Replacing the original description completely since now we are supporting migrating to ML2/OVN from ML2/OVS+iptables_hybrid firewall driver, Bug 2075038 - [ovn][migration][17.0] Support migration to ML2/OVN from ML2/OVS with hybrid firewall Bug 2075039 - [ovn][migration][16.2] Support migration to ML2/OVN from ML2/OVS with hybrid firewall While it's possible to migrate the environment, some related issues were found and should be documented until they are fixed. Issues with cold migration Bug 2103147 - [RFE] Consider hybrid plugging during cold migration OVS leftovers are not removed after live migration Bug 2109516 - [16.2][OVN migration] iptables hybrid OVS-specific leftovers (qbr/qvb/qvo) still exist after VM migration Bug 2106370 - [OSP17.0][OVN migration] iptables hybrid OVS-specific leftovers (qbr/qvb/qvo) still exist after VM migration
@In reply to Roman Safronov from comment #0) > Description of problem: > There are customers that are using ML2/OVS with iptables_hybrid firewall > driver but planning to migrate to OVN. The OVN migration is not supported > with iptables_hybrid firewall driver and will be blocked, see BZ2021987. > We need to document the procedure for switching ML2/OVS environment with > iptables_hybrid firewalls to ML2/OVS with openvswitch firewalls while there > are existing VMs that are using security groups created with iptables_hybrid > firewall. > > > Possible scenario: > > Step 1. Start from ML2/OVS + iptables_hybrid firewall driver and there are > VMs with security groups. > Make sure that the environment has iptables_hybrid driver configured on all > compute nodes. Important: there should be at least 2 compute nodes, the > below scenario supposes that there are 2 compute nodes. > > Expected result 1: > The workload VMs use hybrid connection, through ovs bridge. > > > Step 2: > Free one of the compute nodes from the running VMs e.g. live/cold migrate > the workload VMs to another compute node. Do we really need to do this? If we migrate all (or part) of the compute nodes to hybrid firewall, they will still work using the intermediate linux bridge. Afterwards we need to ensure that all the workloads have the hybrid plugging removed by cold/live migrating or rebooting them. no? > > Expected result 2: > VMs migration completed successfully, VMs are accessible, There is one > compute node that do not have running VMs > > Step 3: > Change the firewall driver on the free compute node to openvswitch, see > details at > https://docs.openstack.org/neutron/latest/admin/config-ovsfwdriver.html how > to enable the OVS firewall driver. > Then live/cold migrate VMs to this compute node. > > Expected result 3: > VMs migration to the compute node with openvswitch firewall driver completed > successfully, VMs are connected directly without an intermediate bridge. VMs > are accessible according to security group settings. Second compute node is > free of running VMs. > > > Step 4: > Change the firewall driver on the free compute node to openvswitch, see > details at > https://docs.openstack.org/neutron/latest/admin/config-ovsfwdriver.html how > to enable the OVS firewall driver. > and live/cold migrate half of the VMs to this node. > > Expected result 4: > VMs migration completed successfully, VMs are conected directly without an > intermediate bridge. VMs are accessible according to security group settings. > > After that perform OVS to OVN migration according to the official procedure > from the documentation.
There is a section "Upgrade path from iptables hybrid driver" in the upstream openstack documentation, see link https://docs.openstack.org/neutron/latest/contributor/internals/openvswitch_firewall.html#upgrade-path-from-iptables-hybrid-driver
*** Bug 2143568 has been marked as a duplicate of this bug. ***
*** Bug 2144089 has been marked as a duplicate of this bug. ***