[openvswitch][neutron] firewall_driver openvswitch in production
Nguyễn Hữu Khôi
nguyenhuukhoinw at gmail.com
Wed Aug 2 23:29:57 UTC 2023
Hi Satish,
I just tested the openvswitch firewall driver.
It is looking good, I mean no errors after the change, but we need to
configure live migration like this:
----------------- neutron.conf -----------------
[nova]
live_migration_events = True
------------------------------------------------
----------------- nova.conf -----------------
[DEFAULT]
vif_plugging_timeout = 600
vif_plugging_is_fatal = true
debug = True
[compute]
live_migration_wait_for_vif_plug = True
[workarounds]
enable_qemu_monitor_announce_self = True
----------------- openvswitch_agent.ini -----------------
[securitygroup]
firewall_driver = openvswitch
[ovs]
openflow_processed_per_port = true
These configs are from the OpenStack community. You can refer to the docs.
With the native firewall backend you must set "live_migration_events = True";
without it, some instances cannot ping (you need to log in via console to
wake up these instances) after live migration, you can test.
I am planning to test like
https://thesaitech.wordpress.com/2019/02/15/a-comparative-study-of-openstack-networking-architectures/
to see what benefit ovs with native backend will bring to us.
Nguyen Huu Khoi
On Tue, Aug 1, 2023 at 11:30 PM Satish Patel <satish.txt at gmail.com> wrote:
> Folks,
>
> Who is running the OVS firewall driver (firewall_driver = openvswitch) in
> production and are there any issues with running it which I may not be
> aware of? We are not yet ready for OVN deployments so have to stick with
> OVS.
>
> LinuxBridge is at the end of its life trying to get rid of any dependency.
>
> [securitygroup]
> firewall_driver = openvswitch
>
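
An added example, not part of the original messages: a small audit that checks the text of each config file against the settings listed in the reply above, so drift between compute hosts shows up before a live migration does. The function name, the sample file content and the choice to parse with Python's configparser instead of oslo.config are assumptions of this example.

```python
import configparser

# Settings quoted in the message above (file -> section -> option -> value).
# "debug = True" is left out: it only raises log verbosity.
EXPECTED = {
    "neutron.conf": {"nova": {"live_migration_events": "True"}},
    "nova.conf": {
        "DEFAULT": {"vif_plugging_timeout": "600", "vif_plugging_is_fatal": "true"},
        "compute": {"live_migration_wait_for_vif_plug": "True"},
        "workarounds": {"enable_qemu_monitor_announce_self": "True"},
    },
    "openvswitch_agent.ini": {
        "securitygroup": {"firewall_driver": "openvswitch"},
        "ovs": {"openflow_processed_per_port": "true"},
    },
}
_TRUE = {"true", "1", "on", "yes"}  # spellings oslo.config reads as boolean true

def _norm(value):
    value = value.strip().lower()
    return "true" if value in _TRUE else value

def audit(file_name, text):
    """Return (section, option, expected, found) for each deviation."""
    parser = configparser.ConfigParser(
        default_section="__unused__",  # keep [DEFAULT] from leaking into other sections
        strict=False,                  # tolerate repeated sections/options
        interpolation=None,            # leave '%' in values alone
        delimiters=("=",),             # values such as physnet1:br-ex contain ':'
    )
    parser.read_string(text)
    findings = []
    for section, options in EXPECTED[file_name].items():
        for option, want in options.items():
            found = parser.get(section, option, fallback=None)
            if found is None or _norm(found) != _norm(want):
                findings.append((section, option, want, found))
    return findings

# Constructed sample: an agent still on the hybrid iptables driver.
SAMPLE_AGENT_INI = """\
[securitygroup]
firewall_driver = iptables_hybrid
[ovs]
bridge_mappings = physnet1:br-ex
"""

if __name__ == "__main__":
    print(audit("openvswitch_agent.ini", SAMPLE_AGENT_INI))
```

A found value of None means the option is absent from that section, so the service is running on its default for it.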