libvirt on the host does not work when *not* using iptables firewall driver
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
kolla-ansible |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
I'm trying to use the libvirt on the host feature (https:/
2022-11-01 15:30:34.997 7 ERROR nova.compute.
2022-11-01 15:30:34.997 7 ERROR nova.compute.
2022-11-01 15:30:34.997 7 ERROR nova.compute.
2022-11-01 15:30:34.997 7 ERROR nova.compute.
It seems libvirt is looking for ovs-vsctl on the host. The following solution seemed to workaround the issue:
(venv-openstack) [cloud-
#!/bin/bash
docker exec openvswitch_
I noticed that the libvirt xml interface definition looks like:
<interface type='bridge'>
<mac address=
<source bridge='br-int'/>
<virtualport type='openvswitch'>
<parameters interfaceid=
<
<target dev='tap52b5be5
<model type='virtio'/>
<driver name='qemu'/>
<mtu size='1500'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
compared to an OVS installation:
<interface type='bridge'>
<mac address=
<source bridge=
<target dev='tap20cdb40
<model type='virtio'/>
<driver name='vhost' queues='4'/>
<mtu size='1450'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
I believe the difference relates to the following option that we configure on openvswitch agent:
ml2_conf.
From https:/
Historically, Open vSwitch (OVS) could not interact directly with iptables to implement security groups. Thus, the OVS agent and Compute service use a Linux bridge between each instance (VM) and the OVS integration bridge br-int to implement security groups.
I think this means that this would also affect OVS deployments that changed the firewall driver to openvswitch.
Just realised this is more of a kayobe bug as kolla-ansible doesn't actually do the libvirt installation.