[Openstack] [Neutron] Security groups issue when running latest libvirt?

Simon Pasquier simon.pasquier at bull.net
Wed Nov 6 17:03:31 UTC 2013


Answering myself as I investigated a little further and cross-posting to 
openstack-dev because I'd like to get feedback from Nova/Neutron devs.

Users running Havana should configure 
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver.
This driver is still available in the Havana release although 
deprecated. AFAIU, this is the only option if you want effective 
security groups with KVM & OVS.

For people using the master branch of nova, sorry but security groups 
are currently broken because LibvirtHybridOVSBridgeDriver is gone ([0]). 
Joe Gordon asked the Neutron devs about it a few weeks ago [1] but no 
answer and in another review [2], the conclusion was that the Tempest 
tests passed with Neutron. However I don't see anywhere in the tests 
([3], [4]) that we check if the security rules allow/block traffic.

It would be nice if core devs could confirm or refute.

Regards,

Simon

[0] https://review.openstack.org/#/c/49660/
[1] 
http://lists.openstack.org/pipermail/openstack-dev/2013-October/016886.html
[2] https://review.openstack.org/#/c/44349
[3] 
https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups.py
[4] 
https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups_negative.py

On 05/11/2013 14:57, Simon Pasquier wrote:
> Hi all,
>
> I'm struggling with security groups on Havana with Neutron and OVS
> plugin (GRE tunnels). No problem to create/delete security group rules
> but even though iptables configuration is updated, traffic to my
> instances is never filtered [0].
>
> I'm running DevStack on 2 nodes (1 controller + 1 compute):
> - OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
> - Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
> - libvirt package version: 1.1.1-0ubuntu8~cloud2
> - localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files
> pasted at [1] (I didn't modify any of these files after the DevStack run)
>
> According to [2], [3] and [4], iptables is not compatible with TAP
> devices connected directly to Open vSwitch ports; this is why there used
> to be the additional veth + bridge interfaces [5]. But in my setup, this
> is not the case anymore as shown in [6] ('ovs-vsctl show' +
> 'iptables-save' output). I've also pasted the libvirt XML configuration
> [7] that shows that the instance is directly connected to the Open vSwitch.
>
> Are the security groups supposed to work when the instance is directly
> connected to OVS? If yes, what am I doing wrong?
>
> Regards,
>
> [0] http://paste.openstack.org/show/50490/
> [1] http://paste.openstack.org/show/50448/
> [2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
> [3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
> [4]
> http://docs.openstack.org/havana/config-reference/content/under_the_hood_openvswitch.html
>
> [5]
> http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png
>
> [6] http://paste.openstack.org/show/50486/
> [7] http://paste.openstack.org/show/50487/


-- 
Simon Pasquier
Software Engineer
Bull, Architect of an Open World
Phone: + 33 4 76 29 71 49
http://www.bull.com
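The thread's diagnosis hinges on one wiring fact: Neutron's iptables firewall matches guest traffic with the physdev module, which only sees frames crossing a Linux bridge, so a TAP plugged straight into an OVS bridge is never filtered even when the rules are present. The script below is an added example (not code from this thread or from Nova/Neutron) that turns that fact into a check an operator can run over a guest's libvirt XML and `iptables-save` output. The domain XML snippets, port ids and iptables lines are constructed samples; the chain names follow the `neutron-openvswi-` prefix Neutron's OVS plugin uses, and the `qbr`/`tap` naming is assumed from the hybrid driver's convention.

```python
"""Check whether a Nova/libvirt guest NIC is wired so that Neutron's
iptables-based security groups can actually filter its traffic.

Added example, not code from the mailing-list thread. It encodes the
rule the thread discusses: iptables (via the physdev match) only sees
frames that cross a Linux bridge, so a TAP attached straight to an OVS
bridge (libvirt <virtualport type='openvswitch'/>) is never filtered,
while the hybrid layout (TAP -> qbr Linux bridge -> qvb/qvo veth -> OVS)
is. All XML and iptables-save lines below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML for a guest plugged directly into OVS
# (the layout the original post observed in its paste [7]).
DIRECT_OVS_XML = """<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:01'/>
      <source bridge='br-int'/>
      <virtualport type='openvswitch'>
        <parameters interfaceid='11111111-2222-3333-4444-555555555555'/>
      </virtualport>
      <target dev='tapdeadbeef-00'/>
    </interface>
  </devices>
</domain>"""

# Constructed XML for the hybrid layout (LibvirtHybridOVSBridgeDriver):
# the TAP sits on a per-port Linux bridge named qbr<port-id prefix>
# (naming assumed from the hybrid driver's convention).
HYBRID_XML = """<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:02'/>
      <source bridge='qbrdeadbeef-00'/>
      <target dev='tapdeadbeef-00'/>
    </interface>
  </devices>
</domain>"""

# Constructed excerpt of `iptables-save` in the shape Neutron's iptables
# firewall driver writes: per-port chains reached through the physdev match.
IPTABLES_SAVE = """*filter
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapdeadbeef-00 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapdeadbeef-00 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-ideadbeef-0 -p tcp -m tcp --dport 22 -j RETURN
COMMIT"""


def guest_interfaces(domain_xml):
    """Return one dict per <interface> with the TAP name, the bridge it is
    attached to, and whether libvirt plugs it into OVS directly."""
    root = ET.fromstring(domain_xml)
    result = []
    for iface in root.iter('interface'):
        src = iface.find('source')
        tgt = iface.find('target')
        vport = iface.find('virtualport')
        result.append({
            'tap': tgt.get('dev') if tgt is not None else None,
            'bridge': src.get('bridge') if src is not None else None,
            'ovs_direct': vport is not None and vport.get('type') == 'openvswitch',
        })
    return result


def physdev_rules_for(tap, iptables_save):
    """Count rules that match this TAP through the physdev module."""
    pattern = re.compile(r'--physdev-(?:in|out) ' + re.escape(tap) + r'\b')
    return sum(1 for line in iptables_save.splitlines() if pattern.search(line))


def assess(domain_xml, iptables_save):
    """Classify each guest NIC. A TAP is only 'filtered' when it hangs off a
    Linux bridge (no OVS virtualport) AND iptables carries physdev rules for
    it; rules alone are not enough, which is exactly the symptom in the
    thread (iptables updated, traffic still unfiltered)."""
    verdicts = {}
    for nic in guest_interfaces(domain_xml):
        rules = physdev_rules_for(nic['tap'], iptables_save)
        if nic['ovs_direct']:
            verdicts[nic['tap']] = ('unfiltered: TAP attached directly to OVS bridge %s'
                                    % nic['bridge'])
        elif rules == 0:
            verdicts[nic['tap']] = 'unfiltered: no physdev rules in iptables for this TAP'
        else:
            verdicts[nic['tap']] = ('filtered: Linux bridge %s with %d physdev rules'
                                    % (nic['bridge'], rules))
    return verdicts


if __name__ == '__main__':
    for label, xml in (('direct OVS', DIRECT_OVS_XML), ('hybrid', HYBRID_XML)):
        print(label, assess(xml, IPTABLES_SAVE))
```

On a real host, feed `assess()` the output of `virsh dumpxml <instance>` and `iptables-save`; the direct-OVS verdict is the one to look for when security group rules appear in iptables but have no effect, and the no-rules verdict separates a wiring problem from a Neutron agent that never programmed the chains.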
