Ask Your Question
1

No flat network connectivity after icehouse upgrade

asked 2014-07-24 10:13:52 -0500

svij gravatar image

We just did an upgrade from havana to icehouse and we have some network connectivity issues.

In Havana we used OVS Neutron Plugin, which we replaced by ML2 Plugin.

Our current (and old) setup is a flat network, so we don't use a L3-Agent or dhcp-agent.

Our old instances, which we created on havana are still working perfectly, no issues there. We only have a problem on newly created instances. They don't get a connection to the external network (flat network).

We recognized a difference between havana and icehouse instances network connection. The old havana instances are directly connected with the tap devices to br-int. The other new icehouse instances are indirectly connected via linuxbridge (qbr) and veth-pair (qvo,qvb) to br-int.

Example part of libvirt.xml of a havana instance, with working network connection:

<interface type="bridge">
  <mac address="fa:16:3e:c4:6b:25"/>
  <model type="virtio"/>
  <source bridge="br-int"/>
  <target dev="tap9dbf7095-1b"/>
  <virtualport type="openvswitch">
    <parameters interfaceid="9dbf7095-1b21-4f93-967b-7b3e7ab83b5c"/>
  </virtualport>
</interface>

Example part of libvirt.xml of an icehouse instance, without a working network connection:

 <interface type="bridge">
  <mac address="fa:16:3e:09:6e:25"/>
  <model type="virtio"/>
  <source bridge="qbr8de8dba3-01"/>
  <target dev="tap8de8dba3-01"/>
</interface>

As you see, the above interface has a virtualport to directly connect to br-int, the other one doesn't have that and connects to a linuxbridge (qbr) which is connected to a veth-par (qvo,qvb) to br-int.

Additionally the ml2_port_bindings in the database are different between icehouse and havana instances. All new Icehouse instaces have "vif_details" with following content: "{"port_filter": true, "ovs_hybrid_plug": true}". Havana instances vif_details are all empty.

These are my config files:

Current and old nova.conf: http://paste.openstack.org/show/UeoQskenn1TwzpR0ca5i/ (http://paste.openstack.org/show/UeoQs...)

Current icehouse neutron.conf: http://paste.openstack.org/show/87958/

Old havana neutron.conf: http://paste.openstack.org/show/QFHSfppyQAH9Tf3zwrZe/ (http://paste.openstack.org/show/QFHSf...)

Old havana ovs_neutron_plugin.ini: http://paste.openstack.org/show/SdAebmHmpqn1dpPJ9d5y/ (http://paste.openstack.org/show/SdAeb...)

Current icehouse ml2_conf.ini: http://paste.openstack.org/show/FaEMQnuWdwer1IEn5QKW/ (http://paste.openstack.org/show/FaEMQ...)

ovs-vsctl show: http://paste.openstack.org/show/dOoVVFFF84lxmjubo7Gl/ (http://paste.openstack.org/show/dOoVV...)

# brctl show
bridge name     bridge id               STP enabled     interfaces
qbr8de8dba3-01          8000.d6df6e76d362       no              qvb8de8dba3-01
                                                        tap8de8dba3-01

Any suggestions, where the error is? There are no errors in the log files…

Thanks for helping!

edit retag flag offensive close merge delete

Comments

darragh-oreilly gravatar imagedarragh-oreilly ( 2014-07-24 12:59:27 -0500 )edit

Hi darragh-oreilly, thanks for your help. Actually this didn't help. I've patched the file here on my machines, but there were no differences in vif_details. Anyway, your answer helped me to look into the firewall issue. See my answer how I corrected it. Thanks!

svij gravatar imagesvij ( 2014-07-25 04:14:20 -0500 )edit

1 answer

Sort by » oldest newest most voted
0

answered 2014-07-25 04:09:59 -0500

svij gravatar image

We've just found the issue:

We completely disabled the firewall feature in nova and neutron. I commented out the "security-group_api=neutron" line in nova.conf and additionally changed both lines in [securitygroup] in ml2_conf.ini to:

firewall_driver = neutron.agent.firewall.NoopFirewallDriver
enable_security_group = False

I'm not sure why the security groups didn't work, but atleast we don't use the security group feature.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-07-24 10:13:52 -0500

Seen: 259 times

Last updated: Jul 25 '14