openstack/openstack-ansible-os_neutron
Code Issues Proposed changes

Merge "Allow overriding firewall_driver for ovs"

Browse Source
This commit is contained in:
Zuul 2021-01-19 19:58:36 +00:00 committed by Gerrit Code Review
commit c1089ad3e1
2 changed files with 26 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
releasenotes/notes/override-ovs-firewall-driver-0ba4dee50aff725c.yaml Normal file
View File

@ -0,0 +1,24 @@
---
prelude: >
Historically, Open vSwitch (OVS) could not interact directly with iptables
to implement security groups. Thus, the OVS agent and Compute service use a
Linux bridge between each instance (VM) and the OVS integration bridge
br-int to implement security groups. Now the OVS agent includes an optional
firewall driver that natively implements security groups as flows in OVS
rather than the Linux bridge device and iptables. This increases
scalability and performance.
features:
- |
You can override the default ``iptables_hybrid`` firewall driver for Open
vSwitch by setting ``neutron_firewall_driver: openvswitch``
upgrade:
- |
Introduce this feature to empty compute nodes, and migrate VMs over once
the agents have been restarted.
critical:
- |
This feature requires kernel and user space support for conntrack, thus
requiring minimum versions of the Linux kernel and Open vSwitch. All cases
require Open vSwitch version 2.5 or newer. Kernel version 4.3 or newer
includes conntrack support. Kernel version 3.3, but less than 4.3, does not
include conntrack support and requires building the OVS modules.

4
vars/main.yml
View File

@ -161,7 +161,7 @@ neutron_plugins:
plugin_core: ml2 plugin_core: ml2
plugin_ini: plugins/ml2/ml2_conf.ini plugin_ini: plugins/ml2/ml2_conf.ini
ml2.ovs: ml2.ovs:
driver_firewall: iptables_hybrid driver_firewall: "{{ neutron_firewall_driver | default('iptables_hybrid') }}"
driver_interface: openvswitch driver_interface: openvswitch
drivers_type: "{{ neutron_ml2_drivers_type }}" drivers_type: "{{ neutron_ml2_drivers_type }}"
l2_population: "{{ neutron_l2_population }}" l2_population: "{{ neutron_l2_population }}"
@ -171,7 +171,7 @@ neutron_plugins:
plugin_core: ml2 plugin_core: ml2
plugin_ini: plugins/ml2/ml2_conf.ini plugin_ini: plugins/ml2/ml2_conf.ini
ml2.ovs.dvr: ml2.ovs.dvr:
driver_firewall: iptables_hybrid driver_firewall: "{{ neutron_firewall_driver | default('iptables_hybrid') }}"
driver_interface: openvswitch driver_interface: openvswitch
drivers_type: "{{ neutron_ml2_drivers_type }}" drivers_type: "{{ neutron_ml2_drivers_type }}"
l2_population: "{{ neutron_l2_population }}" l2_population: "{{ neutron_l2_population }}"