[queens][neutron] migrating from iptables_hybrid to openvswitch

Ignazio Cassano ignaziocassano at gmail.com
Sat Mar 21 14:41:26 UTC 2020


Sure, Sa.
I tested it 2 minutes ago.
It works.
I also changed security group rules to allow/deny ssh access. It works
also after a hard reboot.
Ignazio

On Sat, 21 Mar 2020 at 14:22, Sa Pham <saphi070 at gmail.com>
wrote:

> With a VM that uses the provider network directly, when I hard reboot that VM, I
> cannot reach that VM again. Can you test in your environment?
>
> On Sat, Mar 21, 2020 at 7:33 PM Ignazio Cassano <ignaziocassano at gmail.com>
> wrote:
>
>> Hello Sa, I am using self-service and provider networks. It works fine in
>> both cases. The problem is the migration from iptables hybrid to
>> openvswitch without rebooting instances.
>> Do you mean security groups do not work on provider networks?
>> Ignazio
>>
>>
>> On Sat, 21 Mar 2020, 12:38 Sa Pham <saphi070 at gmail.com> wrote:
>>
>>> Hello Ignazio,
>>>
>>> Is your OpenStack environment using a self-service network?
>>>
>>> I have tried the openvswitch native firewall with the OpenStack Queens version
>>> using a provider network. But it's not working well.
>>>
>>>
>>>
>>> On Thu, Mar 19, 2020 at 11:12 PM Ignazio Cassano <
>>> ignaziocassano at gmail.com> wrote:
>>>
>>>> Hello Jakub,
>>>> I will try again but if there is a bug on Queens I do not think it will
>>>> be corrected because it is going out of support.
>>>> Thanks
>>>> Ignazio
>>>>
>>>> On Thu, 19 Mar 2020 at 13:54, Jakub Libosvar <
>>>> jlibosva at redhat.com> wrote:
>>>>
>>>>> On 13/03/2020 08:24, Ignazio Cassano wrote:
>>>>> > Hi Jakub, migrating a VM from a node with hybrid_iptables to a node
>>>>> > switched to openvswitch works fine. The problem is that this migration
>>>>> > creates the qbr on the node switched to openvswitch.
>>>>> > But when I switch another compute node to openvswitch and I try to
>>>>> > live migrate the same VM (openvswitch to openvswitch) it does not work
>>>>> > because of the qbr presence.
>>>>> > I verified in nova logs.
>>>>> > Ignazio
>>>>>
>>>>> Hi Ignazio,
>>>>>
>>>>> I think the first step - migrating from hybrid_iptables to ovs should
>>>>> not create the qbr on the target node. It sounds like a bug - IIRC the
>>>>> libvirt domxml should not have the qbr when migrating.
>>>>>
>>>>>
>>>>> >
>>>>> > On Thu, 12 Mar 2020, 23:15 Jakub Libosvar <jlibosva at redhat.com>
>>>>> > wrote:
>>>>> >
>>>>> >> On 12/03/2020 11:38, Ignazio Cassano wrote:
>>>>> >>> Hello All, I am facing some problems migrating from the iptables_hybrid
>>>>> >>> firewall to the openvswitch firewall on CentOS 7 Queens.
>>>>> >>> I am doing this because I want to enable security group logs, which
>>>>> >>> require the openvswitch firewall.
>>>>> >>> I would like to migrate without restarting my instances.
>>>>> >>> I started by moving all instances from compute node 1.
>>>>> >>> Then I configured the openvswitch firewall on compute node 1.
>>>>> >>> Instances migrated from compute node 2 to compute node 1 without
>>>>> >>> problems.
>>>>> >>> Once compute node 2 was empty, I migrated it to openvswitch.
>>>>> >>> But now instances do not migrate from node 1 to node 2 because it
>>>>> >>> requires the presence of the qbr bridge on node 2.
>>>>> >>>
>>>>> >>> This happened because migrating instances from node 2 with
>>>>> >>> iptables_hybrid to compute node 1 with openvswitch does not put the tap
>>>>> >>> under br-int as required by the openvswitch firewall, but the qbr is
>>>>> >>> still present on compute node 1.
>>>>> >>> Once I enabled openvswitch on compute node 2, migration from compute
>>>>> >>> node 1 fails because it expects the qbr on compute node 2.
>>>>> >>> So I think I should move the tap interfaces on the fly from qbr to
>>>>> >>> br-int on compute node 1 before migrating to compute node 2, but it is
>>>>> >>> a huge amount of work on a lot of instances.
>>>>> >>>
>>>>> >>> Any workaround, please?
>>>>> >>>
>>>>> >>> Ignazio
>>>>> >>>
>>>>> >>
>>>>> >> I may be a little outdated here but to the best of my knowledge there
>>>>> >> are two ways to migrate from iptables to openvswitch.
>>>>> >>
>>>>> >> 1) If you don't mind the intermediate linux bridge and you care about
>>>>> >> logs, you can just change the config file on the compute node to start
>>>>> >> using the openvswitch firewall and restart the ovs agent. That should
>>>>> >> trigger a mechanism that deletes the iptables rules and starts using
>>>>> >> openflow rules. It will leave the intermediate bridge there but, except
>>>>> >> for the extra hop in the networking stack, it doesn't matter.
>>>>> >>
>>>>> >> 2) With the multiple-port-binding feature, what you described above
>>>>> >> should be working. I know Miguel spent some time working on that so
>>>>> >> perhaps he has more information about which release it should be
>>>>> >> functional at, I think it was Queens. Not sure if any Nova work was
>>>>> >> required to make it work.
>>>>> >>
>>>>> >> Hope that helps.
>>>>> >> Kuba
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >
>>>>>
>>>>>
>>>
>>> --
>>> Sa Pham Dang
>>> Skype: great_bn
>>> Phone/Telegram: 0986.849.582
>>>
>>>
>>>
>
> --
> Sa Pham Dang
> Skype: great_bn
> Phone/Telegram: 0986.849.582
>
>
>
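The thread turns on one observable fact per instance: whether its tap is still attached through a qbr linux bridge (iptables_hybrid plugging) or sits directly on br-int with an openvswitch virtualport (native openvswitch firewall), which is what Jakub expects the libvirt domain XML to show after a migration. The script below is an added example, not code from this thread or from Neutron/Nova: it reads libvirt domain XML in the layout Nova's libvirt driver produces for OVS ports (as `virsh dumpxml` prints it) and reports, per interface, which plugging mode it is in, so an operator can inventory which instances on a compute node are still hybrid-plugged before flipping that node's firewall driver or live-migrating them. The two sample domains, their bridge names, taps and the interfaceid are constructed.

```python
"""Inventory how each vNIC of a libvirt/Nova instance is plugged.

Added example, not from the mailing-list thread. Assumes the domain XML
layout Nova's libvirt driver generates for OVS ports:
  - iptables_hybrid: <source bridge='qbrXXXX'/> and no <virtualport>
  - native OVS:      <source bridge='br-int'/> + <virtualport type='openvswitch'>
The sample domains below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a VM whose tap still hangs off a qbr bridge.
HYBRID_DOMAIN = """
<domain type='kvm'>
  <name>instance-00000001</name>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:11:22:33'/>
      <source bridge='qbr0a1b2c3d-4e'/>
      <target dev='tap0a1b2c3d-4e'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""

# Constructed sample: a VM plugged straight into br-int (native OVS firewall).
NATIVE_DOMAIN = """
<domain type='kvm'>
  <name>instance-00000002</name>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:44:55:66'/>
      <source bridge='br-int'/>
      <virtualport type='openvswitch'>
        <parameters interfaceid='5f6e7d8c-9a0b-4c1d-8e2f-3a4b5c6d7e8f'/>
      </virtualport>
      <target dev='tap5f6e7d8c-9a'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""


def classify_interfaces(domain_xml):
    """Return one dict per <interface>: instance name, tap, bridge and plugging mode."""
    root = ET.fromstring(domain_xml)
    name_el = root.find("name")
    instance = name_el.text if name_el is not None else "?"
    result = []
    for iface in root.findall("./devices/interface"):
        src = iface.find("source")
        bridge = src.get("bridge") if src is not None else None
        tgt = iface.find("target")
        tap = tgt.get("dev") if tgt is not None else None
        vport = iface.find("virtualport")
        vport_type = vport.get("type") if vport is not None else None
        if bridge == "br-int" and vport_type == "openvswitch":
            mode = "ovs-native"          # tap is on br-int; OVS firewall can act on it
        elif bridge is not None and bridge.startswith("qbr"):
            mode = "iptables-hybrid"     # still behind the intermediate linux bridge
        else:
            mode = "unknown"             # e.g. SR-IOV, macvtap or a non-OVS backend
        result.append({"instance": instance, "tap": tap, "bridge": bridge, "mode": mode})
    return result


def hybrid_instances(domains):
    """Names of instances that still have at least one qbr-plugged interface."""
    names = []
    for xml in domains:
        ifaces = classify_interfaces(xml)
        if any(i["mode"] == "iptables-hybrid" for i in ifaces):
            names.append(ifaces[0]["instance"])
    return names


if __name__ == "__main__":
    for xml in (HYBRID_DOMAIN, NATIVE_DOMAIN):
        for i in classify_interfaces(xml):
            print(f"{i['instance']}: {i['tap']} on {i['bridge']} -> {i['mode']}")
    print("still hybrid-plugged:", hybrid_instances([HYBRID_DOMAIN, NATIVE_DOMAIN]))
```

Run it against the `virsh dumpxml` output of every domain on a compute node and the `iptables-hybrid` list is exactly the set of instances whose qbr would be carried over by a live migration, as Ignazio observed; an empty list on a node is the condition under which an openvswitch-to-openvswitch migration no longer depends on a qbr being present on the target.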