[queens] [neutron]security_groups_log]

Slawek Kaplonski skaplons at redhat.com
Sun Mar 8 14:07:47 UTC 2020


Hi,

> On 7 Mar 2020, at 21:45, Ignazio Cassano <ignaziocassano at gmail.com> wrote:
> 
> Slawek, forgive me if I take advantage of your patience.
> 
> Before rebooting nodes, I modified nodes and controllers with security groups logs, modifying neutron.conf, ml2 and openvswitch agents, moving from iptables_hybrid to openvswitch firewall etc etc.....
> I only restarted neutron components and before rebooting nodes and controllers, I saw security groups logs and I was able to migrate instances.
> Why not after rebooting?

To be honest I don’t know why it’s like that. You probably will need to give more info there, what errors You have exactly during the migration.

> And, please, what about “multiple port bindings” ?

Spec for this feature is at https://specs.openstack.org/openstack/neutron-specs/specs/ocata/portbinding_information_for_nova.html - You should find more details about it there.

> 
> Thanks
> Ignazio
> 
> 
> 
> On Sat 7 Mar 2020 at 19:02, Slawek Kaplonski <skaplons at redhat.com> wrote:
> Hi,
> 
> > On 7 Mar 2020, at 18:45, Ignazio Cassano <ignaziocassano at gmail.com> wrote:
> > 
> > Hello, I have a queens installation based on centos7.
> > 
> > Before implementing security groups logs, I had the following configuration in 
> > /etc/neutron/plugins/ml2/openvswitch_agent.ini:
> > 
> > firewall_driver = iptables_hybrid
> > 
> > 
> > Enabling security groups log I had to change it to:
> > 
> > firewall_driver = openvswitch
> > 
> > 
> > It seems to work and security logs are logged.
> > After restarting kvm nodes and controllers, virtual machines do not live migrate.
> > Could the firewall driver change be the cause of my problem?
> 
> Yes, in Queens there wasn’t yet migration between various firewall drivers so that can be an issue. It should work fine since Rocky release with “multiple port bindings” feature.
> 
> > Is firewall_driver = openvswitch mandatory for security groups log?
> 
> Yes, logging isn’t supported by iptables_hybrid driver.
> 
> > 
> > Please, any help?
> > 
> > 
> > I cannot reproduce the problem rebooting all my nodes.
> > I rebooted them because I had to transfer from a rack to another.
> > 
> > Ignazio
> > 
> > 
> 
> Slawek Kaplonski
> Senior software engineer
> Red Hat
> 

— 
Slawek Kaplonski
Senior software engineer
Red Hat
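
An added example, not part of the original thread and not Neutron's own code: a Python check over `openvswitch_agent.ini` contents for the two conditions discussed above, the log extension enabled with a firewall driver that does not support it, and hosts running different firewall drivers. The `[securitygroup]` and `[agent]` option locations, the host names and the sample file contents are assumptions not shown in the thread.

```python
import configparser

# Constructed sample agent configs (host names and contents are made up).
SAMPLE_CONFIGS = {
    "compute1": "[agent]\nextensions = log\n"
                "[securitygroup]\nfirewall_driver = openvswitch\n",
    "compute2": "[agent]\nextensions = log\n"
                "[securitygroup]\nfirewall_driver = iptables_hybrid\n",
}


def read_agent_config(text):
    """Return (firewall_driver, log_extension_enabled) for one agent ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # Assumed option locations: [securitygroup] firewall_driver, [agent] extensions
    driver = cp.get("securitygroup", "firewall_driver", fallback="").strip()
    extensions = cp.get("agent", "extensions", fallback="")
    log_enabled = "log" in [e.strip() for e in extensions.split(",")]
    return driver or "(unset)", log_enabled


def audit(configs):
    """Return a list of findings for a {host: ini_text} mapping."""
    findings, hosts_by_driver = [], {}
    for host in sorted(configs):
        driver, log_enabled = read_agent_config(configs[host])
        hosts_by_driver.setdefault(driver, []).append(host)
        if log_enabled and driver != "openvswitch":
            findings.append(f"{host}: log extension enabled but firewall_driver="
                            f"{driver}; logging needs the openvswitch driver")
    if len(hosts_by_driver) > 1:
        summary = "; ".join(f"{d}: {', '.join(h)}"
                            for d, h in sorted(hosts_by_driver.items()))
        findings.append(f"mixed firewall drivers across hosts ({summary}); "
                        "live migration between them can be an issue on Queens")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIGS):
        print(line)
```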



