When the openvswitch plugin, running in RPC mode, processes an update_port() API call in which admin_state_up has changed, it invokes the port_update RPC on the agent, passing the network's segmentation_id as the vlan_id parameter. If admin_state_up is True, then OVSRpcCallbacks.port_update() in the agent will set the tag of the VIF's port on br-int to the vlan_id that was passed via the RPC. This made sense in the old VLAN mode, but is incorrect for tunnels and for the way VLAN and flat networks are now implemented. The VLAN tag used on the integration bridge must always be the local VLAN ID, obtained from LocalVLANMapping.vlan in OVSQuantumAgent.local_vlan_map. There is no need to send the segmentation_id in the RPC request, and the REVISIT comments in OVSQuantumPluginV2.update_port() and OVSRpcCallbacks.port_update() should be removed.
As the code exists right now, any user who changes their port admin_state_up to False and then to True again will get disconnected from their own network, and possibly get connected to some other network belonging to some other tenant, with serious security implications.
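The mix-up described in this report, as an added example that is not Quantum's code and not part of the original report: a simplified model of the agent's tag handling, with the reported behaviour next to a handler that takes the tag only from local_vlan_map. AgentModel, plug, port_update_buggy, port_update_fixed, networks_reachable, toggle and build_agent are hypothetical names, the network and port IDs are constructed, and clearing the tag when admin_state_up is False is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass
class LocalVLANMapping:
    vlan: int             # tag used on br-int for this network
    segmentation_id: int  # provider VLAN ID or tunnel ID

class AgentModel:  # simplified stand-in for the agent, not Quantum's code
    def __init__(self):
        self.local_vlan_map = {}  # network_id -> LocalVLANMapping
        self.port_network = {}    # port_id -> network_id
        self.port_tag = {}        # port_id -> br-int tag (None = cleared)

    def plug(self, port_id, network_id):
        self.port_network[port_id] = network_id
        self.port_tag[port_id] = self.local_vlan_map[network_id].vlan

    def port_update_buggy(self, port_id, admin_state_up, vlan_id):
        # Reported behaviour: vlan_id carries the segmentation_id and is
        # written directly as the br-int tag. (Clearing on False is assumed.)
        self.port_tag[port_id] = vlan_id if admin_state_up else None

    def port_update_fixed(self, port_id, admin_state_up):
        # Tag comes only from the agent's own mapping, nothing from the RPC.
        lvm = self.local_vlan_map[self.port_network[port_id]]
        self.port_tag[port_id] = lvm.vlan if admin_state_up else None

    def networks_reachable(self, port_id):
        # Networks whose local VLAN equals the port's current tag.
        tag = self.port_tag[port_id]
        return sorted(n for n, m in self.local_vlan_map.items() if m.vlan == tag)

def toggle(agent, port_id, fixed):
    # admin_state_up False then True, as in the report's scenario.
    seg = agent.local_vlan_map[agent.port_network[port_id]].segmentation_id
    for state in (False, True):
        if fixed:
            agent.port_update_fixed(port_id, state)
        else:
            agent.port_update_buggy(port_id, state, vlan_id=seg)
    return agent.networks_reachable(port_id)

def build_agent():
    # Constructed sample: net-a's segmentation_id (2) equals the local VLAN
    # the agent assigned to net-b.
    agent = AgentModel()
    agent.local_vlan_map["net-a"] = LocalVLANMapping(vlan=1, segmentation_id=2)
    agent.local_vlan_map["net-b"] = LocalVLANMapping(vlan=2, segmentation_id=900)
    agent.plug("port-a1", "net-a")
    return agent
```

Calling `toggle(build_agent(), "port-a1", fixed=False)` returns the networks the port shares a tag with after the toggle; comparing each port's tag against `local_vlan_map` in the same way works as an audit for ports left on the wrong VLAN.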
Fix proposed to branch: master
Review: https://review.openstack.org/12290