Merge "Allow overriding firewall_driver for ovs"

2021-01-19 19:58:36 +00:00 · 2021-01-19 19:58:36 +00:00 · c1089ad3e1
commit c1089ad3e1
parent 4f327cf5b1 5dddaa2cfa
2 changed files with 26 additions and 2 deletions
--- a/releasenotes/notes/override-ovs-firewall-driver-0ba4dee50aff725c.yaml
+++ b/releasenotes/notes/override-ovs-firewall-driver-0ba4dee50aff725c.yaml
@ -0,0 +1,24 @@
+---
+prelude: >
+    Historically, Open vSwitch (OVS) could not interact directly with iptables
+    to implement security groups. Thus, the OVS agent and Compute service use a
+    Linux bridge between each instance (VM) and the OVS integration bridge
+    br-int to implement security groups. Now the OVS agent includes an optional
+    firewall driver that natively implements security groups as flows in OVS
+    rather than the Linux bridge device and iptables. This increases
+    scalability and performance.
+features:
+  - |
+    You can override the default ``iptables_hybrid`` firewall driver for Open
+    vSwitch by setting ``neutron_firewall_driver: openvswitch``
+upgrade:
+  - |
+    Introduce this feature to empty compute nodes, and migrate VMs over once
+    the agents have been restarted.
+critical:
+  - |
+    This feature requires kernel and user space support for conntrack, thus
+    requiring minimum versions of the Linux kernel and Open vSwitch. All cases
+    require Open vSwitch version 2.5 or newer. Kernel version 4.3 or newer
+    includes conntrack support. Kernel version 3.3, but less than 4.3, does not
+    include conntrack support and requires building the OVS modules.
--- a/vars/main.yml
+++ b/vars/main.yml
@ -161,7 +161,7 @@ neutron_plugins:
    plugin_core: ml2
    plugin_ini: plugins/ml2/ml2_conf.ini
  ml2.ovs:
-    driver_firewall: iptables_hybrid
+    driver_firewall: "{{ neutron_firewall_driver | default('iptables_hybrid') }}"
    driver_interface: openvswitch
    drivers_type: "{{ neutron_ml2_drivers_type }}"
    l2_population: "{{ neutron_l2_population }}"
@ -171,7 +171,7 @@ neutron_plugins:
    plugin_core: ml2
    plugin_ini: plugins/ml2/ml2_conf.ini
  ml2.ovs.dvr:
-    driver_firewall: iptables_hybrid
+    driver_firewall: "{{ neutron_firewall_driver | default('iptables_hybrid') }}"
    driver_interface: openvswitch
    drivers_type: "{{ neutron_ml2_drivers_type }}"
    l2_population: "{{ neutron_l2_population }}"