Public bug reported:

Sorry, this is actually a bug report but discussing for better
clarification in the document.

Currently, we are running the iptables firewall in production and saw
performance degrade, thus we plan to upgrade to the ovs firewall in
place. By reading the doc I found the upgrade process is described here:
https://docs.openstack.org/neutron/latest/contributor/internals/openvswitch_firewall.html#upgrade-path-from-iptables-hybrid-driver
It does provide three methods to allow upgrading the existing cluster.

I am interested in method 2, which quotes "plug the tap device into the
integration bridge". Since it does not provide the command, I would like
to ask how to actually perform it. I tried with

```console
# brctl delif qbrxxx tapxxx
# ovs-vsctl add-port br-int tapxxx
```

but it does not work because the network appears to be disconnected.

Another question: is there an option 4, such that the ovs firewall
could take control of existing iptables-firewalled ports and later users
could transition to the ovs firewall gradually?

Thank you.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1914522

Title:
  migrate from iptables firewall to ovs firewall

Status in neutron:
  New
