[neutron] Security groups with SR-IOV as a second ML2 mechanism driver
Dear all,
I'm planning to use the SR-IOV Networking L2 Agent with another L2 Agent such as Open vSwitch or Linux Bridge (a configuration with multiple ML2 mechanism drivers).
Does anybody know if I can use the Open vSwitch or Linux Bridge L2 agents with the security group feature (implemented with the iptables firewall driver or the Native Open vSwitch firewall driver)? Or am I restricted to applying no security to my instances because the SR-IOV L2 agent is being used as a second mechanism driver in the same OpenStack deployment?
Thanks in advance, Gabriel Gamero
The firewall driver is a per-agent config, so it is fine to have the SR-IOV agent firewall as noop and the OVS agent as ovs/hybrid.
-----Original Message-----
From: GABRIEL OMAR GAMERO MONTENEGRO gabriel.gamero@pucp.edu.pe
Sent: Tuesday, October 6, 2020 1:12 AM
To: openstack-discuss@lists.openstack.org
Subject: [neutron] Security groups with SR-IOV as a second ML2 mechanism driver
Dear all,
I'm planning to use the SR-IOV Networking L2 Agent with another L2 Agent such as Open vSwitch or Linux Bridge (a configuration with multiple ML2 mechanism drivers).
Does anybody know if I can use the Open vSwitch or Linux Bridge L2 agents with the security group feature (implemented with the iptables firewall driver or the Native Open vSwitch firewall driver)? Or am I restricted to applying no security to my instances because the SR-IOV L2 agent is being used as a second mechanism driver in the same OpenStack deployment?
Thanks in advance, Gabriel Gamero
Hi,
On Mon, Oct 05, 2020 at 05:12:20PM -0500, GABRIEL OMAR GAMERO MONTENEGRO wrote:
> Dear all,
> I'm planning to use the SR-IOV Networking L2 Agent with another L2 Agent such as Open vSwitch or Linux Bridge (a configuration with multiple ML2 mechanism drivers).
> Does anybody know if I can use the Open vSwitch or Linux Bridge L2 agents with the security group feature (implemented with the iptables firewall driver or the Native Open vSwitch firewall driver)? Or am I restricted to applying no security to my instances because the SR-IOV L2 agent is being used as a second mechanism driver in the same OpenStack deployment?
Yes, it should work fine if you use SG for ports which are bound by the Linuxbridge or Openvswitch mech drivers.
> Thanks in advance, Gabriel Gamero
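A per-agent check of the setup described in the replies above, as an added example that is not part of the thread: it reads each L2 agent's `[securitygroup]` section and reports whether that agent filters traffic. The file names and contents are constructed samples, and treating a missing `firewall_driver` as non-enforcing is an assumption of this example.

```python
import configparser

# Constructed sample agent configs (not from the thread): one compute node
# running both the Open vSwitch agent and the SR-IOV NIC agent.
SAMPLE_CONFS = {
    "openvswitch_agent.ini": """
[securitygroup]
enable_security_group = true
firewall_driver = openvswitch
""",
    "sriov_agent.ini": """
[securitygroup]
firewall_driver = noop
""",
}

# Driver values that perform no filtering (empty means "not set").
NOOP_DRIVERS = {"", "noop", "neutron.agent.firewall.NoopFirewallDriver"}


def enforces_security_groups(ini_text):
    """Return True if this agent config selects a filtering firewall driver."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.has_section("securitygroup"):
        return False  # assumption: nothing configured counts as not enforcing
    sg = cfg["securitygroup"]
    enabled = sg.getboolean("enable_security_group", fallback=True)
    driver = sg.get("firewall_driver", fallback="").strip()
    return enabled and driver not in NOOP_DRIVERS


def audit(confs):
    """Map each agent config file name to whether it enforces security groups."""
    return {name: enforces_security_groups(text) for name, text in confs.items()}


if __name__ == "__main__":
    for name, enforced in audit(SAMPLE_CONFS).items():
        state = "security groups enforced" if enforced else "no filtering (noop)"
        print(f"{name}: {state}")
```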
participants (3)
- GABRIEL OMAR GAMERO MONTENEGRO
- Moshe Levi
- Slawek Kaplonski