg['id'])
+            cfrbvar = self.mech_driver.nb_ovn.check_for_row_by_value_and_retry
+            cfrbvar.assert_has_calls([
+                mock.call('Port_Group', 'name', pg_name)
+            ])
+
             self.assertEqual(
                 1, self.mech_driver.nb_ovn.pg_acl_add.call_count)
 
