Ask Your Question

Linux bridges between OVS & instance not needed anymore?(havana-3)

asked 2014-03-02 09:28:53 -0500

sebastian gravatar image

While doing packstack allinone I spotted that linux bridges are missing and instance is being connected directly to OVS. Looking at the code in ( we can find:

# Since libvirt 0.9.11, <interface type='bridge'>
# supports OpenVSwitch natively.

I'm wondering about two things: 1. shall we log a bug in openstack networking documentation ( which says that:

Security groups: iptables and Linux bridges

Ideally, the TAP device vnet0 would be connected directly to the integration bridge, br-int. Unfortunately, this isn't possible because of how OpenStack security groups are currently implemented. OpenStack uses iptables rules on the TAP devices such as vnet0 to implement security groups, and Open vSwitch is not compatible with iptables rules that are applied directly on TAP devices that are connected to an Open vSwitch port.

Networking uses an extra Linux bridge and a veth pair as a workaround for this issue. Instead of connecting vnet0 to an Open vSwitch bridge, it is connected to a Linux bridge, qbrXXX. This bridge is connected to the integration bridge, br-int, through the (qvbXXX, qvoXXX) veth pair.

as it looks like this is no longer a case

  1. Where we can find packstack release notes - to see in which release libvirt was changed - as I remember that when I was installing RDO 2-3 months ago (allinone) - I had linux bridges between OVS & instance. So it looks like libvirt was changed.


edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2014-04-03 20:26:26 -0500

larsks gravatar image

updated 2014-04-03 20:26:42 -0500

Where we can find packstack release notes - to see in which release libvirt was changed

Packstack has nothing to do with which version of libvirt is installed on your system; packstack just asks for the libvirt package and gets whatever yum believes is the latest. If you want to know about libvirt, you can run rpm -q --changelog libvirt to get the package changelog, or you can check out the source from and browse the git changelog.

shall we log a bug in openstack networking documentation ...

The fact that libvirt natively supports OVS bridges does not have any impact on the use of Linux bridge devices to support security groups. This was due to a Linux kernel limitation that did not permit iptables rules to be associated directly with OVS interfaces.

I don't know whether or not this limitation still exists, but this is a separate issue from libvirt's support of OVS interfaces.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2014-03-02 09:28:53 -0500

Seen: 369 times

Last updated: Apr 03 '14