Description of problem: Supported migration path to migrate from "Openvswitch Firewall Driver" 'Network Functions Virtualization Configuration Guide'[1] for RHOSP 10 repeatedly state 'NeutronOVSFirewallDriver: openvswitch' in the sample configurations which is contradictory to the release notes[2]., Snippet[3]. Same was also reported in [4] & [5]. As for OSP10 "Openvswitch Firewall Driver" is in tech preview and not supported for production environment, Can we please have a tested procedure to migrate away from Openvswitch Firewall Driver in already deployed environment with no/minimum Impact in NFV and normal ovs environment to be on supported configuration. [1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/network_functions_virtualization_configuration_guide/assembly-config-sriov-dpdk-vxlan-vlan#p-sriov-dpdk-2-vlan-networkenv [2] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html-single/release_notes/index#idm140038152796864 [3] ~~~ Configure the parameters for SR-IOV: NeutronSupportedPCIVendorDevs: ['8086:154d', '8086:10ed'] NovaPCIPassthrough: - devname: "ens2f1" physical_network: "tenant" NeutronPhysicalDevMappings: "tenant:ens2f1" NeutronSriovNumVFs: "ens2f1:5" NeutronEnableIsolatedMetadata: true NeutronEnableForceMetadata: true # Global MTU. NeutronGlobalPhysnetMtu: 9000 # Configure the classname of the firewall driver to use for implementing security groups. NeutronOVSFirewallDriver: openvswitch ~~~ [4] https://bugzilla.redhat.com/show_bug.cgi?id=1601112#c8 [5] https://bugzilla.redhat.com/show_bug.cgi?id=1656420 Version-Release number of selected component (if applicable): RedHat OpenStack Version 10.0 How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: No tested procedure currently Expected results: A tested procedure to migrate away from Openvswitch Firewall Driver in already deployed environment with no/minimum Impact in NFV(To noop) and normal ovs environment(to iptable based firewall) to be on supported configuration. Additional info:
Any update on this BZ?
Hi Sandeep, Yes, that is the draft I was referencing. The goal would be to only have the firewall driver setting different on nodes when doing the migrations, then set it with Director to be consistent. I'm not sure if you can have it different depending on the node.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:0916