[openvswitch][neutron] firewall_driver openvswitch in production
Folks,

Who is running the OVS firewall driver (firewall_driver = openvswitch) in production and are there any issues with running it which I may not be aware of? We are not yet ready for OVN deployments so have to stick with OVS.

LinuxBridge is at the end of its life trying to get rid of any dependency.

[securitygroup]
firewall_driver = openvswitch
Hi Satish,

I just tested the openvswitch firewall driver. It is looking good, I mean no errors after the change, but we need to configure live migration like this:

----------------- neutron.conf -----------------
[nova]
live_migration_events = True
------------------------------------------------

----------------- nova.conf -----------------
[DEFAULT]
vif_plugging_timeout = 600
vif_plugging_is_fatal = true
debug = True

[compute]
live_migration_wait_for_vif_plug = True

[workarounds]
enable_qemu_monitor_announce_self = True

----------------- openvswitch_agent.ini -----------------
[securitygroup]
firewall_driver = openvswitch

[ovs]
openflow_processed_per_port = true

These configs are from the OpenStack community. You can refer to the docs.

With the native firewall backend you must set "live_migration_events = True"; without it, some instances cannot ping (you need to log in via console to wake up these instances) after live migration. You can test this.

I am planning to test like https://thesaitech.wordpress.com/2019/02/15/a-comparative-study-of-openstack... to see what benefit OVS with the native backend will bring to us.

Nguyen Huu Khoi

On Tue, Aug 1, 2023 at 11:30 PM Satish Patel <satish.txt@gmail.com> wrote:
Folks,
Who is running the OVS firewall driver (firewall_driver = openvswitch) in production and are there any issues with running it which I may not be aware of? We are not yet ready for OVN deployments so have to stick with OVS.
LinuxBridge is at the end of its life trying to get rid of any dependency.
[securitygroup]
firewall_driver = openvswitch
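One way to check a compute node against the options listed in the reply above, as an added example that is not part of the original thread or of OpenStack's own tooling. The dictionary keys are plain file names, the finding strings are this example's own format, the `SAMPLE` contents are constructed, and `debug = True` is left out because it only raises log verbosity.

```python
import configparser

# Options from the reply above: file -> section -> option -> wanted value.
EXPECTED = {
    "neutron.conf": {"nova": {"live_migration_events": "True"}},
    "nova.conf": {
        "DEFAULT": {"vif_plugging_timeout": "600", "vif_plugging_is_fatal": "true"},
        "compute": {"live_migration_wait_for_vif_plug": "True"},
        "workarounds": {"enable_qemu_monitor_announce_self": "True"},
    },
    "openvswitch_agent.ini": {
        "securitygroup": {"firewall_driver": "openvswitch"},
        "ovs": {"openflow_processed_per_port": "true"},
    },
}
_BOOL = {"true": True, "1": True, "yes": True, "on": True,
         "false": False, "0": False, "no": False, "off": False}

def _norm(value):
    """Treat true/True/1/yes alike; compare everything else as text."""
    return _BOOL.get(value.strip().lower(), value.strip())

def audit(files):
    """files maps a config file name to its text; returns drift findings."""
    findings = []
    for name, sections in EXPECTED.items():
        # Renaming default_section makes [DEFAULT] an ordinary section, so its
        # options are not silently inherited by [compute], [ovs] and the rest.
        parser = configparser.ConfigParser(
            default_section="__unused__", interpolation=None, strict=False)
        parser.read_string(files.get(name, ""), source=name)
        for section, options in sections.items():
            for option, want in options.items():
                got = parser.get(section, option, fallback=None)
                if got is None:
                    findings.append(f"{name}: [{section}] {option} not set")
                elif _norm(got) != _norm(want):
                    findings.append(f"{name}: [{section}] {option} = {got}")
    return findings

# Constructed sample node: event option missing, VIF plug failure non-fatal.
SAMPLE = {
    "neutron.conf": "[nova]\nauth_type = password\n",
    "nova.conf": "[DEFAULT]\nvif_plugging_timeout = 600\nvif_plugging_is_fatal = False\n"
                 "[compute]\nlive_migration_wait_for_vif_plug = true\n",
    "openvswitch_agent.ini": "[securitygroup]\nfirewall_driver = openvswitch\n"
                             "[ovs]\nopenflow_processed_per_port = true\n",
}
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all options match")
```

To run it against a real node, read the three files from wherever the deployment keeps them and pass their text to `audit()`.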
Thanks for the update. I am going to switch my firewall driver to openvswitch and will update here for any issues or gotchas!!!

On Wed, Aug 2, 2023 at 7:30 PM Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> wrote:
Hi Satish,

I just tested the openvswitch firewall driver. It is looking good, I mean no errors after the change, but we need to configure live migration like this:

----------------- neutron.conf -----------------
[nova]
live_migration_events = True
------------------------------------------------

----------------- nova.conf -----------------
[DEFAULT]
vif_plugging_timeout = 600
vif_plugging_is_fatal = true
debug = True

[compute]
live_migration_wait_for_vif_plug = True

[workarounds]
enable_qemu_monitor_announce_self = True

----------------- openvswitch_agent.ini -----------------
[securitygroup]
firewall_driver = openvswitch

[ovs]
openflow_processed_per_port = true

These configs are from the OpenStack community. You can refer to the docs.

With the native firewall backend you must set "live_migration_events = True"; without it, some instances cannot ping (you need to log in via console to wake up these instances) after live migration. You can test this.

I am planning to test like https://thesaitech.wordpress.com/2019/02/15/a-comparative-study-of-openstack... to see what benefit OVS with the native backend will bring to us.
Nguyen Huu Khoi
On Tue, Aug 1, 2023 at 11:30 PM Satish Patel <satish.txt@gmail.com> wrote:
Folks,
Who is running the OVS firewall driver (firewall_driver = openvswitch) in production and are there any issues with running it which I may not be aware of? We are not yet ready for OVN deployments so have to stick with OVS.
LinuxBridge is at the end of its life trying to get rid of any dependency.
[securitygroup]
firewall_driver = openvswitch
participants (2)
- Nguyễn Hữu Khôi
- Satish Patel