[openstack-dev] [Openstack-security] Neutron security groups for L2 networks in Havana

Aaron Rosen arosen at nicira.com
Fri Nov 8 07:42:50 UTC 2013


On Thu, Nov 7, 2013 at 12:23 PM, Kanthi P <pavuluri.kanthi at gmail.com> wrote:

> Hi,
>
> I am trying to boot a VM which has a network without subnet in Havana, but
> it throws an exception saying that subnet is mandatory if quantum security
> groups are enabled.
>
> Here are the commands I used.
>
> neutron net-create testNet
> neutron net-show testNet
> +---------------------------+--------------------------------------+
> | Field                     | Value                                |
> +---------------------------+--------------------------------------+
> | admin_state_up            | True                                 |
> | id                        | 47208beb-2801-4729-bc7b-6532717232fc |
> | name                      | testNet                              |
> | provider:network_type     | local                                |
> | provider:physical_network |                                      |
> | provider:segmentation_id  |                                      |
> | router:external           | False                                |
> | shared                    | False                                |
> | status                    | ACTIVE                               |
> | subnets                   |                                      |
> | tenant_id                 | b5b591dcda2645cd9d15a4fe3eb1b50d     |
> +---------------------------+--------------------------------------+
>
> nova boot --flavor 2 --image 30c1984c-8a4f-4e3f-8c9a-7de0b321caa2 --nic
> net-id=47208beb-2801-4729-bc7b-6532717232fc testServer1
>
> Here is the piece of code which generated this exception
>
> nova/network/neutronv2/api.py
>
>             if (security_groups and not (
>                     network['subnets']
>                     and network.get('port_security_enabled', True))):
>
>                 raise exception.SecurityGroupCannotBeApplied()
>
>
> Can someone please explain why do we need this check?
>

Hi Kanthi,

We need this check because in order to enforce security groups the
port needs to have an ip_address (i.e: network needs a subnet) since
Security groups only map to L3/4 headers. Today, nova automatically adds a
default security group to all instances when booted. Hopefully we can punt
this task off to neutron in this release by moving the port-creation up on
the stack to nova-api instead of nova-compute though this isn't the case
right now.

Aaron

>
> To my understanding subnet is used for two purposes in terms of security
> groups
> 1. To allow dhcp traffic if dhcp is enabled on the subnet, example given
> below
>         -A quantum-openvswi-i7bf776d2-b -s 192.168.1.3/32 -p udp -m udp
> --sport 67 --dport 68 -j RETURN
> 2. To avoid ip spoof
>         -A quantum-openvswi-o7bf776d2-b ! -s 192.168.1.2/32 -j DROP
>
> Can we remove this so that we can have guests which have a NIC with just a
> MAC address? The guest can configure its own IP address. Later if needed they
> can enable their own security rules via the quantum API.
>
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>
>
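The two roles of the subnet that Kanthi lists (DHCP allow rule, anti-spoof rule) and the reason Aaron gives (security-group rules match only L3/4 headers, so a port needs a fixed IP before any of them can be written), modelled as an added example. This is not Nova's or Neutron's own code: the chain-name derivation, the dict shapes for the port and the security-group rules, the spoof sub-chain used when a port has more than one fixed IP, and the default DROP at the end of each chain are assumptions made for illustration, and the port id and addresses are constructed.

```python
# Added illustration, not Neutron's or Nova's own code. It models the per-port
# iptables rules in the form quoted in the thread to show why the nova check
# requires a subnet (a fixed IP on the port) before security groups apply.


class SecurityGroupCannotBeApplied(Exception):
    """Same name as the nova exception quoted in the thread."""


def chain_names(port_id):
    """Ingress/egress chain names in the form seen in the thread
    (prefix plus the first 10 characters of the port id). Assumed derivation."""
    short = port_id[:10]
    return "quantum-openvswi-i" + short, "quantum-openvswi-o" + short


def render_sg_rule(sg_rule, in_chain, out_chain):
    """Render one security-group rule (hypothetical dict shape) as iptables.
    Every match here is an L3 (-s/-d) or L4 (-p, --dport) match; nothing in a
    security-group rule can be expressed against the MAC alone."""
    if sg_rule["direction"] == "ingress":
        chain, addr_flag = in_chain, "-s"
    else:
        chain, addr_flag = out_chain, "-d"
    parts = ["-A", chain]
    if sg_rule.get("remote_ip_prefix"):
        parts += [addr_flag, sg_rule["remote_ip_prefix"]]
    proto = sg_rule.get("protocol")
    if proto:
        parts += ["-p", proto]
        lo = sg_rule.get("port_range_min")
        if proto in ("tcp", "udp") and lo is not None:
            hi = sg_rule.get("port_range_max", lo)
            ports = "%d" % lo if lo == hi else "%d:%d" % (lo, hi)
            parts += ["-m", proto, "--dport", ports]
    parts += ["-j", "RETURN"]
    return " ".join(parts)


def build_port_rules(port, security_groups, dhcp_servers=(), port_security_enabled=True):
    """Return the iptables rule list for one port.

    Mirrors the nova check from the thread: with security groups requested,
    the port must have a fixed IP (the network has a subnet) and port security
    must be enabled, otherwise SecurityGroupCannotBeApplied is raised.
    `port` is a hypothetical dict: {'id', 'mac_address', 'fixed_ips'}.
    """
    if not security_groups:
        return []  # nothing to enforce; a MAC-only port is acceptable here
    fixed_ips = port.get("fixed_ips") or []
    if not (fixed_ips and port_security_enabled):
        raise SecurityGroupCannotBeApplied(
            "port %s: no fixed IP or port security disabled" % port["id"])

    in_chain, out_chain = chain_names(port["id"])
    rules = []
    # 1. DHCP: replies from the subnet's DHCP server(s) are let in, and the
    #    guest's own DHCP requests are let out ahead of the anti-spoof drop
    #    (a DHCP client sends from 0.0.0.0, not from its fixed IP).
    for server in dhcp_servers:
        rules.append("-A %s -s %s/32 -p udp -m udp --sport 67 --dport 68 -j RETURN"
                     % (in_chain, server))
    rules.append("-A %s -p udp -m udp --sport 68 --dport 67 -j RETURN" % out_chain)
    # 2. Anti-spoof: egress must carry one of the port's fixed IPs. With a
    #    single IP this is exactly the rule shown in the thread; with several,
    #    a sub-chain (assumed layout) RETURNs on a known IP and DROPs the rest.
    if len(fixed_ips) == 1:
        rules.append("-A %s ! -s %s/32 -j DROP" % (out_chain, fixed_ips[0]))
    else:
        spoof_chain = out_chain + "-spoof"
        rules.append("-A %s -j %s" % (out_chain, spoof_chain))
        for ip in fixed_ips:
            rules.append("-A %s -s %s/32 -j RETURN" % (spoof_chain, ip))
        rules.append("-A %s -j DROP" % spoof_chain)
    # 3. The security-group rules themselves, then a default DROP per chain.
    for sg_rule in security_groups:
        rules.append(render_sg_rule(sg_rule, in_chain, out_chain))
    rules.append("-A %s -j DROP" % in_chain)
    rules.append("-A %s -j DROP" % out_chain)
    return rules


if __name__ == "__main__":
    # Constructed sample port on a network with a subnet and a DHCP server.
    sample_port = {"id": "7bf776d2-b8d4-4b0c-9f1e-000000000000",
                   "mac_address": "fa:16:3e:00:00:01",
                   "fixed_ips": ["192.168.1.2"]}
    ssh_in = {"direction": "ingress", "protocol": "tcp",
              "port_range_min": 22, "port_range_max": 22,
              "remote_ip_prefix": "10.0.0.0/24"}
    for line in build_port_rules(sample_port, [ssh_in], dhcp_servers=["192.168.1.3"]):
        print(line)
```

Running the block prints the rule set for the sample port; the anti-spoof line comes out in the same shape as the one Kanthi pasted. Calling `build_port_rules` for a port whose network has no subnet (empty `fixed_ips`) while a security group is requested raises `SecurityGroupCannotBeApplied`, which is the situation the nova check guards against; with no security groups requested the same port yields an empty rule list, which is the MAC-only case Kanthi asks for.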