[nova][neutron] os-vif params
Sean Mooney
smooney at redhat.com
Mon Mar 7 11:09:48 UTC 2022
On Fri, 2022-03-04 at 19:57 +0100, Arnaud wrote:
> Hi Sean, Rodolfo,
>
> Thanks for your answers.
> I will try to do the patch next week so these parameters are included in the nova config sample and documentation.
>
> About the isolated_vif params. It seems like a security enhancement to set it to True when using ovs? Do you confirm that?
yes if you are usging ovs with ml2/ovs and the l2 agent then you shoudl enable isolated_vif to enaure that the port are added to the
"dead" vlan 4095 which will drop all packets until the l2 agent moves the port onto the correct local vlan for the neutron netowrk.
this impoves tenant isolation during move operations.
it is not requried/tested with ovn, odl or other sdn contolers that use ovs as a switch.
they do not use vlans for local tenant isolation or the normal action. they use ovs in secure
mode which will drop packets by default if there are no openflow rules to process the packet.
as such they shoudl not have isolated_vif enabled.
>
> Regards,
> Arnaud
>
> Le 4 mars 2022 18:57:40 GMT+01:00, Sean Mooney <smooney at redhat.com> a écrit :
> > On Fri, 2022-03-04 at 18:33 +0100, Rodolfo Alonso Hernandez wrote:
> > > Hi Arnaud:
> > >
> > > Those parameters should be set in nova.conf, in the "os_vif_XXX" section
> > > [1].
> > >
> > > "network_device_mtu" is deprecated. The interface MTU is retrieved from the
> > > network MTU. "ovs_vsctl_timeout" is deprecated too, we don't use vsctl
> > > commands anymore.
> > actully we do use vsctl at least in ci but it is deprecated.
> > we are currently using it in ci to workaround a bug in the ovs python bindings.
> >
> > after the RC period is clear i might revert that since i think the ovs python bidnign are
> > fixed but im not sure they are fixed in ubuntu 20.04 so i dont want to regress the ci stablity
> > currently by reverting to the native bindings.
> >
> > https://review.opendev.org/c/openstack/devstack/+/796826
> >
> > ill update https://github.com/openstack/devstack/blob/master/lib/os-vif#L6 to native
> > once we are sure https://bugs.launchpad.net/os-vif/+bug/1929446 is fixed in the ovs python bindings.
> >
> >
> > >
> > > Maybe Nova folks can extend my answer.
> > >
> > > Regards.
> > >
> > > [1]
> > > https://github.com/openstack/nova/blob/50fdbc752a9ca9c31488140ef2997ed59d861a41/releasenotes/notes/libvirt-uses-os-vif-plugins-31a0617de0c248b9.yaml
> > >
> > >
> > > On Fri, Mar 4, 2022 at 6:18 PM Arnaud Morin <arnaud.morin at gmail.com> wrote:
> > >
> > > > Hey all,
> > > >
> > > > When I take a look at [1], I can see some parameters, such as
> > > > network_device_mtu, isolate_vif, etc.
> > > >
> > > > As far as I can tell, nova is using these params when plugging the port
> > > > in OVS (if using OVS as ml2 plugin of course).
> > > >
> > > > But I cannot find the config params in the documentation: [2]
> > > >
> > > > Am I missing something?
> > > >
> > > > Cheers,
> > > > Arnaud.
> > > >
> > > > [1] https://github.com/openstack/os-vif/blob/master/vif_plug_ovs/ovs.py
> > > > [2] https://docs.openstack.org/nova/latest/configuration/config.html
> > > >
> > > >
> >
More information about the openstack-discuss
mailing list