[openvswitch][neutron] firewall_driver openvswitch in production

Satish Patel satish.txt at gmail.com
Fri Aug 4 04:35:11 UTC 2023 

Thanks for the update. I am going to switch my firewall driver to
openvswitch and will update here for any issues or gotchas!!!

On Wed, Aug 2, 2023 at 7:30 PM Nguyễn Hữu Khôi <nguyenhuukhoinw at gmail.com>
wrote:

> Hi Satish,
> I just tested openvswitch firewall driver.
>
> It is looking good, I mean no error after changed, but we need config live
> migrate like that:
>
> ----------------- neutron.conf -----------------
> [nova]
> live_migration_events = True
> ------------------------------------------------
>
> ----------------- nova.conf -----------------
> [DEFAULT]
> vif_plugging_timeout = 600
> vif_plugging_is_fatal = true
> debug = True
>
> [compute]
> live_migration_wait_for_vif_plug = True
>
> [workarounds]
> enable_qemu_monitor_announce_self = True
>
> ----------------- openvswitch_agent.ini-----------------
>
> [securitygroup]
> firewall_driver = openvswitch
> [ovs]
> openflow_processed_per_port = true
>
> These configs from the openstack community. You can prefer from docs.
>
> With native firewall backend you must "live_migration_events = True",
> without it, some instances cannot ping (you need to log in via console to
> wake up these instances) after live migrate, you can test.
>
> I am planning to test like
>
>
> https://thesaitech.wordpress.com/2019/02/15/a-comparative-study-of-openstack-networking-architectures/
>
> to see what benefit ovs with native backend will bring to us.
>
> Nguyen Huu Khoi
>
>
> On Tue, Aug 1, 2023 at 11:30 PM Satish Patel <satish.txt at gmail.com> wrote:
>
>> Folks,
>>
>> Who is running the OVS firewall driver (firewall_driver = openvswitch)
>> in production and are there any issues with running it which I may not be
>> aware of?  We are not yet ready for OVN deployments so have to stick with
>> OVS.
>>
>> LinuxBridge is at the end of its life trying to get rid of any
>> dependency.
>>
>> [securitygroup]
>> firewall_driver = openvswitch
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20230804/9e76dd6a/attachment.htm>

More information about the openstack-discuss mailing list