About the use of security groups with neutron ports

Lajos Katona katonalala at gmail.com
Fri Jan 3 09:56:33 UTC 2020


Hi,

General answer:
if you check your processes running on the host you will see which config
files are used:
$ ps -ef |grep neutron-server
lajoska+ 32072     1  2 09:51 ?        00:00:03 /usr/bin/python3.6
/usr/local/bin/neutron-server --config-file /etc/neutron/neutron.conf
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file
/etc/neutron/taas_plugin.ini
....

Similarly you can check your ovs-agent:
$ ps -ef |grep neutron-openvswitch-agent
....

For the documentation of the config files check the configuration reference:
https://docs.openstack.org/neutron/latest/configuration/config.html (this
is the latest, so I suppose you need some older one like train or similar)

Regards
Lajos

<ahmed.zaky.abdallah at gmail.com> ezt írta (időpont: 2019. dec. 27., P,
15:42):

> Thank you very much, Slawek.
>
>
>
> In case I have multiple configuration files, how to know which one is
> currently loaded in neutron?
>
> For example, in my environment I have:
>
>    - ml2_conf.ini
>    - ml2_conf_odl.ini
>    - ml2_conf_sriov.ini
>    - openvswitch_agent.ini
>    - sriov_agent.ini
>
>
>
>
>
> [root at overcloud-controller-0 cbis-admin]# cd /etc/neutron/plugins/ml2/
>
> [root at overcloud-controller-0 ml2]# ls
>
> ml2_conf.ini  ml2_conf_odl.ini  ml2_conf_sriov.ini  openvswitch_agent.ini
> sriov_agent.ini
>
>
>
>
>
> Which one of these is used?
>
>
>
> Cheers,
>
> Ahmed
>
>
>
>
>
>
>
> -----Original Message-----
> From: Slawek Kaplonski <skaplons at redhat.com>
> Sent: Friday, December 27, 2019 10:28 AM
> To: ahmed.zaky.abdallah at gmail.com
> Cc: openstack-discuss at lists.openstack.org
> Subject: Re: About the use of security groups with neutron ports
>
>
>
> Hi,
>
>
>
> > On 27 Dec 2019, at 00:14, ahmed.zaky.abdallah at gmail.com wrote:
>
> >
>
> > Hi All,
>
> >
>
> > I am trying to wrap my head around something I came across in one of the
> OpenStack deployments. I am running Telco VNFs one of them is having
> different VMs using SR-IOV interfaces.
>
> >
>
> > On one of my VNFs on Openstack, I defined a wrong IPv6 Gm bearer
> interface to be exactly the same as the IPv6 Gateway. As I hate
> re-onboarding, I decided to embark on a journey of changing the IPv6 of the
> Gm bearer interface manually on the application side, everything went on
> fine.
>
> >
>
> > After two weeks, my customer started complaining about one way RTP flow.
> The customer was reluctant to blame the operation I carried out because
> everything worked smooth after my modification.
>
> > After days of investigation, I remembered that I have port-security
> enabled and this means AAP “Allowed-Address-Pairs” are defined per vPort
> (AAP contain the floating IP address of the VM so that  the security to
> allow traffic to and from this VIP). I gave it a try and edited AAP
> “Allowed-Address-Pairs” to include the correct new IPv6 address. Doing that
> everything started working fine.
>
> >
>
> > The only logical explanation at that time is security group rules are
> really invoked.
>
> >
>
> > Now, I am trying to understand how the iptables are really invoked. I
> did some digging and it seems like we can control the firewall drivers on
> two levels:
>
> >
>
> >             • Nova compute
>
> >             • ML2 plugin
>
> >
>
> > I was curious to check nova.conf and it has already the following line:
> firewall_driver=nova.virt.firewall.NoopFirewallDriver
>
> >
>
> > However, checking the ml2 plugin configuration, the following is found:
>
> >
>
> >     230 [securitygroup]
>
> >     231
>
> >     232 #
>
> >     233 # From neutron.ml2
>
> >     234 #
>
> >     235
>
> >     236 # Driver for security groups firewall in the L2 agent (string
> value)
>
> >     237 #firewall_driver = <None>
>
> >     238 firewall_driver = openvswitch
>
> >
>
> > So, I am jumping to a conclusion that ml2 plugin is the one responsible
> for enforcing the firewall rules in my case.
>
> >
>
> > Have you had a similar experience?
>
> > Is my assumption correct: If I comment out the ml2 plugin firewall
> driver then the port security carries no sense at all and security groups
> won’t be invoked?
>
>
>
> Firewall_driver config option has to be set to some value. You can set
> “noop” as firewall_driver to completely disable this feature for all ports.
>
> But please remember that You need to set it on agent’s side so it’s on
> compute nodes, not on neutron-server side.
>
> Also, if You want to disable it only for some ports, You can set
> “port_security_enabled” to False and than SG will not be applied for such
> port and You will not need to configure any additional IPs in allowed
> address pairs for this port.
>
>
>
> >
>
> > Cheers,
>
> > Ahmed
>
>
>
>>
> Slawek Kaplonski
>
> Senior software engineer
>
> Red Hat
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20200103/cb38ffc1/attachment.html>


More information about the openstack-discuss mailing list