yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1652071] [NEW] Implement migration from iptables-based security groups to ovsfw

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: John Schwarz <jschwarz@xxxxxxxxxx>
Date: Thu, 22 Dec 2016 14:34:06 -0000
Reply-to: Bug 1652071 <1652071@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

When switching an ovs-agent from iptables to ovsfw, new instances will
be created using the ovsfw, but old instances will stick with iptables.
In fact, there isn't a way to migrate an instance from iptables to
ovsfw, and one should be provided.

Considerations:
a. It isn't enough to just remove the qvo/qvb/qbr interfaces and then attach the tap device directly to the integration bridge - we should also change the domain xml of the instance itself, so that when migrating an instance from one compute node to the other, nova won't depend on non-existent devices. Should this be done in Nova or in Neutron? Should Nova be notified?
b. On Neutron side, we should also change the Port table to indicate a change. This might require a new RPC call from the agent side.

** Affects: neutron
Importance: Undecided
Status: New

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1652071

Title:
Implement migration from iptables-based security groups to ovsfw

Status in neutron:
New

Bug description:
When switching an ovs-agent from iptables to ovsfw, new instances will
be created using the ovsfw, but old instances will stick with
iptables. In fact, there isn't a way to migrate an instance from
iptables to ovsfw, and one should be provided.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1652071/+subscriptions

Follow ups

[Bug 1652071] Re: [RFE] Implement migration from iptables-based security groups to ovsfw
From: Brian Haley, 2024-06-13