Public bug reported:

The ovs mechanism driver determines if hybrid plug should be used along the firewall_driver [1] setting that is made on the neutron server [2].

    IPTABLES_FW_DRIVER_FULL = ("neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver")
    hybrid_plug_required = (cfg.CONF.SECURITYGROUP.firewall_driver in (IPTABLES_FW_DRIVER_FULL, 'iptables_hybrid'))

--> Only if the cfg.CONF.SECURITYGROUP.firewall_driver option is configured to be hybrid, hybrid plug is enabled.

Let's assume you have a cloud, with a few nodes running lb and some other running ovs l2 agent.

- neutron server: firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver (for lb)
- cpu node1: neutron-lb-agt: firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver (for lb)
- cpu node 2: neutron-ovs-agt: firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver (for ovs)

Expected behavior
==============
ovs agent uses hybrid plug, as it is configured in its configuration

Actual result
==========
You'll never get a hybrid plug, as the neutron server only considers its own fw_driver option instead of the agent option --> No Security Groups

I see two approaches that can be discussed
=================================
#1 allow listing of multiple fw drivers in the neutron server configuration file

#2 Determine the hybrid_plug_required variable along the fw_driver configured in the l2 agent (agent can report this to the server as part of its regular state report and mech_driver can use this information to set hybrid plug option correctly when port_binding is requested)

[1] http://docs.openstack.org/liberty/config-reference/content/networking-options-securitygroups.html
[2] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/mech_driver/mech_openvswitch.py#L49

** Affects: neutron
     Importance: Undecided
         Status: New

** Tags: ovs sg-fw

** Summary changed:

- ovs mech driver depends on neutron server firewall_driver option instead of the agent firewall driver to determine if hybrid plug can be used
+ ovs mech_driver depends on neutron server firewall_driver option instead of the agent firewall_driver option to determine if hybrid plug can be used

--
https://bugs.launchpad.net/bugs/1560957

Title:
  ovs mech_driver depends on neutron server firewall_driver option instead of the agent firewall_driver option to determine if hybrid plug can be used

Status in neutron:
  New
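
The mismatch described in the report above, as an added example that is not part of the original bug report or of neutron's code: it models the server-side check quoted in the report next to approach #2, and lists the OVS hosts whose ports would be bound without hybrid plug. The state-report dictionaries, host names and function names are assumptions made for illustration.

```python
# Added example, not neutron code. The agent state-report shape below is a
# hypothetical stand-in for what approach #2 would have the agent report.
IPTABLES_FW_DRIVER_FULL = ("neutron.agent.linux.iptables_firewall."
                           "OVSHybridIptablesFirewallDriver")
IPTABLES_FW_DRIVER = ("neutron.agent.linux.iptables_firewall."
                      "IptablesFirewallDriver")
HYBRID_DRIVERS = (IPTABLES_FW_DRIVER_FULL, "iptables_hybrid")

# Constructed deployment that mirrors the scenario in the report.
SERVER_FW_DRIVER = IPTABLES_FW_DRIVER
AGENTS = [
    {"host": "node1", "agent_type": "linuxbridge",
     "firewall_driver": IPTABLES_FW_DRIVER},
    {"host": "node2", "agent_type": "ovs",
     "firewall_driver": IPTABLES_FW_DRIVER_FULL},
]


def hybrid_plug_from_server(server_fw_driver):
    """Behaviour described in the report: only the server option is read."""
    return server_fw_driver in HYBRID_DRIVERS


def hybrid_plug_from_agent(agent):
    """Approach #2: decide per agent from the driver that agent reported."""
    return agent["firewall_driver"] in HYBRID_DRIVERS


def find_unfiltered_ovs_hosts(server_fw_driver, agents):
    """Return OVS hosts whose agent expects hybrid plug but would not get it.

    On those hosts the iptables hybrid driver has no bridge to filter on,
    which is the "No Security Groups" outcome in the report.
    """
    server_says_hybrid = hybrid_plug_from_server(server_fw_driver)
    return [a["host"] for a in agents
            if a["agent_type"] == "ovs"
            and hybrid_plug_from_agent(a)
            and not server_says_hybrid]


if __name__ == "__main__":
    print("server decision:", hybrid_plug_from_server(SERVER_FW_DRIVER))
    for agent in AGENTS:
        if agent["agent_type"] == "ovs":
            print(agent["host"], "agent decision:",
                  hybrid_plug_from_agent(agent))
    print("OVS hosts without security group filtering:",
          find_unfiltered_ovs_hosts(SERVER_FW_DRIVER, AGENTS))
```

Run against a real deployment, the same comparison can be made by hand from the server's and each agent's `[securitygroup] firewall_driver` setting.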