On IRC Yair Fried reminded me that we have not yet solved the issue around
security groups not enforced on the gate.

An accurate report of the current status is here [1].

And it seems there is some consensus around using the additional port
binding parameters for security groups (lp: [2] and gerrit: [3]) to solve
this issue and ensure the hybrid driver is used again by nova when neutron
security groups are enforced via iptables.

I know that Amir Sadoughi and others are working on an ovs-based
implementation of security groups which will make the hybrid driver
unnecessary; however, since I'm not up to date about the progress on this
feature, I think we should strive to solve this issue, which at the end of
the day is probably just a configuration issue, as soon as possible.

The gerrit patch has not received a review in 3 weeks, so perhaps it's time
to give it some more attention.


[1] https://bugs.launchpad.net/devstack/+bug/1252620
[2] https://bugs.launchpad.net/nova/+bug/1112912
[3] https://review.openstack.org/#/c/21946/
