[openstack-dev] [Quantum] security groups now enforced w/devstack

Dan Wendlandt dan at nicira.com
Thu Sep 13 21:10:43 UTC 2012


Hi quantum hackers,

We're pushing a change to devstack to use a new vif-driver for Quantum
with Open vSwitch (https://review.openstack.org/#/c/11650/).  The
benefit of this driver is that it is compatible with Nova's security
group filtering.  This is "a good thing", since it more closely maps
to how real users will deploy Quantum.

However, this may catch developers by surprise who are suddenly unable
to ping or SSH to instances because the security groups drop traffic
by default.

The preferred method of dealing with this is to add the following lines to
local.sh in your devstack directory, which open up your VMs for ping
and SSH for the 'demo' user:

nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
nova secgroup-add-rule default tcp 22 22 0.0.0.0/0

Another workaround is to disable nova security groups by adding
'LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver' to
your localrc.

Dan





-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dan Wendlandt
Nicira, Inc: www.nicira.com
twitter: danwendlandt
~~~~~~~~~~~~~~~~~~~~~~~~~~~
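
An added example, not part of the original message or of devstack: a local.sh fragment that applies the two rules from the message only when they are not already listed, and lets the source range be narrowed from 0.0.0.0/0. The function names and the ALLOW_CIDR and SECGROUP variables are hypothetical, and the pipe-delimited table layout of `nova secgroup-list-rules` is an assumption.

```shell
#!/usr/bin/env bash
# Added example for devstack's local.sh; not from the original message.
# Assumes credentials for the 'demo' user are already in the environment.
# Assumption: `nova secgroup-list-rules GROUP` prints a table whose rows are
#   | IP Protocol | From Port | To Port | IP Range | Source Group |

# Hypothetical knobs: the message opens 0.0.0.0/0; narrow it here if wanted.
ALLOW_CIDR=${ALLOW_CIDR:-0.0.0.0/0}
SECGROUP=${SECGROUP:-default}

# rule_exists GROUP PROTO FROM TO CIDR -> status 0 if an identical rule is listed
rule_exists() {
    nova secgroup-list-rules "$1" 2>/dev/null | awk -F'|' \
        -v p="$2" -v f="$3" -v t="$4" -v c="$5" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF >= 5 && trim($2) == p && trim($3) == f &&
            trim($4) == t && trim($5) == c { found = 1 }
        END { exit !found }'
}

# ensure_rule GROUP PROTO FROM TO CIDR -> add the rule only when it is missing
ensure_rule() {
    if rule_exists "$@"; then
        echo "secgroup $1: $2 $3-$4 from $5 already present"
        return 0
    fi
    nova secgroup-add-rule "$1" "$2" "$3" "$4" "$5" >/dev/null
    echo "secgroup $1: added $2 $3-$4 from $5"
}

# The same two rules as in the message: ICMP (ping) and TCP/22 (SSH).
open_ping_and_ssh() {
    ensure_rule "$SECGROUP" icmp -1 -1 "$ALLOW_CIDR" &&
    ensure_rule "$SECGROUP" tcp 22 22 "$ALLOW_CIDR"
}

# Run only where the nova client is installed (i.e. inside a devstack host).
if command -v nova >/dev/null 2>&1; then
    open_ping_and_ssh
fi
```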


