openstack-manuals

L2 agent securitygroup config not documented

Bug #1660687 reported by Boden R
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Confirmed
Undecided
Unassigned
openstack-manuals
Won't Fix
Low
Unassigned

Bug Description

This bug was generated after further inspecting [1].

IIUC based on [1], L2 agents with mixed securitygroup firewall drivers are now supported and can be achieved by setting the firewall_driver on each agent::

  [securitygroup]
  firewall_driver = driver_for_agent

This is then reported and used by neutron server (IIUC the server firewall_driver will be used if the agent doesn't report its driver for backwards compat).
The mix approach appears to be reflected in the deploy OVS providers section of the networking guide (ex [2]).

However when following/viewing the config ref for the L2 agents [3], the [securitygroups] section isn't even mentioned. For example [4]. I do see security groups documented in [5], but as a deployer/admin it's not clear how I associate [5] with the L2 agent configs [3].

Is there someway we can make it more clear that [5] is applicable to the L2 agents?

[1] https://bugs.launchpad.net/neutron/+bug/1607724
[2] http://docs.openstack.org/newton/networking-guide/deploy-ovs-provider.html
[3] http://docs.openstack.org/newton/networking-guide/config-ml2.html#agents
[4] http://docs.openstack.org/newton/config-reference/networking/networking_options_reference.html#open-vswitch-agent-configuration-options
[5] http://docs.openstack.org/newton/config-reference/networking/networking_options_reference.html#security-groups

See original description
Revision history for this message
Alexandra Settle (alexandra-settle) wrote :

John?

tags: added: networking-guide
Changed in openstack-manuals:
importance: Undecided → Low
Boden R (boden)
description: updated
John Davidge (john-davidge)
tags: added: config-reference
Revision history for this message
John Davidge (john-davidge) wrote :

Looks like [1] needs to be updated to describe the hybrid driver system.

[2] Definitely needs updating to mention the option.

[3] Made changes to the linuxbridge docs, despite this change only applying to OVS, so that's a bit confusing.

The description in [4] could certainly offer more detail.

[1] http://docs.openstack.org/draft/networking-guide/config-ovsfwdriver.html
[2] http://docs.openstack.org/newton/config-reference/networking/networking_options_reference.html#open-vswitch-agent-configuration-options
[3] https://review.openstack.org/#/c/377830
[4] http://docs.openstack.org/newton/config-reference/networking/networking_options_reference.html#security-groups

Changed in openstack-manuals:
status: New → Confirmed
Revision history for this message
Thomas Maddox (thomas-maddox) wrote :

Had a short chat in IRC. I think as part of the solution here, we need to evolve [1] into a higher-level document describing the firewall driver config option and how its used, including the documentation on how one could configure different firewall drivers on each agent. So, the tasks would be:

* Satisfy the most immediate concern for this bug according to John's comment above
* Modify this document to be higher-level with a section for each available driver describing its use and relevance.
* Ensure section describing heterogeneous driver capability in the higher-level context.

[1] http://docs.openstack.org/draft/networking-guide/config-ovsfwdriver.html

Revision history for this message
Thomas Maddox (thomas-maddox) wrote :

By "this document" I mean [1].

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/458911

Changed in openstack-manuals:
assignee: nobody → Thomas Maddox (thomas-maddox)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/458911
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=ff028f638cb290569624aac2ccfcb82d6c846f29
Submitter: Jenkins
Branch: master

commit ff028f638cb290569624aac2ccfcb82d6c846f29
Author: Thomas Maddox <email address hidden>
Date: Fri Apr 21 11:14:07 2017 -0500

    Add section describing heterogeneous firewall drivers

    There is now support for mixed firewall drivers configured on
    L2 agents. This patch adds some documentation to help highlight
    and explain that capability.

    Change-Id: I99024f9ef392c3e14a416646113d5b47f982563f
    Partial-Bug: 1660687

Alexandra Settle (alexandra-settle)
Changed in openstack-manuals:
assignee: Thomas Maddox (thomas-maddox) → nobody
Alexandra Settle (alexandra-settle)
Changed in openstack-manuals:
assignee: nobody → Alexandra Settle (alexandra-settle)
Alexandra Settle (alexandra-settle)
Changed in openstack-manuals:
assignee: Alexandra Settle (alexandra-settle) → nobody
Alexandra Settle (alexandra-settle)
Changed in neutron:
status: New → Confirmed
Changed in openstack-manuals:
status: In Progress → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.