[ovn][migration] Support migration to OVN from iptables firewall

Before this patch, when migrating from ML2/OVS to ML2/OVN, we removed the VIF details that are not used by OVN. However, this changes how the VIFs are plugged if the hybrid iptables firewall was used. In order to not break the migration, we want to keep whatever plugging was used in ML2/OVS. For this reason, this patch is leaving the VIF details untouched. The consequence is that, after migration, whatever workloads used the hybrid plugging will remain like that. Newly created VIFs will be plugged to the OVS bridge directly. As a result, the migration to OVN won't require moving to the OVS firewall first while in ML2/OVS. This patch is also removing the constraint that prevented the migration if the hybrid firewall was used. Signed-off-by: Daniel Alvarez Sanchez <dalvarez@redhat.com> Change-Id: Iad4fae7af54cc502ac0ba02a911cdd4fefa13535
2022-04-19 15:02:08 +00:00 · 2022-04-19 15:02:08 +00:00 · 5f2eaadf40
commit 5f2eaadf40
parent 1a111b5e04
4 changed files with 6 additions and 23 deletions
--- a/neutron/plugins/ml2/drivers/ovn/db_migration.py
+++ b/neutron/plugins/ml2/drivers/ovn/db_migration.py
@ -30,17 +30,17 @@ from neutron.objects import trunk as trunk_obj
 LOG = logging.getLogger(__name__)

 VIF_DETAILS_TO_REMOVE = (
-    pb_api.OVS_HYBRID_PLUG,
-    pb_api.VIF_DETAILS_BRIDGE_NAME)
+    pb_api.VIF_DETAILS_BRIDGE_NAME,
+)


 def migrate_neutron_database_to_ovn():
    """Change DB content from OVS to OVN mech driver.

     - Changes vxlan network type to Geneve and updates Geneve allocations.
-     - Removes unnecessary settings from port binding vif details, such as
-       connectivity, bridge_name and ovs_hybrid_plug, as they are not used by
-       OVN.
+     - Removes bridge name from port binding vif details to support operations
+       on instances with a trunk bridge.
+     - Updates the port profile for trunk ports.
    """
    ctx = n_context.get_admin_context()
    with db_api.CONTEXT_WRITER.using(ctx) as session:
--- a/neutron/tests/unit/plugins/ml2/drivers/ovn/test_db_migration.py
+++ b/neutron/tests/unit/plugins/ml2/drivers/ovn/test_db_migration.py
@ -152,6 +152,7 @@ class TestMigrateNeutronDatabaseToOvn(
        ]
        expected_vif_details = [
            {pb.CAP_PORT_FILTER: "true",
+             pb.OVS_HYBRID_PLUG: "true",
             pb.VIF_DETAILS_CONNECTIVITY: pb.CONNECTIVITY_L2},
            {pb.CAP_PORT_FILTER: "true"},
            {"foo": "bar"},
--- a/tools/ovn_migration/tripleo_environment/playbooks/ovn-migration.yml
+++ b/tools/ovn_migration/tripleo_environment/playbooks/ovn-migration.yml
@ -14,14 +14,6 @@
    - pre-migration


- name: Pre migration checks in the OVN controllers
-  hosts: ovn-controllers
-  roles:
-    - pre-checks/ovn-controllers
-  tags:
-    - pre-migration
-
-
 #
 # This step is executed before migration, and will backup some config
 # files related to containers before those get lost.
--- a/tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/ovn-controllers/tasks/main.yml
+++ b/tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/ovn-controllers/tasks/main.yml
@ -1,10 +0,0 @@
---
- name: Read OVS configuration file and extract "firewall_driver" variable.
-  set_fact:
-    firewall_driver: "{{ lookup('ini', 'firewall_driver section=securitygroup file=/var/lib/config-data/puppet-generated/neutron/etc/neutron/plugins/ml2/openvswitch_agent.ini', allow_no_value=True) }}"
-
- name: Check OVS agent firewall is not using "iptables_hybrid" option
-  assert:
-    that:
-      - "'iptables_hybrid' != firewall_driver"
-    fail_msg: "OVS agent firewall cannot be 'iptables_hybrid', migration will not continue"