Open Stack

On 2014-07-16 2:36 AM, Robert van Leeuwen wrote:
>
> After some wondering about why things did not work as expected I discovered that the daemon was not using the config file...

Is "the daemon" still referring to neutron-plugin-openvswitch-agent?


> I also noticed I need to add the following to the ml2_conf to get it working with openvswitch (using vlans):
> [ovs]
> bridge_mappings = default:br-eth1

This should go in ovs_neutron_plugin.ini for 
neutron-plugin-openvswitch-agent to read it. neutron-server does not 
need this config as it is implementation details only required by the 
mechanism agent.


> There is also the point that for security groups you need a placeholder firewall_driver to get it to work
>   (which is in the docs but not in the included/upstream ml2 ini example file) :
> [securitygroup]
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver (or some dummy value)

On the node running neutron-server, you can use this config in 
ml2_conf.ini instead:

   [securitygroup]/enable_security_group = true

Introduced in https://review.openstack.org/#/c/67281/


On the compute node, you still have to define the appropriate driver though:

   [securitygroup]/firewall = 
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver


> It seems that there is still some work left on documenting actual working configurations.
> Usually I just go to the configfile example in github to look at all the possible options but, as said, that is far from the complete story:
> https://github.com/openstack/neutron/blob/master/etc/neutron/plugins/ml2/ml2_conf.ini
>

I do agree that the relation between ml2_conf.ini and the mechanism 
agent config file is not clear. I had to ask around, do some tests 
and/or blinding trust the documentation. (which happens to work for me)

-- 
Mathieu