firewall_driver = openvswitch

asked 2016-11-01 19:07:22 -0500

eyeofthebeholder

updated 2016-11-04 15:48:07 -0500

rbowen

Setup:

OpenStack version: Mitaka, OVS version: 2.60

I'm trying to set our firewall driver to be openvswitch by modifying these parameters:

vim /etc/neutron/plugins/ml2/openvswitch_agent.ini
[securitygroup]
firewall_driver = openvswitch

After successfully restarting the Openvswitch service, I don't see the flows I would expect on br-int... After looking in /var/log/neutron/openvswitch-agent.log, I see that it tries to add the respective security-group flows, but can't:

ERROR neutron.agent.common.ovs_lib [req-1ba2a804-69de-4d19-8acc-a1afa7bfe846 - - - - -] Unable to execute ['ovs-ofctl', 'add-flows', 'br-int', '-']. Exception: Exit code: 1; Stdin: hard_timeout=0,idle_timeout=0,priority=100,table=0,cookie=11220059674139377154,in_port=8,actions=set_field:8->reg5,set_field:1->reg6,resubmit(,71)
hard_timeout=0,idle_timeout=0,priority=90,table=0,dl_dst=fa:16:3e:c3:9a:2d,cookie=11220059674139377154,actions=set_field:8->reg5,set_field:1->reg6,resubmit(,81)
(many flows follow these)

Any idea why this might be happening?

Thanks in advance!


Comments

I try to use the native openvswitch firewall too but I can't (on the Newton release). Everything runs without error but the agent never creates the vxlan tunnels on br-tun.

tze (2017-01-14 09:54:03 -0500)

I have this exact same problem. Did you find a solution? I get it when I attempt to spin up an instance. However, I also have a DHCP running on the same host which is pingable from the controller, so openvswitch isn't totally broken.

dodizzle (2017-05-11 17:33:31 -0500)

Okay, after searching around I found this bug, which has been fixed: https://bugs.launchpad.net/neutron/+bug/1642223 However, neutron 9.3.0 isn't currently available for Ubuntu. Guess I'll have to use the iptables_hybrid firewall_driver instead.

dodizzle (2017-05-11 18:08:41 -0500)