Hello Sa, I am using self service and provider networks.It works fine in both cases. The problem is the migration from iptables hybrid to openvswitch without rebooting instanes.
Do you mean security groups do not work on provider networks ?
Ignazio


Il Sab 21 Mar 2020, 12:38 Sa Pham <saphi070@gmail.com> ha scritto:
Hello Ignazio,

Does your openstack environment  using self-service network ?

I have tried openvswitch firewall native with openstack queens version using provider network. But It's not working good.



On Thu, Mar 19, 2020 at 11:12 PM Ignazio Cassano <ignaziocassano@gmail.com> wrote:
Hello Jakub,
I will try again but if there is a bug on queens I do not think it will be corrected because is going out of support.
Thanks
Ignazio

Il giorno gio 19 mar 2020 alle ore 13:54 Jakub Libosvar <jlibosva@redhat.com> ha scritto:
On 13/03/2020 08:24, Ignazio Cassano wrote:
> Hu Jakub, migrating vm from a not with hybrid_itatabes ti a node switched
> on openvswitch works fine . The problem is this migration create the qbr on
> the mode switched to openvswitch.
> But when I switch another compute node to openvswitch and I try to live
> migrate the same vm (openvswitch to qopenswitch) it does not work because
> the qbr presence.
> I verified on nova logs.
> Ignazio

Hi Ignazio,

I think the first step - migrating from hybrid_iptables to ovs should
not create the qbr on the target node. It sounds like a bug - IIRC the
libvirt domxml should not have the qbr when migrating.


>
> Il Gio 12 Mar 2020, 23:15 Jakub Libosvar <jlibosva@redhat.com> ha scritto:
>
>> On 12/03/2020 11:38, Ignazio Cassano wrote:
>>> Hello All, I am facing some problems migrating from iptables_hybrid
>>> frirewall to openvswitch firewall on centos 7 queens,
>>> I am doing this because I want enable security groups logs which require
>>> openvswitch firewall.
>>> I would like to migrate without restarting my instances.
>>> I startded moving all instances from compute node 1.
>>> Then I configured openvswitch firewall on compute node 1,
>>> Instances migrated from compute node 2 to compute node 1 without
>> problems.
>>> Once the compute node 2 was empty, I migrated it to openvswitch.
>>> But now instances does not migrate from node 1 to node 2 because it
>>> requires the presence of qbr bridge on node 2
>>>
>>> This happened because migrating instances from node2 with iptables_hybrid
>>> to compute node 1 with openvswitch, does not put the tap under br-int as
>>> requested by  openvswich firewall, but qbr is still present on compute
>> node
>>> 1.
>>> Once I enabled openvswitch on compute node 2, migration from compute
>> node 1
>>> fails because it exprects qbr on compute node 2 .
>>> So I think I should moving on the fly tap interfaces from qbr to br-int
>> on
>>> compute node 1 before migrating to compute node 2 but it is a huge work
>> on
>>> a lot of instances.
>>>
>>> Any workaround, please ?
>>>
>>> Ignazio
>>>
>>
>> I may be a little outdated here but to the best of my knowledge there
>> are two ways how to migrate from iptables to openvswitch.
>>
>> 1) If you don't mind the intermediate linux bridge and you care about
>> logs, you can just change the config file on compute node to start using
>> openvswitch firewall and restart the ovs agent. That should trigger a
>> mechanism that deletes iptables rules and starts using openflow rules.
>> It will leave the intermediate bridge there but except the extra hop in
>> networking stack, it doesn't mind.
>>
>> 2) With multiple-port binding feature, what you described above should
>> be working. I know Miguel spent some time working on that so perhaps he
>> has more information about which release it should be functional at, I
>> think it was Queens. Not sure if any Nova work was required to make it
>> work.
>>
>> Hope that helps.
>> Kuba
>>
>>
>>
>>
>



--
Sa Pham Dang
Skype: great_bn
Phone/Telegram: 0986.849.582