Bug 1656443 - Supported migration path to migrate from "Openvswitch Firewall Driver"
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 10.0 (Newton)
Hardware: x86_64
OS: Linux
Target Milestone: ---
: 10.0 (Newton)
Assignee: Brian Haley
QA Contact: Roee Agiman
Depends On:
Reported: 2018-12-05 14:10 UTC by Sandeep Yadav
Modified: 2019-04-30 16:58 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-04-30 16:58:15 UTC
Target Upstream Version:


System: Red Hat Product Errata
ID: RHSA-2019:0916
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2019-04-30 16:58:23 UTC

Description Sandeep Yadav 2018-12-05 14:10:36 UTC
Description of problem:

Supported migration path to migrate from "Openvswitch Firewall Driver" 

The 'Network Functions Virtualization Configuration Guide'[1] for RHOSP 10 repeatedly states 'NeutronOVSFirewallDriver: openvswitch' in the sample configurations, which is contradictory to the release notes[2]. Snippet[3]. The same was also reported in [4] & [5].

As for OSP10, the "Openvswitch Firewall Driver" is in tech preview and not supported for production environments. Can we please have a tested procedure to migrate away from the Openvswitch Firewall Driver in an already deployed environment, with no/minimum impact in NFV and normal OVS environments, to be on a supported configuration?

[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/network_functions_virtualization_configuration_guide/assembly-config-sriov-dpdk-vxlan-vlan#p-sriov-dpdk-2-vlan-networkenv
[2] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html-single/release_notes/index#idm140038152796864
	Configure the parameters for SR-IOV:

	  NeutronSupportedPCIVendorDevs: ['8086:154d', '8086:10ed']
	    - devname: "ens2f1"
	      physical_network: "tenant"

	  NeutronPhysicalDevMappings: "tenant:ens2f1"
	  NeutronSriovNumVFs: "ens2f1:5"
	  NeutronEnableIsolatedMetadata: true
	  NeutronEnableForceMetadata: true
	  # Global MTU.
	  NeutronGlobalPhysnetMtu: 9000
	  # Configure the classname of the firewall driver to use for implementing security groups.
	  NeutronOVSFirewallDriver: openvswitch
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1601112#c8
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1656420

Version-Release number of selected component (if applicable): 

RedHat OpenStack Version 10.0

How reproducible:

Steps to Reproduce:

Actual results:

No tested procedure currently

Expected results:

A tested procedure to migrate away from the Openvswitch Firewall Driver in an already deployed environment, with no/minimum impact in NFV (to noop) and normal OVS environments (to iptables-based firewall), to be on a supported configuration.

Additional info:

Comment 5 AMOL LONARE 2018-12-25 03:58:49 UTC
Any update on this BZ?

Comment 10 Brian Haley 2019-01-28 23:30:04 UTC
Hi Sandeep,

Yes, that is the draft I was referencing.  The goal would be to only have the firewall driver setting different on nodes when doing the migrations, then set it with Director to be consistent.  I'm not sure if you can have it different depending on the node.

Comment 19 errata-xmlrpc 2019-04-30 16:58:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

