Public bug reported:

In neutron master, we must now set the OVSHybridIptablesFirewallDriver on
the neutron-server side.
If not, neutron will return the port containing "ovs_hybrid_plug": false, so
nova will plug the VM port on br-int directly. This will cause the security
group to be unavailable even if the iptables rules are set correctly.

The cases, in this view:
1. There are several agent types in OpenStack: one type of agent uses
iptables for security groups, another type uses flow tables for security
groups.
2. If the firewall driver of the background agent realizes security groups
based on OVS flow tables, the port should be plugged on br-int directly and
not use the Linux bridge.
3. A background agent whose firewall driver realizes security groups based on
iptables should still use the Linux bridge.
4. If the neutron server side does not configure the firewall driver, the VMs
on the iptables agents' hosts will lose efficacy, as nova will plug the VM
port on br-int, but flow-table-based agents will be OK.
5. If the neutron server side wants hybrid_plug_required, it will set the
firewall driver to
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver, which
will cause the ports of the VMs on the ovs-flow agent hosts to be plugged on
the Linux bridge; this must be strange.

So what I find strange is why neutron should configure the firewall driver;
it should be enough to only set enable_sg, and the agents will realize their
own function. And agents should report their own firewall driver; then the
server side could check it to decide whether to return
"ovs_hybrid_plug": false / true to nova.

** Affects: neutron
     Importance: Undecided
     Assignee: zhaobo (zhaobo6)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => zhaobo (zhaobo6)

https://bugs.launchpad.net/bugs/1570681

Title:
  neutron server side should not specified the firewall driver

Status in neutron:
  New
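
The proposal in the report (each agent reports its own firewall driver and the server derives "ovs_hybrid_plug" per host) can be illustrated with the following added example, which is not neutron code and not the reporter's. The host names, the report layout, the flow-table driver path and the choice to refuse unknown drivers are assumptions made for illustration.

```python
# Added example. Only the iptables driver path comes from the bug report;
# every other name here is hypothetical.
IPTABLES_HYBRID = ("neutron.agent.linux.iptables_firewall."
                   "OVSHybridIptablesFirewallDriver")
FLOW_DRIVER = "example.flow_firewall.FlowTableFirewallDriver"  # placeholder

# Drivers that filter on the per-port Linux bridge and so need hybrid plug.
NEEDS_LINUX_BRIDGE = {IPTABLES_HYBRID}
KNOWN_DRIVERS = NEEDS_LINUX_BRIDGE | {FLOW_DRIVER}

# Constructed agent state reports, keyed by host.
AGENT_REPORTS = {
    "compute-iptables": {"firewall_driver": IPTABLES_HYBRID},
    "compute-flow": {"firewall_driver": FLOW_DRIVER},
    "compute-legacy": {},  # agent that does not report a driver
}


def vif_details_for(host, enable_sg=True, reports=AGENT_REPORTS):
    """Return the plug decision the server would hand to nova for a port."""
    if not enable_sg:
        # Assumption: with security groups disabled nothing needs the bridge.
        return {"ovs_hybrid_plug": False}
    if host not in reports:
        raise LookupError(f"no agent report for host {host!r}")
    driver = reports[host].get("firewall_driver")
    if driver not in KNOWN_DRIVERS:
        # Refuse rather than guess: a wrong 'false' is the failure the report
        # describes (port on br-int, security group not available).
        raise ValueError(f"host {host!r} reported unknown driver {driver!r}")
    return {"ovs_hybrid_plug": driver in NEEDS_LINUX_BRIDGE}


if __name__ == "__main__":
    for h in ("compute-iptables", "compute-flow"):
        print(h, vif_details_for(h))
```
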
