Change default ml2 firewall driver back to iptables_hybrid

I2b564610721152c4f4dab9da79442256ba8d0b33 unexpectedly switched the default firewall driver for security groups from iptables_hybrid to openvswitch for neutron-server. (The openvswitch agent is still configured for iptables_hybrid.)

This made the openvswitch ml2 mechanism driver disable hybrid bridges in vif details unless the agent explicitly requests it. Good news is that the openvswitch agent does request hybrid bridges if its firewall driver has OVS_HYBRID_PLUG_REQUIRED set to True, which is the case for iptables_hybrid, and we still configure firewall_driver to iptables_hybrid for the agent, so it still worked out as if there was no change for the driver.

That being said, this all worked out by mere chance, and so we should not rely on it. Besides, changing default configuration to a driver that is not the default one in integrated gate unnecessarily diverges tripleo from main OpenStack components. And there is no established migration path between those drivers for brown field deployments. Long story short, TripleO should stick to neutron choices.

We could just remove the TripleO knob and allow puppet to do its job (that would pick iptables_hybrid), but it's not backwards compatible with existing users of the knob. The change doesn't remove the newly introduced option to avoid breaking templates using it, but just falls back to iptables_hybrid as default option.

Change-Id: Icf5d14f5d08973c1877c91ba12d93d4776513a08
@@ -75,7 +75,7 @@ parameters:
NeutronFirewallDriver:
description: Firewall driver for realizing neutron security group function
type: string
default: 'openvswitch'
default: 'iptables_hybrid'
NeutronOverlayIPVersion:
default: 4
description: IP version used for all overlay network endpoints.
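
Review bot: The description of NeutronFirewallDriver ("Firewall driver for realizing neutron security group function") says nothing about which values are meaningful or what changing the value implies, even though the default line is the whole point of this change. Since the commit message notes there is no established migration path between iptables_hybrid and openvswitch for existing deployments, I would extend the description to name the two drivers, say that iptables_hybrid is the default because it matches the neutron default, and warn that switching drivers on a deployed cloud is not a supported in-place change. The parameter is also a free-form `type: string`, so a typo in an environment file is only caught later by neutron; consider whether a documented list of accepted values belongs here. A release note for the default flip would help operators who deployed with the previous 'openvswitch' default and need to know whether to pin the value explicitly.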