25 lines
1.2 KiB
YAML
25 lines
1.2 KiB
YAML
---
|
|
prelude: >
|
|
Historically, Open vSwitch (OVS) could not interact directly with iptables
|
|
to implement security groups. Thus, the OVS agent and Compute service use a
|
|
Linux bridge between each instance (VM) and the OVS integration bridge
|
|
br-int to implement security groups. Now the OVS agent includes an optional
|
|
firewall driver that natively implements security groups as flows in OVS
|
|
rather than the Linux bridge device and iptables. This increases
|
|
scalability and performance.
|
|
features:
|
|
- |
|
|
You can override the default ``iptables_hybrid`` firewall driver for Open
|
|
vSwitch by setting ``neutron_firewall_driver: openvswitch``
|
|
upgrade:
|
|
- |
|
|
Introduce this feature to empty compute nodes, and migrate VMs over once
|
|
the agents have been restarted.
|
|
critical:
|
|
- |
|
|
This feature requires kernel and user space support for conntrack, thus
|
|
requiring minimum versions of the Linux kernel and Open vSwitch. All cases
|
|
require Open vSwitch version 2.5 or newer. Kernel version 4.3 or newer
|
|
includes conntrack support. Kernel version 3.3, but less than 4.3, does not
|
|
include conntrack support and requires building the OVS modules.
|