<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Nov 7, 2013 at 12:23 PM, Kanthi P <span dir="ltr"><<a href="mailto:pavuluri.kanthi@gmail.com" target="_blank">pavuluri.kanthi@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px;color:rgb(80,0,80)">Hi,</span><br style="font-family:arial,sans-serif;font-size:13px">
<div class="gmail_quote" style="font-family:arial,sans-serif;font-size:13px">
<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div><br></div><div>I am trying to boot a VM which has a network without subnet in Havana, but it throws an exception saying that subnet is mandatory if quantum security groups are enabled.</div>
<div><br></div><div>Here are the commands I used.</div><div><br></div><div>neutron net-create testNet<br></div><div><div>neutron net-show testNet</div><div>+---------------------------+--------------------------------------+</div>
<div>| Field | Value |</div><div>+---------------------------+--------------------------------------+</div><div>| admin_state_up | True |</div>
<div>| id | 47208beb-2801-4729-bc7b-6532717232fc |</div><div>| name | testNet |</div><div>| provider:network_type | local |</div>
<div>| provider:physical_network | |</div><div>| provider:segmentation_id | |</div><div>| router:external | False |</div>
<div>| shared | False |</div><div>| status | ACTIVE |</div><div>| subnets | |</div>
<div>| tenant_id | b5b591dcda2645cd9d15a4fe3eb1b50d |</div><div>+---------------------------+--------------------------------------+</div></div><div><br></div><div>nova boot --flavor 2 --image 30c1984c-8a4f-4e3f-8c9a-7de0b321caa2 --nic net-id=47208beb-2801-4729-bc7b-6532717232fc testServer1<br>
</div><div><br></div><div>Here is the piece of code which generated this exception</div><div><br></div><div>nova/network/neutronv2/api.py<br></div><div><br></div><div><div> if (security_groups and not (</div><div>
network['subnets']</div><div> and network.get('port_security_enabled', True))):</div><div><br></div><div> raise exception.SecurityGroupCannotBeApplied()</div>
</div><div><br></div><div><br></div><div>Can someone please explain why do we need this check?</div></div></div></div></div></div></blockquote><div> </div><div>Hi Kanthi, </div><div> <br></div><div>We need this check because because in order to enforce security groups the port needs to have an ip_address (i.e: network needs a subnet) since Security groups only map to L3/4 headers. Today, nova automatically adds a default security group to all instances when booted. Hopefully we can punt this task off to neutron in this release by moving the port-creation up on the stack to nova-api instead of nova-compute though this isn't the case right now.</div>
<div><br></div><div>Aaron </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote" style="font-family:arial,sans-serif;font-size:13px">
<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div><br></div><div>To my understanding subnet is used for two purposes in terms of security groups</div><div>1. To allow dhcp traffic if dhcp is enabled on the subnet, example given below</div>
<div> -A quantum-openvswi-i7bf776d2-b -s <a href="http://192.168.1.3/32" target="_blank">192.168.1.3/32</a> -p udp -m udp --sport 67 --dport 68 -j RETURN</div><div>2. To avoid ip spoof</div><div> -A quantum-openvswi-o7bf776d2-b ! -s <a href="http://192.168.1.2/32" target="_blank">192.168.1.2/32</a> -j DROP</div>
<div><br></div><div>Can we remove this so that we can have guests which has nic with just MAC address, guest can configure its own ipaddress. Later if needed they can enable their own security rules via quantum api.</div>
</div></div></div></div></div>
<br>_______________________________________________<br>
Openstack-security mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
<br></blockquote></div><br></div></div>