Libvirt driver cannot avoid ovs_hybrid

Bug #1336624 reported by Ryota Mibu on 2014-07-02
30
This bug affects 5 people
Affects Status Importance Assigned to Milestone
neutron
Low
Ryota Mibu
Icehouse
Undecided
Unassigned
Juno
Undecided
Unassigned

Bug Description

This bug is related to Nova and Neutron.

Libvirt driver cannot avoid ovs_hybrid though if NoopFirewallDriver is selected, while using LibvirtGenericVIFDriver at Nova and ML2+OVS at Neutron.

Since Nova follows "binding:vif_detail" from Neutron [1], that is intended behavior. OVS mech driver in Neutron always return the following vif_detail:

  vif_details: {
    "port_filter": true,
    "ovs_hybrid_plug": true,
  }

So, Neutron is right place to configure to avoid ovs_hybrid plugging. I think we can set ovs_hybrid_plug=False in OVS mech driver if security_group is disabled.

[1] https://review.openstack.org/#/c/83190/

tags: added: sg-fw
Changed in neutron:
importance: Undecided → Low
assignee: nobody → Eugene Nikanorov (enikanorov)
status: New → Confirmed

Fix proposed to branch: master
Review: https://review.openstack.org/104240

Changed in neutron:
assignee: Eugene Nikanorov (enikanorov) → Ryota Mibu (r-mibu)
status: Confirmed → In Progress
Changed in neutron:
milestone: none → kilo-1

Reviewed: https://review.openstack.org/104240
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e73f8da072cb41559ecee7f29f864a10db475444
Submitter: Jenkins
Branch: master

commit e73f8da072cb41559ecee7f29f864a10db475444
Author: Ryota MIBU <email address hidden>
Date: Thu Jul 3 00:10:32 2014 +0900

    Set vif_details to reflect enable_security_group

    While plugging vif, VIFDriver in Nova follows "ovs_hybrid_plug" and
    "port_filter" in "binding:vif_detail" which is passed from Neutron, but
    those are always true. This patch make ML2 OVS mech driver set those
    param depends on enable_security_group flag. It enables users to avoid
    ovs_hybrid plugging.

    This patch also fixes the same issue in the following plugins/drivers:
      * NEC Plugin
      * BigSwitch Plugin
      * Ryu Plugin
      * ML2 Plugin - OFAgent Mech Driver

    Closes-Bug: #1336624
    Change-Id: I2b7fb526a6f1b730ad65289307b24fd28b996e1b

Changed in neutron:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/133421
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=506bd9491837cffbdaf63843e5ec108f717588d3
Submitter: Jenkins
Branch: stable/icehouse

commit 506bd9491837cffbdaf63843e5ec108f717588d3
Author: Ryota MIBU <email address hidden>
Date: Thu Jul 3 00:10:32 2014 +0900

    Set vif_details to reflect enable_security_group

    While plugging vif, VIFDriver in Nova follows "ovs_hybrid_plug" and
    "port_filter" in "binding:vif_detail" which is passed from Neutron, but
    those are always true. This patch make ML2 OVS mech driver set those
    param depends on enable_security_group flag. It enables users to avoid
    ovs_hybrid plugging.

    This patch also fixes the same issue in the following plugins/drivers:
      * NEC Plugin
      * BigSwitch Plugin
      * Ryu Plugin
      * ML2 Plugin - OFAgent Mech Driver

    Conflicts:
     neutron/tests/unit/ml2/drivers/test_ofagent_mech.py

    Closes-Bug: #1336624
    Change-Id: I2b7fb526a6f1b730ad65289307b24fd28b996e1b
    (cherry picked from commit e73f8da072cb41559ecee7f29f864a10db475444)

tags: added: in-stable-icehouse

Reviewed: https://review.openstack.org/132759
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=08778910d1cbcd8c923a766d4b03f4d7220245c6
Submitter: Jenkins
Branch: stable/juno

commit 08778910d1cbcd8c923a766d4b03f4d7220245c6
Author: Ryota MIBU <email address hidden>
Date: Thu Jul 3 00:10:32 2014 +0900

    Set vif_details to reflect enable_security_group

    While plugging vif, VIFDriver in Nova follows "ovs_hybrid_plug" and
    "port_filter" in "binding:vif_detail" which is passed from Neutron, but
    those are always true. This patch make ML2 OVS mech driver set those
    param depends on enable_security_group flag. It enables users to avoid
    ovs_hybrid plugging.

    This patch also fixes the same issue in the following plugins/drivers:
      * NEC Plugin
      * BigSwitch Plugin
      * Ryu Plugin
      * ML2 Plugin - OFAgent Mech Driver

    Closes-Bug: #1336624
    Change-Id: I2b7fb526a6f1b730ad65289307b24fd28b996e1b
    (cherry picked from commit e73f8da072cb41559ecee7f29f864a10db475444)

tags: added: in-stable-juno
Thierry Carrez (ttx) on 2014-12-18
Changed in neutron:
status: Fix Committed → Fix Released
Kimi Zhang (kimi-zhangkai) wrote :

How about if we still want to enable security group but with firewall_driver = neutron.agent.firewall.NoopFirewallDriver on each neutron ovs agent node, and we want avoid ovs_hybrid ?

In this way, we keep "fake" security group function running for back-compatibility support for existing Heat templates, and we get rid of ovs_hybrid.

Thierry Carrez (ttx) on 2015-04-30
Changed in neutron:
milestone: kilo-1 → 2015.1.0
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers