<div dir="ltr">Hi Aaron,<div><br></div><div>I missed the latest mail of this thread in my mailbox, so pasting the content of your response below.</div><div><font color="#535353" face="andale mono, lucida console, monospace"><span style="font-size:12px;line-height:14.390625px;white-space:pre-wrap"><i><div>
<br></div><div>The issue is that the nova-api says that by default every instance needs to</div><div>be in a default security group that blocks all ingress traffic from outside</div><div>and allows all ingress from instances that belong to the same security</div>
<div>group. If an instance does not have an ip address we are unable to enforce</div><div>the instance->instance communication of members that are part of the same</div><div>security group (or at least the iptables implementation in place doesn't).</div>
<div><br></div><div>There is an extension in neutron that implements port_security that allows</div><div>one to disable this so that one can do L2 networking as you want to. Though</div><div>unfortunately, this does not work correctly at this time with nova as</div>
<div>currently it's calling into neutron to create the security group and attach</div><div>it to the instance anyway. See: <a href="https://bugs.launchpad.net/nova/+bug/1175464">https://bugs.launchpad.net/nova/+bug/1175464</a>.</div>
<div>I'm hoping to resolve this issue in the next few weeks.</div></i></span></font></div><div><pre style="margin-top:1.5em;margin-bottom:1.5em;padding:0px;border:0px;font-size:12px;font-family:'andale mono','lucida console',monospace;vertical-align:baseline;white-space:pre-wrap;line-height:14.399999618530273px;color:rgb(83,83,83)">
<span style="line-height:14.399999618530273px">Thanks a lot for the information.</span></pre><pre style="margin-top:1.5em;margin-bottom:1.5em;padding:0px;border:0px;font-size:12px;font-family:'andale mono','lucida console',monospace;vertical-align:baseline;white-space:pre-wrap;line-height:14.399999618530273px;color:rgb(83,83,83)">
<span style="line-height:14.399999618530273px">As per my understanding of the bug description and the code diff, the fix would prevent nova from adding the 'default' security group if neutron is not specifying any security group, only for the case where there are plugins that implement port_security_api and have port_security_enabled=False.</span></pre>
<pre style="margin-top:1.5em;margin-bottom:1.5em;padding:0px;border:0px;font-size:12px;font-family:'andale mono','lucida console',monospace;vertical-align:baseline;white-space:pre-wrap;line-height:14.399999618530273px;color:rgb(83,83,83)">
<span style="color:rgb(51,51,51);font-family:'Ubuntu Mono',monospace;line-height:18px;white-space:normal">I have two concerns here:</span></pre><pre style="margin-top:1.5em;margin-bottom:1.5em;padding:0px;border:0px;font-size:12px;font-family:'andale mono','lucida console',monospace;vertical-align:baseline;white-space:pre-wrap;line-height:14.399999618530273px;color:rgb(83,83,83)">
<span style="color:rgb(51,51,51);font-family:'Ubuntu Mono',monospace;line-height:18px;white-space:normal">1. If we don't have any such plugins, then port_security is assumed to be enabled and again the default security group would be added by nova, which mandates a subnet, and L2 networks do not work as expected.</span></pre>
<pre style="margin-top:1.5em;margin-bottom:1.5em;padding:0px;border:0px;font-size:12px;font-family:'andale mono','lucida console',monospace;vertical-align:baseline;white-space:pre-wrap;line-height:14.399999618530273px;color:rgb(83,83,83)">
<span style="color:rgb(51,51,51);font-family:'Ubuntu Mono',monospace;line-height:18px;white-space:normal">2. If neutron provides a security group (non-default) via its own API or by means of security plugins, L2 networks still fail due to the same subnet issue.</span></pre>
<pre style="margin-top:1.5em;margin-bottom:1.5em;padding:0px;border:0px;font-size:12px;font-family:'andale mono','lucida console',monospace;vertical-align:baseline;white-space:pre-wrap;line-height:14.399999618530273px;color:rgb(83,83,83)">
<span style="color:rgb(51,51,51);font-family:'Ubuntu Mono',monospace;line-height:18px;white-space:normal">You may ask why a security group is needed for L2 networks, as the security rules are actually converted to iptables. The reason is that the vNIC may have an IP address at a later point in time, and we can add security rules based on this IP then. I am just wondering why the subnet should be mandatory for the vNIC during instance boot time.</span></pre>
<pre style="margin-top:1.5em;margin-bottom:1.5em;padding:0px;border:0px;font-size:12px;font-family:'andale mono','lucida console',monospace;vertical-align:baseline;white-space:pre-wrap;line-height:14.399999618530273px;color:rgb(83,83,83)">
<span style="color:rgb(51,51,51);font-family:'Ubuntu Mono',monospace;line-height:18px;white-space:normal">Regards,</span></pre><pre style="margin-top:1.5em;margin-bottom:1.5em;padding:0px;border:0px;font-size:12px;font-family:'andale mono','lucida console',monospace;vertical-align:baseline;white-space:pre-wrap;line-height:14.399999618530273px;color:rgb(83,83,83)">
<span style="color:rgb(51,51,51);font-family:'Ubuntu Mono',monospace;line-height:18px;white-space:normal">Kanthi</span></pre></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Nov 8, 2013 at 11:45 AM, Kanthi P <span dir="ltr"><<a href="mailto:pavuluri.kanthi@gmail.com" target="_blank">pavuluri.kanthi@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Aaron,<div><br></div><div>Thanks for the reply!</div><div>Yes, security groups are mapped to L3/L4 headers; these security rules are being converted to iptables.</div>
<div><br></div><div>If we remove the subnet check, we will be able to launch instances without an IP address; they just have the MAC address.</div>
<div>Users can configure their own IP address after they are booted.</div><div><br></div><div>If we use neutron security groups, it provides a default group (on a port basis) which blocks all ingress and allows all egress traffic.</div>
<div><br></div><div>Later, users can configure security groups based on the IP address they provided to the vNICs.</div><div><br></div><div>I mean to say, ports will have a subnet, but this subnet is not known to OpenStack during instance boot time.</div>
<div><br></div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Nov 8, 2013 at 9:42 AM, Aaron Rosen <span dir="ltr"><<a href="mailto:arosen@nicira.com" target="_blank">arosen@nicira.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div>On Thu, Nov 7, 2013 at 12:23 PM, Kanthi P <span dir="ltr"><<a href="mailto:pavuluri.kanthi@gmail.com" target="_blank">pavuluri.kanthi@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px;color:rgb(80,0,80)">Hi,</span><br style="font-family:arial,sans-serif;font-size:13px">
<div class="gmail_quote" style="font-family:arial,sans-serif;font-size:13px">
<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div><br></div><div>I am trying to boot a VM which has a network without a subnet in Havana, but it throws an exception saying that a subnet is mandatory if quantum security groups are enabled.</div>
<div><br></div><div>Here are the commands I used.</div><div><br></div><div><pre>neutron net-create testNet
neutron net-show testNet
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 47208beb-2801-4729-bc7b-6532717232fc |
| name                      | testNet                              |
| provider:network_type     | local                                |
| provider:physical_network |                                      |
| provider:segmentation_id  |                                      |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | b5b591dcda2645cd9d15a4fe3eb1b50d     |
+---------------------------+--------------------------------------+</pre></div><div><br></div><div>nova boot --flavor 2 --image 30c1984c-8a4f-4e3f-8c9a-7de0b321caa2 --nic net-id=47208beb-2801-4729-bc7b-6532717232fc testServer1<br>
</div><div><br></div><div>Here is the piece of code which generated this exception:</div><div><br></div><div>nova/network/neutronv2/api.py<br></div><div><br></div><div><pre>        if (security_groups and not (
                network['subnets']
                and network.get('port_security_enabled', True))):

            raise exception.SecurityGroupCannotBeApplied()</pre>
</div><div><br></div><div><br></div><div>Can someone please explain why we need this check?</div></div></div></div></div></div></blockquote><div> </div></div></div><div>Hi Kanthi, </div><div> <br></div><div>We need this check because, in order to enforce security groups, the port needs to have an ip_address (i.e. the network needs a subnet), since security groups only map to L3/4 headers. Today, nova automatically adds a default security group to all instances when booted. Hopefully we can punt this task off to neutron in this release by moving the port creation up the stack to nova-api instead of nova-compute, though this isn't the case right now.</div>
<div><br></div><div>Aaron </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="ltr"><div class="gmail_quote" style="font-family:arial,sans-serif;font-size:13px">
<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div><br></div><div>To my understanding, the subnet is used for two purposes in terms of security groups:</div><div>1. To allow DHCP traffic if DHCP is enabled on the subnet, example given below:</div>
<div><pre>-A quantum-openvswi-i7bf776d2-b -s 192.168.1.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN</pre></div><div>2. To avoid IP spoofing:</div><div><pre>-A quantum-openvswi-o7bf776d2-b ! -s 192.168.1.2/32 -j DROP</pre></div>
<div><br></div><div>Can we remove this so that we can have guests whose NIC has just a MAC address? The guest can configure its own IP address. Later, if needed, they can enable their own security rules via the quantum API.</div>
</div></div></div></div></div>
<br></div>_______________________________________________<br>
Openstack-security mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org" target="_blank">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
<br></blockquote></div><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
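<div>Added illustration of the behaviour discussed in this thread; it is not nova's or neutron's own code, nor anything posted by the participants. The model below mirrors the Havana check Kanthi quoted from nova/network/neutronv2/api.py, applies the bug 1175464 fix as Kanthi describes it (drop the automatically added 'default' group only when a port reports port_security_enabled=False), and rebuilds the two IP-dependent iptables rules quoted at the end of the thread to show why a port on a subnet-less network cannot be given them. The function names, dict layouts, the "dhcp_server" field, the 10-character chain-name prefix and all sample ids and addresses are constructed assumptions for this example.</div>

```python
# Added illustration for this thread; NOT nova or neutron code. Models the
# Havana check quoted above, the bug 1175464 fix as described in the thread,
# and the two IP-dependent iptables rules at the bottom of the thread.
# Function names, dict layouts, "dhcp_server" and sample values are constructed.

DEFAULT_SG = "default"


class SecurityGroupCannotBeApplied(Exception):
    """Stand-in for nova's exception.SecurityGroupCannotBeApplied."""


def validate_port_security(network, security_groups, model_fix=False):
    """Return the groups nova would apply to a port on `network`, or raise,
    mirroring the quoted check:

        if (security_groups and not (network['subnets']
                                     and network.get('port_security_enabled', True))):
            raise exception.SecurityGroupCannotBeApplied()

    With model_fix=True the auto-added 'default' group is dropped when the
    network reports port_security_enabled=False (the fix as the thread
    describes it).  A network that does not report the attribute at all is
    still treated as port-security-enabled, which is Kanthi's concern 1.
    """
    groups = list(security_groups)
    port_security = network.get("port_security_enabled", True)
    if model_fix and not port_security:
        groups = [g for g in groups if g != DEFAULT_SG]
    if groups and not (network["subnets"] and port_security):
        raise SecurityGroupCannotBeApplied()
    return groups


def build_port_rules(port, network):
    """Model of the two rules from the thread that need an address: the
    ingress DHCP allow (keyed on the subnet's DHCP server IP) and the egress
    anti-spoof DROP (keyed on the port's fixed IP).  A port on a network with
    no subnet has neither address, so both lists stay empty; that is the
    dependency the subnet check protects."""
    tag = port["id"][:10]   # assumption: chain names carry a 10-char prefix of the port id
    ingress = [
        f"-A quantum-openvswi-i{tag} -s {subnet['dhcp_server']}/32 "
        f"-p udp -m udp --sport 67 --dport 68 -j RETURN"
        for subnet in network["subnets"]
    ]
    egress = [f"-A quantum-openvswi-o{tag} ! -s {ip}/32 -j DROP"
              for ip in port["fixed_ips"]]
    return ingress, egress


def scenarios():
    """Run the cases discussed in the thread on constructed data."""
    l2_net = {"subnets": []}                                   # attribute absent
    l2_net_ps_off = {"subnets": [], "port_security_enabled": False}
    l3_net = {"subnets": [{"cidr": "192.168.1.0/24", "dhcp_server": "192.168.1.3"}]}
    port = {"id": "7bf776d2-b0f1-4c2d", "fixed_ips": ["192.168.1.2"]}  # constructed
    bare_port = {"id": "7bf776d2-b0f1-4c2d", "fixed_ips": []}

    out = {}

    def attempt(name, net, groups, model_fix):
        try:
            out[name] = validate_port_security(net, groups, model_fix)
        except SecurityGroupCannotBeApplied:
            out[name] = "SecurityGroupCannotBeApplied"

    attempt("havana_l2_default", l2_net, [DEFAULT_SG], False)       # what Kanthi hit
    attempt("fix_l2_ps_off", l2_net_ps_off, [DEFAULT_SG], True)     # the fix helps here
    attempt("fix_l2_no_plugin", l2_net, [DEFAULT_SG], True)         # concern 1
    attempt("fix_l2_explicit_group", l2_net_ps_off, ["web"], True)  # concern 2
    attempt("l3_default", l3_net, [DEFAULT_SG], False)
    out["rules_l3"] = build_port_rules(port, l3_net)
    out["rules_l2"] = build_port_rules(bare_port, l2_net)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

<div>Running the scenarios shows the three outcomes the thread argues about: the Havana check rejects any group on a subnet-less network; the modelled fix lets a port with port_security_enabled=False boot with no groups and therefore no rules; and a network that never reports the attribute, or a port that carries an explicitly chosen non-default group, still raises, because the anti-spoof and DHCP rules cannot be built without a fixed IP and a DHCP server address.</div>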