
yahoo-eng-team team mailing list archive

[Bug 1560957] [NEW] ovs mech_driver depends on neutron server firewall_driver option instead of the agent firewall_driver option to determine if hybrid plug can be used

 

Public bug reported:

The ovs mechanism driver determines if hybrid plug should be used along
the firewall_driver [1] setting that is made on the neutron server [2].

        IPTABLES_FW_DRIVER_FULL = ("neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver")
        hybrid_plug_required = (cfg.CONF.SECURITYGROUP.firewall_driver in (IPTABLES_FW_DRIVER_FULL, 'iptables_hybrid'))

--> Only if the cfg.CONF.SECURITYGROUP.firewall_driver option is
configured to be hybrid, hybrid plug is enabled.


Let's assume you have a cloud, with a few nodes running lb and some other running ovs l2 agent. 
- neutron server: firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver          (for lb)
- cpu node1: neutron-lb-agt: firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver          (for lb)
- cpu node 2: neutron-ovs-agt: firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver (for ovs)


Expected behavior
==============
ovs agent uses hybrid plug, as it is configured in its configuration

Actual result
==========

You'll never get a hybrid plug, as the neutron server only considers its own fw_driver option instead of the agent option
--> No Security Groups

I see two approaches that can be discussed
=================================


#1 allow listing of multiple fw drivers in the neutron server configuration file

#2 Determine the hybrid_plug_required variable along the fw_driver
configured in the l2 agent (agent can report this to the server as part
of its regular state report and mech_driver can use this information to
set hybrid plug option correctly when port_binding is requested)


[1] http://docs.openstack.org/liberty/config-reference/content/networking-options-securitygroups.html
[2] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/mech_driver/mech_openvswitch.py#L49

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: ovs sg-fw

** Summary changed:

- ovs mech driver depends on neutron server firewall_driver option instead of the agent firewall driver to determine if hybrid plug can be used
+ ovs mech_driver depends on neutron server firewall_driver option instead of the agent firewall_driver option to determine if hybrid plug can be used

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1560957
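
Added example (not part of the original bug report and not neutron's own code): a small audit that contrasts the server-wide check quoted in the report with the per-agent decision proposed as approach #2, run over the mixed lb/ovs deployment described above. The function names, the host names, and the `firewall_driver` key inside the agent's reported `configurations` are assumptions made for illustration.

```python
# Added illustration; function and key names are hypothetical, not neutron's API.
IPTABLES_FW_DRIVER_FULL = (
    "neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver")
IPTABLES_FW_DRIVER = (
    "neutron.agent.linux.iptables_firewall.IptablesFirewallDriver")
HYBRID_DRIVERS = (IPTABLES_FW_DRIVER_FULL, "iptables_hybrid")

# Constructed sample data mirroring the mixed lb/ovs deployment in the report.
SERVER_FIREWALL_DRIVER = IPTABLES_FW_DRIVER
AGENTS = [
    {"host": "cpu-node1", "binary": "neutron-lb-agt",
     "configurations": {"firewall_driver": IPTABLES_FW_DRIVER}},
    {"host": "cpu-node2", "binary": "neutron-ovs-agt",
     "configurations": {"firewall_driver": IPTABLES_FW_DRIVER_FULL}},
]


def hybrid_plug_from_server(server_driver):
    """Behaviour described in the report: one server-wide answer."""
    return server_driver in HYBRID_DRIVERS


def hybrid_plug_from_agent(agent, server_driver):
    """Approach #2: prefer the driver the agent reported; fall back to the
    server option for agents that do not report one."""
    reported = agent.get("configurations", {}).get("firewall_driver")
    return (reported or server_driver) in HYBRID_DRIVERS


def audit(agents, server_driver):
    """Return hosts whose own driver needs hybrid plug but would not get it
    under the server-wide check, i.e. ports left without security groups."""
    server_says = hybrid_plug_from_server(server_driver)
    return [a["host"] for a in agents
            if hybrid_plug_from_agent(a, server_driver) and not server_says]


if __name__ == "__main__":
    for host in audit(AGENTS, SERVER_FIREWALL_DRIVER):
        print(f"{host}: agent expects hybrid plug, server would not request it")
```
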
