[queens][neutron] migrating from iptables_hybrid to openvswitch

Ignazio Cassano ignaziocassano at gmail.com
Sun Mar 15 18:11:58 UTC 2020

Hello Jakub, in my previous email I asked about multiple port binding but I
forgot to discuss point 1 of your email (qbr).
I do not mind the intermediate bridge, but the following is what happens:

A) evacuate node 1 and, after changing its openvswitch agent configuration
and restarting it, I can migrate vm1 from node 2.
The intermediate qbr bridge is created for vm1 on node 1.
B) evacuate node 2 and, after changing its openvswitch agent configuration
and restarting it, live migrating vm1 from node 1 to node 2 does not work
because no qbr is created on node 2 (this is reported in the nova logs).

Probably without restarting instances live migration works from
iptables_hybrid to openvswitch but does not work from openvswitch to

If the first migration is not live, qbr is not created and all works fine.

On Thu, 12 Mar 2020, 23:15 Jakub Libosvar <jlibosva at redhat.com> wrote:

> On 12/03/2020 11:38, Ignazio Cassano wrote:
> > Hello All, I am facing some problems migrating from the iptables_hybrid
> > firewall to the openvswitch firewall on CentOS 7 Queens.
> > I am doing this because I want to enable security group logs, which require
> > the openvswitch firewall.
> > I would like to migrate without restarting my instances.
> > I started by moving all instances from compute node 1.
> > Then I configured the openvswitch firewall on compute node 1.
> > Instances migrated from compute node 2 to compute node 1 without
> > problems.
> > Once compute node 2 was empty, I migrated it to openvswitch.
> > But now instances do not migrate from node 1 to node 2 because it
> > requires the presence of the qbr bridge on node 2.
> >
> > This happened because migrating instances from node 2 with iptables_hybrid
> > to compute node 1 with openvswitch does not put the tap under br-int as
> > requested by the openvswitch firewall, but qbr is still present on compute
> > node 1.
> > Once I enabled openvswitch on compute node 2, migration from compute
> > node 1 fails because it expects qbr on compute node 2.
> > So I think I should move the tap interfaces on the fly from qbr to br-int
> > on compute node 1 before migrating to compute node 2, but it is a huge
> > amount of work on a lot of instances.
> >
> > Any workaround, please?
> >
> > Ignazio
> >
> I may be a little outdated here but to the best of my knowledge there
> are two ways to migrate from iptables to openvswitch.
> 1) If you don't mind the intermediate linux bridge and you care about
> logs, you can just change the config file on the compute node to start using
> the openvswitch firewall and restart the ovs agent. That should trigger a
> mechanism that deletes the iptables rules and starts using openflow rules.
> It will leave the intermediate bridge there but, except for the extra hop in
> the networking stack, it doesn't matter.
> 2) With the multiple-port binding feature, what you described above should
> be working. I know Miguel spent some time working on that so perhaps he
> has more information about which release it should be functional at; I
> think it was Queens. Not sure if any Nova work was required to make it
> work.
> Hope that helps.
> Kuba
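Added example, not part of this thread and not code from Neutron or Nova: a small script an operator can run on a compute node to list which instance ports are still plumbed through the intermediate qbr bridge (the state Ignazio describes on node 1 after step A) and which have their tap attached to br-int directly, as the openvswitch firewall driver (`firewall_driver = openvswitch` in the `[securitygroup]` section of openvswitch_agent.ini) expects. It relies only on Neutron's device naming convention: for a port whose UUID begins `1a2b3c4d-5e…`, the hybrid plumbing creates `qbr1a2b3c4d-5e` and the veth pair `qvb1a2b3c4d-5e`/`qvo1a2b3c4d-5e`, with the `qvo` end on br-int; with direct plumbing br-int holds `tap1a2b3c4d-5e` itself. The sample `ovs-vsctl list-ports br-int` output embedded below is constructed; when `ovs-vsctl` is available the script reads the live output instead.

```python
"""Classify br-int ports by firewall plumbing: 'hybrid' (qvo* veth end, tap is
under a qbr Linux bridge) versus 'direct' (tap* attached to br-int).

Naming convention used (Neutron's): the device suffix is the first 11
characters of the Neutron port UUID, e.g. '1a2b3c4d-5e'.
"""
import re
import shutil
import subprocess

# qvo<11-char port prefix> -> hybrid plumbing; tap<11-char port prefix> -> direct.
PORT_RE = re.compile(r"^(qvo|tap)([0-9a-f]{8}-[0-9a-f]{2})$")


def classify_port(name):
    """Return (port_prefix, 'hybrid'|'direct') for an instance port on br-int,
    or None for anything else (patch ports, int-br-*, blank lines)."""
    m = PORT_RE.match(name.strip())
    if not m:
        return None
    prefix, port_prefix = m.groups()
    return port_prefix, ("hybrid" if prefix == "qvo" else "direct")


def classify_br_int(list_ports_output):
    """Map port prefix -> plumbing kind from `ovs-vsctl list-ports br-int` output."""
    result = {}
    for line in list_ports_output.splitlines():
        classified = classify_port(line)
        if classified:
            result[classified[0]] = classified[1]
    return result


def hybrid_ports(list_ports_output):
    """Port prefixes still going through a qbr bridge on this node."""
    return sorted(p for p, kind in classify_br_int(list_ports_output).items()
                  if kind == "hybrid")


def live_br_int_ports():
    """Real `ovs-vsctl list-ports br-int` output, or None if ovs-vsctl is absent."""
    if shutil.which("ovs-vsctl") is None:
        return None
    proc = subprocess.run(["ovs-vsctl", "list-ports", "br-int"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed sample output (not captured from a real node): two hybrid ports,
# one direct port, plus the non-instance ports normally present on br-int.
SAMPLE = """\
int-br-ex
patch-tun
qvo1a2b3c4d-5e
tap6f7a8b9c-0d
qvoaaaaaaaa-bb
"""

if __name__ == "__main__":
    output = live_br_int_ports()
    source = "live ovs-vsctl" if output is not None else "constructed sample"
    if output is None:
        output = SAMPLE
    print(f"source: {source}")
    for port_prefix, kind in sorted(classify_br_int(output).items()):
        print(f"{port_prefix}  {kind}")
    still_hybrid = hybrid_ports(output)
    print(f"{len(still_hybrid)} port(s) still plumbed through qbr: "
          f"{', '.join(still_hybrid) or 'none'}")
```

The 11-character prefix can be matched back to the full port and its instance with `openstack port list` (or `neutron port-list` on Queens) and the port's `device_id`; those are the instances that, as the thread concludes, need a cold migration or a restart rather than a live migration before node 2 can accept them.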