Bug 1385341 - [RFE] [Neutron] OVS firewall driver - full support with kernel based OVS
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 10.0 (Newton)
Hardware: Unspecified OS: Unspecified
Priority: high Severity: medium
Target Milestone: Upstream M3
Target Release: 12.0 (Pike)
Assigned To: Jakub Libosvar
QA Contact: Toni Freger
Keywords: FutureFeature, Triaged
Depends On:
Blocks: 1442136 1501603
Reported: 2016-10-16 07:17 EDT by Nir Yechiel
Modified: 2018-02-05 14:02 EST
Fixed In Version: openstack-neutron-11.0.0-0.20170807223712.el7ost
Last Closed: 2017-12-13 15:49:23 EST
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1626010 None None None 2017-07-03 08:18 EDT
Launchpad 1697593 None None None 2017-07-03 08:18 EDT
OpenStack gerrit 385085 None None None 2017-07-05 16:05 EDT
OpenStack gerrit 472692 None None None 2017-07-05 16:05 EDT
OpenStack gerrit 473899 None None None 2017-07-05 16:05 EDT
Red Hat Product Errata RHEA-2017:3462 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-15 20:43:25 EST

Description Nir Yechiel 2016-10-16 07:17:33 EDT
Description of problem:

With RHOSP 10 we introduced a new OVS firewall driver as a technology preview (see BZ 1310654). The new firewall driver is capable of filtering packets based on specified security groups using Open vSwitch only, thanks to integration with conntrack. 

The purpose of this RFE bug is to track the remaining gaps in order to graduate this feature into full support. Apart from full test coverage we also want to ensure that there is a robust upgrade/migration path between the current (iptables based) firewall driver and the OVS firewall driver so that customers would be able to smoothly (and automatically) convert their existing configuration and security-groups policies.
Comment 1 Nir Yechiel 2016-10-16 07:21:40 EDT
Note: this RFE talks specifically about OVS with its native kernel datapath. OVS-DPDK is out of scope and will be scoped/tested separately.

Link to previous, RHOSP 10 BZ (tech preview offering): https://bugzilla.redhat.com/show_bug.cgi?id=1310654

Link to related OSP director BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1367678
Comment 9 Nir Yechiel 2017-06-22 09:29:40 EDT
For RHOSP 12, this will be fully supported for greenfield deployment only. Migration path will be provided in a future release.
Comment 11 Ihar Hrachyshka 2017-07-05 16:04:29 EDT
My understanding is that the only missing bits to claim completion here are a bunch of neutron patches already posted for review and in good traction, and QE coverage.

For the latter, quoting Frank: "For the firewall driver, OVS-DPDK is expected to be tested, and a minor upgrade test has to be developed: RHOSP12 to RHOSP12.z1 has to work. However, RHOSP11 -> RHOSP12 has not to be tested as security groups are not supported with OVS-DPDK in RHOSP11."

dev:
- https://review.openstack.org/#/c/385085/ (has +w)
- https://review.openstack.org/#/c/473899/ (has +w)
- https://review.openstack.org/#/c/472692/ (has -1, needs Kuba's attention)

qe:
- minor upgrade with the new driver
- ovs-dpdk with the new driver
Comment 12 Ihar Hrachyshka 2017-07-05 16:06:20 EDT
Moving to POST since all patches seem to be on review.
Comment 13 Ihar Hrachyshka 2017-07-05 16:07:17 EDT
For the record, I created a separate RFE to follow up on migration path from iptables to openvswitch firewall driver: https://bugzilla.redhat.com/show_bug.cgi?id=1468035
Comment 14 Ihar Hrachyshka 2017-07-05 16:10:31 EDT
Clarification for comment#11: it's not clear if DPDK is in scope for the RFE, since Nir suggested before that we should focus on kernel path only. It's to be decided between PMs.
Comment 15 Ihar Hrachyshka 2017-07-05 16:25:12 EDT
Moving back to ON_DEV since it seems like POST is supposed to mean 'merged upstream' while ON_DEV is 'patches posted for review'.
Comment 17 Assaf Muller 2017-07-17 18:57:11 EDT
Quoting Hugh and Perry on the rhos-program ML:

Hugh: "I'll ask Perry to weigh in, but this looks like a reasonable request
to me, +1 pending his ACK."

Perry: "I reviewed the bz and looked at the gerrit reviews as well and also
spoke to Assaf a bit, and based on the above explanation I feel that
ACKing this is the right call."

Meanwhile, 2 out of the 3 patches needed to resolve outstanding bugs have been merged, and we expect the third to merge very soon. At that point we can flip the bug to MODIFIED and then ON_QA. It also happens that the QE test plan was already designed and executed so we're pretty far along in this RFE's cycle.
Comment 18 Assaf Muller 2017-07-20 12:01:28 EDT
The remaining work item here is https://review.openstack.org/#/c/385085/, other patches were recently merged. The linked patch presently has one +2, should merge soon.
Comment 19 Assaf Muller 2017-07-21 08:20:06 EDT
Last patch merged.
Comment 21 Toni Freger 2017-11-08 07:30:40 EST
Tested on latest osp12 with openstack-neutron-11.0.1-3.el7ost.noarch.rpm
Setup: 3 controllers and 2 computes

According to CI reports all neutron/security group tests passed successfully.
Comment 25 errata-xmlrpc 2017-12-13 15:49:23 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462