Duplicated ARP responses from ovnmetadata namespaces

I`m posting this as a bug because I believe that the ovn-metadata namespace does not need
and should not be reachable from any other host other than the compute itself.
This traffic could easily be blocked with a OpenFlow rule.

FYI, this bug was fixed in the upstream branch v21.06.0 this is the patch:

https://github.com/ovn-org/ovn/commit/578238b36073256c524a4c2b6ed7521f73aa0019

Just to amend my previous stance. I have tested the fix but it doesn't fix the problem
for all cases. In the case where a host pings or arping the port IP, the ping packets continue
to be returned. 1 for each compute node.

Erlon: For completeness I'm adding the second patch you found we need to resolve this issue: https://github.com/ovn-org/ovn/commit/96959e56d634c8d888af9e3ee340602593c7e4fa

Test on Focal:
   Computes: https://paste.ubuntu.com/p/GHZbYgzH2N/
   Output: https://paste.ubuntu.com/p/48YZmfrMZS/

Test on Hirsute:
  Computes: https://paste.ubuntu.com/p/pkKC6nb6cx/
  Output: https://paste.ubuntu.com/p/m4MHXgG2wc/

This bug is missing a completed SRU template in its description but looking at the upload I see that there is a test for this change so I'm accepting the upload. However, please fill out the bug description with SRU information.

Hello Erlon, or anyone else affected,

Accepted ovn into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ovn/20.12.0-0ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

The Hirsute upload of ovn which fixed this bug include a patch, 'lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch', which is not included in the focal upload of ovn. Why is this patch not included for Focal?

Hi Brian, The current version of the OVN package for Focal (20.03.2) already brings that patch.

Hello Erlon, or anyone else affected,

Accepted ovn into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ovn/20.03.2-0ubuntu0.20.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Tests for Hirsute on proposed branch passed

Console: https://gist.github.com/sombrafam/3f5a62095104f594e5ac8cef097b081c
Compute 1: https://gist.github.com/sombrafam/1b704fd066112abd29dcded57b3c3448
Compute 2: https://gist.github.com/sombrafam/a4f94dc09f303063ccf91114993d7dd4

Test for Focal on proposed branch passed

Console: https://gist.github.com/sombrafam/856f4245b6bf2b9672751a1e2cbe803d
Compute 1: https://gist.github.com/sombrafam/78d12ff153256f4fda7b0d7b243871b1
Compute 2: https://gist.github.com/sombrafam/009414aad781c66521abf4ce7cdd7f42

I deployed the openstack-base bundle (adjusted the bridge as in the reproducer). To check for ARP conflicts, I used the Linux tool arp-scan on the local interfaces and found no conflicts. I'm marking this as 'verification-done'.

The verification of the Stable Release Update for ovn has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package ovn - 20.03.2-0ubuntu0.20.04.2

---------------
ovn (20.03.2-0ubuntu0.20.04.2) focal; urgency=medium

  * Add RBAC rules for IGMP_Group table (LP: #1914988):
    - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
    - d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
    - d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch
    - d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
  * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch:
    Do not forward traffic from localport to localnet ports (LP: #1943266).a
  * d/p/lp-1937075-ovn-ctl-Fix-stucked-while-do-cluster-db-init.patch:
    Fix issue where clustered database might not be upgraded (LP: #1937075).

 -- Frode Nordahl <email address hidden> Fri, 01 Oct 2021 09:42:00 +0200

This bug was fixed in the package ovn - 20.12.0-0ubuntu3

---------------
ovn (20.12.0-0ubuntu3) hirsute; urgency=medium

  * Add RBAC rules for IGMP_Group table (LP: #1914988):
    - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
    - d/p/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch
    - d/p/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
    - d/p/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
    - d/p/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
    - d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
    - d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch
    - d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
  * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch:
    Do not forward traffic from localport to localnet ports (LP: #1943266).
  * d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
    Update RBAC rules for Chassis_Private table (LP: #1913024).
  * d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
    Update RBAC rules for Port_Binding table (LP: #1917475).

 -- Frode Nordahl <email address hidden> Fri, 01 Oct 2021 09:42:00 +0200