[Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated

Lorin Hochstein lorin at nimbisservices.com
Mon Sep 2 15:00:41 UTC 2013


Darragh:

Can you elaborate on this a little more? Do you mean that the "brcompat"
kernel module has been loaded, and this breaks security groups with the ovs
plugin? Should we add something in the documentation about this?

Lorin


Do you mean that the problem is that the ovs-brcompatd service is running?

Is the openvswitch-brcompat package installed?


On Mon, Sep 2, 2013 at 10:21 AM, Darragh O'Reilly <dara2002-openstack at yahoo.com> wrote:

>
> It is not working because you are using the ovs bridge compatibility module.
>
> Re,
> Darragh.
>
> >________________________________
> >From: Sebastian Porombka <porombka at uni-paderborn.de>
> >To: "openstack-operators at lists.openstack.org" <openstack-operators at lists.openstack.org>
> >Sent: Monday, 2 September 2013, 14:48
> >Subject: [Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated
> >
> >
> >
> >Hi folks.
> >
> >
> >We're currently on the way to deploy an openstack (grizzly) cloud environment
> >and suffering from problems implementing the security groups as described in [1].
> >
> >
> >The (hopefully) relevant configuration settings are:
> >
> >
> >/etc/nova/nova.conf
> >[…]
> >security_group_api=quantum
> >network_api_class=nova.network.quantumv2.api.API
> >libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
> >firewall_driver=nova.virt.firewall.NoopFirewallDriver
> >[…]
> >
> >
> >/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini
> >[…]
> >firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
> >[…]
> >
> >
> >The networks for the VMs are attached to the compute nodes via VLAN
> >encapsulation and correctly mapped to the VMs.
> >
> >
> >From our point of view, we understand the need for the
> >"ovs-bridge <> veth glue <> linux-bridge (for filtering) <> vm" construction
> >and observed the single components in our deployment. See [2].
> >
> >
> >Everything is working except the security groups.
> >We observed that iptables rules are generated for the quantum-openvswi-* chains of iptables.
> >The traffic arriving untagged (native VLAN for management) on the machine is
> >processed by iptables, but not the traffic which arrives encapsulated.
> >
> >
> >The traffic which is unpacked by openvswitch and bridged via the veth and the tap
> >into the machine isn't processed by the iptables rules.
> >
> >
> >We have no remaining clue/idea how to solve this issue… :(
> >
> >
> >Greetings
> >   Sebastian
> >
> >
> >[1] http://docs.openstack.org/trunk/openstack-network/admin/content/under_the_hood_openvswitch.html
> >[2] http://pastebin.com/WXMH6y4A
> >
> >
> >--
> >Sebastian Porombka, M.Sc.
> >Zentrum für Informations- und Medientechnologien (IMT)
> >Universität Paderborn
> >
> >
> >E-Mail: porombka at uni-paderborn.de
> >Tel.: 05251/60-5999
> >Fax: 05251/60-48-5999
> >Room: N5.314
> >
> >
> >--------------------------------------------
> >Q: Why is this email five sentences or less?
> >A: http://five.sentenc.es
> >
> >
> >Please consider the environment before printing this email.
> >_______________________________________________
> >OpenStack-operators mailing list
> >OpenStack-operators at lists.openstack.org
> >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> >
> >
> >
>



-- 
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com
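A diagnostic script, added here as an example (it is not code from this thread, from Quantum or from Open vSwitch), that checks the three conditions the thread turns on: whether the brcompat module is loaded, whether the hybrid driver's quantum-openvswi-* chains exist, and whether those chains ever match a packet. It assumes `lsmod` and `iptables-save -c` output and a chain name taken from the node's own quantum-openvswi-* chains; the sample inputs in the comments and tests are constructed.

```shell
#!/bin/sh
# Added diagnostic for the failure mode in this thread; not code from the
# thread, from Quantum or from Open vSwitch. Each check takes command output
# as an argument, so it works on output captured from a compute node as well
# as on the live system.

# Is the OVS bridge-compatibility module loaded?  $1 = output of `lsmod`
brcompat_loaded() {
    printf '%s\n' "$1" | awk '$1 == "brcompat" { found = 1 } END { exit !found }'
}

# Did OVSHybridIptablesFirewallDriver create any per-port chains?
# $1 = output of `iptables-save` (chain definitions look like ":name - [0:0]")
hybrid_chains_present() {
    printf '%s\n' "$1" | grep -q '^:quantum-openvswi-'
}

# Has any rule in chain $2 ever matched a packet?  $1 = output of
# `iptables-save -c`, whose rule lines start with "[packets:bytes] -A chain".
chain_has_hits() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $2 == "-A" && $3 == c {
            split(substr($1, 2, length($1) - 2), n, ":")
            if (n[1] + 0 > 0) hit = 1
        }
        END { exit !hit }'
}

# Combined verdict. Return codes: 0 chain is evaluated, 1 brcompat loaded,
# 2 no hybrid chains at all, 3 chains exist but see no packets (the symptom
# Sebastian describes).  $1 = lsmod, $2 = iptables-save -c, $3 = chain name
diagnose() {
    if brcompat_loaded "$1"; then
        echo "brcompat is loaded: unload it and stop ovs-brcompatd"; return 1
    fi
    if ! hybrid_chains_present "$2"; then
        echo "no quantum-openvswi-* chains: is the hybrid firewall driver active?"; return 2
    fi
    if ! chain_has_hits "$2" "$3"; then
        echo "$3 exists but has zero hits: bridged VM traffic bypasses iptables"; return 3
    fi
    echo "$3 is being evaluated"
}

# Live use on a compute node (chain name from `iptables-save | grep openvswi`):
#   sh check_sg.sh --live quantum-openvswi-i<port-id-prefix>
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    diagnose "$(lsmod)" "$(iptables-save -c)" "$2"
fi
```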