Ask Your Question
1

Security groups and OVS

asked 2014-07-07 05:21:03 -0500

Krist gravatar image

In Havana the use of LibvirtHybridOVSBridgeDriver has been deprecated. However it is needed for security groups to function.

So on our stack I made the following changes In nova.conf 

libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver

And I enabled ipfiltering on the bridge:

sysctl -w net.bridge.bridge-nf-call-iptables = 1

This makes security groups work again, however this comes with a rather hefty performance penalty.

I have therefore two questions: - How can I mitigate this performance problem? - If using LibvritHybridOVSBridge is deprecated, what should I actually use in stead?

edit retag flag offensive close merge delete

Comments

Will this make security groups work again? And how do I configure ML2 on Havana? Documentation for Havana asumes you're using OVS...

Krist gravatar imageKrist ( 2014-07-08 03:37:33 -0500 )edit
add a comment

1 answer

Sort by ยป oldest newest most voted
1

answered 2014-07-07 09:00:30 -0500

SGPJ gravatar image

You can use ML2 and for security Fwaas.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2014-07-07 05:21:03 -0500

Seen: 83 times

Last updated: Jul 07 '14

Related questions

Unable to launch VM - nova.openstack.common.rpc.amqp ValueError: too many values to unpack [closed]

How can I fix a compute node network problem, in a Fedora 19 Havana 1 controller/1 compute node setup, 3 NIC's per server, using Neutron OVS vlans, built with packstack? [closed]

havana icehouse neutron db migration

Only one (stats) tab on Ceilometer Resource Usage

why is the cinder-volume service down ?

Is it possible to 'vpn' into a neutron network?

DHCP problem

dhcp agent issue when working with ovs vxlan

TripleO lbaas

Adding additional NAT rule on neutron-l3-agent