Hello All, I am facing some problems migrating from iptables_hybrid frirewall to openvswitch firewall on centos 7 queens,

I am doing this because I want enable security groups logs which require openvswitch firewall.

I would like to migrate without restarting my instances.

I startded moving all instances from compute node 1.

Then I configured openvswitch firewall on compute node 1,

Instances migrated from compute node 2 to compute node 1 without problems.

Once the compute node 2 was empty, I migrated it to openvswitch.

But now instances does not migrate from node 1 to node 2 because it requires the presence of qbr bridge on node 2

This happened because migrating instances from node2 with iptables_hybrid to compute node 1 with openvswitch, does not put the tap under br-int as requested by  openvswich firewall, but qbr is still present on compute node 1.

Once I enabled openvswitch on compute node 2, migration from compute node 1 fails because it exprects qbr on compute node 2 .

So I think I should moving on the fly tap interfaces from qbr to br-int on compute node 1 before migrating to compute node 2 but it is a huge work on a lot of instances.

Any workaround, please ?

Ignazio