[queens] [neutron] security_groups_log

Ignazio Cassano ignaziocassano at gmail.com
Sun Mar 8 16:17:53 UTC 2020


Hi, I think the problem is the migration from iptables_hybrid to
openvswitch firewall:
https://docs.openstack.org/neutron/rocky/contributor/internals/openvswitch_firewall.html
Thanks
Ignazio

On Sun, 8 Mar 2020, 15:07 Slawek Kaplonski <skaplons at redhat.com> wrote:

> Hi,
>
> > On 7 Mar 2020, at 21:45, Ignazio Cassano <ignaziocassano at gmail.com>
> wrote:
> >
> > Slawek, forgive me if I take advantage of  your patience.
> >
> > Before rebooting nodes,  I modified nodes and controllers with security
> groups logs, modifying neutron.conf, ml2 and openvswitch agents, moving
> from iptables_hybrid to openvswitch firewall etc etc.....
> > I only restarted neutron components and before rebooting nodes and
> controllers, I saw security groups logs and I was able to migrate instances.
> > Why not after rebooting?
>
> To be honest I don’t know why it’s like that. You probably will need to
> give more info there, what errors You have exactly during the migration.
>
> > And, please, what about “multiple port bindings” ?
>
> Spec for this feature is at
> https://specs.openstack.org/openstack/neutron-specs/specs/ocata/portbinding_information_for_nova.html
> - You should find more details about it there.
>
> >
> > Thanks
> > Ignazio
> >
> >
> >
> > On Sat, 7 Mar 2020 at 19:02, Slawek Kaplonski <
> skaplons at redhat.com> wrote:
> > Hi,
> >
> > > On 7 Mar 2020, at 18:45, Ignazio Cassano <ignaziocassano at gmail.com>
> wrote:
> > >
> > > Hello, I have  queens installation based on centos7.
> > >
> > > Before implementing security groups logs, I had the following
> configuration in
> > > /etc/neutron/plugins/ml2/openvswitch_agent.ini:
> > >
> > > firewall_driver = iptables_hybrid
> > >
> > >
> > > Enabling security groups log I had to change it in :
> > >
> > > firewall_driver = openvswitch
> > >
> > >
> > > It seems to work and security logs are logged.
> > > After restarting kvm nodes and controllers, virtual machines do not
> live migrate.
> > > The firewall driver change could be the cause of my problem ?
> >
> > Yes, In queens there wasn’t yet migration between various firewall
> drivers so that can be an issue. It should work fine since Rocky release
> with “multiple port bindings” feature.
> >
> > > firewall_driver = openvswitch is mandatory for security groups log ?
> >
> > Yes, logging isn’t supported by iptables_hybrid driver.
> >
> > >
> > > Please, any help ?
> > >
> > >
> > > I cannot reproduce the problem  rebooting all my nodes.
> > > I rebooted them because I had to transfer from a rack to another.
> > >
> > > Ignazio
> > >
> > >
> >
> > —
> > Slawek Kaplonski
> > Senior software engineer
> > Red Hat
> >
>
> —
> Slawek Kaplonski
> Senior software engineer
> Red Hat
>
>
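
An added example, not part of the thread and not Neutron's own code: a small audit of the `openvswitch_agent.ini` contents collected from each node, flagging hosts where security group logging cannot work (`firewall_driver` is not `openvswitch`) and fleets running mixed firewall drivers, the situation the thread ties to live-migration trouble on Queens. Host names and file contents are constructed; the `[agent] extensions = log` check is taken from Neutron's logging setup and is not mentioned in the thread.

```python
import configparser

# Constructed sample: openvswitch_agent.ini text keyed by hypothetical host name.
SAMPLE = {
    "compute1": "[securitygroup]\nfirewall_driver = openvswitch\n"
                "[agent]\nextensions = log\n",
    "compute2": "[securitygroup]\nfirewall_driver = iptables_hybrid\n"
                "[agent]\nextensions =\n",
    "compute3": "[securitygroup]\nfirewall_driver = openvswitch\n",
}


def read_agent(text):
    """Return (firewall_driver, set of agent extensions) from ini text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    driver = cp.get("securitygroup", "firewall_driver", fallback="").strip()
    raw = cp.get("agent", "extensions", fallback="")
    return driver, {e.strip() for e in raw.split(",") if e.strip()}


def audit(configs):
    """Return a list of (host, finding); host '*' marks a fleet-wide finding."""
    findings, drivers = [], {}
    for host, text in sorted(configs.items()):
        driver, exts = read_agent(text)
        drivers[host] = driver or "(unset)"
        if driver != "openvswitch":
            # Per the thread: logging is not supported by iptables_hybrid.
            findings.append(
                (host, "logging unsupported: firewall_driver=" + drivers[host]))
        elif "log" not in exts:
            findings.append(
                (host, "openvswitch driver set but 'log' agent extension missing"))
    if len(set(drivers.values())) > 1:
        # Per the thread: Queens has no migration path between firewall drivers.
        detail = ", ".join(f"{h}={d}" for h, d in sorted(drivers.items()))
        findings.append(("*", "mixed firewall drivers: " + detail))
    return findings


if __name__ == "__main__":
    for host, finding in audit(SAMPLE):
        print(f"{host}: {finding}")
```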