Hi Satish,
I just tested the openvswitch firewall driver.

It is looking good, I mean no errors after the change, but we need to configure live migration like this:

----------------- neutron.conf -----------------
[nova]
live_migration_events = True
------------------------------------------------

----------------- nova.conf -----------------
[DEFAULT]
vif_plugging_timeout = 600
vif_plugging_is_fatal = true
debug = True

[compute]
live_migration_wait_for_vif_plug = True

[workarounds]
enable_qemu_monitor_announce_self = True

----------------- openvswitch_agent.ini -----------------

[securitygroup]
firewall_driver = openvswitch
[ovs]
openflow_processed_per_port = true

These configs are from the OpenStack community. You can refer to the docs.

With the native firewall backend you must set "live_migration_events = True"; without it, some instances cannot ping (you need to log in via console to wake up these instances) after live migration, you can test.

I am planning to test like 

https://thesaitech.wordpress.com/2019/02/15/a-comparative-study-of-openstack-networking-architectures/

to see what benefit OVS with the native backend will bring to us.

Nguyen Huu Khoi


On Tue, Aug 1, 2023 at 11:30 PM Satish Patel <satish.txt@gmail.com> wrote:
Folks,

Who is running the OVS firewall driver (firewall_driver = openvswitch) in production, and are there any issues with running it which I may not be aware of? We are not yet ready for OVN deployments, so we have to stick with OVS.

LinuxBridge is at the end of its life, so we are trying to get rid of any dependency.

[securitygroup]
firewall_driver = openvswitch