yahoo-eng-team team mailing list archive
Message #50966
[Bug 1560957] Re: ovs mech_driver depends on neutron server firewall_driver option instead of the agent firewall_driver option to determine if hybrid plug can be used
Reviewed: https://review.openstack.org/311814
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2f17a30ba04082889f3a703aca1884b031767942
Submitter: Jenkins
Branch: master
commit 2f17a30ba04082889f3a703aca1884b031767942
Author: Kevin Benton <kevin@xxxxxxxxxx>
Date: Fri Apr 29 18:01:51 2016 -0700
OVS Mech: Set hybrid plug based on agent config
This adjusts the logic in the OVS mechanism driver to determine
what the ovs_hybrid_plug value should be set to in the VIF details.
Previously it was based purely on the firewall driver configured on
the server side. This prevented a mixed environment where some agents
might be running a native OVS firewall driver while others are still
based on the IPTables hybrid driver.
This patch has the OVS agents report back whether they want hybrid
plugging in their configuration dictionary sent during report_state.
The OVS agent sets this based on an explicit attribute on the firewall
driver requesting OVS hybrid plugging.
To maintain backward compat, if an agent doesn't report this, the old
logic of basing it off of the server-side config is applied.
DocImpact: The server no longer needs to be configured with a firewall
driver for OVS. It will read config from agent state reports.
Closes-Bug: #1560957
Change-Id: Ie554c2d37ce036e7b51818048153b466eee02913
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1560957
Title:
ovs mech_driver depends on neutron server firewall_driver option
instead of the agent firewall_driver option to determine if hybrid
plug can be used
Status in neutron:
Fix Released
Bug description:
The ovs mechanism driver determines if hybrid plug should be used based on
the firewall_driver [1] setting that is made on the neutron server
[2].
IPTABLES_FW_DRIVER_FULL = ("neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver")
hybrid_plug_required = (cfg.CONF.SECURITYGROUP.firewall_driver in (IPTABLES_FW_DRIVER_FULL, 'iptables_hybrid'))
--> Only if the cfg.CONF.SECURITYGROUP.firewall_driver option is
configured to be hybrid, hybrid plug is enabled.
Let's assume you have a cloud with a few nodes running lb and some others running the ovs l2 agent.
- neutron server: firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver (for lb)
- cpu node1: neutron-lb-agt: firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver (for lb)
- cpu node 2: neutron-ovs-agt: firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver (for ovs)
Expected behavior
==============
ovs agent uses hybrid plug, as it is configured in its configuration
Actual result
==========
You'll never get a hybrid plug, as the neutron server only considers its own fw_driver option instead of the agent option
--> No Security Groups
I see two approaches that can be discussed
=================================
#1 allow listing of multiple fw drivers in the neutron server configuration file
#2 Determine the hybrid_plug_required variable based on the fw_driver
configured in the l2 agent (agent can report this to the server as part
of its regular state report and mech_driver can use this information
to set hybrid plug option correctly when port_binding is requested)
[1] http://docs.openstack.org/liberty/config-reference/content/networking-options-securitygroups.html
[2] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/mech_driver/mech_openvswitch.py#L49
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1560957/+subscriptions
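The binding decision described in the commit message above, sketched in Python as an added example (it is not the neutron code and not part of the original message). It compares the old server-only logic with the agent-report logic and lists hosts where the two disagree. The function names, the sample host entries and the assumption that the agent reports the value under the key ovs_hybrid_plug are hypothetical.

```python
# Added illustration, not neutron's implementation.
IPTABLES_FW_DRIVER_FULL = (
    "neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver")
HYBRID_DRIVERS = (IPTABLES_FW_DRIVER_FULL, "iptables_hybrid")
# Assumption: the agent reports its wish under the same name as the VIF detail.
HYBRID_KEY = "ovs_hybrid_plug"


def server_side_hybrid(server_firewall_driver):
    """Old logic: hybrid plug depends only on the server's firewall_driver."""
    return server_firewall_driver in HYBRID_DRIVERS


def vif_hybrid_plug(agent_configurations, server_firewall_driver):
    """New logic: use the agent's reported value, else fall back to the server."""
    if HYBRID_KEY in agent_configurations:
        return bool(agent_configurations[HYBRID_KEY])
    # Backward compat: an agent that reports nothing gets the old behaviour.
    return server_side_hybrid(server_firewall_driver)


def audit(agents, server_firewall_driver):
    """Return (host, old, new) for hosts where the two decisions differ.

    old=False with new=True is the case from the bug report: the port was
    bound without hybrid plug although the agent's iptables driver needs it.
    """
    old = server_side_hybrid(server_firewall_driver)
    mismatched = []
    for host, configurations in agents.items():
        new = vif_hybrid_plug(configurations, server_firewall_driver)
        if new != old:
            mismatched.append((host, old, new))
    return mismatched


# Constructed sample: server configured for lb as in the bug description.
SERVER_DRIVER = "neutron.agent.linux.iptables_firewall.IptablesFirewallDriver"
SAMPLE_AGENTS = {
    "node2": {HYBRID_KEY: True},   # OVS agent with the hybrid iptables driver
    "node3": {HYBRID_KEY: False},  # OVS agent with a native OVS firewall
    "node4": {},                   # older agent that does not report the key
}

if __name__ == "__main__":
    for host, old, new in audit(SAMPLE_AGENTS, SERVER_DRIVER):
        print(f"{host}: server-only logic gave {old}, agent requests {new}")
```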