[openstack][neutron][nova][kolla-ansible] instance cannot ping after live migrate

Nguyễn Hữu Khôi nguyenhuukhoinw at gmail.com
Sun Jul 30 15:00:22 UTC 2023

Is it OK if we use ovs with the native firewall driver, by which I mean we
don't use ovn? How about migration from ovs to ovn?

Nguyen Huu Khoi

On Sun, Jul 30, 2023 at 8:26 AM Satish Patel <satish.txt at gmail.com> wrote:

> iptables + linux bridge integration with OVS was very old and OVS ACL was
> not mature enough in earlier days. But nowadays OVN supports OVS-based ACL
> and that means it's much more stable.
> On Sat, Jul 29, 2023 at 10:29 AM Nguyễn Hữu Khôi <
> nguyenhuukhoinw at gmail.com> wrote:
>> Hello.
>> I just learned about the ovs firewall last week. I am going to compare
>> between them.
>> Could you share some experience about why to use the ovs firewall driver
>> over iptables?
>> Thank you.
>> Nguyen Huu Khoi
>> On Sat, Jul 29, 2023 at 5:55 PM Satish Patel <satish.txt at gmail.com>
>> wrote:
>>> Why are you not using the openvswitch flow-based firewall instead of
>>> Linuxbridge, which will add hops in the packet path?
>>> Sent from my iPhone
>>> On Jul 27, 2023, at 12:25 PM, Nguyễn Hữu Khôi <nguyenhuukhoinw at gmail.com>
>>> wrote:
>>> Hello.
>>> I figured out that my rabbitmq queues are corrupt so the neutron port cannot
>>> upgrade security rules. I need to delete the queues so I can migrate without
>>> problems.
>>> Thank you so much for replying to me.
>>> On Thu, Jul 27, 2023, 8:11 AM Nguyễn Hữu Khôi <nguyenhuukhoinw at gmail.com>
>>> wrote:
>>>> Hello.
>>>> When my instances were migrated to other computes, I checked on the dest
>>>> host and I see that
>>>> -A neutron-openvswi-i41ec1d15-e -d x.x.x.x(my instance ip)/32 -p udp -m
>>>> udp --sport 67 --dport 68 -j RETURN
>>>> is missing and my instance cannot get an IP.
>>>> I must restart neutron_openvswitch_agent, then this rule appears and I can
>>>> touch the instance via the network.
>>>> I use openvswitch and provider networks. This problem has happened this
>>>> week, after the system was upgraded from xena to yoga and I enabled quorum
>>>> queues.
>>>> Nguyen Huu Khoi
>>>> On Wed, Jul 26, 2023 at 5:28 PM Nguyễn Hữu Khôi <
>>>> nguyenhuukhoinw at gmail.com> wrote:
>>>>> Because I don't see any error logs, although I set debug log to on.
>>>>> Your advice is very helpful to me. I will try to dig deeply. I am
>>>>> lost, so some suggestions are the best way for me to continue. :)
>>>>> On Wed, Jul 26, 2023, 4:39 PM <smooney at redhat.com> wrote:
>>>>>> On Wed, 2023-07-26 at 07:49 +0700, Nguyễn Hữu Khôi wrote:
>>>>>> > Hello guys.
>>>>>> >
>>>>>> > I am using openstack yoga with kolla ansible.
>>>>>> without logs of some kind i don't think anyone will be able to help
>>>>>> you with this.
>>>>>> you have one issue with the config which i noted inline but that
>>>>>> should not break live migration.
>>>>>> but it would allow it to proceed when otherwise it would have failed.
>>>>>> and it would allow this issue to happen instead of the vm going to
>>>>>> error or the migration
>>>>>> being aborted in pre live migrate.
>>>>>> >
>>>>>> > When I migrate:
>>>>>> >
>>>>>> > instance1 from host A to host B after that I cannot ping this
>>>>>> > instance (telnet also). I must restart neutron_openvswitch_agent or
>>>>>> > move this instance back to host B then this problem has gone.
>>>>>> >
>>>>>> > this is my settings:
>>>>>> >
>>>>>> > ----------------- neutron.conf -----------------
>>>>>> > [nova]
>>>>>> > live_migration_events = True
>>>>>> > ------------------------------------------------
>>>>>> >
>>>>>> > ----------------- nova.conf -----------------
>>>>>> > [DEFAULT]
>>>>>> > vif_plugging_timeout = 600
>>>>>> > vif_plugging_is_fatal = False
>>>>>> you should never run with this set to false in production.
>>>>>> it will break nova's ability to detect if networking is configured
>>>>>> when booting or migrating a vm.
>>>>>> we honestly should have removed this when we removed nova-networks
>>>>>> > debug = True
>>>>>> >
>>>>>> > [compute]
>>>>>> > live_migration_wait_for_vif_plug = True
>>>>>> >
>>>>>> > [workarounds]
>>>>>> > enable_qemu_monitor_announce_self = True
>>>>>> >
>>>>>> > ----------------- openvswitch_agent.ini -----------------
>>>>>> > [securitygroup]
>>>>>> > firewall_driver = openvswitch
>>>>>> > [ovs]
>>>>>> > openflow_processed_per_port = true
>>>>>> >
>>>>>> > I checked nova, neutron, ovs logs but they are ok.
>>>>>> >
>>>>>> > Thank you.
>>>>>> >
>>>>>> >
>>>>>> > Nguyen Huu Khoi
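
As an added example (not part of the thread and not OpenStack project code), the check below reads `iptables-save` output and lists per-port `neutron-openvswi-i` chains that lack the DHCP reply rule reported missing above. The function names and sample rules are constructed, and it assumes security groups are rendered as iptables rules, as in that report.

```shell
#!/usr/bin/env bash
# Added example: flag per-port ingress chains that lack the DHCP reply rule
# (udp --sport 67 --dport 68 -j RETURN) quoted in the thread.
# Typical use on a compute host:  iptables-save -t filter | missing_dhcp_chains

missing_dhcp_chains() {
    awk '
        # Chain declaration, e.g. ":neutron-openvswi-i41ec1d15-e - [0:0]"
        /^:neutron-openvswi-i/ { seen[substr($1, 2)] = 1; next }
        # Rule appended to a per-port ingress chain
        $1 == "-A" && $2 ~ /^neutron-openvswi-i/ {
            seen[$2] = 1
            if ($0 ~ /-p udp/ && $0 ~ /--sport 67( |$)/ &&
                $0 ~ /--dport 68( |$)/ && $0 ~ /-j RETURN$/)
                ok[$2] = 1
        }
        # Report every ingress chain that never matched the DHCP rule
        END { for (c in seen) if (!(c in ok)) print c }
    ' | sort
}

# Constructed sample: the first chain carries the DHCP rule from the thread,
# the second (hypothetical port) does not. 192.0.2.10 is a placeholder address.
constructed_sample() {
    cat <<'EOF'
*filter
:neutron-openvswi-i41ec1d15-e - [0:0]
:neutron-openvswi-iaaaa0000-1 - [0:0]
-A neutron-openvswi-i41ec1d15-e -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i41ec1d15-e -d 192.0.2.10/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-iaaaa0000-1 -m state --state RELATED,ESTABLISHED -j RETURN
COMMIT
EOF
}

constructed_sample | missing_dhcp_chains   # prints neutron-openvswi-iaaaa0000-1
```

Running it on the destination host right after a migration, before restarting the agent, shows whether the port's rules were ever programmed there.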