From eaff57bd038dd3d392e31e42d17fadaa8f8baad9 Mon Sep 17 00:00:00 2001
From: Jakub Libosvar
Date: Tue, 19 Apr 2022 15:02:08 +0000
Subject: [PATCH] [ovn][migration] Support migration to OVN from iptables firewall
Before this patch, when migrating from ML2/OVS to ML2/OVN, we removed the VIF details that are not used by OVN. However, this changes how the VIFs are plugged if the hybrid iptables firewall was used. In order to not break the migration, we want to keep whatever plugging was used in ML2/OVS. For this reason, this patch is leaving the VIF details untouched. The consequence is that, after migration, whatever workloads used the hybrid plugging will remain like that. Newly created VIFs will be plugged to the OVS bridge directly. As a result, the migration to OVN won't require moving to the OVS firewall first while in ML2/OVS. This patch is also removing the constraint that prevented the migration if the hybrid firewall was used.
Signed-off-by: Daniel Alvarez Sanchez
Change-Id: Iad4fae7af54cc502ac0ba02a911cdd4fefa13535
(cherry picked from commit 5f2eaadf40ab9d349ff2af9b0b8575bcbb4262dc)
---
neutron/plugins/ml2/drivers/ovn/db_migration.py | 10 +++++-----
.../unit/plugins/ml2/drivers/ovn/test_db_migration.py | 1 +
.../tripleo_environment/playbooks/ovn-migration.yml | 8 --------
.../roles/pre-checks/ovn-controllers/tasks/main.yml | 10 ----------
4 files changed, 6 insertions(+), 23 deletions(-)
delete mode 100644 tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/ovn-controllers/tasks/main.yml
diff --git a/neutron/plugins/ml2/drivers/ovn/db_migration.py b/neutron/plugins/ml2/drivers/ovn/db_migration.py
index 07ba29fbf58..9e8f97fe549 100644
--- a/neutron/plugins/ml2/drivers/ovn/db_migration.py
+++ b/neutron/plugins/ml2/drivers/ovn/db_migration.py
@@ -30,17 +30,17 @@ from neutron.objects import trunk as trunk_obj
 LOG = logging.getLogger(__name__)
 VIF_DETAILS_TO_REMOVE = (
- pb_api.OVS_HYBRID_PLUG,
- pb_api.VIF_DETAILS_BRIDGE_NAME)
+ pb_api.VIF_DETAILS_BRIDGE_NAME,
+)
 def migrate_neutron_database_to_ovn(plugin):
 """Change DB content from OVS to OVN mech driver.
 - Changes vxlan network type to Geneve and updates Geneve allocations.
- - Removes unnecessary settings from port binding vif details, such as
- connectivity, bridge_name and ovs_hybrid_plug, as they are not used by
- OVN.
+ - Removes bridge name from port binding vif details to support operations
+ on instances with a trunk bridge.
+ - Updates the port profile for trunk ports.
 """
 ctx = n_context.get_admin_context()
 with db_api.CONTEXT_WRITER.using(ctx) as session:
diff --git a/neutron/tests/unit/plugins/ml2/drivers/ovn/test_db_migration.py b/neutron/tests/unit/plugins/ml2/drivers/ovn/test_db_migration.py
index 0b9ad4b521d..42e26f49b08 100644
--- a/neutron/tests/unit/plugins/ml2/drivers/ovn/test_db_migration.py
+++ b/neutron/tests/unit/plugins/ml2/drivers/ovn/test_db_migration.py
@@ -152,6 +152,7 @@ class TestMigrateNeutronDatabaseToOvn(
 ]
 expected_vif_details = [
 {pb.CAP_PORT_FILTER: "true",
+ pb.OVS_HYBRID_PLUG: "true",
 pb.VIF_DETAILS_CONNECTIVITY: pb.CONNECTIVITY_L2},
 {pb.CAP_PORT_FILTER: "true"},
 {"foo": "bar"},
diff --git a/tools/ovn_migration/tripleo_environment/playbooks/ovn-migration.yml b/tools/ovn_migration/tripleo_environment/playbooks/ovn-migration.yml
index 9b504ef59c7..340daca3bc3 100644
--- a/tools/ovn_migration/tripleo_environment/playbooks/ovn-migration.yml
+++ b/tools/ovn_migration/tripleo_environment/playbooks/ovn-migration.yml
@@ -14,14 +14,6 @@
 - pre-migration
-- name: Pre migration checks in the OVN controllers
- hosts: ovn-controllers
- roles:
- - pre-checks/ovn-controllers
- tags:
- - pre-migration
-
-
 #
 # This step is executed before migration, and will backup some config
 # files related to containers before those get lost.
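Review bot: At the top of the db_migration.py hunk, `VIF_DETAILS_TO_REMOVE` now omits `pb_api.OVS_HYBRID_PLUG` on purpose, but neither the constant nor the rewritten docstring of `migrate_neutron_database_to_ovn` says the hybrid-plug flag is deliberately preserved, so a later cleanup could re-add it and change how migrated ports are plugged. I would add a comment above the tuple, `# ovs_hybrid_plug is kept on purpose: ports plugged through the hybrid iptables firewall must keep that plugging after migration`, and a docstring bullet `- Keeps ovs_hybrid_plug so existing hybrid-plugged VIFs are not re-plugged.` Because migrated ports stay on the hybrid path and the pre-migration firewall check is removed elsewhere in this patch, the docstring or a release note should also state which layer is expected to enforce security groups for those ports after the switch; that cannot be determined from the lines shown here. The function body continues outside the hunk.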
diff --git a/tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/ovn-controllers/tasks/main.yml b/tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/ovn-controllers/tasks/main.yml
deleted file mode 100644
index 7f8ebc410e9..00000000000
--- a/tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/ovn-controllers/tasks/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- name: Read OVS configuration file and extract "firewall_driver" variable.
- set_fact:
- firewall_driver: "{{ lookup('ini', 'firewall_driver section=securitygroup file=/var/lib/config-data/puppet-generated/neutron/etc/neutron/plugins/ml2/openvswitch_agent.ini', allow_no_value=True) }}"
-
-- name: Check OVS agent firewall is not using "iptables_hybrid" option
- assert:
- that:
- - "'iptables_hybrid' != firewall_driver"
- fail_msg: "OVS agent firewall cannot be 'iptables_hybrid', migration will not continue"