[openstack][neutron][nova][kolla-ansible] instance cannot ping after live migrate

Nguyễn Hữu Khôi nguyenhuukhoinw at gmail.com
Sat Jul 29 14:29:41 UTC 2023


Hello.
I just learned about the ovs firewall last week. I am going to compare
them.
Could you share some experience about why to choose the ovs firewall driver over iptables?
Thank you.
Nguyen Huu Khoi


On Sat, Jul 29, 2023 at 5:55 PM Satish Patel <satish.txt at gmail.com> wrote:

> Why are you not using the openvswitch flow-based firewall instead of
> Linuxbridge, which will add hops in the packet path?
>
> Sent from my iPhone
>
> On Jul 27, 2023, at 12:25 PM, Nguyễn Hữu Khôi <nguyenhuukhoinw at gmail.com>
> wrote:
>
> 
> Hello.
> I figured out that my rabbitmq queues are corrupt, so the neutron port cannot
> upgrade security rules. I need to delete the queues so I can migrate without
> problems.
>
> Thank you so much for replying to me.
>
> On Thu, Jul 27, 2023, 8:11 AM Nguyễn Hữu Khôi <nguyenhuukhoinw at gmail.com>
> wrote:
>
>> Hello.
>>
>> When my instances were migrated to other computes, I checked on the dest
>> host and I see that
>>
>> -A neutron-openvswi-i41ec1d15-e -d x.x.x.x(my instance ip)/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
>>
>> is missing and my instance cannot get an IP.
>> I must restart neutron_openvswitch_agent, then this rule appears and I can
>> reach the instance via the network.
>>
>> I use openvswitch and provider networks. This problem has happened this
>> week, after the system was upgraded from xena to yoga and I enabled quorum
>> queues.
>>
>>
>>
>> Nguyen Huu Khoi
>>
>>
>> On Wed, Jul 26, 2023 at 5:28 PM Nguyễn Hữu Khôi <
>> nguyenhuukhoinw at gmail.com> wrote:
>>
>>> Because I don't see any error logs, although I set debug log to on.
>>>
>>> Your advice is very helpful to me. I will try to dig deeper. I am lost,
>>> so some suggestions are the best way for me to continue. :)
>>>
>>> On Wed, Jul 26, 2023, 4:39 PM <smooney at redhat.com> wrote:
>>>
>>>> On Wed, 2023-07-26 at 07:49 +0700, Nguyễn Hữu Khôi wrote:
>>>> > Hello guys.
>>>> >
>>>> > I am using openstack yoga with kolla ansible.
>>>> Without logs of some kind I don't think anyone will be able to help you
>>>> with this.
>>>> You have one issue with the config which I noted inline, but that should
>>>> not break live migration.
>>>> But it would allow it to proceed when otherwise it would have failed,
>>>> and it would allow this issue to happen instead of the vm going to
>>>> error or the migration
>>>> being aborted in pre live migrate.
>>>> >
>>>> > When I migrate:
>>>> >
>>>> > instance1 from host A to host B, after that I cannot ping this
>>>> > instance (telnet also). I must restart neutron_openvswitch_agent or move
>>>> > this instance back to host B, then this problem is gone.
>>>> >
>>>> > this is my settings:
>>>> >
>>>> > ----------------- neutron.conf -----------------
>>>> > [nova]
>>>> > live_migration_events = True
>>>> > ------------------------------------------------
>>>> >
>>>> > ----------------- nova.conf -----------------
>>>> > [DEFAULT]
>>>> > vif_plugging_timeout = 600
>>>> > vif_plugging_is_fatal = False
>>>> You should never run with this set to false in production.
>>>> It will break nova's ability to detect if networking is configured
>>>> when booting or migrating a vm.
>>>> We honestly should have removed this when we removed nova-networks.
>>>> > debug = True
>>>> >
>>>> > [compute]
>>>> > live_migration_wait_for_vif_plug = True
>>>> >
>>>> > [workarounds]
>>>> > enable_qemu_monitor_announce_self = True
>>>> >
>>>> > ----------------- openvswitch_agent.ini-----------------
>>>> > [securitygroup]
>>>> > firewall_driver = openvswitch
>>>> > [ovs]
>>>> > openflow_processed_per_port = true
>>>> >
>>>> > I checked the nova, neutron, ops logs but they are ok.
>>>> >
>>>> > Thank you.
>>>> >
>>>> >
>>>> > Nguyen Huu Khoi
>>>>
>>>>
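
The symptom reported in this thread, a per-port ingress chain on the destination host that lacks the DHCP reply rule, can be checked mechanically from `iptables-save` output read on stdin. The script below is an added example, not code from the thread or from neutron. It assumes that every `neutron-openvswi-i…` chain should carry the rule quoted in the post; the second chain name and the 192.0.2.x address in the sample are constructed.

```python
import re
import sys

# Per-port ingress chains of the iptables-based firewall, named as in the post.
PORT_CHAIN = r"neutron-openvswi-i[0-9a-f][0-9a-f-]*"
CHAIN_DECL = re.compile(rf"^:({PORT_CHAIN})\s")
RULE = re.compile(rf"^-A ({PORT_CHAIN})\s+(.*)$")
# The DHCP reply rule quoted in the post: UDP source port 67 to port 68, RETURN.
DHCP_REPLY = re.compile(r"-p udp\b.*--sport 67\b.*--dport 68\b.*-j RETURN\b")

# Constructed sample dump: the first chain (name taken from the post) has lost
# its DHCP rule, the second chain (constructed name) still has it.
SAMPLE_DUMP = """\
*filter
:neutron-openvswi-i41ec1d15-e - [0:0]
:neutron-openvswi-i7b2f9c03-a - [0:0]
-A neutron-openvswi-i41ec1d15-e -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i41ec1d15-e -j neutron-openvswi-sg-fallback
-A neutron-openvswi-i7b2f9c03-a -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i7b2f9c03-a -d 192.0.2.10/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i7b2f9c03-a -j neutron-openvswi-sg-fallback
COMMIT
"""


def chains_missing_dhcp_rule(dump):
    """Return port ingress chains that carry no DHCP reply rule, in dump order."""
    declared, has_dhcp = [], set()
    for line in dump.splitlines():
        line = line.strip()
        decl = CHAIN_DECL.match(line)
        if decl:
            if decl.group(1) not in declared:
                declared.append(decl.group(1))
            continue
        rule = RULE.match(line)
        if rule:
            chain, spec = rule.groups()
            if chain not in declared:  # chain seen only through its rules
                declared.append(chain)
            if DHCP_REPLY.search(spec):
                has_dhcp.add(chain)
    return [c for c in declared if c not in has_dhcp]


if __name__ == "__main__":
    # Pipe `iptables-save` in; with no pipe, the constructed sample is used.
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    missing = chains_missing_dhcp_rule(dump)
    for chain in missing:
        print(f"missing DHCP reply rule: {chain}")
    sys.exit(1 if missing else 0)
```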


More information about the openstack-discuss mailing list