[queens][neutron] migrating from iptables_hybrid to openvswitch

Ignazio Cassano ignaziocassano at gmail.com
Fri Mar 13 07:24:08 UTC 2020


Hi Jakub, migrating a VM from a node with hybrid_iptables to a node switched
to openvswitch works fine. The problem is that this migration creates the qbr on
the node switched to openvswitch.
But when I switch another compute node to openvswitch and I try to live
migrate the same VM (openvswitch to openvswitch) it does not work because
of the qbr presence.
I verified this in the nova logs.
Ignazio

On Thu, 12 Mar 2020, 23:15, Jakub Libosvar <jlibosva at redhat.com> wrote:

> On 12/03/2020 11:38, Ignazio Cassano wrote:
> > Hello All, I am facing some problems migrating from iptables_hybrid
> > firewall to openvswitch firewall on centos 7 queens,
> > I am doing this because I want to enable security groups logs which require
> > openvswitch firewall.
> > I would like to migrate without restarting my instances.
> > I started moving all instances from compute node 1.
> > Then I configured openvswitch firewall on compute node 1,
> > Instances migrated from compute node 2 to compute node 1 without
> > problems.
> > Once the compute node 2 was empty, I migrated it to openvswitch.
> > But now instances do not migrate from node 1 to node 2 because it
> > requires the presence of qbr bridge on node 2
> >
> > This happened because migrating instances from node 2 with iptables_hybrid
> > to compute node 1 with openvswitch does not put the tap under br-int as
> > requested by openvswitch firewall, but qbr is still present on compute
> > node 1.
> > Once I enabled openvswitch on compute node 2, migration from compute
> > node 1 fails because it expects qbr on compute node 2.
> > So I think I should move on the fly tap interfaces from qbr to br-int
> > on compute node 1 before migrating to compute node 2 but it is a huge
> > work on a lot of instances.
> >
> > Any workaround, please?
> >
> > Ignazio
> >
>
> I may be a little outdated here but to the best of my knowledge there
> are two ways how to migrate from iptables to openvswitch.
>
> 1) If you don't mind the intermediate linux bridge and you care about
> logs, you can just change the config file on compute node to start using
> openvswitch firewall and restart the ovs agent. That should trigger a
> mechanism that deletes iptables rules and starts using openflow rules.
> It will leave the intermediate bridge there but except the extra hop in
> networking stack, it doesn't mind.
>
> 2) With multiple-port binding feature, what you described above should
> be working. I know Miguel spent some time working on that so perhaps he
> has more information about which release it should be functional at, I
> think it was Queens. Not sure if any Nova work was required to make it
> work.
>
> Hope that helps.
> Kuba
>
>
>
>
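
An added example, not part of the original thread: a small audit that reads `ip -o link show` output from a compute node and reports which instance tap devices are still plugged into a qbr Linux bridge (hybrid plumbing) and which sit directly on OVS. It assumes Neutron's usual device naming (tap/qbr/qvb/qvo plus the first 11 characters of the port ID) and the OVS kernel datapath, where OVS ports show `master ovs-system`; the sample lines and function names are constructed for illustration.

```python
import re

# Constructed sample of `ip -o link show` output (shortened lines, not from the thread).
SAMPLE_IP_LINK = """\
10: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
11: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
21: qbr1a2b3c4d-5e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
22: qvo1a2b3c4d-5e@qvb1a2b3c4d-5e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP mode DEFAULT
23: qvb1a2b3c4d-5e@qvo1a2b3c4d-5e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master qbr1a2b3c4d-5e state UP mode DEFAULT
24: tap1a2b3c4d-5e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master qbr1a2b3c4d-5e state UNKNOWN mode DEFAULT
31: tap9f8e7d6c-5b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovs-system state UNKNOWN mode DEFAULT
"""

# "<index>: <name>[@<peer>]: ..." at the start of each link line.
NAME_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@[^:\s]+)?:\s")
MASTER_RE = re.compile(r"\bmaster\s+(\S+)")


def plug_modes(ip_link_output):
    """Map each tap device to 'hybrid', 'native', 'unplugged' or 'unknown'."""
    modes = {}
    for line in ip_link_output.splitlines():
        name_match = NAME_RE.match(line)
        if not name_match or not name_match.group(1).startswith("tap"):
            continue
        tap = name_match.group(1)
        master_match = MASTER_RE.search(line)
        if master_match is None:
            modes[tap] = "unplugged"      # tap exists but is on no bridge
        elif master_match.group(1).startswith("qbr"):
            modes[tap] = "hybrid"         # tap -> qbr -> qvb/qvo -> br-int
        elif master_match.group(1) == "ovs-system":
            modes[tap] = "native"         # tap attached directly to OVS
        else:
            modes[tap] = "unknown"        # some other bridge; inspect by hand
    return modes


def hybrid_leftovers(ip_link_output):
    """Taps still behind a qbr bridge on a node meant to run the OVS firewall."""
    modes = plug_modes(ip_link_output)
    return sorted(tap for tap, mode in modes.items() if mode == "hybrid")


if __name__ == "__main__":
    for tap, mode in sorted(plug_modes(SAMPLE_IP_LINK).items()):
        print(f"{tap}: {mode}")
```

Run against real output on a node already switched to the openvswitch firewall driver, a non-empty `hybrid_leftovers` list identifies the instances whose ports still carry the qbr bridge described in the thread.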