[RFE] Implement migration from iptables-based security groups to ovsfw

Bug #1652071 reported by John Schwarz
Affects: neutron
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned
Milestone: (not set)

Bug Description

When switching an ovs-agent from iptables to ovsfw, new instances will be created using the ovsfw, but old instances will stick with iptables. In fact, there isn't a way to migrate an instance from iptables to ovsfw, and one should be provided.

Considerations:
a. It isn't enough to just remove the qvo/qvb/qbr interfaces and then attach the tap device directly to the integration bridge - we should also change the domain XML of the instance itself, so that when migrating an instance from one compute node to the other, nova won't depend on non-existent devices. Should this be done in Nova or in Neutron? Should Nova be notified?
b. On the Neutron side, we should also change the Port table to indicate a change. This might require a new RPC call from the agent side.
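
The domain XML dependency raised in consideration (a), as an added example that is not part of the original bug report or of Neutron/Nova code: a Python check that classifies each interface of a libvirt domain by how it is plugged, so instances still bound to a qbr bridge can be listed before the firewall driver is switched. The sample XML is constructed, and the integration bridge name `br-int` and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the bug report): one interface
# plugged through a qbr Linux bridge, one plugged directly into br-int.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>instance-00000001</name>
  <devices>
    <interface type='bridge'>
      <source bridge='qbr11111111-aa'/>
      <target dev='tap11111111-aa'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br-int'/>
      <virtualport type='openvswitch'/>
      <target dev='tap22222222-bb'/>
    </interface>
  </devices>
</domain>
"""


def classify_interfaces(domain_xml, integration_bridge="br-int"):
    """Return {tap device: 'hybrid' | 'ovs' | 'unknown'} for one domain."""
    result = {}
    root = ET.fromstring(domain_xml)
    for iface in root.findall("./devices/interface"):
        source = iface.find("source")
        target = iface.find("target")
        vport = iface.find("virtualport")
        bridge = source.get("bridge", "") if source is not None else ""
        dev = target.get("dev", "?") if target is not None else "?"
        if bridge.startswith("qbr"):
            # iptables hybrid plugging: the domain depends on a qbr bridge.
            result[dev] = "hybrid"
        elif (bridge == integration_bridge and vport is not None
              and vport.get("type") == "openvswitch"):
            # Tap device attached directly to the integration bridge.
            result[dev] = "ovs"
        else:
            result[dev] = "unknown"
    return result


def needs_migration(domain_xml, integration_bridge="br-int"):
    """Sorted tap devices whose domain XML still references a qbr bridge."""
    kinds = classify_interfaces(domain_xml, integration_bridge)
    return sorted(dev for dev, kind in kinds.items() if kind == "hybrid")
```
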

tags: added: ovs-fw rfe
summary: - Implement migration from iptables-based security groups to ovsfw
+ [RFE] Implement migration from iptables-based security groups to ovsfw
Changed in neutron:
assignee: nobody → John Schwarz (jschwarz)
status: New → In Progress
John Schwarz (jschwarz)
Changed in neutron:
assignee: John Schwarz (jschwarz) → nobody
Changed in neutron:
status: In Progress → Incomplete
importance: Undecided → Wishlist
Kevin Benton (kevinbenton) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
status: Incomplete → New
tags: added: timeout-abandon
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Kevin Benton (<email address hidden>) on branch: master
Review: https://review.openstack.org/413082
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Armando Migliaccio (armando-migliaccio) wrote :

I suppose if we are ever going to mark OVS Firewall as the default firewall in the future, we need to come to an agreement on what we're going to do for existing deployments.

Changed in neutron:
status: New → Incomplete
status: Incomplete → Triaged
Kevin Benton (kevinbenton) wrote :

Marking this as postponed for now. Let's focus on getting live migration between firewall types to work.

tags: added: rfe-postponed
removed: rfe timeout-abandon
Kevin Benton (kevinbenton) wrote :

We can revisit once we want to deprecate the hybrid driver.
