<div dir="ltr"><div>I am sorry Sam, on that link there are not all the configurations you need.</div><div>On the neutron node you must enable in /etc/neutron/plugins/ml2/openvswitch_agent.ini under [securitygroup]:</div><div><br></div><div>firewall_driver = openvswitch</div><div><br></div><div>Restart the openvswitch agent on the neutron node</div><div><br></div><div>Ignazio<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Mar 21, 2020 at 4:35 PM Sa Pham <<a href="mailto:saphi070@gmail.com">saphi070@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Which configuration did you use? Or did you configure the log plugin on the neutron node?</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Mar 21, 2020 at 10:02 PM Ignazio Cassano <<a href="mailto:ignaziocassano@gmail.com" target="_blank">ignaziocassano@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Sorry, I mean I added ssh access and then I removed it.</div><div>Openvswitch is a requirement for security group logs.</div><div>So, if you read the documentation, it suggests modifying iptables_hybrid on the neutron node as well.</div><div><br></div><div>1 month ago I added a compute node with openvswitch on an openstack with iptables_hybrid on the neutron node: it did not work until I modified the neutron node. 
I do not know why.<br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Mar 21, 2020 at 3:57 PM Sa Pham <<a href="mailto:saphi070@gmail.com" target="_blank">saphi070@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I just use Openvswitch as the firewall driver. I did not use the log plugin. <div><br></div><div>You said you configured sec group rules to allow and deny. As far as I know, a security group cannot add a deny rule. </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Mar 21, 2020 at 9:53 PM Ignazio Cassano <<a href="mailto:ignaziocassano@gmail.com" target="_blank">ignaziocassano@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Sa, have you modified only the compute node side?<br></div><div>I've also modified the controller node (neutron node) side as reported in the documentation for enabling security group logs.</div><div><br></div><div><a href="https://docs.openstack.org/neutron/queens/admin/config-logging.html" target="_blank">https://docs.openstack.org/neutron/queens/admin/config-logging.html</a></div><div><br></div><div>Ignazio</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Mar 21, 2020 at 3:49 PM Sa Pham <<a href="mailto:saphi070@gmail.com" target="_blank">saphi070@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">One problem which I got a few days ago. <div><br></div><div>I have an existing openstack with iptables_hybrid. I changed the firewall driver to openvswitch, then restarted neutron-openvswitch-agent. 
<div>I couldn't reach that VM any more. I tried to reboot or hard reboot that VM but it didn't work.</div></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Mar 21, 2020 at 9:41 PM Ignazio Cassano <<a href="mailto:ignaziocassano@gmail.com" target="_blank">ignaziocassano@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Sure, Sa.</div><div>I tested it 2 minutes ago.</div><div>It works.</div><div>I also changed security group rules to allow/deny ssh access. It also works after a hard reboot.</div><div>Ignazio<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Mar 21, 2020 at 2:22 PM Sa Pham <<a href="mailto:saphi070@gmail.com" target="_blank">saphi070@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">With a VM that uses a provider network directly, when I hard reboot that VM, I cannot reach that VM again. Can you test in your environment?</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Mar 21, 2020 at 7:33 PM Ignazio Cassano <<a href="mailto:ignaziocassano@gmail.com" target="_blank">ignaziocassano@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Hello Sa, I am using self service and provider networks. It works fine in both cases. 
The problem is the migration from iptables hybrid to openvswitch without rebooting instances.<div dir="auto">Do you mean security groups do not work on provider networks?</div><div dir="auto">Ignazio</div><div dir="auto"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Mar 21, 2020, 12:38 PM Sa Pham <<a href="mailto:saphi070@gmail.com" target="_blank">saphi070@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hello Ignazio,<div><br></div><div>Is your openstack environment using a self-service network?</div><div><br></div><div>I have tried the native openvswitch firewall with the openstack queens version using a provider network. But it's not working well.</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 19, 2020 at 11:12 PM Ignazio Cassano <<a href="mailto:ignaziocassano@gmail.com" rel="noreferrer" target="_blank">ignaziocassano@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hello Jakub,</div><div>I will try again, but if there is a bug on queens I do not think it will be corrected because it is going out of support.</div><div>Thanks</div><div>Ignazio<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 19, 2020 at 1:54 PM Jakub Libosvar <<a href="mailto:jlibosva@redhat.com" rel="noreferrer" target="_blank">jlibosva@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 13/03/2020 08:24, Ignazio Cassano wrote:<br>
> Hi Jakub, migrating a vm from a node with hybrid_iptables to a node switched<br>
> to openvswitch works fine. The problem is this migration creates the qbr on<br>
> the node switched to openvswitch.<br>
> But when I switch another compute node to openvswitch and I try to live<br>
> migrate the same vm (openvswitch to openvswitch) it does not work because of<br>
> the qbr presence.<br>
> I verified on nova logs.<br>
> Ignazio<br>
<br>
Hi Ignazio,<br>
<br>
I think the first step - migrating from hybrid_iptables to ovs should<br>
not create the qbr on the target node. It sounds like a bug - IIRC the<br>
libvirt domxml should not have the qbr when migrating.<br>
<br>
<br>
> <br>
> Il Gio 12 Mar 2020, 23:15 Jakub Libosvar <<a href="mailto:jlibosva@redhat.com" rel="noreferrer" target="_blank">jlibosva@redhat.com</a>> ha scritto:<br>
> <br>
>> On 12/03/2020 11:38, Ignazio Cassano wrote:<br>
>>> Hello All, I am facing some problems migrating from the iptables_hybrid<br>
>>> firewall to the openvswitch firewall on centos 7 queens.<br>
>>> I am doing this because I want to enable security group logs, which<br>
>>> require the openvswitch firewall.<br>
>>> I would like to migrate without restarting my instances.<br>
>>> I started moving all instances from compute node 1.<br>
>>> Then I configured the openvswitch firewall on compute node 1.<br>
>>> Instances migrated from compute node 2 to compute node 1 without<br>
>>> problems.<br>
>>> Once compute node 2 was empty, I migrated it to openvswitch.<br>
>>> But now instances do not migrate from node 1 to node 2 because it<br>
>>> requires the presence of the qbr bridge on node 2.<br>
>>><br>
>>> This happened because migrating instances from node 2 with iptables_hybrid<br>
>>> to compute node 1 with openvswitch does not put the tap under br-int as<br>
>>> requested by the openvswitch firewall, but qbr is still present on compute<br>
>>> node 1.<br>
>>> Once I enabled openvswitch on compute node 2, migration from compute<br>
>>> node 1 fails because it expects qbr on compute node 2.<br>
>>> So I think I should move the tap interfaces on the fly from qbr to br-int<br>
>>> on compute node 1 before migrating to compute node 2, but it is a huge<br>
>>> amount of work on a lot of instances.<br>
>>><br>
>>> Any workaround, please?<br>
>>><br>
>>> Ignazio<br>
>>><br>
>><br>
>> I may be a little outdated here but to the best of my knowledge there<br>
>> are two ways to migrate from iptables to openvswitch.<br>
>><br>
>> 1) If you don't mind the intermediate linux bridge and you care about<br>
>> logs, you can just change the config file on the compute node to start<br>
>> using the openvswitch firewall and restart the ovs agent. That should<br>
>> trigger a mechanism that deletes the iptables rules and starts using<br>
>> openflow rules. It will leave the intermediate bridge there but, apart<br>
>> from the extra hop in the networking stack, it doesn't matter.<br>
>><br>
>> 2) With the multiple-port binding feature, what you described above<br>
>> should work. I know Miguel spent some time working on that so perhaps he<br>
>> has more information about which release it should be functional in; I<br>
>> think it was Queens. Not sure if any Nova work was required to make it<br>
>> work.<br>
>><br>
>> Hope that helps.<br>
>> Kuba<br>
>><br>
>><br>
>><br>
>><br>
> <br>
<br>
</blockquote></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div dir="ltr">Sa Pham Dang</div><div dir="ltr"><div>Skype: great_bn</div><div>Phone/Telegram: 0986.849.582</div><div><br><div><br></div></div></div></div></div></div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
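<div>An added example, not code from this thread, from Neutron, or from any of the posters: a small Python audit script for the iptables_hybrid to openvswitch switch discussed above. It reads the firewall_driver value from the [securitygroup] section of an openvswitch_agent.ini (the path is the one named in the thread; the file content below is a constructed sample), rewrites it to openvswitch without touching other keys, and classifies the instance ports on br-int as hybrid (a qvo* veth from a qbr Linux bridge, the leftover intermediate bridge Jakub describes) or native (the tap attached directly to br-int, as the OVS firewall expects). The `ovs-vsctl list-ports br-int` output is a constructed sample; the live query is only used when ovs-vsctl is present on the host.</div>

```python
"""Audit helper for the iptables_hybrid -> openvswitch firewall migration
discussed in this thread.  Added example: not code from the thread, from
Neutron or from any of the posters.  All inputs below are constructed samples."""
import configparser
import re
import subprocess

# Constructed sample of /etc/neutron/plugins/ml2/openvswitch_agent.ini
# (the path is the one named in the thread; the content is made up).
SAMPLE_INI = """[ovs]
bridge_mappings = provider:br-ex

[securitygroup]
enable_security_group = True
firewall_driver = iptables_hybrid
"""

# Constructed sample of `ovs-vsctl list-ports br-int` on a compute node:
# one instance still on hybrid plumbing (qvo* veth on br-int, tap on a qbr
# Linux bridge) and one whose tap sits directly on br-int (native OVS firewall).
SAMPLE_BR_INT_PORTS = """int-br-ex
patch-tun
qvo1a2b3c4d-5e
tap9f8e7d6c-5b
"""


def configured_firewall_driver(ini_text):
    """Return the [securitygroup] firewall_driver value ('' if absent)."""
    cfg = configparser.ConfigParser(delimiters=("=",))
    cfg.read_string(ini_text)
    return cfg.get("securitygroup", "firewall_driver", fallback="")


def set_firewall_driver(ini_text, driver):
    """Return a copy of the ini text with firewall_driver set to `driver`.
    Line based, so other keys and comments are left exactly as they were;
    the key (and the section, if missing) is appended when not present."""
    out, in_sg, done = [], False, False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_sg and not done:  # leaving [securitygroup] without the key
                out.append(f"firewall_driver = {driver}")
                done = True
            in_sg = stripped == "[securitygroup]"
        elif in_sg and re.match(r"^\s*firewall_driver\s*=", line):
            line = f"firewall_driver = {driver}"
            done = True
        out.append(line)
    if not done:
        if not in_sg:
            out.append("[securitygroup]")
        out.append(f"firewall_driver = {driver}")
    return "\n".join(out) + "\n"


def classify_ports(br_int_ports):
    """Map each instance port id on br-int to its plumbing type.
    qvo<id> -> 'hybrid': veth peer of the qbr bridge, the tap is on qbr
    tap<id> -> 'native': tap attached straight to br-int, as the OVS
                         firewall driver expects
    Infrastructure ports (patch-tun, int-br-ex, ...) are ignored."""
    kinds = {}
    for name in br_int_ports:
        if name.startswith("qvo"):
            kinds[name[3:]] = "hybrid"
        elif name.startswith("tap"):
            kinds[name[3:]] = "native"
    return kinds


def hybrid_port_ids(br_int_ports):
    """Ids of instances whose tap still hangs off a qbr bridge, i.e. the
    leftover intermediate bridge that the thread reports as blocking a
    later live migration between openvswitch-firewall nodes."""
    return sorted(pid for pid, kind in classify_ports(br_int_ports).items()
                  if kind == "hybrid")


def live_br_int_ports():
    """Ports of the local br-int; [] when ovs-vsctl is unavailable (offline)."""
    try:
        proc = subprocess.run(["ovs-vsctl", "list-ports", "br-int"],
                              capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []
    return proc.stdout.split()


if __name__ == "__main__":
    print("configured driver:", configured_firewall_driver(SAMPLE_INI))
    print("after the switch:\n" + set_firewall_driver(SAMPLE_INI, "openvswitch"))
    ports = live_br_int_ports() or SAMPLE_BR_INT_PORTS.split()
    for pid, kind in sorted(classify_ports(ports).items()):
        print(f"port {pid}: {kind}")
    print("still on qbr:", hybrid_port_ids(ports))
```

<div>Run it on a compute node after changing the driver and restarting the agent: every id listed under "still on qbr" is an instance whose tap has not moved to br-int, which is the state the thread reports as blocking a later live migration to a node that already runs the openvswitch firewall.</div>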