[openstack-dev] [Quantum] security groups now enforced w/devstack

Yoshihiro Kaneko ykaneko0929 at gmail.com
Fri Sep 14 10:13:07 UTC 2012


Hi Dan,

I tried it on Ubuntu 12.04. However, the VM could not obtain an IP address from
a DHCP server.
Any advice?
If more information is needed, please let me know.

$ git clone git://github.com/openstack-dev/devstack
Cloning into 'devstack'...
remote: Counting objects: 6415, done.
remote: Compressing objects: 100% (2186/2186), done.
remote: Total 6415 (delta 4352), reused 6145 (delta 4151)
Receiving objects: 100% (6415/6415), 1.10 MiB | 470 KiB/s, done.
Resolving deltas: 100% (4352/4352), done.
$ cd devstack/
$ git fetch https://review.openstack.org/openstack-dev/devstack refs/changes/50/11650/8 && git checkout FETCH_HEAD
remote: Counting objects: 5, done
remote: Finding sources: 100% (3/3)
remote: Total 3 (delta 2), reused 3 (delta 2)
Unpacking objects: 100% (3/3), done.
From https://review.openstack.org/openstack-dev/devstack
 * branch            refs/changes/50/11650/8 -> FETCH_HEAD
Note: checking out 'FETCH_HEAD'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at cea6c51... Quantum enhancements
$ vi localrc
$ cat localrc
disable_service n-net
enable_service q-svc q-agt q-dhcp q-l3 quantum

$ cp samples/local.sh .
$ ./stack.sh
<snip>
$ . ./openrc demo demo
$ nova image-list
<snip>
$ quantum net-list
<snip>
$ nova boot --flavor 6 --image 7777d0ed-294c-4634-9304-769f64a52c81 --nic net-id=c95edcb8-3df6-4e92-a367-4fce5bce6e63 vm1
<snip>
$ nova list
+--------------------------------------+------+--------+---------------+
| ID                                   | Name | Status | Networks      |
+--------------------------------------+------+--------+---------------+
| 723d76c4-4dea-4fe4-a4d8-6ca8d08bb936 | vm1  | ACTIVE | net1=10.0.0.3 |
+--------------------------------------+------+--------+---------------+
$ nova console-log vm1
<snip>
Starting network...
udhcpc (v1.18.5) started
Sending discover...
Sending discover...
Sending discover...
No lease, failing
WARN: /etc/rc3.d/S40-network failed
<snip>

$ sudo ovs-vsctl show
6d7929f6-8b09-41bc-b775-1ef50915eb7b
    Bridge br-ex
        Port "qg-8c3a652b-f1"
            Interface "qg-8c3a652b-f1"
                type: internal
        Port br-ex
            Interface br-ex
                type: internal
    Bridge br-int
        Port "tap5a418ee0-53"
            tag: 1
            Interface "tap5a418ee0-53"
                type: internal
        Port "qr-f9a49be5-c1"
            tag: 1
            Interface "qr-f9a49be5-c1"
                type: internal
        Port "qvo99eea189-fc"
            tag: 1
            Interface "qvo99eea189-fc"
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "1.4.0+build0"

$ ip netns
qrouter-aed60aac-288b-41ee-bc4a-9ed5a356a16d
qdhcp-c95edcb8-3df6-4e92-a367-4fce5bce6e63

$ ps ax|grep dnsmasq
 6107 ?        S      0:00 dnsmasq --no-hosts --no-resolv
--strict-order --bind-interfaces --interface=tap5a418ee0-53
--except-interface=lo --domain=openstacklocal
--pid-file=/opt/stack/data/dhcp/c95edcb8-3df6-4e92-a367-4fce5bce6e63/pid
--dhcp-hostsfile=/opt/stack/data/dhcp/c95edcb8-3df6-4e92-a367-4fce5bce6e63/host
--dhcp-optsfile=/opt/stack/data/dhcp/c95edcb8-3df6-4e92-a367-4fce5bce6e63/opts
--dhcp-script=/opt/stack/quantum/bin/quantum-dhcp-agent-dnsmasq-lease-update
--leasefile-ro --dhcp-range=set:tag0,10.0.0.0,static,120s
 6108 ?        S      0:00 dnsmasq --no-hosts --no-resolv
--strict-order --bind-interfaces --interface=tap5a418ee0-53
--except-interface=lo --domain=openstacklocal
--pid-file=/opt/stack/data/dhcp/c95edcb8-3df6-4e92-a367-4fce5bce6e63/pid
--dhcp-hostsfile=/opt/stack/data/dhcp/c95edcb8-3df6-4e92-a367-4fce5bce6e63/host
--dhcp-optsfile=/opt/stack/data/dhcp/c95edcb8-3df6-4e92-a367-4fce5bce6e63/opts
--dhcp-script=/opt/stack/quantum/bin/quantum-dhcp-agent-dnsmasq-lease-update
--leasefile-ro --dhcp-range=set:tag0,10.0.0.0,static,120s
28913 pts/1    S+     0:00 grep --color=auto dnsmasq


Thanks,
Kaneko

2012/9/14 Dan Wendlandt <dan at nicira.com>:
> Hi quantum hackers,
>
> We're pushing a change to devstack to use a new vif-driver for Quantum
> with Open vSwitch (https://review.openstack.org/#/c/11650/).  The
> benefit of this driver is that it is compatible with Nova's security
> group filtering.  This is "a good thing", since it more closely maps
> to how real users will deploy Quantum.
>
> However, this may catch developers by surprise who are suddenly unable
> to ping or SSH to instances because the security groups drop traffic
> by default.
>
> Preferred method of dealing with this is to add the following lines to
> local.sh in your devstack directory, which open up your VMs for ping
> and SSH for the 'demo' user:
>
> nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
> nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
>
> Another workaround is to disable nova security groups by adding
> 'LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver' to
> your localrc
>
> Dan
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Dan Wendlandt
> Nicira, Inc: www.nicira.com
> twitter: danwendlandt
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
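The two `nova secgroup-add-rule` lines Dan suggests only make sense against the default-deny posture he describes: with the new vif-driver, nothing reaches an instance unless a rule in its security group permits it. The following is an added example, not Nova's own code or anything from the devstack change under review. It models that evaluation in plain Python so the effect of a local.sh rule set can be checked before it is applied: it parses `nova secgroup-add-rule` lines of the form shown in the mail, then decides whether a constructed packet (protocol, source address, port or ICMP type/code) would be admitted. The ICMP encoding (from_port = ICMP type, to_port = ICMP code, -1 = any) and the function names `rules_from_local_sh` and `permits` are assumptions made for this model. The sample local.sh text and the test addresses (203.0.113.5, 10.0.0.7) are constructed.

```python
"""Model of Nova security-group rule evaluation (added example, not Nova's code).

Assumption: a 'nova secgroup-add-rule <group> <proto> <from> <to> <cidr>' line
means "admit ingress <proto> from <cidr> on ports <from>..<to>"; for icmp,
<from> is the ICMP type and <to> the ICMP code, with -1 meaning "any".
Everything not matched by a rule is dropped (default deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    protocol: str   # "icmp", "tcp" or "udp"
    from_port: int  # tcp/udp: first port; icmp: type (-1 = any)
    to_port: int    # tcp/udp: last port;  icmp: code (-1 = any)
    cidr: str       # source network the rule admits


def parse_secgroup_add_rule(line: str):
    """Parse one 'nova secgroup-add-rule ...' line into (group, Rule).

    Raises ValueError on anything that is not a well-formed rule line so a
    typo in local.sh surfaces here instead of silently admitting nothing.
    """
    parts = line.split()
    if len(parts) != 7 or parts[:2] != ["nova", "secgroup-add-rule"]:
        raise ValueError("not a secgroup-add-rule line: %r" % line)
    _, _, group, proto, from_port, to_port, cidr = parts
    ipaddress.ip_network(cidr, strict=False)  # validate the CIDR early
    return group, Rule(proto.lower(), int(from_port), int(to_port), cidr)


def rules_from_local_sh(text: str, group: str = "default") -> List[Rule]:
    """Collect the rules for one security group from a local.sh-style script."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("nova secgroup-add-rule"):
            continue  # comments, other commands, blank lines
        rule_group, rule = parse_secgroup_add_rule(line)
        if rule_group == group:
            rules.append(rule)
    return rules


def permits(rules: List[Rule], protocol: str, src_ip: str,
            port: Optional[int] = None,
            icmp_type: Optional[int] = None,
            icmp_code: Optional[int] = None) -> bool:
    """Default deny: a packet is admitted only if at least one rule matches."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.protocol != protocol:
            continue
        if src not in ipaddress.ip_network(r.cidr, strict=False):
            continue
        if protocol == "icmp":
            type_ok = r.from_port == -1 or r.from_port == icmp_type
            code_ok = r.to_port == -1 or r.to_port == icmp_code
            if type_ok and code_ok:
                return True
        elif port is not None and r.from_port <= port <= r.to_port:
            return True
    return False


# Constructed local.sh fragment containing the two lines from the mail.
LOCAL_SH_OPEN = """
# open ping and SSH for the demo user's instances
nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
"""

# Constructed variant: same intent, but SSH admitted only from the lab subnet.
LOCAL_SH_RESTRICTED = """
nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
nova secgroup-add-rule default tcp 22 22 10.0.0.0/24
"""

DEFAULT_RULES = rules_from_local_sh(LOCAL_SH_OPEN)
RESTRICTED_RULES = rules_from_local_sh(LOCAL_SH_RESTRICTED)


if __name__ == "__main__":
    for label, rules in (("open", DEFAULT_RULES), ("restricted", RESTRICTED_RULES)):
        print(label, "ping from 203.0.113.5:",
              permits(rules, "icmp", "203.0.113.5", icmp_type=8, icmp_code=0))
        print(label, "ssh from 203.0.113.5:",
              permits(rules, "tcp", "203.0.113.5", port=22))
        print(label, "ssh from 10.0.0.7:",
              permits(rules, "tcp", "10.0.0.7", port=22))
        print(label, "http from 10.0.0.7:",
              permits(rules, "tcp", "10.0.0.7", port=80))
```

Running the block shows why the symptom Dan describes (no ping, no SSH) appears with an empty rule list, and that the restricted variant keeps port 22 reachable from the devstack tenant network while dropping it from everywhere else; the `0.0.0.0/0` source in the mail is the convenient choice for a throwaway dev box rather than a pattern to carry into a shared deployment.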
