[qeeens][neutron] migrating from iptables_hybrid to openvswitch

Ignazio Cassano ignaziocassano at gmail.com
Thu Mar 12 10:38:44 UTC 2020


Hello All, I am facing some problems migrating from iptables_hybrid
frirewall to openvswitch firewall on centos 7 queens,
I am doing this because I want enable security groups logs which require
openvswitch firewall.
I would like to migrate without restarting my instances.
I startded moving all instances from compute node 1.
Then I configured openvswitch firewall on compute node 1,
Instances migrated from compute node 2 to compute node 1 without problems.
Once the compute node 2 was empty, I migrated it to openvswitch.
But now instances does not migrate from node 1 to node 2 because it
requires the presence of qbr bridge on node 2

This happened because migrating instances from node2 with iptables_hybrid
to compute node 1 with openvswitch, does not put the tap under br-int as
requested by  openvswich firewall, but qbr is still present on compute node
1.
Once I enabled openvswitch on compute node 2, migration from compute node 1
fails because it exprects qbr on compute node 2 .
So I think I should moving on the fly tap interfaces from qbr to br-int on
compute node 1 before migrating to compute node 2 but it is a huge work on
a lot of instances.

Any workaround, please ?

Ignazio
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20200312/a366e31e/attachment.html>


More information about the openstack-discuss mailing list