<div dir="ltr">Darragh:<div><br></div><div>Can you elaborate on this a little more? Do you mean that the "brcompat" kernel module has been loaded, and this breaks security groups with the ovs plugin? Should we add something in the documentation about this? </div>
<div><br></div><div>Lorin</div><div><br></div><div><br></div><div>Do you mean that the problem is that the ovs-brcompatd service is running? </div><div><br></div><div>openvswitch-brcompat package is installed? </div><div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Sep 2, 2013 at 10:21 AM, Darragh O'Reilly <span dir="ltr"><<a href="mailto:dara2002-openstack@yahoo.com" target="_blank">dara2002-openstack@yahoo.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
it is not working because you are using the ovs bridge compatibility module.<br>
<br>
Re,<br>
Darragh.<br>
<br>
>________________________________<br>
> From: Sebastian Porombka <<a href="mailto:porombka@uni-paderborn.de">porombka@uni-paderborn.de</a>><br>
>To: "<a href="mailto:openstack-operators@lists.openstack.org">openstack-operators@lists.openstack.org</a>" <<a href="mailto:openstack-operators@lists.openstack.org">openstack-operators@lists.openstack.org</a>><br>
>Sent: Monday, 2 September 2013, 14:48<br>
>Subject: [Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated<br>
<div><div class="h5">><br>
><br>
><br>
>Hi folks.<br>
><br>
><br>
>We're currently on the way to deploy an openstack (grizzly) cloud environment <br>
>and suffering in problems implementing the security groups like described in [1].<br>
><br>
><br>
>The (hopefully) relevant configuration settings are:<br>
><br>
><br>
>/etc/nova/nova.conf<br>
>[…]<br>
>security_group_api=quantum<br>
>network_api_class=nova.network.quantumv2.api.API<br>
>libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver<br>
>firewall_driver=nova.virt.firewall.NoopFirewallDriver<br>
>[…]<br>
><br>
><br>
>/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini<br>
>[…]<br>
>firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver<br>
>[…]<br>
><br>
><br>
>The Networks for the vm's are attached to the compute-nodes via VLAN <br>
>encapsulation and correctly mapped to the vm's.<br>
><br>
><br>
>From our point of view - we're understanding the need of the <br>
>"ovs-bridge <> veth glue <> linux-bridge (for filtering) <> vm"-construction <br>
>and observed the single components in our deployment. See [2]<br>
><br>
><br>
>Everything is working except the security groups. <br>
>We observed that ip-tables rules are generated for the quantum-openvswi-* chains of iptables. <br>
>And the traffic arriving untagged (native vlan for management) on the machine is processed by iptables but not <br>
>the traffic which arrived encapsulated.<br>
><br>
><br>
>The traffic which is unpacked by openvswitch and is bridged via the veth and the tap into <br>
>the machine isn't processed by the iptables rules.<br>
><br>
><br>
>We have no remaining clue/idea how to solve this issue… :(<br>
><br>
><br>
>Greetings<br>
> Sebastian<br>
><br>
><br>
>[1] <a href="http://docs.openstack.org/trunk/openstack-network/admin/content/under_the_hood_openvswitch.html" target="_blank">http://docs.openstack.org/trunk/openstack-network/admin/content/under_the_hood_openvswitch.html</a><br>
>[2] <a href="http://pastebin.com/WXMH6y4A" target="_blank">http://pastebin.com/WXMH6y4A</a><br>
><br>
><br>
>--<br>
>Sebastian Porombka, M.Sc. <br>
>Zentrum für Informations- und Medientechnologien (IMT)<br>
>Universität Paderborn<br>
><br>
><br>
>E-Mail: <a href="mailto:porombka@uni-paderborn.de">porombka@uni-paderborn.de</a><br>
>Tel.: 05251/60-5999<br>
>Fax: 05251/60-48-5999<br>
>Raum: N5.314 <br>
><br>
><br>
>--------------------------------------------<br>
>Q: Why is this email five sentences or less?<br>
>A: <a href="http://five.sentenc.es" target="_blank">http://five.sentenc.es</a><br>
><br>
><br>
>Please consider the environment before printing this email.<br>
</div></div>>_______________________________________________<br>
>OpenStack-operators mailing list<br>
><a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
><br>
><br>
><br>
<br>
_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Lorin Hochstein<br><div>Lead Architect - Cloud Services</div><div>Nimbis Services, Inc.</div><div><a href="http://www.nimbisservices.com" target="_blank">www.nimbisservices.com</a></div>
</div>
</div></div></div>