[openstack][neutron][nova][kolla-ansible] instance cannot ping after live migrate

Satish Patel satish.txt at gmail.com
Sun Jul 30 01:26:28 UTC 2023


iptables + Linux bridge integration with OVS was very old, and OVS ACLs were
not mature enough in the earlier days. But nowadays OVN supports OVS-based ACLs,
and that means it's much more stable.

On Sat, Jul 29, 2023 at 10:29 AM Nguyễn Hữu Khôi <nguyenhuukhoinw at gmail.com>
wrote:

> Hello.
> I just learned about the ovs firewall last week. I am going to compare
> between them.
> Could you share some experience about why to use the ovs firewall driver over
> iptables?
> Thank you.
> Nguyen Huu Khoi
>
>
> On Sat, Jul 29, 2023 at 5:55 PM Satish Patel <satish.txt at gmail.com> wrote:
>
>> Why are you not using the openvswitch flow-based firewall instead of
>> Linuxbridge, which will add hops in the packet path?
>>
>> Sent from my iPhone
>>
>> On Jul 27, 2023, at 12:25 PM, Nguyễn Hữu Khôi <nguyenhuukhoinw at gmail.com>
>> wrote:
>>
>> 
>> Hello.
>> I figured out that my rabbitmq queues are corrupt, so the neutron port cannot
>> upgrade security rules. I need to delete the queues so I can migrate without
>> problems.
>>
>> Thank you so much for replying to me.
>>
>> On Thu, Jul 27, 2023, 8:11 AM Nguyễn Hữu Khôi <nguyenhuukhoinw at gmail.com>
>> wrote:
>>
>>> Hello.
>>>
>>> When my instances were migrated to other computes, I checked on the dest
>>> host and I see that
>>>
>>> -A neutron-openvswi-i41ec1d15-e -d x.x.x.x(my instance ip)/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
>>>
>>> is missing and my instance cannot get an IP.
>>> I must restart neutron_openvswitch_agent, then this rule appears and I can
>>> touch the instance via the network.
>>>
>>> I use openvswitch and provider networks. This problem has happened this
>>> week, after the system was upgraded from xena to yoga and I enabled quorum
>>> queues.
>>>
>>>
>>>
>>> Nguyen Huu Khoi
>>>
>>>
>>> On Wed, Jul 26, 2023 at 5:28 PM Nguyễn Hữu Khôi <
>>> nguyenhuukhoinw at gmail.com> wrote:
>>>
>>>> Because I don't see any error logs. Although, I set debug log to on.
>>>>
>>>> Your advice is very helpful to me. I will try to dig deeply. I am
>>>> lost, so some suggestions are the best way for me to continue. :)
>>>>
>>>> On Wed, Jul 26, 2023, 4:39 PM <smooney at redhat.com> wrote:
>>>>
>>>>> On Wed, 2023-07-26 at 07:49 +0700, Nguyễn Hữu Khôi wrote:
>>>>> > Hello guys.
>>>>> >
>>>>> > I am using openstack yoga with kolla ansible.
>>>>> without logs of some kind I don't think anyone will be able to help you
>>>>> with this.
>>>>> you have one issue with the config which I noted inline, but that
>>>>> should not break live migration.
>>>>> but it would allow it to proceed when otherwise it would have failed.
>>>>> and it would allow this issue to happen instead of the vm going to
>>>>> error or the migration
>>>>> being aborted in pre live migrate.
>>>>> >
>>>>> > When I migrate:
>>>>> >
>>>>> > instance1 from host A to host B after that I cannot ping this
>>>>> > instance(telnet also). I must restart neutron_openvswitch_agent or
>>>>> > move this instance back to host B then this problem has gone.
>>>>> >
>>>>> > this is my settings:
>>>>> >
>>>>> > ----------------- neutron.conf -----------------
>>>>> > [nova]
>>>>> > live_migration_events = True
>>>>> > ------------------------------------------------
>>>>> >
>>>>> > ----------------- nova.conf -----------------
>>>>> > [DEFAULT]
>>>>> > vif_plugging_timeout = 600
>>>>> > vif_plugging_is_fatal = False
>>>>> you should never run with this set to false in production.
>>>>> it will break nova's ability to detect if networking is configured
>>>>> when booting or migrating a vm.
>>>>> we honestly should have removed this when we removed nova-networks
>>>>> > debug = True
>>>>> >
>>>>> > [compute]
>>>>> > live_migration_wait_for_vif_plug = True
>>>>> >
>>>>> > [workarounds]
>>>>> > enable_qemu_monitor_announce_self = True
>>>>> >
>>>>> > ----------------- openvswitch_agent.ini -----------------
>>>>> > [securitygroup]
>>>>> > firewall_driver = openvswitch
>>>>> > [ovs]
>>>>> > openflow_processed_per_port = true
>>>>> >
>>>>> > I check nova, neutron, ops logs but they are ok.
>>>>> >
>>>>> > Thank you.
>>>>> >
>>>>> >
>>>>> > Nguyen Huu Khoi
>>>>>
>>>>>
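
The check described in the thread (looking on the destination host for the per-port DHCP reply rule), as an added example that is not part of the original messages or of any project's code. The function names, the second chain name and the addresses are constructed; it assumes every port's ingress chain should carry the rule, which only holds for ports on DHCP-enabled subnets.

```python
import shlex

# Prefix of the per-port ingress chain, taken from the rule quoted in the thread.
INGRESS_PREFIX = "neutron-openvswi-i"

# Constructed iptables-save excerpt: the first chain lacks the DHCP reply rule,
# the second (constructed chain name and address) has it.
SAMPLE = """\
*filter
:neutron-openvswi-i41ec1d15-e - [0:0]
:neutron-openvswi-i0000aaaa-b - [0:0]
-A neutron-openvswi-i41ec1d15-e -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i0000aaaa-b -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i0000aaaa-b -d 192.0.2.20/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
COMMIT
"""


def _value(tokens, flag):
    """Return the token following `flag`, or None if the flag is absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def is_dhcp_reply_rule(tokens):
    """True for a rule that accepts DHCP server replies (udp 67 -> 68)."""
    return (_value(tokens, "-p") == "udp"
            and _value(tokens, "--sport") == "67"
            and _value(tokens, "--dport") == "68"
            and _value(tokens, "-j") == "RETURN")


def chains_missing_dhcp_rule(iptables_save_text):
    """List per-port ingress chains that have no DHCP reply rule."""
    has_rule = {}  # chain name -> DHCP reply rule seen
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                    # chain declaration
            name = line[1:].split()[0]
            if name.startswith(INGRESS_PREFIX):
                has_rule.setdefault(name, False)
        elif line.startswith("-A "):                # appended rule
            tokens = shlex.split(line)
            if len(tokens) > 1 and tokens[1].startswith(INGRESS_PREFIX):
                has_rule[tokens[1]] = (has_rule.get(tokens[1], False)
                                       or is_dhcp_reply_rule(tokens))
    return sorted(name for name, ok in has_rule.items() if not ok)


if __name__ == "__main__":
    for chain in chains_missing_dhcp_rule(SAMPLE):
        print("missing DHCP reply rule:", chain)
```

On a compute host the input would be the text produced by `iptables-save` after the migration completes.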