Bug 1656443

Summary: Supported migration path to migrate from "Openvswitch Firewall Driver"
Product: Red Hat OpenStack
Reporter: Sandeep Yadav <sandyada>
Component: openstack-neutron
Assignee: Brian Haley <bhaley>
Status: CLOSED ERRATA
QA Contact: Roee Agiman <ragiman>
Severity: high
Priority: high
Version: 10.0 (Newton)
CC: alonare, amuller, bhaley, chrisw, jschluet, slinaber
Keywords: Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: x86_64
OS: Linux
Last Closed: 2019-04-30 16:58:15 UTC
Type: Bug

Description Sandeep Yadav 2018-12-05 14:10:36 UTC
Description of problem:

Supported migration path to migrate from "Openvswitch Firewall Driver" 

The 'Network Functions Virtualization Configuration Guide'[1] for RHOSP 10 repeatedly states 'NeutronOVSFirewallDriver: openvswitch' in the sample configurations, which is contradictory to the release notes[2]. Snippet: [3]. The same was also reported in [4] & [5].


As for OSP10 the "Openvswitch Firewall Driver" is in tech preview and not supported for production environments, can we please have a tested procedure to migrate away from the Openvswitch Firewall Driver in an already deployed environment, with no/minimum impact in NFV and normal OVS environments, to be on a supported configuration?


[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/network_functions_virtualization_configuration_guide/assembly-config-sriov-dpdk-vxlan-vlan#p-sriov-dpdk-2-vlan-networkenv
[2] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html-single/release_notes/index#idm140038152796864
[3]
	~~~
	Configure the parameters for SR-IOV:

	  NeutronSupportedPCIVendorDevs: ['8086:154d', '8086:10ed']
	  NovaPCIPassthrough:
	    - devname: "ens2f1"
	      physical_network: "tenant"

	  NeutronPhysicalDevMappings: "tenant:ens2f1"
	  NeutronSriovNumVFs: "ens2f1:5"
	  NeutronEnableIsolatedMetadata: true
	  NeutronEnableForceMetadata: true
	  # Global MTU.
	  NeutronGlobalPhysnetMtu: 9000
	  # Configure the classname of the firewall driver to use for implementing security groups.
	  NeutronOVSFirewallDriver: openvswitch
	~~~
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1601112#c8
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1656420



Version-Release number of selected component (if applicable): 

Red Hat OpenStack Version 10.0




Actual results:

No tested procedure currently

Expected results:

A tested procedure to migrate away from the Openvswitch Firewall Driver in an already deployed environment, with no/minimum impact in NFV (to noop) and normal OVS environments (to iptables-based firewall), to be on a supported configuration.


Additional info:

Comment 5 AMOL LONARE 2018-12-25 03:58:49 UTC
Any update on this BZ?

Comment 10 Brian Haley 2019-01-28 23:30:04 UTC
Hi Sandeep,

Yes, that is the draft I was referencing.  The goal would be to only have the firewall driver setting different on nodes when doing the migrations, then set it with Director to be consistent.  I'm not sure if you can have it different depending on the node.

Comment 19 errata-xmlrpc 2019-04-30 16:58:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0916