Bug 1385341 - [RFE] [Neutron] OVS firewall driver - full support with kernel based OVS
Summary: [RFE] [Neutron] OVS firewall driver - full support with kernel based OVS
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Target Milestone: Upstream M3
Target Release: 12.0 (Pike)
Assignee: Jakub Libosvar
QA Contact: Toni Freger
Depends On:
Blocks: 1442136 1501603
Reported: 2016-10-16 11:17 UTC by Nir Yechiel
Modified: 2018-02-05 19:02 UTC (History)

Fixed In Version: openstack-neutron-11.0.0-0.20170807223712.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-12-13 20:49:23 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Launchpad 1626010 0 None None None 2017-07-03 12:18:02 UTC
Launchpad 1697593 0 None None None 2017-07-03 12:18:39 UTC
OpenStack gerrit 385085 0 'None' MERGED ovsfw: Fix overlapping MAC addresses on integration bridge 2021-01-21 10:45:25 UTC
OpenStack gerrit 472692 0 'None' MERGED ovs-fw: Use TRANSIENT table for traffic classification 2021-01-21 10:44:43 UTC
OpenStack gerrit 473899 0 'None' MERGED Introduce trusted ports to firewall driver API 2021-01-21 10:45:24 UTC
Red Hat Bugzilla 1310654 0 medium CLOSED [RFE] [Neutron] [RHEL 7.3] Open vSwitch (conntrack) firewall driver for kernel OVS 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1367678 0 medium CLOSED [RFE] [Neutron] [OSP-director] Add support for OVS conntrack firewall_driver 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHEA-2017:3462 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-16 01:43:25 UTC

Internal Links: 1310654 1367678

Description Nir Yechiel 2016-10-16 11:17:33 UTC
Description of problem:

With RHOSP 10 we introduced a new OVS firewall driver as a technology preview (see BZ 1310654). The new firewall driver is capable of filtering packets based on specified security groups using Open vSwitch only, thanks to integration with conntrack.

The purpose of this RFE bug is to track the remaining gaps in order to graduate this feature into full support. Apart from full test coverage we also want to ensure that there is a robust upgrade/migration path between the current (iptables based) firewall driver and the OVS firewall driver so that customers would be able to smoothly (and automatically) convert their existing configuration and security-groups policies.
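A defender's check for the driver described above, added here as an example and not part of the bug report: it reads the `[securitygroup]` section of the OVS agent ini and looks for the conntrack (`ct_state`) matches that the OVS firewall driver installs on br-int, so a node that is configured for the new driver but carries no conntrack flows stands out. The ini snippet and the `ovs-ofctl dump-flows br-int` excerpt are constructed samples.

```python
import configparser
import re

# Constructed sample in the shape of /etc/neutron/plugins/ml2/openvswitch_agent.ini.
SAMPLE_AGENT_INI = """\
[securitygroup]
firewall_driver = openvswitch
enable_security_group = True
"""

# Constructed excerpt shaped like `ovs-ofctl dump-flows br-int` on a node running the
# conntrack-based driver: security-group rules are expressed as ct_state matches.
SAMPLE_FLOW_DUMP = """\
 cookie=0x1, table=0, priority=100,in_port=3 actions=load:0x3->NXM_NX_REG5[],resubmit(,71)
 cookie=0x1, table=71, priority=95,icmp6,reg5=0x3,in_port=3,icmp_type=130 actions=resubmit(,94)
 cookie=0x1, table=72, priority=70,ct_state=+est-rel-rpl,ip,reg5=0x3 actions=resubmit(,94)
 cookie=0x1, table=72, priority=50,ct_state=+inv+trk actions=drop
"""

CT_STATE_RE = re.compile(r"ct_state=([+\-a-z]+)")


def configured_driver(ini_text):
    """Return (firewall_driver, enable_security_group) from an agent ini."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    driver = cp.get("securitygroup", "firewall_driver", fallback="")
    enabled = cp.getboolean("securitygroup", "enable_security_group", fallback=True)
    return driver, enabled


def conntrack_flows(flow_dump):
    """Return every ct_state match expression found in a flow dump."""
    return CT_STATE_RE.findall(flow_dump)


def assess(ini_text, flow_dump):
    """Summarise whether security-group enforcement matches the configured driver."""
    driver, enabled = configured_driver(ini_text)
    ct = conntrack_flows(flow_dump)
    if not enabled:
        return "security groups disabled"
    if driver == "openvswitch" and not ct:
        return "openvswitch driver configured but no ct_state flows on br-int"
    if driver == "openvswitch":
        return "openvswitch driver active (%d conntrack flows)" % len(ct)
    if driver in ("iptables_hybrid", "iptables"):
        return "iptables-based driver configured"
    return "unknown or missing firewall_driver"
```

On a real node, feed `assess()` the agent ini and the output of `ovs-ofctl dump-flows br-int` taken from that host.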

Comment 1 Nir Yechiel 2016-10-16 11:21:40 UTC
Note: this RFE talks specifically about OVS with its native kernel datapath. OVS-DPDK is out of scope and will be scoped/tested separately.

Link to previous, RHOSP 10 BZ (tech preview offering): https://bugzilla.redhat.com/show_bug.cgi?id=1310654

Link to related OSP director BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1367678

Comment 9 Nir Yechiel 2017-06-22 13:29:40 UTC
For RHOSP 12, this will be fully supported for greenfield deployment only. Migration path will be provided in a future release.

Comment 11 Ihar Hrachyshka 2017-07-05 20:04:29 UTC
My understanding is that the only missing bits to claim completion here are a bunch of neutron patches already posted for review and in good traction, and QE coverage.

For the latter, quoting Frank: "For the firewall driver, OVS-DPDK is expected to be tested, and a minor upgrade test has to be developed: RHOSP12 to RHOSP12.z1 has to work. However, RHOSP11 -> RHOSP12 does not have to be tested as security groups are not supported with OVS-DPDK in RHOSP11."

- https://review.openstack.org/#/c/385085/ (has +w)
- https://review.openstack.org/#/c/473899/ (has +w)
- https://review.openstack.org/#/c/472692/ (has -1, needs Kuba's attention)

- minor upgrade with the new driver
- ovs-dpdk with the new driver

Comment 12 Ihar Hrachyshka 2017-07-05 20:06:20 UTC
Moving to POST since all patches seem to be on review.

Comment 13 Ihar Hrachyshka 2017-07-05 20:07:17 UTC
For the record, I created a separate RFE to follow up on migration path from iptables to openvswitch firewall driver: https://bugzilla.redhat.com/show_bug.cgi?id=1468035

Comment 14 Ihar Hrachyshka 2017-07-05 20:10:31 UTC
Clarification for comment #11: it's not clear if DPDK is in scope for the RFE, since Nir suggested before that we should focus on the kernel path only. It's to be decided between PMs.

Comment 15 Ihar Hrachyshka 2017-07-05 20:25:12 UTC
Moving back to ON_DEV since it seems like POST is supposed to mean 'merged upstream' while ON_DEV is 'patches posted for review'.

Comment 17 Assaf Muller 2017-07-17 22:57:11 UTC
Quoting Hugh and Perry on the rhos-program ML:

Hugh: "I'll ask Perry to weigh in, but this looks like a reasonable request
to me, +1 pending his ACK."

Perry: "I reviewed the bz and looked at the gerrit reviews as well and also
spoke to Assaf a bit, and based on the above explanation I feel that
ACKing this is the right call."

Meanwhile, 2 out of the 3 patches needed to resolve outstanding bugs have been merged, and we expect the third to merge very soon. At that point we can flip the bug to MODIFIED and then ON_QA. It also happens that the QE test plan was already designed and executed so we're pretty far along in this RFE's cycle.

Comment 18 Assaf Muller 2017-07-20 16:01:28 UTC
The remaining work item here is https://review.openstack.org/#/c/385085/, other patches were recently merged. The linked patch presently has one +2, should merge soon.

Comment 19 Assaf Muller 2017-07-21 12:20:06 UTC
Last patch merged.

Comment 21 Toni Freger 2017-11-08 12:30:40 UTC
Tested on latest osp12 with openstack-neutron-11.0.1-3.el7ost.noarch.rpm
Setup: 3 controllers and 2 computes

According to CI reports all neutron/security group tests passed successfully.

Comment 25 errata-xmlrpc 2017-12-13 20:49:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
