Bug 1656443 - Supported migration path to migrate from "Openvswitch Firewall Driver"
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 10.0 (Newton)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 10.0 (Newton)
Assignee: Brian Haley
QA Contact: Roee Agiman
Reported: 2018-12-05 14:10 UTC by Sandeep Yadav
Modified: 2022-07-09 10:26 UTC (History)
Last Closed: 2019-04-30 16:58:15 UTC
Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker   OSP-13878       0        None      None    None     2022-03-13 17:14:54 UTC
Red Hat Product Errata  RHSA-2019:0916  0        None      None    None     2019-04-30 16:58:23 UTC

Description Sandeep Yadav 2018-12-05 14:10:36 UTC
Description of problem:

Supported migration path to migrate from "Openvswitch Firewall Driver" 

The 'Network Functions Virtualization Configuration Guide'[1] for RHOSP 10 repeatedly states 'NeutronOVSFirewallDriver: openvswitch' in the sample configurations, which is contradictory to the release notes[2]. Snippet: [3]. The same was also reported in [4] & [5].


As the "Openvswitch Firewall Driver" is in tech preview for OSP10 and not supported for production environments, can we please have a tested procedure to migrate away from the Openvswitch Firewall Driver in an already deployed environment, with no/minimum impact in NFV and normal OVS environments, to be on a supported configuration?


[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/network_functions_virtualization_configuration_guide/assembly-config-sriov-dpdk-vxlan-vlan#p-sriov-dpdk-2-vlan-networkenv
[2] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html-single/release_notes/index#idm140038152796864
[3]
	~~~
	Configure the parameters for SR-IOV:

	  NeutronSupportedPCIVendorDevs: ['8086:154d', '8086:10ed']
	  NovaPCIPassthrough:
	    - devname: "ens2f1"
	      physical_network: "tenant"

	  NeutronPhysicalDevMappings: "tenant:ens2f1"
	  NeutronSriovNumVFs: "ens2f1:5"
	  NeutronEnableIsolatedMetadata: true
	  NeutronEnableForceMetadata: true
	  # Global MTU.
	  NeutronGlobalPhysnetMtu: 9000
	  # Configure the classname of the firewall driver to use for implementing security groups.
	  NeutronOVSFirewallDriver: openvswitch
	~~~
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1601112#c8
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1656420



Version-Release number of selected component (if applicable): 

Red Hat OpenStack version 10.0



Actual results:

No tested procedure currently

Expected results:

A tested procedure to migrate away from the Openvswitch Firewall Driver in an already deployed environment, with no/minimum impact in NFV (to noop) and normal OVS environments (to iptables-based firewall), to be on a supported configuration.


Additional info:

Comment 5 AMOL LONARE 2018-12-25 03:58:49 UTC
Any update on this BZ?

Comment 10 Brian Haley 2019-01-28 23:30:04 UTC
Hi Sandeep,

Yes, that is the draft I was referencing.  The goal would be to only have the firewall driver setting different on nodes when doing the migrations, then set it with Director to be consistent.  I'm not sure if you can have it different depending on the node.
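
An added example, not part of the original comment and not Red Hat's procedure: a per-node audit for the mixed state described above, reporting which nodes still run the `openvswitch` driver and whether the deployment is consistent again. It assumes the agent setting is `firewall_driver` under `[securitygroup]` in each node's `openvswitch_agent.ini`; the node names, role labels and target drivers (`noop` for NFV, `iptables_hybrid` for normal OVS) are constructed assumptions based on the reporter's expected results.

```python
import configparser

# Driver the bug report describes as tech preview in OSP 10.
UNSUPPORTED = "openvswitch"

def firewall_driver(ini_text):
    """Return [securitygroup]/firewall_driver from agent config text, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    value = cp.get("securitygroup", "firewall_driver", fallback=None)
    if value is None or not value.strip():
        return None
    return value.strip()

def audit(nodes, targets):
    """nodes: {name: (role, ini_text)}; targets: {role: expected driver}.
    Returns {name: (driver, status)}."""
    report = {}
    for name, (role, ini_text) in sorted(nodes.items()):
        driver = firewall_driver(ini_text)
        if driver == UNSUPPORTED:
            status = "pending"     # still on the tech-preview driver
        elif driver is not None and driver == targets.get(role):
            status = "migrated"    # matches the planned driver for this role
        else:
            status = "unexpected"  # unset, or a driver nobody planned for
        report[name] = (driver, status)
    return report

def consistent(report):
    """True once no node is pending or unexpected, i.e. the per-node
    differences allowed during the migration are gone."""
    return all(status == "migrated" for _, status in report.values())

# Constructed sample: config text as collected from three nodes mid-migration.
SAMPLE = {
    "compute-0": ("ovs", "[securitygroup]\nfirewall_driver = iptables_hybrid\n"),
    "compute-1": ("ovs", "[securitygroup]\nfirewall_driver = openvswitch\n"),
    "computeovsdpdk-0": ("nfv", "[DEFAULT]\ndebug = False\n"
                                "[securitygroup]\n# set per node\n"
                                "firewall_driver = noop\n"),
}
TARGETS = {"ovs": "iptables_hybrid", "nfv": "noop"}  # assumed migration plan

if __name__ == "__main__":
    result = audit(SAMPLE, TARGETS)
    for node, (driver, status) in result.items():
        print(f"{node:18} {driver!s:16} {status}")
    print("consistent:", consistent(result))
```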

Comment 19 errata-xmlrpc 2019-04-30 16:58:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0916

