| *** yamamoto_ has joined #openstack-fwaas | 05:24 | |
| *** yamamoto has quit IRC | 05:27 | |
| *** irclogbot_3 has quit IRC | 05:30 | |
| *** irclogbot_3 has joined #openstack-fwaas | 05:31 | |
| *** threestrands has joined #openstack-fwaas | 06:27 | |
| openstackgerrit | Slawek Kaplonski proposed openstack/neutron-fwaas master: Switch legacy-neutron-fwaas-v2-dsvm-tempest job to python3 https://review.opendev.org/666165 | 06:34 |
|---|---|---|
| *** yamamoto_ has quit IRC | 07:54 | |
| *** trident has quit IRC | 07:57 | |
| *** threestrands has quit IRC | 07:59 | |
| *** trident has joined #openstack-fwaas | 08:01 | |
| *** yamamoto has joined #openstack-fwaas | 08:18 | |
| *** yamamoto has quit IRC | 08:29 | |
| *** yamamoto has joined #openstack-fwaas | 08:32 | |
| *** yamamoto has quit IRC | 08:32 | |
| CeeMac | hi fwaas team, is anyone online? | 09:06 |
| CeeMac | amotoki: jhesketh: trident: are any of you free to help with a config issue? | 09:07 |
| *** yamamoto has joined #openstack-fwaas | 09:48 | |
| *** yamamoto has quit IRC | 09:57 | |
| *** yamamoto has joined #openstack-fwaas | 10:29 | |
| *** njohnston has joined #openstack-fwaas | 11:12 | |
| *** yamamoto has quit IRC | 11:57 | |
| *** yamamoto has joined #openstack-fwaas | 12:41 | |
| CeeMac | njohnston: are you about? | 14:31 |
| *** yamamoto has quit IRC | 15:15 | |
| openstackgerrit | Slawek Kaplonski proposed openstack/neutron-fwaas master: Switch legacy-neutron-fwaas-v2-dsvm-tempest job to python3 https://review.opendev.org/666165 | 16:53 |
| *** trident has quit IRC | 17:02 | |
| *** trident has joined #openstack-fwaas | 17:04 | |
| njohnston | CeeMac: Hi! Sprry I missed you yesterday. How can I help? | 17:36 |
| CeeMac | Hi njohnston , no worries I'm sure your a busy man :) just wondering if you could take a quick look at my config issue http://paste.openstack.org/show/753144 | 17:42 |
| CeeMac | njohnston: I'm running rocky with neutron ovs implementation | 17:43 |
| njohnston | CeeMac: sure, checking it out | 17:43 |
| CeeMac | Thanks | 17:43 |
| openstackgerrit | Slawek Kaplonski proposed openstack/neutron-fwaas master: Switch legacy-neutron-fwaas-v2-dsvm-tempest job to python3 https://review.opendev.org/666165 | 17:44 |
| CeeMac | I just can't quite put the pieces together | 17:44 |
| njohnston | CeeMac: I'll fire a series of questions at you. | 17:45 |
| CeeMac | I've had to remove it from the env as were due to go into production but I'll be reworking my dev env soon to ovs and it would be great to understand which configs I need to change | 17:45 |
| CeeMac | Sure | 17:46 |
| njohnston | Do you have "service_plugins = firewall_v2" in /etc/neutron/neutron.conf? | 17:46 |
| CeeMac | Yes | 17:46 |
| njohnston | ok, that was not in your paste, only the "service_provider" line was | 17:47 |
| njohnston | do you have a "[fwaas]" section in /etc/neutron/neutron.conf? | 17:47 |
| CeeMac | Sorry, I missed that bit. [fwaas] is in l3_agent.ini in my deployment (using openstack-ansible to deploy) | 17:53 |
| CeeMac | Looked at changing it but wasn't sure if it would need to be in neutron.conf just on neutron-server or in all network and conpute nodes too | 17:54 |
| CeeMac | It does work in that all the services are running and the dashboard is present, I just get the error in the paste if I try and attach a port | 17:55 |
| CeeMac | njohnston: I tried changing the settings as per the scenario for rocky with the hybrid provider but neutron-server looped errors with no service provider loaded. | 18:22 |
| njohnston | CeeMac: What I am noticing as I read the scenario doc is that mismatched configs are specified: OVS firewall in "service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default" | 18:36 |
| njohnston | but iptables firewall in "driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver" | 18:36 |
| njohnston | IIRC you would prefer OVS FW for all, correct CeeMac? | 18:36 |
| CeeMac | njohnston: correct, does it nee to match up with the security group driver too? | 18:37 |
| CeeMac | I also got confused with the L2 firewall driver elements when digging in to the module specs | 18:37 |
| CeeMac | s/nee/need | 18:38 |
| openstackgerrit | Slawek Kaplonski proposed openstack/neutron-fwaas master: Switch legacy-neutron-fwaas-v2-dsvm-tempest job to python3 https://review.opendev.org/666165 | 18:41 |
| njohnston | it all needs to match, you cannot do L3 security with one and L2 with the other | 18:41 |
| CeeMac | security group is openvswitch currently | 18:42 |
| njohnston | so service_provider should = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall:default | 18:43 |
| njohnston | and in the [fwaas] section "driver" should = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall:OVSFirewallDriver | 18:44 |
| njohnston | sorry service_provider should = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall:OVSFirewallDriver:default | 18:44 |
| njohnston | (missed part of it in the copy and paste there) | 18:44 |
| njohnston | no thats not right either | 18:46 |
| CeeMac | njohnston: actually, it looks like the security group firewall_driver = iptables_hybrid | 18:48 |
| CeeMac | Presumably that should be openvswitch? | 18:50 |
| njohnston | CeeMac: https://docs.openstack.org/releasenotes/neutron-fwaas/queens.html#known-issues | 18:51 |
| njohnston | CeeMac: That link addresses that question as well as others I think you had about interoperability with SG | 18:52 |
| CeeMac | Yeah I saw that earlier and I couldn't quite make sense of it. Think my brain was in knots. Incidentally I tried ovs as firewall driver and neutron-server borked | 18:53 |
| CeeMac | njohnston: if you wouldn't mind could you do me a quick paste with the correct config in so I can keep a record for when I get back in the office tomorrow? | 18:54 |
| CeeMac | njohnston: alternatively, is there a fallback option of iptables for both SG and FWaaS? | 18:56 |
| njohnston | I need to see if I can come up with a working example, can I email you CeeMac? | 19:47 |
| CeeMac | Sure, I'll dm you my address, if you could manage an example for both iptables and ovs options that would be amazing, then I can propose a patch to OSA with the working settings | 20:06 |
| openstackgerrit | Slawek Kaplonski proposed openstack/neutron-fwaas master: Switch legacy-neutron-fwaas-v2-dsvm-tempest job to python3 https://review.opendev.org/666165 | 21:14 |
| *** yamamoto has joined #openstack-fwaas | 21:51 | |
| *** yamamoto has quit IRC | 21:56 | |
| *** yamamoto has joined #openstack-fwaas | 23:53 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!