[openstack-dev] Reg Neutron security groups in Havana

Kanthi P pavuluri.kanthi at gmail.com
Thu Nov 7 11:20:06 UTC 2013


I am trying to boot a VM which has a network without a subnet in Havana, but
it throws an exception saying that a subnet is mandatory if quantum security
groups are enabled.

Here are the commands I used.

neutron net-create testNet
[lcc at lcc devstack]$ neutron net-show testNet
| Field                     | Value                                |
| admin_state_up            | True                                 |
| id                        | 47208beb-2801-4729-bc7b-6532717232fc |
| name                      | testNet                              |
| provider:network_type     | local                                |
| provider:physical_network |                                      |
| provider:segmentation_id  |                                      |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | b5b591dcda2645cd9d15a4fe3eb1b50d     |

nova boot --flavor 2 --image 30c1984c-8a4f-4e3f-8c9a-7de0b321caa2 --nic net-id=47208beb-2801-4729-bc7b-6532717232fc testServer1

Here is the piece of code which generated this exception:


            if (security_groups and not (
                    and network.get('port_security_enabled', True))):

                raise exception.SecurityGroupCannotBeApplied()

Can someone please explain why we need this check?

To my understanding, a subnet is used for two purposes in terms of security:
1. To allow DHCP traffic if DHCP is enabled on the subnet, for example:
        -A quantum-openvswi-i7bf776d2-b -s -p udp -m udp --sport 67 --dport 68 -j RETURN
2. To avoid IP spoofing:
        -A quantum-openvswi-o7bf776d2-b ! -s -j DROP

Can we remove this so that we can have guests whose NIC has just a MAC
address, and the guest can configure its own IP address? Later, if needed, they can
enable their own security rules via the quantum API.
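As an added illustration (not the poster's code, and not Nova's or Neutron's), the following Python models the quoted check together with the two kinds of per-port iptables rules the post describes, and shows what happens to them on a network with no subnet. The network dicts, port id and addresses are constructed, and the DHCP server address passed to dhcp_rule is an assumed parameter standing in for the source that the first quoted rule omits.

```python
# Added illustration, not code from Nova or Neutron: it models the quoted Nova
# condition and the two kinds of per-port iptables rules the post describes.
# Chain names follow the quantum-openvswi-i<id> / -o<id> pattern from the post;
# every network dict, port id and address below is a constructed sample value.

def security_groups_applicable(network, security_groups):
    """Same condition as the quoted check: if security groups are requested,
    the network needs a subnet and port security must not be disabled
    (port_security_enabled defaults to True when the key is absent)."""
    if not security_groups:
        return True
    return bool(network.get("subnets")) and network.get("port_security_enabled", True)

def dhcp_rule(port_id, dhcp_server_ip):
    """Ingress rule admitting DHCP replies (udp 67 -> 68) from the subnet's
    DHCP server; the server address is an assumed parameter here."""
    return ("-A quantum-openvswi-i%s -s %s -p udp -m udp --sport 67 --dport 68 -j RETURN"
            % (port_id[:10], dhcp_server_ip))

def anti_spoof_rules(port_id, fixed_ips):
    """Egress rules dropping traffic not sourced from the port's fixed IPs.
    Generalises the quoted single-address '! -s <ip> -j DROP' form to any
    number of addresses (RETURN each, then DROP). With no fixed IP, as on a
    subnet-less network, there is no address to anchor the check on, so the
    function returns [] rather than an unconditional DROP."""
    if not fixed_ips:
        return []
    chain = "quantum-openvswi-o%s" % port_id[:10]
    rules = ["-A %s -s %s/32 -j RETURN" % (chain, ip) for ip in fixed_ips]
    rules.append("-A %s -j DROP" % chain)
    return rules

def port_rules(port_id, fixed_ips, dhcp_server_ip=None):
    """All rules for one port: DHCP allow (if the subnet runs DHCP) plus anti-spoof."""
    rules = [dhcp_rule(port_id, dhcp_server_ip)] if dhcp_server_ip else []
    rules.extend(anti_spoof_rules(port_id, fixed_ips))
    return rules

if __name__ == "__main__":
    no_subnet = {"subnets": [], "port_security_enabled": True}   # like testNet above
    with_subnet = {"subnets": ["constructed-subnet-id"]}
    print(security_groups_applicable(no_subnet, ["default"]))    # False -> would raise
    print(security_groups_applicable(with_subnet, ["default"]))  # True
    for rule in port_rules("7bf776d2-b000-4000-8000-000000000000", ["10.0.0.5"], "10.0.0.2"):
        print(rule)
```

Running it shows the subnet-less network failing the check while the anti-spoof rule set for a port without a fixed IP comes out empty, which is the gap the check guards against under the poster's reading.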